@sun-asterisk/sunlint 1.3.39 → 1.3.40

Files changed (422)
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  3. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  4. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  5. package/origin-rules/dart-en.md +151 -163
  6. package/package.json +2 -1
  7. package/rules/dart/D002_dispose_resources/config.json +25 -0
  8. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  9. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  10. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  11. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  12. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  13. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  14. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  15. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  16. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  17. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  18. package/rules/dart/D013_single_public_class/config.json +10 -0
  19. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  20. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  21. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  22. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  23. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  24. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  25. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  26. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  27. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  28. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  29. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  30. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  31. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  32. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  33. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  98. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  99. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  100. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  101. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  102. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  103. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  104. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  105. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  106. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  107. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  108. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  109. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  110. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  111. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  112. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  113. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  114. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  115. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  116. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  117. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  118. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  119. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  120. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  121. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  122. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  123. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  124. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  125. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  127. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  128. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  129. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  130. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  131. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  132. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  133. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  134. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  136. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  137. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  138. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  139. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  140. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  141. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  143. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  144. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  145. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  146. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  148. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  149. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  150. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  151. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  152. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  153. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  154. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  155. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  156. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  157. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  158. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  159. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  160. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  161. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  162. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  163. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  164. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  165. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  166. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  167. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  168. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  169. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  170. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  171. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  172. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  173. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  174. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  175. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  176. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  177. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  178. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  179. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  180. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  181. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  182. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  183. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  184. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  185. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  186. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  187. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  188. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  189. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  190. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  191. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  192. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  193. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  194. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  195. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  196. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  197. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  198. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  199. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  200. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  201. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  202. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  203. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  204. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  205. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  206. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  207. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  208. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  209. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  210. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  211. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  212. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  213. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  214. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  215. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  216. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  217. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  218. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  219. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  220. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  221. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  222. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  223. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  224. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  225. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  226. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  227. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  228. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  229. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  230. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  231. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  232. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  233. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  234. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  235. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  236. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  237. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  238. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  239. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  240. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  241. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  242. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  243. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  244. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  245. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  246. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  247. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  248. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  249. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  250. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  251. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  252. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  253. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  254. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  255. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  256. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  257. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  259. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  260. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  261. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  262. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  263. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  264. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  265. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  266. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  268. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  269. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  270. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  271. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  272. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  273. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  274. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  275. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  276. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  277. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  278. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  279. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  280. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  281. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  282. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  283. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  284. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  285. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  286. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  287. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  288. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  289. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  290. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  291. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  292. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  293. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  294. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  295. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  296. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  297. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  298. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  299. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  300. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  301. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  302. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  303. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  304. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  305. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  306. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  307. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  308. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  309. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  310. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  311. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  312. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  313. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  314. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  315. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  316. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  317. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  318. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  319. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  320. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  321. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  322. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  323. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  324. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  325. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  326. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  327. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  328. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  329. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  330. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  331. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  332. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  333. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  334. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  335. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  336. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  337. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  338. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  339. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  340. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  341. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  342. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  343. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  344. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  345. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  346. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  347. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  348. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  349. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  350. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  351. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  352. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  353. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  354. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  355. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  356. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  357. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  358. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  359. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  360. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  361. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  362. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  363. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  364. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  365. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  366. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  367. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  368. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  369. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  370. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  371. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  372. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  373. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  374. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  375. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  376. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  377. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  378. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  379. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  380. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  381. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  382. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  383. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  384. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  385. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  386. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  387. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  388. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  389. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  390. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  391. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  392. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  393. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  394. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  395. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  396. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  397. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  398. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  399. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  400. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  401. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  402. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  403. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  404. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  405. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  406. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  407. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  408. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  409. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  410. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  411. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  412. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  413. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  414. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  415. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  416. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  417. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  418. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  419. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  420. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  421. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  422. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Output Encoding Before Interpreter Use
3
+ impact: HIGH
4
+ impactDescription: prevents XSS and injection attacks
5
+ tags: xss, encoding, output, html, security, csharp, razor
6
+ ---
7
+
8
+ ## Output Encoding Before Interpreter Use
9
+
10
+ XSS attacks occur when unescaped user data is rendered in the browser. In ASP.NET Core, Razor automatically encodes output, but using `Html.Raw` or unsafe rendering bypasses this.
11
+
12
+ **Incorrect (no encoding):**
13
+
14
+ ```csharp
15
+ // Razor View - XSS Vulnerability
16
+ @Html.Raw(Model.UserDescription)
17
+
18
+ // Returning raw HTML from Controller
19
+ return Content($"<h1>Hello {userInput}</h1>", "text/html");
20
+ ```
21
+
22
+ **Correct (context-aware encoding):**
23
+
24
+ ```csharp
25
+ // Razor - Auto-encoded (Safe)
26
+ @Model.UserDescription
27
+
28
+ // If you MUST use Html.Raw, sanitize first
29
+ @Html.Raw(_sanitizer.Sanitize(Model.UserDescription))
30
+
31
+ // Controller - Use libraries
32
+ using System.Text.Encodings.Web;
33
+ var safeHtml = HtmlEncoder.Default.Encode(userInput);
34
+ ```
35
+
36
+ **Tools:** Roslyn Analyzers, SonarQube (S5131)
@@ -0,0 +1,37 @@
1
+ ---
2
+ title: Use Only Approved Cryptographic Algorithms
3
+ impact: HIGH
4
+ impactDescription: prevents use of broken cryptography
5
+ tags: cryptography, crypto, hashing, encryption, security, csharp
6
+ ---
7
+
8
+ ## Use Only Approved Cryptographic Algorithms
9
+
10
+ Obsolete algorithms (MD5, SHA1, DES) are vulnerable to collision and pre-image attacks.
11
+
12
+ **Incorrect (broken algorithms):**
13
+
14
+ ```csharp
15
+ using System.Security.Cryptography;
16
+
17
+ // MD5 is broken
18
+ var md5 = MD5.Create();
19
+ // SHA1 is broken
20
+ var sha1 = SHA1.Create();
21
+ // DES is broken
22
+ var des = DES.Create();
23
+ ```
24
+
25
+ **Correct (strong algorithms):**
26
+
27
+ ```csharp
28
+ // SHA-256 or higher for hashing
29
+ using var sha256 = SHA256.Create();
30
+
31
+ // AES for encryption (GCM recommended)
32
+ using var aes = Aes.Create();
33
+ aes.KeySize = 256;
34
+ aes.Mode = CipherMode.CBC; // Or GCM via AesGcm class
35
+ ```
36
+
37
+ **Tools:** Roslyn Analyzers (CA5350, CA5351), SonarQube
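Review bot: Line 34 of the hunk sets `aes.Mode = CipherMode.CBC` inside the block headed "Correct (strong algorithms)", but unauthenticated CBC is malleable and exposes the application to padding-oracle attacks, so it should not be the example readers copy. The trailing comment already names the right primitive; make it the sample instead, e.g. `using var aesGcm = new AesGcm(key);` with a fresh random 12-byte nonce per message, and state that CBC is acceptable only when combined with an encrypt-then-MAC tag (HMAC over IV and ciphertext). Line 10 also describes MD5/SHA-1/DES as vulnerable to "collision and pre-image attacks"; the practical break for MD5 and SHA-1 is collision resistance, and DES fails on key size, so the sentence should say that rather than claim pre-image breaks.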
@@ -0,0 +1,32 @@
1
+ ---
2
+ title: Use CSPRNG For Security Purposes
3
+ impact: HIGH
4
+ impactDescription: prevents predictable random numbers
5
+ tags: crypto, random, entropy, csprng, security, csharp
6
+ ---
7
+
8
+ ## Use CSPRNG For Security Purposes
9
+
10
+ `System.Random` is not cryptographically secure and should not be used for tokens, keys, or passwords.
11
+
12
+ **Incorrect (predictable):**
13
+
14
+ ```csharp
15
+ var random = new Random();
16
+ var token = random.Next(100000, 999999); // Predictable!
17
+ ```
18
+
19
+ **Correct (CSPRNG):**
20
+
21
+ ```csharp
22
+ using System.Security.Cryptography;
23
+
24
+ // Generate secure bytes
25
+ var bytes = new byte[32];
26
+ RandomNumberGenerator.Fill(bytes);
27
+
28
+ // Or for integers
29
+ var secureInt = RandomNumberGenerator.GetInt32(100000, 999999);
30
+ ```
31
+
32
+ **Tools:** Roslyn Analyzers (CA5394), SonarQube
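Review bot: Line 29 of the hunk calls `RandomNumberGenerator.GetInt32(100000, 999999)`; the second argument is exclusive, so the "correct" sample never yields 999999, and the "incorrect" sample on line 16 carries the same off-by-one with `Random.Next`. For a six-digit code use `var code = RandomNumberGenerator.GetInt32(1_000_000).ToString("D6");` so the whole space is used and leading zeros are preserved. The prose on line 10 could also mention `Random.Shared` (.NET 6+), which is the current idiomatic `System.Random` entry point and is equally unsuitable for tokens.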
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Enable Encrypted Client Hello (ECH)
3
+ impact: HIGH
4
+ impactDescription: protects privacy of connection metadata
5
+ tags: tls, ech, privacy, encryption, security, csharp
6
+ ---
7
+
8
+ ## Enable Encrypted Client Hello (ECH)
9
+
10
+ ECH encrypts the initial TLS handshake (SNI) to prevent ISPs from seeing which domain you are connecting to.
11
+
12
+ **Status:**
13
+ - Support in .NET is dependent on the underlying OS (OpenSSL 3+ on Linux, Windows 11+).
14
+ - Requires DNS configuration (HTTPS records).
15
+
16
+ **Implementation:**
17
+
18
+ ```csharp
19
+ // Kestrel configuration (mostly transparent if OS supports it)
20
+ // Ensure you are using HTTP/3 (QUIC) and latest TLS
21
+ webBuilder.ConfigureKestrel(options =>
22
+ {
23
+ options.ListenAnyIP(443, listenOptions =>
24
+ {
25
+ listenOptions.UseHttps();
26
+ listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
27
+ });
28
+ });
29
+ ```
30
+
31
+ **Checklist:**
32
+ - [ ] Configure DNS HTTPS records
33
+ - [ ] Use Cloudflare or ECH-enabled CDN
34
+ - [ ] Ensure underlying OS supports ECH
35
+
36
+ **Tools:** SSL Labs, Wireshark
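Review bot: The snippet on lines 18–29 of the hunk enables HTTPS and HTTP/3 on port 443 but contains nothing that turns on Encrypted Client Hello, so a reader following it will believe ECH is configured when it is not. As far as I can tell Kestrel and SslStream expose no ECH setting, and the checklist on lines 31–34 already implies that ECH is delivered by the DNS HTTPS record plus an ECH-capable TLS terminator or CDN in front of the app; the text should say that explicitly and the comment on line 19 ("mostly transparent if OS supports it") should be dropped or rewritten as `// This only enables HTTP/3; ECH itself is negotiated by the TLS terminator/CDN in front of Kestrel`. The OS-support claim on line 13 (OpenSSL 3+, Windows 11+) is not something I can verify from the page and should cite a version reference or be removed.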
@@ -0,0 +1,35 @@
1
+ ---
2
+ title: Use Secrets Management For Backend Secrets
3
+ impact: CRITICAL
4
+ impactDescription: centralizes and secures credential storage
5
+ tags: secrets, vault, credentials, configuration, security, csharp
6
+ ---
7
+
8
+ ## Use Secrets Management For Backend Secrets
9
+
10
+ Avoid hardcoding secrets or committing them to source control. Use standard mechanisms like User Secrets (dev) and KeyVault/Environment Variables (prod).
11
+
12
+ **Incorrect (hardcoded):**
13
+
14
+ ```csharp
15
+ public void ConfigureServices(IServiceCollection services)
16
+ {
17
+ var apiKey = "sk-1234567890"; // Hardcoded secret
18
+ }
19
+ ```
20
+
21
+ **Correct (secrets management):**
22
+
23
+ ```csharp
24
+ // Development: dotnet user-secrets set "ApiKey" "..."
25
+ // Production: Azure Key Vault or Environment Variables
26
+
27
+ public void ConfigureServices(IServiceCollection services)
28
+ {
29
+ var apiKey = Configuration["ApiKey"]; // Loaded from secure source
30
+
31
+ if (string.IsNullOrEmpty(apiKey)) throw new Exception("ApiKey missing");
32
+ }
33
+ ```
34
+
35
+ **Tools:** Azure Key Vault, AWS Secrets Manager, dotnet user-secrets
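Review bot: Line 31 of the hunk throws a bare `System.Exception`, which analyzers flag (CA2201) and which callers cannot catch selectively; a missing configuration value is an `InvalidOperationException`: `if (string.IsNullOrEmpty(apiKey)) throw new InvalidOperationException("ApiKey missing");`. Since this file is the model readers will copy, the "correct" sample is the wrong place for the anti-pattern. A one-line comment noting that the exception message must never include the secret's value (only its key name, as here) would also fit the rule's intent.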
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Always Use TLS For All Connections
3
+ impact: HIGH
4
+ impactDescription: protects data in transit from eavesdropping
5
+ tags: tls, https, encryption, transport, security, csharp
6
+ ---
7
+
8
+ ## Always Use TLS For All Connections
9
+
10
+ Force HTTPS in your application and ensure all external connections use TLS.
11
+
12
+ **Incorrect (HTTP):**
13
+
14
+ ```csharp
15
+ // Unencrypted HttpClient
16
+ var client = new HttpClient { BaseAddress = new Uri("http://api.example.com") };
17
+ ```
18
+
19
+ **Correct (HTTPS Enforcement):**
20
+
21
+ ```csharp
22
+ // Startup.cs / Program.cs
23
+ public void Configure(IApplicationBuilder app)
24
+ {
25
+ // Force HTTPS Redirection
26
+ app.UseHttpsRedirection();
27
+
28
+ // HSTS (Strict Transport Security)
29
+ app.UseHsts();
30
+ }
31
+
32
+ // Secure HttpClient
33
+ var client = new HttpClient { BaseAddress = new Uri("https://api.example.com") };
34
+ ```
35
+
36
+ **Tools:** SSLyze, OWASP ZAP
@@ -0,0 +1,39 @@
1
+ ---
2
+ title: Do Not Pass Sensitive Data In Query String
3
+ impact: HIGH
4
+ impactDescription: prevents sensitive data leakage in logs
5
+ tags: sensitive-data, query-string, logging, privacy, security, csharp
6
+ ---
7
+
8
+ ## Do Not Pass Sensitive Data In Query String
9
+
10
+ Query strings are logged by servers, proxies, and browsers. Never put passwords, tokens, or PII in URL parameters.
11
+
12
+ **Incorrect (sensitive data in URL):**
13
+
14
+ ```csharp
15
+ [HttpGet]
16
+ // DANGEROUS: /login?password=secret
17
+ public IActionResult Login(string username, string password)
18
+ {
19
+ // ...
20
+ }
21
+
22
+ var url = $"https://api.example.com/reset?token={resetToken}";
23
+ ```
24
+
25
+ **Correct (POST body or Headers):**
26
+
27
+ ```csharp
28
+ [HttpPost]
29
+ public IActionResult Login([FromBody] LoginModel model)
30
+ {
31
+ // Password is in body, not URL
32
+ // ...
33
+ }
34
+
35
+ // Pass tokens in Headers
36
+ client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
37
+ ```
38
+
39
+ **Tools:** Roslyn Analyzers, SonarQube
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: Always Use Parameterized Queries
3
+ impact: CRITICAL
4
+ impactDescription: prevents SQL and NoSQL injection attacks
5
+ tags: injection, sql, nosql, database, parameterized, security, csharp
6
+ ---
7
+
8
+ ## Always Use Parameterized Queries
9
+
10
+ SQL injection is one of the top security vulnerabilities. Direct string concatenation allows attackers to execute arbitrary database commands, steal data, or destroy databases.
11
+
12
+ **Incorrect (string concatenation):**
13
+
14
+ ```csharp
15
+ // SQL Injection vulnerability with ADO.NET
16
+ string userId = Request.QueryString["id"];
17
+ string query = "SELECT * FROM Users WHERE Id = '" + userId + "'";
18
+ SqlCommand cmd = new SqlCommand(query, connection);
19
+ var reader = cmd.ExecuteReader();
20
+
21
+ // Vulnerability with EF Core (FromSqlRaw)
22
+ var user = context.Users
23
+ .FromSqlRaw($"SELECT * FROM Users WHERE Id = '{userId}'")
24
+ .FirstOrDefault();
25
+ ```
26
+
27
+ **Correct (parameterized queries):**
28
+
29
+ ```csharp
30
+ // Parameterized query - ADO.NET
31
+ string userId = Request.QueryString["id"];
32
+ string query = "SELECT * FROM Users WHERE Id = @Id";
33
+ SqlCommand cmd = new SqlCommand(query, connection);
34
+ cmd.Parameters.AddWithValue("@Id", userId); // Safe
35
+ var reader = cmd.ExecuteReader();
36
+
37
+ // EF Core - Automatically parameterized
38
+ var user = context.Users
39
+ .FirstOrDefault(u => u.Id == userId);
40
+
41
+ // EF Core - Interpolated SQL (Safe)
42
+ var user = context.Users
43
+ .FromSqlInterpolated($"SELECT * FROM Users WHERE Id = {userId}")
44
+ .FirstOrDefault();
45
+ ```
46
+
47
+ **Tools:** Roslyn Analyzers (CA2100), SonarQube (S2077, S3649), Security Code Scan
@@ -0,0 +1,35 @@
1
+ ---
2
+ title: Sanitize Input Before Sending Emails
3
+ impact: MEDIUM
4
+ impactDescription: prevents email header injection
5
+ tags: email, injection, sanitization, input-validation, security, csharp
6
+ ---
7
+
8
+ ## Sanitize Input Before Sending Emails
9
+
10
+ Email header injection allows attackers to inject headers (Bcc, From) by including CRLF characters in input fields.
11
+
12
+ **Incorrect (unsanitized inputs):**
13
+
14
+ ```csharp
15
+ // Vulnerable to Header Injection
16
+ var message = new MailMessage();
17
+ message.Subject = userInput; // "Subject\r\nBcc: victim@example.com"
18
+ ```
19
+
20
+ **Correct (sanitized email fields):**
21
+
22
+ ```csharp
23
+ public string SanitizeEmailHeader(string input)
24
+ {
25
+ if (string.IsNullOrEmpty(input)) return input;
26
+ // Remove newlines to prevent header injection
27
+ return Regex.Replace(input, @"[\r\n]", ""); // Simple removal
28
+ }
29
+
30
+ var message = new MailMessage();
31
+ message.Subject = SanitizeEmailHeader(userInput);
32
+ message.Body = userInput; // Body is usually safe from header injection, but beware XSS if HTML
33
+ ```
34
+
35
+ **Tools:** Security Code Scan, SonarQube
@@ -0,0 +1,56 @@
1
+ ---
2
+ title: Avoid Eval Or Dynamic Code Execution
3
+ impact: HIGH
4
+ impactDescription: prevents remote code execution vulnerabilities
5
+ tags: eval, code-execution, rce, injection, security, csharp
6
+ ---
7
+
8
+ ## Avoid Eval Or Dynamic Code Execution
9
+
10
+ Dynamic code execution functions allow attackers to execute arbitrary code on the server. In C#, this often involves `Assembly.Load`, `Process.Start` with user input, or dynamic compilation tools like Roslyn scripting.
11
+
12
+ **Incorrect (dynamic code execution):**
13
+
14
+ ```csharp
15
+ // Executing user input as code
16
+ using Microsoft.CodeAnalysis.CSharp.Scripting;
17
+
18
+ string userCode = Request.Form["code"];
19
+ var result = await CSharpScript.EvaluateAsync(userCode); // RCE Vulnerability!
20
+
21
+ // Loading arbitrary assembly
22
+ var assembly = Assembly.LoadFile(userInputPath); // Dangerous
23
+
24
+ // Command Injection via Process.Start
25
+ Process.Start("cmd.exe", "/c " + userInput);
26
+ ```
27
+
28
+ **Correct (safe alternatives):**
29
+
30
+ ```csharp
31
+ // Use a math parser library for formulas
32
+ var result = new DataTable().Compute("1 + 2", null); // Simple math only
33
+
34
+ // Use Strategy Pattern or Dictionary for dynamic logic
35
+ var actions = new Dictionary<string, Action>
36
+ {
37
+ { "start", StartService },
38
+ { "stop", StopService }
39
+ };
40
+
41
+ if (actions.TryGetValue(userInput, out var action))
42
+ {
43
+ action();
44
+ }
45
+
46
+ // Process.Start with explicit arguments (no shell execute)
47
+ var startInfo = new ProcessStartInfo
48
+ {
49
+ FileName = "git",
50
+ ArgumentList = { "status" }, // Safe list
51
+ UseShellExecute = false
52
+ };
53
+ Process.Start(startInfo);
54
+ ```
55
+
56
+ **Tools:** Roslyn Analyzers, SonarQube (S1523), Security Code Scan
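Review bot: Line 32 of the hunk presents `new DataTable().Compute(...)` as a safe formula evaluator, but `DataTable.Compute` parses the full `DataColumn.Expression` language (functions such as `CONVERT`, `SUBSTRING`, `IIF`, aggregates, arbitrarily nested expressions), so feeding user-supplied formulas to it recreates the class of problem the rule warns about — at minimum resource exhaustion and error-text reflection. The example only looks safe because the expression is the literal `"1 + 2"`; the comment on line 31 should read `// Never pass user input to DataTable.Compute; for user formulas use a dedicated parser with an allow-listed grammar`. The `ArgumentList` sample on lines 47–53 is the right pattern and could add that `FileName` must also never come from the request.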
@@ -0,0 +1,50 @@
1
+ ---
2
+ title: Escape Data By Output Context
3
+ impact: MEDIUM
4
+ impactDescription: ensures correct encoding for each output context
5
+ tags: xss, escaping, context, encoding, security, csharp
6
+ ---
7
+
8
+ ## Escape Data By Output Context
9
+
10
+ Different output contexts (HTML, JavaScript, URL, Header) require different encoding methods.
11
+
12
+ **Incorrect (wrong context encoding):**
13
+
14
+ ```csharp
15
+ // Razor View - Script Context
16
+ <script>
17
+ // XSS: If userInput contains quotes, it breaks the string
18
+ var userData = "@Model.UserInput";
19
+ </script>
20
+
21
+ // Header Injection
22
+ Response.Headers.Add("X-Custom", userInput);
23
+ ```
24
+
25
+ **Correct (context-appropriate encoding):**
26
+
27
+ ```csharp
28
+ using System.Text.Encodings.Web;
29
+
30
+ // JavaScript Context in Razor
31
+ <script>
32
+ var userData = @Json.Serialize(Model.UserInput); // Safe JSON encoding
33
+ </script>
34
+
35
+ // Explicit JS Encoder
36
+ var safeJs = JavaScriptEncoder.Default.Encode(userInput);
37
+
38
+ // URL Context
39
+ var safeUrl = UrlEncoder.Default.Encode(userInput);
40
+ // or
41
+ var safeUrl = Uri.EscapeDataString(userInput);
42
+
43
+ // Header - Strip CRLF
44
+ if (!userInput.Contains('\r') && !userInput.Contains('\n'))
45
+ {
46
+ Response.Headers.Add("X-Custom", userInput);
47
+ }
48
+ ```
49
+
50
+ **Tools:** Roslyn Analyzers, SonarQube
@@ -0,0 +1,34 @@
1
+ ---
2
+ title: Output Encoding For Dynamic JS/JSON
3
+ impact: HIGH
4
+ impactDescription: prevents injection in JavaScript contexts
5
+ tags: xss, javascript, json, encoding, security, csharp
6
+ ---
7
+
8
+ ## Output Encoding For Dynamic JS/JSON
9
+
10
+ Embedding user data in JavaScript or JSON blocks in Razor pages requires proper encoding.
11
+
12
+ **Incorrect (unescaped data in JS):**
13
+
14
+ ```csharp
15
+ // XSS in Razor
16
+ <script>
17
+ var user = "@Model.Username"; // Vulnerable if Username contains quotes
18
+ </script>
19
+ ```
20
+
21
+ **Correct (proper JSON encoding):**
22
+
23
+ ```csharp
24
+ // Use Json.Serialize in Razor
25
+ <script>
26
+ var user = @Json.Serialize(Model.Username); // Encodes quotes and special chars
27
+ </script>
28
+
29
+ // Or encode explicitly in C#
30
+ var safeJson = JsonConvert.SerializeObject(userData); // Newtonsoft
31
+ var safeJson = JsonSerializer.Serialize(userData); // System.Text.Json
32
+ ```
33
+
34
+ **Tools:** Roslyn Analyzers, SonarQube
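Review bot: Line 30 of the hunk recommends `JsonConvert.SerializeObject(userData)` for data embedded in a `<script>` block, but Newtonsoft.Json does not escape `<`, `>` or `&` by default, so a value containing `</script>` terminates the script element and the remainder is parsed as markup. Configure it with `new JsonSerializerSettings { StringEscapeHandling = StringEscapeHandling.EscapeHtml }` when the output lands in HTML, or prefer `System.Text.Json`, whose default encoder escapes those characters — which is also why Razor's `Json.Serialize` on line 26 is safe. A sentence should warn that the System.Text.Json protection is lost if the serializer is configured with `JavaScriptEncoder.UnsafeRelaxedJsonEscaping`.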
@@ -0,0 +1,56 @@
1
+ ---
2
+ title: Always Validate Client Data Server-side
3
+ impact: MEDIUM
4
+ impactDescription: ensures input validation cannot be bypassed
5
+ tags: validation, server-side, input, sanitization, security, csharp
6
+ ---
7
+
8
+ ## Always Validate Client Data Server-side
9
+
10
+ Client-side validation is for UX only and can be bypassed. Always validate in your C# Controllers or Services.
11
+
12
+ **Incorrect (trusting client):**
13
+
14
+ ```csharp
15
+ [HttpPost]
16
+ public IActionResult Transfer(TransferRequest request)
17
+ {
18
+ // trusting that frontend sent valid data
19
+ _service.Transfer(request.Amount, request.ToAccount);
20
+ return Ok();
21
+ }
22
+ ```
23
+
24
+ **Correct (comprehensive server validation):**
25
+
26
+ ```csharp
27
+ // Using FluentValidation
28
+ public class TransferRequestValidator : AbstractValidator<TransferRequest>
29
+ {
30
+ public TransferRequestValidator()
31
+ {
32
+ RuleFor(x => x.Amount).GreaterThan(0).LessThan(10000);
33
+ RuleFor(x => x.ToAccount).Matches(@"^[A-Z]{2}\d{18}$");
34
+ }
35
+ }
36
+
37
+ [HttpPost]
38
+ public IActionResult Transfer(TransferRequest request)
39
+ {
40
+ if (!ModelState.IsValid)
41
+ {
42
+ return BadRequest(ModelState);
43
+ }
44
+
45
+ // Business validation
46
+ if (!_service.AccountExists(request.ToAccount))
47
+ {
48
+ return NotFound("Account not found");
49
+ }
50
+
51
+ _service.Transfer(request.Amount, request.ToAccount);
52
+ return Ok();
53
+ }
54
+ ```
55
+
56
+ **Tools:** FluentValidation, DataAnnotations, SonarQube
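Review bot: Lines 40–43 of the hunk rely on `ModelState.IsValid` to reflect the FluentValidation rules declared on lines 28–35, but that only holds if automatic validation has been registered with MVC (the `FluentValidation.AspNetCore` integration, which the sample does not show); otherwise `ModelState` reflects DataAnnotations only and the validator never runs. Either show the registration step or validate explicitly in the action, e.g. `var result = await _validator.ValidateAsync(request); if (!result.IsValid) return BadRequest(result.Errors);`. A short comment above line 46 noting that the existence check is an authorization-relevant step (the caller must also be allowed to transfer to that account) would tie the example back to the rule's "cannot be bypassed" claim.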
@@ -0,0 +1,28 @@
1
+ ---
2
+ title: TLS Encryption For All Connections (Database)
3
+ impact: CRITICAL
4
+ impactDescription: protects data in transit from interception
5
+ tags: tls, encryption, https, transport, security, csharp
6
+ ---
7
+
8
+ ## TLS Encryption For All Connections (Database)
9
+
10
+ Database connections must be encrypted.
11
+
12
+ **Incorrect (unencrypted connection string):**
13
+
14
+ ```
15
+ Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;
16
+ ```
17
+
18
+ **Correct (encrypted):**
19
+
20
+ ```
21
+ // SQL Server
22
+ Server=myServerAddress;...;Encrypt=True;TrustServerCertificate=False;
23
+
24
+ // PostgreSQL (Npgsql)
25
+ Server=...;SSL Mode=Require;
26
+ ```
27
+
28
+ **Tools:** Connection String validation
@@ -0,0 +1,40 @@
1
+ ---
2
+ title: Validate mTLS Certificates Before Auth
3
+ impact: CRITICAL
4
+ impactDescription: ensures mutual authentication between services
5
+ tags: mtls, certificates, authentication, service-mesh, security, csharp
6
+ ---
7
+
8
+ ## Validate mTLS Certificates Before Auth
9
+
10
+ Use Mutual TLS for service-to-service authentication.
11
+
12
+ **Configuration (Kestrel):**
13
+
14
+ ```csharp
15
+ webBuilder.ConfigureKestrel(options =>
16
+ {
17
+ options.ConfigureHttpsDefaults(httpsOptions =>
18
+ {
19
+ httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
20
+
21
+ // Custom validation logic
22
+ httpsOptions.ClientCertificateValidation = (cert, chain, errors) =>
23
+ {
24
+ return cert.Issuer == "CN=MyInternalCA";
25
+ };
26
+ });
27
+ });
28
+ ```
29
+
30
+ **Authorization:**
31
+
32
+ ```csharp
33
+ services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
34
+ .AddCertificate();
35
+
36
+ [Authorize]
37
+ public IActionResult InternalApi() { }
38
+ ```
39
+
40
+ **Tools:** Kestrel Configuration, OpenSSL
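Review bot: Line 24 of the hunk accepts any client certificate whose issuer DN string equals `CN=MyInternalCA`; the issuer field is chosen freely by whoever creates a certificate, so a self-signed certificate claiming that issuer passes, while the `chain` and `errors` arguments that carry the real trust result are ignored. The callback should require `errors == SslPolicyErrors.None` and pin the root rather than compare a name, e.g. `return errors == SslPolicyErrors.None && chain is not null && chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint.Equals(INTERNAL_CA_THUMBPRINT /* placeholder */, StringComparison.OrdinalIgnoreCase);`, with the internal CA installed in the trust store (or a custom trust store) so chain building succeeds. `AddCertificate()` on line 34 applies its own validation options, so the text should say the Kestrel callback and the authentication handler must agree on the trust rules. Line 37's `InternalApi() { }` has no return statement and reads as a placeholder body.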
@@ -0,0 +1,50 @@
1
+ ---
2
+ title: Limit Upload File Size And Count
3
+ impact: HIGH
4
+ impactDescription: prevents DoS via resource exhaustion
5
+ tags: upload, dos, resource-limits, files, security, csharp
6
+ ---
7
+
8
+ ## Limit Upload File Size And Count
9
+
10
+ Unrestricted file uploads can exhaust server disk space and memory (DoS).
11
+
12
+ **Incorrect (unlimited):**
13
+
14
+ ```csharp
15
+ [HttpPost]
16
+ public async Task<IActionResult> Upload(List<IFormFile> files)
17
+ {
18
+ foreach (var file in files)
19
+ {
20
+ // No size check!
21
+ await file.CopyToAsync(stream);
22
+ }
23
+ }
24
+ ```
25
+
26
+ **Correct (limits):**
27
+
28
+ ```csharp
29
+ // Global limit in Startup
30
+ services.Configure<FormOptions>(options =>
31
+ {
32
+ options.MultipartBodyLengthLimit = 10 * 1024 * 1024; // 10MB
33
+ });
34
+
35
+ // Action-specific limit
36
+ [HttpPost]
37
+ [RequestSizeLimit(10 * 1024 * 1024)]
38
+ public async Task<IActionResult> Upload(List<IFormFile> files)
39
+ {
40
+ if (files.Count > 5) return BadRequest("Too many files");
41
+
42
+ foreach (var file in files)
43
+ {
44
+ if (file.Length > 2 * 1024 * 1024) return BadRequest("File too large");
45
+ // ...
46
+ }
47
+ }
48
+ ```
49
+
50
+ **Tools:** ASP.NET Core Middleware, IIS Request Filtering
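Review bot: The per-file check on line 44 and the count check on line 40 of the hunk run only after model binding has already read and buffered the whole multipart body, so they do not limit the resource usage the rule is about; what actually bounds it is `MultipartBodyLengthLimit` on line 32 and `[RequestSizeLimit]` on line 37, and the text should say the in-action checks enforce business rules rather than DoS protection. Worth one sentence each: Kestrel's `MaxRequestBodySize` (default about 30 MB) also applies, and for genuinely large uploads the streaming `MultipartReader` pattern instead of `IFormFile` is what lets size be enforced while reading. The "incorrect" sample on line 21 references an undeclared `stream`, presumably a placeholder.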