@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S038_no_version_headers/regex-based-analyzer.js

@@ -0,0 +1,339 @@
+/**
+ * S038 Regex-Based Ana    // Version header patterns
+    this.versionHeader    // Version information patterns
+    this.versionPatterns = [
+      /\d+\.\d+/, // Version numbers like 1.0, 2.1.3
+      /v\d+/i, // Version prefixes like v1, V2
+      /version/i, // The word "version"
+      /express/i, // Framework names
+      /node/i,
+      /nginx/i,
+      /apache/i,
+      /iis/i,
+      /php/i,
+      /asp\.net/i,
+      /ruby/i,
+      /python/i,
+      /django/i,
+      /rails/i,
+      /laravel/i,
+      /mysql/i, // Database versions
+      /postgresql/i,
+      /mongodb/i,
+      /redis/i,
+      /sqlite/i,
+      /mariadb/i
+    ];r",
+      "X-Powered-By",
+      "X-AspNet-Version",
+      "X-AspNetMvc-Version",
+      "X-Generator",
+      "X-Runtime",
+      "X-Version",
+      "X-Framework",
+      "X-Drupal-Cache",
+      "X-Varnish",
+      "X-Cache",
+      "X-Served-By",
+      "X-Database"
+    ];expose version information in response headers
+ * Detects version header exposure using pattern matching.
+ */
+const fs = require("fs");
+
+class S038RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S038";
+
+    // Framework-specific route patterns
+    this.routePatterns = {
+      // Express.js
+      express:
+        /\b(app|router)\.(get|post|put|delete|patch|use)\s*\(\s*['"`][^'"`]+['"`]/,
+      // Next.js API routes
+      nextjs: /export\s+(default\s+)?async?\s+function\s+handler\s*\(/,
+      // Next.js 13+ App Router
+      nextjsApp:
+        /export\s+async?\s+function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/,
+      // NestJS controllers
+      nestjs: /@(Get|Post|Put|Delete|Patch)\s*\(\s*['"`][^'"`]*['"`]?\s*\)/,
+      // Nuxt.js server routes
+      nuxtjs:
+        /export\s+(default\s+|const\s+(GET|POST|PUT|DELETE|PATCH)\s*=\s*)?defineEventHandler\s*\(/,
+    };
+
+    // Version header patterns
+    this.versionHeaders = [
+      "Server",
+      "X-Powered-By",
+      "X-AspNet-Version",
+      "X-AspNetMvc-Version",
+      "X-Generator",
+      "X-Runtime",
+      "X-Version",
+      "X-Framework",
+      "X-Drupal-Cache",
+      "X-Varnish",
+      "X-Cache",
+      "X-Served-By",
+    ];
+
+    // Header setting patterns for different frameworks
+    this.headerSetPatterns = {
+      express:
+        /res\.set(Header|)\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i,
+      nestjs:
+        /res\.header\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i,
+      nextjs:
+        /res\.setHeader\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i,
+      headers:
+        /headers\s*\.set\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i,
+      nuxtjs: /setHeader\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i,
+    };
+
+    // Bulk header setting patterns
+    this.bulkSetPattern = /res\.set\s*\(\s*\{([^}]+)\}/i;
+    this.nextHeadersPattern =
+      /\w+\.headers\s*\.set\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/i;
+
+    // Security middleware patterns (skip analysis if present)
+    this.securityMiddleware =
+      /helmet|hidePoweredBy|disable.*x.*powered.*by|removeHeader.*powered|noSniff/i;
+
+    // Version information patterns
+    this.versionPatterns = [
+      /\d+\.\d+/, // Version numbers like 1.0, 2.1.3
+      /v\d+/i, // Version prefixes like v1, V2
+      /version/i, // The word "version"
+      /express/i, // Framework names
+      /node/i,
+      /nginx/i,
+      /apache/i,
+      /iis/i,
+      /php/i,
+      /asp\.net/i,
+      /ruby/i,
+      /python/i,
+      /django/i,
+      /rails/i,
+      /laravel/i,
+    ];
+  }
+
+  async analyze(filePath) {
+    // Skip files that are unlikely to be route handlers
+    const skipPatterns = [
+      /\.dto\.ts$/,
+      /\.interface\.ts$/,
+      /\.module\.ts$/,
+      /\.service\.spec\.ts$/,
+      /\.controller\.spec\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.constants?\.ts$/,
+      /\.config\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return [];
+    }
+
+    const content = fs.readFileSync(filePath, "utf8");
+    const lines = content.split(/\r?\n/);
