@sun-asterisk/sunlint 1.0.5

package/config/typescript/security-rules/s014-insecure-tls-version.js

@@ -0,0 +1,50 @@
+"use strict";
+
+/**
+ * S014 – Insecure TLS Version
+ * OWASP ASVS 9.1.3
+ * Ensure that only secure versions of TLS (1.2 and 1.3) are enabled.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure that only secure versions of TLS are enabled. Do not use SSLv3, TLS 1.0, or TLS 1.1.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      insecureTLS:
+        "Insecure TLS/SSL version detected. Only TLS 1.2 or TLS 1.3 should be used.",
+    },
+  },
+
+  create(context) {
+    return {
+      Property(node) {
+        // Detect insecure minVersion in HTTPS server options
+        if (
+          node.key &&
+          node.key.name === "minVersion" &&
+          node.value.type === "Literal" &&
+          typeof node.value.value === "string"
+        ) {
+          const version = node.value.value.toLowerCase();
+          if (
+            version === "tlsv1" ||
+            version === "tlsv1.0" ||
+            version === "tlsv1.1" ||
+            version === "sslv3"
+          ) {
+            context.report({
+              node: node.value,
+              messageId: "insecureTLS",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s015-insecure-tls-certificate.js

@@ -0,0 +1,43 @@
+"use strict";
+
+/**
+ * S015 – Insecure TLS Certificate
+ * OWASP ASVS 9.2.1
+ * Ensure that only trusted TLS certificates are accepted.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure only trusted TLS certificates are used. Reject self-signed, expired, or untrusted certificates unless explicitly allowed for internal use.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      untrustedCert:
+        "Untrusted/self-signed/expired certificate accepted. Only use trusted certificates in production.",
+    },
+  },
+
+  create(context) {
+    return {
+      Property(node) {
+        // Check if rejectUnauthorized: false is used (should not be used in production)
+        if (
+          node.key &&
+          (node.key.name === "rejectUnauthorized" ||
+            node.key.value === "rejectUnauthorized") &&
+          node.value.type === "Literal" &&
+          node.value.value === false
+        ) {
+          context.report({
+            node: node.value,
+            messageId: "untrustedCert",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s016-sensitive-query-parameter.js

@@ -0,0 +1,59 @@
+/**
+ * ESLint Rule: S016 - Sensitive Data in Query Parameters
+ * Rule ID: custom/s016
+ * Description: Sensitive data should not be passed via query parameters (e.g., @Query('password')).
+ */
+
+"use strict";
+
+const SENSITIVE_TERMS = [
+  "password",
+  "otp",
+  "token",
+  "creditCard",
+  "ssn",
+  "apiKey",
+];
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Detect sensitive parameters passed via query string.",
+    },
+    messages: {
+      sensitiveParam:
+        "Avoid passing sensitive data via query parameters: '{{param}}'",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      Decorator(node) {
+        if (
+          node.expression &&
+          node.expression.type === "CallExpression" &&
+          node.expression.callee &&
+          node.expression.callee.type === "Identifier" &&
+          node.expression.callee.name === "Query"
+        ) {
+          const arg = node.expression.arguments[0];
+          if (arg && arg.type === "Literal" && typeof arg.value === "string") {
+            const paramName = arg.value.toLowerCase();
+            for (const sensitive of SENSITIVE_TERMS) {
+              if (paramName.includes(sensitive.toLowerCase())) {
+                context.report({
+                  node: arg,
+                  messageId: "sensitiveParam",
+                  data: { param: arg.value },
+                });
+                break;
+              }
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s017-no-sql-injection.js

