@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488) hide show
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md ADDED
@@ -0,0 +1,80 @@
1
+ ---
2
+ title: URL Redirects Must Be In Allow List
3
+ impact: LOW
4
+ impactDescription: prevents open redirect vulnerabilities
5
+ tags: redirect, url, allow-list, validation, security
6
+ ---
7
+
8
+ ## URL Redirects Must Be In Allow List
9
+
10
+ Open redirect vulnerabilities allow attackers to redirect users to malicious sites, often used in phishing attacks.
11
+
12
+ **Incorrect (unvalidated redirect URL):**
13
+
14
+ ```go
15
+ // Open redirect vulnerability
16
+ http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
17
+ url := r.URL.Query().Get("url")
18
+ http.Redirect(w, r, url, http.StatusFound) // Attacker: ?url=https://evil.com
19
+ })
20
+
21
+ // Partial validation (can be bypassed)
22
+ http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
23
+ url := r.URL.Query().Get("url")
24
+ if strings.Contains(url, "example.com") {
25
+ http.Redirect(w, r, url, http.StatusFound) // Bypass: evil.com?example.com
26
+ }
27
+ })
28
+ ```
29
+
30
+ **Correct (allow list validation):**
31
+
32
+ ```go
33
+ var allowedRedirectHosts = []string{
34
+ "example.com",
35
+ "app.example.com",
36
+ "admin.example.com",
37
+ }
38
+
39
+ func isAllowedHost(host string) bool {
40
+ for _, h := range allowedRedirectHosts {
41
+ if h == host {
42
+ return true
43
+ }
44
+ }
45
+ return false
46
+ }
47
+
48
+ http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
49
+ targetURL := r.URL.Query().Get("url")
50
+
51
+ parsed, err := url.Parse(targetURL)
52
+ if err != nil || !isAllowedHost(parsed.Hostname()) {
53
+ http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
54
+ return
55
+ }
56
+
57
+ http.Redirect(w, r, targetURL, http.StatusFound)
58
+ })
59
+
60
+ // Or use relative URLs only
61
+ http.HandleFunc("/relative-redirect", func(w http.ResponseWriter, r *http.Request) {
62
+ path := r.URL.Query().Get("path")
63
+
64
+ // Only allow relative paths starting with /
65
+ if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {
66
+ http.Error(w, "Invalid path", http.StatusBadRequest)
67
+ return
68
+ }
69
+
70
+ http.Redirect(w, r, path, http.StatusFound)
71
+ })
72
+ ```
73
+
74
+ **Protection strategies:**
75
+ 1. Allow list of trusted domains
76
+ 2. Use relative URLs only
77
+ 3. Validate URL structure
78
+ 4. Warning page before external redirects
79
+
80
+ **Tools:** SonarQube, Semgrep, Manual Review
package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md ADDED
@@ -0,0 +1,66 @@
1
+ ---
2
+ title: Do Not Log Credentials Or Tokens
3
+ impact: MEDIUM
4
+ impactDescription: prevents credential exposure in logs
5
+ tags: logging, credentials, tokens, secrets, security
6
+ ---
7
+
8
+ ## Do Not Log Credentials Or Tokens
9
+
10
+ Logs are often stored unencrypted and accessed by many people. Credentials in logs can be harvested by attackers or accidentally exposed.
11
+
12
+ **Incorrect (logging sensitive data):**
13
+
14
+ ```go
15
+ // Logging passwords
16
+ slog.Info("Login attempt",
17
+ "username", user.Username,
18
+ "password", user.Password, // NEVER!
19
+ )
20
+
21
+ // Logging tokens
22
+ slog.Debug("Request headers", "headers", r.Header)
23
+ // Authorization header contains token!
24
+
25
+ // Logging full request body
26
+ body, _ := io.ReadAll(r.Body)
27
+ slog.Info("Incoming request", "body", string(body))
28
+ // May contain password, credit card, etc.
