@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/common/C029_catch_block_logging/analyzer.js

@@ -215,14 +215,18 @@ class C029Analyzer {
     } else {
       // No logging found - check if there's valid error handling
       const hasErrorHandling = this.hasValidErrorHandling(block, exceptionVar);
-      
-      if (!hasErrorHandling && !this.isTestFile(filePath)) {
+
+      // Skip if underscore variable (intentional ignore) AND has error handling
+      const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+      const shouldSkip = (isIntentionallyIgnored && hasErrorHandling) || this.isTestFile(filePath);
+
+      if (!hasErrorHandling && !shouldSkip) {
         violations.push(this.createViolation(
           filePath,
           startLine,
           startColumn,
           'no_logging',
-          exceptionVar 
+          exceptionVar
             ? `Catch block does not log exception '${exceptionVar}'`
             : 'Catch block does not log exception',
           'Add console.error() or logger.error() with error details',
@@ -232,7 +236,10 @@ class C029Analyzer {
     }
 
     // STAGE 4: Check for unused exception variable
-    if (exceptionVar && !this.isExceptionUsed(block, exceptionVar) && !this.hasExplicitIgnoreComment(catchClause)) {
+    // Skip if variable name starts with underscore (conventional way to indicate intentional ignore)
+    const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+
+    if (exceptionVar && !isIntentionallyIgnored && !this.isExceptionUsed(block, exceptionVar) && !this.hasExplicitIgnoreComment(catchClause)) {
       violations.push(this.createViolation(
         filePath,
         startLine,
@@ -277,7 +284,8 @@ class C029Analyzer {
       usesExceptionVar: false,
       logLevels: [],
       hasStackTrace: false,
-      hasContextData: false
+      hasContextData: false,
+      loggingExpressions: [] // Track actual expressions used
     };
 
     // Find all call expressions
@@ -333,6 +341,9 @@ class C029Analyzer {
           arguments: argsText,
           line: call.getStartLineNumber()
         });
+
+        // Track expression for better error messages
+        loggingInfo.loggingExpressions.push(expressionText);
       }
     }
 
@@ -367,21 +378,32 @@ class C029Analyzer {
     const issues = [];
 
     // Issue 1: Using inappropriate log level (log/info/debug instead of error/warn)
-    const hasInappropriateLevel = loggingInfo.logLevels.some(level =>
-      this.config.inappropriateLevels.includes(level)
-    );
+    // BUT only for console.xxx, not for logger.xxx (custom loggers may have different semantics)
+    const hasInappropriateConsoleLevel = loggingInfo.calls.some(call => {
+      const isConsole = call.expression.startsWith('console.');
+      const isInappropriateLevel = this.config.inappropriateLevels.includes(call.level);
+      return isConsole && isInappropriateLevel;
+    });
+
+    if (hasInappropriateConsoleLevel && !this.isTestFile(filePath)) {
+      // Get only console calls with inappropriate levels
+      const consoleLevels = loggingInfo.calls
+        .filter(c => c.expression.startsWith('console.') && this.config.inappropriateLevels.includes(c.level))
+        .map(c => c.level);
 
-    if (hasInappropriateLevel && !this.isTestFile(filePath)) {
       issues.push({
         type: 'inappropriate_log_level',
-        message: `Catch block uses console.${loggingInfo.logLevels.join('/')} instead of console.error or console.warn`,
+        message: `Catch block uses console.${[...new Set(consoleLevels)].join('/')} instead of console.error or console.warn`,
         suggestion: 'Use console.error() or console.warn() for error logging in catch blocks',
         confidence: 0.75
       });
     }
 
