@sun-asterisk/sunlint 1.3.39 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md

@@ -0,0 +1,23 @@
+---
+title: OTPs Must Have 20-bit Entropy
+impact: MEDIUM
+impactDescription: ensures that numeric OTPs are difficult to guess within their short lifespan
+tags: otp, authentication, entropy, security, java
+---
+## OTPs Must Have 20-bit Entropy
+
+Numeric One-Time Passwords (OTPs) must be long enough to prevent guessing. A 6-digit OTP has approximately 20 bits of entropy, which is the recommended minimum for a short-lived token.
+
+**Correct (6-digit OTP):**
+
+```java
+SecureRandom random = new SecureRandom();
+int otp = 100000 + random.nextInt(900000); // 6 digits
+```
+
+**Strategy:**
+- Length: Minimum **6 digits**.
+- Expiry: **1-5 minutes**.
+- Rate limit attempts: Max **3-5 attempts** per OTP.
+
+**Tools:** Google Authenticator, Twilio Authy

package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md

@@ -0,0 +1,21 @@
+---
+title: Return Generic Error Messages To Users
+impact: MEDIUM
+impactDescription: prevents information disclosure that could help attackers map the system
+tags: error-handling, security, java
+---
+## Return Generic Error Messages To Users
+
+Avoid leaking system details (stack traces, DB versions) in HTTP responses.
+
+**Correct (Spring Security Handler):**
+
+```java
+@ExceptionHandler(Exception.class)
+public ResponseEntity<String> handle(Exception e) {
+    log.error("Internal Error", e);
+    return ResponseEntity.status(500).body("An internal error occurred.");
+}
+```
+
+**Tools:** Spring Boot ControllerAdvice

package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md

@@ -0,0 +1,16 @@
+---
+title: Avoid Default Admin/Root Accounts
+impact: MEDIUM
+impactDescription: prevents access via widely known default credentials
+tags: authentication, security, best-practice, java
+---
+## Avoid Default Admin/Root Accounts
+
+Systems should not ship with default, hardcoded administrator accounts.
+
+**Correct:**
+- Force password change on first login.
+- Generate a unique random password during the installation/setup process.
+- Do not use "admin" or "root" as default usernames.
+
+**Tools:** Security Audit

package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md

@@ -0,0 +1,36 @@
+---
+title: Validate Content-Type In REST Services
+impact: MEDIUM
+impactDescription: prevents content-type confusion attacks and parsing vulnerabilities
+tags: rest, content-type, validation, api, security, java
+---
+## Validate Content-Type In REST Services
+
+Accepting unexpected content types can lead to parsing vulnerabilities (like XML External Entity injection if XML is accidentally processed) or bypass security controls that only inspect certain media types.
+
+**Incorrect (accepting any content):**
+
+```java
+// VULNERABLE: No restriction on Content-Type
+@PostMapping("/api/data")
+public void handleData(@RequestBody String data) {
+    // Parser might try to be "smart" and parse XML inside a String
+}
+```
+
+**Correct (explicit Media Type):**
+
+```java
+// SECURE: Only accept JSON
+@PostMapping(value = "/api/data", consumes = MediaType.APPLICATION_JSON_VALUE)
+public ResponseEntity<?> handleData(@RequestBody MyDto dto) {
+    return ResponseEntity.ok().build();
+}
+```
+
+**Implementation Details:**
+- Use the `consumes` attribute in `@RequestMapping` / `@PostMapping`.
+- Ensure the server returns `415 Unsupported Media Type` for invalid requests.
+- Reject `multipart/form-data` unless specifically required for file uploads.
+
+**Tools:** OWASP ZAP, Postman (testing 415), Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md

