@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S039_no_session_tokens_in_url/symbol-based-analyzer.js

@@ -0,0 +1,443 @@
+/**
+ * S039 Symbol-Based Analyzer - Do not pass Session Tokens via URL parameters
+ * Enhanced to analyze per route handler for URL parameter token exposure
+ */
+
+class S039SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S039";
+    this.semanticEngine = semanticEngine;
+
+    // Session token parameter names to detect
+    this.sessionTokenParams = [
+      "sessionId",
+      "session_id",
+      "session-id",
+      "sessionToken",
+      "session_token",
+      "session-token",
+      "authToken",
+      "auth_token",
+      "auth-token",
+      "authorization",
+      "bearer",
+      "jwt",
+      "jwtToken",
+      "jwt_token",
+      "jwt-token",
+      "accessToken",
+      "access_token",
+      "access-token",
+      "refreshToken",
+      "refresh_token",
+      "refresh-token",
+      "apiKey",
+      "api_key",
+      "api-key",
+      "csrfToken",
+      "csrf_token",
+      "csrf-token",
+      "xsrfToken",
+      "xsrf_token",
+      "xsrf-token",
+      "token",
+      "apiToken",
+      "api_token",
+      "api-token",
+      "sid",
+      "sessionkey",
+      "session_key",
+      "session-key",
+      "userToken",
+      "user_token",
+      "user-token",
+      "authKey",
+      "auth_key",
+      "auth-key",
+      "securityToken",
+      "security_token",
+      "security-token",
+    ];
+
+    // Pattern to detect session token-like values
+    this.tokenValuePattern = /^[a-zA-Z0-9+/=\-_.]{16,}$/;
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+
+    // Skip files that are unlikely to be route handlers
+    const skipPatterns = [
+      /\.dto\.ts$/,
+      /\.interface\.ts$/,
+      /\.module\.ts$/,
+      /\.service\.spec\.ts$/,
+      /\.controller\.spec\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.constants?.ts$/,
+      /\.config\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return violations;
+    }
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find all function expressions and arrow functions that could be route handlers
+      const routeHandlers = [];
+
+      // Express route patterns: app.get("/path", (req, res) => {...})
+      const callExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const nameNode = expression.getNameNode();
+          if (nameNode) {
+            const methodName = nameNode.getText();
+            if (/^(get|post|put|delete|patch|all|use)$/.test(methodName)) {
+              const args = call.getArguments();
+              const lastArg = args[args.length - 1];
+              // The last argument should be the handler function
+              if (
+                lastArg && (
+                  lastArg.getKind() === SyntaxKind.ArrowFunction ||
+                  lastArg.getKind() === SyntaxKind.FunctionExpression
+                )
+              ) {
+                routeHandlers.push({
+                  handler: lastArg,
+                  routeCall: call,
+                  type: "express",
+                });
+              }
+            }
+          }
+        }
+      }
+
+      // Next.js export functions
+      const exportAssignments = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportAssignment
+      );
+      const exportDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ExportDeclaration
+      );
+      const functionDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.FunctionDeclaration
+      );
+
+      for (const func of functionDeclarations) {
+        const name = func.getName();
+        if (name && /^(GET|POST|PUT|DELETE|PATCH|handler)$/.test(name)) {
+          routeHandlers.push({
+            handler: func,
+            type: "nextjs",
+          });
+        }
+      }
+
+      // NestJS Controller methods with decorators
+      const methodDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.MethodDeclaration
+      );
+
+      for (const method of methodDeclarations) {
+        const decorators = method.getDecorators();
+        const hasRouteDecorator = decorators.some((decorator) => {
+          const decoratorName = decorator.getName();
+          return /^(Get|Post|Put|Delete|Patch|All)$/.test(decoratorName);
+        });
+
+        if (hasRouteDecorator) {
+          routeHandlers.push({
+            handler: method,
+            type: "nestjs",
+          });
+        }
+      }
+
+      // Nuxt.js defineEventHandler patterns
+      for (const call of callExpressions) {
+        const expression = call.getExpression();
+        if (expression && expression.getKind() === SyntaxKind.Identifier) {
+          const identifier = expression.asKindOrThrow(SyntaxKind.Identifier);
+          if (identifier.getText() === "defineEventHandler") {
+            // Find the arrow function or function parameter
+            const args = call.getArguments();
+            if (args.length > 0) {
+              const firstArg = args[0];
+              if (
