@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S039_no_session_tokens_in_url/README.md

@@ -0,0 +1,198 @@
+# S039 - Do Not Pass Session Tokens via URL Parameters
+
+## Overview
+
+Rule S039 detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.
+
+## Framework Support
+
+This rule supports multiple web frameworks:
+
+- **Express.js**: Parameter access via `req.query`, `req.params`
+- **Next.js**: URL parameter access via `searchParams.get()`, `new URL().searchParams`
+- **NestJS**: Parameter decorators `@Query()`, `@Param()`
+- **Nuxt.js**: Server route parameter handling
+- **Client-side**: Browser URL parameter access via `location.search`, `URLSearchParams`
+
+## Security Impact
+
+Passing session tokens via URL parameters creates several security vulnerabilities:
+
+1. **Web Server Logs**: URL parameters are logged in web server access logs
+2. **Browser History**: URLs with parameters are stored in browser history
+3. **Referrer Headers**: URLs may be exposed when navigating to external sites
+4. **Shared URLs**: Users may inadvertently share URLs containing tokens
+5. **Cache Poisoning**: URLs with tokens may be cached by proxies or CDNs
+6. **Analytics Tracking**: URL parameters are often sent to analytics services
+
+## Rule Details
+
+### Detected Token Parameter Names
+
+The rule detects the following session token parameter patterns:
+
+| Parameter Name | Variants                                            |
+| -------------- | --------------------------------------------------- |
+| Session ID     | `sessionId`, `session_id`, `session-id`             |
+| Session Token  | `sessionToken`, `session_token`, `session-token`    |
+| Auth Token     | `authToken`, `auth_token`, `auth-token`             |
+| Authorization  | `authorization`, `bearer`                           |
+| JWT            | `jwt`, `jwtToken`, `jwt_token`, `jwt-token`         |
+| Access Token   | `accessToken`, `access_token`, `access-token`       |
+| Refresh Token  | `refreshToken`, `refresh_token`, `refresh-token`    |
+| API Key        | `apiKey`, `api_key`, `api-key`                      |
+| CSRF Token     | `csrfToken`, `csrf_token`, `csrf-token`             |
+| XSRF Token     | `xsrfToken`, `xsrf_token`, `xsrf-token`             |
+| Generic Token  | `token`, `apiToken`, `api_token`, `api-token`       |
+| Session Key    | `sid`, `sessionkey`, `session_key`, `session-key`   |
+| User Token     | `userToken`, `user_token`, `user-token`             |
+| Auth Key       | `authKey`, `auth_key`, `auth-key`                   |
+| Security Token | `securityToken`, `security_token`, `security-token` |
+
+### Detected Access Patterns
+
+✅ **Secure Alternatives:**
+
+```typescript
+// Use Authorization header
+app.get("/api/user", (req, res) => {
+  const token = req.headers.authorization?.replace("Bearer ", "");
+  // Process token securely
+});
+
+// Use request body for POST requests
+app.post("/api/authenticate", (req, res) => {
+  const { sessionToken } = req.body;
+  // Process token securely
+});
+
+// Use secure cookies
+app.get("/api/profile", (req, res) => {
+  const sessionId = req.cookies.sessionId;
+  // Process session ID securely
+});
+```
+
+❌ **Violation Examples:**
+
+```typescript
+// Express.js violations
+app.get('/api/user', (req, res) => {
+  const sessionToken = req.query.sessionToken; // ❌ Token in URL
+  const authKey = req.params.authKey; // ❌ Token in URL
+});
+
+// Object destructuring violations
+app.get('/api/data', (req, res) => {
+  const { jwt, apiKey } = req.query; // ❌ Multiple tokens in URL
+});
+
+// NestJS violations
+@Get('user')
+getUserData(@Query('sessionToken') token: string) { // ❌ Token in URL
+  // ...
+}
+
+@Get('profile/:authToken')
+getProfile(@Param('authToken') token: string) { // ❌ Token in URL path
+  // ...
+}
+
+// Next.js violations
+export async function GET(request: Request) {
+  const url = new URL(request.url);
+  const jwt = url.searchParams.get('jwt'); // ❌ Token in URL
+  // ...
+}
+
+// Client-side violations
+const params = new URLSearchParams(location.search);
+const sessionId = params.get('sessionId'); // ❌ Token in URL
+```
+
+### Framework-Specific Detection
+
+#### Express.js
+
+- `req.query.tokenName`
+- `req.params.tokenName`
+- Object destructuring: `{ tokenName } = req.query`
+
+#### NestJS
+
+- `@Query('tokenName')`
+- `@Param('tokenName')`
+
+#### Next.js
+
+- `searchParams.get('tokenName')`
+- `new URL().searchParams.get('tokenName')`
+- `URLSearchParams().get('tokenName')`
+
+#### Client-side JavaScript
+
+- `location.search` with subsequent parameter parsing
+- `URLSearchParams(location.search).get('tokenName')`
+- `window.location.search` parameter access
+
+## Best Practices
+
+### ✅ Secure Token Transmission
+
+1. **Authorization Headers**:
+
+   ```typescript
+   // Send token in Authorization header
+   fetch("/api/data", {
+     headers: {
+       Authorization: `Bearer ${token}`,
+     },
+   });
+   ```
+
+2. **Request Body**:
+
+   ```typescript
+   // Send token in request body for POST requests
+   fetch("/api/authenticate", {
+     method: "POST",
+     headers: { "Content-Type": "application/json" },
+     body: JSON.stringify({ sessionToken: token }),
+   });
+   ```
+
+3. **Secure Cookies**:
+   ```typescript
+   // Store session in secure, HTTP-only cookies
+   res.cookie("sessionId", sessionId, {
+     httpOnly: true,
+     secure: true,
+     sameSite: "strict",
+   });
+   ```
+
+### ❌ Avoid These Patterns
+
+1. **URL Query Parameters**: Never pass tokens as `?token=abc123`
+2. **URL Path Parameters**: Never embed tokens in URL paths `/api/user/abc123`
+3. **Fragment Identifiers**: Avoid `#token=abc123` (though less logged)
+4. **Form GET Methods**: Don't use GET forms for token submission
+
+## Configuration
+
+The rule can be configured in `config.json`:
+
+```json
+{
+  "validation": {
+    "sessionTokenParams": ["custom-token", "my-auth-key"],
+    "frameworks": ["express", "nestjs", "nextjs"]
+  }
+}
+```
+
+## Related Security Rules
+
+- **S027**: No hardcoded secrets - Prevents tokens in source code
+- **S031**: Secure session cookies - Ensures proper cookie security
+- **S016**: No sensitive data in query strings - Broader sensitive data protection

