@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S037_cache_headers/symbol-based-analyzer.js

@@ -0,0 +1,546 @@
+/**
+ * S037 Symbol-Based Analyzer - Configure comprehensive cache headers
+ * Enhanced to analyze per route handler instead of per file
+ */
+
+class S037SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S037";
+    this.semanticEngine = semanticEngine;
+    this.requiredDirectives = ["no-store", "no-cache", "must-revalidate"];
+    this.sensitiveIndicators =
+      /\b(session|auth(?:enticate|orization)?|token|jwt|csrf|login|logout|banking|crypto|salary|ssn|social[-_]?security|medical|prescription|biometric|audit|tax|legal|contract|personal[-_]?data|identity|finance|wallet|private[-_]?key|secret|sensitive[-_]?data|confidential|admin[-_]?panel|payment[-_]?process|credit[-_]?card|oauth|password|reset)\b/i;
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+
+    // Skip files that are unlikely to be route handlers
+    const skipPatterns = [
+      /\.dto\.ts$/,
+      /\.interface\.ts$/,
+      /\.module\.ts$/,
+      /\.service\.spec\.ts$/,
+      /\.controller\.spec\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.constants?.ts$/,
+      /\.config\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return violations;
+    }
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find all function expressions and arrow functions that could be route handlers
+      const routeHandlers = [];
+
+      // Express route patterns: app.get("/path", (req, res) => {...})
+      const callExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+
+        // Check for Express route methods
+        if (/\.(get|post|put|delete|patch|use)$/.test(expression.getText())) {
+          const args = call.getArguments();
+          if (args.length >= 2) {
+            const lastArg = args[args.length - 1];
+            // The last argument should be the handler function
+            if (
+              lastArg.getKind() === SyntaxKind.ArrowFunction ||
+              lastArg.getKind() === SyntaxKind.FunctionExpression
+            ) {
+              routeHandlers.push({
+                handler: lastArg,
+                routeCall: call,
+                type: "express",
+              });
+            }
+          }
+        }
+      }
+
+      // Next.js export functions
+      const exportAssignments = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportAssignment
+      );
+      const exportDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportDeclaration
+      );
+      const functionDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.FunctionDeclaration
+      );
+
+      for (const func of functionDeclarations) {
+        const name = func.getName();
+        if (name && /^(GET|POST|PUT|DELETE|PATCH|handler)$/.test(name)) {
+          routeHandlers.push({
+            handler: func,
+            type: "nextjs",
+          });
+        }
+      }
+
+      // NestJS Controller methods with decorators
+      const methodDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.MethodDeclaration
+      );
+
+      for (const method of methodDeclarations) {
+        const decorators = method.getDecorators();
+        const hasRouteDecorator = decorators.some((d) => {
+          const decoratorName = d.getName();
+          return ["Get", "Post", "Put", "Delete", "Patch"].includes(
+            decoratorName
+          );
+        });
+
+        if (hasRouteDecorator) {
+          routeHandlers.push({
+            handler: method,
+            type: "nestjs",
+          });
+        }
+      }
+
+      // Nuxt.js defineEventHandler patterns
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+        if (expression.getKind() === SyntaxKind.Identifier) {
+          const identifier = expression.asKindOrThrow(SyntaxKind.Identifier);
+          if (identifier.getText() === "defineEventHandler") {
+            // Find the arrow function or function parameter
+            const args = call.getArguments();
+            if (args.length > 0) {
+              const firstArg = args[0];
+              if (
+                firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                firstArg.getKind() === SyntaxKind.FunctionExpression
+              ) {
+                routeHandlers.push({
+                  handler: firstArg,
+                  type: "nuxtjs",
+                });
+              }
+            }
+          }
+        }
+      }
+
+      // Nuxt.js named exports (GET, POST, etc.)