+    const violations = [];
+
+    let inRoute = false;
+    let braceDepth = 0;
+    let routeStartLine = 0;
+    let routeType = "";
+    let hasSecurityMiddleware = false;
+    let versionExposures = [];
+
+    const reset = () => {
+      inRoute = false;
+      braceDepth = 0;
+      routeStartLine = 0;
+      routeType = "";
+      hasSecurityMiddleware = false;
+      versionExposures = [];
+    };
+
+    const evaluate = () => {
+      if (!routeStartLine) return;
+
+      if (hasSecurityMiddleware) return; // assume middleware handles header security
+
+      // Report all version header exposures found in this route
+      for (const exposure of versionExposures) {
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Exposing version information in '${exposure.header}' header`,
+          severity: "warning",
+          line: exposure.line,
+          column: 1,
+        });
+      }
+    };
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+
+      // Detect route start for different frameworks
+      if (!inRoute) {
+        for (const [framework, pattern] of Object.entries(this.routePatterns)) {
+          if (pattern.test(line)) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S038-Regex] Found ${framework} route at line ${
+                  i + 1
+                }: ${line.trim()}`
+              );
+            inRoute = true;
+            routeStartLine = i + 1;
+            routeType = framework;
+            braceDepth =
+              (line.match(/\{/g) || []).length -
+              (line.match(/\}/g) || []).length;
+            hasSecurityMiddleware = this.securityMiddleware.test(line);
+            if (hasSecurityMiddleware && process.env.SUNLINT_DEBUG) {
+              console.log(
+                `🔧 [S038-Regex] Security middleware detected, skipping evaluation`
+              );
+            }
+
+            // If no opening brace on this line, look ahead for it
+            if (braceDepth === 0) {
+              for (let j = i + 1; j < Math.min(i + 3, lines.length); j++) {
+                const nextLine = lines[j];
+                if (nextLine.includes("{")) {
+                  braceDepth =
+                    (nextLine.match(/\{/g) || []).length -
+                    (nextLine.match(/\}/g) || []).length;
+                  break;
+                }
+              }
+            }
+            break;
+          }
+        }
+      }
+
+      if (inRoute) {
+        // Update brace depth
+        braceDepth +=
+          (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
+
+        // Check for security middleware within route
+        if (this.securityMiddleware.test(line)) {
+          hasSecurityMiddleware = true;
+        }
+
+        // Check for version header setting
+        this.checkVersionHeaderSetting(line, i + 1, versionExposures);
+
+        // End of route detection
+        if (
+          braceDepth <= 0 &&
+          (/\)\s*;?\s*$/.test(line) ||
+            /^\s*\}\s*$/.test(line) ||
+            /^export/.test(line))
+        ) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S038-Regex] Route ended, evaluating: Exposures=${versionExposures.length}, Security=${hasSecurityMiddleware}`
+            );
+          }
+          evaluate();
+          reset();
+        }
+      }
+    }
+
+    // Safety evaluate if unbalanced at file end
+    if (inRoute) evaluate();
+
+    return violations;
+  }
+
+  checkVersionHeaderSetting(line, lineNumber, exposures) {
+    // Check each header setting pattern
+    for (const [framework, pattern] of Object.entries(this.headerSetPatterns)) {
+      const match = pattern.exec(line);
+      if (match) {
+        const headerName = match[2] || match[1]; // Different capture groups for different patterns
+        const headerValue = match[3] || match[2];
+
+        if (
+          this.isVersionHeader(headerName) &&
+          this.containsVersionInfo(headerValue)
+        ) {
+          exposures.push({
+            header: headerName,
+            value: headerValue,
+            line: lineNumber,
+            framework,
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S038-Regex] Found version header exposure: ${headerName} = ${headerValue}`
