@sun-asterisk/sunlint 1.0.5

package/eslint-integration/eslint-plugin-custom/s029-require-csrf-protection.js

@@ -0,0 +1,79 @@
+"use strict";
+
+/**
+ * Custom ESLint rule: S029 – Require CSRF protection on routes
+ * Rule ID: custom/s029
+ * Purpose: Ensure CSRF protection is applied to route handlers
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure CSRF protection is applied to route handlers",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingCsrf:
+        "CSRF protection is missing on this route handler '{{route}}'. Apply csurf() or equivalent middleware.",
+    },
+  },
+
+  create(context) {
+    const csrfFunctions = [
+      "csurf",
+      "csrfProtection",
+      "verifyCsrfToken",
+      "checkCsrf",
+    ];
+    const routeMethods = ["post", "put", "delete"];
+
+    const protectedInstances = new Set(); // e.g. app, router
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Detect app.use(csurf()) → mark 'app' as protected
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "use" &&
+          node.arguments.some(
+            (arg) =>
+              (arg.type === "CallExpression" &&
+                arg.callee.type === "Identifier" &&
+                csrfFunctions.includes(arg.callee.name)) ||
+              (arg.type === "Identifier" && csrfFunctions.includes(arg.name))
+          )
+        ) {
+          const instance = callee.object.name;
+          if (instance) {
+            protectedInstances.add(instance);
+          }
+        }
+
+        // Detect route registrations
+        if (
+          callee.type === "MemberExpression" &&
+          routeMethods.includes(callee.property.name)
+        ) {
+          const instance = callee.object.name;
+          const args = node.arguments;
+
+          if (!protectedInstances.has(instance)) {
+            const path =
+              args[0] && args[0].type === "Literal"
+                ? args[0].value
+                : "<unknown>";
+            context.report({
+              node,
+              messageId: "missingCsrf",
+              data: { route: path },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s030-no-directory-browsing.js

@@ -0,0 +1,78 @@
+/**
+ * Custom ESLint rule: S030 – Prevent directory browsing and metadata disclosure
+ * Rule ID: custom/s030
+ * Purpose: Disallow unsafe static serving or exposure of internal metadata files
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Prevent directory browsing and metadata file disclosure",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unsafeStatic:
+        "Directory browsing might be enabled via static file serving. Explicitly set `index: false` if not intended.",
+      exposeMetaFile:
+        "Avoid exposing internal files or folders such as '.git', '.svn', '.DS_Store', or 'Thumbs.db'.",
+    },
+  },
+
+  create(context) {
+    const metaFileNames = [".git", ".svn", ".DS_Store", "Thumbs.db"];
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Detect express.static(...) or serveStatic(...)
+        if (
+          (callee.type === "MemberExpression" &&
+            callee.property.name === "static") ||
+          (callee.type === "Identifier" && callee.name === "serveStatic")
+        ) {
+          const optionsArg = node.arguments[1];
+
+          let hasIndexFalse = false;
+          if (optionsArg && optionsArg.type === "ObjectExpression") {
+            hasIndexFalse = optionsArg.properties.some((prop) => {
+              return (
+                prop.key.name === "index" &&
+                prop.value.type === "Literal" &&
+                prop.value.value === false
+              );
+            });
+          }
+
+          if (!hasIndexFalse) {
+            context.report({
+              node,
+              messageId: "unsafeStatic",
+            });
+          }
+        }
+
+        // Detect serving meta files directly
+        if (
+          node.arguments &&
+          node.arguments.some((arg) => {
+            return (
+              arg.type === "Literal" &&
+              typeof arg.value === "string" &&
+              metaFileNames.some((name) => arg.value.includes(name))
+            );
+          })
+        ) {
+          context.report({
+            node,
+            messageId: "exposeMetaFile",
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s033-require-samesite-cookie.js

@@ -0,0 +1,80 @@
+/**
+ * Custom ESLint rule: S033 – Enforce SameSite on cookies
+ * Rule ID: custom/s033
+ * Purpose: Ensure SameSite attribute is set when setting cookies
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure SameSite is set when using cookies to prevent CSRF",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingSameSite:
+        "Cookie does not set 'SameSite' attribute. This may expose it to CSRF.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Detect res.cookie("name", "value", options)
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "cookie"
+        ) {
+          const options = node.arguments[2];
+          if (options && options.type === "ObjectExpression") {
+            const hasSameSite = options.properties.some((prop) => {
+              return (
+                prop.key &&
+                prop.key.name === "sameSite" &&
+                prop.value.type === "Literal" &&
+                ["strict", "lax", "none"].includes(
+                  prop.value.value.toLowerCase()
+                )
+              );
+            });
+
+            if (!hasSameSite) {
+              context.report({
+                node,
+                messageId: "missingSameSite",
+              });
+            }
+          } else {
+            // No options object passed at all
+            context.report({
+              node,
+              messageId: "missingSameSite",
+            });
+          }
+        }
+
+        // Detect res.setHeader('Set-Cookie', '...') → doesn't include SameSite
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "setHeader" &&
+          node.arguments.length >= 2 &&
+          node.arguments[0].type === "Literal" &&
+          node.arguments[0].value === "Set-Cookie" &&
+          node.arguments[1].type === "Literal" &&
+          typeof node.arguments[1].value === "string" &&
+          !node.arguments[1].value.includes("SameSite")
+        ) {
+          context.report({
+            node,
+            messageId: "missingSameSite",
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s034-require-host-cookie-prefix.js

