@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488) hide show
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md ADDED
@@ -0,0 +1,69 @@
1
+ ---
2
+ title: Do Not Use Default Credentials
3
+ impact: CRITICAL
4
+ impactDescription: prevents trivial compromise via known credentials
5
+ tags: credentials, default, passwords, configuration, security
6
+ ---
7
+
8
+ ## Do Not Use Default Credentials
9
+
10
+ Default credentials are publicly known. Attackers scan for them automatically, making any system using them trivially compromised.
11
+
12
+ **Incorrect (default or hardcoded credentials):**
13
+
14
+ ```yaml
15
+ # Docker Compose with defaults
16
+ services:
17
+ postgres:
18
+ image: postgres
19
+ environment:
20
+ POSTGRES_USER: postgres
21
+ POSTGRES_PASSWORD: postgres # Default!
22
+
23
+ redis:
24
+ image: redis
25
+ # No password = default open
26
+
27
+ # Application config
28
+ database:
29
+ user: admin
30
+ password: admin # Default!
31
+ ```
32
+
33
+ **Correct (environment/secrets management):**
34
+
35
+ ```yaml
36
+ # Docker Compose with secrets
37
+ services:
38
+ postgres:
39
+ image: postgres
40
+ environment:
41
+ POSTGRES_USER: ${DB_USER} # From env/secrets
42
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
43
+ secrets:
44
+ - db_password
45
+
46
+ secrets:
47
+ db_password:
48
+ external: true # Managed by orchestrator
49
+ ```
50
+
51
+ ```typescript
52
+ // Application code
53
+ const dbConfig = {
54
+ user: process.env.DB_USER,
55
+ password: await secretManager.getSecret('db-password'),
56
+ };
57
+
58
+ // Validate no defaults
59
+ if (dbConfig.password === 'admin' || dbConfig.password === 'password') {
60
+ throw new Error('Default credentials detected - deployment blocked');
61
+ }
62
+ ```
63
+
64
+ **Blocked defaults:**
65
+ - `admin/admin`, `root/root`, `test/test`
66
+ - `postgres/postgres`, `mysql/mysql`, `sa/sa`
67
+ - Factory default API keys
68
+
69
+ **Tools:** Secret Scanner, GitLeaks, TruffleHog, CI/CD checks
package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md ADDED
@@ -0,0 +1,60 @@
1
+ ---
2
+ title: Output Encoding Before Interpreter Use
3
+ impact: HIGH
4
+ impactDescription: prevents XSS and injection attacks
5
+ tags: xss, encoding, output, html, security
6
+ ---
7
+
8
+ ## Output Encoding Before Interpreter Use
9
+
10
+ XSS and injection attacks occur when unescaped user data is interpreted by browsers or other systems.
11
+
12
+ **Incorrect (no encoding):**
13
+
14
+ ```typescript
15
+ // XSS vulnerability
16
+ app.get('/search', (req, res) => {
17
+ const query = req.query.q;
18
+ res.send(`<h1>Results for: ${query}</h1>`); // XSS!
19
+ });
20
+
21
+ // React dangerouslySetInnerHTML without sanitization
22
+ <div dangerouslySetInnerHTML={{ __html: userContent }} />
23
+ ```
24
+
25
+ **Correct (context-aware encoding):**
26
+
27
+ ```typescript
28
+ import { escape } from 'html-escaper';
29
+ import DOMPurify from 'dompurify';
30
+
31
+ // HTML context
32
+ app.get('/search', (req, res) => {
33
+ const query = escape(req.query.q);
34
+ res.send(`<h1>Results for: ${query}</h1>`);
35
+ });
36
+
37
+ // React - use JSX (auto-escapes)
38
+ <h1>Results for: {query}</h1>
39
+
40
+ // If HTML is needed, sanitize first
41
+ const cleanHtml = DOMPurify.sanitize(userContent);
42
+ <div dangerouslySetInnerHTML={{ __html: cleanHtml }} />
43
+
44
+ // URL context
45
+ const safeUrl = encodeURIComponent(userInput);
46
+
47
+ // JavaScript context
48
+ const safeJson = JSON.stringify(userData);
49
+ ```
50
+
51
+ **Encoding by Context:**
52
+
53
+ | Context | Encoding |
54
+ |---------|----------|
55
+ | HTML body | `&lt;`, `&gt;`, `&amp;` |
56
+ | HTML attribute | Encode quotes |
57
+ | JavaScript | JSON.stringify() |
58
+ | URL | encodeURIComponent() |
59
+
60
+ **Tools:** SonarQube (S5131), Semgrep, ESLint
package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md ADDED
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Use Only Approved Crypto Algorithms
3
+ impact: MEDIUM
4
+ impactDescription: ensures cryptographic strength
5
+ tags: cryptography, algorithms, hashing, encryption, security
6
+ ---
7
+
8
+ ## Use Only Approved Crypto Algorithms
9
+
10
+ Weak algorithms are broken. MD5, SHA1, DES, and ECB mode have known vulnerabilities.