+            );
+          }
+        }
+        break; // Found a match, no need to check other patterns
+      }
+    }
+
+    // Check bulk header setting
+    const bulkMatch = this.bulkSetPattern.exec(line);
+    if (bulkMatch) {
+      const headersContent = bulkMatch[1];
+      this.checkBulkHeaders(headersContent, lineNumber, exposures);
+    }
+  }
+
+  checkBulkHeaders(headersContent, lineNumber, exposures) {
+    // Parse object literal headers like { "X-Powered-By": "Express", "Server": "nginx/1.18" }
+    const headerMatches = headersContent.matchAll(
+      /['"`]([^'"`]+)['"`]\s*:\s*['"`]([^'"`]+)['"`]/g
+    );
+
+    for (const match of headerMatches) {
+      const headerName = match[1];
+      const headerValue = match[2];
+
+      if (
+        this.isVersionHeader(headerName) &&
+        this.containsVersionInfo(headerValue)
+      ) {
+        exposures.push({
+          header: headerName,
+          value: headerValue,
+          line: lineNumber,
+          framework: "bulk",
+        });
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S038-Regex] Found bulk version header exposure: ${headerName} = ${headerValue}`
+          );
+        }
+      }
+    }
+  }
+
+  isVersionHeader(headerName) {
+    return this.versionHeaders.some(
+      (vh) => vh.toLowerCase() === headerName.toLowerCase()
+    );
+  }
+
+  containsVersionInfo(value) {
+    return this.versionPatterns.some((pattern) => pattern.test(value));
+  }
+
+  cleanup() {}
+}
+
+module.exports = S038RegexBasedAnalyzer;

package/rules/security/S038_no_version_headers/symbol-based-analyzer.js

@@ -0,0 +1,375 @@
+/**
+ * S038 Sy      "X-Generator",
+      "X-Runtime",
+      "X-Version",
+      "X-Framework",
+      "X-Drupal-Cache",
+      "X-Varnish",
+      "X-Cache",
+      "X-Served-By",
+      "X-Database"
+    ];yzer - Do not expose version information in response headers
+ * Detects version header exposure in route handlers
+ */
+
+class S038SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S038";
+    this.semanticEngine = semanticEngine;
+    this.versionHeaders = [
+      "Server",
+      "X-Powered-By",
+      "X-AspNet-Version",
+      "X-AspNetMvc-Version",
+      "X-Generator",
+      "X-Runtime",
+      "X-Version",
+      "X-Framework",
+      "X-Drupal-Cache",
+      "X-Varnish",
+      "X-Cache",
+      "X-Served-By",
+      "X-Database",
+      "X-Framework",
+      "X-Drupal-Cache",
+      "X-Varnish",
+      "X-Cache",
+      "X-Served-By",
+    ];
+    this.securityMiddleware =
+      /helmet|hidePoweredBy|disable.*x.*powered.*by|removeHeader.*powered|noSniff/i;
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+
+    // Skip files that are unlikely to be route handlers
+    const skipPatterns = [
+      /\.dto\.ts$/,
+      /\.interface\.ts$/,
+      /\.module\.ts$/,
+      /\.service\.spec\.ts$/,
+      /\.controller\.spec\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.constants?\.ts$/,
+      /\.config\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return violations;
+    }
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find all function expressions and arrow functions that could be route handlers
+      const routeHandlers = [];
+
+      // Express route patterns: app.get("/path", (req, res) => {...})
+      const callExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+
+        // Check for Express route methods
+        if (/\.(get|post|put|delete|patch|use)$/.test(expression.getText())) {
+          const args = call.getArguments();
+          if (args.length >= 2) {
+            const lastArg = args[args.length - 1];
+            // The last argument should be the handler function
+            if (
+              lastArg.getKind() === SyntaxKind.ArrowFunction ||
+              lastArg.getKind() === SyntaxKind.FunctionExpression
+            ) {
+              routeHandlers.push({
+                handler: lastArg,
+                routeCall: call,
+                type: "express",
+              });
+            }
+          }
+        }
+      }
+
+      // Next.js export functions
+      const exportAssignments = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportAssignment
+      );
