@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S031_secure_session_cookies/regex-based-analyzer.js

@@ -58,6 +58,21 @@ class S031RegexBasedAnalyzer {
     }
   }
 
+  /**
+   * Check if file should be skipped (test files)
+   */
+  shouldSkipFile(filePath) {
+    const testPatterns = [
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+      /\/fixtures?\//,
+    ];
+    return testPatterns.some((pattern) => pattern.test(filePath));
+  }
+
   /**
    * Analyze file content using regex patterns
 
@@ -67,6 +82,14 @@ class S031RegexBasedAnalyzer {
       console.log(`🔍 [S031] Regex-based analysis for: ${filePath}`);
     }
 
+    // Skip test files
+    if (this.shouldSkipFile(filePath)) {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`⏭ [S031] Skipping test file: ${filePath}`);
+      }
+      return [];
+    }
+
     let content;
     try {
       content = fs.readFileSync(filePath, "utf8");
@@ -85,6 +108,9 @@ class S031RegexBasedAnalyzer {
       this.checkPattern(pattern, content, lines, violations, filePath);
     }
 
+    // Check for custom cookie utilities (e.g., StorageUtils.setCookie)
+    this.checkCustomCookieUtilities(content, lines, violations, filePath);
+
     return violations;
   }
 
@@ -191,6 +217,80 @@ class S031RegexBasedAnalyzer {
       severity: "error",
     });
   }
+
+  /**
+   * Check for custom cookie utility functions with variable names
+   * Handles cases like: StorageUtils.setCookie(STORAGE_KEY.ACCESS_TOKEN, value)
+   */
+  checkCustomCookieUtilities(content, lines, violations, filePath) {
+    // Pattern to match custom cookie utilities with variable references
+    // Matches: Utils.setCookie(VARIABLE_NAME, value) or Utils.setCookie(VARIABLE_NAME, value, options)
+    const customCookiePattern = /(\w+\.setCookie)\s*\(\s*([A-Z_][A-Z0-9_.]*)\s*,\s*([^,)]+)(?:\s*,\s*([^)]*))?\s*\)/gi;
+
+    let match;
+    customCookiePattern.lastIndex = 0;
+
+    while ((match = customCookiePattern.exec(content)) !== null) {
+      const methodCall = match[1]; // e.g., "StorageUtils.setCookie"
+      const cookieNameVar = match[2]; // e.g., "STORAGE_KEY.ACCESS_TOKEN"
+      const cookieValue = match[3]; // e.g., "response.user?.access_token || ''"
+      const cookieOptions = match[4] || ""; // e.g., options object if present
+      const matchText = match[0];
+
+      // Check if this looks like a session cookie based on variable name or value
+      if (!this.isSessionCookieLikely(cookieNameVar, cookieValue, matchText)) {
+        continue;
+      }
+
+      // Check if secure flag is present in options
+      if (!this.hasSecureFlag(cookieOptions, matchText)) {
+        const lineNumber = this.getLineNumber(content, match.index);
+
+        // Extract a friendly cookie name from the variable
+        const friendlyCookieName = this.extractFriendlyCookieName(cookieNameVar);
+
+        this.addViolation(
+          matchText,
+          lineNumber,
+          violations,
+          `Session cookie from "${friendlyCookieName}" missing Secure flag - add secure flag to options`
+        );
+      }
+    }
+  }
+
+  /**
+   * Check if cookie variable name or value suggests it's a session cookie
+   */
+  isSessionCookieLikely(varName, value, matchText) {
+    const textToCheck = (varName + " " + value + " " + matchText).toLowerCase();
+
+    // Check against session indicators
+    const isSession = this.sessionIndicators.some((indicator) =>
+      textToCheck.includes(indicator.toLowerCase())
+    );
+
+    // Also check for common patterns like ACCESS_TOKEN, REFRESH_TOKEN, etc.
+    const tokenPatterns = [
+      /access[_-]?token/i,
+      /refresh[_-]?token/i,
+      /auth[_-]?token/i,
+      /id[_-]?token/i,
+      /session/i,
+    ];
+
+    return isSession || tokenPatterns.some(pattern => pattern.test(textToCheck));
+  }
+
+  /**
+   * Extract a friendly cookie name from variable reference
+   * e.g., "STORAGE_KEY.ACCESS_TOKEN" -> "ACCESS_TOKEN"
+   */
+  extractFriendlyCookieName(varName) {
+    // If it has a dot, take the last part
+    const parts = varName.split(".");
+    return parts[parts.length - 1] || varName;
+  }
 }
 
