@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S054_no_default_accounts/config.json

@@ -0,0 +1,101 @@
+{
+  "ruleId": "S054",
+  "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
+  "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
+  "category": "security",
+  "severity": "error",
+  "options": {
+    "blockedUsernames": [
+      "admin","root","sa","test","guest","operator","super","superuser","sys",
+      "postgres","mysql","mssql","oracle","elastic","kibana","grafana",
+      "administrator", "demo", "example", "default", "public", "anonymous",
+      "user", "password", "service", "support", "backup", "monitor"
+    ],
+    "codeCreationPatterns": [
+      "create(User|Account)\\s*\\(",
+      "new\\s+User\\s*\\(",
+      "user(Name|name|_name)\\s*:",
+      "username\\s*=\\s*",
+      "setUser(Name|name)\\s*\\(",
+      "addUser\\s*\\(",
+      "registerUser\\s*\\(",
+      "createAccount\\s*\\("
+    ],
+    "sqlInsertUserPatterns": [
+      "INSERT\\s+INTO\\s+\\w*user\\w*\\s*\\(",
+      "UPSERT\\s+INTO\\s+\\w*user\\w*\\s*\\(",
+      "CREATE\\s+USER\\s+",
+      "GRANT\\s+.+\\s+TO\\s+",
+      "REVOKE\\s+.+\\s+FROM\\s+"
+    ],
+    "infraPatterns": {
+      "terraform": [
+        "username\\s*=\\s*\"(admin|root|sa|test|guest)\"",
+        "user\\s*=\\s*\"(admin|root|sa|test|guest)\"",
+        "admin_username\\s*=\\s*\"(admin|root|sa|test|guest)\""
+      ],
+      "helmValues": [
+        "admin(User|Password)\\s*:",
+        "default(User|Pass)\\s*:",
+        "root(User|Password)\\s*:",
+        "service(User|Account)\\s*:"
+      ],
+      "docker": [
+        "ENV\\s+.*(USER|USERNAME|_ROOT_USERNAME)\\s*=\\s*(admin|root|sa)",
+        "POSTGRES_USER\\s*=\\s*(postgres|admin|root)",
+        "MONGO_INITDB_ROOT_USERNAME\\s*=\\s*(root|admin)",
+        "MYSQL_USER\\s*=\\s*(root|admin|mysql)",
+        "REDIS_USER\\s*=\\s*(redis|admin|root)"
+      ],
+      "kubernetes": [
+        "serviceAccount:\\s*default",
+        "user:\\s*(admin|root|sa|test|guest)",
+        "username:\\s*(admin|root|sa|test|guest)"
+      ]
+    },
+    "docPatterns": [
+      "login\\s*[:=]\\s*(admin|root|sa|test|guest)",
+      "user\\s*[:=]\\s*(admin|root|sa|test|guest)",
+      "username\\s*[:=]\\s*(admin|root|sa|test|guest)",
+      "password\\s*[:=]\\s*(admin|root|sa|test|guest|password|123456)"
+    ],
+    "passwordSmells": [
+      "password", "123456", "admin", "Admin@123", "Password1", "changeme", 
+      "default", "qwerty", "letmein", "welcome", "secret", "pass123",
+      "root", "toor", "administrator", "guest"
+    ],
+    "configFilePatterns": [
+      "database\\.(username|user)\\s*=\\s*(admin|root|sa)",
+      "db\\.(username|user)\\s*=\\s*(admin|root|sa)",
+      "auth\\.(username|user)\\s*=\\s*(admin|root|sa)",
+      "admin\\.(username|user)\\s*=\\s*",
+      "spring\\.datasource\\.username\\s*=\\s*(admin|root|sa)"
+    ],
+    "policy": {
+      "requirePerUserAccount": true,
+      "requireInitialPasswordChange": true,
+      "forbidWellKnownServiceAccountsInAppDB": true,
+      "allowOnlyInEphemeralTests": true,
+      "mustDisableBuiltInsOnInfra": true
+    },
+    "allowlist": {
+      "paths": [
+        "test/", "tests/", "__tests__/", "e2e/", "playground/", 
+        "local-dev/", "demo/", "example/", "mock/", "fixture/",
+        "spec/", ".spec.", ".test."
+      ],
+      "notes": "Vẫn cảnh báo nếu xuất hiện mật khẩu mặc định; cho phép username cấm chỉ khi data giả lập không public và không nối vào môi trường thật."
+    },
+    "thresholds": {
+      "maxFindings": 0,
+      "maxInAllowedPaths": 2,
+      "maxPasswordSmells": 0
+    },
+    "exemptions": {
+      "testDirectories": ["test", "tests", "__tests__", "e2e", "spec"],
+      "configFiles": ["jest.config", "test.config", "local.config"],
+      "allowTestData": true,
+      "allowDocumentationExamples": false
+    }
+  }
+}

