npm - @sun-asterisk/sunlint - Versions diffs - 1.3.33 → 1.3.34 - Mend

@sun-asterisk/sunlint 1.3.33 → 1.3.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (450) hide show

package/rules/common/C076_explicit_function_types/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * C076 Dart Analyzer - Explicit Function Types
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/C076_explicit_function_types.dart
+ */
+class DartC076Analyzer {
+  constructor() {
+    this.ruleId = 'C076';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'C076',
+      name: 'Explicit Function Types',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Function parameters should have explicit type annotations'
+    };
+  }
+  getConfig() {
+    return {
+      severity: 'warning'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartC076Analyzer;

package/rules/common/C076_explicit_function_types/index.js ADDED Viewed

@@ -0,0 +1,83 @@
+/**
+ * C076 Rule Router - Explicit Function Types
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript
+ */
+const path = require('path');
+class C076Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'C076';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript'
+    };
+    return languageMap[language.toLowerCase()] || 'typescript';
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new C076Router();

package/rules/index.js CHANGED Viewed

@@ -1,14 +1,15 @@
 /**
  * SunLint Heuristic Rules Registry
- * Central reconst securityRules = {
-  S015: require('./security/S015_insecure_tls_certificate/analyzer'),
-  S023: require('./security/S023_no_json_injection/analyzer'),stry for all heuristic rules organized by category
+ * Central registry for all heuristic rules organized by category
  */
 const path = require('path');
+const fs = require('fs');
 /**
  * Load rule analyzer from category folder
+ * Supports both old structure (analyzer.js) and new multi-language structure (index.js router)
+ *
  * @param {string} category - Rule category (common, security, typescript)
  * @param {string} ruleId - Rule ID (e.g., C006_function_naming)
  * @returns {Object} Rule analyzer module
@@ -21,7 +22,18 @@ function loadRule(category, ruleId) {
             console.log(`🔬 Loading C047 semantic analyzer: ${semanticPath}`);
             return require(semanticPath);
         }
+        // Try new multi-language structure first (index.js router)
+        const routerPath = path.join(__dirname, category, ruleId, 'index.js');
+        try {
+            if (fs.existsSync(routerPath)) {
+                return require(routerPath);
+            }
+        } catch (routerError) {
+            // Fall through to old structure
+        }
+        // Fallback to old structure (analyzer.js)
         const rulePath = path.join(__dirname, category, ruleId, 'analyzer.js');
         return require(rulePath);
     } catch (error) {
@@ -48,13 +60,17 @@ function loadRuleConfig(category, ruleId) {
 // 🔹 Common Rules (C-series) - General coding standards
 const commonRules = {
+    // Multi-language rules (TypeScript + Dart)
     C002: loadRule('common', 'C002_no_duplicate_code'),
+    C003: loadRule('common', 'C003_no_vague_abbreviations'),
+    // TypeScript-only rules (existing)
     C006: loadRule('common', 'C006_function_naming'),
     C012: loadRule('common', 'C012_command_query_separation'),
     C013: loadRule('common', 'C013_no_dead_code'),
     C014: loadRule('common', 'C014_dependency_injection'),
     C018: loadRule('common', 'C018_no_throw_generic_error'),
-    C019: loadRule('common', 'C019_log_level_usage'),
+    C019: loadRule('common', 'C019_log_level_usage'),
     C030: loadRule('common', 'C030_use_custom_error_classes'),
     C023: loadRule('common', 'C023_no_duplicate_variable'),
     C024: loadRule('common', 'C024_no_scatter_hardcoded_constants'),
@@ -72,6 +88,11 @@ const commonRules = {
 // 🔒 Security Rules (S-series) - Ready for migration
 const securityRules = {
+    // Multi-language rules (TypeScript + Dart)
+    S003: loadRule('security', 'S003_open_redirect_protection'),
+    S004: loadRule('security', 'S004_sensitive_data_logging'),
+    // TypeScript-only rules (existing)
     S006: loadRule('security', 'S006_no_plaintext_recovery_codes'),
     S010: loadRule('security', 'S010_no_insecure_encryption'),
     S015: loadRule('security', 'S015_insecure_tls_certificate'),
@@ -80,7 +101,6 @@ const securityRules = {
     S027: loadRule('security', 'S027_no_hardcoded_secrets'),
     S029: loadRule('security', 'S029_csrf_protection'),
     // S001: loadRule('security', 'S001_fail_securely'),
-    // S003: loadRule('security', 'S003_no_unvalidated_redirect'),
     // S012: loadRule('security', 'S012_hardcode_secret'),
     // ... 46 more security rules ready for migration
 };

