npm - @sun-asterisk/sunlint - Versions diffs - 1.3.8 → 1.3.10 - Mend

@sun-asterisk/sunlint 1.3.8 → 1.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/rules/common/C060_no_override_superclass/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,220 @@
+/**
+ * C060 Symbol-based Analyzer - Advanced Do not scatter hardcoded constants throughout the logic
+ * Purpose: The rule prevents scattering hardcoded constants throughout the logic. Instead, constants should be defined in a single place to improve maintainability and readability.
+ */
+const { SyntaxKind } = require('ts-morph');
+class C060SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'C060';
+    this.ruleName = 'Do not override superclass methods (Symbol-Based)';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    // === Ignore Configuration ===
+    this.ignoredClasses = [
+      "React.Component",   // React components
+      "React.PureComponent",
+      "BaseMock",          // Custom test mocks
+    ];
+    this.ignoredMethods = [
+      "render",            // React render
+      "componentDidMount", // Some lifecycle hooks
+      "componentWillUnmount",
+    ];
+    this.ignoredFilePatterns = [
+      /node_modules/,
+      /\.d\.ts$/,
+      /\.test\.ts$/,
+    ];
+  }
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C060 Symbol-Based] Analyzer initialized, verbose: ${this.verbose}`);
+    }
+  }
+  async analyzeFileBasic(filePath, options = {}) {
+    // This is the main entry point called by the hybrid analyzer
+    return await this.analyzeFileWithSymbols(filePath, options);
+  }
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    const violations = [];
+    // Enable verbose mode if requested
+    const verbose = options.verbose || this.verbose;
+    if (!this.semanticEngine?.project) {
+      if (verbose) {
+        console.warn('[C060 Symbol-Based] No semantic engine available, skipping analysis');
+      }
+      return violations;
+    }
+    if (this.shouldIgnoreFile(filePath)) {
+      if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+      return violations;
+    }
+    if (verbose) {
+      console.log(`🔍 [C060 Symbol-Based] Starting analysis for ${filePath}`);
+    }
+    try {
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      if (!sourceFile) {
+        return violations;
+      }
+      const classDeclarations = sourceFile.getClasses();
+      for (const classDeclaration of classDeclarations) {
+        const classViolations = this.analyzeClass(classDeclaration, filePath, verbose);
+        violations.push(...classViolations);
+      }
+      if (verbose) {
+        console.log(`🔍 [C060 Symbol-Based] Total violations found: ${violations.length}`);
+      }
+      return violations;
+    } catch (error) {
+      if (verbose) {
+        console.warn(`[C060 Symbol-Based] Analysis failed for ${filePath}:`, error.message);
+      }
+      return violations;
+    }
+  }
+  /**
+   * Analyze one class for override violations
+   */
+  analyzeClass(classDeclaration, filePath, verbose) {
+    const violations = [];
+    const baseClass = classDeclaration.getBaseClass();
+    if (!baseClass) return violations;
+    // Check if this class should be ignored
+    if (this.shouldIgnoreClass(baseClass)) {
+      if (verbose) {
+        console.log(`[${this.ruleId}] Skipping ignored base class: ${baseClass.getName()}`);