package/rules/security/S056_log_injection_protection/analyzer.js

@@ -0,0 +1,242 @@
+/**
+ * S056 Main Analyzer - Protect against Log Injection attacks
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S056 --input=examples/rule-test-fixtures/rules/S056_log_injection_protection --engine=heuristic
+ */
+
+const S056SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S056RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S056Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S056] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S056] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S056";
+    this.ruleName = "Protect against Log Injection attacks";
+    this.description =
+      "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true, // Re-enabled with ts-morph API fixes
+      fallbackToRegex: true, // Secondary approach
+      regexBasedOnly: false, // Now we can use symbol analysis again
+    };
+
+    // Initialize analyzers
+    try {
+      this.symbolAnalyzer = new S056SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S056] Symbol analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S056] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S056RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [S056] Regex analyzer created successfully`);
+      }
+    } catch (error) {
+      console.error(`🔧 [S056] Error creating regex analyzer:`, error);
+    }
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S056] Main analyzer initializing...`);
+    }
+
+    // Initialize both analyzers
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    }
+    if (this.regexAnalyzer) {
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    }
+
+    // Clean up if needed
+    if (this.regexAnalyzer) {
+      this.regexAnalyzer.cleanup?.();
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S056] Main analyzer initialized successfully`);
+    }
+  }
+
+  /**
+   * Single file analysis method for testing
+   */
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`📊 [S056] analyzeSingle() called for: ${filePath}`);
+    }
+
+    // Return result using same format as analyze method
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S056] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S056] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S056] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(
+          `⚠ [S056] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S056] Total violations found: ${violations.length}`);
+    }
+
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [S056] analyzeFile() called for: ${filePath}`);
+    }
+
+    // Create a Map to track unique violations and prevent duplicates
+    const violationMap = new Map();
+
+    // 1. Try Symbol-based analysis first (primary)
+    if (
+      this.config.useSymbolBased &&
+      this.semanticEngine?.project &&
+      this.semanticEngine?.initialized
+    ) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S056] Trying symbol-based analysis...`);
+        }
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S056] Source file found, analyzing...`);
+          }
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+
+          // Add to violation map with deduplication
+          symbolViolations.forEach((violation) => {
+            const key = `${violation.line}:${violation.column}:${violation.message}`;
+            if (!violationMap.has(key)) {
+              violationMap.set(key, violation);
+            }
+          });
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S056] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [S056] Source file not found, falling back...`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠ [S056] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // 2. Try Regex-based analysis (fallback or additional)
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [S056] Trying regex-based analysis...`);
+        }
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+
+        // Add to violation map with deduplication
+        regexViolations.forEach((violation) => {
+          const key = `${violation.line}:${violation.column}:${violation.message}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, violation);
+          }
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S056] Regex analysis completed: ${regexViolations.length} violations`
+          );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S056] Regex analysis failed:`, error.message);
+      }
+    }
+
+    // Convert Map values to array and add filePath to each violation
+    const finalViolations = Array.from(violationMap.values()).map(
+      (violation) => ({
+        ...violation,
+        filePath: filePath,
+        file: filePath, // Also add 'file' for compatibility
+      })
+    );
+
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S056] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    }
+
+    return finalViolations;
+  }
+
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) {
+      this.symbolAnalyzer.cleanup();
+    }
+    if (this.regexAnalyzer?.cleanup) {
+      this.regexAnalyzer.cleanup();
+    }
+  }
+}
+
+module.exports = S056Analyzer;

