@sun-asterisk/sunlint 1.3.36 → 1.3.37

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.36",
+  "version": "1.3.37",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/security/S001_backend_auth_communications/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S001 Dart Analyzer - Backend Authentication Communications
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S001_backend_auth_communications.dart
+ *
+ * Rule: Ensure backend-to-backend communications use secure, short-lived credentials
+ */
+
+class DartS001Analyzer {
+  constructor() {
+    this.ruleId = 'S001';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S001',
+      name: 'Backend Authentication Communications',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Ensure backend communications use secure, short-lived credentials'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkStaticCredentials: true,
+      checkHardcodedHeaders: true,
+      severity: 'error'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS001Analyzer;

package/rules/security/S001_backend_auth_communications/index.js

@@ -0,0 +1,87 @@
+/**
+ * S001 Rule Router - Backend Authentication Communications
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Ensure backend-to-backend communications are authenticated using secure,
+ * short-lived credentials instead of static secrets.
+ */
+
+const path = require('path');
+
+class S001Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S001';
+  }
+
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+
+    return this.analyzers.get(normalizedLang);
+  }
+
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+
+module.exports = new S001Router();

package/rules/security/S001_backend_auth_communications/typescript/analyzer.js

@@ -0,0 +1,164 @@
+/**
+ * S001 TypeScript Analyzer - Backend Authentication Communications
+ *
+ * Detects insecure backend authentication patterns in TypeScript/JavaScript code.
+ *
+ * Rule: Ensure backend-to-backend communications use secure, short-lived credentials
+ * instead of static secrets.
+ *
+ * Detects:
+ * - Static API keys/passwords in service calls
+ * - Hardcoded credentials in HTTP headers
+ * - Long-lived tokens without expiry
+ * - Shared secrets in configuration
+ */
+
+const fs = require('fs');
+
+class TypeScriptS001Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S001';
+    this.language = 'typescript';
+    this.config = {
+      checkStaticCredentials: config.checkStaticCredentials !== false,
+      checkHardcodedHeaders: config.checkHardcodedHeaders !== false,
+    };
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S001',
+      name: 'Backend Authentication Communications',
+      language: 'typescript',
+      description: 'Ensure backend communications use secure, short-lived credentials'
+    };
+  }
+
+  getConfig() {
+    return this.config;
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Skip test files
+    if (/\.(test|spec)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+        /__(tests?|mocks?)__/i.test(filePath)) {
+      return violations;
+    }
+
+    // Patterns for detecting insecure backend auth
+    const patterns = [
+      {
+        // Static API key in headers
+        regex: /headers\s*[=:]\s*\{[^}]*['"]?(Authorization|X-API-Key|Api-Key|X-Auth-Token)['"]?\s*[=:]\s*['"`][^'"`]{10,}['"`]/gi,
+        message: 'Static credential in HTTP headers - use environment variables or secrets manager'
+      },
+      {
+        // Hardcoded Bearer token
+        regex: /['"`]Bearer\s+[A-Za-z0-9._-]{20,}['"`]/gi,
+        message: 'Hardcoded Bearer token detected - use dynamic token generation'
+      },
+      {
+        // Static password in connection strings - must be actual password value assignment
+        // Match: password: 'secret123', password = 'mypass', db_password: 'admin'
+        // Skip: RESET_PASSWORD = '/path', resetPassword: 'service-name', password_field: 'name'
+        // Must not start with / (URL path) and must contain alphanumeric (not just identifiers)
+        regex: /(?<![a-zA-Z_])password\s*[=:]\s*['"`](?![\/])[^'"`]{8,}['"`]/gi,
+        message: 'Static password in connection - use secrets manager or environment variables',
+        excludePatterns: [
+          /process\.env/i,
+          /config\./i,
+          /getenv/i,
+          /Password\s*:/i,
+          /PASSWORD\s*=\s*['"`]\/[^'"`]*['"`]/i,  // URL paths like '/reset-password'
+          /password\s*[=:]\s*['"`][a-zA-Z]+-[a-zA-Z]+(-[a-zA-Z]+)*['"`]/i,  // service names like 'reset-password-activity'
+          /const\s+\w*PASSWORD\w*\s*=/i,  // const RESET_PASSWORD =
+          /enum/i  // enum definitions
+        ]
+      },
+      {
+        // API key assignment with literal value (must look like actual API key)
+        regex: /(?:apiKey|api_key|apiToken|api_token)\s*[=:]\s*['"`](?=[A-Za-z0-9._-]*[0-9])[A-Za-z0-9._-]{20,}['"`]/gi,
+        message: 'Hardcoded API key - use environment variables or secrets manager'
+      },
+      {
+        // Basic auth with hardcoded credentials (Base64 encoded)
+        regex: /['"`]Basic\s+[A-Za-z0-9+/]{20,}={0,2}['"`]/gi,
+        message: 'Hardcoded Basic authentication - credentials should be dynamically retrieved'
+      },
+      {
+        // Service account with static credentials
+        regex: /service[_-]?account.*(?<![a-zA-Z])password\s*[=:]\s*['"`][^'"`]{8,}['"`]/gi,
+        message: 'Static service account credentials - use certificate-based auth or short-lived tokens'
+      },
+      {
+        // Shared secret patterns
+        regex: /shared[_-]?secret\s*[=:]\s*['"`][^'"`]{8,}['"`]/gi,
+        message: 'Shared secret detected - use individual service accounts with short-lived tokens'
+      },
+      {
+        // Database connection string with password
+        regex: /(?:mongodb|postgres|mysql|redis|amqp):\/\/[^:]+:[^@]{4,}@/gi,
+        message: 'Hardcoded credentials in connection string - use secrets manager'
+      }
+    ];
+
+    lines.forEach((line, lineIndex) => {
+      // Skip comments
+      if (/^\s*(\/\/|\/\*|\*)/.test(line)) return;
+
+      // Skip if line contains environment variable access
+      if (/process\.env|getenv|Environment\.|config\./i.test(line)) return;
+
+      for (const pattern of patterns) {
+        let match;
+        pattern.regex.lastIndex = 0;
+        while ((match = pattern.regex.exec(line)) !== null) {
+          // Check exclude patterns
+          if (pattern.excludePatterns) {
+            const shouldExclude = pattern.excludePatterns.some(ep => ep.test(line));
+            if (shouldExclude) continue;
+          }
+
+          violations.push({
+            ruleId: 'S001',
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            severity: 'error',
+            message: pattern.message,
+            suggestion: 'Use short-lived tokens, certificate-based auth (mTLS), or secrets manager'
+          });
+        }
+      }
+    });
+
+    return violations;
+  }
+
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+
+module.exports = TypeScriptS001Analyzer;