     // Issue 2: Exception variable not included in logging
-    if (exceptionVar && !loggingInfo.usesExceptionVar) {
+    // Skip if variable is underscore (intentional ignore - developer explicitly doesn't want error details)
+    const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+
+    if (exceptionVar && !isIntentionallyIgnored && !loggingInfo.usesExceptionVar) {
       issues.push({
         type: 'exception_not_logged',
         message: `Exception variable '${exceptionVar}' is not included in logging`,
@@ -462,7 +484,20 @@ class C029Analyzer {
       /utils?\.log/i,
       /helpers?\.log/i,
       /ErrorUtils/,
-      /ErrorService/
+      /ErrorService/,
+      // UI Feedback patterns (toast, notification, alert, etc.)
+      /toast\.(error|failed|show|warning)\s*\(/,
+      /notification\.(error|show|warning)\s*\(/,
+      /message\.(error|show|warning)\s*\(/,
+      /alert\s*\(/,
+      /showError\s*\(/,
+      /showMessage\s*\(/,
+      // Fallback/recovery actions
+      /window\.open\s*\(/,
+      /window\.location/,
+      /navigate\s*\(/,
+      /redirect\s*\(/,
+      /router\.(push|replace)\s*\(/
     ];
 
     if (errorHandlerPatterns.some(pattern => pattern.test(text))) {

package/rules/common/C033_separate_service_repository/symbol-based-analyzer.js

@@ -768,32 +768,52 @@ class C033SymbolBasedAnalyzer {
   analyzeControllerFile(sourceFile, filePath) {
     const violations = [];
     const classes = sourceFile.getClasses();
-    
+
     for (const cls of classes) {
       const className = cls.getName() || 'UnnamedClass';
       const methods = cls.getMethods();
-      
+
       for (const method of methods) {
         const methodBody = method.getBodyText() || '';
-        
+
         // Controllers should not directly access database
         for (const operation of this.databaseOperations) {
-          const pattern = new RegExp(`\\b${operation}\\s*\\(`, 'i');
-          if (pattern.test(methodBody)) {
-            violations.push({
-              ruleId: this.ruleId,
-              severity: 'warning',
-              message: `Controller class '${className}' should not directly access database with '${operation}'. Use Service layer instead.`,
-              file: filePath,
-              line: method.getStartLineNumber(),
-              column: 1
-            });
-            break;
+          const operationPattern = new RegExp(`\\b${operation}\\s*\\(`, 'gi');
+          const matches = methodBody.matchAll(operationPattern);
+
+          for (const match of matches) {
+            const matchIndex = match.index;
+            const contextStart = Math.max(0, matchIndex - 50);
+            const context = methodBody.substring(contextStart, matchIndex);
+
+            // Check if this is a call through service (ALLOWED)
+            // Matches: this.xxxService.method(), this.xxxUseCase.method(), this.xxxHandler.method()
+            const serviceCallPattern = /this\.([\w]+Service|[\w]+UseCase|[\w]+Handler)\s*\.\s*$/i;
+            if (serviceCallPattern.test(context)) {
+              continue; // Skip - this is allowed
+            }
+
+            // Check if this is direct database call (VIOLATION)
+            // Matches: this.repository, this.userRepository, this.entityManager, this.xxxClient, etc.
+            const directDbCallPattern = /this\.([\w]*Repository|[\w]*Repo|dataSource|connection|entityManager|manager|database|db|[\w]*Client|prisma)\./i;
+            const globalDbCallPattern = /(getRepository|getConnection|getManager|createQueryBuilder)\s*\([^)]*\)\s*\.?[\w.]*$/i;
+
+            if (directDbCallPattern.test(context) || globalDbCallPattern.test(context)) {
+              violations.push({
+                ruleId: this.ruleId,
+                severity: 'warning',
+                message: `Controller class '${className}' should not directly access database with '${operation}'. Use Service layer instead.`,
+                file: filePath,
+                line: method.getStartLineNumber(),
+                column: 1
+              });
+              break;
+            }
           }
         }
       }
     }
-    
+
     return violations;
   }
 }

package/rules/common/C041_no_sensitive_hardcode/symbol-based-analyzer.js

@@ -65,14 +65,19 @@ class C041SymbolBasedAnalyzer {
       /secret/i,
       /password/i,
       /passwd/i,
-      /pass/i,
+      /\bpass\b/i,
       /token/i,
-      /auth/i,
-      /credential/i,
+      /\b(jwt|bearer)_?token/i,
+      /\b(session|csrf)_?token/i,
+      /\boauth/i,                   // OAuth tokens/creds
+      /\bauth(_?(key|token|secret|code))\b/i,  // auth+credential
+      /\bcredential/i,
       /private[_-]?key/i,
       /access[_-]?key/i,
       /client[_-]?secret/i,
-      /encryption[_-]?key/i
+      /encryption[_-]?key/i,
+      /signing[_-]?key/i,
+      /webhook[_-]?secret/i
     ];
 