@@ -0,0 +1,193 @@
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Verify that data selection or database queries use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      sqlInjection: "Potential SQL injection vulnerability detected. Use parameterized queries instead of string concatenation in '{{method}}'.",
+      unsafeQuery: "Unsafe database query detected in '{{method}}'. Consider using ORM or parameterized queries.",
+      stringConcatenation: "Avoid string concatenation in SQL queries. Use parameterized queries in '{{method}}'.",
+      templateLiteralQuery: "Template literals in SQL queries can be vulnerable to injection. Use parameterized queries in '{{method}}'.",
+    },
+  },
+
+  create(context) {
+    // Database methods that should use parameterized queries
+    const databaseMethods = [
+      // MySQL
+      "query", "execute", "prepare",
+      // PostgreSQL
+      "query", "execute", 
+      // MongoDB
+      "find", "findOne", "aggregate", "updateOne", "updateMany", "deleteOne", "deleteMany",
+      // SQLite
+      "run", "get", "all", "each", "prepare",
+      // General ORM methods
+      "where", "whereRaw", "raw", "knex",
+      // Sequelize
+      "findAll", "findOne", "create", "update", "destroy",
+      // TypeORM
+      "createQueryBuilder", "query", "manager",
+      // Prisma
+      "findMany", "findUnique", "create", "update", "delete",
+    ];
+
+    // Dangerous string methods that suggest concatenation
+    const dangerousStringMethods = [
+      "concat", "replace", "replaceAll", "substring", "slice"
+    ];
+
+    // SQL keywords that when used with string operations are suspicious
+    const sqlKeywords = [
+      "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "ALTER",
+      "WHERE", "FROM", "JOIN", "UNION", "ORDER", "GROUP", "HAVING",
+      "select", "insert", "update", "delete", "drop", "create", "alter",
+      "where", "from", "join", "union", "order", "group", "having"
+    ];
+
+    function containsSqlKeywords(str) {
+      return sqlKeywords.some(keyword => str.includes(keyword));
+    }
+
+    function checkStringConcatenation(node) {
+      if (node.type === "BinaryExpression" && node.operator === "+") {
+        const leftStr = getStringValue(node.left);
+        const rightStr = getStringValue(node.right);
+        
+        if ((leftStr && containsSqlKeywords(leftStr)) || 
+            (rightStr && containsSqlKeywords(rightStr))) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    function getStringValue(node) {
+      if (node.type === "Literal" && typeof node.value === "string") {
+        return node.value;
+      }
+      if (node.type === "TemplateLiteral") {
+        return node.quasis.map(q => q.value.raw).join("");
+      }
+      return null;
+    }
+
+    function checkTemplateLiteral(node) {
+      if (node.type === "TemplateLiteral") {
+        const templateString = node.quasis.map(q => q.value.raw).join("");
+        return containsSqlKeywords(templateString) && node.expressions.length > 0;
+      }
+      return false;
+    }
+
+    function isDatabaseCall(node) {
+      if (node.type === "CallExpression") {
+        // Check for method calls like db.query(), connection.execute()
+        if (node.callee.type === "MemberExpression") {
+          const methodName = node.callee.property.name;
+          return databaseMethods.includes(methodName);
+        }
+        
+        // Check for direct function calls like query()
+        if (node.callee.type === "Identifier") {
+          return databaseMethods.includes(node.callee.name);
+        }
+      }
+      return false;
+    }
+
+    function getMethodName(node) {
+      if (node.callee.type === "MemberExpression") {
+        return node.callee.property.name;
+      }
+      if (node.callee.type === "Identifier") {
+        return node.callee.name;
+      }
+      return "unknown";
+    }
+
+    function checkCallExpression(node) {
+      if (!isDatabaseCall(node)) {
+        return;
+      }
+
+      const methodName = getMethodName(node);
+
+      // Check each argument
+      for (const arg of node.arguments) {
+        // Check for string concatenation
+        if (checkStringConcatenation(arg)) {
+          context.report({
+            node: arg,
+            messageId: "stringConcatenation",
+            data: { method: methodName },
+          });
+          continue;
+        }
+
+        // Check for template literals with expressions
+        if (checkTemplateLiteral(arg)) {
+          context.report({
+            node: arg,
+            messageId: "templateLiteralQuery",
+            data: { method: methodName },
+          });
+          continue;
+        }
+
+        // Check for potentially unsafe patterns
+        if (arg.type === "Identifier" || arg.type === "MemberExpression") {
+          // This is a variable or property access - could be unsafe
+          // We'll be more lenient here and only warn if it's clearly a string concatenation
+          continue;
+        }
+      }
+    }
+
+    return {
+      CallExpression: checkCallExpression,
+      
+      // Also check assignment expressions that might build SQL strings
+      AssignmentExpression(node) {
+        if (node.operator === "=" || node.operator === "+=") {
+          if (checkStringConcatenation(node.right)) {
+            const leftStr = getStringValue(node.right.left);
+            const rightStr = getStringValue(node.right.right);
+            
+            if ((leftStr && containsSqlKeywords(leftStr)) || 
+                (rightStr && containsSqlKeywords(rightStr))) {
+              context.report({
+                node: node.right,
+                messageId: "sqlInjection",
+                data: { method: "string assignment" },
+              });
+            }
+          }
+        }
+      },
+
+      // Check variable declarations
+      VariableDeclarator(node) {
+        if (node.init && checkStringConcatenation(node.init)) {
+          const leftStr = getStringValue(node.init.left);
+          const rightStr = getStringValue(node.init.right);
+          
+          if ((leftStr && containsSqlKeywords(leftStr)) || 
+              (rightStr && containsSqlKeywords(rightStr))) {
+            context.report({
+              node: node.init,
+              messageId: "sqlInjection",
+              data: { method: "variable declaration" },
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s018-positive-input-validation.js