+      const nuxtExportAssignments = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportAssignment
+      );
+
+      for (const exportAssign of nuxtExportAssignments) {
+        const expr = exportAssign.getExpression();
+        if (expr && expr.getKind() === SyntaxKind.CallExpression) {
+          const callExpr = expr.asKindOrThrow(SyntaxKind.CallExpression);
+          const callExpression = callExpr.getExpression();
+          if (callExpression.getKind() === SyntaxKind.Identifier) {
+            const identifier = callExpression.asKindOrThrow(
+              SyntaxKind.Identifier
+            );
+            if (identifier.getText() === "defineEventHandler") {
+              const args = callExpr.getArguments();
+              if (args.length > 0) {
+                const firstArg = args[0];
+                if (
+                  firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                  firstArg.getKind() === SyntaxKind.FunctionExpression
+                ) {
+                  routeHandlers.push({
+                    handler: firstArg,
+                    type: "nuxtjs",
+                  });
+                }
+              }
+            }
+          }
+        }
+      }
+
+      const variableDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.VariableDeclaration
+      );
+
+      for (const varDecl of variableDeclarations) {
+        const name = varDecl.getName();
+        if (name && /^(GET|POST|PUT|DELETE|PATCH)$/.test(name)) {
+          const initializer = varDecl.getInitializer();
+          if (
+            initializer &&
+            initializer.getKind() === SyntaxKind.CallExpression
+          ) {
+            const callExpr = initializer.asKindOrThrow(
+              SyntaxKind.CallExpression
+            );
+            const callExpression = callExpr.getExpression();
+            if (callExpression.getKind() === SyntaxKind.Identifier) {
+              const identifier = callExpression.asKindOrThrow(
+                SyntaxKind.Identifier
+              );
+              if (identifier.getText() === "defineEventHandler") {
+                const args = callExpr.getArguments();
+                if (args.length > 0) {
+                  const firstArg = args[0];
+                  if (
+                    firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                    firstArg.getKind() === SyntaxKind.FunctionExpression
+                  ) {
+                    routeHandlers.push({
+                      handler: firstArg,
+                      type: "nuxtjs",
+                    });
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+
+      // Analyze each route handler
+      if (process.env.SUNLINT_DEBUG)
+        console.log(
+          `🔧 [S037-Symbol] Found ${routeHandlers.length} route handlers`
+        );
+
+      for (const route of routeHandlers) {
+        const handlerViolations = this.analyzeRouteHandler(route);
+        violations.push(...handlerViolations);
+      }
+
+      // Only analyze actual route handlers - no file-level checking
+      // File-level checking removed to prevent false positives on DTO, module, service files
+    } catch (err) {
+      // Fallback - don't report errors from symbol analysis
+      console.warn(`Symbol analysis failed for ${filePath}:`, err.message);
+    }
+
+    return violations;
+  }
+
+  analyzeRouteHandler(route) {
+    const violations = [];
+    const { handler, routeCall, type } = route;
+
+    // Check if route contains sensitive indicators
+    const handlerText = handler.getFullText();
+    const routeText = routeCall ? routeCall.getFullText() : handlerText;
+
+    // Check for secure middleware (skip analysis if present)
+    if (/secureNoCache|noCache|antiCache/.test(routeText)) {
+      return violations; // Middleware handles headers
+    }
+
+    const isSensitive =
+      this.sensitiveIndicators.test(handlerText) ||
+      this.sensitiveIndicators.test(routeText);
+
+    // Find header setting calls within this handler
+    const headerState = this.findHeadersInNode(handler);
+
+    // Only analyze if route is sensitive OR headers are being set
+    const touchedHeaders =
+      headerState.hasCC || headerState.hasPragma || headerState.hasExpires;
+    if (!isSensitive && !touchedHeaders) {
+      return violations; // Skip non-sensitive routes without headers
+    }
+
+    // Check for missing headers
+    const missing = [];
+    if (!headerState.hasCC) missing.push("Cache-Control");
+    if (!headerState.hasPragma) missing.push("Pragma");
+    if (!headerState.hasExpires) missing.push("Expires");