 module.exports = S031RegexBasedAnalyzer;

package/rules/security/S031_secure_session_cookies/symbol-based-analyzer.js

@@ -31,7 +31,7 @@ class S031SymbolBasedAnalyzer {
     this.cookieMethods = [
       "setCookie",
       "cookie",
-      "set",
+      // Note: "set" removed - too generic, matches localStorage.set(), Map.set(), etc.
       "append",
       "session",
       "setHeader",
@@ -693,6 +693,13 @@ class S031SymbolBasedAnalyzer {
       if (ts.isIdentifier(firstArg)) {
         return firstArg.text;
       }
+      // Handle PropertyAccessExpression like STORAGE_KEY.ACCESS_TOKEN
+      if (ts.isPropertyAccessExpression(firstArg)) {
+        const fullText = firstArg.getText();
+        // Extract the last part (e.g., "ACCESS_TOKEN" from "STORAGE_KEY.ACCESS_TOKEN")
+        const parts = fullText.split('.');
+        return parts[parts.length - 1] || fullText;
+      }
     }
     return null;
   }

package/rules/security/S032_httponly_session_cookies/analyzer.js

@@ -246,9 +246,9 @@ class S032Analyzer {
   extractCookieName(message) {
     try {
       const match = message.match(
-        /Session cookie "([^"]+)"|useCookie "([^"]+)"|Cookie "([^"]+)"/
+        /Session cookie "([^"]+)"|Session cookie from "([^"]+)"|useCookie "([^"]+)"|Cookie "([^"]+)"/
       );
-      return match ? match[1] || match[2] || match[3] : "";
+      return match ? match[1] || match[2] || match[3] || match[4] : "";
     } catch (error) {
       return "";
     }

package/rules/security/S032_httponly_session_cookies/regex-based-analyzer.js

@@ -104,6 +104,21 @@ class S032RegexBasedAnalyzer {
     }
   }
 
+  /**
+   * Check if file should be skipped (test files)
+   */
+  shouldSkipFile(filePath) {
+    const testPatterns = [
+      /\.test\.(ts|tsx|js|jsx)$/,
+      /\.spec\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+      /\/fixtures?\//,
+    ];
+    return testPatterns.some((pattern) => pattern.test(filePath));
+  }
+
   /**
    * Main analysis method
    */
@@ -112,6 +127,14 @@ class S032RegexBasedAnalyzer {
       console.log(`🔍 [S032] Regex-based analysis for: ${filePath}`);
     }
 
+    // Skip test files
+    if (this.shouldSkipFile(filePath)) {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`⏭ [S032] Skipping test file: ${filePath}`);
+      }
+      return [];
+    }
+
     const violations = [];
     const violationMap = new Map(); // Deduplication map
 
@@ -135,6 +158,9 @@ class S032RegexBasedAnalyzer {
         );
       }
 
+      // Check for custom cookie utilities (e.g., StorageUtils.setCookie)
+      this.checkCustomCookieUtilities(content, lines, violations, filePath);
+
       // Check for session middleware without cookie config
       // This method is now mainly handled by checkPattern, but keep for edge cases
     } catch (error) {
@@ -710,6 +736,95 @@ class S032RegexBasedAnalyzer {
 