29
+ ```
30
+
31
+ **Correct (sanitized logging):**
32
+
33
+ ```go
34
+ // Mask or omit sensitive fields
35
+ slog.Info("Login attempt",
36
+ "username", user.Username,
37
+ // password omitted
38
+ )
39
+
40
+ // Sanitize headers
41
+ safeHeader := r.Header.Clone()
42
+ if safeHeader.Get("Authorization") != "" {
43
+ safeHeader.Set("Authorization", "[REDACTED]")
44
+ }
45
+ slog.Debug("Request headers", "headers", safeHeader)
46
+
47
+ // Use a sanitizer for request body
48
+ func sanitizeForLog(data map[string]any) map[string]any {
49
+ sensitiveFields := []string{"password", "token", "secret", "credit_card"}
50
+ for _, field := range sensitiveFields {
51
+ if _, ok := data[field]; ok {
52
+ data[field] = "[REDACTED]"
53
+ }
54
+ }
55
+ return data
56
+ }
57
+ ```
58
+
59
+ **Never log:**
60
+ - Passwords (plaintext or hashed)
61
+ - API keys and tokens
62
+ - Credit card numbers
63
+ - Social Security Numbers
64
+ - Session identifiers
65
+
66
+ **Tools:** SonarQube, Semgrep, Log Audit
package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md ADDED
@@ -0,0 +1,55 @@
1
+ ---
2
+ title: Enforce Authorization At Trusted Service Layer
3
+ impact: CRITICAL
4
+ impactDescription: prevents client-side authorization bypass
5
+ tags: authorization, server-side, middleware, access-control, security
6
+ ---
7
+
8
+ ## Enforce Authorization At Trusted Service Layer
9
+
10
+ Client-side authorization can be bypassed. All permission checks must occur server-side where they cannot be manipulated.
11
+
12
+ **Incorrect (client-side or trusting client data):**
13
+
14
+ ```go
15
+ // Trusting client-sent role
16
+ func deleteUserHandler(w http.ResponseWriter, r *http.Request) {
17
+ userRole := r.FormValue("role") // From client!
18
+ if userRole == "admin" {
19
+ deleteUser(r.FormValue("id"))
20
+ }
21
+ }
22
+ ```
23
+
24
+ **Correct (server-side authorization middleware):**
25
+
26
+ ```go
27
+ func authMiddleware(requiredRole string, next http.HandlerFunc) http.HandlerFunc {
28
+ return func(w http.ResponseWriter, r *http.Request) {
29
+ token := r.Header.Get("Authorization")
30
+ user, err := getUserFromToken(token)
31
+ if err != nil {
32
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
33
+ return
34
+ }
35
+
36
+ if !checkPermission(user.ID, requiredRole) {
37
+ http.Error(w, "Forbidden", http.StatusForbidden)
38
+ return
39
+ }
40
+
41
+ next.ServeHTTP(w, r)
42
+ }
43
+ }
44
+
45
+ // Router usage
46
+ http.HandleFunc("/users/delete", authMiddleware("admin", deleteUserHandler))
47
+ ```
48
+
49
+ **Never trust:**
50
+ - Client-side JavaScript checks
51
+ - Hidden form fields
52
+ - URL parameters for access control
53
+ - Unvalidated tokens from browser storage
54
+
55
+ **Tools:** Manual Review, Static Analysis, Penetration Testing
package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md ADDED
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: Do Not Use Default Credentials
3
+ impact: CRITICAL
4
+ impactDescription: prevents trivial compromise via known credentials
5
+ tags: credentials, default, passwords, configuration, security
6
+ ---
7
+
8
+ ## Do Not Use Default Credentials
9
+
10
+ Default credentials are publicly known. Attackers scan for them automatically, making any system using them trivially compromised.
11
+
12
+ **Incorrect (default or hardcoded credentials):**
13
+
14
+ ```yaml
15
+ # Docker Compose with defaults
16
+ services:
17
+ postgres:
18
+ image: postgres
19
+ environment:
20
+ POSTGRES_USER: postgres
21
+ POSTGRES_PASSWORD: postgres # Default!
