@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488) hide show
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md ADDED
@@ -0,0 +1,34 @@
1
+ ---
2
+ title: Do Not Use Error Log Level For Non-Critical Issues
3
+ impact: MEDIUM
4
+ impactDescription: prevents log noise and ensures relevant alerts
5
+ tags: logging, best-practice, java
6
+ ---
7
+
8
+ ## Do Not Use Error Log Level For Non-Critical Issues
9
+
10
+ The `ERROR` level should be reserved for issues that require immediate developer attention. For expected failures (like invalid user input), use `WARN` or `INFO`.
11
+
12
+ **Incorrect (error for everything):**
13
+
14
+ ```java
15
+ if (user == null) {
16
+ log.error("User not found: {}", id); // Should be WARN or INFO
17
+ }
18
+ ```
19
+
20
+ **Correct (appropriate log levels):**
21
+
22
+ ```java
23
+ if (user == null) {
24
+ log.warn("Attempt to access non-existent user: {}", id);
25
+ }
26
+
27
+ try {
28
+ db.save(data);
29
+ } catch (SQLException e) {
30
+ log.error("Critical database failure", e); // TRUE ERROR
31
+ }
32
+ ```
33
+
34
+ **Tools:** Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md ADDED
@@ -0,0 +1,34 @@
1
+ ---
2
+ title: Do Not Import Unused Modules
3
+ impact: MEDIUM
4
+ impactDescription: reduces compilation time and avoids namespace pollution
5
+ tags: readability, clean-code, java
6
+ ---
7
+
8
+ ## Do Not Import Unused Modules
9
+
10
+ Unused imports clutter the code and can lead to confusion if multiple classes have the same name in different packages.
11
+
12
+ **Incorrect (unused imports):**
13
+
14
+ ```java
15
+ import java.util.List;
16
+ import java.util.ArrayList; // UNUSED
17
+ import java.util.stream.Collectors; // UNUSED
18
+
19
+ public class MyClass {
20
+ public void run(List<String> list) { ... }
21
+ }
22
+ ```
23
+
24
+ **Correct (clean imports):**
25
+
26
+ ```java
27
+ import java.util.List;
28
+
29
+ public class MyClass {
30
+ public void run(List<String> list) { ... }
31
+ }
32
+ ```
33
+
34
+ **Tools:** IntelliJ "Optimize Imports", Checkstyle (UnusedImports), PMD
package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md ADDED
@@ -0,0 +1,31 @@
1
+ ---
2
+ title: Do Not Leave Unused Variables
3
+ impact: MEDIUM
4
+ impactDescription: reduces clutter and potential for logic errors
5
+ tags: readability, clean-code, java
6
+ ---
7
+
8
+ ## Do Not Leave Unused Variables
9
+
10
+ Variables that are declared but never used should be removed to keep the code focused and avoid confusion.
11
+
12
+ **Incorrect (unused variable):**
13
+
14
+ ```java
15
+ public void process() {
16
+ int count = 0; // UNUSED
17
+ String name = "Admin";
18
+ System.out.println(name);
19
+ }
20
+ ```
21
+
22
+ **Correct (clean code):**
23
+
24
+ ```java
25
+ public void process() {
26
+ String name = "Admin";
27
+ System.out.println(name);
28
+ }
29
+ ```
30
+
31
+ **Tools:** IntelliJ Inspections, SonarQube (S1481), SpotBugs
package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md ADDED
@@ -0,0 +1,37 @@
1
+ ---
2
+ title: No Duplicate Variable Names In Scope
3
+ impact: MEDIUM
4
+ impactDescription: prevents variable shadowing and unintentional logic errors
5
+ tags: clean-code, maintainability, java
6
+ ---
7
+
8
+ ## No Duplicate Variable Names In Scope
9
+
10
+ Using the same name for a local variable as a member variable (shadowing) makes the code hard to read and can lead to bugs where the wrong variable is updated.
