@sun-asterisk/sunlint 1.0.7 → 1.1.4

package/integrations/eslint/plugin/rules/security/s003-no-unvalidated-redirect.js

@@ -0,0 +1,86 @@
+/**
+ * Custom ESLint rule: S003 – Prevent unvalidated redirects
+ * Rule ID: custom/s003
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Prevent unvalidated redirects to user-controlled URLs",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      unvalidatedRedirect:
+        "Redirect to user-controlled URL '{{target}}' without validation. Use allow list or warning page.",
+    },
+  },
+
+  create(context) {
+    const userInputSources = [
+      "req.query",
+      "req.body",
+      "input",
+      "form",
+      "params",
+    ];
+
+    function isUserControlled(nodeText) {
+      return userInputSources.some((source) => nodeText.includes(source));
+    }
+
+    function reportIfUserControlled(node, nodeText) {
+      if (isUserControlled(nodeText)) {
+        context.report({
+          node,
+          messageId: "unvalidatedRedirect",
+          data: { target: nodeText },
+        });
+      }
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // res.redirect(...)
+        if (
+          callee.type === "MemberExpression" &&
+          callee.property.name === "redirect" &&
+          node.arguments.length > 0
+        ) {
+          const argText = context.getSourceCode().getText(node.arguments[0]);
+          reportIfUserControlled(node, argText);
+        }
+      },
+
+      AssignmentExpression(node) {
+        const left = node.left;
+        const right = node.right;
+
+        if (
+          left.type === "MemberExpression" &&
+          left.object.name === "window" &&
+          ["location", "location.href"].includes(left.property.name || "") &&
+          right
+        ) {
+          const text = context.getSourceCode().getText(right);
+          reportIfUserControlled(node, text);
+        }
+
+        if (
+          left.type === "MemberExpression" &&
+          left.object.name === "location" &&
+          ["href", "replace"].includes(left.property.name || "") &&
+          right
+        ) {
+          const text = context.getSourceCode().getText(right);
+          reportIfUserControlled(node, text);
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/security/s007-no-plaintext-otp.js

@@ -0,0 +1,74 @@
+/**
+ * ESLint rule: S007 – Plaintext OTP Check
+ * Rule ID: custom/s007
+ * Description: Verify that OTPs are not stored or transmitted in plaintext form.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Verify that OTPs are not stored or transmitted in plaintext form.',
+      recommended: true,
+      url: 'https://owasp.org/www-community/vulnerabilities/Insecure_Storage',
+    },
+    messages: {
+      plaintextOtp:
+        'OTP should not be stored or transmitted in plaintext. Consider hashing or encrypting it.',
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      Property(node) {
+        if (
+          node.key &&
+          node.key.type === 'Identifier' &&
+          /otp/i.test(node.key.name) &&
+          node.value &&
+          node.value.type === 'Identifier' &&
+          !/hash|encrypt|bcrypt|sha/i.test(node.value.name)
+        ) {
+          context.report({
+            node,
+            messageId: 'plaintextOtp',
+          });
+        }
+      },
+
+      CallExpression(node) {
+        const calleeName = getCalleeName(node.callee);
+        if (!calleeName) return;
+
+        if (/(insert|update|save|query|create)/i.test(calleeName)) {
+          for (const arg of node.arguments) {
+            const text = context.getSourceCode().getText(arg);
+            if (/otp/i.test(text) && !/hash|encrypt|bcrypt|sha/i.test(text)) {
+              context.report({
+                node: arg,
+                messageId: 'plaintextOtp',
+              });
+            }
+          }
+        }
+      },
+    };
+  },
+};
+
+// ===== Helper function =====
+
+function getCalleeName(callee) {
+  if (callee.type === 'Identifier') {
+    return callee.name;
+  } else if (
+    callee.type === 'MemberExpression' &&
+    callee.property.type === 'Identifier'
+  ) {
+    return callee.property.name;
+  }
+  return null;
+}

package/integrations/eslint/plugin/rules/security/s013-verify-tls-connection.js

@@ -0,0 +1,47 @@
+/**
+ * ESLint rule: S013 – Enforce TLS Usage
+ * Rule ID: custom-tls/s013
+ */
+"use strict";
+
+const HTTP_REGEX = /^http:\/\//i;
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure all client connections use TLS (HTTPS) and prevent unencrypted (HTTP) connections.",
+      recommended: true,
+    },
+    messages: {
+      insecureUrl:
+        "Unencrypted connection detected (http://). Always use HTTPS (TLS).",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    /** Báo lỗi nếu node là string chứa http://  */
+    function reportIfHttp(node, text) {
+      if (HTTP_REGEX.test(text)) {
+        context.report({ node, messageId: "insecureUrl" });
+      }
+    }
+
+    return {
+      // String literal
+      Literal(node) {
+        if (typeof node.value === "string") reportIfHttp(node, node.value);
+      },
+
+      // Template “thuần” (không có ${...})
+      TemplateLiteral(node) {
+        if (node.expressions.length === 0) {
+          const raw = node.quasis.map(q => q.value.raw).join("");
+          reportIfHttp(node, raw);
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/security/s047-secure-random-passwords.js