package/rules/security/S003_open_redirect_protection/config.json CHANGED Viewed

@@ -1,58 +1,16 @@
 {
-  "ruleId": "S003",
+  "id": "S003",
   "name": "Open Redirect Protection",
-  "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
+  "description": "Chuyển hướng URL phải nằm trong danh sách cho phép (Allow List) - Ngăn chặn lỗ hổng Open Redirect",
   "category": "security",
-  "severity": "warning",
-  "languages": ["All languages"],
-  "tags": [
-    "security",
-    "owasp",
-    "injection",
-    "open-redirect",
-    "phishing",
-    "url-validation"
-  ],
-  "enabled": true,
-  "fixable": false,
-  "engine": "heuristic",
-  "metadata": {
-    "owaspCategory": "A03:2021 - Injection",
-    "cweId": "CWE-601",
-    "description": "Applications that redirect users to URLs from untrusted input without validation are vulnerable to phishing attacks. Attackers can create legitimate-looking links that redirect victims to malicious sites.",
-    "impact": "Medium - Phishing attacks, credential theft, malware distribution",
-    "likelihood": "High",
-    "remediation": "Use allow list (whitelist) to validate redirect URLs, or only allow relative URLs within the same domain"
+  "severity": "error",
+  "languages": ["typescript", "javascript", "dart"],
+  "config": {
+    "redirectMethods": ["redirect", "redirectTo", "navigateTo", "location.href", "window.location"],
+    "checkUserInput": true
   },
-  "patterns": {
-    "vulnerable": [
-      "res.redirect(req.query.*) without validation",
-      "res.redirect(req.params.*) without validation",
-      "window.location = userInput without validation",
-      "response.sendRedirect(request.getParameter(*)) without validation",
-      "new RedirectView(userInput) without validation",
-      "res.setHeader('Location', req.query.*) without validation"
-    ],
-    "secure": [
-      "Validate against allow list (whitelist) of trusted domains",
-      "Only allow relative URLs (startsWith('/') && !startsWith('//'))",
-      "Use indirect mapping (key -> URL mapping)",
-      "Parse and validate URL with new URL() and check hostname",
-      "Use framework validation (e.g., @IsIn(['home', 'dashboard']))"
-    ]
-  },
-  "examples": {
-    "violations": [
-      "res.redirect(req.query.url);",
-      "window.location.href = params.get('redirect');",
-      "response.sendRedirect(request.getParameter('next'));",
-      "new RedirectView(request.getParameter('url'));"
-    ],
-    "fixes": [
-      "const url = req.query.url; if (ALLOWED_URLS.includes(url)) res.redirect(url);",
-      "if (isAllowedDomain(url)) window.location.href = url;",
-      "const destination = REDIRECT_MAP[req.query.key]; res.redirect(destination);",
-      "if (url.startsWith('/') && !url.startsWith('//')) res.redirect(url);"
-    ]
-  }
+  "references": [
+    "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+    "https://cwe.mitre.org/data/definitions/601.html"
+  ]
 }

package/rules/security/S003_open_redirect_protection/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * S003 Dart Analyzer - Open Redirect Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/open_redirect_analyzer.dart
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép
+ */
+class DartS003Analyzer {
+  constructor() {
+    this.ruleId = 'S003';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S003',
+      name: 'Open Redirect Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Detect unsafe redirect patterns'
+    };
+  }
+  getConfig() {
+    return {
+      redirectMethods: ['redirect', 'navigateTo', 'pushNamed', 'go'],
+      severity: 'error'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS003Analyzer;

package/rules/security/S003_open_redirect_protection/index.js ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * S003 Rule Router - Open Redirect Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép (Allow List)
+ * - Không được chuyển hướng đến URL nhận từ đầu vào của người dùng mà không xác thực
+ * - Phải đối chiếu URL với danh sách cho phép trước khi thực hiện redirect
+ */
+const path = require('path');
+class S003Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S003';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    // Handle case where language might not be a string
+    if (typeof language !== 'string') {
+      return 'typescript'; // Default fallback
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    // Handle both signatures:
+    // 1. initialize(semanticEngine) - called by heuristic engine
+    // 2. initialize(language, semanticEngine) - original signature
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    // If language specified, initialize only that analyzer
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+    // Otherwise, this is just a general initialization - do nothing for now
+  }
+}
+module.exports = new S003Router();