+      const exportDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportDeclaration
+      );
+      const functionDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.FunctionDeclaration
+      );
+
+      for (const func of functionDeclarations) {
+        const name = func.getName();
+        if (name && /^(GET|POST|PUT|DELETE|PATCH|handler)$/.test(name)) {
+          routeHandlers.push({
+            handler: func,
+            type: "nextjs",
+          });
+        }
+      }
+
+      // NestJS Controller methods with decorators
+      const methodDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.MethodDeclaration
+      );
+
+      for (const method of methodDeclarations) {
+        const decorators = method.getDecorators();
+        const hasRouteDecorator = decorators.some((decorator) => {
+          const decoratorName = decorator.getName();
+          return /^(Get|Post|Put|Delete|Patch|All)$/.test(decoratorName);
+        });
+
+        if (hasRouteDecorator) {
+          routeHandlers.push({
+            handler: method,
+            type: "nestjs",
+          });
+        }
+      }
+
+      // Nuxt.js defineEventHandler patterns
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+        if (expression.getKind() === SyntaxKind.Identifier) {
+          const identifier = expression.asKindOrThrow(SyntaxKind.Identifier);
+          if (identifier.getText() === "defineEventHandler") {
+            // Find the arrow function or function parameter
+            const args = call.getArguments();
+            if (args.length > 0) {
+              const firstArg = args[0];
+              if (
+                firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                firstArg.getKind() === SyntaxKind.FunctionExpression
+              ) {
+                routeHandlers.push({
+                  handler: firstArg,
+                  type: "nuxtjs",
+                });
+              }
+            }
+          }
+        }
+      }
+
+      // Nuxt.js named exports (GET, POST, etc.)
+      const nuxtExportAssignments = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportAssignment
+      );
+
+      for (const exportAssign of nuxtExportAssignments) {
+        const expr = exportAssign.getExpression();
+        if (expr.getKind() === SyntaxKind.ArrowFunction) {
+          routeHandlers.push({
+            handler: expr,
+            type: "nuxtjs",
+          });
+        }
+      }
+
+      // Analyze each route handler
+      for (const route of routeHandlers) {
+        const handlerViolations = this.analyzeRouteHandler(route);
+        violations.push(...handlerViolations);
+      }
+
+      // Only analyze actual route handlers - no file-level checking
+      // File-level checking removed to prevent false positives on DTO, module, service files
+    } catch (err) {
+      // Fallback - don't report errors from symbol analysis
+      console.warn(`Symbol analysis failed for ${filePath}:`, err.message);
+    }
+
+    return violations;
+  }
+
+  analyzeRouteHandler(route) {
+    const violations = [];
+    const { handler, routeCall, type } = route;
+
+    // Check if route contains security middleware (skip analysis if present)
+    const handlerText = handler.getFullText();
+    const routeText = routeCall ? routeCall.getFullText() : handlerText;
+
+    if (
+      this.securityMiddleware.test(routeText) ||
+      this.securityMiddleware.test(handlerText)
+    ) {
+      return violations; // Middleware handles header security
+    }
+
+    // Find version header exposures within this handler
+    const versionExposures = this.findVersionHeadersInNode(handler);
+
+    // Report violations for exposed version headers
+    for (const exposure of versionExposures) {
+      const startLine = exposure.node.getStartLineNumber();
+      violations.push({
+        ruleId: this.ruleId,
+        message: `Exposing version information in '${exposure.header}' header`,
+        severity: "warning",
+        line: startLine,
+        column: 1,
+      });
+    }
+
+    return violations;
+  }
+
+  findVersionHeadersInNode(node) {
+    const exposures = [];
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find all call expressions that set headers
