@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S030_directory_browsing_protection/symbol-based-analyzer.js

@@ -0,0 +1,539 @@
+/**
+ * S030 Symbol-Based Analyzer - Disable directory browsing and protect sensitive metadata files
+ * Enhanced to analyze static file serving configurations and middleware
+ */
+
+class S030SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S030";
+    this.semanticEngine = semanticEngine;
+
+    // Web framework static serving methods
+    this.staticMethods = [
+      "static",
+      "serveStatic",
+      "staticFiles",
+      "useStaticAssets",
+    ];
+    this.frameworkMethods = {
+      express: ["static", "use"],
+      koa: ["static"],
+      fastify: ["register"],
+      hapi: ["route"],
+      nestjs: ["useStaticAssets", "useGlobalPrefix"],
+      nextjs: ["static", "use"],
+    };
+
+    // Sensitive file patterns that should be protected
+    this.sensitiveFiles = [
+      ".env",
+      ".git",
+      ".svn",
+      ".hg",
+      ".bzr",
+      ".CVS",
+      "config",
+      "settings",
+      "secrets",
+      "keys",
+      "backup",
+      "database",
+      ".aws",
+      ".ssh",
+      "credentials",
+      "private",
+    ];
+
+    // Directory listing indicators (dangerous configurations)
+    this.directoryListingPatterns = [
+      "autoIndex",
+      "directory",
+      "listing",
+      "browse",
+      "index",
+      "serveIndex",
+      "list",
+      "dotfiles",
+      "hidden",
+    ];
+
+    // Middleware that enables directory browsing
+    this.dangerousMiddleware = [
+      "serveIndex",
+      "serve-index",
+      "directory",
+      "autoIndex",
+    ];
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+
+    // Skip files that are unlikely to contain server configurations
+    const skipPatterns = [
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.interface\.ts$/,
+      /\.constants?\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.model\.ts$/,
+      /\.entity\.ts$/,
+      /\.dto\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return violations;
+    }
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find static file serving configurations
+      const callExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        try {
+          // Analyze static file serving configurations
+          this.analyzeStaticFileServing(call, violations, filePath);
+
+          // Analyze middleware registration
+          this.analyzeMiddlewareUsage(call, violations, filePath);
+
+          // Analyze route handlers for sensitive paths
+          this.analyzeSensitiveRoutes(call, violations, filePath);
+        } catch (error) {
+          console.warn(
+            `⚠ [S030] Call expression analysis failed:`,
+            error.message
+          );
+        }
+      }
+
+      // Analyze NestJS decorators
+      const decorators = sourceFile.getDescendantsOfKind(SyntaxKind.Decorator);
+      for (const decorator of decorators) {
+        try {
+          this.analyzeNestJSDecorators(decorator, violations, filePath);
+        } catch (error) {
+          console.warn(`⚠ [S030] Decorator analysis failed:`, error.message);
+        }
+      }
+
+      // Analyze NextJS export functions (API routes)
+      const functionDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.FunctionDeclaration
+      );
+      for (const func of functionDeclarations) {
+        try {
+          this.analyzeNextJSAPIRoutes(func, violations, filePath);
+        } catch (error) {
+          console.warn(
+            `⚠ [S030] NextJS API route analysis failed:`,
+            error.message
+          );
+        }
+      }
+
+      // Check for variable declarations that might expose sensitive paths
+      const variableDeclarations = sourceFile.getDescendantsOfKind(
+        SyntaxKind.VariableDeclaration
+      );
+
+      for (const variable of variableDeclarations) {
+        try {
+          this.analyzeSensitivePathVariables(variable, violations, filePath);
+        } catch (error) {
+          console.warn(`⚠ [S030] Variable analysis failed:`, error.message);
+        }
+      }
+
+      // Check property assignments in object literals (config objects)
+      const objectLiterals = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ObjectLiteralExpression
+      );
+
+      for (const objLiteral of objectLiterals) {
+        try {
+          this.analyzeConfigurationObjects(objLiteral, violations, filePath);
+        } catch (error) {
+          console.warn(
+            `⚠ [S030] Object literal analysis failed:`,
+            error.message
+          );
+        }
+      }
+    } catch (error) {
+      console.warn(
+        `⚠ [S030] Symbol analysis failed for ${filePath}:`,
+        error.message
+      );
+    }
+
+    return violations;
+  }
+
+  analyzeStaticFileServing(call, violations, filePath) {
+    const { SyntaxKind } = require("ts-morph");
+
+    const expression = call.getExpression();
+    let methodName = null;
+    let objectName = null;
+
+    // Handle property access: app.use(), express.static()
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      methodName = expression.getName();
+      const object = expression.getExpression();
+      if (object.getKind() === SyntaxKind.Identifier) {
+        objectName = object.getText();
+      }
+    }
+
+    // Check for static file serving patterns
+    if (this.staticMethods.includes(methodName) || methodName === "use") {
+      const args = call.getArguments();
+
+      for (const arg of args) {