@@ -0,0 +1,56 @@
+"use strict";
+
+/**
+ * S018 – Positive Input Validation
+ * OWASP ASVS 5.1.3
+ * Ensure that all input is validated using positive validation (allow lists).
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure input validation uses allow lists (whitelisting), not deny lists (blacklisting) wherever possible.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      denyList:
+        "Do not use deny lists (blacklisting) for input validation. Use allow lists (whitelisting) instead.",
+    },
+  },
+
+  create(context) {
+    // Detect use of common denylist patterns
+    function isDenyListCheck(node) {
+      // Example: if (input.includes('badword')) { ... }
+      return (
+        node &&
+        node.type === "CallExpression" &&
+        node.callee.type === "MemberExpression" &&
+        (node.callee.property.name === "includes" ||
+          node.callee.property.name === "indexOf") &&
+        node.arguments.length &&
+        node.arguments[0].type === "Literal" &&
+        typeof node.arguments[0].value === "string"
+      );
+    }
+
+    return {
+      IfStatement(node) {
+        if (
+          node.test &&
+          ((node.test.type === "UnaryExpression" &&
+            isDenyListCheck(node.test.argument)) ||
+            (node.test.type === "CallExpression" && isDenyListCheck(node.test)))
+        ) {
+          context.report({
+            node: node.test,
+            messageId: "denyList",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s019-no-raw-user-input-in-email.js

@@ -0,0 +1,113 @@
+/**
+ * Custom ESLint rule for: S019 – Sanitize input before using in email systems
+ * Rule ID: custom/s019
+ * Purpose: Prevent SMTP/IMAP injection via unvalidated user input
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure user input is sanitized before use in mail functions",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unsanitizedEmailInput:
+        "Unsanitized user input '{{input}}' should not be passed directly to mail systems.",
+    },
+  },
+
+  create(context) {
+    const mailFunctionNames = ["sendMail", "sendEmail", "mailer.send"];
+    const sanitizeFunctions = [
+      "sanitize",
+      "escape",
+      "validateEmail",
+      "cleanInput",
+    ];
+
+    // Identify common patterns of user input
+    function isUserInput(name) {
+      return (
+        name.includes("req.body") ||
+        name.includes("input") ||
+        name.includes("form")
+      );
+    }
+
+    // Check if a value has been sanitized
+    function isSanitized(node) {
+      return (
+        node.type === "CallExpression" &&
+        node.callee &&
+        sanitizeFunctions.includes(node.callee.name)
+      );
+    }
+
+    return {
+      CallExpression(node) {
+        const calleeName =
+          (node.callee.type === "MemberExpression" &&
+            node.callee.property.name) ||
+          node.callee.name;
+
+        // Only analyze known mail function calls
+        if (!mailFunctionNames.includes(calleeName)) return;
+
+        for (const arg of node.arguments) {
+          // Direct use of user input in function arguments
+          if (arg.type === "MemberExpression") {
+            const fullName = context.getSourceCode().getText(arg);
+            if (isUserInput(fullName)) {
+              context.report({
+                node: arg,
+                messageId: "unsanitizedEmailInput",
+                data: { input: fullName },
+              });
+            }
+          }
+
+          // If email parameters are passed in an object
+          if (arg.type === "ObjectExpression") {
+            for (const prop of arg.properties) {
+              const value = prop.value;
+
+              // User input used directly
+              if (
+                value.type === "MemberExpression" &&
+                isUserInput(context.getSourceCode().getText(value))
+              ) {
+                context.report({
+                  node: value,
+                  messageId: "unsanitizedEmailInput",
+                  data: { input: context.getSourceCode().getText(value) },
+                });
+              }
+
+              // User input passed through function without sanitization
+              if (
+                value.type === "CallExpression" &&
+                !isSanitized(value) &&
+                value.arguments.some(
+                  (a) =>
+                    a.type === "MemberExpression" &&
+                    isUserInput(context.getSourceCode().getText(a))
+                )
+              ) {
+                context.report({
+                  node: value,
+                  messageId: "unsanitizedEmailInput",
+                  data: { input: context.getSourceCode().getText(value) },
+                });
+              }
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s020-no-eval-dynamic-execution.js