11
+
12
+ **Incorrect (shadowing):**
13
+
14
+ ```java
15
+ public class UserService {
16
+ private String name;
17
+
18
+ public void updateName(String name) {
19
+ // VULNERABLE: Which 'name' is being used?
20
+ name = name; // Bug: logic error
21
+ }
22
+ }
23
+ ```
24
+
25
+ **Correct (clear naming):**
26
+
27
+ ```java
28
+ public class UserService {
29
+ private String name;
30
+
31
+ public void updateName(String newName) {
32
+ this.name = newName;
33
+ }
34
+ }
35
+ ```
36
+
37
+ **Tools:** IntelliJ Inspections, Checkstyle (HiddenField), SonarQube (S1117)
package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md ADDED
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Centralize Constants In Config Files
3
+ impact: MEDIUM
4
+ impactDescription: improves maintainability by avoiding "magic strings" and "magic numbers"
5
+ tags: refactoring, clean-code, java
6
+ ---
7
+
8
+ ## Centralize Constants In Config Files
9
+
10
+ Literals (strings, numbers) used multiple times should be defined as constants in a centralized place rather than hardcoded throughout the logic.
11
+
12
+ **Incorrect (hardcoded literals):**
13
+
14
+ ```java
15
+ public void process() {
16
+ if ("ADMIN".equals(user.getRole())) { // Magic string
17
+ // ...
18
+ }
19
+ }
20
+ ```
21
+
22
+ **Correct (centralized constants):**
23
+
24
+ ```java
25
+ public class AuthConstants {
26
+ public static final String ROLE_ADMIN = "ADMIN";
27
+ }
28
+
29
+ public void process() {
30
+ if (AuthConstants.ROLE_ADMIN.equals(user.getRole())) {
31
+ // ...
32
+ }
33
+ }
34
+ ```
35
+
36
+ **Tools:** IntelliJ "Extract Constant", Checkstyle (MagicNumber), SonarQube (S1192)
package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md ADDED
@@ -0,0 +1,42 @@
1
+ ---
2
+ title: Catch Blocks Must Log Root Cause
3
+ impact: CRITICAL
4
+ impactDescription: ensures debuggability by preserving full exception context
5
+ tags: error-handling, logging, debugging, java
6
+ ---
7
+
8
+ ## Catch Blocks Must Log Root Cause
9
+
10
+ When catching an exception, you must log the actual exception object (the root cause) along with relevant context. Swallowing exceptions or logging only the message makes it impossible to find the line number or the stack trace of the original error.
11
+
12
+ **Incorrect (swallowing or incomplete logging):**
13
+
14
+ ```java
15
+ try {
16
+ processData();
17
+ } catch (Exception e) {
18
+ // VULNERABLE: No stack trace, no context
19
+ log.error("An error occurred");
20
+
21
+ // VULNERABLE: Swallowed!
22
+ }
23
+ ```
24
+
25
+ **Correct (logging with context and stack trace):**
26
+
27
+ ```java
28
+ try {
29
+ processData(userId);
30
+ } catch (IOException e) {
31
+ // SECURE: Log context + the exception object
32
+ log.error("Failed to process data for user: {}", userId, e);
33
+ throw new ServiceException("Database error", e); // Wrap and rethrow
34
+ }
35
+ ```
36
+
37
+ **Checklist:**
38
+ - Always pass the exception object `e` as the last argument to the logger.
39
+ - Include unique identifiers (like `userId`, `orderId`) in the log message.
40
+ - Avoid logging only `e.getMessage()`.
41
+
42
+ **Tools:** SonarQube (S1166), SpotBugs, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md ADDED
@@ -0,0 +1,50 @@
1
+ ---
2
+ title: Use Custom Error Classes
3
+ impact: MEDIUM
4
+ impactDescription: enables specific error handling and cleaner code structure
5
+ tags: error-handling, clean-code, exceptions, java
6
+ ---
7
+
8
+ ## Use Custom Error Classes
9
+
10
+ Throwing generic exceptions like `RuntimeException` or `Exception` forces the caller to use "catch-all" blocks, which is dangerous and lacks semantic meaning. Custom exceptions allow for fine-grained error handling.