+        // Check if serving sensitive directories
+        if (arg.getKind() === SyntaxKind.StringLiteral) {
+          const path = arg.getLiteralValue();
+          if (this.isSensitivePath(path)) {
+            const startLine = call.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Static file serving exposes sensitive path '${path}' - this could leak sensitive metadata files`,
+              severity: "error",
+              line: startLine,
+              column: 1,
+            });
+          }
+        }
+
+        // Check configuration objects for dangerous settings
+        if (arg.getKind() === SyntaxKind.ObjectLiteralExpression) {
+          this.analyzeStaticConfigObject(
+            arg,
+            violations,
+            call.getStartLineNumber()
+          );
+        }
+      }
+    }
+  }
+
+  analyzeMiddlewareUsage(call, violations, filePath) {
+    const { SyntaxKind } = require("ts-morph");
+
+    const expression = call.getExpression();
+
+    // Check for dangerous middleware usage
+    const args = call.getArguments();
+    for (const arg of args) {
+      if (arg.getKind() === SyntaxKind.CallExpression) {
+        const innerExpression = arg.getExpression();
+
+        if (innerExpression.getKind() === SyntaxKind.Identifier) {
+          const middlewareName = innerExpression.getText();
+          if (this.dangerousMiddleware.includes(middlewareName)) {
+            const startLine = call.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Dangerous middleware '${middlewareName}' enables directory browsing - disable or configure securely`,
+              severity: "error",
+              line: startLine,
+              column: 1,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  analyzeSensitiveRoutes(call, violations, filePath) {
+    const { SyntaxKind } = require("ts-morph");
+
+    const expression = call.getExpression();
+
+    // Check for route definitions that expose sensitive paths
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      const methodName = expression.getName();
+      const httpMethods = ["get", "post", "put", "delete", "patch", "all"];
+
+      if (httpMethods.includes(methodName)) {
+        const args = call.getArguments();
+        if (args.length > 0 && args[0].getKind() === SyntaxKind.StringLiteral) {
+          const routePath = args[0].getLiteralValue();
+
+          if (this.isSensitivePath(routePath)) {
+            const startLine = call.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Route '${routePath}' exposes sensitive path - implement proper access controls`,
+              severity: "error",
+              line: startLine,
+              column: 1,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  analyzeStaticConfigObject(configObj, violations, lineNumber) {
+    const properties = configObj.getProperties();
+
+    for (const prop of properties) {
+      if (
+        prop.getKind() === require("ts-morph").SyntaxKind.PropertyAssignment
+      ) {
+        const name = prop.getName();
+        const value = prop.getInitializer();
+
+        // Check for dangerous configuration options
+        if (this.directoryListingPatterns.includes(name)) {
+          if (value && this.isTruthyValue(value)) {
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Configuration option '${name}' enables directory browsing - set to false or remove`,
+              severity: "error",
+              line: lineNumber,
+              column: 1,
+            });
+          }
+        }
+
+        // Check for dotfiles configuration
+        if (name === "dotfiles" && value) {
+          const dotfilesValue = this.getValueAsString(value);
+          if (dotfilesValue === "allow" || dotfilesValue === true) {
+            violations.push({
+              ruleId: this.ruleId,
+              message:
+                "Dotfiles access is enabled - set dotfiles to 'deny' to protect sensitive files",
+              severity: "warning",
+              line: lineNumber,
+              column: 1,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  analyzeSensitivePathVariables(variable, violations, filePath) {
+    const initializer = variable.getInitializer();
+    const varName = variable.getName();
+
+    if (
+      initializer &&
+      initializer.getKind() === require("ts-morph").SyntaxKind.StringLiteral
+    ) {
+      const path = initializer.getLiteralValue();
+
+      if (this.isSensitivePath(path)) {
+        const startLine = variable.getStartLineNumber();
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Variable '${varName}' contains sensitive path '${path}' - ensure proper access controls`,
+          severity: "warning",
+          line: startLine,
+          column: 1,
+        });
+      }
+    }
+  }
+
+  analyzeConfigurationObjects(objLiteral, violations, filePath) {
+    const properties = objLiteral.getProperties();
+
+    for (const prop of properties) {
+      if (
+        prop.getKind() === require("ts-morph").SyntaxKind.PropertyAssignment
+      ) {
+        const name = prop.getName();
+        const value = prop.getInitializer();
+
+        // Check for configuration that might enable directory browsing
+        if (
+          name === "list" ||
+          name === "directory" ||
+          name === "autoIndex" ||
+          name === "listing"
+        ) {
+          if (value && this.isTruthyValue(value)) {
+            const startLine = prop.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Configuration '${name}: true' enables directory browsing - disable for security`,
