@sun-asterisk/sunlint 1.3.39 → 1.3.40

package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md

@@ -0,0 +1,42 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents cross-site request forgery attacks
+tags: csrf, tokens, forms, security, csharp
+---
+
+## Apply CSRF Protection
+
+CSRF attacks trick users into submitting malicious requests. ASP.NET Core provides built-in protection.
+
+**Incorrect (disabled or missing validation):**
+
+```csharp
+[HttpPost]
+// Missing [ValidateAntiForgeryToken]
+public IActionResult Transfer(int amount)
+{
+    // ...
+}
+```
+
+**Correct (enabled protection):**
+
+```csharp
+[HttpPost]
+[ValidateAntiForgeryToken] // Enforce token validation
+public IActionResult Transfer(int amount)
+{
+    // ...
+}
+
+// In Razor Pages, this is automatic for <form> tags.
+// For AJAX, send the token in a header:
+/*
+    headers: {
+        "RequestVerificationToken": $('input[name="__RequestVerificationToken"]').val()
+    }
+*/
+```
+
+**Tools:** Roslyn Analyzers (CA5391), SonarQube

package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md

@@ -0,0 +1,26 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents information disclosure
+tags: configuration, information-disclosure, security, csharp
+---
+
+## Disable Directory Browsing
+
+Directory browsing allows attackers to verify file existence and structure.
+
+**Incorrect (enabled):**
+
+```csharp
+app.UseDirectoryBrowser(); // Dangerous in production
+```
+
+**Correct (disabled):**
+
+```csharp
+// Remove UseDirectoryBrowser() call.
+// Only use StaticFiles
+app.UseStaticFiles();
+```
+
+**Tools:** Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md

@@ -0,0 +1,35 @@
+---
+title: Set Secure Flag On Session Cookies
+impact: HIGH
+impactDescription: prevents cookie theft over HTTP
+tags: cookies, session, https, security, csharp
+---
+
+## Set Secure Flag On Session Cookies
+
+Session cookies must only be sent over HTTPS.
+
+**Incorrect (missing secure):**
+
+```csharp
+Response.Cookies.Append("session", token); // Defaults to Secure=false often
+```
+
+**Correct (Secure=true):**
+
+```csharp
+var options = new CookieOptions
+{
+    Secure = true, // Only HTTPS
+    HttpOnly = true
+};
+Response.Cookies.Append("session", token, options);
+
+// Global Policy
+services.Configure<CookiePolicyOptions>(options =>
+{
+    options.Secure = CookieSecurePolicy.Always;
+});
+```
+
+**Tools:** Browser DevTools, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md

@@ -0,0 +1,31 @@
+---
+title: Set HttpOnly On Session Cookies
+impact: HIGH
+impactDescription: prevents XSS cookie theft
+tags: cookies, session, xss, security, csharp
+---
+
+## Set HttpOnly On Session Cookies
+
+HttpOnly cookies cannot be accessed by JavaScript, preventing XSS attacks from stealing sessions.
+
+**Incorrect (HttpOnly=false):**
+
+```csharp
+var options = new CookieOptions
+{
+    HttpOnly = false // Accessible via document.cookie
+};
+```
+
+**Correct (HttpOnly=true):**
+
+```csharp
+var options = new CookieOptions
+{
+    HttpOnly = true
+};
+Response.Cookies.Append("session", token, options);
+```
+
+**Tools:** Browser DevTools

package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md

@@ -0,0 +1,36 @@
+---
+title: Set SameSite On Session Cookies
+impact: HIGH
+impactDescription: prevents CSRF attacks
+tags: cookies, session, csrf, security, csharp
+---
+
+## Set SameSite On Session Cookies
+
+SameSite prevents cookies from being sent in cross-site requests, mitigating CSRF.
+
+**Incorrect (None/Lax):**
+
+```csharp
+var options = new CookieOptions
+{
+    SameSite = SameSiteMode.None // Vulnerable to CSRF
+};
+```
+
+**Correct (Strict/Lax):**
+
+```csharp
+var options = new CookieOptions
+{
+    SameSite = SameSiteMode.Strict // Best security
+};
+
+// OR Lax (allows top-level navigation)
+var options = new CookieOptions
+{
+    SameSite = SameSiteMode.Lax
+};
+```
+
+**Tools:** Browser DevTools

package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md

@@ -0,0 +1,31 @@
+---
+title: Use __Host- Prefix For Cookies
+impact: MEDIUM
+impactDescription: enforces strict cookie security attributes
+tags: cookies, naming, security, csharp
+---
+
+## Use __Host- Prefix For Cookies
+
+Prefixing cookies with `__Host-` forces the browser to require `Secure`, `Path=/`, and no `Domain` attribute.
+
+**Incorrect:**
+
+```csharp
+Response.Cookies.Append("session", token);
+```
+
+**Correct:**
+
+```csharp
+// Browser rejects this cookie if attributes are missing
+var options = new CookieOptions
+{
+    Secure = true,
+    Path = "/",
+    // Domain must be null
+};
+Response.Cookies.Append("__Host-session", token, options);
+```
+
+**Tools:** Browser DevTools