+
+    if (missing.length > 0) {
+      violations.push({
+        ruleId: this.ruleId,
+        message: `Handler missing anti-cache headers: ${missing.join(
+          ", "
+        )} (${type})`,
+        severity: "warning",
+        line: handler.getStartLineNumber(),
+        column: 1,
+      });
+    } else {
+      // Validate Cache-Control directives
+      if (headerState.ccValues.length > 0) {
+        const combined = headerState.ccValues.join(",").toLowerCase();
+        const missingDir = this.requiredDirectives.filter(
+          (d) => !combined.includes(d)
+        );
+        if (missingDir.length > 0) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Cache-Control missing directives: ${missingDir.join(
+              ", "
+            )} (${type})`,
+            severity: "warning",
+            line: handler.getStartLineNumber(),
+            column: 1,
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  findHeadersInNode(node) {
+    const { SyntaxKind } = require("ts-morph");
+    const headerState = {
+      hasCC: false,
+      hasPragma: false,
+      hasExpires: false,
+      ccValues: [],
+      expiresValue: null,
+    };
+
+    // Find all call expressions within this node
+    const calls = node.getDescendantsOfKind(SyntaxKind.CallExpression);
+    const newExpressions = node.getDescendantsOfKind(SyntaxKind.NewExpression);
+
+    // Check for Next.js new Response() constructor with headers
+    for (const newExpr of newExpressions) {
+      const identifier = newExpr.getExpression();
+      if (identifier.getText() === "Response") {
+        const args = newExpr.getArguments();
+        if (args.length >= 2) {
+          const optionsArg = args[1];
+          if (optionsArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+            const headersProp = optionsArg.getProperty("headers");
+            if (
+              headersProp &&
+              headersProp.getKind() === SyntaxKind.PropertyAssignment
+            ) {
+              const headersValue = headersProp.getInitializer();
+              if (
+                headersValue &&
+                headersValue.getKind() === SyntaxKind.ObjectLiteralExpression
+              ) {
+                this.parseHeadersObject(headersValue, headerState);
+              }
+            }
+          }
+        }
+      }
+    }
+
+    for (const call of calls) {
+      const expression = call.getExpression();
+      const methodName = expression.getText();
+
+      // Look for header setting methods: Express (res.set, res.setHeader), NestJS (res.header)
+      if (
+        /\.set(Header)?$/.test(methodName) ||
+        /setHeader$/.test(methodName) ||
+        /\.set$/.test(methodName) ||
+        /\.header$/.test(methodName)
+      ) {
+        const args = call.getArguments();
+        if (args.length >= 2) {
+          const headerArg = args[0];
+          const valueArg = args[1];
+          const headerName = headerArg.getText().replace(/['"`]/g, "");
+          const headerValue = valueArg.getText().replace(/['"`]/g, "");
+
+          if (headerName.toLowerCase() === "cache-control") {
+            headerState.hasCC = true;
+            headerState.ccValues.push(headerValue);
+          } else if (headerName.toLowerCase() === "pragma") {
+            headerState.hasPragma = true;
+          } else if (headerName.toLowerCase() === "expires") {
+            headerState.hasExpires = this.isValidExpires(headerValue);
+            headerState.expiresValue = headerValue;
+          }
+        }
+      }
+
+      // Check for Nuxt.js setHeader(event, name, value) pattern
+      if (methodName === "setHeader") {
+        const args = call.getArguments();
+        if (args.length >= 3) {
+          // First arg should be 'event', second is header name, third is value
+          const eventArg = args[0];
+          const headerArg = args[1];
+          const valueArg = args[2];
+
+          if (eventArg.getText() === "event") {
+            const headerName = headerArg.getText().replace(/['"`]/g, "");
+            const headerValue = valueArg.getText().replace(/['"`]/g, "");
+
+            if (headerName.toLowerCase() === "cache-control") {
+              headerState.hasCC = true;
+              headerState.ccValues.push(headerValue);
+            } else if (headerName.toLowerCase() === "pragma") {
+              headerState.hasPragma = true;
+            } else if (headerName.toLowerCase() === "expires") {
+              headerState.hasExpires = this.isValidExpires(headerValue);
+              headerState.expiresValue = headerValue;
+            }