     return hasHttpOnly;
   }
+
+  /**
+   * Check for custom cookie utility functions with variable names
+   * Handles cases like: StorageUtils.setCookie(STORAGE_KEY.ACCESS_TOKEN, value)
+   */
+  checkCustomCookieUtilities(content, lines, violations, filePath) {
+    // Pattern to match custom cookie utilities with variable references
+    // Matches: Utils.setCookie(VARIABLE_NAME, value) or Utils.setCookie(VARIABLE_NAME, value, options)
+    const customCookiePattern = /(\w+\.setCookie)\s*\(\s*([A-Z_][A-Z0-9_.]*)\s*,\s*([^,)]+)(?:\s*,\s*([^)]*))?\s*\)/gi;
+
+    let match;
+    customCookiePattern.lastIndex = 0;
+
+    while ((match = customCookiePattern.exec(content)) !== null) {
+      const methodCall = match[1]; // e.g., "StorageUtils.setCookie"
+      const cookieNameVar = match[2]; // e.g., "STORAGE_KEY.ACCESS_TOKEN"
+      const cookieValue = match[3]; // e.g., "response.user?.access_token || ''"
+      const cookieOptions = match[4] || ""; // e.g., options object if present
+      const matchText = match[0];
+
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(
+          `🔍 [S032] Custom cookie utility: ${methodCall}(${cookieNameVar}, ...)`
+        );
+      }
+
+      // Check if this looks like a session cookie based on variable name or value
+      if (!this.isSessionCookieLikely(cookieNameVar, cookieValue, matchText)) {
+        continue;
+      }
+
+      // Check if httpOnly flag is present in options
+      if (!this.hasHttpOnlyFlag(cookieOptions)) {
+        const lineNumber = this.getLineNumber(content, match.index);
+
+        // Extract a friendly cookie name from the variable
+        const friendlyCookieName = this.extractFriendlyCookieName(cookieNameVar);
+
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(
+            `🔍 [S032] ⚠️ VIOLATION: Custom cookie "${friendlyCookieName}" missing httpOnly at line ${lineNumber}`
+          );
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          source: filePath,
+          category: this.category,
+          line: lineNumber,
+          column: 1,
+          message: `Insecure session cookie: Session cookie from "${friendlyCookieName}" missing HttpOnly attribute - add httpOnly flag to options`,
+          severity: "error",
+        });
+      }
+    }
+  }
+
+  /**
+   * Check if cookie variable name or value suggests it's a session cookie
+   */
+  isSessionCookieLikely(varName, value, matchText) {
+    const textToCheck = (varName + " " + value + " " + matchText).toLowerCase();
+
+    // Check against session indicators
+    const isSession = this.sessionIndicators.some((indicator) =>
+      textToCheck.includes(indicator.toLowerCase())
+    );
+
+    // Also check for common patterns like ACCESS_TOKEN, REFRESH_TOKEN, etc.
+    const tokenPatterns = [
+      /access[_-]?token/i,
+      /refresh[_-]?token/i,
+      /auth[_-]?token/i,
+      /id[_-]?token/i,
+      /session/i,
+    ];
+
+    return isSession || tokenPatterns.some(pattern => pattern.test(textToCheck));
+  }
+
+  /**
+   * Extract a friendly cookie name from variable reference
+   * e.g., "STORAGE_KEY.ACCESS_TOKEN" -> "ACCESS_TOKEN"
+   */
+  extractFriendlyCookieName(varName) {
+    // If it has a dot, take the last part
+    const parts = varName.split(".");
+    return parts[parts.length - 1] || varName;
+  }
 }
 
 module.exports = S032RegexBasedAnalyzer;

package/rules/security/S032_httponly_session_cookies/symbol-based-analyzer.js

@@ -50,7 +50,7 @@ class S032SymbolBasedAnalyzer {
     this.cookieMethods = [
       "setCookie",
       "cookie",
-      "set",
+      // Note: "set" removed - too generic, matches localStorage.set(), Map.set(), etc.
       "append",
       "session",
       "setHeader",
@@ -412,18 +412,37 @@ class S032SymbolBasedAnalyzer {
       if (args && args.length > 0) {
         const methodName = this.getMorphMethodName(callNode);
 