package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md

@@ -0,0 +1,26 @@
+---
+title: Host Apps On Different Hostnames
+impact: MEDIUM
+impactDescription: prevents cookie leaking and same-origin issues
+tags: architecture, deployment, security, csharp
+---
+
+## Host Apps On Different Hostnames
+
+Don't host untrusted content on the same domain as sensitive apps.
+
+**Incorrect:**
+
+```
+App: example.com
+User Content: example.com/uploads/malicious.html (Can read cookies via XSS)
+```
+
+**Correct:**
+
+```
+App: app.example.com
+User Content: user-content.com
+```
+
+**Tools:** Architecture Review

package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md

@@ -0,0 +1,36 @@
+---
+title: Use Internal Data For File Paths (Path Traversal)
+impact: HIGH
+impactDescription: prevents path traversal attacks
+tags: file-system, path-traversal, security, csharp
+---
+
+## Use Internal Data For File Paths (Path Traversal)
+
+Never use user input directly in file paths.
+
+**Incorrect (path traversal):**
+
+```csharp
+public IActionResult GetFile(string filename)
+{
+    // Attacker: filename = "../../../etc/passwd"
+    return PhysicalFile(Path.Combine("uploads", filename), "text/plain");
+}
+```
+
+**Correct (validation):**
+
+```csharp
+public IActionResult GetFile(string filename)
+{
+    // 1. Use filename from DB (Internal ID)
+    // 2. Or validate filename has no path separators
+    var name = Path.GetFileName(filename); // Strips path
+    
+    var path = Path.Combine(_env.WebRootPath, "uploads", name);
+    return PhysicalFile(path, "text/plain");
+}
+```
+
+**Tools:** Roslyn Analyzers, SonarQube

package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md

@@ -0,0 +1,33 @@
+---
+title: Set Anti-cache Headers For Sensitive Pages
+impact: MEDIUM
+impactDescription: prevents sensitive data caching on shared computers
+tags: headers, caching, privacy, security, csharp
+---
+
+## Set Anti-cache Headers For Sensitive Pages
+
+Sensitive pages shouldn't be cached by browsers or proxies.
+
+**Incorrect (default caching):**
+
+```csharp
+// Response might be cached
+return Ok(sensitiveData);
+```
+
+**Correct (explicit no-cache):**
+
+```csharp
+[ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]
+public IActionResult GetSensitiveData()
+{
+    return Ok(sensitiveData);
+}
+
+// Or manually
+Response.Headers.Add("Cache-Control", "no-store, no-cache, must-revalidate");
+Response.Headers.Add("Pragma", "no-cache");
+```
+
+**Tools:** Developer Tools

package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md

@@ -0,0 +1,41 @@
+---
+title: TLS Clients Must Validate Server Certificates
+impact: CRITICAL
+impactDescription: prevents man-in-the-middle attacks
+tags: tls, certificates, validation, mitm, security, csharp
+---
+
+## TLS Clients Must Validate Server Certificates
+
+Disabling certificate validation (ignoring SSL errors) opens you to MITM attacks.
+
+**Incorrect (disabling validation):**
+
+```csharp
+var handler = new HttpClientHandler
+{
+    // DANGEROUS: Accepts any certificate
+    ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => true
+};
+var client = new HttpClient(handler);
+```
+
+**Correct (default validation):**
+
+```csharp
+// Standard HttpClient validates by default
+var client = new HttpClient();
+
+// Or specific CA validation
+var handler = new HttpClientHandler
+{
+    ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => 
+    {
+         if (errors == SslPolicyErrors.None) return true;
+         // Verify against pinned public key or internal CA
+         return cert.Thumbprint == EXPECTED_THUMBPRINT;
+    }
+};
+```
+
+**Tools:** Roslyn Analyzers, SonarQube

package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md

@@ -0,0 +1,36 @@
+---
+title: Invalidate Session On Logout
+impact: MEDIUM
+impactDescription: ensures logout actually terminates access
+tags: session, logout, invalidation, security, csharp
+---
+
+## Invalidate Session On Logout
+
+Ensure that logging out invalidates the session on the server side.
+
+**Incorrect (client-side only):**
+
+```javascript
+// Front-end removes cookie/token, but server token remains valid
+localStorage.removeItem('token');
+```
+
+**Correct (server-side invalidation):**
+
+```csharp
+[HttpPost]
+public async Task<IActionResult> Logout()
+{
+    // Cookie Auth
+    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+    
+    // JWT - Add current token to revocation list / blacklist (Redis/DB)
+    var token = await HttpContext.GetTokenAsync("access_token");
+    await _tokenBlacklistService.RevokeAsync(token);
+    
+    return Ok();
+}
+```
+
+**Tools:** Identity Framework, Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md