package/rules/security/S056_log_injection_protection/config.json

@@ -0,0 +1,148 @@
+{
+  "rule": {
+    "id": "S056",
+    "name": "Protect against Log Injection attacks",
+    "description": "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.",
+    "category": "security",
+    "severity": "error",
+    "languages": ["typescript", "javascript"],
+    "frameworks": ["express", "nestjs", "node"],
+    "version": "1.0.0",
+    "status": "stable",
+    "tags": ["security", "logging", "injection", "owasp", "crlf"],
+    "references": [
+      "https://owasp.org/www-community/attacks/Log_Injection",
+      "https://cwe.mitre.org/data/definitions/117.html",
+      "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html",
+      "https://portswigger.net/kb/issues/00200200_log-injection"
+    ]
+  },
+  "configuration": {
+    "enableLogInjectionDetection": true,
+    "checkUserInputSources": [
+      "req",
+      "request", 
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies",
+      "session"
+    ],
+    "vulnerableLogMethods": [
+      "log",
+      "info",
+      "warn",
+      "error",
+      "debug",
+      "trace",
+      "write",
+      "writeSync"
+    ],
+    "vulnerableLogLibraries": [
+      "winston",
+      "bunyan",
+      "pino",
+      "log4js",
+      "console",
+      "morgan",
+      "debug"
+    ],
+    "dangerousCharacters": [
+      "\\r",
+      "\\n",
+      "\\r\\n",
+      "\\u000a",
+      "\\u000d",
+      "%0a",
+      "%0d",
+      "\\x0a",
+      "\\x0d"
+    ],
+    "secureLogPatterns": [
+      "sanitize",
+      "escape",
+      "clean",
+      "filter",
+      "validate",
+      "replace",
+      "strip"
+    ]
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Direct user input in log message",
+        "code": "logger.info('User login: ' + req.body.username);"
+      },
+      {
+        "description": "Template literal with user input",
+        "code": "console.log(`User ${req.query.user} attempted login`);"
+      },
+      {
+        "description": "User input containing CRLF in log",
+        "code": "winston.error('Authentication failed for: ' + req.headers['user-agent']);"
+      },
+      {
+        "description": "Session data in log message",
+        "code": "logger.debug('Session: ' + JSON.stringify(req.session));"
+      }
+    ],
+    "fixes": [
+      {
+        "description": "Sanitize user input before logging",
+        "code": "const sanitizedUser = sanitize(req.body.username);\nlogger.info('User login: ' + sanitizedUser);"
+      },
+      {
+        "description": "Use structured logging with safe values",
+        "code": "logger.info('User login', { username: sanitize(req.body.username) });"
+      },
+      {
+        "description": "Filter dangerous characters",
+        "code": "const cleanInput = req.query.user.replace(/[\\r\\n]/g, '_');\nconsole.log(`User ${cleanInput} attempted login`);"
+      },
+      {
+        "description": "Validate input before logging",
+        "code": "if (validateInput(req.headers['user-agent'])) {\n  winston.error('Authentication failed for: ' + req.headers['user-agent']);\n}"
+      }
+    ]
+  },
+  "testing": {
+    "testCases": [
+      {
+        "name": "log_injection_direct_input",
+        "type": "violation",
+        "description": "Direct user input in log message"
+      },
+      {
+        "name": "log_injection_template_literal", 
+        "type": "violation",
+        "description": "Template literal with user input"
+      },
+      {
+        "name": "log_injection_crlf",
+        "type": "violation",
+        "description": "User input containing CRLF characters"
+      },
+      {
+        "name": "log_injection_json_stringify",
+        "type": "violation",
+        "description": "JSON.stringify with user input"
+      },
+      {
+        "name": "secure_log_sanitized",
+        "type": "clean",
+        "description": "Sanitized user input in log"
+      },
+      {
+        "name": "secure_log_structured",
+        "type": "clean", 
+        "description": "Structured logging with safe values"
+      }
+    ]
+  },
+  "performance": {
+    "complexity": "O(n)",
+    "description": "Linear complexity based on number of function calls and expressions in the source code"
+  }
+}

