@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S030_directory_browsing_protection/regex-based-analyzer.js

@@ -0,0 +1,483 @@
+/**
+ * S030 Regex-Based       // Fastify static serving
+      fastifyStatic:
+        /fastify\.register\s*\(\s*require\s*\(\s*['"\`]@?fastify\/static['"\`]\s*\)\s*,\s*\{([^}]*)\}/g,
+      fastifyStaticRoot:
+        /root\s*:\s*['"\`]([^'"\`]+)['"\`]/g,lyzer - Disa      // NuxtJS static serving (in nuxt.config.js)
+      nuxtStatic: /static\s*:\s*['"\`]([^'"\`]+)['"\`]/g,
+      nuxtGenerate: /generate\s*:\s*\{[^}]*dir\s*:\s*['"\`]([^'"\`]+)['"\`]/g,
+      nuxtPublicAssets: /dir\s*:\s*['"\`]([^'"\`]+)['"\`]/g,
+
+      // Hapi.js directory serving
+      hapiDirectory: /directory\s*:\s*\{[^}]*path\s*:\s*['"\`]([^'"\`]+)['"\`]/g, directory browsing and protect sensitive metadata files
+ * Detects static file serving configurations and directory browsing vulnerabilities
+ */
+const fs = require("fs");
+
+class S030RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S030";
+
+    // Static file serving patterns
+    this.staticPatterns = {
+      // Express.js static serving
+      expressStatic:
+        /express\.static\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+      appUseStatic:
+        /app\.use\s*\(\s*(?:['"`][^'"`]*['"`]\s*,\s*)?express\.static\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+
+      // Koa.js static serving
+      koaStatic:
+        /koa-static\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+      koaMount:
+        /mount\s*\(\s*['"`][^'"`]*['"`]\s*,\s*serve\s*\(\s*['"`]([^'"`]+)['"`]/g,
+
+      // Fastify static serving
+      fastifyStatic:
+        /fastify\.register\s*\(\s*require\s*\(\s*['"`]@?fastify\/static['"`]\s*\)\s*,\s*\{([^}]*)\}/g,
+
+      // NextJS static serving
+      nextStatic:
+        /express\.static\s*\(\s*path\.join\s*\(\s*__dirname\s*,\s*['"`]([^'"`]*(?:public|static|assets)[^'"`]*)['"`]\s*\)\s*(?:,\s*\{([^}]*)\})?\s*\)/g,
+      nextPublicDir:
+        /app\.use\s*\(\s*['"`]\/static['"`]\s*,\s*express\.static\s*\(\s*['"`]([^'"`]+)['"`]/g,
+
+      // NestJS static serving
+      nestServeStatic: /ServeStaticModule\.forRoot\s*\(\s*\{([^}]*)\}\s*\)/g,
+      nestUseStatic:
+        /app\.useStaticAssets\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+
+      // NuxtJS static serving (in nuxt.config.js)
+      nuxtStatic: /static\s*:\s*['"`]([^'"`]+)['"`]/g,
+      nuxtGenerate: /generate\s*:\s*\{[^}]*dir\s*:\s*['"`]([^'"`]+)['"`]/g,
+
+      // Generic static serving
+      serveStatic:
+        /serveStatic\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+    };
+
+    // Directory browsing middleware patterns
+    this.directoryBrowsingPatterns = {
+      serveIndex:
+        /serve-?index\s*\(\s*['"`]([^'"`]+)['"`](?:\s*,\s*\{([^}]*)\})?\s*\)/g,
+      autoIndex: /autoIndex\s*:\s*(true|1|"true"|'true')/g,
+      directoryListing: /directory\s*:\s*(true|1|"true"|'true')/g,
+      listDirectories: /list\s*:\s*(true|1|"true"|'true')/g,
+      listingTrue: /listing\s*:\s*(true|1|"true"|'true')/g,
+    };
+
+    // Sensitive file/directory patterns
+    this.sensitiveFiles = [
+      /\\.env/g,
+      /\\.git/g,
+      /\\.svn/g,
+      /\\.hg/g,
+      /\\.bzr/g,
+      /\\.CVS/g,
+      /config(?:s|uration)?/g,
+      /settings?/g,
+      /secrets?/g,
+      /keys?/g,
+      /backup(?:s)?/g,
+      /database(?:s)?/g,
+      /\\.aws/g,
+      /\\.ssh/g,
+      /credentials?/g,
+      /private/g,
+    ];
+
+    // Dangerous configuration patterns
+    this.dangerousConfigs = {
+      dotfilesAllow: /dotfiles\s*:\s*['"`]allow['"`]/g,
+      hiddenTrue: /hidden\s*:\s*(true|1|"true"|'true')/g,
+      indexFalse: /index\s*:\s*(false|0|"false"|'false')/g,
+      listingTrue: /listing\s*:\s*(true|1|"true"|'true')/g,
+    };
+
+    // Route patterns that expose sensitive paths
+    this.sensitiveRoutePatterns = {
+      // Express.js routes
+      envRoute:
+        /\.(get|post|put|delete|patch|all)\s*\(\s*['"`][^'"`]*\.env[^'"`]*['"`]/g,
+      gitRoute:
+        /\.(get|post|put|delete|patch|all)\s*\(\s*['"`][^'"`]*\.git[^'"`]*['"`]/g,
+      configRoute:
+        /\.(get|post|put|delete|patch|all)\s*\(\s*['"`][^'"`]*config[^'"`]*['"`]/g,
+      backupRoute:
+        /\.(get|post|put|delete|patch|all)\s*\(\s*['"`][^'"`]*backup[^'"`]*['"`]/g,
+
+      // NextJS API routes (export functions in /pages/api/ or /app/api/)
+      nextApiEnv:
+        /export\s+(default\s+)?(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*{[^}]*['"`][^'"`]*\.env[^'"`]*['"`]/g,
+      nextApiGit:
+        /export\s+(default\s+)?(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*{[^}]*['"`][^'"`]*\.git[^'"`]*['"`]/g,
+      nextApiSensitive:
+        /export\s+(default\s+)?(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*{[^}]*['"`][^'"`]*(?:config|backup|secret|\.ssh)[^'"`]*['"`]/g,
