npm - @sun-asterisk/sunlint - Versions diffs - 1.3.32 → 1.3.34 - Mend

@sun-asterisk/sunlint 1.3.32 → 1.3.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/rules/security/S058_no_ssrf/typescript/config.json ADDED Viewed

@@ -0,0 +1,125 @@
+{
+  "ruleId": "S058",
+  "name": "No SSRF (Server-Side Request Forgery)",
+  "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
+  "category": "security",
+  "severity": "error",
+  "options": {
+    "httpClientPatterns": [
+      "fetch\\s*\\(",
+      "axios\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "http\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "https\\.(?:get|post|put|delete|patch|request)\\s*\\(",
+      "(?:^|\\s|=|\\()request\\s*\\(",
+      "got\\s*\\(",
+      "superagent\\.",
+      "needle\\.",
+      "bent\\(",
+      "node-fetch\\s*\\(",
+      "isomorphic-fetch\\s*\\(",
+      "ky\\s*\\(",
+      "httpClient\\.",
+      "\\.httpClient\\."
+    ],
+    "userInputSources": [
+      "req\\.body",
+      "req\\.query",
+      "req\\.params",
+      "request\\.body",
+      "request\\.query",
+      "request\\.params",
+      "ctx\\.request\\.body",
+      "ctx\\.query",
+      "ctx\\.params",
+      "event\\.body",
+      "event\\.queryStringParameters",
+      "event\\.pathParameters",
+      "\\.query\\.",
+      "\\.body\\.",
+      "\\.params\\.",
+      "process\\.argv",
+      "process\\.env\\.",
+      "from.*request",
+      "from.*input",
+      "user.*input",
+      "client.*data",
+      "external.*data"
+    ],
+    "dangerousProtocols": [
+      "file://",
+      "ftp://",
+      "sftp://",
+      "ldap://",
+      "ldaps://",
+      "dict://",
+      "gopher://",
+      "jar://",
+      "netdoc://",
+      "mailto:",
+      "news:",
+      "imap://",
+      "pop3://",
+      "smb://",
+      "afp://",
+      "telnet://",
+      "ssh://"
+    ],
+    "blockedIPs": [
+      "127\\.0\\.0\\.1",
+      "::1",
+      "localhost",
+      "169\\.254\\.169\\.254",
+      "metadata\\.google\\.internal",
+      "169\\.254\\.",
+      "10\\.",
+      "172\\.(1[6-9]|2[0-9]|3[01])\\.",
+      "192\\.168\\."
+    ],
+    "blockedPorts": [
+      "22",
+      "23",
+      "25",
+      "53",
+      "135",
+      "139",
+      "445",
+      "1433",
+      "1521",
+      "3306",
+      "3389",
+      "5432",
+      "5984",
+      "6379",
+      "8080",
+      "9200",
+      "11211",
+      "27017",
+      "50070"
+    ],
+    "allowedDomains": [
+      "api\\.trusted-service\\.com",
+      "service\\.company\\.com"
+    ],
+    "validationFunctions": [
+      "validateUrl",
+      "validateUrlAllowList",
+      "checkAllowedUrl",
+      "isAllowedUrl",
+      "sanitizeUrl",
+      "verifyUrl",
+      "urlValidator"
+    ],
+    "policy": {
+      "requireExplicitValidation": true,
+      "enforceAllowList": true,
+      "blockPrivateIPs": true,
+      "checkProtocols": true,
+      "requireHttpsOnly": false,
+      "maxRedirects": 0
+    },
+    "thresholds": {
+      "maxSuspiciousUrls": 3,
+      "maxUnvalidatedRequests": 1
+    }
+  }
+}

package/scripts/build-release.sh CHANGED Viewed

@@ -46,6 +46,17 @@ node cli.js --security --typescript --input=core/ || {
     echo "⚠️  Security issues detected, but continuing with release..."
 }
+# Copy released-rules.json from pages to config
+echo "📋 Copying released-rules.json..."
+RELEASED_RULES_SRC="../../pages/scripts/released-rules.json"
+RELEASED_RULES_DEST="config/released-rules.json"
+if [ -f "$RELEASED_RULES_SRC" ]; then
+    cp "$RELEASED_RULES_SRC" "$RELEASED_RULES_DEST"
+    echo "✅ Copied released-rules.json to config/"
+else
+    echo "⚠️  released-rules.json not found at $RELEASED_RULES_SRC"
+fi
 # Verify critical files exist
 echo "📁 Verifying critical files..."
 CRITICAL_FILES=(
@@ -54,6 +65,7 @@ CRITICAL_FILES=(
     "README.md"
     "CHANGELOG.md"
     "config/rules/rules-registry.json"
+    "config/released-rules.json"
     "core/cli-program.js"
     "core/cli-action-handler.js"
     "core/typescript-engine.js"

