@sun-asterisk/sunlint 1.3.8 → 1.3.9

package/rules/security/S020_no_eval_dynamic_code/regex-based-analyzer.js

@@ -0,0 +1,307 @@
+/**
+ * S020 Regex-Based Analyzer - Avoid using eval() or executing dynamic code
+ * Detects dangerous dynamic code execution patterns across different contexts
+ */
+const fs = require("fs");
+
+class S020RegexBasedAnalyzer {
+  constructor() {
+    this.ruleId = "S020";
+
+    // Dangerous function patterns
+    this.dangerousPatterns = {
+      // Direct eval calls
+      eval: /\beval\s*\(/g,
+      // Function constructor
+      functionConstructor: /\bnew\s+Function\s*\(/g,
+      // Global eval access
+      globalEval: /\b(window|global|globalThis|self)\.eval\s*\(/g,
+      // setTimeout/setInterval with strings (but not function references)
+      timerWithString: /(setTimeout|setInterval)\s*\(\s*['"`]/g,
+      // execScript (IE legacy) - including type casting
+      execScript: /(\bexecScript\s*\(|\(\w+\s+as\s+any\)\.execScript\s*\()/g,
+      // setImmediate with strings (but not function references) - including type casting
+      setImmediateString:
+        /(\bsetImmediate\s*\(\s*['"`]|\(\s*setImmediate\s+as\s+any\)\s*\(\s*['"`])/g,
+    };
+
+    // Dynamic code indicators in variable names
+    this.dynamicCodeVariables =
+      /\b(code|script|expression|formula|template|eval)\w*\s*=/gi;
+
+    // Execution context patterns
+    this.executionPatterns = {
+      // Function.prototype.call/apply with dynamic strings
+      functionCall: /Function\.prototype\.(call|apply)/g,
+      // Code generation patterns
+      codeGeneration: /(generate|build|create)\w*\s*(code|script|function)/gi,
+      // Template execution
+      templateExecution: /(execute|run|eval)\w*\s*(template|expression)/gi,
+    };
+  }
+
+  async analyze(filePath) {
+    // Skip files that are unlikely to contain dynamic code execution
+    const skipPatterns = [
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.interface\.ts$/,
+      /\.constants?\.ts$/,
+      /\.config\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+      /\.min\.js$/,
+      /\.bundle\.js$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return [];
+    }
+
+    const content = fs.readFileSync(filePath, "utf8");
+    const lines = content.split(/\r?\n/);
+    const violations = [];
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Skip comments and imports
+      if (this.shouldSkipLine(line)) {
+        continue;
+      }
+
+      // Check for dangerous function patterns
+      this.checkDangerousPatterns(line, lineNumber, violations);
+
+      // Check for dynamic code variable patterns
+      this.checkDynamicCodeVariables(line, lineNumber, violations);
+
+      // Check for execution context patterns
+      this.checkExecutionPatterns(line, lineNumber, violations);
+    }
+
+    return violations;
+  }
+
+  shouldSkipLine(line) {
+    const trimmed = line.trim();
+
+    // Skip empty lines
+    if (!trimmed) return true;
+
+    // Skip single-line comments
+    if (trimmed.startsWith("//")) return true;
+
+    // Skip import/export statements
+    if (trimmed.startsWith("import ") || trimmed.startsWith("export "))
+      return true;
+
+    // Skip require statements
+    if (trimmed.startsWith("const ") && trimmed.includes("require("))
+      return true;
+
+    // Skip JSDoc comments
+    if (
+      trimmed.startsWith("*") ||
+      trimmed.startsWith("/**") ||
+      trimmed.startsWith("*/")
+    )
+      return true;
+
+    return false;
+  }
+
+  checkDangerousPatterns(line, lineNumber, violations) {
+    // Debug log for setImmediate lines specifically
+    if (line.includes("setImmediate") && process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔍 [S020-Regex] Checking setImmediate line ${lineNumber}: ${line.trim()}`
+      );
+    }
+
+    for (const [patternName, pattern] of Object.entries(
+      this.dangerousPatterns
+    )) {
+      const matches = [...line.matchAll(pattern)];
+
+      // Debug log for setImmediate pattern specifically
+      if (
+        patternName === "setImmediateString" &&
+        line.includes("setImmediate") &&
+        process.env.SUNLINT_DEBUG
+      ) {
+        console.log(
+          `🔍 [S020-Regex] Testing setImmediateString pattern on line ${lineNumber}`
+        );
+        console.log(`🔍 [S020-Regex] Pattern: ${pattern}`);
+        console.log(`🔍 [S020-Regex] Matches found: ${matches.length}`);
+      }
+
+      for (const match of matches) {
+        let message;
+        let severity = "error";