11
+
12
+ **Incorrect (weak algorithms):**
13
+
14
+ ```typescript
15
+ // WEAK hash
16
+ const hash = crypto.createHash('md5').update(password).digest('hex');
17
+
18
+ // WEAK cipher mode (ECB shows patterns)
19
+ const cipher = crypto.createCipheriv('aes-256-ecb', key, '');
20
+
21
+ // WEAK algorithm
22
+ const cipher = crypto.createCipheriv('des', key, iv);
23
+ ```
24
+
25
+ **Correct (approved algorithms):**
26
+
27
+ ```typescript
28
+ import crypto from 'crypto';
29
+ import bcrypt from 'bcrypt';
30
+
31
+ // STRONG hash (for data integrity)
32
+ const hash = crypto.createHash('sha256').update(data).digest('hex');
33
+
34
+ // STRONG authenticated encryption (GCM mode)
35
+ const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
36
+ cipher.setAAD(associatedData);
37
+ const encrypted = cipher.update(plaintext);
38
+ const authTag = cipher.getAuthTag();
39
+
40
+ // For passwords - use specialized functions
41
+ const hashedPassword = await bcrypt.hash(password, 12);
42
+ const isValid = await bcrypt.compare(password, hashedPassword);
43
+ ```
44
+
45
+ **Approved vs Prohibited:**
46
+
47
+ | Purpose | Approved | Prohibited |
48
+ |---------|----------|------------|
49
+ | Hash | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
50
+ | Encryption | AES-GCM, ChaCha20-Poly1305 | DES, 3DES, AES-ECB |
51
+ | Password | bcrypt, Argon2, scrypt | MD5, SHA-*, plain AES |
52
+
53
+ **Tools:** SonarQube (S2070, S4790), Semgrep
package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md ADDED
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Use CSPRNG For Security Purposes
3
+ impact: HIGH
4
+ impactDescription: prevents predictable tokens and session hijacking
5
+ tags: random, csprng, tokens, session, cryptography, security
6
+ ---
7
+
8
+ ## Use CSPRNG For Security Purposes
9
+
10
+ Non-cryptographic random generators are predictable. Attackers can guess session tokens, OTPs, and password reset links generated with weak random sources.
11
+
12
+ **Incorrect (predictable random):**
13
+
14
+ ```typescript
15
+ // INSECURE - predictable!
16
+ const sessionId = Math.random().toString(36);
17
+
18
+ // INSECURE - Date-based
19
+ const resetToken = Date.now().toString(36) + Math.random().toString(36);
20
+
21
+ // INSECURE - UUID v1 (time-based, guessable)
22
+ const otp = uuidv1().substring(0, 6);
23
+ ```
24
+
25
+ **Correct (cryptographically secure):**
26
+
27
+ ```typescript
28
+ import { randomBytes } from 'crypto';
29
+
30
+ // Cryptographically secure session ID
31
+ const sessionId = randomBytes(32).toString('hex'); // 256-bit entropy
32
+
33
+ // Secure OTP generation
34
+ function generateOTP(length: number = 6): string {
35
+ const bytes = randomBytes(4);
36
+ const num = bytes.readUInt32BE(0) % Math.pow(10, length);
37
+ return num.toString().padStart(length, '0');
38
+ }
39
+
40
+ // Secure token for password reset
41
+ const resetToken = randomBytes(32).toString('base64url');
42
+ ```
43
+
44
+ **CSPRNG by language:**
45
+
46
+ | Language | Secure | Insecure |
47
+ |----------|--------|----------|
48
+ | Node.js | `crypto.randomBytes()` | `Math.random()` |
49
+ | Python | `secrets`, `os.urandom()` | `random` |
50
+ | Java | `SecureRandom` | `Random` |
51
+ | Go | `crypto/rand` | `math/rand` |
52
+
53
+ **Tools:** SonarQube (S2245), Semgrep
package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md ADDED
@@ -0,0 +1,45 @@
1
+ ---
2
+ title: Enable Encrypted Client Hello (ECH)
3
+ impact: MEDIUM
4
+ impactDescription: protects SNI from eavesdropping
5
+ tags: tls, ech, sni, privacy, security
6
+ ---
7
+
8
+ ## Enable Encrypted Client Hello (ECH)
9
+
10
+ ECH encrypts the Server Name Indication (SNI) to prevent network observers from seeing which site you're connecting to.