+                firstArg && (
+                  firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                  firstArg.getKind() === SyntaxKind.FunctionExpression
+                )
+              ) {
+                routeHandlers.push({
+                  handler: firstArg,
+                  type: "nuxtjs",
+                });
+              }
+            }
+          }
+        }
+      }
+
+      // Analyze each route handler for session token exposure in URL parameters
+      for (const { handler, routeCall, type } of routeHandlers) {
+        try {
+          const handlerViolations = this.analyzeRouteHandler(
+            handler,
+            routeCall,
+            type,
+            filePath
+          );
+          violations.push(...handlerViolations);
+        } catch (error) {
+          console.warn(
+            `⚠ [S039] Handler analysis failed for ${type}:`,
+            error.message
+          );
+        }
+      }
+    } catch (error) {
+      console.warn(
+        `⚠ [S039] Symbol analysis failed for ${filePath}:`,
+        error.message
+      );
+    }
+
+    return violations;
+  }
+
+  analyzeRouteHandler(handler, routeCall, type, filePath) {
+    const violations = [];
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find URL parameter access patterns within this handler
+      const tokenExposures = this.findTokenParametersInNode(handler);
+
+      // Report violations for exposed session tokens in URL parameters
+      for (const exposure of tokenExposures) {
+        const startLine = exposure.node.getStartLineNumber();
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Session token '${exposure.paramName}' passed via URL parameter - use secure headers or request body instead`,
+          severity: "warning",
+          line: startLine,
+          column: 1,
+        });
+      }
+    } catch (error) {
+      console.warn(`⚠ [S039] Route handler analysis failed:`, error.message);
+    }
+
+    return violations;
+  }
+
+  findTokenParametersInNode(node) {
+    const exposures = [];
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // For NestJS, check decorator parameters first
+      if (node && node.getKind() === SyntaxKind.MethodDeclaration) {
+        const parameters = node.getParameters();
+        for (const param of parameters) {
+          const decorators = param.getDecorators();
+          for (const decorator of decorators) {
+            const decoratorName = decorator.getName();
+            if (decoratorName === "Query" || decoratorName === "Param") {
+              const args = decorator.getArguments();
+              if (args.length > 0) {
+                const firstArg = args[0];
+                if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
+                  const paramName = firstArg.getLiteralValue();
+                  if (this.isSessionTokenParam(paramName)) {
+                    exposures.push({
+                      node: param,
+                      paramName: paramName,
+                      accessType: decoratorName.toLowerCase(),
+                    });
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+
+      // Find all property access expressions for URL parameters
+      const propertyAccesses = node.getDescendantsOfKind(
+        SyntaxKind.PropertyAccessExpression
+      );
+
+      for (const propAccess of propertyAccesses) {
+        const expression = propAccess.getExpression();
+        const property = propAccess.getName();
+
+        // Check for req.query.paramName patterns
+        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const parentExpression = expression.getExpression();
+          const parentProperty = expression.getName();
+
+          // req.query.sessionToken, req.params.authToken, etc.
+          if (
+            parentProperty === "query" ||
+            parentProperty === "params" ||
+            parentProperty === "searchParams"
+          ) {
+            if (this.isSessionTokenParam(property)) {
+              exposures.push({
+                node: propAccess,
+                paramName: property,
+                accessType: parentProperty,
+              });
+            }
+          }
+        }
+      }
+
+      // Check for bracket notation access: req.query["access-token"]
+      const elementAccessExpressions = node.getDescendantsOfKind(
+        SyntaxKind.ElementAccessExpression
+      );
+
+      for (const elemAccess of elementAccessExpressions) {
+        const expression = elemAccess.getExpression();
+        const argumentExpression = elemAccess.getArgumentExpression();
+
+        if (
+          expression && expression.getKind() === SyntaxKind.PropertyAccessExpression &&
+          argumentExpression &&
+          argumentExpression.getKind() === SyntaxKind.StringLiteral
+        ) {
+          const parentProperty = expression.getName();
+          const paramName = argumentExpression.getLiteralValue();
+
+          // req.query["sessionToken"], req.params["authToken"], etc.
