pumuki 6.3.285 → 6.3.287

package/core/facts/detectors/typescript/index.ts

@@ -41,6 +41,8 @@ const loggingMethodNames = new Set([
   'verbose',
   'warn',
 ]);
+const backendLogContextKeys = new Set(['correlationId', 'requestId', 'traceId', 'userId']);
+const backendLogSignalKeys = new Set(['err', 'error', 'exception', 'message']);
 const mockOrSpyMethodNames = new Set([
   'fn',
   'mock',
@@ -53,6 +55,8 @@ const mockOrSpyMethodNames = new Set([
 ]);
 const httpResponseObjectNames = new Set(['ctx', 'reply', 'res', 'response']);
 const httpResponseMethodNames = new Set(['json', 'send']);
+const backendErrorResponseRequiredKeys = new Set(['message', 'path', 'statusCode', 'timestamp']);
+const backendErrorResponseSignalKeys = new Set(['error', 'message', 'path', 'statusCode', 'timestamp']);
 type AstNode = Record<string, string | number | boolean | bigint | symbol | null | Date | object>;
 type TypeScriptSemanticNode = {
   kind: 'class' | 'property' | 'call' | 'member';
@@ -1797,6 +1801,27 @@ export const hasBackendGenericErrorThrow = (node: unknown): boolean => {
   });
 };
 
+const isBackendRawThrowExpression = (node: AstNode): boolean => {
+  if (node.type !== 'ThrowStatement' || !isObject(node.argument)) {
+    return false;
+  }
+  const argument = node.argument;
+  return (
+    argument.type === 'StringLiteral' ||
+    argument.type === 'NumericLiteral' ||
+    argument.type === 'BooleanLiteral' ||
+    argument.type === 'ObjectExpression' ||
+    argument.type === 'Identifier'
+  );
+};
+
+export const findBackendRawThrowExpressionLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) => isBackendRawThrowExpression(node));
+};
+
+export const hasBackendRawThrowExpression = (ast: unknown): boolean =>
+  findBackendRawThrowExpressionLines(ast).length > 0;
+
 export const hasBackendProductionMockOrSpy = (node: unknown): boolean => {
   return hasNode(node, (value) => {
     if (value.type !== 'CallExpression' || !isObject(value.callee)) {
@@ -1857,6 +1882,251 @@ export const hasBackendErrorStackInHttpResponse = (node: unknown): boolean => {
   });
 };
 