package/rules/security/S002_os_command_injection/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S002 Dart Analyzer - OS Command Injection Protection
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S002_os_command_injection.dart
+ *
+ * Rule: Prevent OS command injection by using parameterized commands
+ */
+
+class DartS002Analyzer {
+  constructor() {
+    this.ruleId = 'S002';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S002',
+      name: 'OS Command Injection Protection',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Prevent OS command injection by using parameterized commands'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkProcessRun: true,
+      checkShellExecution: true,
+      severity: 'error'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS002Analyzer;

package/rules/security/S002_os_command_injection/index.js

@@ -0,0 +1,87 @@
+/**
+ * S002 Rule Router - OS Command Injection Protection
+ *
+ * Routes analysis to the appropriate language-specific analyzer.
+ * Supports: TypeScript, JavaScript, Dart
+ *
+ * Rule: Prevent OS command injection attacks by ensuring all operating system
+ * calls use parameterized queries or proper output encoding.
+ */
+
+const path = require('path');
+
+class S002Router {
+  constructor() {
+    this.analyzers = new Map();
+    this.ruleId = 'S002';
+  }
+
+  getAnalyzer(language) {
+    const normalizedLang = this.normalizeLanguage(language);
+
+    if (!this.analyzers.has(normalizedLang)) {
+      try {
+        const analyzerPath = path.join(__dirname, normalizedLang, 'analyzer.js');
+        const AnalyzerClass = require(analyzerPath);
+        this.analyzers.set(normalizedLang, new AnalyzerClass());
+      } catch (error) {
+        return null;
+      }
+    }
+
+    return this.analyzers.get(normalizedLang);
+  }
+
+  normalizeLanguage(language) {
+    if (typeof language !== 'string') {
+      return 'typescript';
+    }
+    const languageMap = {
+      'typescript': 'typescript',
+      'javascript': 'typescript',
+      'ts': 'typescript',
+      'js': 'typescript',
+      'dart': 'dart'
+    };
+    return languageMap[language.toLowerCase()] || language.toLowerCase();
+  }
+
+  supportsLanguage(language) {
+    if (typeof language !== 'string') return false;
+    const supported = ['typescript', 'javascript', 'ts', 'js', 'dart'];
+    return supported.includes(language.toLowerCase());
+  }
+
+  getSupportedLanguages() {
+    return ['typescript', 'javascript', 'dart'];
+  }
+
+  async analyze(files, language, options = {}) {
+    const analyzer = this.getAnalyzer(language);
+    if (!analyzer) return [];
+    if (typeof analyzer.analyze === 'function') {
+      return analyzer.analyze(files, language, options);
+    }
+    return [];
+  }
+
+  async initialize(semanticEngineOrLanguage = null, semanticEngine = null) {
+    let engine = semanticEngine;
+    let lang = null;
+
+    if (typeof semanticEngineOrLanguage === 'string') {
+      lang = semanticEngineOrLanguage;
+    } else if (semanticEngineOrLanguage && typeof semanticEngineOrLanguage === 'object') {
+      engine = semanticEngineOrLanguage;
+    }
+
+    if (lang) {
+      const analyzer = this.getAnalyzer(lang);
+      if (analyzer && typeof analyzer.initialize === 'function') {
+        await analyzer.initialize(engine);
+      }
+    }
+  }
+}
+
+module.exports = new S002Router();

