@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S049_short_validity_tokens/symbol-based-analyzer.js

@@ -0,0 +1,389 @@
+/**
+ * S049 Symbol-based Analyzer - Authentication tokens should have short validity periods
+ * Detects long-lived tokens using AST analysis
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+class S049SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S049";
+    
+    // Load configuration
+    const configPath = path.join(__dirname, 'config.json');
+    this.config = JSON.parse(fs.readFileSync(configPath, 'utf8')).configuration;
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+  }
+
+  /**
+   * Analyze file for authentication token validity issues
+   */
+  async analyze(filePath, language = "typescript", options = {}) {
+    if (!this.semanticEngine || !this.semanticEngine.parseCode) {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S049] No semantic engine available or parseCode method missing, skipping symbol-based analysis`);
+      }
+      return [];
+    }
+
+    try {
+      const sourceCode = fs.readFileSync(filePath, "utf8");
+      const ast = await this.semanticEngine.parseCode(sourceCode, language);
+      
+      if (!ast) {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S049] Failed to parse AST for: ${filePath}`);
+        }
+        return [];
+      }
+
+      const violations = [];
+      
+      // Traverse AST to find token-related violations
+      await this.traverseAST(ast, sourceCode, filePath, violations);
+      
+      return violations;
+    } catch (error) {
+      console.error(`🔧 [S049] Error in symbol-based analysis:`, error);
+      return [];
+    }
+  }
+
+  /**
+   * Traverse AST to find authentication token violations
+   */
+  async traverseAST(node, sourceCode, filePath, violations) {
+    if (!node || typeof node !== 'object') return;
+
+    try {
+      // Check for JWT token creation with long expiration
+      if (this.isJWTTokenCreation(node)) {
+        this.checkJWTExpiration(node, sourceCode, filePath, violations);
+      }
+
+      // Check for session configuration with long maxAge
+      if (this.isSessionConfiguration(node)) {
+        this.checkSessionExpiration(node, sourceCode, filePath, violations);
+      }
+
+      // Check for OAuth token configuration
+      if (this.isOAuthTokenConfiguration(node)) {
+        this.checkOAuthExpiration(node, sourceCode, filePath, violations);
+      }
+
+      // Check for tokens without expiration
+      if (this.isTokenWithoutExpiration(node)) {
+        this.checkMissingExpiration(node, sourceCode, filePath, violations);
+      }
+
+      // Recursively traverse child nodes
+      for (const key in node) {
+        if (node[key] && typeof node[key] === 'object') {
+          if (Array.isArray(node[key])) {
+            for (const child of node[key]) {
+              await this.traverseAST(child, sourceCode, filePath, violations);
+            }
+          } else {
+            await this.traverseAST(node[key], sourceCode, filePath, violations);
+          }
+        }
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error traversing AST node:`, error);
+    }
+  }
+
+  /**
+   * Check if node represents JWT token creation
+   */
+  isJWTTokenCreation(node) {
+    if (node.type === 'CallExpression') {
+      const callee = node.callee;
+      
+      // Check for jwt.sign(), jwt.create(), etc.
+      if (callee.type === 'MemberExpression') {
+        const object = callee.object?.name;
+        const method = callee.property?.name;
+        
+        return this.config.jwtLibraries.some(lib => object === lib || object === 'jwt') &&
+               this.config.tokenMethods.includes(method);
+      }
+      
+      // Check for direct function calls like sign()
+      if (callee.type === 'Identifier') {
+        return this.config.tokenMethods.includes(callee.name);
+      }
+    }
+    
+    return false;
+  }
+
+  /**
+   * Check JWT expiration configuration
+   */
+  checkJWTExpiration(node, sourceCode, filePath, violations) {
+    try {
+      const options = this.getOptionsObject(node);
+      if (!options) return;
+
+      let expirationValue = null;
+      let expirationProperty = null;
+
+      // Find expiration property
+      for (const prop of options.properties || []) {
+        const key = prop.key?.name || prop.key?.value;
+        if (this.config.jwtProperties.includes(key)) {
+          expirationProperty = key;
+          expirationValue = this.extractValue(prop.value);
+          break;
+        }
+      }
+
+      if (expirationValue !== null) {
+        const seconds = this.parseTimeValue(expirationValue);
+        if (seconds > this.config.maxValidityPeriods.accessToken) {
+          this.addViolation(violations, node, filePath, sourceCode, 
+            `JWT token expiration time (${expirationValue}) exceeds recommended maximum of ${this.config.maxValidityPeriods.accessToken} seconds`,
+            'long-expiration');
+        }
+      } else {
+        // No expiration found
+        this.addViolation(violations, node, filePath, sourceCode,
+          'JWT token created without expiration time',
+          'missing-expiration');
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error checking JWT expiration:`, error);
+    }
+  }
+
+  /**
+   * Check if node represents session configuration
+   */
+  isSessionConfiguration(node) {
+    if (node.type === 'CallExpression') {
+      const callee = node.callee;
+      
+      if (callee.type === 'Identifier') {
+        return this.config.sessionMethods.includes(callee.name);
+      }
+      
+      if (callee.type === 'MemberExpression') {
+        const method = callee.property?.name;
+        return this.config.sessionMethods.includes(method);
+      }
+    }
+    
+    return false;
+  }
+
+  /**
+   * Check session expiration configuration
+   */
+  checkSessionExpiration(node, sourceCode, filePath, violations) {
+    try {