+              severity: "error",
+              line: startLine,
+              column: 1,
+            });
+          }
+        }
+
+        // Check for hidden files access
+        if (name === "hidden") {
+          if (value && this.isTruthyValue(value)) {
+            const startLine = prop.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `Configuration '${name}: true' enables hidden files access - disable for security`,
+              severity: "warning",
+              line: startLine,
+              column: 1,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  isSensitivePath(path) {
+    if (!path || typeof path !== "string") return false;
+
+    const normalizedPath = path.toLowerCase();
+
+    return this.sensitiveFiles.some((sensitive) => {
+      // Check if path contains sensitive file/directory patterns
+      return (
+        normalizedPath.includes(sensitive.toLowerCase()) ||
+        normalizedPath.startsWith("/" + sensitive.toLowerCase()) ||
+        normalizedPath.startsWith("./" + sensitive.toLowerCase()) ||
+        normalizedPath.endsWith("/" + sensitive.toLowerCase())
+      );
+    });
+  }
+
+  isTruthyValue(valueNode) {
+    const { SyntaxKind } = require("ts-morph");
+
+    if (valueNode.getKind() === SyntaxKind.TrueKeyword) return true;
+    if (valueNode.getKind() === SyntaxKind.StringLiteral) {
+      const value = valueNode.getLiteralValue();
+      return value === "true" || value === "allow" || value === "yes";
+    }
+    if (valueNode.getKind() === SyntaxKind.NumericLiteral) {
+      return valueNode.getLiteralValue() !== 0;
+    }
+
+    return false;
+  }
+
+  getValueAsString(valueNode) {
+    const { SyntaxKind } = require("ts-morph");
+
+    if (valueNode.getKind() === SyntaxKind.StringLiteral) {
+      return valueNode.getLiteralValue();
+    }
+    if (valueNode.getKind() === SyntaxKind.TrueKeyword) return true;
+    if (valueNode.getKind() === SyntaxKind.FalseKeyword) return false;
+
+    return valueNode.getText();
+  }
+
+  analyzeNestJSDecorators(decorator, violations, filePath) {
+    const { SyntaxKind } = require("ts-morph");
+
+    const expression = decorator.getCallExpression();
+    if (!expression) return;
+
+    const decoratorName = expression.getExpression().getText();
+
+    // Check for route decorators with sensitive paths
+    if (["Get", "Post", "Put", "Delete", "Patch"].includes(decoratorName)) {
+      const args = expression.getArguments();
+      if (args.length > 0 && args[0].getKind() === SyntaxKind.StringLiteral) {
+        const routePath = args[0].getLiteralValue();
+
+        if (this.isSensitivePath(routePath)) {
+          const startLine = decorator.getStartLineNumber();
+          violations.push({
+            ruleId: this.ruleId,
+            message: `NestJS route '${routePath}' exposes sensitive path - implement proper access controls`,
+            severity: "error",
+            line: startLine,
+            column: 1,
+          });
+        }
+      }
+    }
+
+    // Check for Controller decorator with sensitive paths
+    if (decoratorName === "Controller") {
+      const args = expression.getArguments();
+      if (args.length > 0 && args[0].getKind() === SyntaxKind.StringLiteral) {
+        const controllerPath = args[0].getLiteralValue();
+
+        if (this.isSensitivePath(controllerPath)) {
+          const startLine = decorator.getStartLineNumber();
+          violations.push({
+            ruleId: this.ruleId,
+            message: `NestJS controller path '${controllerPath}' exposes sensitive path - review controller design`,
+            severity: "warning",
+            line: startLine,
+            column: 1,
+          });
+        }
+      }
+    }
+  }
+
+  analyzeNextJSAPIRoutes(func, violations, filePath) {
+    const { SyntaxKind } = require("ts-morph");
+
+    // Check if this is an exported API route function
+    const exportKeyword = func
+      .getFirstAncestorByKind(SyntaxKind.SourceFile)
+      ?.getExportedDeclarations()
+      ?.get(func.getName() || "default");
+
+    if (!exportKeyword) return;
+
+    // Check if function name suggests HTTP method (GET, POST, etc.)
+    const funcName = func.getName();
+    const httpMethods = ["GET", "POST", "PUT", "DELETE", "PATCH"];
+
+    if (httpMethods.includes(funcName)) {
+      // Check function body for sensitive file operations
+      const body = func.getBody();
+      if (body) {
+        const bodyText = body.getText();
+
+        // Check for sensitive file paths in the function body
+        const sensitivePatterns = [
+          /['"`][^'"`]*\.env[^'"`]*['"`]/g,
+          /['"`][^'"`]*\.git[^'"`]*['"`]/g,
+          /['"`][^'"`]*config[^'"`]*['"`]/g,
+          /['"`][^'"`]*backup[^'"`]*['"`]/g,
+          /['"`][^'"`]*secret[^'"`]*['"`]/g,
+          /['"`][^'"`]*\.ssh[^'"`]*['"`]/g,
+        ];
+
+        for (const pattern of sensitivePatterns) {
+          const matches = [...bodyText.matchAll(pattern)];
+          if (matches.length > 0) {
+            const startLine = func.getStartLineNumber();
+            violations.push({
+              ruleId: this.ruleId,
+              message: `NextJS API route '${funcName}' contains sensitive file references - ensure proper access controls`,
+              severity: "error",
+              line: startLine,
+              column: 1,
+            });
+            break; // Only report once per function
+          }
+        }
+      }
+    }
+  }
+
+  cleanup() {}
+}
+
+module.exports = S030SymbolBasedAnalyzer;