package/rules/security/S002_os_command_injection/typescript/analyzer.js

@@ -0,0 +1,194 @@
+/**
+ * S002 TypeScript Analyzer - OS Command Injection Protection
+ *
+ * Detects OS command injection vulnerabilities in TypeScript/JavaScript code.
+ *
+ * Rule: Prevent OS command injection by ensuring operating system calls use
+ * parameterized queries or proper output encoding.
+ *
+ * Detects:
+ * - exec() with string concatenation
+ * - spawn/execFile with shell: true and user input
+ * - Template literals in shell commands
+ * - child_process with untrusted data
+ */
+
+const fs = require('fs');
+
+class TypeScriptS002Analyzer {
+  constructor(config = {}) {
+    this.ruleId = 'S002';
+    this.language = 'typescript';
+    this.config = {
+      checkExec: config.checkExec !== false,
+      checkSpawn: config.checkSpawn !== false,
+      checkEval: config.checkEval !== false,
+    };
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S002',
+      name: 'OS Command Injection Protection',
+      language: 'typescript',
+      description: 'Prevent OS command injection by using parameterized commands'
+    };
+  }
+
+  getConfig() {
+    return this.config;
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+
+    for (const filePath of files) {
+      if (!/\.(ts|tsx|js|jsx)$/i.test(filePath)) continue;
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const fileViolations = this.analyzeContent(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        // Skip files that can't be read
+      }
+    }
+
+    return violations;
+  }
+
+  analyzeContent(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    // Skip test files
+    if (/\.(test|spec)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
+        /__(tests?|mocks?)__/i.test(filePath)) {
+      return violations;
+    }
+
+    // Track user input variables
+    const userInputVars = new Set();
+
+    // First pass: identify user input variables
+    lines.forEach((line) => {
+      const inputPatterns = [
+        /const\s+(\w+)\s*=\s*req\.(query|body|params)/,
+        /let\s+(\w+)\s*=\s*req\.(query|body|params)/,
+        /const\s+\{\s*([^}]+)\s*\}\s*=\s*req\.(query|body|params)/,
+      ];
+
+      for (const pattern of inputPatterns) {
+        const match = line.match(pattern);
+        if (match) {
+          if (match[1].includes(',')) {
+            match[1].split(',').forEach(v => userInputVars.add(v.trim()));
+          } else {
+            userInputVars.add(match[1]);
+          }
+        }
+      }
+    });
+
+    // Patterns for detecting OS command injection
+    const patterns = [
+      {
+        // exec() with template literal or string concatenation
+        regex: /exec\s*\(\s*`[^`]*\$\{/g,
+        message: 'OS command injection risk: exec() with template literal containing variables'
+      },
+      {
+        // exec() with string concatenation
+        regex: /exec\s*\([^)]*\+\s*\w+/g,
+        message: 'OS command injection risk: exec() with string concatenation'
+      },
+      {
+        // execSync with template literal
+        regex: /execSync\s*\(\s*`[^`]*\$\{/g,
+        message: 'OS command injection risk: execSync() with template literal'
+      },
+      {
+        // spawn with shell: true
+        regex: /spawn\s*\([^)]+,\s*\{[^}]*shell\s*:\s*true/g,
+        message: 'OS command injection risk: spawn() with shell: true - use argument array instead'
+      },
+      {
+        // spawnSync with shell: true
+        regex: /spawnSync\s*\([^)]+,\s*\{[^}]*shell\s*:\s*true/g,
+        message: 'OS command injection risk: spawnSync() with shell: true'
+      },
+      {
+        // child_process.exec with user input patterns
