npm - @sun-asterisk/sunlint - Versions diffs - 1.0.5 - Mend

@sun-asterisk/sunlint 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/eslint-integration/eslint-plugin-custom/s023-no-json-injection.js ADDED Viewed

@@ -0,0 +1,300 @@
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Prevent JSON injection attacks and unsafe JSON handling",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      noEvalJson: "Never use eval() to process JSON data - use JSON.parse() instead",
+      unsafeJsonParse: "Unsafe JSON parsing - validate input before parsing",
+      jsonStringifyInHtml: "JSON.stringify output should be escaped when used in HTML context",
+      unsafeTemplateString: "Unsafe template string with user input",
+      unsafeDocumentWrite: "JSON.stringify output should be escaped when used in HTML context",
+      unsafeStorageParse: "Unsafe JSON parsing - validate input before parsing",
+      unsafeUrlParse: "Unsafe JSON parsing - validate input before parsing",
+    },
+  },
+  create(context) {
+    const sourceCode = context.getSourceCode();
+    // Rule C005 - Each function should do one thing
+    const validationDetector = createValidationDetector(context);
+    const userInputDetector = createUserInputDetector();
+    const htmlContextDetector = createHtmlContextDetector(context);
+    const jsonParseChecker = createJsonParseChecker(context, userInputDetector, validationDetector);
+    const jsonStringifyChecker = createJsonStringifyChecker(context, htmlContextDetector);
+    const evalChecker = createEvalChecker(context);
+    const templateChecker = createTemplateChecker(context, userInputDetector, htmlContextDetector);
+    return {
+      CallExpression(node) {
+        jsonParseChecker.checkNode(node);
+        jsonStringifyChecker.checkNode(node);
+        evalChecker.checkNode(node);
+      },
+      TemplateLiteral(node) {
+        templateChecker.checkNode(node);
+      }
+    };
+  }
+};
+// Rule C006 - Function names should be verb/verb-noun
+// Rule C031 - Validation logic must be separate
+function createValidationDetector(context) {
+  const sourceCode = context.getSourceCode();
+  return {
+    hasValidationContext(node) {
+      return detectTryCatchContext(node) || detectValidationStatements(node, sourceCode);
+    }
+  };
+}
+function detectTryCatchContext(node) {
+  let parent = node.parent;
+  while (parent) {
+    if (parent.type === 'TryStatement') {
+      return true;
+    }
+    parent = parent.parent;
+  }
+  return false;
+}
+function detectValidationStatements(node, sourceCode) {
+  let parent = node.parent;
+  let current = node;
+  while (parent) {
+    if (parent.type === 'BlockStatement') {
+      const statements = parent.body;
+      const currentIndex = statements.indexOf(current);
+      for (let i = 0; i < currentIndex; i++) {
+        const stmt = statements[i];
+        const stmtText = sourceCode.getText(stmt);
+        if (containsValidationPattern(stmtText)) {
+          return true;
+        }
+      }
+    }
+    current = parent;
+    parent = parent.parent;
+  }
+  return false;
+}
+function containsValidationPattern(text) {
+  const validationPatterns = ['validate', 'typeof', 'length', 'isValid'];
+  return validationPatterns.some(pattern => text.includes(pattern));
+}
+// Rule C015 - Use domain language in class/function names
+function createUserInputDetector() {
+  const userInputPatterns = [
+    /req\.(body|query|params)/,
+    /request\.(body|query|params)/,
+    /localStorage\.getItem/,
+    /sessionStorage\.getItem/,
+    /window\.location/,
+    /location\.(search|hash)/,
+    /URLSearchParams/
+  ];
+  return {
+    isUserInput(node, sourceCode) {
+      if (!node) return false;
+      const text = sourceCode.getText(node);
+      return userInputPatterns.some(pattern => pattern.test(text));
+    }
+  };
+}
+function createHtmlContextDetector(context) {
+  const htmlContextMethods = ['innerHTML', 'outerHTML', 'insertAdjacentHTML'];
+  return {
+    isInHtmlContext(node) {
+      return detectHtmlAssignment(node, htmlContextMethods) ||
+             detectDocumentWrite(node) ||
+             detectHtmlTemplate(node, htmlContextMethods);
+    }
+  };
+}
+function detectHtmlAssignment(node, htmlContextMethods) {
+  let parent = node.parent;
+  while (parent) {
+    if (parent.type === 'AssignmentExpression' &&
+        parent.left.type === 'MemberExpression' &&
+        htmlContextMethods.includes(parent.left.property.name)) {
+      return true;
+    }
+    parent = parent.parent;
+  }
+  return false;
+}
+function detectDocumentWrite(node) {
+  let parent = node.parent;
+  while (parent) {
+    if (parent.type === 'CallExpression' &&
+        parent.callee.type === 'MemberExpression' &&
+        parent.callee.object.name === 'document' &&
+        parent.callee.property.name === 'write') {
+      return true;
+    }
+    parent = parent.parent;
+  }
+  return false;
+}
+function detectHtmlTemplate(node, htmlContextMethods) {
+  let parent = node.parent;
+  while (parent) {
+    if (parent.type === 'TemplateLiteral' &&
