@sun-asterisk/sunlint 1.3.8 → 1.3.10

package/rules/security/S039_no_session_tokens_in_url/symbol-based-analyzer.js

@@ -101,21 +101,26 @@ class S039SymbolBasedAnalyzer {
 
       for (const call of callExpressions) {
         const expression = call.getExpression();
-        if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
-          const methodName = expression.getNameNode().getText();
-          if (/^(get|post|put|delete|patch|all|use)$/.test(methodName)) {
-            const args = call.getArguments();
-            const lastArg = args[args.length - 1];
-            // The last argument should be the handler function
-            if (
-              lastArg.getKind() === SyntaxKind.ArrowFunction ||
-              lastArg.getKind() === SyntaxKind.FunctionExpression
-            ) {
-              routeHandlers.push({
-                handler: lastArg,
-                routeCall: call,
-                type: "express",
-              });
+        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const nameNode = expression.getNameNode();
+          if (nameNode) {
+            const methodName = nameNode.getText();
+            if (/^(get|post|put|delete|patch|all|use)$/.test(methodName)) {
+              const args = call.getArguments();
+              const lastArg = args[args.length - 1];
+              // The last argument should be the handler function
+              if (
+                lastArg && (
+                  lastArg.getKind() === SyntaxKind.ArrowFunction ||
+                  lastArg.getKind() === SyntaxKind.FunctionExpression
+                )
+              ) {
+                routeHandlers.push({
+                  handler: lastArg,
+                  routeCall: call,
+                  type: "express",
+                });
+              }
             }
           }
         }
@@ -165,7 +170,7 @@ class S039SymbolBasedAnalyzer {
       // Nuxt.js defineEventHandler patterns
       for (const call of callExpressions) {
         const expression = call.getExpression();
-        if (expression.getKind() === SyntaxKind.Identifier) {
+        if (expression && expression.getKind() === SyntaxKind.Identifier) {
           const identifier = expression.asKindOrThrow(SyntaxKind.Identifier);
           if (identifier.getText() === "defineEventHandler") {
             // Find the arrow function or function parameter
@@ -173,8 +178,10 @@ class S039SymbolBasedAnalyzer {
             if (args.length > 0) {
               const firstArg = args[0];
               if (
-                firstArg.getKind() === SyntaxKind.ArrowFunction ||
-                firstArg.getKind() === SyntaxKind.FunctionExpression
+                firstArg && (
+                  firstArg.getKind() === SyntaxKind.ArrowFunction ||
+                  firstArg.getKind() === SyntaxKind.FunctionExpression
+                )
               ) {
                 routeHandlers.push({
                   handler: firstArg,
@@ -247,7 +254,7 @@ class S039SymbolBasedAnalyzer {
       const { SyntaxKind } = require("ts-morph");
 
       // For NestJS, check decorator parameters first
-      if (node.getKind() === SyntaxKind.MethodDeclaration) {
+      if (node && node.getKind() === SyntaxKind.MethodDeclaration) {
         const parameters = node.getParameters();
         for (const param of parameters) {
           const decorators = param.getDecorators();
@@ -257,7 +264,7 @@ class S039SymbolBasedAnalyzer {
               const args = decorator.getArguments();
               if (args.length > 0) {
                 const firstArg = args[0];
-                if (firstArg.getKind() === SyntaxKind.StringLiteral) {
+                if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
                   const paramName = firstArg.getLiteralValue();
                   if (this.isSessionTokenParam(paramName)) {
                     exposures.push({
@@ -283,7 +290,7 @@ class S039SymbolBasedAnalyzer {
         const property = propAccess.getName();
 
         // Check for req.query.paramName patterns
-        if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        if (expression && expression.getKind() === SyntaxKind.PropertyAccessExpression) {
           const parentExpression = expression.getExpression();
           const parentProperty = expression.getName();
 