22
+ ```
23
+
24
+ **Correct (environment/secrets management):**
25
+
26
+ ```go
27
+ // Application code
28
+ dbConfig := struct {
29
+ User string
30
+ Password string
31
+ }{
32
+ User: os.Getenv("DB_USER"),
33
+ Password: os.Getenv("DB_PASSWORD"),
34
+ }
35
+
36
+ // Validate no defaults
37
+ if dbConfig.Password == "admin" || dbConfig.Password == "password" || dbConfig.Password == "postgres" {
38
+ log.Fatal("Default credentials detected - deployment blocked")
39
+ }
40
+ ```
41
+
42
+ **Blocked defaults:**
43
+ - `admin/admin`, `root/root`, `test/test`
44
+ - `postgres/postgres`, `mysql/mysql`
45
+ - Factory default API keys
46
+
47
+ **Tools:** Secret Scanner, GitLeaks, TruffleHog, CI/CD checks
package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md ADDED
@@ -0,0 +1,50 @@
1
+ ---
2
+ title: Output Encoding Before Interpreter Use
3
+ impact: HIGH
4
+ impactDescription: prevents XSS and injection attacks
5
+ tags: xss, encoding, output, html, security
6
+ ---
7
+
8
+ ## Output Encoding Before Interpreter Use
9
+
10
+ XSS and injection attacks occur when unescaped user data is interpreted by browsers or other systems.
11
+
12
+ **Incorrect (no encoding):**
13
+
14
+ ```go
15
+ // XSS vulnerability
16
+ http.HandleFunc("/search", func(w http.ResponseWriter, r *http.Request) {
17
+ query := r.URL.Query().Get("q")
18
+ fmt.Fprintf(w, "<h1>Results for: %s</h1>", query) // XSS!
19
+ })
20
+ ```
21
+
22
+ **Correct (context-aware encoding):**
23
+
24
+ ```go
25
+ import "html"
26
+
27
+ // HTML context
28
+ http.HandleFunc("/search", func(w http.ResponseWriter, r *http.Request) {
29
+ query := r.URL.Query().Get("q")
30
+ // html.EscapeString escapes <, >, &, ', "
31
+ fmt.Fprintf(w, "<h1>Results for: %s</h1>", html.EscapeString(query))
32
+ })
33
+
34
+ // Using html/template (auto-escapes by default)
35
+ tmpl := template.Must(template.New("res").Parse("<h1>Results for: {{.}}</h1>"))
36
+ tmpl.Execute(w, query)
37
+
38
+ // URL context
39
+ safeURL := url.QueryEscape(userInput)
40
+ ```
41
+
42
+ **Encoding by Context:**
43
+
44
+ | Context | Encoding |
45
+ |---------|----------|
46
+ | HTML body | `html.EscapeString()` |
47
+ | URL | `url.QueryEscape()` |
48
+ | JSON | `json.Marshal()` |
49
+
50
+ **Tools:** SonarQube, Semgrep, `html/template` (enforced escaping)
package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md ADDED
@@ -0,0 +1,63 @@
1
+ ---
2
+ title: Use Only Approved Crypto Algorithms
3
+ impact: MEDIUM
4
+ impactDescription: ensures cryptographic strength
5
+ tags: cryptography, algorithms, hashing, encryption, security
6
+ ---
7
+
8
+ ## Use Only Approved Crypto Algorithms
9
+
10
+ Weak algorithms are broken. MD5, SHA1, DES, and ECB mode have known vulnerabilities.
11
+
12
+ **Incorrect (weak algorithms):**
13
+
14
+ ```go
15
+ import (
16
+ "crypto/md5"
17
+ "crypto/des"
18
+ "crypto/cipher"
19
+ )
20
+
21
+ // WEAK hash
22
+ h := md5.New()
23
+ h.Write([]byte(password))
24
+ hash := h.Sum(nil)
25
+
26
+ // WEAK algorithm
27
+ block, _ := des.NewCipher(key)
28
+ ```
29
+
30
+ **Correct (approved algorithms):**
31
+
32
+ ```go
33
+ import (
34
+ "crypto/aes"
35
+ "crypto/cipher"
36
+ "crypto/sha256"
37
+ "golang.org/x/crypto/bcrypt"
38
+ )
39
+
40
+ // STRONG hash (for data integrity)
41
+ h := sha256.New()
42
+ h.Write(data)
43
+ hash := h.Sum(nil)
44
+
45
+ // STRONG authenticated encryption (GCM mode)
46
+ block, _ := aes.NewCipher(key)
47
+ aesGCM, _ := cipher.NewGCM(block)
48
+ ciphertext := aesGCM.Seal(nil, nonce, plaintext, associatedData)
49
+
50
+ // For passwords - use specialized functions
51
+ hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
52
+ err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
53
+ ```
54
+
55
+ **Approved vs Prohibited:**
56
+
57
+ | Purpose | Approved | Prohibited |
58
+ |---------|----------|------------|
59
+ | Hash | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
60
+ | Encryption | AES-GCM, ChaCha20-Poly1305 | DES, 3DES, AES-ECB |
61
+ | Password | bcrypt, Argon2, scrypt | MD5, SHA-*, plain AES |
62
+
63
+ **Tools:** SonarQube, Semgrep, `crypto` (standard library)
package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md ADDED
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Use CSPRNG For Security Purposes
3
+ impact: HIGH
4
+ impactDescription: prevents predictable tokens and session hijacking
5
+ tags: random, csprng, tokens, session, cryptography, security
6
+ ---
7
+
8
+ ## Use CSPRNG For Security Purposes
9
+
10
+ Non-cryptographic random generators are predictable. Attackers can guess session tokens, OTPs, and password reset links generated with weak random sources.
