@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S051_password_length_policy/analyzer.js

@@ -0,0 +1,410 @@
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * S051: Password length policy enforcement (12-64 chars recommended, reject >128)
+ * 
+ * Detects:
+ * 1. Weak minimum length validators (<12 chars)
+ * 2. Missing maximum length limits
+ * 3. Bcrypt usage without length validation (>72 bytes truncation)
+ * 4. Cross-file FE/BE policy mismatches
+ * 
+ * Uses multi-signal approach: requires ≥2 password context signals to reduce false positives
+ */
+class S051PasswordLengthPolicyAnalyzer {
+  constructor(config = null) {
+    this.ruleId = 'S051';
+    this.loadConfig(config);
+    
+    // Compile regex patterns for performance
+    this.compiledPatterns = this.compilePatterns();
+    this.verbose = false;
+  }
+
+  loadConfig(config) {
+    try {
+      if (config && config.options) {
+        this.config = config;
+        this.lengthPolicy = config.options.lengthPolicy || {};
+        this.passwordIdentifiers = config.options.passwordIdentifiers || [];
+        this.validatorPatterns = config.options.validatorPatterns || {};
+        this.bcryptHints = config.options.bcryptHints || {};
+        this.contextSignals = config.options.contextSignals || {};
+        this.policy = config.options.policy || {};
+        this.allowlist = config.options.allowlist || { paths: [] };
+        this.thresholds = config.options.thresholds || {};
+      } else {
+        // Load from config file
+        const configPath = path.join(__dirname, 'config.json');
+        const configData = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+        this.loadConfig(configData);
+      }
+    } catch (error) {
+      console.warn(`[S051] Failed to load config: ${error.message}`);
+      this.initializeDefaultConfig();
+    }
+  }
+
+  initializeDefaultConfig() {
+    this.lengthPolicy = {
+      minAllowedRange: { min: 8, recommended: 12, warnBelow: 12, errorBelow: 8 },
+      maxRecommended: 64,
+      hardRejectLength: 128
+    };
+    this.passwordIdentifiers = ['password', 'passwd', 'pwd', 'passphrase', 'secret'];
+    this.validatorPatterns = {
+      fe: [
+        'minLength\\s*:\\s*(\\d+)',  // minLength: 8
+        'maxLength\\s*:\\s*(\\d+)',  // maxLength: 20
+        'minlength\\s*=\\s*[\'\"](\\d+)[\'"]',  // minlength="8"
+        'minLength\\s*=\\s*[\'\"](\\d+)[\'"]',  // minLength="8"
+        'minLength\\s*=\\s*(\\d+)',  // minLength=8 (without quotes)
+        'minlength\\s*=\\s*(\\d+)'   // minlength=8 (without quotes)
+      ],
+      be: [
+        'password\\.length\\s*[<>]=?\\s*(\\d+)',  // password.length < 8
+        'minlength\\s*:\\s*(\\d+)',  // minlength: 8
+        'maxlength\\s*:\\s*(\\d+)',  // maxlength: 50
+        'if\\s*\\([^)]*password[^)]*\\.length\\s*[<>]=?\\s*(\\d+)\\s*\\)'  // if (password.length < 6)
+      ]
+    };
+    this.bcryptHints = { 
+      apis: ['bcrypt\\.hash', 'bcrypt\\.compare', 'bcryptjs'], 
+      warnOnMissingLengthCheck: true, 
+      byteLimit: 72 
+    };
+    this.contextSignals = {
+      routes: ['auth', 'signup', 'login', 'reset', 'password'],
+      files: ['auth', 'password', 'security', 'user'],
+      methods: ['hashPassword', 'validatePassword', 'setPassword', 'changePassword'],
+      uiHints: ['type=[\'"]password[\'"]', 'placeholder.*password']
+    };
+    this.policy = { 
+      requireMinSignals: 1,  // Lower for testing - will increase later
+      alignFeBe: true, 
+      rejectOverHardLimit: true 
+    };
+    this.allowlist = { paths: ['test/', 'tests/', '__tests__/', 'spec/', 'fixtures/'] };
+    this.thresholds = { maxWeakValidators: 0, maxBcryptWithoutLengthCheck: 0 };
+  }
+
+  compilePatterns() {
+    const patterns = {
+      feValidators: [],
+      beValidators: [],
+      passwordContext: new RegExp(`\\b(${this.passwordIdentifiers.join('|')})\\b`, 'gi'),
+      bcryptApis: []
+    };
+
+    // Compile FE validator patterns
+    if (this.validatorPatterns.fe) {
+      patterns.feValidators = this.validatorPatterns.fe.map(regex => new RegExp(regex, 'gi'));