+        parent.parent &&
+        parent.parent.type === 'AssignmentExpression' &&
+        parent.parent.left.type === 'MemberExpression' &&
+        htmlContextMethods.includes(parent.parent.left.property.name)) {
+      return true;
+    }
+    parent = parent.parent;
+  }
+  return false;
+}
+// Rule C012 - Separate Command and Query: Clear single responsibility and side-effects
+function createJsonParseChecker(context, userInputDetector, validationDetector) {
+  const sourceCode = context.getSourceCode();
+  return {
+    checkNode(node) {
+      if (isJsonParseCall(node)) {
+        const argument = node.arguments[0];
+        if (argument && userInputDetector.isUserInput(argument, sourceCode)) {
+          if (!validationDetector.hasValidationContext(node)) {
+            reportUnsafeJsonParse(context, node);
+          }
+        }
+      }
+    }
+  };
+}
+function isJsonParseCall(node) {
+  return node.type === 'CallExpression' &&
+         node.callee.type === 'MemberExpression' &&
+         node.callee.object.name === 'JSON' &&
+         node.callee.property.name === 'parse';
+}
+function reportUnsafeJsonParse(context, node) {
+  context.report({
+    node,
+    messageId: "unsafeJsonParse"
+  });
+}
+function createJsonStringifyChecker(context, htmlContextDetector) {
+  return {
+    checkNode(node) {
+      if (isJsonStringifyCall(node)) {
+        if (htmlContextDetector.isInHtmlContext(node)) {
+          reportJsonStringifyInHtml(context, node);
+        }
+      }
+    }
+  };
+}
+function isJsonStringifyCall(node) {
+  return node.type === 'CallExpression' &&
+         node.callee.type === 'MemberExpression' &&
+         node.callee.object.name === 'JSON' &&
+         node.callee.property.name === 'stringify';
+}
+function reportJsonStringifyInHtml(context, node) {
+  context.report({
+    node,
+    messageId: "jsonStringifyInHtml"
+  });
+}
+function createEvalChecker(context) {
+  const sourceCode = context.getSourceCode();
+  return {
+    checkNode(node) {
+      if (isEvalCall(node)) {
+        const argument = node.arguments[0];
+        if (argument && containsJsonPattern(argument, sourceCode)) {
+          reportEvalWithJson(context, node);
+        }
+      }
+    }
+  };
+}
+function isEvalCall(node) {
+  return node.type === 'CallExpression' && node.callee.name === 'eval';
+}
+function containsJsonPattern(argument, sourceCode) {
+  const text = sourceCode.getText(argument);
+  const jsonPatterns = ['JSON', 'userJson', 'req.', 'request.'];
+  return jsonPatterns.some(pattern => text.includes(pattern));
+}
+function reportEvalWithJson(context, node) {
+  context.report({
+    node,
+    messageId: "noEvalJson"
+  });
+}
+function createTemplateChecker(context, userInputDetector, htmlContextDetector) {
+  const sourceCode = context.getSourceCode();
+  return {
+    checkNode(node) {
+      if (node.type === 'TemplateLiteral') {
+        const hasUserInput = node.expressions.some(expr =>
+          userInputDetector.isUserInput(expr, sourceCode)
+        );
+        if (hasUserInput && isUnsafeHtmlTemplate(node, sourceCode, htmlContextDetector)) {
+          reportUnsafeTemplate(context, node);
+        }
+      }
+    }
+  };
+}
+function isUnsafeHtmlTemplate(node, sourceCode, htmlContextDetector) {
+  const text = sourceCode.getText(node);
+  const htmlPatterns = ['<script>', '<div>', 'innerHTML'];
+  return htmlPatterns.some(pattern => text.includes(pattern)) ||
+         htmlContextDetector.isInHtmlContext(node);
+}
+function reportUnsafeTemplate(context, node) {
+  context.report({
+    node,
+    messageId: "unsafeTemplateString"
+  });
+}

package/eslint-integration/eslint-plugin-custom/s025-server-side-input-validation.js ADDED Viewed

@@ -0,0 +1,217 @@
+/**
+ * Custom ESLint rule for: S025 – Server-side input validation required
+ * Rule ID: custom/s025
+ * Purpose: Verify that input validation is enforced on a trusted service layer
+ * Target: NestJS applications - ensure all client input is validated server-side before processing
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure all client input is validated on server-side before processing in NestJS applications",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingValidationDecorator:
+        "Controller method parameter '{{param}}' should use validation decorators (@Body, @Query, @Param with DTO class).",
+      missingValidationPipe:
+        "Controller method '{{method}}' should use ValidationPipe to validate input data.",
+      missingDtoValidation:
+        "DTO class '{{dto}}' should have validation decorators (@IsString, @IsNumber, etc.) for its properties.",
+      directInputAccess:
+        "Direct access to request object '{{access}}' without validation. Use validated DTOs instead.",
+    },
+  },
+  create(context) {
+    const validatedParams = new Set();
+    const controllerMethods = new Set();
+    const dtoClasses = new Map();
+    const validationDecorators = new Set([
+      'IsString', 'IsNumber', 'IsBoolean', 'IsArray', 'IsObject', 'IsEmail',