@@ -0,0 +1,77 @@
+/**
+ * Custom ESLint rule: S034 – Enforce '__Host-' prefix on secure cookies
+ * Rule ID: custom/s034
+ * Purpose: Ensure cookies use the '__Host-' prefix for added security
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Ensure cookies use the '__Host-' prefix for secure session cookies",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingHostPrefix:
+        "Cookie name '{{name}}' should use the '__Host-' prefix for stronger security.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Match res.cookie("name", ...)
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "cookie" &&
+          node.arguments.length >= 1
+        ) {
+          const cookieNameArg = node.arguments[0];
+
+          if (
+            cookieNameArg.type === "Literal" &&
+            typeof cookieNameArg.value === "string"
+          ) {
+            const name = cookieNameArg.value;
+
+            // If cookie name does not start with '__Host-' → warn
+            if (!name.startsWith("__Host-")) {
+              context.report({
+                node: cookieNameArg,
+                messageId: "missingHostPrefix",
+                data: { name },
+              });
+            }
+          }
+        }
+
+        // Optional: check res.setHeader('Set-Cookie', 'session=value; ...')
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "setHeader" &&
+          node.arguments.length >= 2 &&
+          node.arguments[0].type === "Literal" &&
+          node.arguments[0].value === "Set-Cookie" &&
+          node.arguments[1].type === "Literal" &&
+          typeof node.arguments[1].value === "string"
+        ) {
+          const cookieString = node.arguments[1].value;
+          const cookieName = cookieString.split("=")[0].trim();
+          if (!cookieName.startsWith("__Host-")) {
+            context.report({
+              node: node.arguments[1],
+              messageId: "missingHostPrefix",
+              data: { name: cookieName },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s035-cookie-specific-path.js

@@ -0,0 +1,74 @@
+/**
+ * Custom ESLint rule: S035 – Require specific path in cookies
+ * Rule ID: custom/s035
+ * Purpose: Ensure cookies set a specific path, not the root `/`
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Ensure cookies use a specific path (not `/`) to reduce exposure to sibling apps under same domain",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      pathTooBroad:
+        "Cookie uses path `'/'`, which may expose it across unrelated applications. Use a more specific path.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Match res.cookie("name", "value", { ... })
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "cookie" &&
+          node.arguments.length >= 3
+        ) {
+          const options = node.arguments[2];
+
+          if (options.type === "ObjectExpression") {
+            const pathProp = options.properties.find(
+              (prop) => prop.key.name === "path"
+            );
+
+            if (
+              pathProp &&
+              pathProp.value.type === "Literal" &&
+              pathProp.value.value === "/"
+            ) {
+              context.report({
+                node: pathProp,
+                messageId: "pathTooBroad",
+              });
+            }
+          }
+        }
+
+        // Optional: check res.setHeader("Set-Cookie", "...Path=/...")
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "setHeader" &&
+          node.arguments.length >= 2 &&
+          node.arguments[0].type === "Literal" &&
+          node.arguments[0].value === "Set-Cookie" &&
+          node.arguments[1].type === "Literal" &&
+          typeof node.arguments[1].value === "string" &&
+          /path=\/(;|\s|$)/i.test(node.arguments[1].value)
+        ) {
+          context.report({
+            node: node.arguments[1],
+            messageId: "pathTooBroad",
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s036-no-unsafe-file-include.js

@@ -0,0 +1,68 @@
+/**
+ * Custom ESLint rule: S036 – Prevent LFI and RFI vulnerabilities
+ * Rule ID: custom/s036
+ * Purpose: Detect unvalidated user input passed to file system or dynamic import/require
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Detect possible Local/Remote File Inclusion vulnerabilities",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unsafeFilePath:
+        "Potential LFI/RFI: Do not pass user input directly to file or import functions.",
+    },
+  },
+
+  create(context) {
+    const fileFunctions = ["readFile", "readFileSync", "createReadStream"];
+    const importFunctions = ["require", "import"];
+
+    function isUserInput(argNode) {
+      const code = context.getSourceCode().getText(argNode);
+      return /req\.|input\.|params\.|query\.|body\./.test(code);
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Handle fs.readFile(...), fs.createReadStream(...)
+        if (
+          callee.type === "MemberExpression" &&
+          fileFunctions.includes(callee.property.name)
+        ) {
+          const [arg] = node.arguments;
+          if (arg && isUserInput(arg)) {
+            context.report({
+              node: arg,
+              messageId: "unsafeFilePath",
+            });
+          }
+        }
+
+        // Handle require(...) and import(...)
+        if (
+          (callee.type === "Identifier" &&
+            importFunctions.includes(callee.name)) ||
+          node.type === "ImportExpression"
+        ) {
+          const arg = node.arguments?.[0] || node.source;
+          if (arg && isUserInput(arg)) {
+            context.report({
+              node: arg,
+              messageId: "unsafeFilePath",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s037-require-anti-cache-headers.js