-        // Handle setCookie(event, "cookieName", "value", options) pattern
+        // Handle Nuxt3 setCookie(event, "cookieName", "value", options) pattern
+        // Check if first argument looks like an event object (not a cookie name)
         if (methodName === "setCookie" && args.length >= 2) {
-          const secondArg = args[1]; // Cookie name is second argument
-          if (secondArg && secondArg.getText) {
-            const text = secondArg.getText();
-            return text.replace(/['"]/g, ""); // Remove quotes
+          const firstArg = args[0];
+          const firstArgText = firstArg.getText ? firstArg.getText() : "";
+
+          // If first arg looks like an event (contains 'event', 'req', 'context'),
+          // then cookie name is second arg (Nuxt3 pattern)
+          if (firstArgText.match(/\bevent\b|\.event\b|\breq\b|\bcontext\b/i)) {
+            const secondArg = args[1]; // Cookie name is second argument
+            if (secondArg && secondArg.getText) {
+              const text = secondArg.getText();
+              return text.replace(/['"]/g, ""); // Remove quotes
+            }
           }
         }
 
         // Handle standard cookie methods (cookieName is first argument)
+        // This includes: StorageUtils.setCookie(COOKIE_NAME, value)
         const firstArg = args[0];
         if (firstArg && firstArg.getText) {
+          const kind = firstArg.getKindName();
+
+          // Handle PropertyAccessExpression like STORAGE_KEY.ACCESS_TOKEN
+          if (kind === "PropertyAccessExpression") {
+            const fullText = firstArg.getText();
+            const parts = fullText.split('.');
+            return parts[parts.length - 1] || fullText;
+          }
+
+          // Handle Identifier or StringLiteral
           const text = firstArg.getText();
           return text.replace(/['"]/g, ""); // Remove quotes
         }
@@ -707,7 +726,7 @@ class S032SymbolBasedAnalyzer {
       const lineAndChar = sourceFile.getLineAndColumnAtPos(start);
 
       violations.push({
-        rule: this.ruleId,
+        ruleId: this.ruleId,
         source: sourceFile.getFilePath(),
         category: this.category,
         line: lineAndChar.line,
@@ -718,7 +737,7 @@ class S032SymbolBasedAnalyzer {
     } catch (error) {
       // Fallback violation without line/column info
       violations.push({
-        rule: this.ruleId,
+        ruleId: this.ruleId,
         source: sourceFile.getFilePath ? sourceFile.getFilePath() : "unknown",
         category: this.category,
         line: 1,
@@ -1022,6 +1041,16 @@ class S032SymbolBasedAnalyzer {
         if (firstArg && ts.isStringLiteral(firstArg)) {
           return firstArg.text;
         }
+        if (ts.isIdentifier(firstArg)) {
+          return firstArg.text;
+        }
+        // Handle PropertyAccessExpression like STORAGE_KEY.ACCESS_TOKEN
+        if (ts.isPropertyAccessExpression(firstArg)) {
+          const fullText = firstArg.getText();
+          // Extract the last part (e.g., "ACCESS_TOKEN" from "STORAGE_KEY.ACCESS_TOKEN")
+          const parts = fullText.split('.');
+          return parts[parts.length - 1] || fullText;
+        }
       }
     } catch (error) {
       if (process.env.SUNLINT_DEBUG) {
@@ -1242,7 +1271,7 @@ class S032SymbolBasedAnalyzer {
       );
 
       violations.push({
-        rule: this.ruleId,
+        ruleId: this.ruleId,
         source: sourceFile.fileName,
         category: this.category,
         line: start.line + 1,
@@ -1253,7 +1282,7 @@ class S032SymbolBasedAnalyzer {
     } catch (error) {
       // Fallback violation
       violations.push({
-        rule: this.ruleId,
+        ruleId: this.ruleId,
         source: sourceFile.fileName || "unknown",
         category: this.category,
         line: 1,