@@ -0,0 +1,108 @@
+"use strict";
+
+/**
+ * S047 – Verify system generated initial passwords or activation codes SHOULD be securely randomly generated
+ * OWASP ASVS 2.3.1
+ * Rule ID: custom/s047
+ * SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.
+ */
+
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Initial passwords or activation codes must be securely generated, at least 6 characters, expire soon, and not reused long-term.",
+      recommended: false,
+    },
+    messages: {
+      weakInitialSecret:
+        "Initial secret (password or activation code) must be securely randomly generated, at least 6 characters, expire soon, and not reused long-term.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    const SECRET_NAME_REGEX = /(initial|activation|temp).*?(password|code|token|secret)/i;
+
+    function isPotentialSecretName(name) {
+      return SECRET_NAME_REGEX.test(name);
+    }
+
+    function checkInsecureGeneration(node) {
+      const callee = node.callee;
+
+      // Check for Math.random()
+      if (
+        callee.type === "MemberExpression" &&
+        callee.object.type === "Identifier" &&
+        callee.object.name === "Math" &&
+        callee.property.type === "Identifier" &&
+        callee.property.name === "random"
+      ) {
+        context.report({ node, messageId: "weakInitialSecret" });
+      }
+
+      // Check for Date.now()
+      if (
+        callee.type === "MemberExpression" &&
+        callee.object.type === "Identifier" &&
+        callee.object.name === "Date" &&
+        callee.property.type === "Identifier" &&
+        callee.property.name === "now"
+      ) {
+        context.report({ node, messageId: "weakInitialSecret" });
+      }
+    }
+
+    return {
+      VariableDeclarator(node) {
+        if (
+          node.id.type === "Identifier" &&
+          isPotentialSecretName(node.id.name) &&
+          node.init
+        ) {
+          if (node.init.type === "Literal") {
+            const val = node.init.value;
+            if (typeof val === "string" && val.length < 6) {
+              context.report({ node, messageId: "weakInitialSecret" });
+            }
+          }
+
+          if (
+            node.init.type === "CallExpression" ||
+            node.init.type === "NewExpression"
+          ) {
+            checkInsecureGeneration(node.init);
+          }
+        }
+      },
+
+      AssignmentExpression(node) {
+        const left = node.left;
+        const right = node.right;
+
+        if (
+          left.type === "MemberExpression" &&
+          left.property.type === "Identifier" &&
+          isPotentialSecretName(left.property.name)
+        ) {
+          if (right.type === "Literal") {
+            const val = right.value;
+            if (typeof val === "string" && val.length < 6) {
+              context.report({ node, messageId: "weakInitialSecret" });
+            }
+          }
+
+          if (
+            right.type === "CallExpression" ||
+            right.type === "NewExpression"
+          ) {
+            checkInsecureGeneration(right);
+          }
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/security/s055-verification-rest-check-the-incoming-content-type.js