+      }
+      return violations;
+    }
+    const baseMethods = this.collectBaseMethods(baseClass);
+    for (const method of classDeclaration.getMethods()) {
+      // Skip ignored methods
+      if (this.shouldIgnoreMethod(method)) {
+        if (verbose) {
+          console.log(`[${this.ruleId}] Skipping ignored method: ${method.getName()}`);
+        }
+        continue;
+      }
+      if (baseMethods.has(method.getName())) {
+        const violation = this.checkMethodOverride(method, classDeclaration, filePath, verbose);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+    }
+    return violations;
+  }
+  /**
+   * Collect all method names from base class
+   */
+  collectBaseMethods(baseClass) {
+    return new Set(baseClass.getMethods().map((method) => method.getName()));
+  }
+  /**
+   * Check if overridden method properly calls super.method()
+   */
+  checkMethodOverride(method, classDeclaration, filePath, verbose) {
+    const body = method.getBodyText();
+    if (!body) return null;
+    const methodName = method.getName();
+    const baseClass = classDeclaration.getBaseClass();
+    if (!baseClass) return null;
+    const baseClassName = baseClass.getName();
+    // 1 Get all CallExpressions in the method body
+    const calls = method.getDescendantsOfKind(SyntaxKind.CallExpression);
+    // 2 Check for super.method() or BaseClass.prototype.method.call(this)
+    const hasSuperCall = calls.some((call) => {
+      const expression = call.getExpression().getText();
+      return expression === `super.${methodName}`;
+    });
+    const hasBaseCall = calls.some((call) => {
+      const expression = call.getExpression().getText();
+      return expression === `${baseClassName}.prototype.${methodName}.call`;
+    });
+    if (!hasSuperCall && !hasBaseCall) {
+      const violation = {
+        ruleId: this.ruleId,
+        severity: 'warning',
+        message: `Overridden method '${method.getName()}' in '${classDeclaration.getName()}' does not call 'super.${method.getName()}()', potentially skipping lifecycle/resource logic.`,
+        source: this.ruleId,
+        file: filePath,
+        line: method.getStartLineNumber(),
+        column: method.getStart() - method.getStartLinePos(),
+        description: `[SYMBOL-BASED] Overriding methods should call the superclass implementation to ensure proper behavior.`,
+        suggestion: `Add a call to 'super.${method.getName()}()' within the method body.`,
+        category: 'best-practices',
+      };
+      if (verbose) {
+        console.log(
+          `⚠️ [${this.ruleId}] Violation in ${filePath}: Method '${method.getName()}' overrides superclass method but does not call super.`
+        );
+      }
+      return violation;
+    }
+    return null;
+  }
+  /**
+   * Ignore logic for classes
+   */
+  shouldIgnoreClass(baseClass) {
+    const baseName = baseClass.getName();
+    return this.ignoredClasses.includes(baseName);
+  }
+  /**
+   * Ignore logic for methods
+   */
+  shouldIgnoreMethod(method) {
+    const methodName = method.getName();
+    return this.ignoredMethods.includes(methodName);
+  }
+  /**
+   * Ignore files based on patterns
+   */
+  shouldIgnoreFile(filePath) {
+    return this.ignoredFilePatterns.some((pattern) => pattern.test(filePath));
+  }
+}
+module.exports = C060SymbolBasedAnalyzer;

