@sun-asterisk/sunlint 1.3.26 → 1.3.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69)
  1. package/config/rules/enhanced-rules-registry.json +101 -17
  2. package/config/rules/rules-registry-generated.json +22 -22
  3. package/origin-rules/security-en.md +351 -338
  4. package/package.json +1 -1
  5. package/rules/common/C003_no_vague_abbreviations/analyzer.js +73 -21
  6. package/rules/common/C017_constructor_logic/symbol-based-analyzer.js +206 -2
  7. package/rules/common/C024_no_scatter_hardcoded_constants/symbol-based-analyzer.js +553 -58
  8. package/rules/common/C029_catch_block_logging/analyzer.js +47 -12
  9. package/rules/common/C033_separate_service_repository/symbol-based-analyzer.js +35 -15
  10. package/rules/common/C041_no_sensitive_hardcode/symbol-based-analyzer.js +9 -5
  11. package/rules/security/S003_open_redirect_protection/README.md +371 -0
  12. package/rules/security/S003_open_redirect_protection/analyzer.js +135 -0
  13. package/rules/security/S003_open_redirect_protection/config.json +58 -0
  14. package/rules/security/S003_open_redirect_protection/symbol-based-analyzer.js +884 -0
  15. package/rules/security/S004_sensitive_data_logging/analyzer.js +135 -0
  16. package/rules/security/S004_sensitive_data_logging/config.json +62 -0
  17. package/rules/security/S004_sensitive_data_logging/symbol-based-analyzer.js +592 -0
  18. package/rules/security/S005_no_origin_auth/analyzer.js +97 -148
  19. package/rules/security/S005_no_origin_auth/config.json +28 -67
  20. package/rules/security/S005_no_origin_auth/symbol-based-analyzer.js +708 -0
  21. package/rules/security/S006_no_plaintext_recovery_codes/symbol-based-analyzer.js +170 -31
  22. package/rules/security/S010_no_insecure_encryption/analyzer.js +8 -2
  23. package/rules/security/S012_hardcoded_secrets/analyzer.js +149 -0
  24. package/rules/security/S012_hardcoded_secrets/config.json +75 -0
  25. package/rules/security/S012_hardcoded_secrets/symbol-based-analyzer.js +1204 -0
  26. package/rules/security/S013_tls_enforcement/symbol-based-analyzer.js +87 -0
  27. package/rules/security/S017_use_parameterized_queries/analyzer.js +11 -78
  28. package/rules/security/S017_use_parameterized_queries/symbol-based-analyzer.js +1146 -1
  29. package/rules/security/S019_smtp_injection_protection/analyzer.js +120 -0
  30. package/rules/security/S019_smtp_injection_protection/config.json +35 -0
  31. package/rules/security/S019_smtp_injection_protection/symbol-based-analyzer.js +687 -0
  32. package/rules/security/S020_no_eval_dynamic_code/analyzer.js +55 -130
  33. package/rules/security/S020_no_eval_dynamic_code/symbol-based-analyzer.js +4 -19
  34. package/rules/security/S022_escape_output_context/README.md +254 -0
  35. package/rules/security/S022_escape_output_context/analyzer.js +510 -0
  36. package/rules/security/S022_escape_output_context/config.json +229 -0
  37. package/rules/security/S023_no_json_injection/analyzer.js +15 -0
  38. package/rules/security/S023_no_json_injection/ast-analyzer.js +18 -3
  39. package/rules/security/S023_no_json_injection/config.json +133 -0
  40. package/rules/security/S024_xpath_xxe_protection/regex-based-analyzer.js +41 -0
  41. package/rules/security/S027_no_hardcoded_secrets/analyzer.js +67 -8
  42. package/rules/security/S027_no_hardcoded_secrets/categorized-analyzer.js +29 -6
  43. package/rules/security/S029_csrf_protection/config.json +127 -0
  44. package/rules/security/S030_directory_browsing_protection/regex-based-analyzer.js +160 -28
  45. package/rules/security/S030_directory_browsing_protection/symbol-based-analyzer.js +81 -19
  46. package/rules/security/S031_secure_session_cookies/analyzer.js +20 -2
  47. package/rules/security/S031_secure_session_cookies/regex-based-analyzer.js +100 -0
  48. package/rules/security/S031_secure_session_cookies/symbol-based-analyzer.js +8 -1
  49. package/rules/security/S032_httponly_session_cookies/analyzer.js +2 -2
  50. package/rules/security/S032_httponly_session_cookies/regex-based-analyzer.js +115 -0
  51. package/rules/security/S032_httponly_session_cookies/symbol-based-analyzer.js +39 -10
  52. package/rules/security/S036_lfi_rfi_protection/analyzer.js +224 -0
  53. package/rules/security/S036_lfi_rfi_protection/config.json +20 -0
  54. package/rules/security/S040_session_fixation_protection/analyzer.js +153 -0
  55. package/rules/security/S040_session_fixation_protection/config.json +20 -0
  56. package/rules/security/S042_require_re_authentication_for_long_lived/README.md +83 -0
  57. package/rules/security/S042_require_re_authentication_for_long_lived/analyzer.js +153 -0
  58. package/rules/security/S042_require_re_authentication_for_long_lived/config.json +41 -0
  59. package/rules/security/S042_require_re_authentication_for_long_lived/symbol-based-analyzer.js +1139 -0
  60. package/rules/security/S043_password_changes_invalidate_all_sessions/README.md +107 -0
  61. package/rules/security/S043_password_changes_invalidate_all_sessions/analyzer.js +153 -0
  62. package/rules/security/S043_password_changes_invalidate_all_sessions/config.json +41 -0
  63. package/rules/security/S043_password_changes_invalidate_all_sessions/symbol-based-analyzer.js +541 -0
  64. package/docs/COMMAND-EXAMPLES.md +0 -390
  65. package/docs/FILE_LIMITS_COMPLETION_REPORT.md +0 -151
  66. package/docs/FOLDER_STRUCTURE.md +0 -59
  67. package/docs/SIMPLIFIED_USAGE_GUIDE.md +0 -208
  68. package/rules/security/S017_use_parameterized_queries/regex-based-analyzer.js +0 -541
  69. package/rules/security/S020_no_eval_dynamic_code/regex-based-analyzer.js +0 -307
@@ -496,16 +496,62 @@
496
496
  "tags": ["security", "idor", "access-control"]
497
497
  },
498
498
  "S003": {
499
- "name": "No Unvalidated Redirect",
500
- "description": "Prevent unvalidated redirects and forwards",
499
+ "name": "Open Redirect Protection",
500
+ "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
501
501
  "category": "security",
502
502
  "severity": "error",
503
503
  "languages": ["typescript", "javascript"],
504
- "analyzer": "eslint",
505
- "eslintRule": "custom/typescript_s003",
504
+ "analyzer": "./rules/security/S003_open_redirect_protection/analyzer.js",
505
+ "config": "./rules/security/S003_open_redirect_protection/config.json",
506
506
  "version": "1.0.0",
507
507
  "status": "stable",
508
- "tags": ["security", "redirect", "validation"]
508
+ "tags": ["security", "owasp", "injection", "open-redirect", "phishing", "url-validation"],
509
+ "strategy": {
510
+ "preferred": "heuristic",
511
+ "fallbacks": ["heuristic"],
512
+ "accuracy": {
513
+ "heuristic": 95
514
+ }
515
+ },
516
+ "engineMappings": {
517
+ "heuristic": ["rules/security/S003_open_redirect_protection/analyzer.js"]
518
+ },
519
+ "metadata": {
520
+ "owaspCategory": "A03:2021 - Injection",
521
+ "cweId": "CWE-601",
522
+ "frameworks": ["Express", "NestJS", "Next.js", "Nuxt.js", "Spring Boot"],
523
+ "detectionPatterns": 28,
524
+ "testCases": 118
525
+ }
526
+ },
527
+ "S004": {
528
+ "name": "Sensitive Data Logging Protection",
529
+ "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
530
+ "category": "security",
531
+ "severity": "warning",
532
+ "languages": ["typescript", "javascript"],
533
+ "analyzer": "./rules/security/S004_sensitive_data_logging/analyzer.js",
534
+ "config": "./rules/security/S004_sensitive_data_logging/config.json",
535
+ "version": "1.0.0",
536
+ "status": "stable",
537
+ "tags": ["security", "owasp", "logging", "sensitive-data", "pii", "credentials", "data-exposure"],
538
+ "strategy": {
539
+ "preferred": "heuristic",
540
+ "fallbacks": ["heuristic"],
541
+ "accuracy": {
542
+ "heuristic": 90
543
+ }
544
+ },
545
+ "engineMappings": {
546
+ "heuristic": ["rules/security/S004_sensitive_data_logging/analyzer.js"]
547
+ },
548
+ "metadata": {
549
+ "owaspCategory": "A09:2021 - Security Logging and Monitoring Failures",
550
+ "cweId": "CWE-532",
551
+ "frameworks": ["Express", "NestJS", "Next.js", "Nuxt.js", "Spring Boot", "Winston", "Pino", "Bunyan"],
552
+ "detectionPatterns": 90,
553
+ "testCases": 45
554
+ }
509
555
  },
510
556
  "S005": {
511
557
  "name": "No Origin Header Authentication",
@@ -636,16 +682,34 @@
636
682
  "tags": ["security", "uuid", "random"]
637
683
  },
638
684
  "S012": {
639
- "name": "No Hardcoded Secrets",
640
- "description": "Prevent hardcoded secrets in source code",
685
+ "name": "Hardcoded Secrets Protection",
686
+ "description": "Detects hardcoded secrets, API keys, passwords, tokens, and credentials in source code to prevent accidental exposure through version control",
641
687
  "category": "security",
642
688
  "severity": "error",
643
689
  "languages": ["typescript", "javascript"],
644
- "analyzer": "eslint",
645
- "eslintRule": "custom/typescript_s012",
690
+ "analyzer": "./rules/security/S012_hardcoded_secrets/analyzer.js",
691
+ "config": "./rules/security/S012_hardcoded_secrets/config.json",
646
692
  "version": "1.0.0",
647
693
  "status": "stable",
648
- "tags": ["security", "secrets", "hardcoded"]
694
+ "tags": ["security", "owasp", "secrets", "credentials", "cryptographic-failures", "hardcoded-secrets", "api-keys", "passwords", "tokens"],
695
+ "strategy": {
696
+ "preferred": "heuristic",
697
+ "fallbacks": ["heuristic"],
698
+ "accuracy": {
699
+ "heuristic": 92
700
+ }
701
+ },
702
+ "engineMappings": {
703
+ "heuristic": ["rules/security/S012_hardcoded_secrets/analyzer.js"]
704
+ },
705
+ "metadata": {
706
+ "owaspCategory": "A02:2021 - Cryptographic Failures",
707
+ "cweId": "CWE-798",
708
+ "frameworks": ["Node.js", "Express", "NestJS", "Next.js", "React", "Vue", "Angular"],
709
+ "secretTypes": ["API Keys", "Passwords", "Access Tokens", "Private Keys", "JWT Secrets", "Database Credentials", "OAuth Secrets", "AWS Keys", "GitHub Tokens", "Slack Tokens"],
710
+ "detectionPatterns": 50,
711
+ "testCases": 30
712
+ }
649
713
  },
650
714
  "S013": {
651
715
  "name": "Verify TLS Connection",
@@ -736,16 +800,34 @@
736
800
  "tags": ["security", "validation", "input"]
737
801
  },
738
802
  "S019": {
739
- "name": "No Raw User Input in Email",
740
- "description": "Prevent raw user input in email content",
803
+ "name": "SMTP Injection Protection",
804
+ "description": "Detects potential SMTP/IMAP injection vulnerabilities by identifying unsanitized user input in email fields and direct SMTP protocol manipulation",
741
805
  "category": "security",
742
806
  "severity": "error",
743
807
  "languages": ["typescript", "javascript"],
744
- "analyzer": "eslint",
745
- "eslintRule": "custom/typescript_s019",
808
+ "analyzer": "./rules/security/S019_smtp_injection_protection/analyzer.js",
809
+ "config": "./rules/security/S019_smtp_injection_protection/config.json",
746
810
  "version": "1.0.0",
747
811
  "status": "stable",
748
- "tags": ["security", "email", "injection"]
812
+ "tags": ["security", "owasp", "injection", "smtp", "email", "crlf"],
813
+ "strategy": {
814
+ "preferred": "heuristic",
815
+ "fallbacks": ["heuristic"],
816
+ "accuracy": {
817
+ "heuristic": 90
818
+ }
819
+ },
820
+ "engineMappings": {
821
+ "heuristic": ["rules/security/S019_smtp_injection_protection/analyzer.js"]
822
+ },
823
+ "metadata": {
824
+ "owaspCategory": "A03:2021 - Injection",
825
+ "cweId": "CWE-93, CWE-144",
826
+ "frameworks": ["Node.js", "Express", "NestJS", "Next.js"],
827
+ "emailLibraries": ["nodemailer", "sendgrid", "mailgun", "aws-ses", "postmark"],
828
+ "detectionTypes": ["Unsanitized email fields", "SMTP command injection", "CRLF injection"],
829
+ "testCases": 40
830
+ }
749
831
  },
750
832
  "S020": {
751
833
  "name": "Avoid using eval() or executing dynamic code",
@@ -1156,7 +1238,8 @@
1156
1238
  "category": "security",
1157
1239
  "severity": "error",
1158
1240
  "languages": ["typescript", "javascript"],
1159
- "analyzer": "eslint",
1241
+ "analyzer": "./rules/security/S042_require_re_authentication_for_long_lived/analyzer.js",
1242
+ "config": "./rules/security/S042_require_re_authentication_for_long_lived/config.json",
1160
1243
  "eslintRule": "custom/typescript_s042",
1161
1244
  "version": "1.0.0",
1162
1245
  "status": "stable",
@@ -1168,7 +1251,8 @@
1168
1251
  "category": "security",
1169
1252
  "severity": "error",
1170
1253
  "languages": ["typescript", "javascript"],
1171
- "analyzer": "eslint",
1254
+ "analyzer": "./rules/security/S043_password_changes_invalidate_all_sessions/analyzer.js",
1255
+ "config": "./rules/security/S043_password_changes_invalidate_all_sessions/config.json",
1172
1256
  "eslintRule": "custom/typescript_s043",
1173
1257
  "version": "1.0.0",
1174
1258
  "status": "stable",
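Review bot: The S042 and S043 entries (the hunks at old lines 1156 and 1168) switch `"analyzer"` to a local path but keep `"eslintRule": "custom/typescript_s042"` and `"eslintRule": "custom/typescript_s043"`, whereas the S003, S012 and S019 entries in the earlier hunks drop `eslintRule` when making the same switch. If the loader still consults `eslintRule` whenever it is present, these two rules may be dispatched to an ESLint rule that no longer matches the registered analyzer; either remove the two `eslintRule` lines or confirm the key is ignored once `analyzer` is a path. Those two entries also lack the `strategy` and `engineMappings` blocks the other new entries carry, so a heuristic-engine lookup for S042/S043 presumably has nothing to resolve to. Separately, the S019 entry's `"cweId": "CWE-93, CWE-144"` packs two identifiers into a field that holds a single id everywhere else in this file; an array such as `"cweId": ["CWE-93", "CWE-144"]` would be safer for any consumer that matches or reports on it.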
@@ -3569,8 +3569,8 @@
3569
3569
  "languages": [
3570
3570
  "All languages"
3571
3571
  ],
3572
- "version": "1.0",
3573
- "status": "activated",
3572
+ "version": "1.1",
3573
+ "status": "draft",
3574
3574
  "tags": [
3575
3575
  "Common",
3576
3576
  "readability",
@@ -3596,8 +3596,8 @@
3596
3596
  "languages": [
3597
3597
  "All languages"
3598
3598
  ],
3599
- "version": "1.0",
3600
- "status": "activated",
3599
+ "version": "1.1",
3600
+ "status": "draft",
3601
3601
  "tags": [
3602
3602
  "Common",
3603
3603
  "readability",
@@ -3755,8 +3755,8 @@
3755
3755
  "languages": [
3756
3756
  "All languages"
3757
3757
  ],
3758
- "version": "1.0",
3759
- "status": "activated",
3758
+ "version": "1.1",
3759
+ "status": "draft",
3760
3760
  "tags": [
3761
3761
  "Common",
3762
3762
  "readability",
@@ -4029,8 +4029,8 @@
4029
4029
  "languages": [
4030
4030
  "All languages"
4031
4031
  ],
4032
- "version": "1.0",
4033
- "status": "activated",
4032
+ "version": "1.1",
4033
+ "status": "draft",
4034
4034
  "tags": [
4035
4035
  "Common",
4036
4036
  "readability",
@@ -4107,8 +4107,8 @@
4107
4107
  "languages": [
4108
4108
  "All languages"
4109
4109
  ],
4110
- "version": "1.0",
4111
- "status": "activated",
4110
+ "version": "1.1",
4111
+ "status": "draft",
4112
4112
  "tags": [
4113
4113
  "Common",
4114
4114
  "readability",
@@ -4194,8 +4194,8 @@
4194
4194
  "languages": [
4195
4195
  "All languages"
4196
4196
  ],
4197
- "version": "1.0.0",
4198
- "status": "draft",
4197
+ "version": "1.1",
4198
+ "status": "activated",
4199
4199
  "tags": [
4200
4200
  "Common",
4201
4201
  "readability",
@@ -4583,8 +4583,8 @@
4583
4583
  "languages": [
4584
4584
  "All languages"
4585
4585
  ],
4586
- "version": "1.0.0",
4587
- "status": "draft",
4586
+ "version": "1.1",
4587
+ "status": "activated",
4588
4588
  "tags": [
4589
4589
  "Common",
4590
4590
  "readability",
@@ -4638,8 +4638,8 @@
4638
4638
  "languages": [
4639
4639
  "All languages"
4640
4640
  ],
4641
- "version": "1.0",
4642
- "status": "activated",
4641
+ "version": "1.1",
4642
+ "status": "draft",
4643
4643
  "tags": [
4644
4644
  "Common",
4645
4645
  "readability",
@@ -4721,8 +4721,8 @@
4721
4721
  "languages": [
4722
4722
  "All languages"
4723
4723
  ],
4724
- "version": "1.0",
4725
- "status": "activated",
4724
+ "version": "1.1",
4725
+ "status": "draft",
4726
4726
  "tags": [
4727
4727
  "Common",
4728
4728
  "readability",
@@ -4802,8 +4802,8 @@
4802
4802
  "languages": [
4803
4803
  "All languages"
4804
4804
  ],
4805
- "version": "1.0",
4806
- "status": "activated",
4805
+ "version": "1.1",
4806
+ "status": "draft",
4807
4807
  "tags": [
4808
4808
  "Common",
4809
4809
  "readability",
@@ -5147,8 +5147,8 @@
5147
5147
  "languages": [
5148
5148
  "All languages"
5149
5149
  ],
5150
- "version": "1.0",
5151
- "status": "activated",
5150
+ "version": "1.1",
5151
+ "status": "draft",
5152
5152
  "tags": [
5153
5153
  "Common",
5154
5154
  "readability",