@@ -314,7 +321,7 @@ class S039SymbolBasedAnalyzer {
         const argumentExpression = elemAccess.getArgumentExpression();
 
         if (
-          expression.getKind() === SyntaxKind.PropertyAccessExpression &&
+          expression && expression.getKind() === SyntaxKind.PropertyAccessExpression &&
           argumentExpression &&
           argumentExpression.getKind() === SyntaxKind.StringLiteral
         ) {
@@ -344,19 +351,19 @@ class S039SymbolBasedAnalyzer {
 
       for (const call of callExpressions) {
         const callExpression = call.getExpression();
-        if (callExpression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        if (callExpression && callExpression.getKind() === SyntaxKind.PropertyAccessExpression) {
           const methodName = callExpression.getName();
           const objectExpression = callExpression.getExpression();
 
           // searchParams.get("sessionToken"), URLSearchParams.get("token")
           if (
             methodName === "get" &&
-            objectExpression.getText().includes("searchParams")
+            objectExpression && objectExpression.getText().includes("searchParams")
           ) {
             const args = call.getArguments();
             if (args.length > 0) {
               const firstArg = args[0];
-              if (firstArg.getKind() === SyntaxKind.StringLiteral) {
+              if (firstArg && firstArg.getKind() === SyntaxKind.StringLiteral) {
                 const paramName = firstArg.getLiteralValue();
                 if (this.isSessionTokenParam(paramName)) {
                   exposures.push({
@@ -378,7 +385,7 @@ class S039SymbolBasedAnalyzer {
 
       for (const varDecl of variableDeclarations) {
         const nameNode = varDecl.getNameNode();
-        if (nameNode.getKind() === SyntaxKind.ObjectBindingPattern) {
+        if (nameNode && nameNode.getKind() === SyntaxKind.ObjectBindingPattern) {
           const bindingPattern = nameNode.asKindOrThrow(
             SyntaxKind.ObjectBindingPattern
           );

package/rules/security/S056_log_injection_protection/analyzer.js

@@ -28,9 +28,9 @@ class S056Analyzer {
 
     // Configuration
     this.config = {
-      useSymbolBased: true, // Primary approach
+      useSymbolBased: true, // Re-enabled with ts-morph API fixes
       fallbackToRegex: true, // Secondary approach
-      regexBasedOnly: false, // Can be set to true for pure mode
+      regexBasedOnly: false, // Now we can use symbol analysis again
     };
 
     // Initialize analyzers

package/rules/security/S056_log_injection_protection/symbol-based-analyzer.js

@@ -1,9 +1,9 @@
 /**
  * S056 Symbol-Based Analyzer - Protect against Log Injection attacks
- * Uses TypeScript compiler API for semantic analysis
+ * Uses ts-morph for semantic analysis (consistent with SunLint architecture)
  */
 
-const ts = require("typescript");
+const { SyntaxKind } = require("ts-morph");
 
 class S056SymbolBasedAnalyzer {
   constructor(semanticEngine = null) {
@@ -70,51 +70,54 @@ class S056SymbolBasedAnalyzer {
     }
   }
 
-  async analyze(filePath) {
+  async analyze(sourceFileOrPath) {
+    // Handle both sourceFile object and file path
+    let sourceFile;
+    let filePath;
+    
+    if (typeof sourceFileOrPath === 'string') {
+      filePath = sourceFileOrPath;
+      // Try to get from semantic engine first
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      
+      // If not found, create new ts-morph project
+      if (!sourceFile) {
+        const { Project } = require("ts-morph");
+        const project = new Project();
+        sourceFile = project.addSourceFileAtPath(filePath);
+      }
+    } else {
+      // Assume it's already a ts-morph SourceFile
+      sourceFile = sourceFileOrPath;
+      filePath = sourceFile.getFilePath();
+    }
+
     if (this.verbose) {
       console.log(
         `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
       );
     }
 