11
+
12
+ **About ECH:**
13
+
14
+ Encrypted Client Hello (formerly ESNI) is a TLS extension that encrypts the ClientHello message, hiding the destination hostname from network observers.
15
+
16
+ **Implementation:**
17
+
18
+ ```nginx
19
+ # Nginx with ECH (when supported)
20
+ ssl_ech on;
21
+ ssl_ech_key /path/to/ech-private-key.pem;
22
+ ```
23
+
24
+ **DNS Configuration:**
25
+
26
+ ```
27
+ # HTTPS DNS record for ECH
28
+ _https.example.com. IN HTTPS 1 . alpn="h2,h3" ipv4hint=192.0.2.1 ech="..."
29
+ ```
30
+
31
+ **Client-side (where supported):**
32
+
33
+ ```typescript
34
+ // Browser support detection
35
+ if ('ECH' in navigator) {
36
+ console.log('ECH is supported');
37
+ }
38
+ ```
39
+
40
+ **Current status:**
41
+ - Experimental in most browsers
42
+ - Cloudflare supports ECH
43
+ - Requires DNS HTTPS records
44
+
45
+ **Tools:** Cloudflare ECH, DNS Configuration
package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md ADDED
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: Use Secrets Management For Backend Secrets
3
+ impact: CRITICAL
4
+ impactDescription: centralizes and secures credential storage
5
+ tags: secrets, vault, credentials, configuration, security
6
+ ---
7
+
8
+ ## Use Secrets Management For Backend Secrets
9
+
10
+ Hardcoded secrets are exposed in version control and can be accessed by anyone with code access. Use dedicated secrets management systems.
11
+
12
+ **Incorrect (hardcoded or plain env files):**
13
+
14
+ ```typescript
15
+ // Hardcoded in code
16
+ const API_KEY = 'sk-abc123xyz789';
17
+
18
+ // .env file committed to repo
19
+ DATABASE_URL=postgres://admin:password@localhost/db
20
+ ```
21
+
22
+ **Correct (secrets management):**
23
+
24
+ ```typescript
25
+ // Using secrets manager (AWS, HashiCorp Vault, etc.)
26
+ const dbPassword = await secretManager.getSecret('production/db-password');
27
+
28
+ // Kubernetes secrets
29
+ const secret = process.env.DB_PASSWORD; // Mounted from K8s secret
30
+
31
+ // Environment-specific with validation
32
+ const config = {
33
+ dbPassword: process.env.DB_PASSWORD,
34
+ };
35
+
36
+ if (!config.dbPassword) {
37
+ throw new Error('DB_PASSWORD environment variable required');
38
+ }
39
+ ```
40
+
41
+ **Best practices:**
42
+ - Never commit secrets to version control
43
+ - Use secrets rotation
44
+ - Audit secret access
45
+ - Use different secrets per environment
46
+
47
+ **Tools:** HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md ADDED
@@ -0,0 +1,70 @@
1
+ ---
2
+ title: Always Use TLS For All Connections
3
+ impact: HIGH
4
+ impactDescription: protects data in transit from eavesdropping
5
+ tags: tls, https, encryption, transport, security
6
+ ---
7
+
8
+ ## Always Use TLS For All Connections
9
+
10
+ Unencrypted traffic exposes data to anyone on the network path - ISPs, WiFi operators, and attackers.