@@ -0,0 +1,38 @@
+---
+title: Protect Against Log Injection
+impact: MEDIUM
+impactDescription: prevents attackers from forged log entries and corrupting audit trails
+tags: logging, injection, log-injection, security, java
+---
+## Protect Against Log Injection
+
+Log injection occurs when user-controlled data is written to a log file without sanitization. An attacker can insert newline characters to forge new log entries, confusing administrators or hiding malicious activity.
+
+**Incorrect (direct logging of user input):**
+
+```java
+// VULNERABLE: User input can contain \n or \r
+String username = request.getParameter("user");
+log.error("Failed login for user: " + username);
+// Input: admin\n[INFO] Login successful for user: admin
+```
+
+**Correct (sanitized logging):**
+
+```java
+// SECURE: Sanitize input by replacing newlines
+String username = request.getParameter("user")
+                  .replace('\n', '_')
+                  .replace('\r', '_');
+log.error("Failed login for user: {}", username);
+
+// Better: Use a logging library/layout that handles encoding automatically
+// (e.g., Logback's %replace or a JSON layout)
+```
+
+**Prevention:**
+- Replace `\r` and `\n` characters from all data before logging.
+- Use structured logging (JSON) which naturally escapes these characters.
+- Limit the length of data written to logs.
+
+**Tools:** SonarQube (S5147), Veracode, Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md

@@ -0,0 +1,35 @@
+---
+title: Use Synchronized Time (UTC) In Logs
+impact: MEDIUM
+impactDescription: enables accurate incident correlation and audit trail reconstruction across distributed systems
+tags: logging, time, utc, synchronization, security, java
+---
+## Use Synchronized Time (UTC) In Logs
+
+Inconsistent timestamps across different servers make it nearly impossible to correlate events during a security incident. Always use UTC and ensure servers are synchronized via NTP.
+
+**Incorrect (local time, inconsistent format):**
+
+```java
+// VULNERABLE: Local timezone - inconsistent across distributed servers
+log.info("Event at: " + LocalDateTime.now());
+```
+
+**Correct (UTC and standardized format):**
+
+```java
+// SECURE: Use Instant (UTC) and ISO-8601
+log.info("Event at: {}", Instant.now());
+
+// Or configure the logging framework (logback-spring.xml):
+// <encoder>
+//   <pattern>%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX, UTC} [%thread] %-5level %logger{36} - %msg%n</pattern>
+// </encoder>
+```
+
+**Checklist:**
+- Servers must use NTP (Network Time Protocol) to sync clocks.
+- All application logs must use UTC (not server local time).
+- Use ISO-8601 format for timestamps.
+
+**Tools:** NTP, Manual Configuration Review

package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md

@@ -0,0 +1,56 @@
+---
+title: Protect Against SSRF Attacks
+impact: CRITICAL
+impactDescription: prevents attackers from making requests to internal services or external systems from your server
+tags: ssrf, validation, security, java
+---
+## Protect Against SSRF Attacks
+
+Server-Side Request Forgery (SSRF) occurs when an application fetches a resource from a user-supplied URL without validation. Attackers can use this to scan internal networks, access cloud metadata (e.g., `169.254.169.254`), or bypass firewalls.
+
+**Incorrect (trusting user URL):**
+
+```java
+@GetMapping("/api/fetch")
+public void fetchImage(@RequestParam String url) {
+    // VULNERABLE: Attacker input: http://localhost:8080/admin
+    // or http://169.254.169.254/latest/meta-data/
+    HttpClient.newHttpClient().send(
+        HttpRequest.newBuilder().uri(URI.create(url)).build(),
+        BodyHandlers.ofString()
+    );
+}
+```
+
+**Correct (allow-listing and validation):**
+
+```java
+private static final List<String> ALLOWED_DOMAINS = List.of("cdn.sun-asterisk.vn", "images.example.com");
+
+@GetMapping("/api/fetch")
+public void fetchImage(@RequestParam String url) {
+    URI uri = URI.create(url);
+    
+    // 1. Validate Scheme
+    if (!"https".equals(uri.getScheme())) {
+        throw new SecurityException("Only HTTPS allowed");
+    }
+
+    // 2. Validate Domain (Allow-list)
+    if (!ALLOWED_DOMAINS.contains(uri.getHost())) {
+        throw new SecurityException("Domain not allowed");
+    }
+    
+    // 3. Prohibit internal/private IPs
+    // (Additional check against resolving the IP and checking if it's private)
+    
+    httpClient.send(...);
+}
+```
+
+**Prevention Strategies:**
+- **Allow-listing:** Only allow requests to a small list of known-good domains.
+- **Protocol Restriction:** Only allow `https://` (disable `file://`, `gopher://`, `http://`).
+- **IP Validation:** Never allow requests to internal IP ranges (127.0.0.1, 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254).
+
+**Tools:** OWASP ZAP, Snyk, Manual Architecture Review