@@ -0,0 +1,89 @@
+/**
+ * ESLint rule S020: Avoid eval() and dynamic code execution
+ * Prevents Remote Code Execution vulnerabilities
+ * OWASP ASVS 5.2.4 compliance
+ */
+
+const ZERO_INDEX = 0;
+
+const s020Rule = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Avoid eval() and dynamic code execution to prevent RCE vulnerabilities",
+      category: "Security",
+      recommended: "error"
+    },
+    messages: {
+      avoidEval: "Avoid eval() - use JSON.parse() or safer alternatives to prevent RCE",
+      avoidFunction: "Avoid Function constructor - use regular functions to prevent code injection",
+      avoidStringTimeout: "Avoid string arguments in setTimeout/setInterval - use function references",
+      avoidDynamicExecution: "Avoid dynamic code execution - sanitize and validate all inputs"
+    }
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Check for eval() usage
+        if (node.callee.type === 'Identifier' && node.callee.name === 'eval') {
+          context.report({
+            node,
+            messageId: 'avoidEval'
+          });
+        }
+
+        // Check for setTimeout/setInterval with string arguments
+        if (node.callee.type === 'Identifier' && 
+            (node.callee.name === 'setTimeout' || node.callee.name === 'setInterval')) {
+          if (node.arguments.length > ZERO_INDEX && 
+              node.arguments[ZERO_INDEX].type === 'Literal' && 
+              typeof node.arguments[ZERO_INDEX].value === 'string') {
+            context.report({
+              node,
+              messageId: 'avoidStringTimeout'
+            });
+          }
+        }
+
+        // Check for dynamic script execution methods
+        if (node.callee.type === 'MemberExpression') {
+          const methodName = node.callee.property.name;
+          if (methodName === 'executeScript' || methodName === 'executeJavaScript') {
+            context.report({
+              node,
+              messageId: 'avoidDynamicExecution'
+            });
+          }
+        }
+      },
+
+      NewExpression(node) {
+        // Check for new Function() constructor
+        if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+          context.report({
+            node,
+            messageId: 'avoidFunction'
+          });
+        }
+      },
+
+      MemberExpression(node) {
+        // Check for indirect eval access via window/global
+        if (node.property.type === 'Identifier' && node.property.name === 'eval') {
+          if (node.object.type === 'Identifier') {
+            const objectName = node.object.name;
+            if (objectName === 'window' || objectName === 'global' || objectName === 'globalThis') {
+              context.report({
+                node,
+                messageId: 'avoidEval'
+              });
+            }
+          }
+        }
+      }
+    };
+  }
+};
+
+module.exports = s020Rule;

package/config/typescript/security-rules/s022-output-encoding.js

@@ -0,0 +1,78 @@
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure HTML output is properly encoded to prevent XSS.",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unsafeOutput:
+        "Output to HTML must use proper encoding (e.g., escapeHtml) to prevent XSS.",
+    },
+  },
+
+  create(context) {
+    const outputMethods = new Set(["write", "print", "println", "log"]);
+    const outputObjects = new Set(["out", "writer", "response", "console", "System"]);
+    const riskyVarNames = ["input", "user", "html", "token", "param", "data"];
+
+    function isEscapeFunction(node) {
+      return (
+        node.type === "CallExpression" &&
+        node.callee.type === "Identifier" &&
+        (node.callee.name.includes("escape") || node.callee.name.includes("encode"))
+      );
+    }
+
+    function isUnescapedArg(node) {
+      if (!node) return false;
+
+      if (node.type === "Literal") return false;
+      if (isEscapeFunction(node)) return false;
+
+      if (node.type === "BinaryExpression") {
+        return isUnescapedArg(node.left) || isUnescapedArg(node.right);
+      }
+
+      if (node.type === "Identifier") {
+        const varName = node.name.toLowerCase();
+        return riskyVarNames.some((risky) => varName.includes(risky));
+      }
+
+      return true;
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        if (
+          callee.type === "MemberExpression" &&
+          outputMethods.has(callee.property.name)
+        ) {
+          const object = callee.object;
+
+          const isLikelyHtmlOutput =
+            (object.type === "Identifier" && outputObjects.has(object.name)) ||
+            (object.type === "MemberExpression" &&
+              object.property?.name === "getWriter");
+
+          if (!isLikelyHtmlOutput) return;
+
+          for (const arg of node.arguments) {
+            if (isUnescapedArg(arg)) {
+              context.report({
+                node: arg,
+                messageId: "unsafeOutput",
+              });
+              break;
+            }
+          }
+        }
+      },
+    };
+  },
+};