npm - @sun-asterisk/sunlint - Versions diffs - 1.3.33 → 1.3.35 - Mend

@sun-asterisk/sunlint 1.3.33 → 1.3.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (535) hide show

package/rules/security/S003_open_redirect_protection/config.json CHANGED Viewed

@@ -1,58 +1,16 @@
 {
-  "ruleId": "S003",
+  "id": "S003",
   "name": "Open Redirect Protection",
-  "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
+  "description": "Chuyển hướng URL phải nằm trong danh sách cho phép (Allow List) - Ngăn chặn lỗ hổng Open Redirect",
   "category": "security",
-  "severity": "warning",
-  "languages": ["All languages"],
-  "tags": [
-    "security",
-    "owasp",
-    "injection",
-    "open-redirect",
-    "phishing",
-    "url-validation"
-  ],
-  "enabled": true,
-  "fixable": false,
-  "engine": "heuristic",
-  "metadata": {
-    "owaspCategory": "A03:2021 - Injection",
-    "cweId": "CWE-601",
-    "description": "Applications that redirect users to URLs from untrusted input without validation are vulnerable to phishing attacks. Attackers can create legitimate-looking links that redirect victims to malicious sites.",
-    "impact": "Medium - Phishing attacks, credential theft, malware distribution",
-    "likelihood": "High",
-    "remediation": "Use allow list (whitelist) to validate redirect URLs, or only allow relative URLs within the same domain"
+  "severity": "error",
+  "languages": ["typescript", "javascript", "dart"],
+  "config": {
+    "redirectMethods": ["redirect", "redirectTo", "navigateTo", "location.href", "window.location"],
+    "checkUserInput": true
   },
-  "patterns": {
-    "vulnerable": [
-      "res.redirect(req.query.*) without validation",
-      "res.redirect(req.params.*) without validation",
-      "window.location = userInput without validation",
-      "response.sendRedirect(request.getParameter(*)) without validation",
-      "new RedirectView(userInput) without validation",
-      "res.setHeader('Location', req.query.*) without validation"
-    ],
-    "secure": [
-      "Validate against allow list (whitelist) of trusted domains",
-      "Only allow relative URLs (startsWith('/') && !startsWith('//'))",
-      "Use indirect mapping (key -> URL mapping)",
-      "Parse and validate URL with new URL() and check hostname",
-      "Use framework validation (e.g., @IsIn(['home', 'dashboard']))"
-    ]
-  },
-  "examples": {
-    "violations": [
-      "res.redirect(req.query.url);",
-      "window.location.href = params.get('redirect');",
-      "response.sendRedirect(request.getParameter('next'));",
-      "new RedirectView(request.getParameter('url'));"
-    ],
-    "fixes": [
-      "const url = req.query.url; if (ALLOWED_URLS.includes(url)) res.redirect(url);",
-      "if (isAllowedDomain(url)) window.location.href = url;",
-      "const destination = REDIRECT_MAP[req.query.key]; res.redirect(destination);",
-      "if (url.startsWith('/') && !url.startsWith('//')) res.redirect(url);"
-    ]
-  }
+  "references": [
+    "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+    "https://cwe.mitre.org/data/definitions/601.html"
+  ]
 }

package/rules/security/S003_open_redirect_protection/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * S003 Dart Analyzer - Open Redirect Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/open_redirect_analyzer.dart
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép
+ */
+class DartS003Analyzer {
+  constructor() {
+    this.ruleId = 'S003';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S003',
+      name: 'Open Redirect Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Detect unsafe redirect patterns'
+    };
+  }
+  getConfig() {
+    return {
+      redirectMethods: ['redirect', 'navigateTo', 'pushNamed', 'go'],
+      severity: 'error'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS003Analyzer;

package/rules/security/S003_open_redirect_protection/index.js ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * S003 Rule Router - Open Redirect Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép (Allow List)
+ * - Không được chuyển hướng đến URL nhận từ đầu vào của người dùng mà không xác thực
+ * - Phải đối chiếu URL với danh sách cho phép trước khi thực hiện redirect
+ */
+const path = require('path');
+class S003Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S003';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    // Handle case where language might not be a string
+    if (typeof language !== 'string') {
+      return 'typescript'; // Default fallback
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    // Handle both signatures:
+    // 1. initialize(semanticEngine) - called by heuristic engine
+    // 2. initialize(language, semanticEngine) - original signature
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    // If language specified, initialize only that analyzer
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+    // Otherwise, this is just a general initialization - do nothing for now
+  }
+}
+module.exports = new S003Router();