package/scripts/copy-arch-detect.js ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * Copy architecture-detection dist to engines/arch-detect
+ * This script is run during build to bundle architecture detection
+ */
+const fs = require('fs');
+const path = require('path');
+const SOURCE = path.resolve(__dirname, '../../../../architecture-detection/dist');
+const DEST = path.resolve(__dirname, '../engines/arch-detect');
+function copyDir(src, dest) {
+  if (!fs.existsSync(src)) {
+    console.log('⚠️  architecture-detection/dist not found. Run "npm run build" in architecture-detection first.');
+    return false;
+  }
+  // Clean destination
+  if (fs.existsSync(dest)) {
+    fs.rmSync(dest, { recursive: true });
+  }
+  fs.mkdirSync(dest, { recursive: true });
+  // Copy files recursively
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+    // Skip source maps and declaration files
+    if (entry.name.endsWith('.map') || entry.name.endsWith('.d.ts')) {
+      continue;
+    }
+    // Skip CLI and LLM folders
+    if (entry.name === 'cli.js' || entry.name === 'llm' || entry.name === 'llm-primary') {
+      continue;
+    }
+    if (entry.isDirectory()) {
+      copyDir(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+  return true;
+}
+console.log('📦 Copying architecture-detection...');
+if (copyDir(SOURCE, DEST)) {
+  const size = getTotalSize(DEST);
+  console.log(`✅ Copied to engines/arch-detect (${formatSize(size)})`);
+} else {
+  console.log('⚠️  Skipped architecture-detection copy');
+}
+function getTotalSize(dir) {
+  let size = 0;
+  const entries = fs.readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      size += getTotalSize(fullPath);
+    } else {
+      size += fs.statSync(fullPath).size;
+    }
+  }
+  return size;
+}
+function formatSize(bytes) {
+  if (bytes < 1024) return bytes + ' B';
+  if (bytes < 1024 * 1024) return (bytes / 1024).toFixed(1) + ' KB';
+  return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
+}

package/rules/common/C002_no_duplicate_code/test-cases/api-handlers.ts DELETED Viewed

@@ -1,64 +0,0 @@
-// ❌ VIOLATION: Monkey coding - Copy-paste error handling
-export class ApiHandlers {
-  // Get user by ID with error handling
-  async getUserById(id: number) {
-    try {
-      const response = await fetch(`/api/users/${id}`);
-      if (!response.ok) {
-        const error = await response.json();
-        console.error('Error fetching user:', error);
-        throw new Error(error.message || 'Failed to fetch user');
-      }
-      const data = await response.json();
-      return data;
-    } catch (error) {
-      console.error('Network error:', error);
-      throw new Error('Network request failed');
-    }
-  }
-  // Get product by ID - SAME error handling!
-  async getProductById(id: number) {
-    // DUPLICATE: Same try-catch, error handling pattern (monkey coding!)
-    try {
-      const response = await fetch(`/api/products/${id}`);
-      if (!response.ok) {
-        const error = await response.json();
-        console.error('Error fetching product:', error);
-        throw new Error(error.message || 'Failed to fetch product');
-      }
-      const data = await response.json();
-      return data;
-    } catch (error) {
-      console.error('Network error:', error);
-      throw new Error('Network request failed');
-    }
-  }
-  // Get order by ID - same pattern
-  async getOrderById(id: number) {
-    try {
-      const response = await fetch(`/api/orders/${id}`);
-      if (!response.ok) {
-        const error = await response.json();
-        console.error('Error fetching order:', error);
-        throw new Error(error.message || 'Failed to fetch order');
-      }
-      const data = await response.json();
-      return data;
-    } catch (error) {
-      console.error('Network error:', error);
-      throw new Error('Network request failed');
-    }
-  }
-}

package/rules/common/C002_no_duplicate_code/test-cases/data-processor.ts DELETED Viewed

@@ -1,46 +0,0 @@
-// ❌ VIOLATION: Monkey coding - Copy-paste data transformation
-export class DataProcessor {
-  // Process user data from API
-  processUserData(rawData: any[]) {
-    return rawData
-      .filter(item => item !== null && item !== undefined)
-      .map(item => ({
-        id: item.id,
-        name: item.name?.trim() || 'Unknown',
-        email: item.email?.toLowerCase() || '',
-        status: item.active ? 'active' : 'inactive',
-        createdAt: new Date(item.created_at)
-      }))
-      .sort((a, b) => a.name.localeCompare(b.name));
-  }
-  // Process product data from API - SAME transformation logic!
-  processProductData(rawData: any[]) {
-    // DUPLICATE: Same filtering, mapping, sorting pattern (monkey coding!)
-    return rawData
-      .filter(item => item !== null && item !== undefined)
-      .map(item => ({
-        id: item.id,
-        name: item.name?.trim() || 'Unknown',
-        price: item.price || 0,
-        status: item.available ? 'active' : 'inactive',
-        createdAt: new Date(item.created_at)
-      }))
-      .sort((a, b) => a.name.localeCompare(b.name));
-  }
-  // Process order data - same pattern again
-  processOrderData(rawData: any[]) {
-    return rawData
-      .filter(item => item !== null && item !== undefined)
-      .map(item => ({
-        id: item.id,
-        customer: item.customer_name?.trim() || 'Unknown',
-        total: item.total_amount || 0,
-        status: item.paid ? 'active' : 'inactive',
-        createdAt: new Date(item.order_date)
-      }))
-      .sort((a, b) => a.customer.localeCompare(b.customer));
-  }
-}

package/rules/common/C002_no_duplicate_code/test-cases/good-example.tsx DELETED Viewed