package/rules/security/S003_open_redirect_protection/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * S003 TypeScript Analyzer - Open Redirect Protection
+ *
+ * Detects unsafe redirect patterns in TypeScript/JavaScript code.
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép
+ */
+const fs = require('fs');
+const path = require('path');
+class TypeScriptS003Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S003';
+    this.language = 'typescript';
+    this.config = {
+      redirectMethods: config.redirectMethods || [
+        'redirect', 'redirectTo', 'navigateTo',
+        'location.href', 'window.location', 'res.redirect'
+      ],
+      checkUserInput: config.checkUserInput !== false
+    };
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S003',
+      name: 'Open Redirect Protection',
+      language: 'typescript',
+      description: 'Detect unsafe redirect patterns that may lead to open redirect vulnerabilities'
+    };
+  }
+  getConfig() {
+    return this.config;
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+    return violations;
+  }
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    // Patterns for detecting unsafe redirects
+    const unsafePatterns = [
+      // res.redirect(req.query.url)
+      /res\.redirect\s*\(\s*(req\.(query|body|params)\.[\w]+)/g,
+      // window.location = userInput
+      /window\.location\s*=\s*([\w]+)/g,
+      // location.href = variable (not a literal)
+      /location\.href\s*=\s*([^'"]+)/g,
+      // redirect(url) where url is from params
+      /redirect\s*\(\s*(req\.(query|body|params)\.[\w]+)/g,
+      // router.push(userInput)
+      /router\.push\s*\(\s*([\w]+)\s*\)/g,
+      // navigate(url) without validation
+      /navigate\s*\(\s*(req\.(query|body|params)\.[\w]+)/g
+    ];
+    lines.forEach((line, lineIndex) => {
+      for (const pattern of unsafePatterns) {
+        let match;
+        pattern.lastIndex = 0;
+        while ((match = pattern.exec(line)) !== null) {
+          // Skip if URL is a string literal (safe)
+          if (/['"`]/.test(match[1])) continue;
+          violations.push({
+            ruleId: 'S003',
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            severity: 'error',
+            message: `Potential open redirect vulnerability: redirecting to unvalidated URL "${match[1]}"`,
+            suggestion: 'Validate the redirect URL against an allowlist before redirecting'
+          });
+        }
+      }
+    });
+    return violations;
+  }
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+module.exports = TypeScriptS003Analyzer;

package/rules/security/S003_open_redirect_protection/{symbol-based-analyzer.js → typescript/semantic-analyzer.js} RENAMED Viewed

@@ -144,7 +144,7 @@ class S003SymbolBasedAnalyzer {
         taintedVariables
       );
     } catch (error) {
-      console.warn(`⚠ [S003] Analysis error in ${filePath}: ${error.message}`);
+      // Silently ignore analysis errors - file may not be parseable TypeScript
     }
     return violations;

package/rules/security/S004_sensitive_data_logging/config.json CHANGED Viewed

@@ -4,7 +4,7 @@
   "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
   "category": "security",
   "severity": "warning",
-  "languages": ["All languages"],
+  "languages": ["typescript", "javascript", "dart"],
   "tags": [
     "security",
     "owasp",

package/rules/security/S004_sensitive_data_logging/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * S004 Dart Analyzer - Sensitive Data Logging Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/sensitive_data_logging_analyzer.dart
+ *
+ * Rule: Prevent logging of sensitive information like passwords, tokens, and payment data
+ */
+class DartS004Analyzer {
+  constructor() {
+    this.ruleId = 'S004';
+    this.language = 'dart';
+  }
+  /**
+   * Get rule metadata
+   */
+  getMetadata() {
+    return {
+      ruleId: 'S004',
+      name: 'Sensitive Data Logging Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Prevent logging of sensitive information without proper redaction'
+    };
+  }
+  /**
+   * Get default configuration
+   */
+  getConfig() {
+    return {
+      sensitivePatterns: [
+        'password', 'secret', 'token', 'apikey', 'api_key',
+        'accessToken', 'access_token', 'refreshToken', 'refresh_token',
+        'credential', 'auth', 'private', 'creditCard', 'credit_card',
+        'ssn', 'socialSecurity'
+      ],
+      logMethods: ['print', 'debugPrint', 'log', 'logger'],
+      severity: 'warning'
+    };
+  }
+  /**
+   * Analysis is delegated to DartAnalyzer via heuristic-engine.js
+   */
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS004Analyzer;

package/rules/security/S004_sensitive_data_logging/index.js ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * S004 Rule Router - Sensitive Data Logging Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Prevent logging of sensitive information like passwords, tokens, and payment data
+ * - Detect logging of sensitive data without proper redaction
+ * - Mask or redact sensitive fields before logging
+ */
+const path = require('path');
+class S004Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S004';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    // Handle case where language might not be a string
+    if (typeof language !== 'string') {
+      return 'typescript'; // Default fallback
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    // Handle both signatures:
+    // 1. initialize(semanticEngine) - called by heuristic engine
+    // 2. initialize(language, semanticEngine) - original signature
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    // If language specified, initialize only that analyzer
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S004Router();