+          if (
+            (parentProperty === "query" ||
+              parentProperty === "params" ||
+              parentProperty === "searchParams") &&
+            this.isSessionTokenParam(paramName)
+          ) {
+            exposures.push({
+              node: elemAccess,
+              paramName: paramName,
+              accessType: parentProperty,
+            });
+          }
+        }
+      }
+
+      // Check for URL.searchParams.get() patterns
+      const callExpressions = node.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        const callExpression = call.getExpression();
+        if (callExpression && callExpression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const methodName = callExpression.getName();
+          const objectExpression = callExpression.getExpression();
+
+          // searchParams.get("sessionToken"), URLSearchParams.get("token")
+          if (
+            methodName === "get" &&
+            objectExpression && objectExpression.getText().includes("searchParams")
+          ) {
+            const args = call.getArguments();
+            if (args.length > 0) {
+              const firstArg = args[0];
+              if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
+                const paramName = firstArg.getLiteralValue();
+                if (this.isSessionTokenParam(paramName)) {
+                  exposures.push({
+                    node: call,
+                    paramName: paramName,
+                    accessType: "searchParams",
+                  });
+                }
+              }
+            }
+          }
+        }
+      }
+
+      // Check for object destructuring patterns
+      const variableDeclarations = node.getDescendantsOfKind(
+        SyntaxKind.VariableDeclaration
+      );
+
+      for (const varDecl of variableDeclarations) {
+        const nameNode = varDecl.getNameNode();
+        if (nameNode && nameNode.getKind() === SyntaxKind.ObjectBindingPattern) {
+          const bindingPattern = nameNode.asKindOrThrow(
+            SyntaxKind.ObjectBindingPattern
+          );
+          const elements = bindingPattern.getElements();
+
+          const initializer = varDecl.getInitializer();
+          if (
+            initializer &&
+            (initializer.getText().includes("req.query") ||
+              initializer.getText().includes("req.params") ||
+              initializer.getText().includes("searchParams"))
+          ) {
+            for (const element of elements) {
+              let paramName = null;
+
+              // Handle both { paramName } and { "param-name": alias } patterns
+              const propNameNode = element.getPropertyNameNode();
+              const nameNode = element.getNameNode();
+
+              if (propNameNode) {
+                // { "param-name": alias } or { paramName: alias }
+                paramName = propNameNode.getText().replace(/['"]/g, "");
+              } else if (nameNode) {
+                // { paramName } shorthand
+                paramName = nameNode.getText();
+              }
+
+              if (this.isSessionTokenParam(paramName)) {
+                exposures.push({
+                  node: element,
+                  paramName: paramName,
+                  accessType: "destructuring",
+                });
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.warn(`⚠ [S039] Parameter analysis failed:`, error.message);
+    }
+
+    return exposures;
+  }
+
+  isSessionTokenParam(paramName) {
+    return this.sessionTokenParams.some(
+      (tokenParam) => tokenParam.toLowerCase() === paramName.toLowerCase()
+    );
+  }
+
+  cleanup() {}
+}
+
+module.exports = S039SymbolBasedAnalyzer;

package/rules/security/S049_short_validity_tokens/analyzer.js

@@ -0,0 +1,175 @@
+/**
+ * S049 Main Analyzer - Authentication tokens should have short validity periods
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S049 --input=examples/rule-test-fixtures/rules/S049_short_validity_tokens --engine=heuristic
+ */
+
+const S049SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S049RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S049Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S049] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S049] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S049";
+    this.ruleName = "Authentication tokens should have short validity periods";
+    this.description =
+      "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to minimize the risk of token compromise. Long-lived tokens increase the attack surface and potential impact of token theft.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Primary approach
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Can be set to true for pure mode
+    };
+
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S049SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S049] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S049RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S049] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error creating regex analyzer:`, error);
+    }
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S049] Main analyzer initializing...`);
+    }
+
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S049] Main analyzer initialized successfully`);
+    }
+  }
+
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`📊 [S049] analyzeSingle() called for: ${filePath}`);
+    }
+
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S049] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const results = [];
+    const preferredEngine = options.engine || "heuristic";
+
+    for (const filePath of files) {
+      let fileResults = [];
+
+      try {
+        // Determine analysis strategy
+        let useSymbolBased = this.config.useSymbolBased && this.semanticEngine;
+        
+        if (preferredEngine === "regex") {
+          useSymbolBased = false;
+        }
+
+        // Primary analysis: Symbol-based (when available and enabled)
+        if (useSymbolBased && this.symbolAnalyzer) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S049] Using symbol-based analysis for: ${filePath}`);
+          }
+          
+          try {
+            fileResults = await this.symbolAnalyzer.analyze(filePath, language, options);
+          } catch (error) {
+            console.error(`🔧 [S049] Symbol-based analysis failed:`, error);
+            fileResults = [];
+          }
+        }
+
+        // Fallback analysis: Regex-based
+        if ((!fileResults || fileResults.length === 0) && this.config.fallbackToRegex && this.regexAnalyzer) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S049] Using regex-based analysis for: ${filePath}`);
+          }
+          
+          try {
+            fileResults = await this.regexAnalyzer.analyze(filePath, language, options);
+          } catch (error) {
+            console.error(`🔧 [S049] Regex-based analysis failed:`, error);
+            fileResults = [];
+          }
+        }
+
+        // Add file results to overall results
+        if (fileResults && fileResults.length > 0) {
+          results.push(...fileResults);
+        }
+
+      } catch (error) {
+        console.error(`🔧 [S049] Error analyzing file ${filePath}:`, error);
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S049] Analysis completed. Found ${results.length} issues.`);
+    }
+
+    return results;
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer) {
+      this.symbolAnalyzer.cleanup?.();
+    }
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+  }
+}
+
+module.exports = S049Analyzer;