npm - @sun-asterisk/sunlint - Versions diffs - 1.3.39 → 1.3.41 - Mend

@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (488) hide show

package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md ADDED Viewed

@@ -0,0 +1,51 @@
+---
+title: Avoid eval() or Dynamic Code Execution
+impact: CRITICAL
+impactDescription: prevents arbitrary code execution vulnerabilities
+tags: injection, eval, dynamic-code, security, python, pyspark
+---
+## Avoid eval() or Dynamic Code Execution
+Functions that execute strings as code (like `eval()` and `exec()`) are extremely dangerous. If an attacker can control part of the string, they can execute arbitrary commands on the server.
+**Incorrect (dynamic code execution):**
+```python
+# Unsafe use of eval()
+formula = request.args.get('formula')
+result = eval(formula) # Attack: __import__('os').system('rm -rf /')
+# Unsafe use of exec()
+code_snippet = request.args.get('code')
+exec(code_snippet)
+```
+**Correct (safe alternatives):**
+```python
+# Use a safe library for mathematical expressions
+from simpleeval import simple_eval
+formula = request.args.get('formula')
+result = simple_eval(formula)
+# Use explicit logic instead of dynamic code
+def get_calculation(op, a, b):
+    ops = {
+        'add': lambda x, y: x + y,
+        'sub': lambda x, y: x - y
+    }
+    return ops.get(op)(a, b)
+# For PySpark: Avoid using custom Python functions (UDFs) with dynamic code
+# Use built-in Spark SQL functions instead
+from pyspark.sql import functions as F
+df = df.withColumn("total", F.col("price") * F.col("quantity"))
+```
+**Benefits:**
+- Eliminates Remote Code Execution (RCE) risks
+- Improves performance (compiled code vs interpreted strings)
+- Easier to debug and audit
+**Tools:** Bandit (B307, B102), SonarQube, Semgrep

package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Escape Data By Output Context
+impact: MEDIUM
+impactDescription: ensures correct encoding for each output context
+tags: xss, escaping, context, encoding, security
+---
+## Escape Data By Output Context
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Output Encoding For Dynamic JS/JSON
+impact: HIGH
+impactDescription: prevents injection in JavaScript contexts
+tags: xss, python, json, encoding, security
+---
+## Output Encoding For Dynamic JS/JSON
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Always Validate Client Data Server-side
+impact: MEDIUM
+impactDescription: ensures input validation cannot be bypassed
+tags: validation, server-side, input, sanitization, security
+---
+## Always Validate Client Data Server-side
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: TLS Encryption For All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from interception
+tags: tls, encryption, https, transport, security
+---
+## TLS Encryption For All Connections
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Validate mTLS Certificates Before Auth
+impact: CRITICAL
+impactDescription: ensures mutual authentication between services
+tags: mtls, certificates, authentication, service-mesh, security
+---
+## Validate mTLS Certificates Before Auth
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Limit Upload File Size And Count
+impact: MEDIUM
+impactDescription: prevents denial of service attacks
+tags: upload, file-size, dos, limits, security
+---
+## Limit Upload File Size And Count
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents cross-site request forgery attacks
+tags: csrf, tokens, forms, security
+---
+## Apply CSRF Protection
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents file enumeration
+tags: directory, listing, file-exposure, security
+---
+## Disable Directory Browsing
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Set Secure Flag On Session Cookies
+impact: HIGH
+impactDescription: prevents cookie theft over unencrypted connections
+tags: cookies, secure, https, session, security
+---
+## Set Secure Flag On Session Cookies
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Set HttpOnly On Session Cookies
+impact: MEDIUM
+impactDescription: prevents cookie theft via XSS
+tags: cookies, httponly, xss, session, security
+---
+## Set HttpOnly On Session Cookies
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Set SameSite On Session Cookies
+impact: MEDIUM
+impactDescription: provides CSRF protection
+tags: cookies, samesite, csrf, session, security
+---
+## Set SameSite On Session Cookies
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Use __Host- Prefix For Cookies
+impact: MEDIUM
+impactDescription: ensures cookie is domain-locked
+tags: cookies, prefix, domain, security
+---
+## Use __Host- Prefix For Cookies
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Host Apps On Different Hostnames
+impact: MEDIUM
+impactDescription: provides cookie and origin isolation
+tags: hostname, isolation, same-origin, security
+---
+## Host Apps On Different Hostnames
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md ADDED Viewed