package/rules/security/S033_samesite_session_cookies/symbol-based-analyzer.js

@@ -1,9 +1,9 @@
 /**
  * S033 Symbol-Based Analyzer - Set SameSite attribute for Session Cookies
- * Uses TypeScript compiler API for semantic analysis
+ * Uses ts-morph for semantic analysis (consistent with SunLint architecture)
  */
 
-const ts = require("typescript");
+const { SyntaxKind } = require("ts-morph");
 
 class S033SymbolBasedAnalyzer {
   constructor(semanticEngine = null) {
@@ -78,7 +78,7 @@ class S033SymbolBasedAnalyzer {
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
       if (!sourceFile) {
         if (this.verbose) {
           console.log(
@@ -684,13 +684,12 @@ class S033SymbolBasedAnalyzer {
   /**
    * Enhanced method name detection with framework support
    */
-  getMorphMethodName(callNode) {
+  extractMethodName(callExpression) {
     try {
-      const expression = callNode.getExpression();
-      const ts = require("typescript");
+      const expression = callExpression.getExpression();
 
       // Handle property access expressions (obj.method)
-      if (expression.getKind() === ts.SyntaxKind.PropertyAccessExpression) {
+      if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
         const propertyName = expression.getNameNode().getText();
 
         // Check for chained method calls like response.cookies.set
@@ -698,7 +697,7 @@ class S033SymbolBasedAnalyzer {
           const objectExpression = expression.getExpression();
           if (
             objectExpression.getKind() ===
-            ts.SyntaxKind.PropertyAccessExpression
+            SyntaxKind.PropertyAccessExpression
           ) {
             const parentProperty = objectExpression.getNameNode().getText();
             if (parentProperty === "cookies") {
@@ -712,7 +711,7 @@ class S033SymbolBasedAnalyzer {
       }
 
       // Handle direct function calls
-      if (expression.getKind() === ts.SyntaxKind.Identifier) {
+      if (expression.getKind() === SyntaxKind.Identifier) {
         return expression.getText();
       }