11
+
12
+ **Incorrect (predictable random):**
13
+
14
+ ```go
15
+ import "math/rand"
16
+
17
+ // INSECURE - predictable!
18
+ sessionId := fmt.Sprintf("%d", rand.Intn(1000000))
19
+
20
+ // INSECURE - Seeded with time isn't enough for security tokens
21
+ rand.Seed(time.Now().UnixNano())
22
+ token := rand.Int63()
23
+ ```
24
+
25
+ **Correct (cryptographically secure):**
26
+
27
+ ```go
28
+ import (
29
+ "crypto/rand"
30
+ "encoding/hex"
31
+ "math/big"
32
+ )
33
+
34
+ // Cryptographically secure session ID
35
+ b := make([]byte, 32)
36
+ rand.Read(b)
37
+ sessionId := hex.EncodeToString(b) // 256-bit entropy
38
+
39
+ // Secure OTP generation
40
+ func generateOTP(length int) string {
41
+ max := big.NewInt(int64(math.Pow10(length)))
42
+ n, _ := rand.Int(rand.Reader, max)
43
+ return fmt.Sprintf("%0*d", length, n)
44
+ }
45
+ ```
46
+
47
+ **CSPRNG by language:**
48
+
49
+ | Language | Secure | Insecure |
50
+ |----------|--------|----------|
51
+ | Go | `crypto/rand` | `math/rand` |
52
+
53
+ **Tools:** SonarQube, Semgrep, `crypto/rand`
package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md ADDED
@@ -0,0 +1,34 @@
1
+ ---
2
+ title: Enable Encrypted Client Hello (ECH)
3
+ impact: MEDIUM
4
+ impactDescription: protects SNI from eavesdropping
5
+ tags: tls, ech, sni, privacy, security
6
+ ---
7
+
8
+ ## Enable Encrypted Client Hello (ECH)
9
+
10
+ ECH encrypts the Server Name Indication (SNI) to prevent network observers from seeing which site you're connecting to.
11
+
12
+ **About ECH:**
13
+
14
+ Encrypted Client Hello (formerly ESNI) is a TLS extension that encrypts the ClientHello message, hiding the destination hostname from network observers.
15
+
16
+ **Implementation:**
17
+
18
+ ```nginx
19
+ # Nginx with ECH (when supported)
20
+ ssl_ech on;
21
+ ssl_ech_key /path/to/ech-private-key.pem;
22
+ ```
23
+
24
+ **DNS Configuration:**
25
+
26
+ ```
27
+ # HTTPS DNS record for ECH
28
+ _https.example.com. IN HTTPS 1 . alpn="h2,h3" ipv4hint=192.0.2.1 ech="..."
29
+ ```
30
+
31
+ **Go Support:**
32
+ Go's `crypto/tls` currently (as of Go 1.22) has limited native support for ECH, but it can be implemented via specialized packages or handled at the infrastructure level (e.g., Cloudflare).
33
+
34
+ **Tools:** Cloudflare ECH, DNS Configuration
package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md ADDED
@@ -0,0 +1,49 @@
1
+ ---
2
+ title: Use Secrets Management For Backend Secrets
3
+ impact: CRITICAL
4
+ impactDescription: centralizes and secures credential storage
5
+ tags: secrets, vault, credentials, configuration, security
6
+ ---
7
+
8
+ ## Use Secrets Management For Backend Secrets
9
+
10
+ Hardcoded secrets are exposed in version control and can be accessed by anyone with code access. Use dedicated secrets management systems.