@@ -0,0 +1,47 @@
+---
+title: Re-authenticate For Long Keys/Sessions
+impact: CRITICAL
+impactDescription: prevents indefinite access via stolen tokens
+tags: session, authentication, token, expiry, security, csharp
+---
+
+## Re-authenticate For Long Keys/Sessions
+
+Long-lived sessions allow attackers to maintain access indefinitely if they steal a token.
+
+**Incorrect (never expiring tokens):**
+
+```csharp
+var tokenDescriptor = new SecurityTokenDescriptor
+{
+    Subject = new ClaimsIdentity(claims),
+    Expires = DateTime.UtcNow.AddYears(1), // Too long!
+    SigningCredentials = credentials
+};
+```
+
+**Correct (short lived access tokens + refresh tokens):**
+
+```csharp
+// 1. Short Access Token (e.g. 15-30 mins)
+var tokenDescriptor = new SecurityTokenDescriptor
+{
+    Subject = new ClaimsIdentity(claims),
+    Expires = DateTime.UtcNow.AddMinutes(15), 
+    SigningCredentials = credentials
+};
+
+// 2. Validate Security Stamp periodically for Cookie Auth
+services.Configure<SecurityStampValidatorOptions>(options =>
+{
+    // Check if user attributes (password/roles) changed every 30 mins
+    options.ValidationInterval = TimeSpan.FromMinutes(30);
+});
+
+// 3. Sliding Expiration for Cookies
+// Resets expiration if user is active, but enforces absolute limit?
+options.SlidingExpiration = true;
+options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
+```
+
+**Tools:** ASP.NET Identity, IdentityServer

package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md

@@ -0,0 +1,45 @@
+---
+title: Re-authenticate Before Critical Changes
+impact: MEDIUM
+impactDescription: prevents unauthorized critical operations
+tags: authentication, critical, reauthentication, security, csharp
+---
+
+## Re-authenticate Before Critical Changes
+
+Critical actions like changing passwords, emails, or 2FA settings should require re-entering the password or strict re-authentication.
+
+**Incorrect (no verification):**
+
+```csharp
+[HttpPost]
+public async Task<IActionResult> ChangeEmail(string newEmail)
+{
+    var user = await _userManager.GetUserAsync(User);
+    await _userManager.SetEmailAsync(user, newEmail); // Vulnerable if session hijacked
+    return Ok();
+}
+```
+
+**Correct (verify password):**
+
+```csharp
+[HttpPost]
+public async Task<IActionResult> ChangeEmail(ChangeEmailModel model)
+{
+    var user = await _userManager.GetUserAsync(User);
+    
+    // Check password again
+    var passwordCheck = await _userManager.CheckPasswordAsync(user, model.CurrentPassword);
+    if (!passwordCheck) 
+    {
+        return Unauthorized("Invalid password");
+    }
+
+    // Proceed with change
+    await _userManager.SetEmailAsync(user, model.NewEmail);
+    return Ok();
+}
+```
+
+**Tools:** ASP.NET Identity, Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md

@@ -0,0 +1,48 @@
+---
+title: Implement Brute-force Protection
+impact: MEDIUM
+impactDescription: prevents password guessing attacks
+tags: brute-force, rate-limiting, authentication, security, csharp
+---
+
+## Implement Brute-force Protection
+
+Prevent automated password guessing by implementing rate limiting or account lockout policies.
+
+**Incorrect (no limit):**
+
+```csharp
+[HttpPost]
+public async Task<IActionResult> Login(LoginModel model)
+{
+    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, false);
+    // lockoutOnFailure is false = unlimited attempts
+}
+```
+
+**Correct (lockout enabled):**
+
+```csharp
+// 1. Enable Lockout in Startup
+services.AddDefaultIdentity<IdentityUser>(options => 
+{
+    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
+    options.Lockout.MaxFailedAccessAttempts = 5;
+    options.Lockout.AllowedForNewUsers = true;
+});
+
+// 2. Use it in Login
+[HttpPost]
+public async Task<IActionResult> Login(LoginModel model)
+{
+    // lockoutOnFailure: true
+    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, lockoutOnFailure: true);
+    
+    if (result.IsLockedOut)
+    {
+        return BadRequest("Account locked out");
+    }
+}
+```
+
+**Tools:** ASP.NET Identity, AspNetCoreRateLimit 

