@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S038_no_version_headers/README.md

@@ -0,0 +1,234 @@
+# S038 - Do Not Expose Version Information in Response Headers
+
+## Overview
+
+Rule S038 prevents the exposure of server and framework version information through HTTP response headers. This reduces information disclosure that could help attackers identify known vulnerabilities in specific versions of web servers, frameworks, or runtime environments.
+
+Common version-revealing headers include:
+
+- `Server: nginx/1.18.0`
+- `X-Powered-By: Express`
+- `X-AspNet-Version: 4.0.30319`
+- `X-Generator: Drupal 7`
+
+## Framework Support
+
+This rule supports multiple web frameworks:
+
+- **Express.js**: Route handlers using `app.get()`, `router.post()`, etc.
+- **Next.js**: API routes (`export default function handler`) and App Router (`export async function GET`)
+- **NestJS**: Controller methods with decorators (`@Get()`, `@Post()`, etc.)
+- **Nuxt.js**: Server routes (`export default defineEventHandler`)
+
+## Security Impact
+
+Version information disclosure can:
+
+- Help attackers identify known vulnerabilities in specific versions
+- Facilitate targeted attacks against outdated software
+- Provide reconnaissance information for further attacks
+- Violate security best practices for information hiding
+
+## Rule Details
+
+### Prohibited Headers
+
+The following headers should not expose version information:
+
+- `Server`
+- `X-Powered-By`
+- `X-AspNet-Version`
+- `X-AspNetMvc-Version`
+- `X-Generator`
+- `X-Runtime`
+- `X-Version`
+- `X-Framework`
+- `X-Drupal-Cache`
+- `X-Varnish`
+- `X-Cache`
+- `X-Served-By`
+
+### Version Information Patterns
+
+The rule detects these patterns in header values:
+
+- Version numbers: `1.0`, `2.1.3`, `v1.2`
+- Framework names: `Express`, `nginx`, `Apache`, `IIS`
+- Runtime versions: `Node.js`, `PHP`, `ASP.NET`
+
+## Violations
+
+### Express.js Examples
+
+```typescript
+// ❌ Violation: Exposing server version
+app.get("/api/data", (req, res) => {
+  res.setHeader("Server", "nginx/1.18.0");
+  res.setHeader("X-Powered-By", "Express 4.18.0");
+  res.json({ data: "value" });
+});
+
+// ❌ Violation: Custom version header
+app.get("/api/info", (req, res) => {
+  res.set("X-Version", "MyApp v2.1.3");
+  res.json({ status: "ok" });
+});
+```
+
+### NestJS Examples
+
+```typescript
+// ❌ Violation: Framework version disclosure
+@Get('status')
+getStatus(@Res() res: Response) {
+  res.header('X-Powered-By', 'NestJS 9.0.0');
+  res.header('X-Framework', 'Node.js/Express');
+  return res.json({ status: 'running' });
+}
+```
+
+### Next.js Examples
+
+```typescript
+// ❌ Violation: Runtime version exposure
+export default function handler(req, res) {
+  res.setHeader("X-Runtime", "Node.js 18.16.0");
+  res.setHeader("Server", "Vercel");
+  res.json({ message: "Hello" });
+}
+```
+
+## Compliant Code
+
+### Express.js Solutions
+
+```typescript
+// ✅ Correct: Remove or hide version headers
+app.disable("x-powered-by"); // Remove Express header
+
+app.get("/api/data", (req, res) => {
+  // No version headers set
+  res.json({ data: "value" });
+});
+
+// ✅ Correct: Use helmet middleware
+const helmet = require("helmet");
+app.use(helmet.hidePoweredBy());
+
+// ✅ Correct: Generic server header
+app.get("/api/secure", (req, res) => {
+  res.setHeader("Server", "WebServer"); // Generic, no version
+  res.json({ data: "secure" });
+});
+```
+
+### NestJS Solutions
+
+```typescript
+// ✅ Correct: Use helmet middleware
+import helmet from "helmet";
+
+@Controller()
+export class AppController {
+  constructor() {
+    // Configure helmet in main.ts
+  }
+
+  @Get("status")
+  getStatus() {
+    // No version headers
+    return { status: "running" };
+  }
+}
+
+// In main.ts:
+app.use(
+  helmet({
+    hidePoweredBy: true,
+  })
+);
+```
+
+### Next.js Solutions
+
+```typescript
+// ✅ Correct: No version headers
+export default function handler(req, res) {
+  res.json({ message: "Hello" });
+}
+
+// ✅ Correct: Configure in next.config.js
+module.exports = {
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Server",
+            value: "WebServer", // Generic server name
+          },
+        ],
+      },
+    ];
+  },
+};
+```
+
+## Configuration Solutions
+
+### nginx Configuration
+
+```nginx
+# Hide nginx version
+server_tokens off;
+
+# Remove specific headers
+more_clear_headers 'Server';
+more_clear_headers 'X-Powered-By';
+```
+
+### Apache Configuration
+
+```apache
+# Hide Apache version
+ServerTokens Prod
+ServerSignature Off
+
+# Remove specific headers
+Header unset Server
+Header unset X-Powered-By
+```
+
+## Best Practices
+
+1. **Use Security Middleware**: Implement helmet.js or similar security middleware
+2. **Server Configuration**: Configure web servers to hide version information
+3. **Regular Audits**: Regularly check response headers for version leaks
+4. **Generic Headers**: Use generic server names instead of specific versions
+5. **Reverse Proxy**: Use a reverse proxy to normalize all outgoing headers
+
+## Exceptions
+
+This rule may not apply when:
+
+- Version information is intentionally exposed for debugging (development only)
+- API versioning requires version headers (use API version, not server version)
+- Third-party services require specific version headers
+
+## Related Rules
+
+- **S055**: Content-Type Validation
+- **S031**: Secure Session Cookies
+- **S037**: Cache Headers for Sensitive Data
+
+## Implementation Notes
+
+The rule uses both symbol-based (AST) and regex-based analysis to detect:
+
+1. Direct header setting in route handlers
+2. Bulk header object assignments
+3. Framework-specific header methods
+4. Version patterns in header values
+
+Security middleware detection automatically skips analysis when proper security measures are in place.