package/rules/security/S056_log_injection_protection/regex-based-analyzer.js

@@ -0,0 +1,120 @@
+/**
+ * S056 Regex-Based Analyzer - Protect against Log Injection attacks  
+ * Uses regular expressions for pattern-based analysis
+ */
+
+const fs = require("fs");
+
+class S056RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S056";
+    this.category = "security";
+
+    // Regex patterns for detecting log injection vulnerabilities
+    this.patterns = [
+      // Direct concatenation with user input
+      {
+        pattern: /(logger\.|console\.)(log|info|warn|error|debug)\s*\(\s*['"`].*?\+\s*(req\.|request\.)/g,
+        message: "Log injection vulnerability: Direct concatenation of user input in log statement"
+      },
+      // Template literals with user input
+      {
+        pattern: /(logger\.|console\.)(log|info|warn|error|debug)\s*\(\s*`.*?\$\{.*?(req\.|request\.)/g,
+        message: "Log injection vulnerability: Template literal with user input in log statement"
+      },
+      // Winston/Bunyan/Pino with user input
+      {
+        pattern: /(winston\.|bunyan\.|pino\.)(log|info|warn|error|debug)\s*\(\s*['"`].*?\+\s*(req\.|request\.)/g,
+        message: "Log injection vulnerability: User input concatenated in Winston/Bunyan/Pino log"
+      },
+      // JSON.stringify with user input in logs
+      {
+        pattern: /(logger\.|console\.)(log|info|warn|error|debug)\s*\(.*?JSON\.stringify\s*\(\s*(req\.|request\.|session)/g,
+        message: "Log injection vulnerability: JSON.stringify with user input in log statement"
+      },
+      // User input sources in log calls
+      {
+        pattern: /(logger\.|console\.|winston\.|bunyan\.|pino\.)(log|info|warn|error|debug).*?(req\.body|req\.query|req\.params|req\.headers|req\.cookies|req\.session)/g,
+        message: "Log injection vulnerability: User input source used in log statement without sanitization"
+      },
+      // CRLF injection patterns
+      {
+        pattern: /(logger\.|console\.)(log|info|warn|error|debug).*?(\\r|\\n|%0a|%0d)/g,
+        message: "Log injection vulnerability: CRLF characters detected in log statement"
+      }
+    ];
+
+    // Patterns that indicate secure usage (to reduce false positives)
+    this.securePatterns = [
+      /sanitize\s*\(/g,
+      /escape\s*\(/g, 
+      /clean\s*\(/g,
+      /filter\s*\(/g,
+      /validate\s*\(/g,
+      /replace\s*\(/g,
+      /strip\s*\(/g
+    ];
+  }
+
+  async analyze(filePath) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔍 [${this.ruleId}] Regex: Starting analysis for ${filePath}`);
+    }
+
+    try {
+      const fileContent = fs.readFileSync(filePath, "utf8");
+      const violations = [];
+      const lines = fileContent.split('\n');
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+
+        // Skip if line contains secure patterns
+        if (this.hasSecurePattern(line)) {
+          continue;
+        }
+
+        // Check each vulnerability pattern
+        for (const { pattern, message } of this.patterns) {
+          const matches = [...line.matchAll(pattern)];
+          
+          for (const match of matches) {
+            const column = match.index + 1;
+            
+            violations.push({
+              ruleId: this.ruleId,
+              message: message,
+              line: lineNumber,
+              column: column,
+              severity: "error",
+              category: this.category,
+              code: line.trim()
+            });
+          }
+        }
+      }
+
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(
+          `🔍 [${this.ruleId}] Regex: Analysis completed, ${violations.length} violations found`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] Regex analysis failed:`, error.message);
+      return [];
+    }
+  }
+
+  hasSecurePattern(line) {
+    return this.securePatterns.some(pattern => pattern.test(line));
+  }
+
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+
+module.exports = S056RegexBasedAnalyzer;