+const backendObjectPropertyName = (property: unknown): string | null => {
+  if (!isObject(property)) {
+    return null;
+  }
+  const key = property.key;
+  if (!isObject(key)) {
+    return null;
+  }
+  if (typeof key.name === 'string') {
+    return key.name;
+  }
+  if (typeof key.value === 'string') {
+    return key.value;
+  }
+  return null;
+};
+
+const objectExpressionPropertyNames = (node: AstNode): Set<string> => {
+  if (!Array.isArray(node.properties)) {
+    return new Set();
+  }
+  return new Set(
+    node.properties
+      .map((property) => backendObjectPropertyName(property))
+      .filter((name): name is string => typeof name === 'string')
+  );
+};
+
+const isErrorStatusCallExpression = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'CallExpression') {
+    return false;
+  }
+  const callee = node.callee;
+  if (!isObject(callee) || callee.type !== 'MemberExpression') {
+    return false;
+  }
+  if (memberExpressionPropertyName(callee) !== 'status') {
+    return false;
+  }
+  const [statusArgument] = Array.isArray(node.arguments) ? node.arguments : [];
+  return (
+    isObject(statusArgument) &&
+    statusArgument.type === 'NumericLiteral' &&
+    typeof statusArgument.value === 'number' &&
+    statusArgument.value >= 400
+  );
+};
+
+const isSuccessStatusCallExpression = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'CallExpression') {
+    return false;
+  }
+  const callee = node.callee;
+  if (!isObject(callee) || callee.type !== 'MemberExpression') {
+    return false;
+  }
+  if (memberExpressionPropertyName(callee) !== 'status') {
+    return false;
+  }
+  const [statusArgument] = Array.isArray(node.arguments) ? node.arguments : [];
+  return (
+    isObject(statusArgument) &&
+    statusArgument.type === 'NumericLiteral' &&
+    typeof statusArgument.value === 'number' &&
+    statusArgument.value >= 200 &&
+    statusArgument.value < 400
+  );
+};
+
+const hasCatchClauseAncestor = (ancestors: ReadonlyArray<AstNode>): boolean => {
+  return ancestors.some((ancestor) => ancestor.type === 'CatchClause');
+};
+
+const isHttpErrorResponseCallContext = (
+  node: AstNode,
+  ancestors: ReadonlyArray<AstNode>
+): boolean => {
+  const callee = node.callee;
+  if (!isObject(callee) || callee.type !== 'MemberExpression') {
+    return false;
+  }
+  const methodName = memberExpressionPropertyName(callee);
+  if (!methodName || !httpResponseMethodNames.has(methodName)) {
+    return false;
+  }
+  if (isErrorStatusCallExpression(callee.object)) {
+    return true;
+  }
+  return hasCatchClauseAncestor(ancestors);
+};
+
+const isBackendInconsistentErrorResponseCall = (
+  node: AstNode,
+  ancestors: ReadonlyArray<AstNode>
+): boolean => {
+  if (node.type !== 'CallExpression' || !isHttpErrorResponseCallContext(node, ancestors)) {
+    return false;
+  }
+  const [payload] = Array.isArray(node.arguments) ? node.arguments : [];
+  if (!isObject(payload) || payload.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(payload);
+  const hasErrorSignal = Array.from(backendErrorResponseSignalKeys).some((key) =>
+    propertyNames.has(key)
+  );
+  if (!hasErrorSignal) {
+    return false;
+  }
+  return Array.from(backendErrorResponseRequiredKeys).some((key) => !propertyNames.has(key));
+};
+
+export const findBackendInconsistentErrorResponseLines = (
+  node: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(node, isBackendInconsistentErrorResponseCall);
+};
+
+export const hasBackendInconsistentErrorResponse = (node: unknown): boolean => {
+  return hasNodeWithAncestors(node, isBackendInconsistentErrorResponseCall);
+};
+
+const isBackendErrorPayloadObject = (node: unknown): node is AstNode => {
+  if (!isObject(node) || node.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(node);
+  return Array.from(backendErrorResponseSignalKeys).some((key) => propertyNames.has(key));
+};
+
+const isBackendErrorPayloadWithSuccessStatusCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression') {
+    return false;
+  }
+  const callee = node.callee;
+  if (!isObject(callee) || callee.type !== 'MemberExpression') {
+    return false;
+  }
+  const methodName = memberExpressionPropertyName(callee);
+  if (!methodName || !httpResponseMethodNames.has(methodName)) {
+    return false;
+  }
+  if (!isSuccessStatusCallExpression(callee.object)) {
+    return false;
+  }
+  const [payload] = Array.isArray(node.arguments) ? node.arguments : [];
+  return isBackendErrorPayloadObject(payload);
+};
+
+export const findBackendErrorPayloadWithSuccessStatusLines = (
+  node: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(node, (value) =>
+    isBackendErrorPayloadWithSuccessStatusCall(value)
+  );
+};
+
+export const hasBackendErrorPayloadWithSuccessStatus = (node: unknown): boolean => {
+  return hasNodeWithAncestors(node, (value) => isBackendErrorPayloadWithSuccessStatusCall(value));
+};
+
+const typeNameFromTypeReference = (node: unknown): string | null => {
+  if (!isObject(node)) {
+    return null;
+  }
+  const typeName = node.typeName;
+  if (!isObject(typeName)) {
+    return null;
+  }
+  if (typeof typeName.name === 'string') {
+    return typeName.name;
+  }
+  if (typeName.type === 'TSQualifiedName' && isObject(typeName.right)) {
+    return typeof typeName.right.name === 'string' ? typeName.right.name : null;
+  }
+  return null;
+};
+
+const isEntityTypeName = (name: string | null | undefined): boolean => {
+  return typeof name === 'string' && /(Entity|Model)$/.test(name);
+};
+
+const typeNodeContainsEntityType = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  if (node.type === 'TSTypeReference') {
+    if (isEntityTypeName(typeNameFromTypeReference(node))) {
+      return true;
+    }
+    if (isObject(node.typeParameters) && Array.isArray(node.typeParameters.params)) {
+      return node.typeParameters.params.some(typeNodeContainsEntityType);
+    }
+    if (isObject(node.typeArguments) && Array.isArray(node.typeArguments.params)) {
+      return node.typeArguments.params.some(typeNodeContainsEntityType);
+    }
+  }
+  if (node.type === 'TSArrayType') {
+    return typeNodeContainsEntityType(node.elementType);
+  }
+  if (node.type === 'TSUnionType' && Array.isArray(node.types)) {
+    return node.types.some(typeNodeContainsEntityType);
+  }
+  return false;
+};
+
+const hasEntityReturnTypeAnnotation = (node: AstNode): boolean => {
+  if (!isObject(node.returnType)) {
+    return false;
+  }
+  const returnType = node.returnType;
+  return isObject(returnType.typeAnnotation) && typeNodeContainsEntityType(returnType.typeAnnotation);
+};
+
+const isNewEntityExpression = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'NewExpression') {
+    return false;
+  }
+  return isEntityTypeName(methodNameFromNode(node.callee));
+};
+
+const isBackendControllerEntityResponseNode = (node: AstNode): boolean => {
+  if (
+    (node.type === 'ClassMethod' ||
+      node.type === 'ClassPrivateMethod' ||
+      node.type === 'ObjectMethod') &&
+    hasEntityReturnTypeAnnotation(node)
+  ) {
+    return true;
+  }
+  return node.type === 'ReturnStatement' && isNewEntityExpression(node.argument);
+};
+
+export const findBackendControllerEntityResponseLines = (
+  node: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(node, (value) =>
+    isBackendControllerEntityResponseNode(value)
+  );
+};
+
+export const hasBackendControllerEntityResponse = (node: unknown): boolean => {
+  return hasNodeWithAncestors(node, (value) => isBackendControllerEntityResponseNode(value));
+};
+
 export const hasBackendAnemicDomainModel = (node: unknown): boolean => {
   const match = findFirstNode(node, (value) => {
     if (value.type !== 'ClassDeclaration' && value.type !== 'ClassExpression') {
@@ -1878,6 +2148,117 @@ export const hasBackendAnemicDomainModel = (node: unknown): boolean => {
   return match !== undefined;
 };
 