     // === Safe patterns to exclude (env vars, config imports) ===
@@ -365,7 +370,6 @@ class C041SymbolBasedAnalyzer {
       }
 
       const isSensitiveName = this.sensitiveVariableNames.some(pattern => pattern.test(name));
-
       if (isSensitiveName) {
         const initText = initializer.getText();
 

package/rules/security/S003_open_redirect_protection/README.md

@@ -0,0 +1,371 @@
+# S003 - Open Redirect Protection
+
+## Overview
+
+Quy tắc này phát hiện lỗ hổng Open Redirect - nơi ứng dụng chuyển hướng người dùng đến URL được cung cấp từ đầu vào mà không xác thực. Kẻ tấn công có thể lợi dụng để chuyển hướng nạn nhân đến trang độc hại (phishing, malware) thông qua link có vẻ hợp lệ.
+
+## OWASP Classification
+
+- **Category**: A03:2021 - Injection
+- **CWE**: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
+- **Severity**: Warning
+- **Impact**: Medium (Phishing attacks, credential theft, malware distribution)
+
+## Vấn đề
+
+Khi ứng dụng chuyển hướng người dùng đến URL từ đầu vào mà không xác thực:
+
+1. **Phishing attacks**: Kẻ tấn công có thể tạo link hợp lệ dẫn đến trang giả mạo
+2. **Credential theft**: Người dùng tin tưởng domain gốc và nhập thông tin nhạy cảm
+3. **Malware distribution**: Chuyển hướng đến trang chứa malware
+4. **Bypass security controls**: Vượt qua whitelist/blacklist dựa trên domain
+
+## Các trường hợp vi phạm
+
+### 1. Redirect trực tiếp từ query parameter
+
+```javascript
+// ❌ Vi phạm - Redirect trực tiếp không kiểm tra
+app.get('/redirect', (req, res) => {
+  const url = req.query.url;
+  res.redirect(url); // Nguy hiểm!
+});
+
+// ❌ Vi phạm - Express redirect
+router.get('/goto', (req, res) => {
+  res.redirect(req.query.redirect_url);
+});
+
+// ❌ Vi phạm - Location header
+app.get('/forward', (req, res) => {
+  res.setHeader('Location', req.query.next);
+  res.status(302).send();
+});
+```
+
+### 2. Client-side redirect không validate
+
+```javascript
+// ❌ Vi phạm - window.location redirect
+const redirectUrl = new URLSearchParams(window.location.search).get('redirect');
+window.location = redirectUrl;
+
+// ❌ Vi phạm - window.location.href
+const next = getQueryParam('next');
+window.location.href = next;
+
+// ❌ Vi phạm - window.location.replace
+window.location.replace(req.params.url);
+```
+
+### 3. NestJS redirects
+
+```typescript
+// ❌ Vi phạm - NestJS @Redirect decorator
+@Controller('redirect')
+export class RedirectController {
+  @Get()
+  @Redirect()
+  redirect(@Query('url') url: string) {
+    return { url }; // Nguy hiểm!
+  }
+}
+
+// ❌ Vi phạm - NestJS res.redirect
+@Get()
+goto(@Query('target') target: string, @Res() res: Response) {
+  res.redirect(target);
+}
+```
+
+### 4. Next.js redirects (App Router)
+
+```typescript
+// ❌ Vi phạm - Next.js redirect
+import { redirect } from 'next/navigation';
+
+export default async function Page({ searchParams }) {
+  redirect(searchParams.url); // Nguy hiểm!
+}
+
+// ❌ Vi phạm - Next.js permanentRedirect
+import { permanentRedirect } from 'next/navigation';
+
+export default function RedirectPage({ searchParams }) {
+  permanentRedirect(searchParams.target);
+}
+
+// ❌ Vi phạm - Next.js router.push
+'use client';
+export default function ClientRedirect() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+