package/rules/security/S039_no_session_tokens_in_url/analyzer.js

@@ -0,0 +1,262 @@
+/**
+ * S039 Main Analyzer - Do not pass Session Tokens via URL parameters
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S039 --input=examples/rule-test-fixtures/rules/S039_no_session_tokens_in_url --engine=heuristic
+ */
+
+const S039SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S039RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S039Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S039] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S039] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S039";
+    this.ruleName = "Do not pass Session Tokens via URL parameters";
+    this.description =
+      "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S039SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S039] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S039] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S039RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S039] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S039] Error creating regex analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S039] Main analyzer initializing...`);
+
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S039] Main analyzer initialized successfully`);
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S039] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S039] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S039] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S039] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S039] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S039] Total violations found: ${violations.length}`);
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S039] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S039] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S039] Trying symbol-based analysis...`);
+
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S039] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S039] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S039] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S039] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S039] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+
+          // If symbol-based found violations or prioritizeSymbolic is true, skip regex
+          if (this.config.prioritizeSymbolic && symbolViolations.length >= 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S039] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S039] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S039] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S039] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S039] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S039] Regex analysis failed:`, error.message);
+      }
+    }
+
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S039] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+
+module.exports = S039Analyzer;

package/rules/security/S039_no_session_tokens_in_url/config.json

@@ -0,0 +1,92 @@
+{
+  "id": "S039",
+  "name": "Do not pass Session Tokens via URL parameters",
+  "category": "security",
+  "description": "S039 - Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.",
+  "severity": "warning",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "sessionTokenParams": [
+      "sessionId",
+      "session_id",
+      "session-id",
+      "sessionToken",
+      "session_token",
+      "session-token",
+      "authToken",
+      "auth_token",
+      "auth-token",
+      "authorization",
+      "bearer",
+      "jwt",
+      "jwtToken",
+      "jwt_token",
+      "jwt-token",
+      "accessToken",
+      "access_token",
+      "access-token",
+      "refreshToken",
+      "refresh_token",
+      "refresh-token",
+      "apiKey",
+      "api_key",
+      "api-key",
+      "csrfToken",
+      "csrf_token",
+      "csrf-token",
+      "xsrfToken",
+      "xsrf_token",
+      "xsrf-token",
+      "token",
+      "apiToken",
+      "api_token",
+      "api-token",
+      "sid",
+      "sessionkey",
+      "session_key",
+      "session-key",
+      "userToken",
+      "user_token",
+      "user-token",
+      "authKey",
+      "auth_key",
+      "auth-key",
+      "securityToken",
+      "security_token",
+      "security-token"
+    ],
+    "urlAccessPatterns": [
+      "req.query",
+      "req.params",
+      "searchParams.get",
+      "@Query",
+      "@Param",
+      "URLSearchParams",
+      "location.search"
+    ],
+    "frameworks": ["express", "nestjs", "nextjs", "nuxtjs"]
+  }
+}