11
+
12
+ **Incorrect (unencrypted connections):**
13
+
14
+ ```typescript
15
+ // HTTP API calls
16
+ fetch('http://api.example.com/users');
17
+
18
+ // Unencrypted database
19
+ mongoose.connect('mongodb://db.example.com:27017/app');
20
+
21
+ // Redis without TLS
22
+ const redis = new Redis({ host: 'redis.example.com', port: 6379 });
23
+ ```
24
+
25
+ **Correct (TLS everywhere):**
26
+
27
+ ```typescript
28
+ // HTTPS for all APIs
29
+ fetch('https://api.example.com/users');
30
+
31
+ // TLS for database
32
+ mongoose.connect('mongodb://db.example.com:27017/app', {
33
+ tls: true,
34
+ tlsCAFile: '/path/to/ca.pem'
35
+ });
36
+
37
+ // Redis with TLS
38
+ const redis = new Redis({
39
+ host: 'redis.example.com',
40
+ port: 6380,
41
+ tls: {
42
+ ca: fs.readFileSync('/path/to/ca.pem')
43
+ }
44
+ });
45
+
46
+ // Force HTTPS in Express
47
+ app.use((req, res, next) => {
48
+ if (!req.secure && process.env.NODE_ENV === 'production') {
49
+ return res.redirect(301, `https://${req.headers.host}${req.url}`);
50
+ }
51
+ next();
52
+ });
53
+
54
+ // HSTS header
55
+ app.use(helmet.hsts({
56
+ maxAge: 31536000, // 1 year
57
+ includeSubDomains: true,
58
+ preload: true
59
+ }));
60
+ ```
61
+
62
+ **Checklist:**
63
+ - [ ] All HTTP → HTTPS
64
+ - [ ] Database connections encrypted
65
+ - [ ] Redis/memcached TLS
66
+ - [ ] Message queues TLS
67
+ - [ ] HSTS headers enabled
68
+ - [ ] No localhost exceptions in production
69
+
70
+ **Tools:** OWASP ZAP, SSLyze, Lighthouse
package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md ADDED
@@ -0,0 +1,53 @@
1
+ ---
2
+ title: Do Not Pass Sensitive Data In Query String
3
+ impact: HIGH
4
+ impactDescription: prevents credential leakage in logs and history
5
+ tags: url, query-string, sensitive-data, leakage, security
6
+ ---
7
+
8
+ ## Do Not Pass Sensitive Data In Query String
9
+
10
+ Query strings appear in logs, browser history, referrer headers, and can be cached.
11
+
12
+ **Incorrect (sensitive data in URL):**
13
+
14
+ ```typescript
15
+ // Tokens in URL
16
+ fetch(`/api/data?token=${accessToken}`);
17
+
18
+ // Password in URL
19
+ fetch(`/api/login?user=admin&pass=${password}`);
20
+
21
+ // PII in URL
22
+ fetch(`/api/search?ssn=${socialSecurityNumber}`);
23
+ ```
24
+
25
+ **Correct (sensitive data in body/headers):**
26
+
27
+ ```typescript
28
+ // Token in header
29
+ fetch('/api/data', {
30
+ headers: { 'Authorization': `Bearer ${accessToken}` }
31
+ });
32
+
33
+ // Credentials in body
34
+ fetch('/api/login', {
35
+ method: 'POST',
36
+ headers: { 'Content-Type': 'application/json' },
37
+ body: JSON.stringify({ user: 'admin', pass: password })
38
+ });
39
+
40
+ // Reset token via POST
41
+ <form method="POST" action="/reset-password">
42
+ <input type="hidden" name="token" value="abc123">
43
+ </form>
44
+ ```
45
+
46
+ **Where query strings leak:**
47
+ - Server access logs
48
+ - Browser history
49
+ - Referrer headers
50
+ - Proxy/CDN logs
51
+ - Shared URLs
52
+
53
+ **Tools:** Semgrep, Manual Review, Proxy log scanner
package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md ADDED
@@ -0,0 +1,55 @@
1
+ ---
2
+ title: Always Use Parameterized Queries
3
+ impact: CRITICAL
4
+ impactDescription: prevents SQL and NoSQL injection attacks
5
+ tags: injection, sql, nosql, database, parameterized, security
6
+ ---
7
+
8
+ ## Always Use Parameterized Queries
9
+
10
+ SQL injection is one of the top security vulnerabilities. Direct string concatenation allows attackers to execute arbitrary database commands, steal data, or destroy databases.