-    if (!this.semanticEngine) {
+    if (!sourceFile) {
       if (this.verbose) {
         console.log(
-          `🔍 [${this.ruleId}] Symbol: No semantic engine available, skipping`
+          `� [${this.ruleId}] Symbol: Could not create source file`
         );
       }
       return [];
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
-      if (!sourceFile) {
-        if (this.verbose) {
-          console.log(
-            `🔍 [${this.ruleId}] Symbol: No source file found, trying ts-morph fallback`
-          );
-        }
-        return await this.analyzeTsMorph(filePath);
-      }
-
-      if (this.verbose) {
-        console.log(`🔧 [${this.ruleId}] Source file found, analyzing...`);
-      }
-
       const violations = [];
-      const typeChecker = this.semanticEngine.program?.getTypeChecker();
 
-      // Visit all nodes in the source file
-      const visit = (node) => {
-        // Check for log method calls
-        if (ts.isCallExpression(node)) {
-          this.checkLogMethodCall(node, violations, sourceFile, typeChecker);
+      // Find all call expressions using ts-morph API
+      sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === SyntaxKind.CallExpression) {
+          this.checkLogMethodCall(node, violations, sourceFile);
         }
-        
-        ts.forEachChild(node, visit);
-      };
-
-      visit(sourceFile);
+      });
 
       if (this.verbose) {
         console.log(
@@ -129,26 +132,28 @@ class S056SymbolBasedAnalyzer {
     }
   }
 
-  checkLogMethodCall(node, violations, sourceFile, typeChecker) {
-    // Check if this is a logging method call
-    const methodName = this.getMethodName(node);
+  checkLogMethodCall(callExprNode, violations, sourceFile) {
+    // Check if this is a logging method call using ts-morph API
+    const methodName = this.getMethodName(callExprNode);
     if (!methodName || !this.logMethods.includes(methodName)) {
       return;
     }
 
     // Check arguments for user input
-    if (node.arguments && node.arguments.length > 0) {
-      for (const arg of node.arguments) {
-        if (this.containsUserInput(arg, sourceFile)) {
-          const position = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+    const args = callExprNode.getArguments();
+    if (args && args.length > 0) {
+      for (const arg of args) {
+        if (this.containsUserInput(arg)) {
+          const lineAndCol = sourceFile.getLineAndColumnAtPos(callExprNode.getStart());
+          
           violations.push({
             ruleId: this.ruleId,
             message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
-            line: position.line + 1,
-            column: position.character + 1,
+            line: lineAndCol.line,
+            column: lineAndCol.column,
             severity: "error",
             category: this.category,
-            code: sourceFile.getFullText().slice(node.getStart(), node.getEnd())
+            code: callExprNode.getText()
           });
           break;
         }
@@ -157,56 +162,62 @@ class S056SymbolBasedAnalyzer {
   }
 
   getMethodName(callExpression) {
-    const expression = callExpression.expression;
+    // Use ts-morph API instead of TypeScript compiler API
+    const expression = callExpression.getExpression();
     
-    if (ts.isIdentifier(expression)) {
-      return expression.text;
+    if (expression.getKind() === SyntaxKind.Identifier) {
+      return expression.getText();
     }
     
-    if (ts.isPropertyAccessExpression(expression)) {
-      return expression.name.text;
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      return expression.getName();
     }
     
     return null;
   }
 
-  containsUserInput(node, sourceFile) {
-    // Check for direct user input references
-    if (ts.isIdentifier(node)) {
-      return this.userInputSources.includes(node.text);
+  containsUserInput(node) {
+    // Check for direct user input references using ts-morph API
+    if (node.getKind() === SyntaxKind.Identifier) {
+      return this.userInputSources.includes(node.getText());
     }
 
     // Check for property access on user input (e.g., req.body, req.query)
-    if (ts.isPropertyAccessExpression(node)) {
+    if (node.getKind() === SyntaxKind.PropertyAccessExpression) {
       const objectName = this.getObjectName(node);
       return this.userInputSources.includes(objectName);
     }
 
