npm - @sun-asterisk/sunlint - Versions diffs - 1.0.6 → 1.0.7 - Mend

@sun-asterisk/sunlint 1.0.6 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

package/eslint-integration/eslint-plugin-custom/s017-no-sql-injection.js DELETED Viewed

@@ -1,193 +0,0 @@
-"use strict";
-module.exports = {
-  meta: {
-    type: "problem",
-    docs: {
-      description:
-        "Verify that data selection or database queries use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks",
-      recommended: true,
-    },
-    schema: [],
-    messages: {
-      sqlInjection: "Potential SQL injection vulnerability detected. Use parameterized queries instead of string concatenation in '{{method}}'.",
-      unsafeQuery: "Unsafe database query detected in '{{method}}'. Consider using ORM or parameterized queries.",
-      stringConcatenation: "Avoid string concatenation in SQL queries. Use parameterized queries in '{{method}}'.",
-      templateLiteralQuery: "Template literals in SQL queries can be vulnerable to injection. Use parameterized queries in '{{method}}'.",
-    },
-  },
-  create(context) {
-    // Database methods that should use parameterized queries
-    const databaseMethods = [
-      // MySQL
-      "query", "execute", "prepare",
-      // PostgreSQL
-      "query", "execute",
-      // MongoDB
-      "find", "findOne", "aggregate", "updateOne", "updateMany", "deleteOne", "deleteMany",
-      // SQLite
-      "run", "get", "all", "each", "prepare",
-      // General ORM methods
-      "where", "whereRaw", "raw", "knex",
-      // Sequelize
-      "findAll", "findOne", "create", "update", "destroy",
-      // TypeORM
-      "createQueryBuilder", "query", "manager",
-      // Prisma
-      "findMany", "findUnique", "create", "update", "delete",
-    ];
-    // Dangerous string methods that suggest concatenation
-    const dangerousStringMethods = [
-      "concat", "replace", "replaceAll", "substring", "slice"
-    ];
-    // SQL keywords that when used with string operations are suspicious
-    const sqlKeywords = [
-      "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "ALTER",
-      "WHERE", "FROM", "JOIN", "UNION", "ORDER", "GROUP", "HAVING",
-      "select", "insert", "update", "delete", "drop", "create", "alter",
-      "where", "from", "join", "union", "order", "group", "having"
-    ];
-    function containsSqlKeywords(str) {
-      return sqlKeywords.some(keyword => str.includes(keyword));
-    }
-    function checkStringConcatenation(node) {
-      if (node.type === "BinaryExpression" && node.operator === "+") {
-        const leftStr = getStringValue(node.left);
-        const rightStr = getStringValue(node.right);
-        if ((leftStr && containsSqlKeywords(leftStr)) ||
-            (rightStr && containsSqlKeywords(rightStr))) {
-          return true;
-        }
-      }
-      return false;
-    }
-    function getStringValue(node) {
-      if (node.type === "Literal" && typeof node.value === "string") {
-        return node.value;
-      }
-      if (node.type === "TemplateLiteral") {
-        return node.quasis.map(q => q.value.raw).join("");
-      }
-      return null;
-    }
-    function checkTemplateLiteral(node) {
-      if (node.type === "TemplateLiteral") {
-        const templateString = node.quasis.map(q => q.value.raw).join("");
-        return containsSqlKeywords(templateString) && node.expressions.length > 0;
-      }
-      return false;
-    }
-    function isDatabaseCall(node) {
-      if (node.type === "CallExpression") {
-        // Check for method calls like db.query(), connection.execute()
-        if (node.callee.type === "MemberExpression") {
-          const methodName = node.callee.property.name;
-          return databaseMethods.includes(methodName);
-        }
-        // Check for direct function calls like query()
-        if (node.callee.type === "Identifier") {
-          return databaseMethods.includes(node.callee.name);
-        }
-      }
-      return false;
-    }
-    function getMethodName(node) {
-      if (node.callee.type === "MemberExpression") {
-        return node.callee.property.name;
-      }
-      if (node.callee.type === "Identifier") {
-        return node.callee.name;
-      }
-      return "unknown";
-    }
-    function checkCallExpression(node) {
-      if (!isDatabaseCall(node)) {
-        return;
-      }
-      const methodName = getMethodName(node);
-      // Check each argument
-      for (const arg of node.arguments) {
-        // Check for string concatenation
-        if (checkStringConcatenation(arg)) {
-          context.report({
-            node: arg,
-            messageId: "stringConcatenation",
-            data: { method: methodName },
-          });
-          continue;
-        }
-        // Check for template literals with expressions
-        if (checkTemplateLiteral(arg)) {
-          context.report({
-            node: arg,
-            messageId: "templateLiteralQuery",
-            data: { method: methodName },
-          });
-          continue;
-        }
-        // Check for potentially unsafe patterns
-        if (arg.type === "Identifier" || arg.type === "MemberExpression") {
-          // This is a variable or property access - could be unsafe
-          // We'll be more lenient here and only warn if it's clearly a string concatenation
-          continue;
-        }
-      }
-    }
-    return {
-      CallExpression: checkCallExpression,
-      // Also check assignment expressions that might build SQL strings
-      AssignmentExpression(node) {
-        if (node.operator === "=" || node.operator === "+=") {
-          if (checkStringConcatenation(node.right)) {
-            const leftStr = getStringValue(node.right.left);
-            const rightStr = getStringValue(node.right.right);
-            if ((leftStr && containsSqlKeywords(leftStr)) ||
-                (rightStr && containsSqlKeywords(rightStr))) {
-              context.report({
-                node: node.right,
-                messageId: "sqlInjection",
-                data: { method: "string assignment" },
-              });
-            }
-          }
-        }
-      },
-      // Check variable declarations
-      VariableDeclarator(node) {
-        if (node.init && checkStringConcatenation(node.init)) {
-          const leftStr = getStringValue(node.init.left);
-          const rightStr = getStringValue(node.init.right);
-          if ((leftStr && containsSqlKeywords(leftStr)) ||
-              (rightStr && containsSqlKeywords(rightStr))) {
-            context.report({
-              node: node.init,
-              messageId: "sqlInjection",
-              data: { method: "variable declaration" },
-            });
-          }
-        }
-      },
-    };
-  },
-};