+  const url = searchParams.get('url');
+  router.push(url); // Nguy hiểm!
+}
+```
+
+### 5. Nuxt.js redirects
+
+```typescript
+// ❌ Vi phạm - Nuxt.js navigateTo
+export default defineComponent({
+  setup() {
+    const route = useRoute();
+    const url = route.query.url;
+    navigateTo(url); // Nguy hiểm!
+  }
+});
+
+// ❌ Vi phạm - Nuxt.js sendRedirect
+export default defineEventHandler((event) => {
+  const { url } = getQuery(event);
+  return sendRedirect(event, url);
+});
+```
+
+### 6. Spring Boot/Java redirects
+
+```java
+// ❌ Vi phạm - Spring RedirectView
+@GetMapping("/redirect")
+public RedirectView redirect(@RequestParam String url) {
+    return new RedirectView(url);
+}
+
+// ❌ Vi phạm - sendRedirect
+@GetMapping("/forward")
+public void forward(@RequestParam String target, HttpServletResponse response) {
+    response.sendRedirect(target);
+}
+```
+
+## Giải pháp an toàn
+
+### 1. Sử dụng Allow List (Whitelist)
+
+```javascript
+// ✅ An toàn - Allow list
+const ALLOWED_DOMAINS = [
+  'https://example.com',
+  'https://app.example.com'
+];
+
+app.get('/redirect', (req, res) => {
+  const url = req.query.url;
+  if (!ALLOWED_DOMAINS.includes(url)) {
+    return res.status(400).send('Invalid redirect URL');
+  }
+  res.redirect(url);
+});
+
+// ✅ An toàn - Domain validation
+function isAllowedUrl(urlString) {
+  try {
+    const url = new URL(urlString);
+    const allowedHosts = ['example.com', 'app.example.com'];
+    return allowedHosts.includes(url.hostname);
+  } catch (e) {
+    return false;
+  }
+}
+```
+
+### 2. Relative URL only
+
+```javascript
+// ✅ An toàn - Chỉ cho phép relative URLs
+function isRelativeUrl(url) {
+  return url && url.startsWith('/') && !url.startsWith('//');
+}
+
+app.get('/redirect', (req, res) => {
+  const path = req.query.next;
+  if (!isRelativeUrl(path)) {
+    return res.status(400).send('Only relative URLs allowed');
+  }
+  res.redirect(path);
+});
+```
+
+### 3. Indirect redirect mapping
+
+```javascript
+// ✅ An toàn - Mapping key
+const REDIRECT_MAP = {
+  'home': '/',
+  'dashboard': '/dashboard',
+  'profile': '/user/profile'
+};
+
+app.get('/redirect', (req, res) => {
+  const key = req.query.destination;
+  const url = REDIRECT_MAP[key];
+  if (!url) {
+    return res.status(400).send('Invalid destination');
+  }
+  res.redirect(url);
+});
+```
+
+### 4. Framework-specific solutions
+
+#### NestJS
+```typescript
+// ✅ An toàn - NestJS với DTO validation
+import { IsIn } from 'class-validator';
+
+class RedirectDto {
+  @IsIn(['home', 'dashboard', 'profile'])
+  destination: string;
+}
+
+@Controller('redirect')
+export class SafeController {
+  @Get()
+  redirect(@Query() query: RedirectDto) {
+    const urlMap = {
+      home: '/',
+      dashboard: '/dashboard',
+      profile: '/profile'
+    };
+    return { url: urlMap[query.destination] }; // Safe
+  }
+}
+
+// ✅ An toàn - NestJS với custom validation
+@Controller('goto')
+export class ValidatedController {
+  private readonly allowedUrls = ['https://example.com'];
+
+  @Get()
+  goto(@Query('url') url: string, @Res() res: Response) {
+    if (this.allowedUrls.includes(url)) {
+      res.redirect(url); // Safe
+    } else {
+      throw new BadRequestException('Invalid URL');