11
+
12
+ **Incorrect (generic exceptions):**
13
+
14
+ ```java
15
+ public void process(int amount) {
16
+ if (amount < 0) {
17
+ throw new RuntimeException("Invalid amount");
18
+ }
19
+ }
20
+ ```
21
+
22
+ **Correct (custom exceptions):**
23
+
24
+ ```java
25
+ public class InsufficientFundsException extends RuntimeException {
26
+ public InsufficientFundsException(String message) {
27
+ super(message);
28
+ }
29
+ }
30
+
31
+ public void process(int amount) {
32
+ if (amount < 0) {
33
+ throw new InsufficientFundsException("Amount cannot be negative");
34
+ }
35
+ }
36
+
37
+ // Caller can now catch specifically
38
+ try {
39
+ service.process(-1);
40
+ } catch (InsufficientFundsException e) {
41
+ // Handle specifically
42
+ }
43
+ ```
44
+
45
+ **Recommendation:**
46
+ - Inherit from `RuntimeException` for unrecoverable errors (unchecked).
47
+ - Inherit from `Exception` for errors that the caller *must* handle (checked).
48
+ - Use descriptive names (e.g., `UserNotFoundException`, `DatabaseConnectionException`).
49
+
50
+ **Tools:** IntelliJ Inspections, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md ADDED
@@ -0,0 +1,46 @@
1
+ ---
2
+ title: Separate Processing And Data Access Layers
3
+ impact: HIGH
4
+ impactDescription: enforces clean architecture and improves testability
5
+ tags: architecture, clean-code, java
6
+ ---
7
+
8
+ ## Separate Processing And Data Access Layers
9
+
10
+ Business logic should be decoupled from database operations. Repositories should only handle data retrieval/storage, while Services handle the logic.
11
+
12
+ **Incorrect (mixed concerns):**
13
+
14
+ ```java
15
+ @Service
16
+ public class OrderService {
17
+ @Autowired private JdbcTemplate jdbc;
18
+
19
+ public void checkout(Cart cart) {
20
+ // VULNERABLE: SQL logic directly in Service
21
+ jdbc.update("INSERT INTO orders...");
22
+ // complex business logic here...
23
+ }
24
+ }
25
+ ```
26
+
27
+ **Correct (layered architecture):**
28
+
29
+ ```java
30
+ @Service
31
+ public class OrderService {
32
+ @Autowired private OrderRepository repository;
33
+
34
+ public void checkout(Cart cart) {
35
+ // Business logic...
36
+ Order order = new Order(cart);
37
+ repository.save(order);
38
+ }
39
+ }
40
+
41
+ @Repository
42
+ public interface OrderRepository extends JpaRepository<Order, Long> {
43
+ }
44
+ ```
45
+
46
+ **Tools:** ArchUnit, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md ADDED
@@ -0,0 +1,38 @@
1
+ ---
2
+ title: Log All Relevant Context On Errors
3
+ impact: CRITICAL
4
+ impactDescription: enables efficient incident resolution by providing necessary details
5
+ tags: logging, error-handling, java
6
+ ---
7
+
8
+ ## Log All Relevant Context On Errors
9
+
10
+ An error log without context (like IDs or state) is often useless. Always include enough information to reproduce the issue.
11
+
12
+ **Incorrect (lacking context):**
13
+
14
+ ```java
15
+ try {
16
+ paymentService.charge(amount);
17
+ } catch (Exception e) {
18
+ log.error("Payment failed", e); // Which user? Which order?
19
+ }
20
+ ```
21
+
22
+ **Correct (contextual logging):**
23
+
24
+ ```java
25
+ try {
26
+ paymentService.charge(orderId, amount);
27
+ } catch (Exception e) {
28
+ log.error("Payment failed for Order: {} (User: {}). Amount: {}",
29
+ orderId, userId, amount, e);
30
+ }
31
+ ```
32
+
33
+ **Recommended Data to Log:**
34
+ - Entity IDs (`userId`, `orderId`).