package/rules/security/S038_no_version_headers/analyzer.js

@@ -0,0 +1,262 @@
+/**
+ * S038 Main Analyzer - Do not expose version information in response headers
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S038 --input=examples/rule-test-fixtures/rules/S038_no_version_headers --engine=heuristic
+ */
+
+const S038SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S038RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S038Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S038] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S038] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S038";
+    this.ruleName = "Do not expose version information in response headers";
+    this.description =
+      "Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S038SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S038] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S038] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S038RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S038] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S038] Error creating regex analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S038] Main analyzer initializing...`);
+
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S038] Main analyzer initialized successfully`);
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S038] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S038] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S038] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S038] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S038] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S038] Total violations found: ${violations.length}`);
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S038] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S038] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S038] Trying symbol-based analysis...`);
+
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S038] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S038] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S038] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S038] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S038] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+
+          // If symbol-based found violations or prioritizeSymbolic is true, skip regex
+          if (this.config.prioritizeSymbolic && symbolViolations.length >= 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S038] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S038] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S038] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S038] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S038] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S038] Regex analysis failed:`, error.message);
+      }
+    }
+
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S038] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+
+module.exports = S038Analyzer;

package/rules/security/S038_no_version_headers/config.json

@@ -0,0 +1,49 @@
+{
+  "id": "S038",
+  "name": "Do not expose version information in response headers",
+  "category": "security",
+  "description": "S038 - Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.",
+  "severity": "warning",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "medium",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "headerSetters": ["setHeader", "set", "header"],
+    "versionHeaders": [
+      "Server",
+      "X-Powered-By",
+      "X-AspNet-Version",
+      "X-AspNetMvc-Version",
+      "X-Generator",
+      "X-Runtime",
+      "X-Version",
+      "X-Framework"
+    ],
+    "middleware": {
+      "express": ["helmet", "disable-x-powered-by"],
+      "nestjs": ["helmet"],
+      "nextjs": ["security-headers"]
+    }
+  }
+}