package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md

@@ -0,0 +1,45 @@
+---
+title: Function Names Verb-Noun
+impact: LOW
+impactDescription: makes code self-documenting
+tags: naming, functions, readability, conventions, quality, kotlin
+---
+
+## Function Names Verb-Noun
+
+Functions do things. Action verbs make purpose clear. In Kotlin, use camelCase for function names and ensure they start with a verb.
+
+**Incorrect (vague names):**
+
+```kotlin
+fun user() { }           // Noun only
+fun userData() { }       // Noun only
+fun doSomething() { }    // Vague
+fun handleStuff() { }    // Vague
+fun manager() { }        // Noun only
+```
+
+**Correct (action verbs):**
+
+```kotlin
+fun getUser() { }
+fun createUserAccount() { }
+fun validateEmailFormat() { }
+fun calculateTotalPrice() { }
+fun sendConfirmationEmail() { }
+fun convertCurrencyToUSD() { }
+```
+
+**Verb categories:**
+
+| Category | Verbs |
+|----------|-------|
+| Retrieval | `get`, `fetch`, `find`, `load`, `query` |
+| Creation | `create`, `build`, `make`, `generate` |
+| Modification | `set`, `update`, `modify`, `change` |
+| Deletion | `delete`, `remove`, `destroy`, `clear` |
+| Validation | `validate`, `verify`, `check`, `ensure` |
+| Computation | `calculate`, `compute`, `parse`, `format` |
+| Boolean | `is`, `has`, `can`, `should`, `will` |
+
+**Tools:** PR review, detekt, Android Studio Linter

package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md

@@ -0,0 +1,49 @@
+---
+title: Do Not Use Dead Code
+impact: LOW
+impactDescription: reduces codebase noise and reduces cognitive load
+tags: dead-code, cleanup, maintenance, quality, kotlin
+---
+
+## Do Not Use Dead Code
+
+Dead code confuses readers and makes maintenance harder. Git history preserves deleted code, so there is no need to keep it in the active codebase as comments or unused functions.
+
+**Incorrect (keeping dead code):**
+
+```kotlin
+fun processOrder(order: Order): Double {
+    // Old implementation - keeping for reference
+    // val total = order.items.sumOf { it.price * it.quantity }
+    
+    val total = calculateTotal(order)
+    return total
+}
+
+// Unused function - someone might need it later
+fun legacyCalculation() { }
+
+import com.sun.utils.unusedHelper  // Never used
+```
+
+**Correct (clean code):**
+
+```kotlin
+fun processOrder(order: Order): Double {
+    val total = calculateTotal(order)
+    return total
+}
+
+// Delete unused functions - git history preserves them
+// Delete commented code - git history preserves it
+// Remove unused imports
+```
+
+**Types of dead code:**
+- Commented-out code
+- Unused functions/classes/properties
+- Unused imports
+- Unreachable code
+- Unused local variables
+
+**Tools:** detekt (UnusedPrivateMember, UnusedPrivateClass), Android Studio Linter, IntelliJ IDEA

package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md

@@ -0,0 +1,64 @@
+---
+title: Use Dependency Injection
+impact: HIGH
+impactDescription: enables testability and loose coupling
+tags: dependency-injection, testing, coupling, architecture, quality, kotlin
+---
+
+## Use Dependency Injection
+
+Direct instantiation of dependencies inside a class creates tight coupling, making unit testing difficult and modifications risky. Dependency Injection (DI) enables mockability, switchability, and better overall architecture.
+
+**Incorrect (hardcoded dependencies):**
+
+```kotlin
+class OrderService {
+    private val db = DatabaseConnection() // Hardcoded dependency
+    private val mailer = EmailService()   // Hardcoded dependency
+
+    fun createOrder(data: OrderData): Order {
+        val order = db.insert("orders", data)
+        mailer.send(data.email, "Order created")
+        return order
+    }
+}
+```
+
+**Correct (injected dependencies):**
+
+```kotlin
+interface Database {
+    fun insert(table: String, data: OrderData): Order
+}
+
+interface Mailer {
+    fun send(to: String, message: String)
+}
+
+class OrderService(
+    private val db: Database,
+    private val mailer: Mailer
+) {
+    fun createOrder(data: OrderData): Order {
+        val order = db.insert("orders", data)
+        mailer.send(data.email, "Order created")
+        return order
+    }
+}
+
+// Usage (manual or via Dagger/Koin/Hilt)
+val service = OrderService(PostgresDatabase(), SendGridMailer())
+
+// Testing with MockK
+val mockDb = mockk<Database>()
+val mockMailer = mockk<Mailer>()
+val testService = OrderService(mockDb, mockMailer)
+```
+
+**Benefits:**
+- Easy mocking and stubbing for unit tests
+- Modular and reusable components
+- Clear visibility of class dependencies
+- Separation of concerns
+
+**Tools:** Dagger-Hilt, Koin, MockK, PR review