+      'IsUrl', 'IsUUID', 'IsOptional', 'IsNotEmpty', 'Length', 'Min', 'Max',
+      'IsPositive', 'IsNegative', 'IsDate', 'IsEnum', 'ValidateNested',
+      'IsInt', 'IsDecimal', 'IsJSON', 'Matches', 'Contains', 'IsAlpha',
+      'IsAlphanumeric', 'IsPhoneNumber', 'IsISO8601', 'IsBase64'
+    ]);
+    function hasValidationDecorator(decorators) {
+      if (!decorators) return false;
+      return decorators.some(decorator => {
+        if (decorator.expression && decorator.expression.callee) {
+          const name = decorator.expression.callee.name;
+          return validationDecorators.has(name);
+        }
+        return false;
+      });
+    }
+    function isNestJSController(node) {
+      if (!node.decorators) return false;
+      return node.decorators.some(decorator => {
+        if (decorator.expression && decorator.expression.callee) {
+          return decorator.expression.callee.name === 'Controller';
+        }
+        return false;
+      });
+    }
+    function isControllerMethod(node) {
+      if (!node.decorators) return false;
+      const httpDecorators = ['Get', 'Post', 'Put', 'Delete', 'Patch', 'Head', 'Options'];
+      return node.decorators.some(decorator => {
+        if (decorator.expression && decorator.expression.callee) {
+          return httpDecorators.includes(decorator.expression.callee.name);
+        }
+        return false;
+      });
+    }
+    function hasNestJSValidationDecorator(param) {
+      if (!param.decorators) return false;
+      const nestValidationDecorators = ['Body', 'Query', 'Param', 'Headers'];
+      return param.decorators.some(decorator => {
+        if (decorator.expression && decorator.expression.callee) {
+          return nestValidationDecorators.includes(decorator.expression.callee.name);
+        }
+        return false;
+      });
+    }
+    function hasValidationPipe(node) {
+      if (!node.decorators) return false;
+      return node.decorators.some(decorator => {
+        if (decorator.expression && decorator.expression.callee) {
+          if (decorator.expression.callee.name === 'UsePipes') {
+            return decorator.expression.arguments.some(arg => {
+              return arg.type === 'NewExpression' &&
+                     arg.callee &&
+                     arg.callee.name === 'ValidationPipe';
+            });
+          }
+        }
+        return false;
+      });
+    }
+    return {
+      // Check DTO classes for validation decorators
+      ClassDeclaration(node) {
+        if (node.id && node.id.name.endsWith('Dto')) {
+          const className = node.id.name;
+          const properties = [];
+          node.body.body.forEach(member => {
+            if (member.type === 'PropertyDefinition' && member.key) {
+              const hasValidation = hasValidationDecorator(member.decorators);
+              properties.push({
+                name: member.key.name,
+                hasValidation
+              });
+            }
+          });
+          dtoClasses.set(className, properties);
+          // Check if DTO has at least one validation decorator
+          const hasAnyValidation = properties.some(prop => prop.hasValidation);
+          if (properties.length > 0 && !hasAnyValidation) {
+            context.report({
+              node,
+              messageId: "missingDtoValidation",
+              data: {
+                dto: className,
+              },
+            });
+          }
+        }
+      },
+      // Check controller methods
+      MethodDefinition(node) {
+        const parentClass = node.parent.parent;
+        if (isNestJSController(parentClass) && isControllerMethod(node)) {
+          const methodName = node.key.name;
+          controllerMethods.add(methodName);
+          // Check if method has ValidationPipe
+          const hasValidationPipeDecorator = hasValidationPipe(node);
+          // Check parameters for validation decorators
+          if (node.value.params) {
+            node.value.params.forEach(param => {
+              if (param.type === 'Identifier') {
+                const hasNestValidation = hasNestJSValidationDecorator(param);
+                if (hasNestValidation) {
+                  validatedParams.add(param.name);
+                } else {
+                  // If no ValidationPipe and no parameter validation decorator
+                  if (!hasValidationPipeDecorator) {
+                    context.report({
+                      node: param,
+                      messageId: "missingValidationDecorator",
+                      data: {
+                        param: param.name,
+                      },
+                    });
+                  }
+                }
+              }
+            });
+          }
+          // Check if method uses ValidationPipe when dealing with request bodies
+          const hasBodyParam = node.value.params.some(param =>
+            param.decorators && param.decorators.some(decorator =>
+              decorator.expression &&
+              decorator.expression.callee &&
+              decorator.expression.callee.name === 'Body'
