@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/rules/security/S039_no_session_tokens_in_url/regex-based-analyzer.js

@@ -0,0 +1,337 @@
+/**
+ * S039 Regex-Based Analyzer - Do not pass Session Tokens via URL parameters
+ * Detects session token exposure in URL parameters across different frameworks
+ */
+const fs = require("fs");
+
+class S039RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S039";
+
+    // Framework-specific route patterns
+    this.routePatterns = {
+      // Express.js
+      express:
+        /\b(app|router)\.(get|post|put|delete|patch|use)\s*\(\s*['"`][^'"`]+['"`]/,
+      // Next.js API routes (legacy handler)
+      nextjs: /export\s+(default\s+)?async?\s+function\s+handler\s*\(/,
+      // Next.js 13+ App Router HTTP methods
+      nextjsApp:
+        /export\s+async?\s+function\s+(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s*\(/,
+      // NestJS controllers
+      nestjs: /@(Get|Post|Put|Delete|Patch)\s*\(\s*['"`][^'"`]*['"`]?\s*\)/,
+      // Nuxt.js server routes
+      nuxtjs:
+        /export\s+(default\s+|const\s+(GET|POST|PUT|DELETE|PATCH)\s*=\s*)?defineEventHandler\s*\(/,
+    };
+
+    // Session token parameter names to detect
+    this.sessionTokenParams = [
+      "sessionId",
+      "session_id",
+      "session-id",
+      "sessionToken",
+      "session_token",
+      "session-token",
+      "authToken",
+      "auth_token",
+      "auth-token",
+      "authorization",
+      "bearer",
+      "jwt",
+      "jwtToken",
+      "jwt_token",
+      "jwt-token",
+      "accessToken",
+      "access_token",
+      "access-token",
+      "refreshToken",
+      "refresh_token",
+      "refresh-token",
+      "apiKey",
+      "api_key",
+      "api-key",
+      "csrfToken",
+      "csrf_token",
+      "csrf-token",
+      "xsrfToken",
+      "xsrf_token",
+      "xsrf-token",
+      "token",
+      "apiToken",
+      "api_token",
+      "api-token",
+      "sid",
+      "sessionkey",
+      "session_key",
+      "session-key",
+      "userToken",
+      "user_token",
+      "user-token",
+      "authKey",
+      "auth_key",
+      "auth-key",
+      "securityToken",
+      "security_token",
+      "security-token",
+    ];
+
+    // URL parameter access patterns for different frameworks
+    this.urlParamPatterns = {
+      // Express.js: req.query.sessionToken, req.params.authToken
+      express: /req\.(query|params)\.(\w+)/g,
+      // Express.js bracket notation: req.query["access-token"]
+      expressBracket: /req\.(query|params)\[['"`]([^'"`]+)['"`]\]/g,
+      // NestJS: @Query('sessionToken'), @Param('authToken')
+      nestjs: /@(Query|Param)\s*\(\s*['"`](\w+)['"`]\s*\)/g,
+      // Next.js: searchParams.get('sessionToken')
+      nextjs: /searchParams\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
+      // Generic destructuring: { sessionToken } = req.query
+      destructuring: /\{\s*([^}]+)\s*\}\s*=\s*req\.(query|params)/g,
+      // URL constructor patterns: new URL().searchParams.get()
+      urlConstructor:
+        /new\s+URL\([^)]+\)\.searchParams\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
+      // URLSearchParams patterns: params.get("token")
+      urlSearchParams: /(\w+)\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g,
+    };
+
+    // Pattern to detect session token-like values
+    this.tokenValuePattern = /^[a-zA-Z0-9+/=\-_.]{16,}$/;
+  }
+
+  async analyze(filePath) {
+    // Skip files that are unlikely to be route handlers
+    const skipPatterns = [
+      /\.dto\.ts$/,
+      /\.interface\.ts$/,
+      /\.module\.ts$/,
+      /\.service\.spec\.ts$/,
+      /\.controller\.spec\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.constants?\.ts$/,
+      /\.config\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return [];
+    }
+
+    const content = fs.readFileSync(filePath, "utf8");
+    const lines = content.split(/\r?\n/);
+    const violations = [];
+
+    let inRoute = false;
+    let braceDepth = 0;
+    let routeStartLine = 0;
+    let routeType = null;
+    const tokenExposures = [];
+
+    // Helper functions
+    const reset = () => {
+      inRoute = false;
+      braceDepth = 0;
+      routeStartLine = 0;
+      routeType = null;
+      tokenExposures.length = 0;
+    };
+
+    const evaluate = () => {
+      // Report violations for exposed session tokens
+      for (const exposure of tokenExposures) {
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Session token '${exposure.paramName}' passed via URL parameter - use secure headers or request body instead`,
+          severity: "warning",
+          line: exposure.line,
+          column: 1,
+        });
+      }
+    };
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+
+      // Detect route start for different frameworks
+      if (!inRoute) {
+        for (const [framework, pattern] of Object.entries(this.routePatterns)) {
+          if (pattern.test(line)) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S039-Regex] Found ${framework} route at line ${
+                  i + 1
+                }: ${line.trim()}`
+              );
+            inRoute = true;
+            routeStartLine = i + 1;
+            routeType = framework;
+            braceDepth =
+              (line.match(/\{/g) || []).length -
+              (line.match(/\}/g) || []).length;
+
+            // If no opening brace on this line, look ahead for it