@@ -1,40 +0,0 @@
-// ✅ GOOD: No violation - These are intentional patterns (different names, simple wrappers)
-import React from 'react';
-// Different button variants - intentional pattern, not duplicate
-export function PrimaryButton({ className, ...props }: React.ComponentProps<'button'>) {
-  return (
-    <button
-      className={`btn-primary ${className}`}
-      {...props}
-    />
-  );
-}
-export function SecondaryButton({ className, ...props }: React.ComponentProps<'button'>) {
-  return (
-    <button
-      className={`btn-secondary ${className}`}
-      {...props}
-    />
-  );
-}
-export function DangerButton({ className, ...props }: React.ComponentProps<'button'>) {
-  return (
-    <button
-      className={`btn-danger ${className}`}
-      {...props}
-    />
-  );
-}
-// Short functions - below minimum lines
-export function add(a: number, b: number) {
-  return a + b;
-}
-export function subtract(a: number, b: number) {
-  return a - b;
-}

package/rules/common/C002_no_duplicate_code/test-cases/product-service.ts DELETED Viewed

@@ -1,57 +0,0 @@
-// ❌ VIOLATION: Monkey coding - Copy-paste calculation logic
-export class ProductService {
-  // Calculate price with tax for online orders
-  calculateOnlinePrice(price: number, quantity: number) {
-    const subtotal = price * quantity;
-    const tax = subtotal * 0.1; // 10% tax
-    const shipping = subtotal > 100 ? 0 : 10; // Free shipping over $100
-    const discount = subtotal > 200 ? subtotal * 0.05 : 0; // 5% discount over $200
-    const total = subtotal + tax + shipping - discount;
-    return {
-      subtotal,
-      tax,
-      shipping,
-      discount,
-      total
-    };
-  }
-  // Calculate price with tax for store orders - SAME calculation!
-  calculateStorePrice(price: number, quantity: number) {
-    // DUPLICATE: Exactly same calculation logic (monkey coding!)
-    const subtotal = price * quantity;
-    const tax = subtotal * 0.1; // 10% tax
-    const shipping = subtotal > 100 ? 0 : 10; // Free shipping over $100
-    const discount = subtotal > 200 ? subtotal * 0.05 : 0; // 5% discount over $200
-    const total = subtotal + tax + shipping - discount;
-    return {
-      subtotal,
-      tax,
-      shipping,
-      discount,
-      total
-    };
-  }
-  // Wholesale pricing - slightly different but still copy-paste
-  calculateWholesalePrice(price: number, quantity: number) {
-    const subtotal = price * quantity;
-    const tax = subtotal * 0.1; // 10% tax
-    const shipping = subtotal > 100 ? 0 : 10; // Free shipping over $100
-    const discount = subtotal > 200 ? subtotal * 0.05 : 0; // 5% discount over $200
-    const wholesaleDiscount = quantity > 50 ? subtotal * 0.1 : 0; // Extra 10% for bulk
-    const total = subtotal + tax + shipping - discount - wholesaleDiscount;
-    return {
-      subtotal,
-      tax,
-      shipping,
-      discount,
-      wholesaleDiscount,
-      total
-    };
-  }
-}

package/rules/common/C002_no_duplicate_code/test-cases/user-service.ts DELETED Viewed

@@ -1,49 +0,0 @@
-// ❌ VIOLATION: Monkey coding - Copy-paste entire functions
-export class UserService {
-  // Function 1: Process user payment
-  async processUserPayment(userId: number, amount: number) {
-    const user = await this.getUserData(userId);
-    if (amount <= 0) {
-      throw new Error('Invalid payment amount');
-    }
-    const fee = amount * 0.029 + 0.30; // Stripe fee
-    const total = amount + fee;
-    const result = await this.chargeCard(user.cardId, total);
-    if (!result.success) {
-      throw new Error('Payment failed');
-    }
-    await this.recordTransaction(userId, total, 'payment');
-    return { success: true, transactionId: result.id };
-  }
-  // Function 2: Process user refund - EXACT COPY-PASTE!
-  async processUserRefund(userId: number, amount: number) {
-    const user = await this.getUserData(userId);
-    if (amount <= 0) {
-      throw new Error('Invalid payment amount');
-    }
-    const fee = amount * 0.029 + 0.30; // Stripe fee
-    const total = amount + fee;
-    const result = await this.chargeCard(user.cardId, total);
-    if (!result.success) {
-      throw new Error('Payment failed');
-    }
-    await this.recordTransaction(userId, total, 'payment');
-    return { success: true, transactionId: result.id };
-  }
-  private async getUserData(userId: number) { return {}; }
-  private async chargeCard(cardId: string, amount: number) { return { success: true, id: '123' }; }
-  private async recordTransaction(userId: number, amount: number, type: string) { }
-}