     // Check for element access on user input (e.g., req["body"], headers['user-agent'])
-    if (ts.isElementAccessExpression(node)) {
+    if (node.getKind() === SyntaxKind.ElementAccessExpression) {
       const objectName = this.getObjectName(node);
       return this.userInputSources.includes(objectName);
     }
 
     // Check for binary expressions (concatenation)
-    if (ts.isBinaryExpression(node)) {
-      return this.containsUserInput(node.left, sourceFile) || 
-             this.containsUserInput(node.right, sourceFile);
+    if (node.getKind() === SyntaxKind.BinaryExpression) {
+      const left = node.getLeft();
+      const right = node.getRight();
+      return this.containsUserInput(left) || this.containsUserInput(right);
     }
 
     // Check for template literals
-    if (ts.isTemplateExpression(node)) {
-      return node.templateSpans.some(span => 
-        this.containsUserInput(span.expression, sourceFile)
+    if (node.getKind() === SyntaxKind.TemplateExpression) {
+      const templateSpans = node.getTemplateSpans();
+      return templateSpans.some(span => 
+        this.containsUserInput(span.getExpression())
       );
     }
 
     // Check for function calls that might return user input
-    if (ts.isCallExpression(node)) {
+    if (node.getKind() === SyntaxKind.CallExpression) {
       // Check if it's JSON.stringify with user input
       const methodName = this.getMethodName(node);
-      if (methodName === "stringify" && node.arguments.length > 0) {
-        return this.containsUserInput(node.arguments[0], sourceFile);
+      if (methodName === "stringify") {
+        const args = node.getArguments();
+        if (args.length > 0) {
+          return this.containsUserInput(args[0]);
+        }
       }
     }
 
@@ -214,71 +225,19 @@ class S056SymbolBasedAnalyzer {
   }
 
   getObjectName(node) {
-    if (ts.isPropertyAccessExpression(node) || ts.isElementAccessExpression(node)) {
-      if (ts.isIdentifier(node.expression)) {
-        return node.expression.text;
+    if (node.getKind() === SyntaxKind.PropertyAccessExpression || 
+        node.getKind() === SyntaxKind.ElementAccessExpression) {
+      const expression = node.getExpression();
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        return expression.getText();
       }
     }
     return null;
   }
 
   /**
-   * Fallback analysis using ts-morph when semantic engine is not available
+   * Clean up resources
    */
-  async analyzeTsMorph(filePath) {
-    try {
-      const fs = require("fs");
-      const { Project } = require("ts-morph");
-      
-      const project = new Project();
-      const sourceFile = project.addSourceFileAtPath(filePath);
-      const violations = [];
-
-      // Find all call expressions
-      sourceFile.forEachDescendant((node) => {
-        if (node.getKind() === ts.SyntaxKind.CallExpression) {
-          const callExpr = node;
-          const methodName = this.extractMethodName(callExpr.getText());
-          
-          if (this.logMethods.includes(methodName)) {
-            const args = callExpr.getArguments();
-            for (const arg of args) {
-              if (this.containsUserInputText(arg.getText())) {
-                const line = sourceFile.getLineAndColumnAtPos(node.getStart()).line;
-                const column = sourceFile.getLineAndColumnAtPos(node.getStart()).column;
-                
-                violations.push({
-                  ruleId: this.ruleId,
-                  message: `Log injection vulnerability: User input directly used in ${methodName}() call without sanitization`,
-                  line: line,
-                  column: column,
-                  severity: "error",
-                  category: this.category,
-                  code: node.getText()
-                });
-                break;
-              }
-            }
-          }
-        }
-      });
-
-      return violations;
-    } catch (error) {
-      console.warn(`⚠ [${this.ruleId}] ts-morph analysis failed:`, error.message);
-      return [];
-    }
-  }
-
-  extractMethodName(callText) {
-    const match = callText.match(/(\w+)\s*\(/);
-    return match ? match[1] : null;
-  }
-
-  containsUserInputText(text) {
-    return this.userInputSources.some(source => text.includes(source));
-  }
-
   cleanup() {
     // Cleanup resources if needed
   }