package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md

@@ -0,0 +1,53 @@
+---
+title: Protect OAuth Code Flow Vs CSRF
+impact: HIGH
+impactDescription: prevents OAuth authorization code theft
+tags: oauth, csrf, state, authorization, security, csharp
+---
+
+## Protect OAuth Code Flow Vs CSRF
+
+OAuth flows must use the `state` parameter to prevent CSRF attacks. ASP.NET Core Authentication handlers do this by default, but custom implementations often miss it.
+
+**Incorrect (manual implementation without state):**
+
+```csharp
+public IActionResult LoginWithGoogle()
+{
+    var url = $"https://accounts.google.com/o/oauth2/auth?client_id={ClientId}&redirect_uri={RedirectUri}";
+    return Redirect(url); // No state parameter!
+}
+```
+
+**Correct (using library or state):**
+
+```csharp
+// Preferred: Use built-in libraries
+services.AddAuthentication().AddGoogle(options => 
+{
+    options.ClientId = "...";
+    options.ClientSecret = "...";
+    // Correlation Cookie & State handles CSRF automatically
+});
+
+// Manual implementation:
+public IActionResult LoginWithGoogle()
+{
+    var state = GenerateRandomState();
+    HttpContext.Session.SetString("oauth_state", state);
+    
+    var url = $"https://...&state={state}";
+    return Redirect(url);
+}
+
+public IActionResult Callback(string code, string state)
+{
+    if (state != HttpContext.Session.GetString("oauth_state"))
+    {
+        return BadRequest("Invalid state");
+    }
+    // ...
+}
+```
+
+**Tools:** ASP.NET Security Providers, Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md

@@ -0,0 +1,37 @@
+---
+title: Validate OAuth Redirect URIs Exactly
+impact: CRITICAL
+impactDescription: prevents OAuth redirect hijacking
+tags: oauth, redirect, uri, validation, security, csharp
+---
+
+## Validate OAuth Redirect URIs Exactly
+
+If you are implementing an Identity Provider, you must validate redirect URIs exactly.
+
+**Incorrect (loose validation):**
+
+```csharp
+if (redirectUri.StartsWith("https://myapp.com")) // Vulnerable to myapp.com.evil.com
+{
+    return true;
+}
+```
+
+**Correct (exact match):**
+
+```csharp
+var allowedUris = new List<string> 
+{ 
+    "https://myapp.com/callback",
+    "https://mobile.myapp.com/auth"
+};
+
+// Must match exactly
+if (!allowedUris.Contains(redirectUri, StringComparer.OrdinalIgnoreCase))
+{
+    return BadRequest("Invalid redirect_uri");
+}
+```
+
+**Tools:** IdentityServer, OpenIddict Configuration

package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md

@@ -0,0 +1,33 @@
+---
+title: Authentication Codes Must Expire Quickly
+impact: MEDIUM
+impactDescription: limits window for code interception attacks
+tags: authentication, codes, expiry, otp, security, csharp
+---
+
+## Authentication Codes Must Expire Quickly
+
+Authorization codes, OTPs, and email verification tokens must have short lifetimes.
+
+**Incorrect (long expiry):**
+
+```csharp
+// Generating a token valid for 24 hours
+var token = GenerateToken();
+_cache.Set(token, userId, TimeSpan.FromHours(24)); 
+```
+
+**Correct (short expiry):**
+
+```csharp
+// 5 minutes for OTP/Auth Codes
+_cache.Set(token, userId, TimeSpan.FromMinutes(5));
+
+// Identity config
+services.Configure<DataProtectionTokenProviderOptions>(options =>
+{
+    options.TokenLifespan = TimeSpan.FromMinutes(15); // For password reset / email confirm
+});
+```
+
+**Tools:** ASP.NET Identity Options, Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md

@@ -0,0 +1,33 @@
+---
+title: Reference Tokens 128-bit Entropy CSPRNG
+impact: HIGH
+impactDescription: prevents token brute-forcing
+tags: tokens, entropy, csprng, session, security, csharp
+---
+
+## Reference Tokens 128-bit Entropy CSPRNG
+
+Generating tokens (session IDs, API keys) must use high entropy.
+
+**Incorrect (using Guid or Random):**
+
+```csharp
+var token = Guid.NewGuid().ToString(); // Predictable generation logic, only 122 bits random?
+var token2 = new Random().Next().ToString(); // Very weak
+```
+
+**Correct (RNGCryptoServiceProvider / RandomNumberGenerator):**
+
+```csharp
+using System.Security.Cryptography;
+
+string GenerateToken(int length = 32)
+{
+    var bytes = new byte[length];
+    RandomNumberGenerator.Fill(bytes);
+    return Convert.ToBase64String(bytes)
+        .Replace("+", "-").Replace("/", "_").Replace("=", ""); // Base64Url
+}
+```
+
+**Tools:** SonarQube