+    }
+  }
+}
+```
+
+#### Next.js (App Router)
+```typescript
+// ✅ An toàn - Next.js với allowlist
+const ALLOWED_PATHS = ['/home', '/dashboard', '/profile'];
+
+export default function SafeRedirect({ searchParams }) {
+  const path = searchParams.path;
+
+  if (ALLOWED_PATHS.includes(path)) {
+    redirect(path); // Safe
+  } else {
+    redirect('/'); // Safe default
+  }
+}
+
+// ✅ An toàn - Next.js với mapping
+const REDIRECT_MAP = {
+  'success': '/success',
+  'error': '/error'
+};
+
+export default function MappedRedirect({ searchParams }) {
+  const key = searchParams.destination;
+  redirect(REDIRECT_MAP[key] || '/'); // Safe
+}
+
+// ✅ An toàn - Next.js router với validation
+'use client';
+export default function SafeClientRedirect() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+
+  const handleRedirect = () => {
+    const path = searchParams.get('path');
+    const safePaths = ['/home', '/about'];
+
+    if (safePaths.includes(path)) {
+      router.push(path); // Safe
+    }
+  };
+}
+```
+
+#### Nuxt.js
+```typescript
+// ✅ An toàn - Nuxt.js với validation
+const ALLOWED_PATHS = ['/home', '/dashboard'];
+
+export default defineEventHandler((event) => {
+  const { path } = getQuery(event);
+
+  if (ALLOWED_PATHS.includes(path)) {
+    return navigateTo(path); // Safe
+  }
+
+  return navigateTo('/'); // Safe default
+});
+
+// ✅ An toàn - Nuxt.js với mapping
+const ROUTE_MAP = {
+  'profile': '/user/profile',
+  'settings': '/settings'
+};
+
+export default defineComponent({
+  setup() {
+    const route = useRoute();
+
+    const redirect = () => {
+      const key = route.query.destination;
+      const url = ROUTE_MAP[key] || '/';
+      navigateTo(url); // Safe
+    };
+  }
+});
+
+// ✅ An toàn - Nuxt.js với domain validation
+export default defineEventHandler((event) => {
+  const { url } = getQuery(event);
+  const allowedDomains = ['example.com'];
+
+  try {
+    const parsed = new URL(url);
+    if (allowedDomains.includes(parsed.hostname)) {
+      return sendRedirect(event, url); // Safe
+    }
+  } catch {
+    throw createError({ statusCode: 400 });
+  }
+});
+```
+
+## Phương pháp phát hiện
+
+Rule này sử dụng symbol-based analysis để phát hiện:
+
+1. **Redirect functions**:
+   - Express: `res.redirect()`
+   - NestJS: `@Redirect()`, `res.redirect()`
+   - Next.js: `redirect()`, `permanentRedirect()`, `router.push()`
+   - Nuxt.js: `navigateTo()`, `sendRedirect()`
+   - Spring: `response.sendRedirect()`
+   - Generic: `window.location`, `setHeader('Location')`
+
+2. **User input sources**:
+   - `req.query`, `req.params`, `req.body`
+   - `@Query()`, `@Param()`, `@Body()` (NestJS)
+   - `searchParams`, `useSearchParams()` (Next.js)
+   - `useRoute()`, `getQuery()`, `event.query` (Nuxt.js)
+   - `URLSearchParams.get()`
+
+3. **Dataflow analysis**: Track từ user input đến redirect function
+4. **Validation check**: Kiểm tra có whitelist/validation hay không
+
+## Tài liệu tham khảo
+
+- [OWASP A03:2021 - Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [CWE-601: URL Redirection to Untrusted Site](https://cwe.mitre.org/data/definitions/601.html)
+- [OWASP Unvalidated Redirects Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)