@@ -0,0 +1,50 @@
+---
+title: Use Internal Data For File Paths
+impact: CRITICAL
+impactDescription: prevents path traversal attacks
+tags: file-path, path-traversal, lfi, input-validation, security, python, pyspark
+---
+## Use Internal Data For File Paths
+Using user-controlled input to build file paths can lead to Path Traversal vulnerabilities, allowing attackers to read or write sensitive files on the system.
+**Incorrect (unvalidated path):**
+```python
+filename = request.args.get('filename')
+with open(f"/app/uploads/{filename}", "r") as f:
+    return f.read()
+# Attacker input: ../../../etc/passwd
+```
+**Correct (validation and mapping):**
+```python
+import os
+ALLOWED_FILES = {
+    "report": "report_2024.pdf",
+    "stats": "stats_2024.csv"
+}
+# Use an allow-list or ID-based lookup
+file_id = request.args.get('id')
+actual_filename = ALLOWED_FILES.get(file_id)
+if not actual_filename:
+    raise ValueError("Invalid file ID")
+# Safe path joins and normalization check
+base_dir = "/app/uploads"
+safe_path = os.path.normpath(os.path.join(base_dir, actual_filename))
+if not safe_path.startswith(base_dir):
+    raise SecurityError("Path traversal attempted")
+with open(safe_path, "r") as f:
+    return f.read()
+```
+**PySpark Context:**
+When reading from S3/HDFS using user-provided paths, ensure the path starts with the expected prefix.
+**Tools:** Bandit (B108, B110), SonarQube, Semgrep

package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Set Anti-cache Headers
+impact: MEDIUM
+impactDescription: prevents sensitive data caching
+tags: headers, cache, sensitive-data, security
+---
+## Set Anti-cache Headers
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: TLS Clients Must Validate Server Certificates
+impact: CRITICAL
+impactDescription: prevents man-in-the-middle attacks
+tags: tls, certificates, validation, mitm, security
+---
+## TLS Clients Must Validate Server Certificates
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Invalidate Session On Logout
+impact: MEDIUM
+impactDescription: ensures logout actually terminates access
+tags: session, logout, invalidation, security
+---
+## Invalidate Session On Logout
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Re-authenticate For Long-lived Sessions
+impact: MEDIUM
+impactDescription: ensures continuous user identity verification
+tags: session, authentication, timeout, reauthentication, security
+---
+## Re-authenticate For Long-lived Sessions
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Re-authenticate Before Critical Changes
+impact: MEDIUM
+impactDescription: prevents unauthorized critical operations
+tags: authentication, critical, reauthentication, security
+---
+## Re-authenticate Before Critical Changes
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Implement Brute-force Protection
+impact: MEDIUM
+impactDescription: prevents password guessing attacks
+tags: brute-force, rate-limiting, authentication, security
+---
+## Implement Brute-force Protection
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Protect OAuth Code Flow Vs CSRF
+impact: HIGH
+impactDescription: prevents OAuth authorization code theft
+tags: oauth, csrf, state, authorization, security
+---
+## Protect OAuth Code Flow Vs CSRF
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Validate OAuth Redirect URIs Exactly
+impact: CRITICAL
+impactDescription: prevents OAuth redirect hijacking
+tags: oauth, redirect, uri, validation, security
+---
+## Validate OAuth Redirect URIs Exactly
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Authentication Codes Must Expire Quickly
+impact: MEDIUM
+impactDescription: limits window for code interception attacks
+tags: authentication, codes, expiry, otp, security
+---
+## Authentication Codes Must Expire Quickly
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Reference Tokens 128-bit Entropy CSPRNG
+impact: HIGH
+impactDescription: prevents token brute-forcing
+tags: tokens, entropy, csprng, session, security
+---
+## Reference Tokens 128-bit Entropy CSPRNG
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Support 12-64 Character Passwords
+impact: MEDIUM
+impactDescription: enables secure passphrase usage
+tags: password, length, passphrase, security
+---
+## Support 12-64 Character Passwords
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: OTPs Must Have 20-bit Entropy Minimum
+impact: MEDIUM
+impactDescription: prevents OTP brute-forcing
+tags: otp, entropy, authentication, 2fa, security
+---
+## OTPs Must Have 20-bit Entropy Minimum
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Return Generic Error Messages
+impact: HIGH
+impactDescription: prevents information disclosure
+tags: error-messages, information-disclosure, security
+---
+## Return Generic Error Messages
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Avoid Default Admin/Root Accounts
+impact: HIGH
+impactDescription: prevents easy initial access by attackers
+tags: admin, default-accounts, credentials, security
+---
+## Avoid Default Admin/Root Accounts
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Validate Content-Type In REST Services
+impact: MEDIUM
+impactDescription: prevents content-type confusion attacks
+tags: rest, content-type, validation, api, security
+---
+## Validate Content-Type In REST Services
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Protect Against Log Injection
+impact: HIGH
+impactDescription: prevents log forging and exploitation
+tags: logging, injection, sanitization, security
+---
+## Protect Against Log Injection
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)

package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+title: Use Synchronized Time (UTC) In Logs
+impact: MEDIUM
+impactDescription: enables accurate incident correlation
+tags: logging, time, utc, synchronization, security
+---
+## Use Synchronized Time (UTC) In Logs
+This rule ensures high quality and security in Python and PySpark applications.
+**Implementation Guidance:**
+- Follow standard Python best practices (PEP 8)
+- Use type hints for better clarity
+- For PySpark, prefer DataFrame API over SQL strings where possible
+- Ensure proper resource management (using \`with\` statements)