+    }
+
+    // Compile BE validator patterns
+    if (this.validatorPatterns.be) {
+      patterns.beValidators = this.validatorPatterns.be.map(regex => new RegExp(regex, 'gi'));
+    }
+
+    // Compile bcrypt API patterns
+    if (this.bcryptHints.apis) {
+      patterns.bcryptApis = this.bcryptHints.apis.map(regex => new RegExp(regex, 'gi'));
+    }
+
+    return patterns;
+  }
+
+  analyze(files, language, options = {}) {
+    this.verbose = options.verbose || false;
+    const violations = [];
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051 ANALYZE: Starting password length policy analysis`);
+    }
+
+    if (!Array.isArray(files)) {
+      files = [files];
+    }
+
+    for (const filePath of files) {
+      if (this.verbose) {
+        console.log(`[DEBUG] 🎯 S051: Analyzing ${filePath.split('/').pop()}`);
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileExtension = path.extname(filePath);
+        const fileName = path.basename(filePath);
+        const fileViolations = this.analyzeFile(filePath, content, fileExtension, fileName);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`[S051] Error analyzing ${filePath}: ${error.message}`);
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Found ${violations.length} password length policy violations`);
+    }
+
+    return violations;
+  }
+
+  // Alias methods for different engines
+  run(filePath, content, options = {}) {
+    this.verbose = options.verbose || false;
+    const fileExtension = path.extname(filePath);
+    const fileName = path.basename(filePath);
+    return this.analyzeFile(filePath, content, fileExtension, fileName);
+  }
+
+  runAnalysis(filePath, content, options = {}) {
+    return this.run(filePath, content, options);
+  }
+
+  runEnhancedAnalysis(filePath, content, language, options = {}) {
+    return this.run(filePath, content, options);
+  }
+
+  analyzeFile(filePath, content, fileExtension, fileName) {
+    const language = this.detectLanguage(fileExtension, fileName);
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Detected language: ${language}`);
+    }
+
+    const isExempted = this.isExemptedFile(filePath);
+    if (isExempted) {
+      if (this.verbose) {
+        console.log(`[DEBUG] 🔍 S051: Skipping exempted file: ${fileName}`);
+      }
+      return [];
+    }
+
+    return this.analyzePasswordPolicy(filePath, content, language);
+  }
+
+  detectLanguage(fileExtension, fileName) {
+    const extensions = {
+      '.js': 'javascript',
+      '.jsx': 'javascript', 
+      '.ts': 'typescript',
+      '.tsx': 'typescript',
+      '.vue': 'vue',
+      '.py': 'python',
+      '.java': 'java',
+      '.cs': 'csharp',
+      '.php': 'php',
+      '.rb': 'ruby',
+      '.go': 'go'
+    };
+    return extensions[fileExtension] || 'generic';
+  }
+
+  isExemptedFile(filePath) {
+    const allowedPaths = this.allowlist.paths || [];
+    // Skip exemption for test-fixtures as we want to test the analyzer
+    if (filePath.includes('test-fixtures')) {
+      return false;
+    }
+    return allowedPaths.some(path => filePath.includes(path));
+  }
+
+  analyzePasswordPolicy(filePath, content, language) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Starting password policy analysis of ${lines.length} lines`);
+    }
+
+    // Step 1: Scan for weak length validators
+    const weakValidators = this.scanWeakValidators(content, lines, filePath, language);
+    violations.push(...weakValidators);
+
+    // Step 2: Check for bcrypt usage without length checks
+    const bcryptIssues = this.scanBcryptIssues(content, lines, filePath);
+    violations.push(...bcryptIssues);
+
+    // Step 3: Look for missing hard limit checks
+    const hardLimitIssues = this.scanHardLimitIssues(content, lines, filePath);
+    violations.push(...hardLimitIssues);
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Found ${violations.length} policy violations`);
+    }
+
+    return violations;
+  }
+
+  scanWeakValidators(content, lines, filePath, language) {
+    const violations = [];