@@ -0,0 +1,143 @@
+"use strict";
+
+/**
+ * S055 – Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
+ * OWASP ASVS 13.2.5
+ * Rule ID: custom/s055
+ * Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Ensure REST request handlers validate Content-Type when using req.body",
+      recommended: false,
+    },
+    messages: {
+      missingCheck:
+        "Handler uses req.body but does not validate Content-Type.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    function walkForReqBody(node, reqName = "req") {
+      const visited = new Set();
+      let found = false;
+
+      function walk(n) {
+        if (!n || typeof n !== "object" || visited.has(n) || found) return;
+        visited.add(n);
+
+        if (
+          n.type === "MemberExpression" &&
+          n.object.type === "Identifier" &&
+          n.object.name === reqName &&
+          n.property.type === "Identifier" &&
+          n.property.name === "body"
+        ) {
+          found = true;
+          return;
+        }
+
+        for (const key in n) {
+          if (!Object.prototype.hasOwnProperty.call(n, key)) continue;
+          const child = n[key];
+          if (Array.isArray(child)) child.forEach(walk);
+          else if (typeof child === "object" && child !== null) walk(child);
+        }
+      }
+
+      walk(node);
+      return found;
+    }
+
+    function walkForContentTypeCheck(node, reqName = "req") {
+      const visited = new Set();
+
+      function walk(n) {
+        if (!n || typeof n !== "object" || visited.has(n)) return false;
+        visited.add(n);
+
+        // req.is("application/json")
+        if (
+          n.type === "CallExpression" &&
+          n.callee.type === "MemberExpression" &&
+          n.callee.object.type === "Identifier" &&
+          n.callee.object.name === reqName &&
+          n.callee.property.name === "is" &&
+          n.arguments.length > 0 &&
+          n.arguments[0].type === "Literal" &&
+          typeof n.arguments[0].value === "string" &&
+          n.arguments[0].value.startsWith("application/")
+        ) {
+          return true;
+        }
+
+        // req.headers["content-type"]
+        if (
+          n.type === "MemberExpression" &&
+          n.object?.type === "MemberExpression" &&
+          n.object.object?.type === "Identifier" &&
+          n.object.object.name === reqName &&
+          n.object.property?.name === "headers" &&
+          (
+            (n.property.type === "Literal" && n.property.value === "content-type") ||
+            (n.property.type === "Identifier" && n.property.name === "content-type")
+          )
+        ) {
+          return true;
+        }
+
+        // Look through children
+        for (const key in n) {
+          if (!Object.prototype.hasOwnProperty.call(n, key)) continue;
+          const child = n[key];
+          if (Array.isArray(child)) {
+            if (child.some(walk)) return true;
+          } else if (typeof child === "object" && child !== null) {
+            if (walk(child)) return true;
+          }
+        }
+
+        return false;
+      }
+
+      return walk(node);
+    }
+
+    return {
+      CallExpression(node) {
+        // Match app.post("/path", handler)
+        if (
+          node.callee.type === "MemberExpression" &&
+          ["post", "put", "patch", "delete"].includes(
+            node.callee.property.name
+          )
+        ) {
+          const handler = node.arguments.find(
+            (arg) =>
+              arg.type === "FunctionExpression" ||
+              arg.type === "ArrowFunctionExpression"
+          );
+
+          if (!handler || !handler.body) return;
+
+          const reqName = handler.params[0]?.name || "req";
+
+          const usesBody = walkForReqBody(handler.body, reqName);
+          const hasValidation = walkForContentTypeCheck(handler.body, reqName);
+
+          if (usesBody && !hasValidation) {
+            context.report({
+              node: handler,
+              messageId: "missingCheck",
+            });
+          }
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/typescript/t002-interface-prefix-i.js

@@ -0,0 +1,42 @@
+/**
+ * Custom ESLint rule for: T002 – Interface names should start with 'I'
+ * Rule ID: custom/t002
+ * Purpose: Enforce consistent interface naming convention by requiring the 'I' prefix
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Interface names should start with 'I'",
+      recommended: false
+    },
+    fixable: "code",
+    schema: [],
+    messages: {
+      interfacePrefix: "Interface name '{{name}}' should start with 'I'"
+    }
+  },
+
+  create(context) {
+    return {
+      TSInterfaceDeclaration(node) {
+        const interfaceName = node.id.name;
+        if (!interfaceName.startsWith("I")) {
+          context.report({
+            node: node.id,
+            messageId: "interfacePrefix",
+            data: {
+              name: interfaceName,
+            },
+            fix(fixer) {
+              return fixer.replaceText(node.id, `I${interfaceName}`);
+            },
+          });
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/typescript/t003-ts-ignore-reason.js

@@ -0,0 +1,48 @@
+/**
+ * Custom ESLint rule for: T003 – Avoid using @ts-ignore without justification
+ * Rule ID: custom/t003  
+ * Purpose: Require clear justification when using @ts-ignore comments
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Avoid using @ts-ignore without a justification",
+      recommended: false
+    },
+    fixable: null,
+    schema: [],
+    messages: {
+      tsIgnoreReason: "Please provide a reason for using @ts-ignore"
+    }
+  },
+
+  create(context) {
+    return {
+      Program() {
+        const sourceCode = context.getSourceCode();
+        const comments = sourceCode.getAllComments();
+
+        comments.forEach((comment) => {
+          if (comment.type === "Line" && comment.value.includes("@ts-ignore")) {
+            // Check if there's a justification after @ts-ignore
+            const hasJustification = comment.value
+              .replace("@ts-ignore", "")
+              .trim()
+              .length > 0;
+
+            if (!hasJustification) {
+              context.report({
+                node: comment,
+                messageId: "tsIgnoreReason",
+              });
+            }
+          }
+        });
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/typescript/t004-no-empty-type.js