@@ -0,0 +1,70 @@
+/**
+ * Custom ESLint rule: S037 – Require anti-caching headers on responses
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Ensure anti-cache headers are set to prevent sensitive data caching",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      missingCacheHeader:
+        "Missing anti-cache header for response '{{resName}}'. Consider setting 'Cache-Control: no-store'.",
+    },
+  },
+
+  create(context) {
+    // Track which response variables have Cache-Control: no-store/no-cache
+    const secureResNames = new Set();
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Match res.setHeader('Cache-Control', '...')
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "setHeader" &&
+          node.arguments.length >= 2 &&
+          node.arguments[0].type === "Literal" &&
+          node.arguments[0].value === "Cache-Control"
+        ) {
+          const resVar = callee.object;
+          const valNode = node.arguments[1];
+
+          if (
+            resVar.type === "Identifier" &&
+            valNode.type === "Literal" &&
+            typeof valNode.value === "string" &&
+            /no-store|no-cache/i.test(valNode.value)
+          ) {
+            secureResNames.add(resVar.name);
+          }
+        }
+
+        // Match res.send / res.json / res.end
+        if (
+          callee.type === "MemberExpression" &&
+          ["send", "json", "end"].includes(callee.property.name) &&
+          callee.object.type === "Identifier"
+        ) {
+          const resName = callee.object.name;
+
+          if (!secureResNames.has(resName)) {
+            context.report({
+              node,
+              messageId: "missingCacheHeader",
+              data: { resName },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s038-no-version-disclosure.js

@@ -0,0 +1,74 @@
+/**
+ * Custom ESLint rule: S038 – Prevent version disclosure in HTTP headers or response
+ * Rule ID: custom/s038
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Prevent exposing version info via HTTP headers or response bodies",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      headerLeak:
+        "Do not expose version information via HTTP header '{{name}}'.",
+      responseLeak: "Do not send version information in response: '{{text}}'.",
+    },
+  },
+
+  create(context) {
+    const riskyHeaders = ["x-powered-by", "server", "x-runtime", "x-version"];
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // res.setHeader("Header-Name", "value")
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "setHeader" &&
+          node.arguments.length >= 2 &&
+          node.arguments[0].type === "Literal" &&
+          typeof node.arguments[0].value === "string"
+        ) {
+          const headerName = node.arguments[0].value.toLowerCase();
+          const headerValue = node.arguments[1];
+
+          if (
+            riskyHeaders.includes(headerName) &&
+            headerValue.type === "Literal" &&
+            typeof headerValue.value === "string" &&
+            /\d+\.\d+/.test(headerValue.value) // has version pattern
+          ) {
+            context.report({
+              node,
+              messageId: "headerLeak",
+              data: { name: headerName },
+            });
+          }
+        }
+
+        // res.send("Express 4.17.1") or res.end("NestJS 9.0")
+        if (
+          callee.type === "MemberExpression" &&
+          ["send", "end", "json"].includes(callee.property.name) &&
+          node.arguments.length &&
+          node.arguments[0].type === "Literal" &&
+          typeof node.arguments[0].value === "string" &&
+          /\d+\.\d+/.test(node.arguments[0].value)
+        ) {
+          context.report({
+            node,
+            messageId: "responseLeak",
+            data: { text: node.arguments[0].value },
+          });
+        }
+      },
+    };
+  },
+};

package/eslint-integration/eslint-plugin-custom/s039-no-session-token-in-url.js

@@ -0,0 +1,63 @@
+/**
+ * Custom ESLint rule: S039 – Do not include session tokens in URL parameters
+ * Rule ID: custom/s039
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure session tokens are not exposed in URL query parameters",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      tokenInUrl: "Do not expose session token '{{param}}' in URL parameters.",
+    },
+  },
+
+  create(context) {
+    const tokenKeywords = ["token", "session", "auth", "jwt", "sid"];
+
+    return {
+      Literal(node) {
+        if (typeof node.value === "string") {
+          const url = node.value;
+
+          // Simple match ?token=abc123 or &sid=xyz or ?session=...
+          const regex = /[?&]([a-zA-Z0-9_-]+)=/g;
+          let match;
+          while ((match = regex.exec(url)) !== null) {
+            const param = match[1].toLowerCase();
+            if (tokenKeywords.some((key) => param.includes(key))) {
+              context.report({
+                node,
+                messageId: "tokenInUrl",
+                data: { param: match[1] },
+              });
+            }
+          }
+        }
+      },
+
+      TemplateLiteral(node) {
+        const raw = context.getSourceCode().getText(node);
+        const regex = /[?&]([a-zA-Z0-9_-]+)=/g;
+        let match;
+        while ((match = regex.exec(raw)) !== null) {
+          const param = match[1].toLowerCase();
+          if (tokenKeywords.some((key) => param.includes(key))) {
+            context.report({
+              node,
+              messageId: "tokenInUrl",
+              data: { param: match[1] },
+            });
+          }
+        }
+      },
+    };
+  },
+};