+    const minLength = this.lengthPolicy?.minAllowedRange?.recommended || 12;
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Scanning weak validators (min length: ${minLength})`);
+      console.log(`[DEBUG] 🎯 S051: Available patterns:`, {
+        fePatterns: this.compiledPatterns.feValidators?.length || 0,
+        bePatterns: this.compiledPatterns.beValidators?.length || 0
+      });
+    }
+
+    // Choose patterns based on language
+    const validatorPatterns = (language === 'typescript' || language === 'javascript') 
+      ? this.compiledPatterns.feValidators 
+      : this.compiledPatterns.beValidators;
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Using ${validatorPatterns.length} ${language} patterns`);
+    }
+
+    for (const pattern of validatorPatterns) {
+      const matches = [...content.matchAll(pattern)];
+      
+      if (this.verbose && matches.length > 0) {
+        console.log(`[DEBUG] 🎯 S051: Pattern "${pattern}" found ${matches.length} matches`);
+      }
+      
+      for (const match of matches) {
+        const lineNumber = this.getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1];
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 S051: Checking match "${match[0]}" at line ${lineNumber}: ${lineContent.trim()}`);
+        }
+        
+        // Extract the length value
+        const lengthMatch = match[0].match(/\d+/);
+        if (lengthMatch) {
+          const length = parseInt(lengthMatch[0]);
+          const isPasswordContext = this.isInPasswordContext(lineContent, lines, lineNumber);
+          
+          if (this.verbose) {
+            console.log(`[DEBUG] 🎯 S051: Length=${length}, isPasswordContext=${isPasswordContext}, minLength=${minLength}`);
+          }
+          
+          if (isPasswordContext && length < minLength) {
+            if (this.verbose) {
+              console.log(`[DEBUG] 🚨 S051: VIOLATION DETECTED! Line ${lineNumber}, length ${length} < ${minLength}`);
+            }
+            
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Password minimum length ${length} is too weak - use at least ${minLength} characters`,
+              severity: 'error',
+              line: lineNumber,
+              column: this.getColumnNumber(content, match.index),
+              filePath: filePath,
+              context: {
+                violationType: 'insufficient_min_length',
+                evidence: lineContent.trim(),
+                currentLength: length,
+                recommendedLength: minLength,
+                recommendation: `Update minimum password length to ${minLength} characters`
+              }
+            });
+          }
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  scanBcryptIssues(content, lines, filePath) {
+    // TODO: Implement bcrypt length check detection
+    return [];
+  }
+
+  scanHardLimitIssues(content, lines, filePath) {
+    // TODO: Implement hard limit validation
+    return [];
+  }
+
+  isInPasswordContext(lineContent, lines, lineNumber) {
+    let signalCount = 0;
+    const signals = [];
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🔍 S051: Checking password context for line ${lineNumber}: "${lineContent.trim()}"`);
+    }
+
+    // Signal 1: Password identifiers in current line or surrounding lines
+    const contextRange = 3;
+    const start = Math.max(0, lineNumber - contextRange - 1);
+    const end = Math.min(lines.length, lineNumber + contextRange);
+    
+    for (let i = start; i < end; i++) {
+      const contextLine = lines[i];
+      
+      // Reset regex lastIndex for global patterns
+      this.compiledPatterns.passwordContext.lastIndex = 0;
+      
+      if (this.compiledPatterns.passwordContext.test(contextLine)) {
+        signalCount++;
+        signals.push('password_identifier');
+        if (this.verbose) {
+          console.log(`[DEBUG] 🔍 S051: Signal 1 - Password identifier found in line ${i + 1}: "${contextLine.trim()}"`);
+        }
+        break; // Only count once per scan
+      }
+      
+      // Check for UI hints (type="password", etc.)
