@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488)
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
@@ -0,0 +1,79 @@
1
+ ---
2
+ title: Separate Processing And Data Access
3
+ impact: HIGH
4
+ impactDescription: enables testable business logic and cleaner architecture
5
+ tags: separation, repository, service, architecture, quality, php
6
+ ---
7
+
8
+ ## Separate Processing And Data Access
9
+
10
+ Mixing business logic with database queries (SQL or ORM calls) creates tight coupling. This makes unit testing difficult because it forces a dependency on a real database and violates the Single Responsibility Principle.
11
+
12
+ **Incorrect (mixed concerns in Service):**
13
+
14
+ ```php
15
+ class OrderService {
16
+ public function calculateDiscount($userId) {
17
+ // Business logic mixed with database queries
18
+ $user = DB::table('users')->where('id', $userId)->first();
19
+ $orderCount = DB::table('orders')->where('user_id', $userId)->count();
20
+
21
+ $discount = 0;
22
+ if ($orderCount > 10) $discount += 5;
23
+ if ($user->is_premium) $discount += 10;
24
+
25
+ return $discount;
26
+ }
27
+ }
28
+ ```
29
+
30
+ **Correct (separated Service and Repository layers):**
31
+
32
+ ```php
33
+ /**
34
+ * Repository - Handles Data Access only
35
+ */
36
+ class UserRepository {
37
+ public function findById($id): ?User {
38
+ return User::find($id);
39
+ }
40
+ }
41
+
42
+ class OrderRepository {
43
+ public function getCountByUserId($userId): int {
44
+ return Order::where('user_id', $userId)->count();
45
+ }
46
+ }
47
+
48
+ /**
49
+ * Service - Handles Business Logic only
50
+ */
51
+ class DiscountService {
52
+ public function __construct(
53
+ private UserRepository $userRepo,
54
+ private OrderRepository $orderRepo
55
+ ) {}
56
+
57
+ public function calculateDiscount(int $userId): int {
58
+ $user = $this->userRepo->findById($userId);
59
+ $orderCount = $this->orderRepo->getCountByUserId($userId);
60
+
61
+ return $this->compute(user, $orderCount);
62
+ }
63
+
64
+ private function compute(?User $user, int $count): int {
65
+ $discount = 0;
66
+ if ($count > 10) $discount += 5;
67
+ if ($user?->is_premium) $discount += 10;
68
+ return $discount;
69
+ }
70
+ }
71
+ ```
72
+
73
+ **Why separate them?**
74
+ - **Mockability**: You can test the `DiscountService` by mocking the repositories without touching a real database.
75
+ - **Maintainability**: If the database schema changes, you only update the Repository, not the business logic.
76
+ - **Reusability**: Different services can use the same repository methods.
77
+ - **Clarity**: High-level business rules are not obscured by low-level data access details.
78
+
79
+ **Tools:** Architectural review, PHPUnit (Mocking), Laravel Repository Pattern
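Review bot: The "correct" DiscountService example does not run as written — `return $this->compute(user, $orderCount);` is missing the `$` on `user`, so PHP resolves it as an undefined constant and throws an Error at runtime; it should read `return $this->compute($user, $orderCount);`. Because this file is shipped as a skill asset that tooling will quote as the reference implementation, a broken snippet propagates into generated fixes, so it is worth correcting before release. It would also help to say explicitly that `compute(?User $user, ...)` treats an unknown user as non-premium rather than failing, since that is a business decision the example makes silently.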
@@ -0,0 +1,54 @@
1
+ ---
2
+ title: Log All Relevant Context On Errors
3
+ impact: HIGH
4
+ impactDescription: enables rapid debugging and incident resolution
5
+ tags: error-handling, logging, context, debugging, quality, php
6
+ ---
7
+
8
+ ## Log All Relevant Context On Errors
9
+
10
+ When an error occurs, simply logging the message "An error occurred" is insufficient. Effective debugging requires structured logs that include the error cause and the state of the application at that moment.
11
+
12
+ **Incorrect (minimal context):**
13
+
14
+ ```php
15
+ Log::error('Error occurred');
16
+ Log::error($e->getMessage()); // Missing stack trace and context
17
+ ```
18
+
19
+ **Correct (structured logging with Monolog/Laravel Context):**
20
+
21
+ ```php
22
+ try {
23
+ $this->paymentService->process($order);
24
+ } catch (\Throwable $e) {
25
+ Log::error('Order processing failed', [
26
+ // The Exception itself (Monolog handles the stack trace)
27
+ 'exception' => $e,
28
+
29
+ // Business Context
30
+ 'order_id' => $order->id,
31
+ 'user_id' => auth()->id(),
32
+ 'amount' => $order->amount,
33
+
34
+ // Request Metadata
35
+ 'url' => request()->fullUrl(),
36
+ 'method' => request()->method(),
37
+ 'ip' => request()->ip(),
38
+
39
+ // Performance/Timing
40
+ 'duration_ms' => round((microtime(true) - $startTime) * 1000, 2),
41
+ ]);
42
+
43
+ throw $e; // Re-throw if necessary
44
+ }
45
+ ```
46
+
47
+ **Essential Context to Include:**
48
+ 1. **The Exception**: Pass the entire exception object to the logger so it can extract the message, file, line, and full stack trace.
49
+ 2. **Entity Identifiers**: IDs of the users, orders, or products involved.
50
+ 3. **Correlation IDs**: Use unique request IDs (e.g., from `X-Request-ID` header) to trace a single request across multiple logs.
51
+ 4. **Input State**: A summary of the input that lead to the error (excluding sensitive data like passwords).
52
+ 5. **Environment**: App environment (`production`, `staging`) and server name.
53
+
54
+ **Tools:** Monolog, Sentry, Laravel Logging, New Relic, ELK Stack
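Review bot: The "Request Metadata" section logs `request()->fullUrl()`, which includes the query string; query strings routinely carry password-reset tokens, OAuth `code`/`state` values and API keys, so this example contradicts the corpus's own no-credentials-in-logs (S004) and no-sensitive-query-string (S016) rules. Prefer `'url' => request()->url(), // path only — query strings may carry tokens (see S016)` or a redacted form, and extend item 4's "excluding sensitive data" caveat to cover URLs and headers as well as input bodies. The snippet also references `$startTime` without defining it, which a reader copying the block will trip over; a one-line `$startTime = microtime(true);` before the `try` would make it self-contained.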
@@ -0,0 +1,59 @@
1
+ ---
2
+ title: No Hardcoded Secrets In Repo
3
+ impact: HIGH
4
+ impactDescription: prevents credential exposure and security breaches
5
+ tags: secrets, credentials, security, git, quality, php
6
+ ---
7
+
8
+ ## No Hardcoded Secrets In Repo
9
+
10
+ Hardcoding secrets (API keys, database passwords, private tokens) directly in the source code exposes them to anyone with repository access. Once committed, these secrets remain in the Git history even if deleted later.
11
+
12
+ **Incorrect (secrets in code):**
13
+
14
+ ```php
15
+ // Hardcoded API key
16
+ $stripeSecret = 'sk_live_51P...';
17
+
18
+ // Hardcoded database credentials
19
+ $conn = mysqli_connect("localhost", "root", "password123", "my_db");
20
+
21
+ // Using plain text secrets in config files committed to VCS
22
+ return [
23
+ 'aws_key' => 'AKIA...',
24
+ 'aws_secret' => 'base64_encoded_secret...'
25
+ ];
26
+ ```
27
+
28
+ **Correct (environment variables or secrets manager):**
29
+
30
+ ```php
31
+ // Using environment variables (via .env file not in VCS)
32
+ $stripeSecret = getenv('STRIPE_SECRET_KEY');
33
+
34
+ // In Laravel (using config which pulls from .env)
35
+ $stripeSecret = config('services.stripe.secret');
36
+
37
+ // Validation at startup or in Service Providers
38
+ if (empty($stripeSecret)) {
39
+ throw new \RuntimeException('STRIPE_SECRET_KEY is required but not set.');
40
+ }
41
+ ```
42
+
43
+ **.gitignore configuration:**
44
+ Ensure sensitive files are never committed:
45
+ ```gitignore
46
+ # .gitignore
47
+ .env
48
+ .env.production
49
+ auth.json
50
+ *.key
51
+ *.pem
52
+ ```
53
+
54
+ **Prevention Strategy:**
55
+ 1. Use `.env.example` to list required keys without values.
56
+ 2. Use a Secrets Manager (AWS, HashiCorp Vault) for production environments.
57
+ 3. Rotate secrets immediately if they are accidentally committed.
58
+
59
+ **Tools:** Gitleaks, TruffleHog, SonarQube, pre-commit hooks
@@ -0,0 +1,52 @@
1
+ ---
2
+ title: Boolean Names Is/Has/Should
3
+ impact: HIGH
4
+ impactDescription: makes conditions instantly readable
5
+ tags: naming, booleans, readability, quality, php
6
+ ---
7
+
8
+ ## Boolean Names Is/Has/Should
9
+
10
+ Boolean variables and methods should use prefixes like `is`, `has`, `should`, `can`, or `will`. This makes conditions and logic flows instantly readable and distinguishes booleans from other data types.
11
+
12
+ **Incorrect (unclear boolean names):**
13
+
14
+ ```php
15
+ $active = ($user->status === 'active');
16
+ $admin = checkAdminRole($user);
17
+ $items = (count($cart) > 0);
18
+ $refresh = needsRefresh();
19
+
20
+ if ($active) { ... } // Unclear if $active is an object, string, or boolean
21
+ ```
22
+
23
+ **Correct (boolean prefixes):**
24
+
25
+ ```php
26
+ $isActive = ($user->status === 'active');
27
+ $isAdmin = checkAdminRole($user);
28
+ $hasItems = (count($cart) > 0);
29
+ $shouldRefresh = needsRefresh();
30
+ $canEdit = hasPermission($user, 'edit');
31
+
32
+ if ($isActive) { ... } // Instantly readable context
33
+ ```
34
+
35
+ **Common Boolean prefixes:**
36
+
37
+ | Prefix | Use Case | Example |
38
+ |--------|----------|---------|
39
+ | `is` | State or identity | `$isEnabled`, `$isActive`, `$isOwner` |
40
+ | `has` | Possession or existence | `$hasPermission`, `$hasErrors`, `$hasAttachment` |
41
+ | `should` | Boolean logic for decisions | `$shouldRetry`, `$shouldRedirect`, `$shouldSave` |
42
+ | `can` | Permissions or capabilities | `$canDelete`, `$canViewAdmin`, `$canUpload` |
43
+ | `will` | Future state or intent | `$willExpire`, `$willAutoRenew` |
44
+
45
+ **Best Practice for Methods:**
46
+ Always prefer naming boolean-returning methods with these prefixes as well:
47
+ ```php
48
+ public function isActive(): bool { ... }
49
+ public function hasPermission(string $perm): bool { ... }
50
+ ```
51
+
52
+ **Tools:** PHPStan (check-naming-conventions), PR review
@@ -0,0 +1,66 @@
1
+ ---
2
+ title: Separate Parsing From Controllers
3
+ impact: HIGH
4
+ impactDescription: keeps controllers thin and focused on HTTP orchestration
5
+ tags: controller, parsing, transformation, patterns, quality, php
6
+ ---
7
+
8
+ ## Separate Parsing From Controllers
9
+
10
+ Controllers should be "thin" and focus only on orchestrating HTTP concerns: receiving requests, calling services, and returning responses. Complex data transformation or parsing logic should be extracted into dedicated classes like Resources, Transformers, or Mappers.
11
+
12
+ **Incorrect (transformation logic in Controller):**
13
+
14
+ ```php
15
+ class UserController extends Controller {
16
+ public function show($id) {
17
+ $user = User::findOrFail($id);
18
+
19
+ // Complex transformation in controller
20
+ return response()->json([
21
+ 'id' => $user->id,
22
+ 'full_name' => $user->first_name . ' ' . $user->last_name,
23
+ 'email' => strtolower($user->email),
24
+ 'member_since' => $user->created_at->format('Y-m-d'),
25
+ 'can_delete' => $user->id !== auth()->id()
26
+ ]);
27
+ }
28
+ }
29
+ ```
30
+
31
+ **Correct (using a Resource or Transformer):**
32
+
33
+ ```php
34
+ /**
35
+ * Using Laravel API Resources (Recommended)
36
+ */
37
+ class UserResource extends JsonResource {
38
+ public function toArray($request) {
39
+ return [
40
+ 'id' => $this->id,
41
+ 'full_name' => $this->first_name . ' ' . $this->last_name,
42
+ 'email' => strtolower($this->email),
43
+ 'member_since' => $this->created_at->format('Y-m-d'),
44
+ 'can_delete' => $this->id !== auth()->id()
45
+ ];
46
+ }
47
+ }
48
+
49
+ /**
50
+ * Clean Controller
51
+ */
52
+ class UserController extends Controller {
53
+ public function show($id) {
54
+ $user = User::findOrFail($id);
55
+ return new UserResource($user);
56
+ }
57
+ }
58
+ ```
59
+
60
+ **Benefits:**
61
+ - **Reusability**: Use the same transformation logic in different controllers or for nested relationships.
62
+ - **Maintainability**: Changing the API response format only requires editing one resource class.
63
+ - **Testability**: You can unit test the Resource/Transformer class independently of the HTTP request.
64
+ - **Separation of Concerns**: Controllers handle "How to respond", Resources handle "What the response looks like".
65
+
66
+ **Tools:** Laravel API Resources, league/fractal, Spatie Data Transfer Objects, PR review
@@ -0,0 +1,54 @@
1
+ ---
2
+ title: Do Not Ignore Superclass Logic
3
+ impact: HIGH
4
+ impactDescription: ensures proper inheritance behavior and prevents breaking base logic
5
+ tags: inheritance, override, superclass, oop, quality, php
6
+ ---
7
+
8
+ ## Do Not Ignore Superclass Logic
9
+
10
+ When overriding methods in a subclass, ensure that you are not accidentally bypassing critical logic defined in the base class. Unless you intentionally want to replace the entire behavior, you should generally call the parent implementation.
11
+
12
+ **Incorrect (ignoring superclass logic):**
13
+
14
+ ```php
15
+ class BaseService {
16
+ public function save($entity) {
17
+ $this->validate($entity);
18
+ $this->beforeSave($entity);
19
+ $this->repository->persist($entity);
20
+ $this->afterSave($entity);
21
+ }
22
+ }
23
+
24
+ class UserService extends BaseService {
25
+ public function save($user) {
26
+ // Completely bypasses validation and hooks!
27
+ $this->repository->persist($user);
28
+ }
29
+ }
30
+ ```
31
+
32
+ **Correct (calling parent implementation):**
33
+
34
+ ```php
35
+ class UserService extends BaseService {
36
+ public function save($user) {
37
+ // Add subclass-specific logic
38
+ $user->updated_at = now();
39
+
40
+ // Call superclass logic to ensure hooks and validation run
41
+ parent::save($user);
42
+
43
+ // Add more specific logic
44
+ $this->notifyAdmins($user);
45
+ }
46
+ }
47
+ ```
48
+
49
+ **When is it acceptable to skip `parent::method()`?**
50
+ - When the base implementation is explicitly designed to be replaced.
51
+ - When the base implementation is an empty placeholder or default behavior that does not apply.
52
+ - **Action**: Always document the reason why the parent logic is being intentionally bypassed.
53
+
54
+ **Tools:** PHPStan (check for missing parent calls), Psalm, PR review
@@ -0,0 +1,55 @@
1
+ ---
2
+ title: Do Not Hardcode Configuration
3
+ impact: HIGH
4
+ impactDescription: enables environment-specific deployments without code changes
5
+ tags: configuration, environment, deployment, quality, php
6
+ ---
7
+
8
+ ## Do Not Hardcode Configuration
9
+
10
+ Configuration values that vary between environments (Staging, Production, Local) should never be hardcoded in the source code. Hardcoding these values requires code changes and deployments for simple configuration updates and prevents the creation of portable builds.
11
+
12
+ **Incorrect (hardcoded config):**
13
+
14
+ ```php
15
+ // Hardcoded API URLs and limits
16
+ $apiUrl = 'https://api.production.example.com';
17
+ $timeout = 30;
18
+ $maxUploadSize = 10485760; // 10MB
19
+ ```
20
+
21
+ **Correct (externalized config):**
22
+
23
+ ```php
24
+ /**
25
+ * Use Environment Variables (.env)
26
+ */
27
+
28
+ // In plain PHP
29
+ $apiUrl = getenv('API_URL') ?: 'http://localhost:8000';
30
+ $timeout = (int)(getenv('API_TIMEOUT') ?: 30);
31
+
32
+ // In Laravel (Recommended: use config files that pull from env)
33
+ // config/services.php
34
+ return [
35
+ 'external_api' => [
36
+ 'url' => env('EXTERNAL_API_URL', 'https://api.staging.example.com'),
37
+ 'timeout' => env('EXTERNAL_API_TIMEOUT', 30),
38
+ ]
39
+ ];
40
+
41
+ // Usage in Service
42
+ $url = config('services.external_api.url');
43
+ ```
44
+
45
+ **Why externalize configuration?**
46
+ - **Portability**: The same code can run in Dev, Staging, and Production by changing only the `.env` file or environment variables.
47
+ - **Security**: Sensitive configuration (like API keys) is kept out of the codebase (see rule **C041**).
48
+ - **Flexibility**: Change values (like timeouts or feature flags) without re-deploying or re-building the application code.
49
+
50
+ **Best Practices:**
51
+ 1. Provide sensible defaults for local development.
52
+ 2. Validate required configuration at application startup.
53
+ 3. Use a single source of truth for configuration (e.g., Laravel's `config/` directory).
54
+
55
+ **Tools:** PHP Dotenv (`vlucas/phpdotenv`), Laravel/Symfony Config components, PR review
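Review bot: The Laravel example defaults an environment-specific endpoint to `'https://api.staging.example.com'`, so a production deployment that forgets `EXTERNAL_API_URL` silently talks to staging instead of failing; that is the opposite of Best Practice item 2 ("validate required configuration at application startup"). For values that differ per environment, the safer guidance is no default and a startup check, e.g. `'url' => env('EXTERNAL_API_URL'),` plus a provider-level `if (empty(config('services.external_api.url'))) throw new \RuntimeException('EXTERNAL_API_URL is required');`. Reserve hardcoded fallbacks for harmless local-development values such as the plain-PHP `http://localhost:8000` line above.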
@@ -0,0 +1,60 @@
1
+ ---
2
+ title: URL Redirects Must Be In Allow List
3
+ impact: LOW
4
+ impactDescription: prevents open redirect vulnerabilities
5
+ tags: redirect, url, allow-list, validation, security, php
6
+ ---
7
+
8
+ ## URL Redirects Must Be In Allow List
9
+
10
+ Open redirect vulnerabilities allow attackers to redirect users to malicious sites, often used in phishing attacks. This occurs when an application takes a URL as input and redirects the user to that URL without proper validation.
11
+
12
+ **Incorrect (unvalidated redirect URL):**
13
+
14
+ ```php
15
+ // Open redirect vulnerability
16
+ $url = $_GET['url'];
17
+ header("Location: " . $url); // Attacker: ?url=https://malicious-site.com
18
+ exit;
19
+
20
+ // Partial validation (can be bypassed)
21
+ if (strpos($_GET['url'], 'example.com') !== false) {
22
+ header("Location: " . $_GET['url']); // Bypass: https://attacker.com?example.com
23
+ exit;
24
+ }
25
+ ```
26
+
27
+ **Correct (allow list validation):**
28
+
29
+ ```php
30
+ // 1. Using an allow list of hosts
31
+ $url = $_GET['url'] ?? '/';
32
+ $parsed = parse_url($url);
33
+ $allowedHosts = ['example.com', 'sun-asterisk.vn'];
34
+
35
+ if (isset($parsed['host'])) {
36
+ if (!in_array($parsed['host'], $allowedHosts)) {
37
+ header("Location: /error?msg=Invalid+Redirect");
38
+ exit;
39
+ }
40
+ }
41
+
42
+ // 2. Ensuring relative redirect only
43
+ if (strpos($url, '/') === 0 && strpos($url, '//') !== 0) {
44
+ // This is a relative path starting with / but not // (which is an absolute URL)
45
+ header("Location: " . $url);
46
+ exit;
47
+ }
48
+
49
+ // 3. Using Laravel's safe redirect
50
+ return redirect()->away($url); // If host is trusted, or:
51
+ return redirect()->intended('/dashboard'); // Safer
52
+ ```
53
+
54
+ **Protection strategies:**
55
+ 1. Maintain an allow list of trusted domains.
56
+ 2. Force redirects to be relative URLs (starting with a single `/`).
57
+ 3. Always validate the host part using `parse_url()`.
58
+ 4. Use framework-specific security helpers (e.g., Laravel's `redirect()`).
59
+
60
+ **Tools:** SonarQube (S5144), Semgrep, PHPStan, Manual Review
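Review bot: The "correct" example is itself bypassable: the relative-only guard `strpos($url, '/') === 0 && strpos($url, '//') !== 0` accepts `/\evil.com`, which browsers normalise to `//evil.com`, and anything that is neither host-bearing nor relative (a `javascript:` URL, a malformed string where `parse_url` returns `false`) falls through to `redirect()->away($url)`, which performs no validation at all. The host allow-list also uses non-strict `in_array` and never checks the scheme, and the comment "If host is trusted" suggests `away()` is safe when it is simply a raw redirect. The branches should be combined into a deny-by-default check that rejects backslashes, requires `http`/`https` for absolute URLs and only then redirects; the rewritten validation is below.
```php
$url = $_GET['url'] ?? '/';
$parsed = parse_url($url);
$allowedHosts = ['example.com', 'sun-asterisk.vn'];

// Relative path: single leading "/", no "//" or "/\" (browser-normalised to "//"), no scheme/host.
$isRelative = $parsed !== false
    && !isset($parsed['scheme'], $parsed['host'])
    && str_starts_with($url, '/')
    && !str_starts_with($url, '//')
    && !str_starts_with($url, '/\\');

// Absolute URL: only http(s) and only an exact allow-listed host (strict comparison).
$isAllowedHost = $parsed !== false
    && isset($parsed['host'])
    && in_array($parsed['scheme'] ?? '', ['http', 'https'], true)
    && in_array($parsed['host'], $allowedHosts, true);

if (!$isRelative && !$isAllowedHost) {
    header("Location: /error?msg=Invalid+Redirect"); // deny by default
    exit;
}
header("Location: " . $url);
exit;
// … unchanged: Laravel alternative — prefer redirect()->intended('/dashboard'); away() does no validation …
```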
@@ -0,0 +1,67 @@
1
+ ---
2
+ title: Do Not Log Credentials Or Tokens
3
+ impact: MEDIUM
4
+ impactDescription: prevents credential exposure in logs
5
+ tags: logging, credentials, tokens, secrets, security, php
6
+ ---
7
+
8
+ ## Do Not Log Credentials Or Tokens
9
+
10
+ Logs are frequently stored in plaintext and accessible by many developers or automated tools. Including sensitive credentials (passwords, API tokens, session IDs) in logs can lead to account takeovers if the logs are ever compromised or accidentally exposed.
11
+
12
+ **Incorrect (logging sensitive data):**
13
+
14
+ ```php
15
+ // Logging user credentials
16
+ Log::info('Login attempt', [
17
+ 'username' => $request->username,
18
+ 'password' => $request->password // NEVER!
19
+ ]);
20
+
21
+ // Logging all request headers
22
+ Log::debug('Request headers', $request->headers->all());
23
+ // Authorization header contains Bearer tokens!
24
+
25
+ // Logging full request body
26
+ Log::info('Incoming form data', $request->all());
27
+ // May contain password, credit_card, or secret_key
28
+ ```
29
+
30
+ **Correct (sanitized logging):**
31
+
32
+ ```php
33
+ // 1. Omit sensitive fields explicitly
34
+ Log::info('Login attempt', [
35
+ 'username' => $request->username,
36
+ // password excluded
37
+ ]);
38
+
39
+ // 2. Redact sensitive headers
40
+ $headers = $request->headers->all();
41
+ if (isset($headers['authorization'])) {
42
+ $headers['authorization'] = '[REDACTED]';
43
+ }
44
+ Log::debug('Request headers', $headers);
45
+
46
+ // 3. Use an allowlist or a masking helper
47
+ function sanitizeForLog(array $data): array {
48
+ $sensitive = ['password', 'token', 'secret', 'credit_card', 'api_key'];
49
+ foreach ($sensitive as $field) {
50
+ if (isset($data[$field])) {
51
+ $data[$field] = '[REDACTED]';
52
+ }
53
+ }
54
+ return $data;
55
+ }
56
+
57
+ Log::info('Request data', sanitizeForLog($request->all()));
58
+ ```
59
+
60
+ **Never log:**
61
+ - Passwords (plaintext or hashes)
62
+ - API keys, JWT tokens, OAuth tokens
63
+ - Credit card numbers, CVVs
64
+ - Session IDs (`PHPSESSID`)
65
+ - Personal Identifiable Information (PII) like SSNs where not required
66
+
67
+ **Tools:** Monolog (custom formatters), PHPStan, SonarQube, Log analysis tools
@@ -0,0 +1,57 @@
1
+ ---
2
+ title: Enforce Authorization At Trusted Service Layer
3
+ impact: CRITICAL
4
+ impactDescription: prevents client-side authorization bypass and unauthorized access
5
+ tags: authorization, server-side, middleware, access-control, security, php
6
+ ---
7
+
8
+ ## Enforce Authorization At Trusted Service Layer
9
+
10
+ Client-side authorization (e.g., hiding a button in JavaScript) is a UI enhancement only and can be easily bypassed by an attacker using the browser console or intercepting network requests. All access control checks must be enforced on the server-side, using trusted data from the authenticated session.
11
+
12
+ **Incorrect (client-side or trusting client-provided state):**
13
+
14
+ ```php
15
+ // 1. Trusting a hidden field or POST data for permissions
16
+ function deleteUser($userId) {
17
+ if ($_POST['is_admin'] == '1') { // VULNERABLE: Client can send is_admin=1
18
+ DB::table('users')->where('id', $userId)->delete();
19
+ }
20
+ }
21
+
22
+ // 2. Trusting a role stored in a cookie (that is not a secure session)
23
+ if ($_COOKIE['role'] === 'admin') {
24
+ // ...
25
+ }
26
+ ```
27
+
28
+ **Correct (server-side authorization):**
29
+
30
+ ```php
31
+ // 1. Using Middleware (Laravel example)
32
+ Route::delete('/users/{id}', [UserController::class, 'destroy'])
33
+ ->middleware('can:delete-users'); // Server-side check via Policy/Gate
34
+
35
+ // 2. Explicit checking in Controller against session user
36
+ public function destroy($id) {
37
+ $user = Auth::user(); // Trusted data from session
38
+
39
+ // Using a Policy (Recommended)
40
+ if ($user->cannot('delete', User::find($id))) {
41
+ abort(403, 'Unauthorized action.');
42
+ }
43
+
44
+ // ... delete logic
45
+ }
46
+
47
+ // 3. Using Symfony Voters
48
+ // $this->denyAccessUnlessGranted('POST_EDIT', $post);
49
+ ```
50
+
51
+ **Never trust:**
52
+ - Client-side checks (JavaScript logic).
53
+ - Hidden form fields or request body parameters for defining user "roles" or "powers".
54
+ - URL parameters for access control (e.g. `?is_admin=true`).
55
+ - Browser storage (LocalStorage/SessionStorage) for authorization state.
56
+
57
+ **Tools:** Laravel Middleware/Gates/Policies, Symfony Voters, PHPUnit (testing auth logic), SonarQube
@@ -0,0 +1,61 @@
1
+ ---
2
+ title: Do Not Use Default Credentials
3
+ impact: CRITICAL
4
+ impactDescription: prevents trivial compromise via known credentials
5
+ tags: credentials, default, passwords, configuration, security, php
6
+ ---
7
+
8
+ ## Do Not Use Default Credentials
9
+
10
+ Default credentials (e.g., `admin/admin`, `root/root`) are publicly known and are the first thing attackers or automated bots try when probing a system. Using them in any environment (even staging) exposes the system to trivial compromise.
11
+
12
+ **Incorrect (default or hardcoded credentials):**
13
+
14
+ ```php
15
+ // Application config with defaults
16
+ return [
17
+ 'db' => [
18
+ 'username' => 'root',
19
+ 'password' => 'root', // Default!
20
+ ],
21
+ 'admin' => [
22
+ 'user' => 'admin',
23
+ 'password' => 'admin' // Default!
24
+ ]
25
+ ];
26
+
27
+ // Docker Compose Example with defaults
28
+ // POSTGRES_PASSWORD: password
29
+ ```
30
+
31
+ **Correct (externalized and unique credentials):**
32
+
33
+ ```php
34
+ // Use environment variables or Secrets Manager
35
+ return [
36
+ 'db' => [
37
+ 'username' => getenv('DB_USERNAME'),
38
+ 'password' => getenv('DB_PASSWORD'),
39
+ ],
40
+ ];
41
+
42
+ // Validation during application boot (e.g. in Laravel AppServiceProvider)
43
+ if (config('app.env') === 'production') {
44
+ $pass = config('database.connections.mysql.password');
45
+ $defaults = ['admin', 'password', 'root', '123456'];
46
+
47
+ if (in_array(strtolower($pass), $defaults)) {
48
+ throw new \RuntimeException('Production is using default/weak credentials. Deployment blocked.');
49
+ }
50
+ }
51
+ ```
52
+
53
+ **Never use common defaults:**
54
+ - `admin / admin`
55
+ - `root / root`
56
+ - `guest / guest`
57
+ - `postgres / postgres`
58
+ - `admin / 123456`
59
+ - Any empty passwords in networked environments.
60
+
61
+ **Tools:** Gitleaks, TruffleHog, OWASP ZAP (to check for default admin pages), SonarQube