+            if (braceDepth === 0) {
+              for (let j = i + 1; j < Math.min(i + 3, lines.length); j++) {
+                const nextLine = lines[j];
+                if (nextLine.includes("{")) {
+                  braceDepth =
+                    (nextLine.match(/\{/g) || []).length -
+                    (nextLine.match(/\}/g) || []).length;
+                  break;
+                }
+              }
+            }
+            break;
+          }
+        }
+      }
+
+      if (inRoute) {
+        // Update brace depth
+        braceDepth +=
+          (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
+
+        // Check for session token parameter access
+        this.checkTokenParameterAccess(line, i + 1, tokenExposures);
+
+        // End of route detection
+        if (
+          braceDepth <= 0 &&
+          (/\)\s*;?\s*$/.test(line) ||
+            /^\s*\}\s*$/.test(line) ||
+            /^export/.test(line))
+        ) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S039-Regex] Route ended, evaluating: Token exposures=${tokenExposures.length}`
+            );
+          }
+          evaluate();
+          reset();
+        }
+      }
+    }
+
+    // Safety evaluate if unbalanced at file end
+    if (inRoute) evaluate();
+
+    return violations;
+  }
+
+  checkTokenParameterAccess(line, lineNumber, exposures) {
+    // Check each URL parameter access pattern
+    for (const [framework, pattern] of Object.entries(this.urlParamPatterns)) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        let paramName = null;
+
+        if (framework === "express") {
+          // req.query.sessionToken or req.params.authToken
+          paramName = match[2];
+        } else if (framework === "expressBracket") {
+          // req.query["access-token"] or req.params["auth-token"]
+          paramName = match[2];
+        } else if (framework === "nestjs") {
+          // @Query('sessionToken') or @Param('authToken')
+          paramName = match[2];
+        } else if (framework === "nextjs" || framework === "urlConstructor") {
+          // searchParams.get('sessionToken'), new URL().searchParams.get('token')
+          paramName = match[1];
+        } else if (framework === "urlSearchParams") {
+          // params.get('sessionToken') - general URLSearchParams pattern
+          paramName = match[2];
+        } else if (framework === "destructuring") {
+          // { sessionToken, authToken } = req.query
+          const destructuredParams = match[1].split(",").map((p) => p.trim());
+          for (const param of destructuredParams) {
+            const cleanParam = param.replace(/['"]/g, "");
+            if (this.isSessionTokenParam(cleanParam)) {
+              exposures.push({
+                paramName: cleanParam,
+                line: lineNumber,
+                framework: framework,
+                accessType: match[2], // query or params
+              });
+              if (process.env.SUNLINT_DEBUG) {
+                console.log(
+                  `🔧 [S039-Regex] Found token parameter exposure: ${cleanParam} via ${framework}`
+                );
+              }
+            }
+          }
+          continue; // Skip the normal parameter check below
+        }
+
+        if (paramName && this.isSessionTokenParam(paramName)) {
+          exposures.push({
+            paramName: paramName,
+            line: lineNumber,
+            framework: framework,
+            accessType: framework === "express" ? match[1] : "parameter",
+          });
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S039-Regex] Found token parameter exposure: ${paramName} via ${framework}`
+            );
+          }
+        }
+      }
+    }
+
+    // Additional patterns for hardcoded URL parsing
+    const hardcodedPatterns = [
+      // window.location.search, location.search
+      /(?:window\.)?location\.search/g,
+      // URLSearchParams(location.search)
+      /URLSearchParams\s*\(\s*(?:window\.)?location\.search\s*\)/g,
+      // document.location.search
+      /document\.location\.search/g,
+    ];
+
+    for (const pattern of hardcodedPatterns) {
+      if (pattern.test(line)) {
+        // Look for subsequent .get() calls or parameter access in nearby lines
+        for (
+          let j = Math.max(0, lineNumber - 3);
+          j < Math.min(lineNumber + 3, exposures.length + lineNumber);
+          j++
+        ) {
+          const nearbyLine = exposures[j] || line;
+          const getMatches = [
+            ...nearbyLine.matchAll(/\.get\s*\(\s*['"`](\w+)['"`]\s*\)/g),
+          ];
+          for (const getMatch of getMatches) {
+            const paramName = getMatch[1];
+            if (this.isSessionTokenParam(paramName)) {
+              exposures.push({
+                paramName: paramName,
+                line: lineNumber,
+                framework: "client-side",
+                accessType: "url-search",
+              });
+              if (process.env.SUNLINT_DEBUG) {
+                console.log(
+                  `🔧 [S039-Regex] Found client-side token parameter: ${paramName}`
+                );
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  isSessionTokenParam(paramName) {
+    return this.sessionTokenParams.some(
+      (tokenParam) => tokenParam.toLowerCase() === paramName.toLowerCase()
+    );
+  }
+
+  cleanup() {}
+}
+
+module.exports = S039RegexBasedAnalyzer;