package/eslint-integration/eslint-plugin-custom/s018-positive-input-validation.js DELETED Viewed

@@ -1,56 +0,0 @@
-"use strict";
-/**
- * S018 – Positive Input Validation
- * OWASP ASVS 5.1.3
- * Ensure that all input is validated using positive validation (allow lists).
- */
-module.exports = {
-  meta: {
-    type: "problem",
-    docs: {
-      description:
-        "Ensure input validation uses allow lists (whitelisting), not deny lists (blacklisting) wherever possible.",
-      recommended: true,
-    },
-    schema: [],
-    messages: {
-      denyList:
-        "Do not use deny lists (blacklisting) for input validation. Use allow lists (whitelisting) instead.",
-    },
-  },
-  create(context) {
-    // Detect use of common denylist patterns
-    function isDenyListCheck(node) {
-      // Example: if (input.includes('badword')) { ... }
-      return (
-        node &&
-        node.type === "CallExpression" &&
-        node.callee.type === "MemberExpression" &&
-        (node.callee.property.name === "includes" ||
-          node.callee.property.name === "indexOf") &&
-        node.arguments.length &&
-        node.arguments[0].type === "Literal" &&
-        typeof node.arguments[0].value === "string"
-      );
-    }
-    return {
-      IfStatement(node) {
-        if (
-          node.test &&
-          ((node.test.type === "UnaryExpression" &&
-            isDenyListCheck(node.test.argument)) ||
-            (node.test.type === "CallExpression" && isDenyListCheck(node.test)))
-        ) {
-          context.report({
-            node: node.test,
-            messageId: "denyList",
-          });
-        }
-      },
-    };
-  },
-};

package/eslint-integration/eslint-plugin-custom/s019-no-raw-user-input-in-email.js DELETED Viewed