+            )
+          );
+          if (hasBodyParam && !hasValidationPipeDecorator) {
+            context.report({
+              node,
+              messageId: "missingValidationPipe",
+              data: {
+                method: methodName,
+              },
+            });
+          }
+        }
+      },
+      // Check for direct access to request object without validation
+      MemberExpression(node) {
+        if (node.object && node.property) {
+          const objectName = node.object.name;
+          const propertyName = node.property.name;
+          // Check for direct access to req.body, req.query, req.params without validation
+          if (objectName === 'req' || objectName === 'request') {
+            if (['body', 'query', 'params', 'headers'].includes(propertyName)) {
+              const accessPath = `${objectName}.${propertyName}`;
+              // Check if this access is in a validated context
+              if (!validatedParams.has(objectName)) {
+                context.report({
+                  node,
+                  messageId: "directInputAccess",
+                  data: {
+                    access: accessPath,
+                  },
+                });
+              }
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s026-json-schema-validation.js ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Custom ESLint rule for: S026 – JSON schema validation required for inputs
+ * Rule ID: custom/s026
+ * Purpose: Ensure that all input JSON is validated against a schema
+ */
+"use strict";
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure JSON schema validation is in place for input objects",
+      recommended: false,
+    },
+    schema: [],
+    messages: {
+      missingValidation:
+        "JSON input '{{input}}' should be validated using a JSON schema before use.",
+    },
+  },
+  create(context) {
+    let validatedInputs = new Set();
+    return {
+      CallExpression(node) {
+        // Detect validation functions like schema.validate(req.body)
+        if (
+          node.callee &&
+          node.callee.property &&
+          node.arguments &&
+          node.arguments.length > 0
+        ) {
+          const arg = node.arguments[0];
+          if (
+            arg.type === "MemberExpression" &&
+            arg.object &&
+            arg.property &&
+            (arg.property.name === "body" || arg.property.name === "query")
+          ) {
+            const validatedInput = `${arg.object.name}.${arg.property.name}`;
+            validatedInputs.add(validatedInput);
+          }
+        }
+      },
+      MemberExpression(node) {
+        if (
+          node.property &&
+          (node.property.name === "body" || node.property.name === "query")
+        ) {
+          const fullInput = `${node.object.name}.${node.property.name}`;
+          if (!validatedInputs.has(fullInput)) {
+            context.report({
+              node,
+              messageId: "missingValidation",
+              data: {
+                input: fullInput,
+              },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s027-no-hardcoded-secrets.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Custom ESLint rule for: S027 – No hardcoded secrets
+ * Rule ID: custom/s027
+ * Purpose: Prevent passwords, API keys, secrets from being hardcoded
+ */
+"use strict";
+const sensitiveKeywords = [
+  "password",
+  "pass",
+  "pwd",
+  "secret",
+  "apiKey",
+  "token",
+  "auth",
+  "key",
+  "seed",
+];
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Prevent hardcoded passwords, API keys, and secrets",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      hardcodedSecret:
+        "Avoid hardcoding sensitive information such as '{{name}}'. Use secure storage instead.",
+    },
+  },
+  create(context) {
+    function isSensitiveName(name) {
+      const lower = name.toLowerCase();
+      return sensitiveKeywords.some((keyword) => lower.includes(keyword));
+    }
+    return {
+      VariableDeclarator(node) {
+        if (
+          node.id &&
+          node.init &&
+          (node.init.type === "Literal" || node.init.type === "TemplateLiteral")
+        ) {
+          const name =
+            node.id.name || (node.id.property && node.id.property.name);
+          if (name && isSensitiveName(name)) {
+            context.report({
+              node,
+              messageId: "hardcodedSecret",
+              data: { name },
+            });
+          }
+        }
+      },
+      AssignmentExpression(node) {
+        if (
+          node.left &&
+          node.right &&
+          (node.right.type === "Literal" ||
+            node.right.type === "TemplateLiteral")
+        ) {
+          const name =
+            node.left.name || (node.left.property && node.left.property.name);
+          if (name && isSensitiveName(name)) {
+            context.report({
+              node,
+              messageId: "hardcodedSecret",
+              data: { name },
+            });
+          }
+        }
+      },
+    };
+  },
+};