package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md

@@ -0,0 +1,68 @@
+---
+title: No Business Logic In Constructors
+impact: HIGH
+impactDescription: ensures predictable object initialization and testability
+tags: constructor, initialization, side-effects, patterns, quality, kotlin
+---
+
+## No Business Logic In Constructors
+
+Constructors should only be used to assign dependencies and initialize simple state. Complex logic, I/O operations, or external system calls in constructors are hard to test, trap errors poorly, and can lead to uninitialized state issues.
+
+**Incorrect (logic in constructor):**
+
+```kotlin
+class UserService(configPath: String) {
+    private val config: Config
+
+    init {
+        // BAD: Blocking I/O in constructor
+        val rawConfig = File(configPath).readText()
+        this.config = Json.decodeFromString<Config>(rawConfig)
+        
+        // BAD: Starting threads or network calls
+        GlobalScope.launch { 
+            initializeExternalSystem()
+        }
+        
+        // BAD: Non-trivial logging
+        println("UserService initialized")
+    }
+}
+```
+
+**Correct (Factory pattern or Dependency Injection):**
+
+```kotlin
+class UserService(
+    private val config: Config,
+    private val httpClient: HttpClient
+) {
+    // Only assignments, no complex logic in init
+    
+    companion object {
+        // Factory method for complex initialization
+        suspend fun create(configPath: String): UserService {
+            val rawConfig = withContext(Dispatchers.IO) {
+                File(configPath).readText()
+            }
+            val config = Json.decodeFromString<Config>(rawConfig)
+            
+            val httpClient = HttpClient()
+            httpClient.initialize()
+            
+            return UserService(config, httpClient)
+        }
+    }
+}
+
+// Usage
+val service = UserService.create("./config.json")
+```
+
+**Recommended Practices:**
+- Use `companion object` for factory methods.
+- Inject dependencies via constructor.
+- Move side effects to dedicated `init()` or `start()` methods called explicitly after object creation.
+
+**Tools:** Static analyzer, detekt, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md

@@ -0,0 +1,46 @@
+---
+title: Do Not Throw Generic Exceptions
+impact: HIGH
+impactDescription: enables specific error handling and accurate monitoring
+tags: error-handling, exceptions, custom-errors, debugging, quality, kotlin
+---
+
+## Do Not Throw Generic Exceptions
+
+Generic exceptions like `Exception`, `RuntimeException`, or `Throwable` lack specific context. They make it impossible for callers to catch specific error types and handle them appropriately (e.g., retrying a network error but failing on a validation error).
+
+**Incorrect (generic exceptions):**
+
+```kotlin
+if (user == null) {
+    throw Exception("error")
+}
+
+if (!isValid) {
+    throw RuntimeException("Invalid")
+}
+```
+
+**Correct (specific custom exceptions):**
+
+```kotlin
+if (user == null) {
+    throw UserNotFoundException("User with ID $userId not found in database")
+}
+
+if (!isValid) {
+    throw ValidationException(
+        field = "email",
+        message = "Email format is invalid",
+        value = email,
+        code = "INVALID_EMAIL_FORMAT"
+    )
+}
+```
+
+**Custom exceptions should include:**
+- Descriptive message with runtime context.
+- Domain-specific naming (e.g., `InsufficientFundsException`).
+- Optional error codes or structured data for debugging/API responses.
+
+**Tools:** detekt (TooGenericExceptionThrown), Android Studio Linter, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md