+      for (const hint of this.contextSignals.uiHints || []) {
+        if (new RegExp(hint, 'i').test(contextLine)) {
+          signalCount++;
+          signals.push('ui_hint');
+          if (this.verbose) {
+            console.log(`[DEBUG] 🔍 S051: Signal 2 - UI hint found: "${hint}" in line ${i + 1}`);
+          }
+          break;
+        }
+      }
+      
+      // Check for route context
+      for (const route of this.contextSignals.routes || []) {
+        if (new RegExp(`\\b${route}\\b`, 'i').test(contextLine)) {
+          signalCount++;
+          signals.push('route_context');
+          if (this.verbose) {
+            console.log(`[DEBUG] 🔍 S051: Signal 3 - Route context found: "${route}" in line ${i + 1}`);
+          }
+          break;
+        }
+      }
+      
+      // Check for method context
+      for (const method of this.contextSignals.methods || []) {
+        if (new RegExp(`\\b${method}\\b`, 'i').test(contextLine)) {
+          signalCount++;
+          signals.push('method_context');
+          if (this.verbose) {
+            console.log(`[DEBUG] 🔍 S051: Signal 4 - Method context found: "${method}" in line ${i + 1}`);
+          }
+          break;
+        }
+      }
+    }
+
+    const requireMinSignals = 1; // Temporary for testing
+    const isPasswordContext = signalCount >= requireMinSignals;
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S051: Password context: ${signalCount} signals [${signals.join(', ')}], required: ${requireMinSignals}, result: ${isPasswordContext}`);
+    }
+
+    return isPasswordContext;
+  }
+
+  getLineNumber(content, index) {
+    return content.substring(0, index).split('\n').length;
+  }
+
+  getColumnNumber(content, index) {
+    const beforeIndex = content.substring(0, index);
+    const lastNewlineIndex = beforeIndex.lastIndexOf('\n');
+    return index - lastNewlineIndex;
+  }
+}
+
+module.exports = S051PasswordLengthPolicyAnalyzer;

package/rules/security/S051_password_length_policy/config.json

@@ -0,0 +1,83 @@
+{
+  "ruleId": "S051",
+  "name": "Support 12–64 char passwords; reject >128",
+  "description": "Enforce modern password length policy (min 12, typical max 64; reject >128) and align FE/BE validators. Warn on bcrypt 72-byte truncation.",
+  "category": "security",
+  "severity": "error",
+  "options": {
+    "lengthPolicy": {
+      "minAllowedRange": {
+        "min": 8,
+        "recommended": 12,
+        "warnBelow": 12,
+        "errorBelow": 8
+      },
+      "maxRecommended": 64,
+      "hardRejectLength": 128
+    },
+    "mode": "strict",
+    "passwordIdentifiers": [
+      "password", "newPassword", "oldPassword", "confirmPassword", 
+      "passwd", "pwd", "passphrase", "secret", "credential"
+    ],
+    "uiHints": [
+      "type=[\"']password[\"']",
+      "placeholder.*password",
+      "label.*password",
+      "i18n.*password"
+    ],
+    "contextSignals": {
+      "routes": ["auth", "signup", "register", "login", "reset", "change-password"],
+      "files": ["auth", "password", "credential", "security"],
+      "methods": ["hashPassword", "validatePassword", "checkPassword"]
+    },
+    "validatorPatterns": {
+      "fe": [
+        "minLength\\s*:\\s*(\\d+)",
+        "maxLength\\s*:\\s*(\\d+)", 
+        "yup\\.string\\(\\).*\\.min\\((\\d+)\\).*\\.max\\((\\d+)\\)",
+        "z\\.string\\(\\).*\\.min\\((\\d+)\\).*\\.max\\((\\d+)\\)",
+        "Validators\\.minLength\\((\\d+)\\)",
+        "Validators\\.maxLength\\((\\d+)\\)",
+        "minlength=[\"']?(\\d+)[\"']?",
+        "maxlength=[\"']?(\\d+)[\"']?"
+      ],
+      "be": [
+        "Joi\\.string\\(\\).*min\\((\\d+)\\).*max\\((\\d+)\\)",
+        "Length\\s*\\(\\s*min\\s*=\\s*(\\d+).*max\\s*=\\s*(\\d+)\\)",
+        "@Size\\s*\\(\\s*min\\s*=\\s*(\\d+).*max\\s*=\\s*(\\d+)\\)",
+        "if\\s*\\(.*password\\.length\\s*[<>]=?\\s*(\\d+)\\)"
+      ]
+    },
+    "bcryptHints": {
+      "apis": [
+        "bcrypt\\.", "BCrypt\\.", "bcryptjs", "@nestjs/bcrypt",
+        "org\\.springframework\\.security\\.crypto\\.bcrypt"
+      ],
+      "warnOnMissingLengthCheck": true,
+      "byteLimit": 72,
+      "checkMethods": ["hash", "hashSync", "compare", "compareSync"]
+    },
+    "crossFileAnalysis": {
+      "enabled": true,
+      "compareFeBeMinMax": true,
+      "warnOnMismatch": true,
+      "toleranceDiff": 2
+    },
+    "policy": {
+      "requireMinSignals": 2,
+      "alignFeBe": true,
+      "rejectOverHardLimit": true,
+      "priorityOrder": ["weak_validators", "bcrypt_issues", "hard_limit"]
+    },
+    "allowlist": {
+      "paths": ["test/", "tests/", "__tests__/", "fixtures/", "mocks/", "dummy/"],
+      "notes": "Test and dummy files may have different password requirements"
+    },
+    "thresholds": {
+      "maxWeakValidators": 0,
+      "maxBcryptWithoutLengthCheck": 0,
+      "maxMissingHardLimit": 1
+    }
+  }
+}