package/rules/index.js CHANGED Viewed

@@ -64,6 +64,7 @@ const commonRules = {
     C048: loadRule('common', 'C048_no_bypass_architectural_layers'),
     C052: loadRule('common', 'C052_parsing_or_data_transformation'),
     C047: loadRule('common', 'C047_no_duplicate_retry_logic'),
+    C060: loadRule('common', 'C060_no_override_superclass'),
 };
 // 🔒 Security Rules (S-series) - Ready for migration

package/rules/security/S020_no_eval_dynamic_code/README.md ADDED Viewed

@@ -0,0 +1,136 @@
+# S020 - Avoid using eval() or executing dynamic code
+## Overview
+This rule detects and prevents the use of `eval()` and other dynamic code execution mechanisms that can lead to security vulnerabilities, particularly code injection attacks.
+## Why This Rule Matters
+Dynamic code execution through `eval()` and similar functions poses significant security risks:
+1. **Code Injection Vulnerabilities**: Untrusted input can be executed as code
+2. **Performance Issues**: Dynamic code execution is slower than static code
+3. **Debugging Difficulties**: Dynamic code is harder to debug and analyze
+4. **Security Auditing**: Static analysis tools cannot analyze dynamically generated code
+## What This Rule Detects
+### ❌ Dangerous Functions
+- `eval()` - Direct code execution
+- `new Function()` - Function constructor with string
+- `setTimeout(string)` - Timer with string code
+- `setInterval(string)` - Interval with string code
+- `execScript()` - Legacy IE function
+- `setImmediate(string)` - Immediate execution with string
+### ❌ Global Access Patterns
+- `window.eval()`
+- `global.eval()`
+- `globalThis.eval()`
+- `self.eval()`
+### ❌ Suspicious Variable Patterns
+Variables containing dynamic code indicators:
+- Variables named with `code`, `script`, `expression`, `formula`, `template`, `eval`
+## Examples
+### ❌ Violations
+```javascript
+// Direct eval usage
+eval("console.log('Hello')"); // ERROR
+// Function constructor
+const fn = new Function("return 1 + 1"); // ERROR
+// setTimeout with string
+setTimeout("console.log('test')", 1000); // WARNING
+// Global eval access
+window.eval("alert('test')"); // ERROR
+// Dynamic code variables
+const userCode = req.body.code;
+eval(userCode); // ERROR - code injection risk
+```
+### ✅ Safe Alternatives
+```javascript
+// Instead of eval(), use proper parsing and validation
+const result = JSON.parse(jsonString);
+// Instead of Function constructor, use proper function definitions
+function add(a, b) {
+  return a + b;
+}
+// Instead of setTimeout with string, use function reference
+setTimeout(() => console.log("test"), 1000);
+// Instead of dynamic code execution, use configuration objects
+const actions = {
+  add: (a, b) => a + b,
+  multiply: (a, b) => a * b,
+};
+const result = actions[operation](x, y);
+// For template engines, use safe templating libraries
+const template = handlebars.compile(templateString);
+const result = template(data);
+```
+## Configuration
+The rule can be configured in `config.json`:
+```json
+{
+  "validation": {
+    "dangerousFunctions": ["eval", "Function", "setTimeout", "setInterval"],
+    "dangerousPatterns": ["new Function", "window.eval", "global.eval"],
+    "dynamicCodeIndicators": ["code", "script", "expression", "formula"]
+  }
+}
+```
+## Security Best Practices
+1. **Input Validation**: Always validate and sanitize user input
+2. **Use Safe Alternatives**: Prefer configuration objects over dynamic code
+3. **Template Engines**: Use established, secure template libraries
+4. **Content Security Policy**: Implement CSP headers to prevent code injection
+5. **Code Review**: Carefully review any dynamic code patterns
+## Related Rules
+- **S023**: JSON Injection Protection
+- **S025**: Server-side Validation
+- **S056**: Log Injection Protection
+## Severity Levels
+- **ERROR**: Direct `eval()`, `Function()` constructor, global eval access
+- **WARNING**: `setTimeout`/`setInterval` with strings, suspicious variable patterns
+## Framework-Specific Notes
+### Node.js
+- Be especially careful with `vm` module usage
+- Avoid `child_process.exec()` with user input
+### Browser
+- Consider Content Security Policy to prevent eval
+- Be cautious with `innerHTML` and similar DOM manipulation
+### React/Vue
+- Avoid `dangerouslySetInnerHTML` with user content
+- Use proper event handlers instead of inline scripts

package/rules/security/S020_no_eval_dynamic_code/analyzer.js ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * S020 Main Analyzer - Avoid using eval() or executing dynamic code
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S020 --input=examples/rule-test-fixtures/rules/S020_no_eval_dynamic_code --engine=heuristic
+ */
+const S020SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S020RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S020Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S020] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S020] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S020";
+    this.ruleName = "Avoid using eval() or executing dynamic code";
+    this.description =
+      "Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+    try {
+      this.symbolAnalyzer = new S020SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S020] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S020RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S020] Error creating regex analyzer:`, error);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Main analyzer initializing...`);
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Main analyzer initialized successfully`);
+  }
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S020] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S020] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S020] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Total violations found: ${violations.length}`);
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S020] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S020] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Trying symbol-based analysis...`);
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          // If symbol-based found violations AND prioritizeSymbolic is true, skip regex
+          // But still run regex if symbol-based didn't find any violations
+          if (this.config.prioritizeSymbolic && symbolViolations.length > 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
+      }
+    }
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S020] Regex analysis failed:`, error.message);
+      }
+    }
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S020] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+module.exports = S020Analyzer;

package/rules/security/S020_no_eval_dynamic_code/config.json ADDED Viewed

@@ -0,0 +1,54 @@
+{
+  "id": "S020",
+  "name": "Avoid using eval() or executing dynamic code",
+  "category": "security",
+  "description": "S020 - Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "dangerousFunctions": [
+      "eval",
+      "Function",
+      "setTimeout",
+      "setInterval",
+      "execScript",
+      "setImmediate"
+    ],
+    "dangerousPatterns": [
+      "new Function",
+      "window.eval",
+      "global.eval",
+      "globalThis.eval"
+    ],
+    "dynamicCodeIndicators": [
+      "code",
+      "script",
+      "expression",
+      "formula",
+      "template"
+    ]
+  }
+}