+
+        switch (patternName) {
+          case "eval":
+            message =
+              "Direct eval() call can execute arbitrary code and poses security risks";
+            break;
+          case "functionConstructor":
+            message =
+              "Function constructor can create functions from strings and execute dynamic code";
+            break;
+          case "globalEval":
+            message = `Global eval access '${match[0]}' can execute arbitrary code and poses security risks`;
+            break;
+          case "timerWithString":
+            message = `${match[1]}() with string argument can execute dynamic code - use function reference instead`;
+            severity = "warning";
+            break;
+          case "execScript":
+            message =
+              "execScript() can execute arbitrary code and poses security risks";
+            break;
+          case "setImmediateString":
+            message =
+              "setImmediate() with string argument can execute dynamic code - use function reference instead";
+            severity = "warning";
+            break;
+          default:
+            message = "Potential dynamic code execution detected";
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          message: message,
+          severity: severity,
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S020-Regex] Found ${patternName} at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkDynamicCodeVariables(line, lineNumber, violations) {
+    const matches = [...line.matchAll(this.dynamicCodeVariables)];
+
+    for (const match of matches) {
+      // Additional context checking to reduce false positives
+      const context = line.toLowerCase();
+
+      // Check if it's actually related to code execution
+      if (this.isLikelyDynamicCode(context)) {
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Variable '${match[0].trim()}' suggests dynamic code handling - review for potential code execution`,
+          severity: "warning",
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S020-Regex] Found dynamic code variable at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  checkExecutionPatterns(line, lineNumber, violations) {
+    for (const [patternName, pattern] of Object.entries(
+      this.executionPatterns
+    )) {
+      const matches = [...line.matchAll(pattern)];
+
+      for (const match of matches) {
+        let message;
+
+        switch (patternName) {
+          case "functionCall":
+            message = `Function.prototype.${match[1]} may be used for dynamic code execution - review implementation`;
+            break;
+          case "codeGeneration":
+            message = `Code generation pattern '${match[0]}' detected - ensure no dynamic code execution`;
+            break;
+          case "templateExecution":
+            message = `Template execution pattern '${match[0]}' detected - ensure safe template handling`;
+            break;
+          default:
+            message = "Potential code execution pattern detected";
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          message: message,
+          severity: "warning",
+          line: lineNumber,
+          column: match.index + 1,
+        });
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔧 [S020-Regex] Found execution pattern ${patternName} at line ${lineNumber}: ${match[0]}`
+          );
+        }
+      }
+    }
+  }
+
+  isLikelyDynamicCode(context) {
+    // Keywords that suggest actual code execution
+    const codeExecutionKeywords = [
+      "execute",
+      "run",
+      "eval",
+      "compile",
+      "interpret",
+      "function",
+      "method",
+      "call",
+      "invoke",
+      "dynamic",
+      "runtime",
+      "generated",
+    ];
+
+    // Keywords that suggest benign usage (reduce false positives)
+    const benignKeywords = [
+      "html",
+      "css",
+      "style",
+      "markup",
+      "tag",
+      "error",
+      "message",
+      "text",
+      "string",
+      "config",
+      "setting",
+      "option",
+      "parameter",
+    ];
+
+    const hasExecutionKeyword = codeExecutionKeywords.some((keyword) =>
+      context.includes(keyword)
+    );
+
+    const hasBenignKeyword = benignKeywords.some((keyword) =>
+      context.includes(keyword)
+    );
+
+    // Only flag if there's execution context and no benign indicators
+    return hasExecutionKeyword && !hasBenignKeyword;
+  }
+
+  cleanup() {}
+}
+
+module.exports = S020RegexBasedAnalyzer;