+          }
+        }
+      }
+
+      // Check for Next.js Response constructor with headers object
+      if (
+        call.getExpression().getText() === "Response" ||
+        call.getExpression().getKind() === SyntaxKind.NewExpression
+      ) {
+        const args = call.getArguments();
+        if (args.length >= 2) {
+          const optionsArg = args[1];
+          if (optionsArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+            const headersProp = optionsArg.getProperty("headers");
+            if (
+              headersProp &&
+              headersProp.getKind() === SyntaxKind.PropertyAssignment
+            ) {
+              const headersValue = headersProp.getInitializer();
+              if (
+                headersValue &&
+                headersValue.getKind() === SyntaxKind.ObjectLiteralExpression
+              ) {
+                this.parseHeadersObject(headersValue, headerState);
+              }
+            }
+          }
+        }
+      }
+
+      // Check for bulk header setting: res.set({...})
+      if (/\.set$/.test(methodName)) {
+        const args = call.getArguments();
+        if (args.length === 1) {
+          const objArg = args[0];
+          if (objArg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+            const props = objArg.getProperties();
+            for (const prop of props) {
+              if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+                const name = prop.getName().replace(/['"`]/g, "").toLowerCase();
+                const value =
+                  prop.getInitializer()?.getText().replace(/['"`]/g, "") || "";
+
+                if (name === "cache-control") {
+                  headerState.hasCC = true;
+                  headerState.ccValues.push(value);
+                } else if (name === "pragma") {
+                  headerState.hasPragma = true;
+                } else if (name === "expires") {
+                  headerState.hasExpires = true;
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    return headerState;
+  }
+
+  isValidExpires(expiresValue) {
+    // Remove quotes and trim
+    const value = expiresValue.replace(/['"`]/g, "").trim();
+
+    // Valid immediate expiry values
+    if (value === "0" || value === "-1") {
+      return true;
+    }
+
+    // Check for past dates (Thu, 01 Jan 1970...)
+    if (value.includes("1970") || value.includes("Jan 1970")) {
+      return true;
+    }
+
+    // Check for invalid formats
+    if (
+      value === "never" ||
+      value === "invalid-date" ||
+      value === "invalid-date-format"
+    ) {
+      return false;
+    }
+
+    // Try parsing as date to check if it's a future date
+    try {
+      const date = new Date(value);
+      if (isNaN(date.getTime())) {
+        return false; // Invalid date format
+      }
+
+      // If it's a future date (after current time), it's invalid for cache prevention
+      const now = new Date();
+      if (date > now) {
+        return false; // Future dates allow caching
+      }
+
+      return true; // Past date is valid
+    } catch (e) {
+      return false; // Invalid format
+    }
+  }
+
+  parseHeadersObject(headersObject, headerState) {
+    const { SyntaxKind } = require("ts-morph");
+    const props = headersObject.getProperties();
+
+    for (const prop of props) {
+      if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+        const name = prop.getName().replace(/['"`]/g, "").toLowerCase();
+        const value =
+          prop.getInitializer()?.getText().replace(/['"`]/g, "") || "";
+
+        if (name === "cache-control") {
+          headerState.hasCC = true;
+          headerState.ccValues.push(value);
+        } else if (name === "pragma") {
+          headerState.hasPragma = true;
+        } else if (name === "expires") {
+          headerState.hasExpires = true;
+        }
+      }
+    }
+  }
+
+  analyzeFileLevel(sourceFile) {
+    const violations = [];
+    const headerState = this.findHeadersInNode(sourceFile);
+
+    const missing = [];
+    if (!headerState.hasCC) missing.push("Cache-Control");
+    if (!headerState.hasPragma) missing.push("Pragma");
+    if (!headerState.hasExpires) missing.push("Expires");
+
+    if (missing.length > 0) {
+      violations.push({
+        ruleId: this.ruleId,
+        message: `File contains sensitive data but missing anti-cache headers: ${missing.join(
+          ", "
+        )}`,
+        severity: "warning",
+        line: 1,
+        column: 1,
+      });
+    }
+
+    return violations;
+  }
+
+  cleanup() {}
+}
+
+module.exports = S037SymbolBasedAnalyzer;