+      const callExpressions = node.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+        const args = call.getArguments();
+
+        if (args.length >= 2) {
+          // Check different header setting patterns
+          const expressionText = expression.getText();
+
+          // Express/NestJS: res.setHeader("HeaderName", "value")
+          if (/\.(setHeader|set|header)$/.test(expressionText)) {
+            const headerArg = args[0];
+            const valueArg = args[1];
+
+            if (headerArg.getKind() === SyntaxKind.StringLiteral) {
+              const headerName = headerArg.getLiteralValue();
+              const isVersionHeader = this.versionHeaders.some(
+                (vh) => vh.toLowerCase() === headerName.toLowerCase()
+              );
+
+              if (isVersionHeader) {
+                // Check if the value contains version information
+                let hasVersionInfo = false;
+
+                if (valueArg.getKind() === SyntaxKind.StringLiteral) {
+                  const value = valueArg.getLiteralValue();
+                  hasVersionInfo = this.containsVersionInfo(value);
+                } else {
+                  // For non-literal values, assume they might contain version info
+                  hasVersionInfo = true;
+                }
+
+                if (hasVersionInfo) {
+                  exposures.push({
+                    node: call,
+                    header: headerName,
+                    value: valueArg.getText(),
+                  });
+                }
+              }
+            }
+          }
+
+          // Next.js: headers.set("HeaderName", "value")
+          if (/headers\s*\.\s*set$/.test(expressionText)) {
+            const headerArg = args[0];
+            const valueArg = args[1];
+
+            if (headerArg.getKind() === SyntaxKind.StringLiteral) {
+              const headerName = headerArg.getLiteralValue();
+              const isVersionHeader = this.versionHeaders.some(
+                (vh) => vh.toLowerCase() === headerName.toLowerCase()
+              );
+
+              if (isVersionHeader) {
+                exposures.push({
+                  node: call,
+                  header: headerName,
+                  value: valueArg.getText(),
+                });
+              }
+            }
+          }
+        }
+      }
+
+      // Check for object literal header settings
+      const objectLiterals = node.getDescendantsOfKind(
+        SyntaxKind.ObjectLiteralExpression
+      );
+
+      for (const obj of objectLiterals) {
+        const properties = obj.getProperties();
+
+        for (const prop of properties) {
+          if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+            const nameNode = prop.getNameNode();
+
+            if (nameNode.getKind() === SyntaxKind.StringLiteral) {
+              const headerName = nameNode.getLiteralValue();
+              const isVersionHeader = this.versionHeaders.some(
+                (vh) => vh.toLowerCase() === headerName.toLowerCase()
+              );
+
+              if (isVersionHeader) {
+                exposures.push({
+                  node: prop,
+                  header: headerName,
+                  value: prop.getInitializer()?.getText() || "unknown",
+                });
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.warn("Error analyzing version headers:", error.message);
+    }
+
+    return exposures;
+  }
+
+  containsVersionInfo(value) {
+    // Check if the value contains version patterns
+    const versionPatterns = [
+      /\d+\.\d+/, // Version numbers like 1.0, 2.1.3
+      /v\d+/i, // Version prefixes like v1, V2
+      /version/i, // The word "version"
+      /express/i, // Framework names
+      /node/i,
+      /nginx/i,
+      /apache/i,
+      /iis/i,
+      /php/i,
+      /asp\.net/i,
+      /ruby/i,
+      /python/i,
+      /django/i,
+      /rails/i,
+      /laravel/i,
+      /mysql/i, // Database versions
+      /postgresql/i,
+      /mongodb/i,
+      /redis/i,
+      /sqlite/i,
+      /mariadb/i,
+    ];
+
+    return versionPatterns.some((pattern) => pattern.test(value));
+  }
+
+  cleanup() {}
+}
+
+module.exports = S038SymbolBasedAnalyzer;