package/rules/security/S020_no_eval_dynamic_code/symbol-based-analyzer.js

@@ -0,0 +1,280 @@
+/**
+ * S020 Symbol-Based Analyzer - Avoid using eval() or executing dynamic code
+ * Enhanced to analyze function calls, constructor patterns, and dynamic code execution
+ */
+
+class S020SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S020";
+    this.semanticEngine = semanticEngine;
+
+    // Dangerous functions that execute dynamic code
+    this.dangerousFunctions = ["eval", "Function", "execScript"];
+
+    // Functions that can execute code when used with strings
+    this.conditionallyDangerous = ["setTimeout", "setInterval", "setImmediate"];
+
+    // Constructor patterns to detect
+    this.dangerousConstructors = ["Function"];
+
+    // Global object access patterns
+    this.globalAccessPatterns = [
+      "window.eval",
+      "global.eval",
+      "globalThis.eval",
+      "self.eval",
+    ];
+
+    // Dynamic code indicators in variable names/strings
+    this.dynamicCodeIndicators = [
+      "code",
+      "script",
+      "expression",
+      "formula",
+      "template",
+      "eval",
+    ];
+  }
+
+  async initialize() {}
+
+  analyze(sourceFile, filePath) {
+    const violations = [];
+
+    // Skip files that are unlikely to contain dynamic code execution
+    const skipPatterns = [
+      /\.d\.ts$/,
+      /\.types\.ts$/,
+      /\.interface\.ts$/,
+      /\.constants?\.ts$/,
+      /\.config\.ts$/,
+      /\.spec\.ts$/,
+      /\.test\.ts$/,
+    ];
+
+    const shouldSkip = skipPatterns.some((pattern) => pattern.test(filePath));
+    if (shouldSkip) {
+      return violations;
+    }
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      // Find all call expressions for function calls
+      const callExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.CallExpression
+      );
+
+      for (const call of callExpressions) {
+        try {
+          const callViolations = this.analyzeCallExpression(call, filePath);
+          violations.push(...callViolations);
+        } catch (error) {
+          console.warn(
+            `⚠ [S020] Call expression analysis failed:`,
+            error.message
+          );
+        }
+      }
+
+      // Find all new expressions for constructor calls
+      const newExpressions = sourceFile.getDescendantsOfKind(
+        SyntaxKind.NewExpression
+      );
+
+      for (const newExpr of newExpressions) {
+        try {
+          const newViolations = this.analyzeNewExpression(newExpr, filePath);
+          violations.push(...newViolations);
+        } catch (error) {
+          console.warn(
+            `⚠ [S020] New expression analysis failed:`,
+            error.message
+          );
+        }
+      }
+
+      // Find property access expressions for global object access
+      const propertyAccesses = sourceFile.getDescendantsOfKind(
+        SyntaxKind.PropertyAccessExpression
+      );
+
+      for (const propAccess of propertyAccesses) {
+        try {
+          const propViolations = this.analyzePropertyAccess(
+            propAccess,
+            filePath
+          );
+          violations.push(...propViolations);
+        } catch (error) {
+          console.warn(
+            `⚠ [S020] Property access analysis failed:`,
+            error.message
+          );
+        }
+      }
+    } catch (error) {
+      console.warn(
+        `⚠ [S020] Symbol analysis failed for ${filePath}:`,
+        error.message
+      );
+    }
+
+    return violations;
+  }
+
+  analyzeCallExpression(call, filePath) {
+    const violations = [];
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      const expression = call.getExpression();
+      let functionName = null;
+
+      // Direct function call: eval(), Function()
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        functionName = expression.getText();
+      }
+      // Property access: window.eval(), global.Function()
+      else if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+        const fullExpression = expression.getText();
+        const propertyName = expression.getName();
+
+        // Check for global access patterns
+        if (
+          this.globalAccessPatterns.some(
+            (pattern) => fullExpression === pattern
+          )
+        ) {
+          functionName = propertyName;
+        } else if (this.dangerousFunctions.includes(propertyName)) {
+          functionName = propertyName;
+        }
+      }
+      // Type assertion / type casting: (setImmediate as any)("string")
+      else if (expression.getKind() === SyntaxKind.ParenthesizedExpression) {
+        const innerExpression = expression.getExpression();
+        if (innerExpression.getKind() === SyntaxKind.AsExpression) {
+          const asExpression = innerExpression;
+          const leftExpression = asExpression.getExpression();
+          if (leftExpression.getKind() === SyntaxKind.Identifier) {
+            functionName = leftExpression.getText();
+          }
+        }
+      }
+
+      if (functionName) {
+        // Check for dangerous functions
+        if (this.dangerousFunctions.includes(functionName)) {
+          const startLine = call.getStartLineNumber();
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Dangerous function '${functionName}()' can execute arbitrary code and poses security risks`,
+            severity: "error",
+            line: startLine,
+            column: 1,
+          });
+        }
+        // Check for conditionally dangerous functions (setTimeout/setInterval with string)
+        else if (this.conditionallyDangerous.includes(functionName)) {
+          const args = call.getArguments();
+          if (args.length > 0) {
+            const firstArg = args[0];
+
+            // Check if first argument is a string literal
+            if (firstArg.getKind() === SyntaxKind.StringLiteral) {
+              const startLine = call.getStartLineNumber();
+              violations.push({
+                ruleId: this.ruleId,
+                message: `Function '${functionName}()' with string argument can execute dynamic code - use function reference instead`,
+                severity: "warning",
+                line: startLine,
+                column: 1,
+              });
+            }
+            // Check if first argument contains dynamic code indicators
+            else {
+              const argText = firstArg.getText().toLowerCase();
+              const hasDynamicIndicator = this.dynamicCodeIndicators.some(
+                (indicator) => argText.includes(indicator)
+              );
+
+              if (hasDynamicIndicator) {
+                const startLine = call.getStartLineNumber();
+                violations.push({
+                  ruleId: this.ruleId,
+                  message: `Function '${functionName}()' may be executing dynamic code based on variable naming`,
+                  severity: "warning",
+                  line: startLine,
+                  column: 1,
+                });
+              }
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.warn(`⚠ [S020] Call expression analysis failed:`, error.message);
+    }
+
+    return violations;
+  }
+
+  analyzeNewExpression(newExpr, filePath) {
+    const violations = [];
+
+    try {
+      const { SyntaxKind } = require("ts-morph");
+
+      const expression = newExpr.getExpression();
+
+      if (expression.getKind() === SyntaxKind.Identifier) {
+        const constructorName = expression.getText();
+
+        if (this.dangerousConstructors.includes(constructorName)) {
+          const startLine = newExpr.getStartLineNumber();
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Constructor 'new ${constructorName}()' can create functions from strings and execute dynamic code`,
+            severity: "error",
+            line: startLine,
+            column: 1,
+          });
+        }
+      }
+    } catch (error) {
+      console.warn(`⚠ [S020] New expression analysis failed:`, error.message);
+    }
+
+    return violations;
+  }
+
+  analyzePropertyAccess(propAccess, filePath) {
+    const violations = [];
+
+    try {
+      const fullExpression = propAccess.getText();
+
+      // Check for global eval access patterns
+      if (this.globalAccessPatterns.includes(fullExpression)) {
+        const startLine = propAccess.getStartLineNumber();
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Global eval access '${fullExpression}' can execute arbitrary code and poses security risks`,
+          severity: "error",
+          line: startLine,
+          column: 1,
+        });
+      }
+    } catch (error) {
+      console.warn(`⚠ [S020] Property access analysis failed:`, error.message);
+    }
+
+    return violations;
+  }
+
+  cleanup() {}
+}
+
+module.exports = S020SymbolBasedAnalyzer;