35
+ - Failed values (if not sensitive).
36
+ - Correlation IDs (`traceId`).
37
+
38
+ **Tools:** SLF4J (MDC - Mapped Diagnostic Context), Sentry
package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md ADDED
@@ -0,0 +1,34 @@
1
+ ---
2
+ title: No Hardcoded Secrets In Repository
3
+ impact: CRITICAL
4
+ impactDescription: prevents secrets from being exposed in version control history
5
+ tags: secrets, credentials, git, security, java
6
+ ---
7
+
8
+ ## No Hardcoded Secrets In Repository
9
+
10
+ Passwords, API keys, and tokens must never be written directly into the source code. Even if deleted later, they remain in the Git history.
11
+
12
+ **Incorrect (secrets in code):**
13
+
14
+ ```java
15
+ // DANGEROUS: Secret is visible to anyone with code access
16
+ public String getS3Client() {
17
+ return "AKIAIOSFODNN7EXAMPLE"; // AWS Key
18
+ }
19
+ ```
20
+
21
+ **Correct (environment variables or config):**
22
+
23
+ ```java
24
+ // SECURE: Value is loaded at runtime
25
+ public String getS3Client() {
26
+ return System.getenv("AWS_ACCESS_KEY_ID");
27
+ }
28
+ ```
29
+
30
+ **Prevention:**
31
+ - Use `.gitignore` to exclude config files like `application-local.properties`.
32
+ - Use tools like `git-secrets` or `trufflehog` to scan for secrets before committing.
33
+
34
+ **Tools:** trufflehog, git-secrets, Gitleaks, SonarQube (S2068)
package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md ADDED
@@ -0,0 +1,27 @@
1
+ ---
2
+ title: Boolean Names Prefix
3
+ impact: MEDIUM
4
+ impactDescription: improves code readability by making boolean variables sound like questions
5
+ tags: naming, readability, java
6
+ ---
7
+
8
+ ## Boolean Names Prefix
9
+
10
+ Boolean variables and methods should be prefixed with `is`, `has`, `should`, `can`, or `exists` to be instantly recognizable as true/false values.
11
+
12
+ **Incorrect (missing prefix):**
13
+
14
+ ```java
15
+ boolean valid = true;
16
+ boolean active(User user) { ... }
17
+ ```
18
+
19
+ **Correct (standard boolean naming):**
20
+
21
+ ```java
22
+ boolean isValid = true;
23
+ boolean hasPermission = false;
24
+ boolean isActive(User user) { ... }
25
+ ```
26
+
27
+ **Tools:** IntelliJ Inspections, Checkstyle, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md ADDED
@@ -0,0 +1,39 @@
1
+ ---
2
+ title: Separate Parsing From Controllers
3
+ impact: HIGH
4
+ impactDescription: keeps controllers thin and focuses them on request routing
5
+ tags: architecture, controllers, java
6
+ ---
7
+
8
+ ## Separate Parsing From Controllers
9
+
10
+ Controllers should handle request mapping and delegation. Heavy parsing, transformation, or mapping logic should be moved to specialized Mapper classes or Services.
11
+
12
+ **Incorrect (bloated controller):**
13
+
14
+ ```java
15
+ @PostMapping("/users")
16
+ public String createUser(@RequestBody String rawJson) {
17
+ // VULNERABLE: Parsing logic in Controller
18
+ JSONObject json = new JSONObject(rawJson);
19
+ User user = new User();
20
+ user.setName(json.getString("full_name"));
21
+ // ...