@@ -0,0 +1,95 @@
+/**
+ * Custom ESLint rule for: T019 – Disallow empty type definitions
+ * Rule ID: custom/t019
+ * Purpose: Prevent empty type definitions and suggest more specific types
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Disallow empty type definitions",
+      category: "TypeScript",
+      recommended: true,
+    },
+    fixable: "code",
+    schema: [],
+    messages: {
+      emptyType: "Empty type definition is not allowed. Add at least one property or use a more specific type.",
+    },
+  },
+
+  create(context) {
+    // Helper function to get a more specific type suggestion based on the name
+    function getSuggestedType(name) {
+      const lowerName = name.toLowerCase();
+      
+      // Suggest more specific types based on common naming patterns
+      if (lowerName.includes("config") || lowerName.includes("options")) {
+        return "Record<string, unknown>";
+      }
+      if (lowerName.includes("props")) {
+        return "Record<string, React.ReactNode>";
+      }
+      if (lowerName.includes("state")) {
+        return "Record<string, unknown>";
+      }
+      if (lowerName.includes("params")) {
+        return "Record<string, string | number | boolean>";
+      }
+      if (lowerName.includes("result") || lowerName.includes("response")) {
+        return "Record<string, unknown>";
+      }
+      if (lowerName.includes("event") || lowerName.includes("handler")) {
+        return "(...args: unknown[]) => void";
+      }
+      if (lowerName.includes("callback") || lowerName.includes("fn")) {
+        return "(...args: unknown[]) => unknown";
+      }
+      if (lowerName.includes("data") || lowerName.includes("item")) {
+        return "Record<string, unknown>";
+      }
+      
+      // Default suggestion
+      return "Record<string, unknown>";
+    }
+
+    return {
+      TSInterfaceDeclaration(node) {
+        if (node.body.body.length === 0) {
+          const suggestedType = getSuggestedType(node.id.name);
+          context.report({
+            node: node.body,
+            messageId: "emptyType",
+            fix(fixer) {
+              return fixer.replaceText(
+                node,
+                `type ${node.id.name} = ${suggestedType};`
+              );
+            },
+          });
+        }
+      },
+      TSTypeAliasDeclaration(node) {
+        if (
+          node.typeAnnotation.type === "TSTypeLiteral" &&
+          node.typeAnnotation.members.length === 0
+        ) {
+          const suggestedType = getSuggestedType(node.id.name);
+          context.report({
+            node: node.typeAnnotation,
+            messageId: "emptyType",
+            fix(fixer) {
+              return fixer.replaceText(
+                node.typeAnnotation,
+                suggestedType
+              );
+            },
+          });
+        }
+      },
+    };
+  },
+};

package/integrations/eslint/plugin/rules/typescript/t007-no-fn-in-constructor.js

@@ -0,0 +1,52 @@
+/**
+ * Custom ESLint rule for: T007 – Avoid declaring functions inside constructors or class bodies
+ * Rule ID: custom/t007
+ * Purpose: Discourage function declarations within constructors or class methods
+ */
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Avoid declaring functions inside constructors or class bodies",
+      recommended: false
+    },
+    schema: [],
+    messages: {
+      noFunctionInConstructor: "Avoid declaring functions inside class constructors.",
+      noFunctionInClassBody: "Avoid declaring nested functions inside class body."
+    }
+  },
+  create(context) {
+    return {
+      MethodDefinition(node) {
+        if (node.kind === "constructor" && node.value && node.value.body && node.value.body.body) {
+          const constructorBody = node.value.body.body;
+          constructorBody.forEach(element => {
+            if (element.type === "FunctionDeclaration" || element.type === "FunctionExpression") {
+              context.report({
+                node: element,
+                messageId: "noFunctionInConstructor"
+              });
+            }
+          });
+        }
+      },
+      ClassBody(node) {
+        node.body.forEach(element => {
+          if (element.type === "MethodDefinition" && element.value && element.value.body && element.value.body.body) {
+            const methodBody = element.value.body.body;
+            methodBody.forEach(subNode => {
+              if (subNode.type === "FunctionDeclaration") {
+                context.report({
+                  node: subNode,
+                  messageId: "noFunctionInClassBody"
+                });
+              }
+            });
+          }
+        });
+      }
+    };
+  }
+};