npm - @sun-asterisk/sunlint - Versions diffs - 1.3.7 → 1.3.9 - Mend

@sun-asterisk/sunlint 1.3.7 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/rules/security/S056_log_injection_protection/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,246 @@
+/**
+ * S056 Symbol-Based Analyzer - Protect against Log Injection attacks
+ * Uses ts-morph for semantic analysis (consistent with SunLint architecture)
+ */
+const { SyntaxKind } = require("ts-morph");
+class S056SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S056";
+    this.category = "security";
+    // Log method names that can be vulnerable
+    this.logMethods = [
+      "log",
+      "info",
+      "warn",
+      "error",
+      "debug",
+      "trace",
+      "write",
+      "writeSync"
+    ];
+    // User input sources that could lead to injection
+    this.userInputSources = [
+      "req",
+      "request",
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies",
+      "session"
+    ];
+    // Dangerous characters for log injection
+    this.dangerousCharacters = [
+      "\\r",
+      "\\n",
+      "\\r\\n",
+      "\\u000a",
+      "\\u000d",
+      "%0a",
+      "%0d",
+      "\\x0a",
+      "\\x0d"
+    ];
+    // Secure log patterns
+    this.securePatterns = [
+      "sanitize",
+      "escape",
+      "clean",
+      "filter",
+      "validate",
+      "replace",
+      "strip"
+    ];
+  }
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Symbol: Semantic engine initialized`);
+    }
+  }
+  async analyze(sourceFileOrPath) {
+    // Handle both sourceFile object and file path
+    let sourceFile;
+    let filePath;
+    if (typeof sourceFileOrPath === 'string') {
+      filePath = sourceFileOrPath;
+      // Try to get from semantic engine first
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      // If not found, create new ts-morph project
+      if (!sourceFile) {
+        const { Project } = require("ts-morph");
+        const project = new Project();
+        sourceFile = project.addSourceFileAtPath(filePath);
+      }
+    } else {
+      // Assume it's already a ts-morph SourceFile
+      sourceFile = sourceFileOrPath;
+      filePath = sourceFile.getFilePath();
+    }
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
+      );
+    }
+    if (!sourceFile) {
+      if (this.verbose) {
+        console.log(
+          `� [${this.ruleId}] Symbol: Could not create source file`
+        );
+      }
+      return [];
+    }
+    try {
+      const violations = [];
+      // Find all call expressions using ts-morph API
+      sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === SyntaxKind.CallExpression) {
+          this.checkLogMethodCall(node, violations, sourceFile);
+        }
+      });
+      if (this.verbose) {
+        console.log(
+          `🔧 [${this.ruleId}] Symbol analysis completed: ${violations.length} violations found`
+        );
+      }
+      return violations;
+    } catch (error) {
+      console.warn(`⚠ [${this.ruleId}] Symbol analysis failed:`, error.message);
+      return [];
+    }
+  }
+  checkLogMethodCall(callExprNode, violations, sourceFile) {
+    // Check if this is a logging method call using ts-morph API
+    const methodName = this.getMethodName(callExprNode);
+    if (!methodName || !this.logMethods.includes(methodName)) {
+      return;
+    }
+    // Check arguments for user input
+    const args = callExprNode.getArguments();
+    if (args && args.length > 0) {
+      for (const arg of args) {
+        if (this.containsUserInput(arg)) {
+          const lineAndCol = sourceFile.getLineAndColumnAtPos(callExprNode.getStart());
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
+            line: lineAndCol.line,
+            column: lineAndCol.column,
+            severity: "error",
+            category: this.category,
+            code: callExprNode.getText()
+          });
+          break;
+        }
+      }
+    }
+  }
+  getMethodName(callExpression) {
+    // Use ts-morph API instead of TypeScript compiler API
+    const expression = callExpression.getExpression();
+    if (expression.getKind() === SyntaxKind.Identifier) {
+      return expression.getText();
+    }
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      return expression.getName();
+    }
+    return null;
+  }
+  containsUserInput(node) {
+    // Check for direct user input references using ts-morph API
+    if (node.getKind() === SyntaxKind.Identifier) {
+      return this.userInputSources.includes(node.getText());
+    }
+    // Check for property access on user input (e.g., req.body, req.query)
+    if (node.getKind() === SyntaxKind.PropertyAccessExpression) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+    // Check for element access on user input (e.g., req["body"], headers['user-agent'])
+    if (node.getKind() === SyntaxKind.ElementAccessExpression) {
+      const objectName = this.getObjectName(node);
+      return this.userInputSources.includes(objectName);
+    }
+    // Check for binary expressions (concatenation)
+    if (node.getKind() === SyntaxKind.BinaryExpression) {
+      const left = node.getLeft();
+      const right = node.getRight();
+      return this.containsUserInput(left) || this.containsUserInput(right);
+    }
+    // Check for template literals
+    if (node.getKind() === SyntaxKind.TemplateExpression) {
+      const templateSpans = node.getTemplateSpans();
+      return templateSpans.some(span =>
+        this.containsUserInput(span.getExpression())
+      );
+    }
+    // Check for function calls that might return user input
+    if (node.getKind() === SyntaxKind.CallExpression) {
+      // Check if it's JSON.stringify with user input
+      const methodName = this.getMethodName(node);
+      if (methodName === "stringify") {
+        const args = node.getArguments();
+        if (args.length > 0) {
+          return this.containsUserInput(args[0]);
+        }
+      }
+    }
+    return false;
+  }
+  getObjectName(node) {
+    if (node.getKind() === SyntaxKind.PropertyAccessExpression ||
+        node.getKind() === SyntaxKind.ElementAccessExpression) {
+      const expression = node.getExpression();
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        return expression.getText();
+      }
+    }
+    return null;
+  }
+  /**
+   * Clean up resources
+   */
+  cleanup() {
+    // Cleanup resources if needed
+  }
+}
+module.exports = S056SymbolBasedAnalyzer;