package/rules/security/S003_open_redirect_protection/typescript/analyzer.js ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * S003 TypeScript Analyzer - Open Redirect Protection
+ *
+ * Detects unsafe redirect patterns in TypeScript/JavaScript code.
+ *
+ * Rule: Chuyển hướng URL phải nằm trong danh sách cho phép
+ */
+const fs = require('fs');
+const path = require('path');
+class TypeScriptS003Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S003';
+    this.language = 'typescript';
+    this.config = {
+      redirectMethods: config.redirectMethods || [
+        'redirect', 'redirectTo', 'navigateTo',
+        'location.href', 'window.location', 'res.redirect'
+      ],
+      checkUserInput: config.checkUserInput !== false
+    };
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S003',
+      name: 'Open Redirect Protection',
+      language: 'typescript',
+      description: 'Detect unsafe redirect patterns that may lead to open redirect vulnerabilities'
+    };
+  }
+  getConfig() {
+    return this.config;
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+    return violations;
+  }
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    // Patterns for detecting unsafe redirects
+    const unsafePatterns = [
+      // res.redirect(req.query.url)
+      /res\.redirect\s*\(\s*(req\.(query|body|params)\.[\w]+)/g,
+      // window.location = userInput
+      /window\.location\s*=\s*([\w]+)/g,
+      // location.href = variable (not a literal)
+      /location\.href\s*=\s*([^'"]+)/g,
+      // redirect(url) where url is from params
+      /redirect\s*\(\s*(req\.(query|body|params)\.[\w]+)/g,
+      // router.push(userInput)
+      /router\.push\s*\(\s*([\w]+)\s*\)/g,
+      // navigate(url) without validation
+      /navigate\s*\(\s*(req\.(query|body|params)\.[\w]+)/g
+    ];
+    lines.forEach((line, lineIndex) => {
+      for (const pattern of unsafePatterns) {
+        let match;
+        pattern.lastIndex = 0;
+        while ((match = pattern.exec(line)) !== null) {
+          // Skip if URL is a string literal (safe)
+          if (/['"`]/.test(match[1])) continue;
+          violations.push({
+            ruleId: 'S003',
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            severity: 'error',
+            message: `Potential open redirect vulnerability: redirecting to unvalidated URL "${match[1]}"`,
+            suggestion: 'Validate the redirect URL against an allowlist before redirecting'
+          });
+        }
+      }
+    });
+    return violations;
+  }
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+module.exports = TypeScriptS003Analyzer;

package/rules/security/S003_open_redirect_protection/{symbol-based-analyzer.js → typescript/semantic-analyzer.js} RENAMED Viewed

@@ -144,7 +144,7 @@ class S003SymbolBasedAnalyzer {
         taintedVariables
       );
     } catch (error) {
-      console.warn(`⚠ [S003] Analysis error in ${filePath}: ${error.message}`);
+      // Silently ignore analysis errors - file may not be parseable TypeScript
     }
     return violations;

package/rules/security/S004_sensitive_data_logging/config.json CHANGED Viewed

@@ -4,7 +4,7 @@
   "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
   "category": "security",
   "severity": "warning",
-  "languages": ["All languages"],
+  "languages": ["typescript", "javascript", "dart"],
   "tags": [
     "security",
     "owasp",

package/rules/security/S004_sensitive_data_logging/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * S004 Dart Analyzer - Sensitive Data Logging Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/sensitive_data_logging_analyzer.dart
+ *
+ * Rule: Prevent logging of sensitive information like passwords, tokens, and payment data
+ */
+class DartS004Analyzer {
+  constructor() {
+    this.ruleId = 'S004';
+    this.language = 'dart';
+  }
+  /**
+   * Get rule metadata
+   */
+  getMetadata() {
+    return {
+      ruleId: 'S004',
+      name: 'Sensitive Data Logging Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Prevent logging of sensitive information without proper redaction'
+    };
+  }
+  /**
+   * Get default configuration
+   */
+  getConfig() {
+    return {
+      sensitivePatterns: [
+        'password', 'secret', 'token', 'apikey', 'api_key',
+        'accessToken', 'access_token', 'refreshToken', 'refresh_token',
+        'credential', 'auth', 'private', 'creditCard', 'credit_card',
+        'ssn', 'socialSecurity'
+      ],
+      logMethods: ['print', 'debugPrint', 'log', 'logger'],
+      severity: 'warning'
+    };
+  }
+  /**
+   * Analysis is delegated to DartAnalyzer via heuristic-engine.js
+   */
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS004Analyzer;

package/rules/security/S004_sensitive_data_logging/index.js ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * S004 Rule Router - Sensitive Data Logging Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Prevent logging of sensitive information like passwords, tokens, and payment data
+ * - Detect logging of sensitive data without proper redaction
+ * - Mask or redact sensitive fields before logging
+ */
+const path = require('path');
+class S004Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S004';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    // Handle case where language might not be a string
+    if (typeof language !== 'string') {
+      return 'typescript'; // Default fallback
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    // Handle both signatures:
+    // 1. initialize(semanticEngine) - called by heuristic engine
+    // 2. initialize(language, semanticEngine) - original signature
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    // If language specified, initialize only that analyzer
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S004Router();

package/rules/security/S005_no_origin_auth/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * S005 Dart Analyzer
+ * JS wrapper that delegates to DartAnalyzer binary.
+ */
+class DartS005Analyzer {
+  constructor() {
+    this.ruleId = 'S005';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S005',
+      language: 'dart',
+      delegateTo: 'dart_analyzer'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS005Analyzer;

package/rules/security/S005_no_origin_auth/index.js ADDED Viewed

@@ -0,0 +1,83 @@
+/**
+ * S005 Rule Router
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ */
+const path = require('path');
+class S005Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S005';
+  }
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+    return this.analyzers.get(normalizedLang);
+  }
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+module.exports = new S005Router();

package/rules/security/S005_no_origin_auth/{analyzer.js → typescript/analyzer.js} RENAMED Viewed

@@ -8,6 +8,7 @@
  * - OWASP A07:2021 - Identification and Authentication Failures
  * - CWE-290: Authentication Bypass by Spoofing
  */
+// Command: node cli.js --rule=S005 --input=examples/rule-test-fixtures/rules/S005_no_origin_auth --engine=heuristic
 const S005SymbolBasedAnalyzer = require("./symbol-based-analyzer");

package/rules/security/S006_no_plaintext_recovery_codes/dart/analyzer.js ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * S006 Dart Analyzer
+ * JS wrapper that delegates to DartAnalyzer binary.
+ */
+class DartS006Analyzer {
+  constructor() {
+    this.ruleId = 'S006';
+    this.language = 'dart';
+  }
+  getMetadata() {
+    return {
+      ruleId: 'S006',
+      language: 'dart',
+      delegateTo: 'dart_analyzer'
+    };
+  }
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+module.exports = DartS006Analyzer;