+const isCorsPermissiveValue = (node: unknown): boolean => {
+  return (
+    (isObject(node) && node.type === 'StringLiteral' && node.value === '*') ||
+    (isObject(node) && node.type === 'BooleanLiteral' && node.value === true)
+  );
+};
+
+const objectPropertyName = (node: unknown): string | undefined => {
+  if (!isObject(node) || (node.type !== 'ObjectProperty' && node.type !== 'Property')) {
+    return undefined;
+  }
+  return methodNameFromNode(node.key);
+};
+
+const objectExpressionHasPermissiveCorsProperty = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression' || !Array.isArray(node.properties)) {
+    return false;
+  }
+  return node.properties.some((property) => {
+    if (!isObject(property)) {
+      return false;
+    }
+    const propertyName = objectPropertyName(property);
+    return (
+      (propertyName === 'origin' || propertyName === 'cors') &&
+      isCorsPermissiveValue(property.value)
+    );
+  });
+};
+
+const isNestFactoryCreateCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  const objectName = memberExpressionObjectName(node.callee);
+  const propertyName = memberExpressionPropertyName(node.callee);
+  return objectName === 'NestFactory' && propertyName === 'create';
+};
+
+const isEnableCorsCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  return memberExpressionPropertyName(node.callee) === 'enableCors';
+};
+
+const isCorsMiddlewareCall = (node: AstNode): boolean => {
+  return (
+    node.type === 'CallExpression' &&
+    isObject(node.callee) &&
+    node.callee.type === 'Identifier' &&
+    node.callee.name === 'cors'
+  );
+};
+
+const isBackendPermissiveCorsConfigurationCall = (node: AstNode): boolean => {
+  if (!Array.isArray(node.arguments)) {
+    return false;
+  }
+  if (isEnableCorsCall(node) || isCorsMiddlewareCall(node)) {
+    return (
+      node.arguments.length === 0 ||
+      node.arguments.some(objectExpressionHasPermissiveCorsProperty)
+    );
+  }
+  return (
+    isNestFactoryCreateCall(node) &&
+    node.arguments.some(objectExpressionHasPermissiveCorsProperty)
+  );
+};
+
+export const findBackendPermissiveCorsConfigurationLines = (
+  ast: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) =>
+    isBackendPermissiveCorsConfigurationCall(node)
+  );
+};
+
+export const hasBackendPermissiveCorsConfiguration = (ast: unknown): boolean =>
+  findBackendPermissiveCorsConfigurationLines(ast).length > 0;
+
+const isStringLiteralTypeNode = (node: unknown): boolean => {
+  return (
+    isObject(node) &&
+    node.type === 'TSLiteralType' &&
+    isObject(node.literal) &&
+    node.literal.type === 'StringLiteral' &&
+    typeof node.literal.value === 'string'
+  );
+};
+
+const isBackendStringLiteralUnionTypeNode = (node: AstNode): boolean => {
+  if (node.type !== 'TSUnionType' || !Array.isArray(node.types)) {
+    return false;
+  }
+  const stringLiteralTypes = node.types.filter(isStringLiteralTypeNode);
+  return stringLiteralTypes.length >= 2 && stringLiteralTypes.length === node.types.length;
+};
+
+export const findBackendStringLiteralUnionEnumCandidateLines = (
+  ast: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) =>
+    isBackendStringLiteralUnionTypeNode(node)
+  );
+};
+
+export const hasBackendStringLiteralUnionEnumCandidate = (ast: unknown): boolean =>
+  findBackendStringLiteralUnionEnumCandidateLines(ast).length > 0;
+
 const isLoggingCall = (node: AstNode): boolean => {
   if (node.type !== 'CallExpression' || !isObject(node.callee)) {
     return false;
@@ -1910,6 +2291,62 @@ export const hasSensitiveDataLoggingCall = (node: unknown): boolean => {
   });
 };
 