+
+      // NestJS controller routes
+      nestControllerSensitive:
+        /@(Get|Post|Put|Delete|Patch)\s*\(\s*['"`][^'"`]*(?:\.env|\.git|config|backup|secret|\.ssh)[^'"`]*['"`]\s*\)/g,
+      nestControllerPath:
+        /@Controller\s*\(\s*['"`][^'"`]*(?:\.env|\.git|config|backup|secret|\.ssh)[^'"`]*['"`]\s*\)/g,
+
+      // File serving in routes
+      sendFileSensitive:
+        /(?:res\.sendFile|sendFile)\s*\(\s*['"`][^'"`]*(?:\.env|\.git|config|backup|secret|\.ssh)[^'"`]*['"`]/g,
+    };
+  }
+
+  async analyze(filePath) {
+    // Skip files that are unlikely to contain server configurations
+    const skipPatterns = [
+      /\\.d\\.ts$/,
+      /\\.types\\.ts$/,
+      /\\.interface\\.ts$/,
+      /\\.constants?\\.ts$/,
+      /\\.spec\\.ts$/,
+      /\\.test\\.ts$/,
+      /\\.min\\.js$/,
+      /\\.bundle\\.js$/,
+      /\\.model\\.ts$/,
+      /\\.entity\\.ts$/,
+      /\\.dto\\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return [];
+    }
+
+    const content = fs.readFileSync(filePath, "utf8");
+    const lines = content.split(/\\r?\\n/);
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Skip comments and imports
+      if (this.shouldSkipLine(line)) {
+        continue;
+      }
+
+      // Check for static file serving patterns
+      this.checkStaticFileServing(line, lineNumber, violations);
+
+      // Check for directory browsing configurations
+      this.checkDirectoryBrowsing(line, lineNumber, violations);
+
+      // Check for sensitive file exposure
+      this.checkSensitiveFileExposure(line, lineNumber, violations);
+
+      // Check for dangerous configurations
+      this.checkDangerousConfigurations(line, lineNumber, violations);
+
+      // Check for sensitive route definitions
+      this.checkSensitiveRoutes(line, lineNumber, violations);
+    }
+
+    return violations;
+  }
+
+  shouldSkipLine(line) {
+    const trimmed = line.trim();
+
+    // Skip empty lines
+    if (!trimmed) return true;
+
+    // Skip single-line comments
+    if (trimmed.startsWith("//")) return true;
+
+    // Skip import/export statements
+    if (trimmed.startsWith("import ") || trimmed.startsWith("export "))
+      return true;
+
+    // Skip require statements
+    if (trimmed.startsWith("const ") && trimmed.includes("require("))
+      return true;
+
+    // Skip JSDoc comments
+    if (
+      trimmed.startsWith("*") ||
+      trimmed.startsWith("/**") ||
+      trimmed.startsWith("*/")
+    )
+      return true;
+
+    return false;
+  }
+
+  checkStaticFileServing(line, lineNumber, violations) {
+    for (const [patternName, pattern] of Object.entries(this.staticPatterns)) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        let servedPath;
+        let configStr = "";
+
+        // Handle different pattern structures
+        if (
+          patternName === "fastifyStaticRoot" ||
+          patternName === "nuxtPublicAssets" ||
+          patternName === "hapiDirectory"
+        ) {
+          servedPath = match[1];
+        } else {
+          servedPath = match[1];
+          configStr = match[2] || "";
+        }
+
+        // Check if serving sensitive directories
+        if (this.isSensitivePath(servedPath)) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Static file serving exposes sensitive path '${servedPath}' - this could leak sensitive metadata files`,
+            severity: "error",
+            line: lineNumber,
+            column: match.index + 1,
+          });
+        }
+
+        // Check configuration for dangerous settings
+        if (configStr) {
+          this.checkStaticConfiguration(
+            configStr,
+            lineNumber,
+            violations,
+            match.index
+          );
+        }
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S030-Regex] Found static serving at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkDirectoryBrowsing(line, lineNumber, violations) {
+    for (const [patternName, pattern] of Object.entries(
+      this.directoryBrowsingPatterns
+    )) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        let message;
+
+        switch (patternName) {
+          case "serveIndex":
+            message = `Directory browsing middleware detected - this enables directory listing which exposes file structure`;
+            break;
+          case "autoIndex":
+          case "directoryListing":
+          case "listDirectories":
+          case "listingTrue":
+            message = `Configuration enables directory browsing - set '${patternName}' to false to prevent directory listing`;
+            break;
+          default:
+            message = "Directory browsing configuration detected";
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          message: message,
+          severity: "error",