11
+
12
+ **Incorrect (hardcoded or plain env files):**
13
+
14
+ ```go
15
+ // Hardcoded in code
16
+ const APIKey = "sk-abc123xyz789"
17
+
18
+ // .env file committed to repo
19
+ DATABASE_URL=postgres://admin:password@localhost/db
20
+ ```
21
+
22
+ **Correct (secrets management):**
23
+
24
+ ```go
25
+ // Using secrets manager (AWS, HashiCorp Vault, etc.)
26
+ dbPassword, _ := secretManager.GetSecret(ctx, "production/db-password")
27
+
28
+ // Kubernetes secrets
29
+ secret := os.Getenv("DB_PASSWORD") // Mounted from K8s secret
30
+
31
+ // Environment-specific with validation
32
+ config := struct {
33
+ DBPassword string
34
+ }{
35
+ DBPassword: os.Getenv("DB_PASSWORD"),
36
+ }
37
+
38
+ if config.DBPassword == "" {
39
+ log.Fatal("DB_PASSWORD environment variable required")
40
+ }
41
+ ```
42
+
43
+ **Best practices:**
44
+ - Never commit secrets to version control
45
+ - Use secrets rotation
46
+ - Audit secret access
47
+ - Use different secrets per environment
48
+
49
+ **Tools:** HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md ADDED
@@ -0,0 +1,61 @@
1
+ ---
2
+ title: Always Use TLS For All Connections
3
+ impact: HIGH
4
+ impactDescription: protects data in transit from eavesdropping
5
+ tags: tls, https, encryption, transport, security
6
+ ---
7
+
8
+ ## Always Use TLS For All Connections
9
+
10
+ Unencrypted traffic exposes data to anyone on the network path - ISPs, WiFi operators, and attackers.
11
+
12
+ **Incorrect (unencrypted connections):**
13
+
14
+ ```go
15
+ // HTTP API calls
16
+ resp, _ := http.Get("http://api.example.com/users")
17
+
18
+ // Unencrypted database
19
+ db, _ := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=disable")
20
+
21
+ // Redis without TLS
22
+ client := redis.NewClient(&redis.Options{
23
+ Addr: "localhost:6379",
24
+ })
25
+ ```
26
+
27
+ **Correct (TLS everywhere):**
28
+
29
+ ```go
30
+ // HTTPS for all APIs
31
+ resp, _ := http.Get("https://api.example.com/users")
32
+
33
+ // TLS for database
34
+ db, _ := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=verify-full")
35
+
36
+ // Redis with TLS
37
+ client := redis.NewClient(&redis.Options{
38
+ Addr: "localhost:6380",
39
+ TLSConfig: &tls.Config{...},
40
+ })
41
+
42
+ // Force HTTPS in a Go web server
43
+ func enforceHTTPS(next http.Handler) http.Handler {
44
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
45
+ if r.Header.Get("X-Forwarded-Proto") != "https" && os.Getenv("ENV") == "production" {
46
+ http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusMovedPermanently)
47
+ return
48
+ }
49
+ next.ServeHTTP(w, r)
50
+ })
51
+ }
52
+ ```
53
+
54
+ **Checklist:**
55
+ - [ ] All HTTP → HTTPS
56
+ - [ ] Database connections encrypted (sslmode=verify-full)
57
+ - [ ] Redis/memcached TLS
58
+ - [ ] Message queues TLS
59
+ - [ ] HSTS headers enabled
60
+
61
+ **Tools:** OWASP ZAP, SSLyze, `crypto/tls`
package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md ADDED
@@ -0,0 +1,42 @@
1
+ ---
2
+ title: Do Not Pass Sensitive Data In Query String
3
+ impact: HIGH
4
+ impactDescription: prevents credential leakage in logs and history
5
+ tags: url, query-string, sensitive-data, leakage, security
6
+ ---
7
+
8
+ ## Do Not Pass Sensitive Data In Query String
9
+
10
+ Query strings appear in server logs, browser history, referrer headers, and can be cached by proxies and CDNs.