@@ -1,113 +0,0 @@
-/**
- * Custom ESLint rule for: S019 – Sanitize input before using in email systems
- * Rule ID: custom/s019
- * Purpose: Prevent SMTP/IMAP injection via unvalidated user input
- */
-"use strict";
-module.exports = {
-  meta: {
-    type: "problem",
-    docs: {
-      description:
-        "Ensure user input is sanitized before use in mail functions",
-      recommended: true,
-    },
-    schema: [],
-    messages: {
-      unsanitizedEmailInput:
-        "Unsanitized user input '{{input}}' should not be passed directly to mail systems.",
-    },
-  },
-  create(context) {
-    const mailFunctionNames = ["sendMail", "sendEmail", "mailer.send"];
-    const sanitizeFunctions = [
-      "sanitize",
-      "escape",
-      "validateEmail",
-      "cleanInput",
-    ];
-    // Identify common patterns of user input
-    function isUserInput(name) {
-      return (
-        name.includes("req.body") ||
-        name.includes("input") ||
-        name.includes("form")
-      );
-    }
-    // Check if a value has been sanitized
-    function isSanitized(node) {
-      return (
-        node.type === "CallExpression" &&
-        node.callee &&
-        sanitizeFunctions.includes(node.callee.name)
-      );
-    }
-    return {
-      CallExpression(node) {
-        const calleeName =
-          (node.callee.type === "MemberExpression" &&
-            node.callee.property.name) ||
-          node.callee.name;
-        // Only analyze known mail function calls
-        if (!mailFunctionNames.includes(calleeName)) return;
-        for (const arg of node.arguments) {
-          // Direct use of user input in function arguments
-          if (arg.type === "MemberExpression") {
-            const fullName = context.getSourceCode().getText(arg);
-            if (isUserInput(fullName)) {
-              context.report({
-                node: arg,
-                messageId: "unsanitizedEmailInput",
-                data: { input: fullName },
-              });
-            }
-          }
-          // If email parameters are passed in an object
-          if (arg.type === "ObjectExpression") {
-            for (const prop of arg.properties) {
-              const value = prop.value;
-              // User input used directly
-              if (
-                value.type === "MemberExpression" &&
-                isUserInput(context.getSourceCode().getText(value))
-              ) {
-                context.report({
-                  node: value,
-                  messageId: "unsanitizedEmailInput",
-                  data: { input: context.getSourceCode().getText(value) },
-                });
-              }
-              // User input passed through function without sanitization
-              if (
-                value.type === "CallExpression" &&
-                !isSanitized(value) &&
-                value.arguments.some(
-                  (a) =>
-                    a.type === "MemberExpression" &&
-                    isUserInput(context.getSourceCode().getText(a))
-                )
-              ) {
-                context.report({
-                  node: value,
-                  messageId: "unsanitizedEmailInput",
-                  data: { input: context.getSourceCode().getText(value) },
-                });
-              }
-            }
-          }
-        }
-      },
-    };
-  },
-};

package/eslint-integration/eslint-plugin-custom/s020-no-eval-dynamic-execution.js DELETED Viewed