package/rules/security/S036_lfi_rfi_protection/analyzer.js

@@ -0,0 +1,224 @@
+const fs = require('fs');
+
+class S036Analyzer {
+  constructor() {
+    this.ruleId = 'S036';
+    this.ruleName = 'LFI/RFI Protection';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      // Skip test files
+      if (this.isTestFile(filePath)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.warn(`S036: Error analyzing ${filePath}:`, error.message);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.test\.(ts|tsx|js|jsx|php|py)$/,
+      /\.spec\.(ts|tsx|js|jsx|php|py)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\/tests?\//,
+    ];
+    return testPatterns.some(p => p.test(filePath));
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split(/\r?\n/);
+
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmed = line.trim();
+
+      // Skip comments
+      if (trimmed.startsWith('//') || trimmed.startsWith('#') || trimmed.startsWith('/*')) {
+        return;
+      }
+
+      // Check for unsafe file operations
+      violations.push(...this.checkUnsafeFileOperations(line, lineNumber, filePath));
+
+      // Check for path traversal
+      violations.push(...this.checkPathTraversal(line, lineNumber, filePath));
+
+      // Check for remote file inclusion
+      violations.push(...this.checkRemoteFileInclusion(line, lineNumber, filePath));
+    });
+
+    return violations;
+  }
+
+  checkUnsafeFileOperations(line, lineNumber, filePath) {
+    const violations = [];
+
+    // Unsafe file read/include patterns with user input
+    const unsafePatterns = [
+      // JavaScript/TypeScript
+      {
+        pattern: /(?:fs\.readFileSync|fs\.readFile|require|import)\s*\(\s*[^)]*(?:req\.|request\.|params\.|query\.|body\.)[^)]*\)/gi,
+        message: 'Unsafe file operation with user input - validate and use allowlist',
+      },
+      {
+        pattern: /(?:fs\.readFileSync|fs\.readFile|fs\.createReadStream)\s*\(\s*[`'"](.*?)(?:\$\{[^}]+\}|%s|%d)[^`'"]*[`'"]\s*\)/gi,
+        message: 'File path uses string interpolation with potential user input - validate path',
+      },
+
+      // PHP
+      {
+        pattern: /(?:include|require|include_once|require_once|fopen|file_get_contents|readfile)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)/gi,
+        message: 'PHP: Direct use of superglobal in file operation - extreme LFI/RFI risk',
+      },
+
+      // Python
+      {
+        pattern: /(?:open|exec|execfile|compile|__import__)\s*\(\s*(?:request\.|params\.|args\.|form\.)/gi,
+        message: 'Python: File operation with user input - validate and sanitize',
+      },
+    ];
+
+    unsafePatterns.forEach(({ pattern, message }) => {
+      if (pattern.test(line)) {
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: 1,
+          message: message,
+          severity: 2, // error
+          ruleId: this.ruleId,
+        });
+      }
+    });
+
+    return violations;
+  }
+
+  checkPathTraversal(line, lineNumber, filePath) {
+    const violations = [];
+
+    // Skip import/require statements - these are safe module imports
+    if (this.isImportStatement(line)) {
+      return violations;
+    }
+
+    // Only check path traversal in actual file operations
+    // Path traversal patterns in file operations
+    const traversalPatterns = [
+      {
+        // Path traversal in file operations
+        pattern: /(?:fs\.readFile|readFile|fopen|file_get_contents|open|sendFile|readFileSync|createReadStream)\s*\([^)]*\.\.\/[^)]*\)/gi,
+        message: 'Path traversal in file operation (../) - normalize and validate paths',
+      },
+      {