@@ -0,0 +1,50 @@
+---
+title: Do Not Use Error Log For Non-critical
+impact: HIGH
+impactDescription: prevents alert fatigue and ensures meaningful monitoring
+tags: logging, log-levels, error, observability, quality, kotlin
+---
+
+## Do Not Use Error Log For Non-critical
+
+Incorrect log levels cause alert fatigue and hide real issues. When non-critical business events are logged as "ERROR", it becomes difficult for SRE/Developers to identify actual system failures.
+
+**Incorrect (overusing error level):**
+
+```kotlin
+// NOT an error - expected business case
+logger.error("User entered wrong password")
+
+// NOT an error - validation failure
+logger.error("Email format invalid")
+
+// NOT an error - expected retry
+logger.error("Retry attempt 2 of 5")
+```
+
+**Correct (appropriate log levels):**
+
+```kotlin
+// WARN - recoverable, may need attention if repetitive
+logger.warn("Payment retry attempt: {}, max: {}", current, max)
+
+// INFO - normal business events
+logger.info("Login failed - invalid password for user: {}", userId)
+
+// DEBUG - detailed troubleshooting information
+logger.debug("Validation failed for field: {}, value: {}", field, value)
+
+// ERROR - only for actual system failures or unhandled exceptions
+logger.error("Database connection lost to host: {}", dbHost, exception)
+```
+
+**Log Level Guide:**
+
+| Level | Use For |
+|-------|---------|
+| ERROR | System failures, unhandled exceptions, data loss, dependency down |
+| WARN | Recoverable errors, degraded performance, deprecated API usage |
+| INFO | Key business milestones, startup/shutdown, audit-level events |
+| DEBUG | Detailed technical data for developers during troubleshooting |
+
+**Tools:** Static analyzer, PR review, Log Monitoring (Sentry/Datadog) alerts configuration

package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md

@@ -0,0 +1,44 @@
+---
+title: Do Not Import Unused Modules
+impact: LOW
+impactDescription: reduces codebase noise and improves build times
+tags: imports, cleanup, maintenance, quality, kotlin
+---
+
+## Do Not Import Unused Modules
+
+Unused imports increase compilation time and create unnecessary noise in the codebase. Modern IDEs like IntelliJ or Android Studio can automatically clean these up.
+
+**Incorrect (unused imports):**
+
+```kotlin
+package com.sun.service
+
+import com.sun.models.User
+import com.sun.models.Order     // Unused
+import com.sun.models.Product   // Unused
+import java.util.Date           // Unused
+
+// Only User is actually used
+fun fetchUser(id: String): User {
+    return userRepository.findById(id)
+}
+```
+
+**Correct (only needed imports):**
+
+```kotlin
+package com.sun.service
+
+import com.sun.models.User
+
+fun fetchUser(id: String): User {
+    return userRepository.findById(id)
+}
+```
+
+**Auto-removal in IntelliJ/Android Studio:**
+- Use **Optimize Imports** shortcut: `Ctrl + Alt + O` (Windows/Linux) or `Option + Command + O` (macOS).
+- Enable "Optimize imports on the fly" in Settings -> Editor -> General -> Auto Import.
+
+**Tools:** detekt (UnusedImport), ktlint, Android Studio / IntelliJ IDEA

package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md

@@ -0,0 +1,39 @@
+---
+title: Do Not Leave Unused Variables
+impact: LOW
+impactDescription: reduces code noise and prevents potential logic bugs
+tags: variables, cleanup, quality, kotlin
+---
+
+## Do Not Leave Unused Variables
+
+Unused variables suggest incomplete refactoring, abandoned logic, or potential bugs. They clutter the code and distract the reader.
+
+**Incorrect (unused variables):**
+
+```kotlin
+fun processOrder(order: Order): List<String> {
+    val user = order.user       // Never used
+    val total = order.total     // Never used
+    val items = order.items
+    
+    return items.map { it.name }
+}
+```
+
+**Correct (only needed variables):**
+
+```kotlin
+fun processOrder(order: Order): List<String> {
+    return order.items.map { it.name }
+}
+
+// In lambdas or destructuring, use underscore (_) for intentionally ignored parameters
+order.items.forEachIndexed { _, item ->
+    println(item.id)
+}
+
+val (id, _) = getPair() // ignore second element
+```
+
+**Tools:** detekt (UnusedPrivateMember, UnusedLocalVariable), Android Studio Linter, Kotlin Compiler warnings