+        regex: /child_process\.exec\s*\(\s*`[^`]*\$\{/g,
+        message: 'OS command injection risk: child_process.exec with interpolated values'
+      },
+      {
+        // shelljs exec
+        regex: /shell\.exec\s*\(\s*`[^`]*\$\{/g,
+        message: 'OS command injection risk: shelljs exec with template literal'
+      },
+      {
+        // execa with shell option
+        regex: /execa\s*\([^)]+,\s*\{[^}]*shell\s*:\s*true/g,
+        message: 'OS command injection risk: execa with shell: true'
+      },
+      {
+        // Direct system call patterns
+        regex: /\bsystem\s*\(\s*`[^`]*\$\{/g,
+        message: 'OS command injection risk: system() with template literal'
+      },
+      {
+        // eval with user input
+        regex: /eval\s*\(\s*(req\.(query|body|params)|userInput|\w+Input)/g,
+        message: 'Code injection risk: eval() with potentially untrusted input'
+      }
+    ];
+
+    lines.forEach((line, lineIndex) => {
+      // Skip comments
+      if (/^\s*(\/\/|\/\*|\*)/.test(line)) return;
+
+      for (const pattern of patterns) {
+        let match;
+        pattern.regex.lastIndex = 0;
+        while ((match = pattern.regex.exec(line)) !== null) {
+          violations.push({
+            ruleId: 'S002',
+            file: filePath,
+            line: lineIndex + 1,
+            column: match.index + 1,
+            severity: 'error',
+            message: pattern.message,
+            suggestion: 'Use execFile/spawn with argument arrays instead of shell commands with string interpolation'
+          });
+        }
+      }
+
+      // Check for user input variables in exec calls
+      if (/exec\s*\(/.test(line) || /spawn\s*\(/.test(line)) {
+        for (const userVar of userInputVars) {
+          const varPattern = new RegExp(`(exec|spawn)\\s*\\([^)]*\\b${userVar}\\b`, 'g');
+          if (varPattern.test(line)) {
+            violations.push({
+              ruleId: 'S002',
+              file: filePath,
+              line: lineIndex + 1,
+              column: 1,
+              severity: 'error',
+              message: `OS command injection risk: user input "${userVar}" used in shell command`,
+              suggestion: 'Validate and sanitize user input before using in commands, or use allowlists'
+            });
+          }
+        }
+      }
+    });
+
+    return violations;
+  }
+
+  supportsLanguage(language) {
+    return ['typescript', 'javascript', 'ts', 'js'].includes(language.toLowerCase());
+  }
+}
+
+module.exports = TypeScriptS002Analyzer;

package/rules/security/S008_svg_content_validation/dart/analyzer.js

@@ -0,0 +1,44 @@
+/**
+ * S008 Dart Analyzer - SVG Content Validation
+ *
+ * This is a JS wrapper that delegates to DartAnalyzer binary.
+ * Actual implementation: dart_analyzer/lib/rules/security/S008_svg_content_sanitization.dart
+ *
+ * Rule: Ensure user-supplied SVG content is sanitized before rendering
+ */
+
+class DartS008Analyzer {
+  constructor() {
+    this.ruleId = 'S008';
+    this.language = 'dart';
+  }
+
+  getMetadata() {
+    return {
+      ruleId: 'S008',
+      name: 'SVG Content Validation',
+      language: 'dart',
+      delegateTo: 'dart_analyzer',
+      description: 'Ensure user-supplied SVG content is sanitized before rendering'
+    };
+  }
+
+  getConfig() {
+    return {
+      checkSvgRendering: true,
+      checkScriptTags: true,
+      severity: 'warning'
+    };
+  }
+
+  async analyze(files, language, options) {
+    // Delegated to DartAnalyzer binary via heuristic-engine.js
+    return [];
+  }
+
+  supportsLanguage(language) {
+    return language === 'dart';
+  }
+}
+
+module.exports = DartS008Analyzer;