package/rules/security/S024_xpath_xxe_protection/symbol-based-analyzer.js

@@ -1,9 +1,9 @@
 /**
  * S024 Symbol-Based Analyzer - Protect against XPath Injection and XML External Entity (XXE)
- * Uses TypeScript compiler API for semantic analysis
+ * Uses ts-morph for semantic analysis (consistent with SunLint architecture)
  */
 
-const ts = require("typescript");
+const { SyntaxKind } = require("ts-morph");
 
 class S024SymbolBasedAnalyzer {
   constructor(semanticEngine = null) {
@@ -85,7 +85,7 @@ class S024SymbolBasedAnalyzer {
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
       if (!sourceFile) {
         if (this.verbose) {
           console.log(

package/rules/security/S025_server_side_validation/symbol-based-analyzer.js

@@ -1,6 +1,6 @@
 /**
  * S025 Symbol-Based Analyzer - Always validate client-side data on the server
- * Uses TypeScript compiler API for semantic analysis
+ * Uses ts-morph for semantic analysis (consistent with SunLint architecture)
  * 
  * Detects patterns where client data is used without server-side validation:
  * 1. Using @Body() without ValidationPipe or DTO validation
@@ -8,10 +8,9 @@
  * 3. Direct use of req.body, req.query, req.params without validation
  * 4. Missing ValidationPipe configuration
  * 5. SQL injection via string concatenation
- * 6. File upload without server-side validation
  */
 
-const ts = require("typescript");
+const { SyntaxKind } = require("ts-morph");
 
 class S025SymbolBasedAnalyzer {
   constructor(semanticEngine = null) {
@@ -81,7 +80,7 @@ class S025SymbolBasedAnalyzer {
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
       if (!sourceFile) {
         if (this.verbose) {
           console.log(