@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488)
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
@@ -0,0 +1,61 @@
1
+ ---
2
+ title: Output Encoding Before Interpreter Use
3
+ impact: HIGH
4
+ impactDescription: prevents XSS and other injection attacks in the browser
5
+ tags: xss, encoding, output, html, security, php
6
+ ---
7
+
8
+ ## Output Encoding Before Interpreter Use
9
+
10
+ Cross-Site Scripting (XSS) and other injection attacks occur when unescaped user-controlled data is interpreted as code by the browser. All data must be encoded or escaped according to the context where it is being displayed.
11
+
12
+ **Incorrect (no encoding):**
13
+
14
+ ```php
15
+ // XSS vulnerability in plain PHP
16
+ echo "<h1>Results for: " . $_GET['q'] . "</h1>";
17
+
18
+ // Blade "unescaped" output for user input
19
+ {!! $userInput !!}
20
+
21
+ // Injecting into JavaScript without encoding
22
+ echo "<script>const name = '" . $userName . "';</script>";
23
+ // Attacker in $userName: '; alert(1); //
24
+ ```
25
+
26
+ **Correct (context-aware encoding):**
27
+
28
+ ```php
29
+ // 1. HTML Body context (plain PHP)
30
+ echo "<h1>Results for: " . htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8') . "</h1>";
31
+
32
+ // 2. Blade (Recommended)
33
+ // Auto-escapes using htmlspecialchars internally
34
+ <h1>Results for: {{ $query }}</h1>
35
+
36
+ // 3. If you MUST output HTML, use a sanitizer (e.g. HTML Purifier)
37
+ $purifier = new HTMLPurifier();
38
+ echo $purifier->purify($userHtml);
39
+
40
+ // 4. JavaScript context
41
+ // Always use json_encode for passing data to JS
42
+ ?>
43
+ <script>
44
+ const name = <?php echo json_encode($userName); ?>;
45
+ </script>
46
+ <?php
47
+
48
+ // 5. URL context
49
+ $url = "/profile?user=" . urlencode($username);
50
+ ```
51
+
52
+ **Encoding by Context:**
53
+
54
+ | Context | Encoding Method | Result Example |
55
+ |---------|-----------------|----------------|
56
+ | **HTML Body** | `htmlspecialchars()` | `<` becomes `&lt;` |
57
+ | **HTML Attribute** | `htmlspecialchars(..., ENT_QUOTES)` | `"` becomes `&quot;` |
58
+ | **JavaScript** | `json_encode()` | String becomes `"string"` with quotes |
59
+ | **URL Parameter** | `urlencode()` | Spaces become `+` or `%20` |
60
+
61
+ **Tools:** HTML Purifier, Blade Template Engine, PHP_CodeSniffer, SonarQube
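Review bot: The JavaScript-context example in the "Correct" block, `const name = <?php echo json_encode($userName); ?>;`, is not safe inside an inline `<script>` as written: `json_encode()` does not escape `<`, `>`, `&` or `'` by default, so a value containing `</script>` closes the script element and the remainder is parsed as HTML. The example should pass the HTML-safe flags, `const name = <?php echo json_encode($userName, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;`, and the `json_encode()` row of the "Encoding by Context" table should show the same flags so the summary does not contradict the fix. Without that, a rule titled "Output Encoding" teaches the exact pattern the S023 dynamic-JS rule exists to catch.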
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Use Only Approved Crypto Algorithms
3
+ impact: MEDIUM
4
+ impactDescription: ensures cryptographic strength and resistance to collision or brute-force attacks
5
+ tags: cryptography, algorithms, hashing, encryption, security, php
6
+ ---
7
+
8
+ ## Use Only Approved Crypto Algorithms
9
+
10
+ Weak cryptographic algorithms like MD5, SHA-1, DES, and AES-ECB are either broken or have known vulnerabilities that make them insecure for modern applications. Always use industry-standard, approved algorithms for hashing and encryption.
11
+
12
+ **Incorrect (weak algorithms):**
13
+
14
+ ```php
15
+ // WEAK hash (MD5 is broken)
16
+ $hash = md5($password);
17
+
18
+ // WEAK encryption mode (ECB mode does not provide semantic security)
19
+ $encrypted = openssl_encrypt($data, 'aes-256-ecb', $key);
20
+
21
+ // WEAK algorithm
22
+ $encrypted = openssl_encrypt($data, 'des-ede3', $key); // 3DES is deprecated
23
+ ```
24
+
25
+ **Correct (approved algorithms):**
26
+
27
+ ```php
28
+ // 1. Password Hashing (Always use password_hash)
29
+ $hash = password_hash($password, PASSWORD_ARGON2ID); // Recommended: Argon2id or BCRYPT
30
+ $isValid = password_verify($password, $hash);
31
+
32
+ // 2. Data Integrity (non-password)
33
+ $hash = hash('sha256', $data);
34
+
35
+ // 3. Strong Authenticated Encryption (GCM mode)
36
+ $iv = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));
37
+ $tag = "";
38
+ $encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
39
+ // Store $iv, $tag, and $encrypted
40
+ ```
41
+
42
+ **Approved vs Prohibited:**
43
+
44
+ | Purpose | Approved | Prohibited |
45
+ |---------|----------|------------|
46
+ | **Data Hashing** | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
47
+ | **Encryption** | AES-256-GCM, AES-256-CBC (with HMAC) | AES-ECB, DES, 3DES, RC4 |
48
+ | **Passwords** | Argon2id, BCRYPT | MD5, SHA-256, Plain Encryption |
49
+
50
+ **Best Practice:**
51
+ Never roll your own crypto. Use high-level libraries like `libsodium` (built-in to PHP 7.2+) if you need advanced features. For passwords, **only** use the native `password_hash()` functions.
52
+
53
+ **Tools:** PHPStan (check for md5/sha1), SonarQube (S2070, S4790), Semgrep
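Review bot: The "Data Integrity" example `$hash = hash('sha256', $data);` does not provide integrity on its own: an unkeyed digest stored or sent alongside the data can simply be recomputed by whoever is able to modify the data. If the intent is tamper detection the example should use a keyed MAC, `$mac = hash_hmac('sha256', $data, $key);` verified with `hash_equals()`; if it is only meant as a checksum or fingerprint, the comment should say that instead of "integrity". Separately, `PASSWORD_ARGON2ID` is only defined when PHP was built with Argon2 support, so a one-line note that `PASSWORD_DEFAULT` (currently bcrypt) is the portable fallback would keep the example from failing on stock builds.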
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: Use CSPRNG For Security Purposes
3
+ impact: HIGH
4
+ impactDescription: prevents predictable tokens and session hijacking
5
+ tags: random, csprng, tokens, session, cryptography, security, php
6
+ ---
7
+
8
+ ## Use CSPRNG For Security Purposes
9
+
10
+ Non-cryptographic random generators like `rand()` or `mt_rand()` are predictable. Attackers can guess session tokens, OTPs, and password reset links if they are generated with weak random sources.
11
+
12
+ **Incorrect (predictable random):**
13
+
14
+ ```php
15
+ // INSECURE - predictable!
16
+ $sessionId = md5(rand());
17
+
18
+ // INSECURE - mt_rand() is faster but not cryptographically secure
19
+ $otp = mt_rand(100000, 999999);
20
+
21
+ // INSECURE - uniqid() is based on current time in microseconds
22
+ $resetToken = uniqid('token_', true);
23
+ ```
24
+
25
+ **Correct (cryptographically secure):**
26
+
27
+ ```php
28
+ // Cryptographically secure session ID or token
29
+ $token = bin2hex(random_bytes(32)); // 256-bit entropy
30
+
31
+ // Secure OTP generation
32
+ $otp = random_int(100000, 999999);
33
+
34
+ // Using Laravel's Str helper (which uses random_bytes internally)
35
+ use Illuminate\Support\Str;
36
+ $token = Str::random(40);
37
+ ```
38
+
39
+ **CSPRNG by language (Update):**
40
+
41
+ | Language | Secure | Insecure |
42
+ |----------|--------|----------|
43
+ | PHP7+ | `random_bytes()`, `random_int()` | `rand()`, `mt_rand()`, `uniqid()` |
44
+ | Node.js | `crypto.randomBytes()` | `Math.random()` |
45
+ | Python | `secrets`, `os.urandom()` | `random` |
46
+
47
+ **Tools:** PHPStan (extension-installer), Psalm, SonarQube (S2245), Semgrep
@@ -0,0 +1,41 @@
1
+ ---
2
+ title: Enable Encrypted Client Hello (ECH)
3
+ impact: MEDIUM
4
+ impactDescription: protects Server Name Indication (SNI) from eavesdropping
5
+ tags: tls, ech, sni, privacy, security, infrastructure, php
6
+ ---
7
+
8
+ ## Enable Encrypted Client Hello (ECH)
9
+
10
+ Encrypted Client Hello (ECH) is a TLS extension that encrypts the entire `ClientHello` message during the TLS handshake. This prevents network eavesdroppers from seeing the Server Name Indication (SNI), essentially hiding the specific domain name you are visiting.
11
+
12
+ **Infrastructure Configuration:**
13
+
14
+ ECH is typically handled at the web server (Nginx/Apache) or CDN level (Cloudflare), not directly in PHP code.
15
+
16
+ **1. Nginx Configuration (where supported):**
17
+
18
+ ```nginx
19
+ # Future-facing Nginx configuration
20
+ ssl_ech on;
21
+ ssl_ech_key /etc/nginx/ssl/ech-key.pem;
22
+ ```
23
+
24
+ **2. DNS Configuration:**
25
+
26
+ You must publish an `HTTPS` or `SVCB` DNS record containing the ECH configuration string:
27
+
28
+ ```text
29
+ # Example HTTPS record with ECH data
30
+ example.com. IN HTTPS 1 . alpn="h2" ech="<base64-ech-config>"
31
+ ```
32
+
33
+ **How it works with PHP:**
34
+ PHP applications benefit from ECH transparently when served behind a compatible reverse proxy or CDN. No changes are required to the PHP logic itself, but developers should advocate for its use in production environments to improve user privacy.
35
+
36
+ **Current Support State:**
37
+ - **Cloudflare**: Provides one-click ECH support.
38
+ - **Browsers**: Chrome and Firefox have experimental or rolling support.
39
+ - **Privacy**: Crucial for bypassing censorship and preventing DNS/SNI-based tracking.
40
+
41
+ **Tools:** Cloudflare, NGINX (with ECH patches), DigiCert, DNS management
@@ -0,0 +1,60 @@
1
+ ---
2
+ title: Use Secrets Management For Backend Secrets
3
+ impact: CRITICAL
4
+ impactDescription: centralizes and secures credential storage
5
+ tags: secrets, vault, credentials, configuration, security, php
6
+ ---
7
+
8
+ ## Use Secrets Management For Backend Secrets
9
+
10
+ Hardcoded secrets (API keys, database passwords, tokens) are exposed in version control and can be accessed by anyone with code access. Use dedicated secrets management systems or environment variables that are not committed to the repository.
11
+
12
+ **Incorrect (hardcoded or plain env files):**
13
+
14
+ ```php
15
+ // Hardcoded in code
16
+ define('API_KEY', 'sk-abc123xyz789');
17
+
18
+ // Hardcoded in a config file
19
+ $config = [
20
+ 'db' => [
21
+ 'password' => 'super-secret-password'
22
+ ]
23
+ ];
24
+
25
+ // .env file committed to repo (vulnerable)
26
+ // DB_PASSWORD=password123
27
+ ```
28
+
29
+ **Correct (secrets management):**
30
+
31
+ ```php
32
+ // Using environment variables (not committed to VCS)
33
+ $dbPassword = getenv('DB_PASSWORD');
34
+
35
+ // In Laravel (using .env which is in .gitignore)
36
+ $password = env('DB_PASSWORD');
37
+ // Or via config (Recommended)
38
+ $stripeKey = config('services.stripe.key');
39
+
40
+ // Using a dedicated Secrets Manager (e.g., AWS Secrets Manager via SDK)
41
+ use Aws\SecretsManager\SecretsManagerClient;
42
+
43
+ $client = new SecretsManagerClient(['region' => 'us-east-1']);
44
+ $result = $client->getSecretValue(['SecretId' => 'prod/db/password']);
45
+ $dbPassword = $result['SecretString'];
46
+
47
+ // Validation at startup
48
+ if (!$dbPassword) {
49
+ throw new \RuntimeException('DATABASE_URL environment variable is required but not set.');
50
+ }
51
+ ```
52
+
53
+ **Best practices:**
54
+ 1. Never commit `.env` files or hardcoded secrets to version control.
55
+ 2. Use a `.env.example` to document required variables without real data.
56
+ 3. Use secrets rotation for critical credentials.
57
+ 4. Audit access to your production secrets.
58
+ 5. Use different secrets for development, staging, and production environments.
59
+
60
+ **Tools:** HashiCorp Vault, AWS Secrets Manager, Dotenv PHP, SonarQube
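Review bot: The startup-validation example reports the wrong variable: `$dbPassword` is populated from `DB_PASSWORD` (via `getenv()`, `env()`, or the Secrets Manager lookup above), but the exception says `'DATABASE_URL environment variable is required but not set.'`, which sends an operator looking for a variable the code never reads. Change it to `throw new \RuntimeException('DB_PASSWORD is required but not set.');`. It may also be worth stating in the best-practices list that `env()` in Laravel returns `null` once config is cached, which is why the `config('services.stripe.key')` form is marked as recommended.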
@@ -0,0 +1,67 @@
1
+ ---
2
+ title: Always Use TLS For All Connections
3
+ impact: HIGH
4
+ impactDescription: protects data in transit from eavesdropping and man-in-the-middle attacks
5
+ tags: tls, https, encryption, transport, security, php
6
+ ---
7
+
8
+ ## Always Use TLS For All Connections
9
+
10
+ Unencrypted data (HTTP, plain SQL, plain Redis) is easily intercepted by anyone on the network path. You must enforce TLS for all external and internal communications.
11
+
12
+ **Incorrect (unencrypted connections):**
13
+
14
+ ```php
15
+ // 1. Plain HTTP API calls
16
+ $data = file_get_contents("http://api.example.com/data");
17
+
18
+ // 2. Database without encryption
19
+ $pdo = new PDO("mysql:host=db.example.com;dbname=test", "user", "pass");
20
+
21
+ // 3. Unencrypted Redis
22
+ $redis = new Redis();
23
+ $redis->connect('redis.example.com', 6379);
24
+ ```
25
+
26
+ **Correct (TLS everywhere):**
27
+
28
+ ```php
29
+ // 1. HTTPS for APIs
30
+ $data = file_get_contents("https://api.example.com/data");
31
+
32
+ // 2. Database with TLS (PDO MySQL)
33
+ $pdo = new PDO(
34
+ "mysql:host=db.example.com;dbname=test",
35
+ "user", "pass",
36
+ [
37
+ PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem',
38
+ PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
39
+ ]
40
+ );
41
+
42
+ // 3. Redis with TLS (PhpRedis)
43
+ $redis = new Redis();
44
+ $redis->connect('tls://redis.example.com', 6380, 1.5, NULL, 0, 0, [
45
+ 'stream' => [
46
+ 'cafile' => '/path/to/ca-cert.pem',
47
+ 'verify_peer' => true,
48
+ ],
49
+ ]);
50
+
51
+ // 4. Force HTTPS in Application (Laravel Middleware)
52
+ if (! $request->secure() && App::environment('production')) {
53
+ return redirect()->secure($request->getRequestUri());
54
+ }
55
+
56
+ // 5. HSTS Header
57
+ header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
58
+ ```
59
+
60
+ **Checklist:**
61
+ - [ ] All external API calls use `https://`.
62
+ - [ ] Database connections use SSL/TLS attributes.
63
+ - [ ] Redis/Cache connections use `tls://`.
64
+ - [ ] HSTS headers are enabled in production.
65
+ - [ ] Web server (Nginx/Apache) redirects all HTTP traffic to HTTPS.
66
+
67
+ **Tools:** OWASP ZAP, SSLyze, Qualys SSL Labs, PHPUnit (to verify connection stubs)
@@ -0,0 +1,61 @@
1
+ ---
2
+ title: Do Not Pass Sensitive Data In Query String
3
+ impact: HIGH
4
+ impactDescription: prevents sensitive information leakage in logs, browser history, and diagnostic tools
5
+ tags: url, query-string, sensitive-data, leakage, security, php
6
+ ---
7
+
8
+ ## Do Not Pass Sensitive Data In Query String
9
+
10
+ URL query strings are stored in browser history, web server access logs, proxy/CDN logs, and are passed in the `Referer` header to external sites. Sensitive information like tokens, passwords, or PII (Personally Identifiable Information) in a URL is practically public.
11
+
12
+ **Incorrect (sensitive data in URL):**
13
+
14
+ ```php
15
+ // Passing token in GET parameter
16
+ $response = file_get_contents("https://api.example.com/data?api_key=" . $apiKey);
17
+
18
+ // Login via GET (Very Dangerous)
19
+ // GET /login.php?user=admin&password=secret123
20
+
21
+ // Passing sensitive PII
22
+ // GET /user/details?ssn=123-45-678
23
+ ```
24
+
25
+ **Correct (sensitive data in Headers or Request Body):**
26
+
27
+ ```php
28
+ // 1. Passing tokens in Authorization Header
29
+ $context = stream_context_create([
30
+ 'http' => [
31
+ 'header' => "Authorization: Bearer " . $accessToken
32
+ ]
33
+ ]);
34
+ $response = file_get_contents("https://api.example.com/data", false, $context);
35
+
36
+ // 2. Sensitive data in POST Request Body
37
+ // (Using Guzzle for clarity)
38
+ $client->post('/login', [
39
+ 'form_params' => [
40
+ 'user' => 'admin',
41
+ 'password' => $password
42
+ ]
43
+ ]);
44
+
45
+ // 3. One-time tokens in POST forms
46
+ ?>
47
+ <form action="/reset-password" method="POST">
48
+ <input type="hidden" name="token" value="<?php echo htmlspecialchars($secureToken); ?>">
49
+ <input type="password" name="new_password">
50
+ <button type="submit">Reset</button>
51
+ </form>
52
+ <?php
53
+ ```
54
+
55
+ **Where query strings leak:**
56
+ - **Web Server Logs**: Apache/Nginx logs store the full URL including query strings.
57
+ - **Browser History**: Users can see sensitive tokens in their history.
58
+ - **Referer Header**: If a page with a token in the URL links to an external image or site, that site receives the token.
59
+ - **Proxy/WAF logs**: Intermediate network devices log URLs.
60
+
61
+ **Tools:** Semgrep, SonarQube, Manual Review, OWASP ZAP (to detect sensitive data in URLs)
@@ -0,0 +1,44 @@
1
+ ---
2
+ title: Always Use Parameterized Queries
3
+ impact: CRITICAL
4
+ impactDescription: prevents SQL injection attacks
5
+ tags: injection, sql, database, parameterized, security, php
6
+ ---
7
+
8
+ ## Always Use Parameterized Queries
9
+
10
+ SQL injection is one of the top security vulnerabilities in PHP applications. Direct string concatenation or using variables directly in SQL strings allows attackers to execute arbitrary database commands, steal data, or destroy databases.
11
+
12
+ **Incorrect (string concatenation):**
13
+
14
+ ```php
15
+ // SQL Injection vulnerability
16
+ $userId = $_GET['id'];
17
+ $query = "SELECT * FROM users WHERE id = '" . $userId . "'";
18
+ $result = $conn->query($query);
19
+
20
+ // Attacker input: ' OR '1'='1
21
+ // Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
22
+ // Returns ALL users!
23
+ ```
24
+
25
+ **Correct (parameterized queries):**
26
+
27
+ ```php
28
+ // Using PDO (Recommended)
29
+ $userId = $_GET['id'];
30
+ $stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
31
+ $stmt->execute(['id' => $userId]);
32
+ $user = $stmt->fetch();
33
+
34
+ // Using MySQLi (Prepared Statements)
35
+ $stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
36
+ $stmt->bind_param("s", $userId);
37
+ $stmt->execute();
38
+ $result = $stmt->get_result();
39
+
40
+ // Using Laravel Eloquent (Safe by default)
41
+ $user = User::where('id', $userId)->first();
42
+ ```
43
+
44
+ **Tools:** PHPStan (DBA extension), SonarQube (S2077, S3649), Psalm, Semgrep
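Review bot: The Eloquent example is labelled "Safe by default", which readers will extend to the whole query builder; the rule should say that the binding protection does not cover raw fragments. A one-line caveat after the `User::where(...)` line would close the gap: `// NOT safe by default: whereRaw(), orderByRaw(), DB::raw() and DB::statement() interpolate their string argument — pass user values as the bindings argument instead.` Also, `bind_param("s", $userId)` binds a numeric id as a string; `"i"` matches the column type and avoids implicit casts, though this is a correctness rather than a security point.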
@@ -0,0 +1,54 @@
1
+ ---
2
+ title: Sanitize Input Before Sending Emails
3
+ impact: MEDIUM
4
+ impactDescription: prevents email header injection and spam abuse
5
+ tags: email, injection, sanitization, input-validation, security, php
6
+ ---
7
+
8
+ ## Sanitize Input Before Sending Emails
9
+
10
+ Email header injection vulnerabilities occur when an attacker can inject newline characters (`\r` or `\n`) into email headers like `Subject`, `To`, or `From`. This allows them to add unauthorized `Bcc:` or `Cc:` recipients, effectively turning your system into a spam relay.
11
+
12
+ **Incorrect (unsanitized email input):**
13
+
14
+ ```php
15
+ // VULNERABLE: Direct use of user input in mail() headers
16
+ $subject = $_POST['subject']; // Input: "Question\r\nBcc: victim@example.com"
17
+ $to = "admin@example.com";
18
+ $message = "User message...";
19
+
20
+ mail($to, $subject, $message); // Attacker successfully sent Bcc to victim!
21
+ ```
22
+
23
+ **Correct (sanitized email fields):**
24
+
25
+ ```php
26
+ function sanitizeEmailHeader($input) {
27
+ // Remove carriage returns and line feeds to prevent header injection
28
+ return str_replace(["\r", "\n", "\t"], ' ', $input);
29
+ }
30
+
31
+ $to = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
32
+ if (!$to) {
33
+ die("Invalid email address");
34
+ }
35
+
36
+ $subject = sanitizeEmailHeader($_POST['subject']);
37
+ $message = $_POST['message'];
38
+
39
+ // 1. Using native mail() with sanitized input
40
+ mail($to, $subject, $message);
41
+
42
+ // 2. Using Laravel Mail (Recommended)
43
+ // Laravel's Mailer and SwiftMailer/Symfony Mailer automatically sanitize headers.
44
+ // However, validation of addresses is still mandatory.
45
+ Mail::to($to)->send(new ContactRequest($subject, $message));
46
+ ```
47
+
48
+ **Security Checklist:**
49
+ 1. **Validate** email addresses using `FILTER_VALIDATE_EMAIL`.
50
+ 2. **Sanitize** any user input used in headers (Subject, From, CC, BCC) by removing CRLF characters.
51
+ 3. **Use Modern Libraries** like PHPMailer or Symfony Mailer which provide built-in protection against header injection.
52
+ 4. **Rate Limit** email sending to prevent mass spamming if an account is compromised.
53
+
54
+ **Tools:** PHPStan, Psalm, SonarQube, Manual Security Review
@@ -0,0 +1,57 @@
1
+ ---
2
+ title: Avoid Eval Or Dynamic Code Execution
3
+ impact: HIGH
4
+ impactDescription: prevents remote code execution vulnerabilities
5
+ tags: eval, code-execution, rce, injection, security, php
6
+ ---
7
+
8
+ ## Avoid Eval Or Dynamic Code Execution
9
+
10
+ `eval()`, `exec()`, `system()`, and similar functions execute arbitrary code or shell commands. Using these with user-controlled input makes the application extremely vulnerable to Remote Code Execution (RCE).
11
+
12
+ **Incorrect (dynamic code execution):**
13
+
14
+ ```php
15
+ // eval() with user input
16
+ $formula = $_POST['formula'];
17
+ eval('$result = ' . $formula . ';'); // RCE vulnerability!
18
+
19
+ // system() or exec() with unsanitized input
20
+ system("ls -l " . $_GET['dir']); // Command injection!
21
+
22
+ // create_function() with user input (Deprecated)
23
+ $func = create_function('$a', 'return ' . $_POST['logic'] . ';');
24
+
25
+ // Dangerous unserialize with user input
26
+ $data = unserialize($_POST['data']); // Object injection vulnerability
27
+ ```
28
+
29
+ **Correct (safe alternatives):**
30
+
31
+ ```php
32
+ // Use a dedicated library for expression parsing (e.g., symfony/expression-language)
33
+ use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
34
+
35
+ $expressionLanguage = new ExpressionLanguage();
36
+ $result = $expressionLanguage->evaluate($formula, ['a' => 10]);
37
+
38
+ // Use an allowlist for commands
39
+ $allowedDirs = ['uploads', 'public'];
40
+ $dir = $_GET['dir'];
41
+ if (in_array($dir, $allowedDirs)) {
42
+ $safeDir = escapeshellarg($dir);
43
+ system("ls -l " . $safeDir);
44
+ }
45
+
46
+ // Use JSON for data exchange (instead of serialize)
47
+ $data = json_decode($_POST['data'], true);
48
+
49
+ // For dynamic inclusion, use an allowlist
50
+ $allowedPages = ['home', 'contact', 'about'];
51
+ $page = $_GET['page'];
52
+ if (in_array($page, $allowedPages)) {
53
+ require_once "pages/" . $page . ".php";
54
+ }
55
+ ```
56
+
57
+ **Tools:** PHPStan (disallow-eval), Psalm, SonarQube (S1523), Semgrep
@@ -0,0 +1,58 @@
1
+ ---
2
+ title: Escape Data By Output Context
3
+ impact: MEDIUM
4
+ impactDescription: ensures correct encoding for each output context to prevent XSS and injection
5
+ tags: xss, escaping, context, encoding, security, php
6
+ ---
7
+
8
+ ## Escape Data By Output Context
9
+
10
+ Using the wrong escaping strategy for a given context is a common security mistake. For example, using HTML encoding (`htmlspecialchars`) inside a JavaScript block or in an HTTP header does not provide adequate protection.
11
+
12
+ **Incorrect (wrong encoding for specific context):**
13
+
14
+ ```php
15
+ $input = $_GET['user']; // Attacker input: "; alert(1); //
16
+
17
+ // WRONG: Using HTML escaping in a JavaScript context
18
+ $escaped = htmlspecialchars($input);
19
+ echo "<script>var name = '{$escaped}';</script>";
20
+ // Result: var name = '&quot;; alert(1); //'; -> Still potentially breaks logic or remains vulnerable
21
+
22
+ // WRONG: No sanitization for HTTP headers
23
+ header("X-Custom-Data: " . $input); // Header injection via CRLF
24
+ ```
25
+
26
+ **Correct (context-appropriate encoding):**
27
+
28
+ ```php
29
+ // 1. HTML Body Context
30
+ echo "<div>" . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "</div>";
31
+
32
+ // 2. JavaScript Context (Always use JSON encoding)
33
+ $jsonInput = json_encode($input);
34
+ echo "<script>var name = {$jsonInput};</script>";
35
+
36
+ // 3. URL Context
37
+ echo "<a href='/profile?name=" . urlencode($input) . "'>View</a>";
38
+
39
+ // 4. HTTP Header Context (Strip newlines)
40
+ $safeHeader = str_replace(["\r", "\n"], '', $input);
41
+ header("X-Custom-Data: " . $safeHeader);
42
+
43
+ // 5. Shell Argument Context (If using exec/system)
44
+ $safeArg = escapeshellarg($input);
45
+ system("echo " . $safeArg);
46
+ ```
47
+
48
+ **Context Selection Guide:**
49
+
50
+ | Context | Recommended PHP Function | Why? |
51
+ |---------|--------------------------|------|
52
+ | **HTML Content** | `htmlspecialchars(..., ENT_QUOTES)` | Converts `< > & " '` to entities. |
53
+ | **JS Variable** | `json_encode()` | Safely wraps strings in quotes and escapes internal quotes/slashes. |
54
+ | **URL Parameter** | `urlencode()` | Converts special chars to `%XX` format. |
55
+ | **HTTP Header** | `str_replace(["\r", "\n"], '', $input)` | Prevents CRLF injection (Splitting). |
56
+ | **Shell Command** | `escapeshellarg()` | Adds quotes and escapes shells meta-characters. |
57
+
58
+ **Tools:** PHPStan, Psalm, SonarQube, Manual Security Review
@@ -0,0 +1,62 @@
1
+ ---
2
+ title: Output Encoding For Dynamic JS/JSON
3
+ impact: HIGH
4
+ impactDescription: prevents code injection when embedding server-side data into JavaScript
5
+ tags: xss, javascript, json, encoding, security, php
6
+ ---
7
+
8
+ ## Output Encoding For Dynamic JS/JSON
9
+
10
+ Embedding PHP data directly into JavaScript tags requires proper encoding to prevent Cross-Site Scripting (XSS). Simple string interpolation or manual quoting is dangerous. The safest way to pass complex data (strings, arrays, objects) from PHP to JavaScript is using `json_encode`.
11
+
12
+ **Incorrect (unescaped data in inline Script):**
13
+
14
+ ```php
15
+ // VULNERABLE: Direct interpolation in JS
16
+ $username = "</script><script>alert('XSS')</script>";
17
+ ?>
18
+ <script>
19
+ var current_user = "<?php echo $username; ?>";
20
+ </script>
21
+ <?php
22
+ // Result: var current_user = "</script><script>alert('XSS')</script>";
23
+ // The browser closes the first script tag and executes the second one!
24
+ ```
25
+
26
+ **Correct (using json_encode):**
27
+
28
+ ```php
29
+ $userData = [
30
+ 'name' => $user->name,
31
+ 'email' => $user->email,
32
+ 'roles' => $user->getRoles()
33
+ ];
34
+
35
+ // 1. Safe JSON encoding for inline script
36
+ ?>
37
+ <script>
38
+ // json_encode automatically adds quotes and escapes dangerous characters
39
+ var appConfig = <?php echo json_encode($userData, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
40
+ </script>
41
+
42
+ <?php
43
+ // 2. Best Practice: Using data attributes (Recommended for SPAs/Vue/React)
44
+ ?>
45
+ <div id="user-profile" data-user="<?php echo htmlspecialchars(json_encode($userData), ENT_QUOTES, 'UTF-8'); ?>">
46
+ <!-- JS will read this via element.dataset.user -->
47
+ </div>
48
+
49
+ <?php
50
+ // 3. In Laravel Blade
51
+ ?>
52
+ <script>
53
+ var user = @json($userData);
54
+ </script>
55
+ ```
56
+
57
+ **Why `json_encode`?**
58
+ - It handles strings, integers, booleans, and nested arrays/objects correctly for JavaScript.
59
+ - It escapes backslashes and quotes automatically.
60
+ - Using flags like `JSON_HEX_TAG` prevents `</script>` tags from breaking your own script block.
61
+
62
+ **Tools:** Laravel Blade `@json` directive, SonarQube, Manual Security Review