@sun-asterisk/sunlint 1.3.8 → 1.3.9

package/rules/security/S030_directory_browsing_protection/README.md

@@ -0,0 +1,128 @@
+# S030 - Disable Directory Browsing and Protect Sensitive Metadata Files
+
+## Overview
+
+This rule detects and prevents directory browsing vulnerabilities and exposure of sensitive metadata files that could lead to information disclosure.
+
+## Security Concerns
+
+### Directory Browsing
+
+- **Information Disclosure**: Directory listing can reveal application structure, file names, and potentially sensitive information
+- **Attack Surface**: Exposed directories provide attackers with reconnaissance information
+- **Compliance**: Many security standards require disabling directory browsing
+
+### Sensitive Metadata Files
+
+- **Version Control**: `.git/`, `.svn/`, `.hg/` directories contain source code history
+- **Configuration Files**: `.env`, `config.json`, `settings.yml` may contain secrets
+- **Backup Files**: Database dumps, configuration backups can expose sensitive data
+- **Development Files**: IDE settings, temporary files may contain sensitive information
+
+## Detection Patterns
+
+### ❌ Violations
+
+```javascript
+// Express.js - Directory browsing enabled
+app.use(express.static("public", { index: false, dotfiles: "allow" }));
+app.use("/files", serveIndex("uploads")); // Directory listing middleware
+
+// Serving sensitive directories
+app.use("/backup", express.static("./backups/"));
+app.use("/.git", express.static("./.git/"));
+
+// Missing protection for sensitive files
+app.get("/.env", (req, res) => {
+  res.sendFile(".env");
+});
+
+// Koa.js - Unsafe static serving
+app.use(koaStatic("./public", { hidden: true }));
+
+// Fastify - Directory browsing
+fastify.register(require("@fastify/static"), {
+  root: path.join(__dirname, "public"),
+  list: true, // Enables directory listing
+});
+```
+
+### ✅ Safe Alternatives
+
+```javascript
+// Express.js - Secure static file serving
+app.use(
+  express.static("public", {
+    index: ["index.html", "index.htm"],
+    dotfiles: "deny", // Block access to dotfiles
+    redirect: false,
+  })
+);
+
+// Explicit file serving with validation
+app.get("/files/:filename", (req, res) => {
+  const filename = path.basename(req.params.filename);
+  const safePath = path.join(SAFE_DIRECTORY, filename);
+
+  // Validate file exists and is safe
+  if (fs.existsSync(safePath) && isAllowedFile(filename)) {
+    res.sendFile(safePath);
+  } else {
+    res.status(404).send("File not found");
+  }
+});
+
+// Koa.js - Secure configuration
+app.use(
+  koaStatic("./public", {
+    hidden: false, // Don't serve hidden files
+    index: "index.html",
+    gzip: true,
+  })
+);
+
+// Fastify - Disable directory listing
+fastify.register(require("@fastify/static"), {
+  root: path.join(__dirname, "public"),
+  list: false, // Disable directory listing
+  wildcard: false,
+});
+
+// Nginx-style protection in configuration
+const protectedPaths = [".env", ".git", "config/", "backup/"];
+app.use((req, res, next) => {
+  const isProtected = protectedPaths.some((path) => req.url.includes(path));
+
+  if (isProtected) {
+    return res.status(403).send("Access denied");
+  }
+
+  next();
+});
+```
+
+## Configuration Options
+
+- **Severity**: Error (high security impact)
+- **Categories**: Security, Information Disclosure
+- **Frameworks**: Express.js, Koa.js, Fastify, Hapi.js
+- **File Types**: JavaScript, TypeScript, Configuration files
+
+## Implementation Notes
+
+1. **Symbol-based Analysis**: Detects static file serving configurations and middleware usage
+2. **Regex-based Fallback**: Identifies patterns in configuration files and string literals
+3. **Framework Detection**: Supports multiple Node.js web frameworks
+4. **Path Validation**: Checks for exposure of sensitive directories and files
+
+## Related Security Rules
+
+- S027: No hardcoded secrets
+- S038: No version headers
+- S055: Content type validation
+
+## References
+
+- [OWASP: Information Exposure](https://owasp.org/www-community/vulnerabilities/Information_exposure)
+- [CWE-548: Exposure of Information Through Directory Listing](https://cwe.mitre.org/data/definitions/548.html)
+- [Express.js Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)

package/rules/security/S030_directory_browsing_protection/analyzer.js

@@ -0,0 +1,264 @@
+/**
+ * S030 Main Analyzer - Disable directory browsing and protect sensitive metadata files
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S030 --input=examples/rule-test-fixtures/rules/S030_directory_browsing_protection --engine=heuristic
+ */
+
+const S030SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S030RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+
+class S030Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S030] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S030] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+
+    this.ruleId = "S030";
+    this.ruleName =
+      "Disable directory browsing and protect sensitive metadata files";
+    this.description =
+      "Disable directory browsing and protect sensitive metadata files (.git/, .env, config files, etc.) to prevent information disclosure and potential security vulnerabilities.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+
+    try {
+      this.symbolAnalyzer = new S030SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S030] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S030] Error creating symbol analyzer:`, error);
+    }
+
+    try {
+      this.regexAnalyzer = new S030RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S030] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S030] Error creating regex analyzer:`, error);
+    }
+  }
+
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S030] Main analyzer initializing...`);
+
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S030] Main analyzer initialized successfully`);
+  }
+
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S030] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S030] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S030] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S030] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S030] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S030] Total violations found: ${violations.length}`);
+    return violations;
+  }
+
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S030] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S030] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S030] Trying symbol-based analysis...`);
+
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S030] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S030] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S030] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S030] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S030] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+
+          // If symbol-based found violations AND prioritizeSymbolic is true, skip regex
+          // But still run regex if symbol-based didn't find any violations
+          if (this.config.prioritizeSymbolic && symbolViolations.length > 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S030] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S030] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S030] Symbol analysis failed:`, error.message);
+      }
+    }
+
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S030] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S030] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S030] Regex analysis failed:`, error.message);
+      }
+    }
+
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S030] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+
+module.exports = S030Analyzer;

package/rules/security/S030_directory_browsing_protection/config.json

@@ -0,0 +1,63 @@
+{
+  "id": "S030",
+  "name": "Disable directory browsing and protect sensitive metadata files",
+  "category": "security",
+  "description": "S030 - Disable directory browsing and protect sensitive metadata files (.git/, .env, config files, etc.) to prevent information disclosure and potential security vulnerabilities.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": [
+      "**/*.js",
+      "**/*.ts",
+      "**/*.jsx",
+      "**/*.tsx",
+      "**/*.json",
+      "**/*.yaml",
+      "**/*.yml",
+      "**/.*"
+    ],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "serverConfigs": ["express", "koa", "fastify", "hapi"],
+    "sensitiveFiles": [
+      ".env",
+      ".git",
+      ".svn",
+      ".hg",
+      "config",
+      "settings",
+      "secrets",
+      "keys",
+      "backup",
+      "database"
+    ],
+    "directoryListingIndicators": [
+      "autoIndex",
+      "directory",
+      "listing",
+      "browse",
+      "index"
+    ],
+    "protectionMethods": ["serveStatic", "static", "staticFiles", "public"]
+  }
+}