22
+ service.save(user);
23
+ return "OK";
24
+ }
25
+ ```
26
+
27
+ **Correct (clean controller):**
28
+
29
+ ```java
30
+ @PostMapping("/users")
31
+ public ResponseEntity<?> createUser(@Valid @RequestBody UserDto dto) {
32
+ // Controller only delegates
33
+ User user = userMapper.toEntity(dto);
34
+ userService.save(user);
35
+ return ResponseEntity.ok().build();
36
+ }
37
+ ```
38
+
39
+ **Tools:** MapStruct, Jackson (for automatic parsing), Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md ADDED
@@ -0,0 +1,32 @@
1
+ ---
2
+ title: Do Not Ignore Superclass Logic
3
+ impact: MEDIUM
4
+ impactDescription: prevents bugs where base class functionality is unintentionally disabled
5
+ tags: clean-code, inheritance, java
6
+ ---
7
+
8
+ ## Do Not Ignore Superclass Logic
9
+
10
+ When overriding a method, you should usually call `super.methodName()` unless you are intentionally and explicitly replacing the base behavior. This ensures that hooks, logging, or state changes in the parent class are preserved.
11
+
12
+ **Incorrect (ignoring super):**
13
+
14
+ ```java
15
+ @Override
16
+ protected void onLoginSuccess() {
17
+ // VULNERABLE: Base class might trigger events or metrics!
18
+ myCustomLogic();
19
+ }
20
+ ```
21
+
22
+ **Correct (calling super):**
23
+
24
+ ```java
25
+ @Override
26
+ protected void onLoginSuccess() {
27
+ super.onLoginSuccess(); // Preserves base logic
28
+ myCustomLogic();
29
+ }
30
+ ```
31
+
32
+ **Tools:** IntelliJ Inspections, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md ADDED
@@ -0,0 +1,31 @@
1
+ ---
2
+ title: Do Not Hardcode Configuration Values
3
+ impact: HIGH
4
+ impactDescription: prevents the need for code changes when environment settings change
5
+ tags: configuration, env-vars, java
6
+ ---
7
+
8
+ ## Do Not Hardcode Configuration Values
9
+
10
+ Values that change between environments (URLs, thread counts, timeouts) should be stored in configuration files or environment variables.
11
+
12
+ **Incorrect (hardcoded config):**
13
+
14
+ ```java
15
+ public void connect() {
16
+ String url = "https://prod-api.example.com"; // VULNERABLE to env changes
17
+ }
18
+ ```
19
+
20
+ **Correct (configurable values):**
21
+
22
+ ```java
23
+ @Value("${api.url}")
24
+ private String apiUrl;
25
+
26
+ public void connect() {
27
+ // Uses the value from application.properties or ENV
28
+ }
29
+ ```
30
+
31
+ **Tools:** Spring Boot `@Value` / `@ConfigurationProperties`, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md ADDED
@@ -0,0 +1,38 @@
1
+ ---
2
+ title: URL Redirects Must Be In Allow List
3
+ impact: MEDIUM
4
+ impactDescription: prevents Open Redirect vulnerabilities used in phishing attacks
5
+ tags: redirect, phishing, security, java
6
+ ---
7
+
8
+ ## URL Redirects Must Be In Allow List
9
+
10
+ Accepting arbitrary URLs for redirection allows attackers to use your trusted domain to trick users into visiting malicious sites (Phishing). Always validate destination URLs against an allow-list.
11
+
12
+ **Incorrect (arbitrary redirect):**
13
+
14
+ ```java
15
+ // VULNERABLE: Attacker input: ?url=http://malicious-site.com
16
+ @GetMapping("/api/redirect")
17
+ public void handleRedirect(@RequestParam String url, HttpServletResponse response) {
18
+ response.sendRedirect(url);
19
+ }
20
+ ```
21
+
22
+ **Correct (allow-list validation):**
23
+
24
+ ```java
25
+ private static final List<String> ALLOWED_DOMAINS = List.of("sun-asterisk.vn", "partner.com");
26
+
27
+ @GetMapping("/api/redirect")
28
+ public void handleRedirect(@RequestParam String url, HttpServletResponse response) {
29
+ URI uri = URI.create(url);
30
+ if (ALLOWED_DOMAINS.contains(uri.getHost())) {
31
+ response.sendRedirect(url);
32
+ } else {
33
+ throw new SecurityException("Untrusted redirect destination");
34
+ }
35
+ }
36
+ ```
37
+
38
+ **Tools:** OWASP ZAP, Manual Audit, SonarQube (S5146)
package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md ADDED
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Do Not Log Credentials Or Tokens
3
+ impact: CRITICAL
4
+ impactDescription: prevents sensitive authentication data from leaking into logs
5
+ tags: logging, credentials, secrets, security, java
6
+ ---
7
+
8
+ ## Do Not Log Credentials Or Tokens
9
+
10
+ Logging passwords, session tokens, or API keys is a major security violation. Logs are often stored with less security than the actual database and can be accessed by many developers or automated log aggregation tools.