11
+
12
+ **Incorrect (sensitive data in URL):**
13
+
14
+ ```go
15
+ // Tokens in URL
16
+ http.Get(fmt.Sprintf("https://api.example.com/data?token=%s", accessToken))
17
+
18
+ // Password in URL
19
+ http.Post(fmt.Sprintf("https://api.example.com/login?user=admin&pass=%s", password), "application/json", nil)
20
+ ```
21
+
22
+ **Correct (sensitive data in body/headers):**
23
+
24
+ ```go
25
+ // Token in header
26
+ req, _ := http.NewRequest("GET", "https://api.example.com/data", nil)
27
+ req.Header.Set("Authorization", "Bearer "+accessToken)
28
+ client.Do(req)
29
+
30
+ // Credentials in body
31
+ payload := map[string]string{"user": "admin", "pass": password}
32
+ jsonPayload, _ := json.Marshal(payload)
33
+ http.Post("https://api.example.com/login", "application/json", bytes.NewBuffer(jsonPayload))
34
+ ```
35
+
36
+ **Where query strings leak:**
37
+ - Server access logs
38
+ - Browser history
39
+ - Referrer headers
40
+ - Proxy/CDN logs
41
+
42
+ **Tools:** Semgrep, Manual Review, Proxy log scanner
package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md ADDED
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Always Use Parameterized Queries
3
+ impact: CRITICAL
4
+ impactDescription: prevents SQL and NoSQL injection attacks
5
+ tags: injection, sql, nosql, database, parameterized, security
6
+ ---
7
+
8
+ ## Always Use Parameterized Queries
9
+
10
+ SQL injection allows attackers to execute arbitrary database commands, steal data, or destroy databases.
11
+
12
+ **Incorrect (string concatenation):**
13
+
14
+ ```go
15
+ // SQL Injection vulnerability
16
+ userId := r.URL.Query().Get("id")
17
+ query := fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", userId)
18
+ db.Query(query)
19
+
20
+ // Attacker input: ' OR '1'='1
21
+ // Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
22
+ ```
23
+
24
+ **Correct (parameterized queries):**
25
+
26
+ ```go
27
+ // Parameterized query using database/sql
28
+ userId := r.URL.Query().Get("id")
29
+ db.Query("SELECT * FROM users WHERE id = ?", userId) // Postgres uses $1, $2
30
+
31
+ // Using GORM (safely handles parameters)
32
+ var user User
33
+ db.First(&user, "id = ?", userId)
34
+ ```
35
+
36
+ **Tools:** SonarQube, Semgrep, `sqlclosecheck`, `gosec` (G201, G202)
package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md ADDED
@@ -0,0 +1,44 @@
1
+ ---
2
+ title: Sanitize Input Before Sending Emails
3
+ impact: MEDIUM
4
+ impactDescription: prevents email header injection
5
+ tags: email, injection, sanitization, input-validation, security
6
+ ---
7
+
8
+ ## Sanitize Input Before Sending Emails
9
+
10
+ Email header injection allows attackers to add recipients, change headers, or send spam through your system.
11
+
12
+ **Incorrect (unsanitized email input):**
13
+
14
+ ```go
15
+ // Email injection vulnerability
16
+ subject := r.FormValue("subject") // "Hello\r\nBcc: spam@evil.com"
17
+ msg := []byte("Subject: " + subject + "\r\n\r\n" + "Body")
18
+ smtp.SendMail("smtp.example.com:25", auth, from, to, msg)
19
+ ```
20
+
21
+ **Correct (sanitized email fields):**
22
+
23
+ ```go
24
+ func sanitizeEmailField(input string) string {
25
+ // Remove CRLF characters that could inject headers
26
+ return strings.NewReplacer("\r", "", "\n", "").Replace(input)
27
+ }
28
+
29
+ func validateEmail(email string) bool {
30
+ // Use a robust regex or net/mail
31
+ _, err := mail.ParseAddress(email)
32
+ return err == nil && !strings.ContainsAny(email, "\r\n")
33
+ }
34
+
35
+ // In handler
36
+ subject := sanitizeEmailField(r.FormValue("subject"))
37
+ to := r.FormValue("to")
38
+ if !validateEmail(to) {
39
+ http.Error(w, "Invalid email", 400)
40
+ return
41
+ }
42
+ ```
43
+
44
+ **Tools:** Email Libraries with Built-in Protection, Manual Review, `net/mail`