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S030-Regex] Found directory browsing at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkSensitiveFileExposure(line, lineNumber, violations) {
+    for (const sensitivePattern of this.sensitiveFiles) {
+      const matches = [...line.matchAll(sensitivePattern)];
+
+      for (const match of matches) {
+        // Check if it's in a serving context (not just a string mention)
+        if (this.isInServingContext(line)) {
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Potential exposure of sensitive file/directory '${match[0]}' - ensure proper access controls`,
+            severity: "warning",
+            line: lineNumber,
+            column: match.index + 1,
+          });
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S030-Regex] Found sensitive file exposure at line ${lineNumber}: ${match[0]}`
+            );
+          }
+        }
+      }
+    }
+  }
+
+  checkDangerousConfigurations(line, lineNumber, violations) {
+    for (const [configName, pattern] of Object.entries(this.dangerousConfigs)) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        let message;
+
+        switch (configName) {
+          case "dotfilesAllow":
+            message =
+              "Dotfiles access is enabled - set dotfiles to 'deny' to protect sensitive files like .env";
+            break;
+          case "hiddenTrue":
+            message =
+              "Hidden files access is enabled - this may expose sensitive metadata files";
+            break;
+          case "indexFalse":
+            message =
+              "Index file serving is disabled - this may enable directory browsing";
+            break;
+          case "listingTrue":
+            message =
+              "Directory listing is enabled - disable listing to prevent directory browsing";
+            break;
+          default:
+            message = "Dangerous static file configuration detected";
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          message: message,
+          severity: "warning",
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S030-Regex] Found dangerous config at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkSensitiveRoutes(line, lineNumber, violations) {
+    for (const [routeName, pattern] of Object.entries(
+      this.sensitiveRoutePatterns
+    )) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Route exposes sensitive path - implement proper access controls for sensitive files/directories`,
+          severity: "error",
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S030-Regex] Found sensitive route at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkStaticConfiguration(configStr, lineNumber, violations, columnOffset) {
+    // Check for dangerous configuration options within static serving
+    if (/dotfiles\\s*:\\s*['"`]allow['"`]/.test(configStr)) {
+      violations.push({
+        ruleId: this.ruleId,
+        message:
+          "Dotfiles access enabled in static serving - this exposes sensitive files like .env",
+        severity: "warning",
+        line: lineNumber,
+        column: columnOffset + 1,
+      });
+    }
+
+    if (/index\\s*:\\s*(false|0|"false"|'false')/.test(configStr)) {
+      violations.push({
+        ruleId: this.ruleId,
+        message:
+          "Index file serving disabled - this may enable directory browsing",
+        severity: "warning",
+        line: lineNumber,
+        column: columnOffset + 1,
+      });
+    }
+
+    if (/list\\s*:\\s*(true|1|"true"|'true')/.test(configStr)) {
+      violations.push({
+        ruleId: this.ruleId,
+        message:
+          "Directory listing enabled in static configuration - disable to prevent directory browsing",
+        severity: "error",
+        line: lineNumber,
+        column: columnOffset + 1,
+      });
+    }
+  }
+
+  isSensitivePath(path) {
+    if (!path || typeof path !== "string") return false;
+
+    const normalizedPath = path.toLowerCase();
+    const sensitiveKeywords = [
+      ".env",
+      ".git",
+      ".svn",
+      ".hg",
+      "config",
+      "settings",
+      "secrets",
+      "keys",
+      "backup",
+      "database",
+      ".aws",
+      ".ssh",
+      "credentials",
+      "private",
+    ];
+
+    return sensitiveKeywords.some(
+      (keyword) =>
+        normalizedPath.includes(keyword) ||
+        normalizedPath.startsWith("./" + keyword) ||
+        normalizedPath.endsWith("/" + keyword)
+    );
+  }
+
+  isInServingContext(line) {
+    const servingKeywords = [
+      "static",
+      "serve",
+      "use",
+      "mount",
+      "register",
+      "get",
+      "post",
+      "put",
+      "delete",
+      "patch",
+      "sendFile",
+      "express",
+      "app",
+      "router",
+    ];
+
+    return servingKeywords.some((keyword) => line.includes(keyword));
+  }
+
+  cleanup() {}
+}
+
+module.exports = S030RegexBasedAnalyzer;