+      const options = this.getOptionsObject(node);
+      if (!options) return;
+
+      let maxAge = null;
+
+      // Find maxAge property
+      for (const prop of options.properties || []) {
+        const key = prop.key?.name || prop.key?.value;
+        if (key === 'maxAge' || key === 'expires') {
+          maxAge = this.extractValue(prop.value);
+          break;
+        }
+      }
+
+      if (maxAge !== null) {
+        const seconds = this.parseTimeValue(maxAge, true); // Session times often in milliseconds
+        if (seconds > this.config.maxValidityPeriods.sessionToken) {
+          this.addViolation(violations, node, filePath, sourceCode,
+            `Session maxAge (${maxAge}) exceeds recommended maximum of ${this.config.maxValidityPeriods.sessionToken} seconds`,
+            'long-session');
+        }
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error checking session expiration:`, error);
+    }
+  }
+
+  /**
+   * Check if node represents OAuth token configuration
+   */
+  isOAuthTokenConfiguration(node) {
+    if (node.type === 'ObjectExpression') {
+      return node.properties?.some(prop => {
+        const key = prop.key?.name || prop.key?.value;
+        return this.config.oauthProperties.includes(key);
+      });
+    }
+    
+    return false;
+  }
+
+  /**
+   * Check OAuth token expiration
+   */
+  checkOAuthExpiration(node, sourceCode, filePath, violations) {
+    try {
+      for (const prop of node.properties || []) {
+        const key = prop.key?.name || prop.key?.value;
+        if (this.config.oauthProperties.includes(key)) {
+          const value = this.extractValue(prop.value);
+          if (value !== null) {
+            const seconds = this.parseTimeValue(value);
+            if (seconds > this.config.maxValidityPeriods.accessToken) {
+              this.addViolation(violations, node, filePath, sourceCode,
+                `OAuth token lifetime (${value}) exceeds recommended maximum of ${this.config.maxValidityPeriods.accessToken} seconds`,
+                'long-oauth-token');
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.error(`🔧 [S049] Error checking OAuth expiration:`, error);
+    }
+  }
+
+  /**
+   * Check if token is created without expiration
+   */
+  isTokenWithoutExpiration(node) {
+    if (node.type === 'CallExpression' && this.isJWTTokenCreation(node)) {
+      const options = this.getOptionsObject(node);
+      if (!options) return true; // No options object means no expiration
+      
+      // Check if any expiration property exists
+      return !options.properties?.some(prop => {
+        const key = prop.key?.name || prop.key?.value;
+        return this.config.jwtProperties.includes(key);
+      });
+    }
+    
+    return false;
+  }
+
+  /**
+   * Check for missing expiration
+   */
+  checkMissingExpiration(node, sourceCode, filePath, violations) {
+    this.addViolation(violations, node, filePath, sourceCode,
+      'Authentication token created without expiration time',
+      'missing-expiration');
+  }
+
+  /**
+   * Get options object from function call
+   */
+  getOptionsObject(node) {
+    if (!node.arguments || node.arguments.length < 3) return null;
+    
+    const optionsArg = node.arguments[2]; // Usually the third argument
+    if (optionsArg?.type === 'ObjectExpression') {
+      return optionsArg;
+    }
+    
+    return null;
+  }
+
+  /**
+   * Extract value from AST node
+   */
+  extractValue(node) {
+    if (!node) return null;
+    
+    switch (node.type) {
+      case 'Literal':
+        return node.value;
+      case 'TemplateLiteral':
+        if (node.expressions.length === 0 && node.quasis.length === 1) {
+          return node.quasis[0].value.raw;
+        }
+        break;
+      case 'BinaryExpression':
+        if (node.operator === '*') {
+          const left = this.extractValue(node.left);
+          const right = this.extractValue(node.right);
+          if (typeof left === 'number' && typeof right === 'number') {
+            return left * right;
+          }
+        }
+        break;
+    }
+    
+    return null;
+  }
+
+  /**
+   * Parse time value to seconds
+   */
+  parseTimeValue(value, isMilliseconds = false) {
+    if (typeof value === 'number') {
+      return isMilliseconds ? Math.floor(value / 1000) : value;
+    }
+    
+    if (typeof value === 'string') {
+      // Handle string formats like '1h', '30d', '2w'
+      const match = value.match(/^(\d+)\s*([a-zA-Z]+)?$/);
+      if (match) {
+        const num = parseInt(match[1]);
+        const unit = match[2]?.toLowerCase() || 's';
+        
+        const multiplier = this.config.timeUnits[unit] || 
+                          this.config.timeUnits[unit + 's'] || 1;
+        
+        return num * multiplier;
+      }
+    }
+    
+    return value || 0;
+  }
+
+  /**
+   * Add violation to results
+   */
+  addViolation(violations, node, filePath, sourceCode, message, subType) {
+    const lines = sourceCode.split('\n');
+    const startLine = node.loc?.start?.line || 1;
+    const endLine = node.loc?.end?.line || startLine;
+    
+    violations.push({
+      ruleId: this.ruleId,
+      message,
+      severity: "error",
+      line: startLine,
+      column: node.loc?.start?.column || 0,
+      endLine,
+      endColumn: node.loc?.end?.column || 0,
+      source: lines[startLine - 1] || "",
+      filePath,
+      type: "symbol-based",
+      subType,
+      context: {
+        surrounding: this.getSurroundingLines(lines, startLine, 3)
+      }
+    });
+  }
+
+  /**
+   * Get surrounding lines for context
+   */
+  getSurroundingLines(lines, centerLine, contextLines) {
+    const start = Math.max(0, centerLine - contextLines - 1);
+    const end = Math.min(lines.length, centerLine + contextLines);
+    return lines.slice(start, end).join('\n');
+  }
+
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+
+module.exports = S049SymbolBasedAnalyzer;