11
+
12
+ **Incorrect (logging sensitive data):**
13
+
14
+ ```java
15
+ @PostMapping("/login")
16
+ public void login(@RequestBody LoginRequest req) {
17
+ // VULNERABLE: Password written to logs!
18
+ log.info("Login attempt for user: {} with password: {}", req.getUsername(), req.getPassword());
19
+ }
20
+ ```
21
+
22
+ **Correct (safely logging):**
23
+
24
+ ```java
25
+ @PostMapping("/login")
26
+ public void login(@RequestBody LoginRequest req) {
27
+ // SECURE: Only log the username or a masked value
28
+ log.info("Login attempt for user: {}", req.getUsername());
29
+ }
30
+ ```
31
+
32
+ **Masking Strategy:**
33
+ If you must log sensitive objects, use a custom `toString()` method or a library to mask fields:
34
+ `{ "user": "admin", "password": "****" }`
35
+
36
+ **Tools:** Logback/Log4j2 filters, Manual Review, SonarQube (S2254)
package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md ADDED
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Enforce Authorization At Server Side
3
+ impact: CRITICAL
4
+ impactDescription: prevents unauthorized access to sensitive data and functionality
5
+ tags: authorization, security, server-side, access-control, java
6
+ ---
7
+
8
+ ## Enforce Authorization At Server Side
9
+
10
+ Client-side checks (hiding buttons, disabling links) are purely for UI/UX. The final decision on whether a user can perform an action must always happen on the server. Otherwise, an attacker can simply call the API endpoint directly.
11
+
12
+ **Incorrect (client-side or perimeter only):**
13
+
14
+ ```java
15
+ // VULNERABLE: Assuming anyone hitting this URL is an admin
16
+ @GetMapping("/admin/delete-user")
17
+ public void deleteUser(@RequestParam Long id) {
18
+ userRepo.deleteById(id);
19
+ }
20
+ ```
21
+
22
+ **Correct (server-side checks):**
23
+
24
+ ```java
25
+ // 1. Using Spring Security Annotations
26
+ @PreAuthorize("hasRole('ADMIN')")
27
+ @PostMapping("/api/users/{id}/delete")
28
+ public ResponseEntity<?> deleteUser(@PathVariable Long id) {
29
+ userRepo.deleteById(id);
30
+ return ResponseEntity.ok().build();
31
+ }
32
+
33
+ // 2. Resource-level authorization (Owning record check)
34
+ @PostMapping("/api/posts/{id}/edit")
35
+ public ResponseEntity<?> editPost(@PathVariable Long id, @RequestBody PostUpdateData data) {
36
+ Post post = postRepo.findById(id).orElseThrow();
37
+
38
+ // Explicitly check if the current user is the author
39
+ if (!post.getAuthorId().equals(CurrentContext.getUserId())) {
40
+ return ResponseEntity.status(403).body("Forbidden");
41
+ }
42
+
43
+ post.update(data);
44
+ return ResponseEntity.ok().build();
45
+ }
46
+ ```
47
+
48
+ **Security Best Practices:**
49
+ - Follow the **Principle of Least Privilege**.
50
+ - Default to **Deny All** and explicitly allow access to specific roles/users.
51
+ - Perform authorization checks for every single request, even for subsequent steps in a multi-step process.
52
+
53
+ **Tools:** Spring Security, Apache Shiro, Manual Audit