@@ -1,89 +0,0 @@
-/**
- * ESLint rule S020: Avoid eval() and dynamic code execution
- * Prevents Remote Code Execution vulnerabilities
- * OWASP ASVS 5.2.4 compliance
- */
-const ZERO_INDEX = 0;
-const s020Rule = {
-  meta: {
-    type: "problem",
-    docs: {
-      description: "Avoid eval() and dynamic code execution to prevent RCE vulnerabilities",
-      category: "Security",
-      recommended: "error"
-    },
-    messages: {
-      avoidEval: "Avoid eval() - use JSON.parse() or safer alternatives to prevent RCE",
-      avoidFunction: "Avoid Function constructor - use regular functions to prevent code injection",
-      avoidStringTimeout: "Avoid string arguments in setTimeout/setInterval - use function references",
-      avoidDynamicExecution: "Avoid dynamic code execution - sanitize and validate all inputs"
-    }
-  },
-  create(context) {
-    return {
-      CallExpression(node) {
-        // Check for eval() usage
-        if (node.callee.type === 'Identifier' && node.callee.name === 'eval') {
-          context.report({
-            node,
-            messageId: 'avoidEval'
-          });
-        }
-        // Check for setTimeout/setInterval with string arguments
-        if (node.callee.type === 'Identifier' &&
-            (node.callee.name === 'setTimeout' || node.callee.name === 'setInterval')) {
-          if (node.arguments.length > ZERO_INDEX &&
-              node.arguments[ZERO_INDEX].type === 'Literal' &&
-              typeof node.arguments[ZERO_INDEX].value === 'string') {
-            context.report({
-              node,
-              messageId: 'avoidStringTimeout'
-            });
-          }
-        }
-        // Check for dynamic script execution methods
-        if (node.callee.type === 'MemberExpression') {
-          const methodName = node.callee.property.name;
-          if (methodName === 'executeScript' || methodName === 'executeJavaScript') {
-            context.report({
-              node,
-              messageId: 'avoidDynamicExecution'
-            });
-          }
-        }
-      },
-      NewExpression(node) {
-        // Check for new Function() constructor
-        if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
-          context.report({
-            node,
-            messageId: 'avoidFunction'
-          });
-        }
-      },
-      MemberExpression(node) {
-        // Check for indirect eval access via window/global
-        if (node.property.type === 'Identifier' && node.property.name === 'eval') {
-          if (node.object.type === 'Identifier') {
-            const objectName = node.object.name;
-            if (objectName === 'window' || objectName === 'global' || objectName === 'globalThis') {
-              context.report({
-                node,
-                messageId: 'avoidEval'
-              });
-            }
-          }
-        }
-      }
-    };
-  }
-};
-module.exports = s020Rule;

package/eslint-integration/eslint-plugin-custom/s022-output-encoding.js DELETED Viewed

@@ -1,78 +0,0 @@
-"use strict";
-module.exports = {
-  meta: {
-    type: "problem",
-    docs: {
-      description: "Ensure HTML output is properly encoded to prevent XSS.",
-      recommended: true,
-    },
-    schema: [],
-    messages: {
-      unsafeOutput:
-        "Output to HTML must use proper encoding (e.g., escapeHtml) to prevent XSS.",
-    },
-  },
-  create(context) {
-    const outputMethods = new Set(["write", "print", "println", "log"]);
-    const outputObjects = new Set(["out", "writer", "response", "console", "System"]);
-    const riskyVarNames = ["input", "user", "html", "token", "param", "data"];
-    function isEscapeFunction(node) {
-      return (
-        node.type === "CallExpression" &&
-        node.callee.type === "Identifier" &&
-        (node.callee.name.includes("escape") || node.callee.name.includes("encode"))
-      );
-    }
-    function isUnescapedArg(node) {
-      if (!node) return false;
-      if (node.type === "Literal") return false;
-      if (isEscapeFunction(node)) return false;
-      if (node.type === "BinaryExpression") {
-        return isUnescapedArg(node.left) || isUnescapedArg(node.right);
-      }
-      if (node.type === "Identifier") {
-        const varName = node.name.toLowerCase();
-        return riskyVarNames.some((risky) => varName.includes(risky));
-      }
-      return true;
-    }
-    return {
-      CallExpression(node) {
-        const callee = node.callee;
-        if (
-          callee.type === "MemberExpression" &&
-          outputMethods.has(callee.property.name)
-        ) {
-          const object = callee.object;
-          const isLikelyHtmlOutput =
-            (object.type === "Identifier" && outputObjects.has(object.name)) ||
-            (object.type === "MemberExpression" &&
-              object.property?.name === "getWriter");
-          if (!isLikelyHtmlOutput) return;
-          for (const arg of node.arguments) {
-            if (isUnescapedArg(arg)) {
-              context.report({
-                node: arg,
-                messageId: "unsafeOutput",
-              });
-              break;
-            }
-          }
-        }
-      },
-    };
-  },
-};