+        pattern: /(?:fs\.readFile|readFile|fopen|file_get_contents|open|sendFile|readFileSync|createReadStream)\s*\([^)]*\.\.\\[^)]*\)/gi,
+        message: 'Path traversal in file operation (..\\) - normalize and validate paths',
+      },
+      {
+        pattern: /(?:fs\.readFile|readFile|fopen|file_get_contents|open|sendFile|readFileSync|createReadStream)\s*\([^)]*\/etc\/passwd[^)]*\)/gi,
+        message: 'Suspicious file path (/etc/passwd) - potential LFI attempt',
+      },
+      {
+        pattern: /(?:fs\.readFile|readFile|fopen|file_get_contents|open|sendFile|readFileSync|createReadStream)\s*\([^)]*C:\\Windows\\system32[^)]*\)/gi,
+        message: 'Suspicious file path (Windows system32) - potential LFI attempt',
+      },
+    ];
+
+    traversalPatterns.forEach(({ pattern, message }) => {
+      const match = line.match(pattern);
+      if (match && !this.isSafeContext(line)) {
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: 1,
+          message: message,
+          severity: 2, // error
+          ruleId: this.ruleId,
+        });
+      }
+    });
+
+    return violations;
+  }
+
+  checkRemoteFileInclusion(line, lineNumber, filePath) {
+    const violations = [];
+
+    // Remote file inclusion patterns
+    const rfiPatterns = [
+      {
+        pattern: /(?:require|import|include|include_once|require_once)\s*\(\s*['"`]https?:\/\//gi,
+        message: 'Remote File Inclusion (RFI) detected - never include remote URLs',
+      },
+      {
+        pattern: /(?:fs\.readFile|file_get_contents|fopen|urllib\.request\.urlopen)\s*\(\s*[^)]*(?:http:\/\/|https:\/\/)[^)]*\)/gi,
+        message: 'Loading remote file content - validate URL allowlist',
+      },
+      {
+        pattern: /eval\s*\(\s*(?:fs\.readFileSync|file_get_contents|fetch|axios)\s*\(/gi,
+        message: 'Eval with file content - extreme code injection risk',
+      },
+    ];
+
+    rfiPatterns.forEach(({ pattern, message }) => {
+      if (pattern.test(line)) {
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: 1,
+          message: message,
+          severity: 2, // error
+          ruleId: this.ruleId,
+        });
+      }
+    });
+
+    return violations;
+  }
+
+  isImportStatement(line) {
+    // Check if this is an import/require statement (safe module imports)
+    const importPatterns = [
+      /^\s*import\s+/,
+      /^\s*export\s+.*from\s+/,
+      /^\s*const\s+.*=\s*require\s*\(/,
+      /^\s*let\s+.*=\s*require\s*\(/,
+      /^\s*var\s+.*=\s*require\s*\(/,
+      /^\s*import\s*\(/,  // dynamic import
+    ];
+
+    return importPatterns.some(p => p.test(line));
+  }
+
+  isSafeContext(line) {
+    // Check if line is in a safe context (e.g., configuration, constants)
+    const safePatterns = [
+      /const\s+[A-Z_]+\s*=/,  // Constants
+      /BASE_PATH|ROOT_DIR|PUBLIC_DIR|STATIC_DIR/,
+      /path\.join\s*\(\s*__dirname/,  // Relative to current dir
+      /\.resolve\s*\(/,  // path.resolve
+    ];
+
+    return safePatterns.some(p => p.test(line));
+  }
+
+  cleanup() {}
+}
+
+module.exports = S036Analyzer;

package/rules/security/S036_lfi_rfi_protection/config.json

@@ -0,0 +1,20 @@
+{
+  "id": "S036",
+  "name": "LFI and RFI Protection - Prevent Local and Remote File Inclusion",
+  "category": "security",
+  "description": "S036 - Prevent Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities by validating file paths and using allowlists.",
+  "severity": "error",
+  "enabled": true,
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx", "**/*.php", "**/*.py"],
+    "exclude": [
+      "**/*.test.*",
+      "**/*.spec.*",
+      "__tests__/**",
+      "__mocks__/**",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  }
+}