+const hasBackendLogContextObject = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression') {
+    return false;
+  }
+  for (const propertyName of objectExpressionPropertyNames(node)) {
+    if (backendLogContextKeys.has(propertyName)) {
+      return true;
+    }
+  }
+  return false;
+};
+
+const hasBackendLogSignal = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  const identifierName = identifierNameFromNode(node);
+  if (identifierName !== undefined && backendLogSignalKeys.has(identifierName)) {
+    return true;
+  }
+  if (node.type === 'StringLiteral') {
+    return typeof node.value === 'string' && node.value.trim().length > 0;
+  }
+  if (node.type === 'ObjectExpression') {
+    for (const propertyName of objectExpressionPropertyNames(node)) {
+      if (backendLogSignalKeys.has(propertyName)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  if (node.type === 'MemberExpression') {
+    const propertyName = identifierNameFromNode(node.property);
+    return propertyName !== undefined && backendLogSignalKeys.has(propertyName);
+  }
+  return false;
+};
+
+const isBackendLogWithoutContextCall = (node: AstNode): boolean => {
+  if (!isLoggingCall(node)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  if (!args.some(hasBackendLogSignal)) {
+    return false;
+  }
+  return !args.some(hasBackendLogContextObject);
+};
+
+export const findBackendLogWithoutContextLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) => isBackendLogWithoutContextCall(node));
+};
+
+export const hasBackendLogWithoutContext = (ast: unknown): boolean =>
+  findBackendLogWithoutContextLines(ast).length > 0;
+
 export const hasEvalCall = (node: unknown): boolean => {
   return hasNode(node, (value) => {
     if (value.type !== 'CallExpression') {
@@ -2626,6 +3063,45 @@ export const findPersistenceMutationWithoutAuditEventMatch = (
 export const hasPersistenceMutationWithoutAuditEvent = (ast: unknown): boolean =>
   findPersistenceMutationWithoutAuditEventMatch(ast) !== undefined;
 
+const hardDeleteMethodNames = new Set(['delete', 'deleteMany', 'hardDelete', 'remove']);
+
+const memberExpressionRootObjectName = (node: unknown): string | undefined => {
+  if (!isObject(node)) {
+    return undefined;
+  }
+  if (node.type === 'Identifier' && typeof node.name === 'string') {
+    return node.name;
+  }
+  if (node.type === 'MemberExpression') {
+    return memberExpressionRootObjectName(node.object);
+  }
+  return undefined;
+};
+
+const isBackendHardDeleteCall = (node: AstNode): boolean => {
+  const memberName = callExpressionMemberName(node);
+  const objectName = callExpressionObjectName(node);
+  const rootObjectName =
+    node.type === 'CallExpression' && isObject(node.callee)
+      ? memberExpressionRootObjectName(node.callee)
+      : undefined;
+  return (
+    memberName !== undefined &&
+    hardDeleteMethodNames.has(memberName) &&
+    ((objectName !== undefined && persistenceObjectPattern.test(objectName)) ||
+      (rootObjectName !== undefined && persistenceObjectPattern.test(rootObjectName)))
+  );
+};
+
+export const findBackendHardDeleteWithoutSoftDeleteLines = (
+  ast: unknown
+): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) => isBackendHardDeleteCall(node));
+};
+
+export const hasBackendHardDeleteWithoutSoftDelete = (ast: unknown): boolean =>
+  findBackendHardDeleteWithoutSoftDeleteLines(ast).length > 0;
+
 const classValidatorDecoratorPattern =
   /^(Array|Is|Validate|Min|Max|Length|Matches|Contains|Equals|NotEquals|Allow|Expose|Exclude|Transform|Type)/;
 const dtoNestedDecoratorNames = new Set(['Type', 'ValidateNested']);