11
+
12
+ **Incorrect (string concatenation):**
13
+
14
+ ```typescript
15
+ // SQL Injection vulnerability
16
+ const userId = req.params.id;
17
+ const query = `SELECT * FROM users WHERE id = '${userId}'`;
18
+ const user = await db.query(query);
19
+
20
+ // Attacker input: ' OR '1'='1
21
+ // Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
22
+ // Returns ALL users!
23
+ ```
24
+
25
+ ```javascript
26
+ // NoSQL Injection in MongoDB
27
+ const user = await User.findOne({
28
+ username: req.body.username,
29
+ password: req.body.password // Attacker can pass { "$gt": "" }
30
+ });
31
+ ```
32
+
33
+ **Correct (parameterized queries):**
34
+
35
+ ```typescript
36
+ // Parameterized query - SQL
37
+ const userId = req.params.id;
38
+ const user = await db.query(
39
+ 'SELECT * FROM users WHERE id = $1',
40
+ [userId]
41
+ );
42
+
43
+ // Using ORM with type safety
44
+ const user = await userRepository.findOne({
45
+ where: { id: userId }
46
+ });
47
+
48
+ // Safe MongoDB query
49
+ const user = await User.findOne({
50
+ username: String(req.body.username),
51
+ password: String(req.body.password)
52
+ }).exec();
53
+ ```
54
+
55
+ **Tools:** SonarQube (S2077, S3649), Semgrep, CodeQL
package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md ADDED
@@ -0,0 +1,56 @@
1
+ ---
2
+ title: Sanitize Input Before Sending Emails
3
+ impact: MEDIUM
4
+ impactDescription: prevents email header injection
5
+ tags: email, injection, sanitization, input-validation, security
6
+ ---
7
+
8
+ ## Sanitize Input Before Sending Emails
9
+
10
+ Email header injection allows attackers to add recipients, change headers, or send spam through your system.
11
+
12
+ **Incorrect (unsanitized email input):**
13
+
14
+ ```typescript
15
+ // Email injection vulnerability
16
+ const subject = req.body.subject; // "Hello\r\nBcc: spam@evil.com"
17
+ await sendEmail({
18
+ to: user.email,
19
+ subject: subject, // Injects headers!
20
+ body: 'Your message'
21
+ });
22
+ ```
23
+
24
+ **Correct (sanitized email fields):**
25
+
26
+ ```typescript
27
+ function sanitizeEmailField(input: string): string {
28
+ // Remove CRLF characters that could inject headers
29
+ return input.replace(/[\r\n]/g, '').trim();
30
+ }
31
+
32
+ function validateEmail(email: string): boolean {
33
+ const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
34
+ return emailRegex.test(email) && !email.includes('\n');
35
+ }
36
+
37
+ app.post('/contact', async (req, res) => {
38
+ const { to, subject, body } = req.body;
39
+
40
+ // Validate email address
41
+ if (!validateEmail(to)) {
42
+ return res.status(400).json({ error: 'Invalid email address' });
43
+ }
44
+
45
+ // Sanitize all text fields
46
+ await sendEmail({
47
+ to: sanitizeEmailField(to),
48
+ subject: sanitizeEmailField(subject),
49
+ body: body // Body can contain newlines, but sanitize if templating
50
+ });
51
+
52
+ res.json({ success: true });
53
+ });
54
+ ```
55
+
56
+ **Tools:** Email Libraries with Built-in Protection, Manual Review
package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md ADDED
@@ -0,0 +1,58 @@
1
+ ---
2
+ title: Avoid Eval Or Dynamic Code Execution
3
+ impact: HIGH
4
+ impactDescription: prevents remote code execution vulnerabilities
5
+ tags: eval, code-execution, rce, injection, security
6
+ ---
7
+
8
+ ## Avoid Eval Or Dynamic Code Execution
9
+
10
+ `eval()` and similar functions execute arbitrary code, making them extremely dangerous with user input. Attackers can run any code on your server.
11
+
12
+ **Incorrect (dynamic code execution):**
13
+
14
+ ```typescript
15
+ // eval() with user input
16
+ const formula = req.body.formula;
17
+ const result = eval(formula); // RCE vulnerability!
18
+
19
+ // new Function() with user input
20
+ const fn = new Function('x', userCode);
21
+
22
+ // setTimeout with string
23
+ setTimeout(userInput, 1000); // Executes as code!
24
+
25
+ // Dynamic require
26
+ const module = require(userInput); // Path traversal + RCE
27
+ ```
28
+
29
+ **Correct (safe alternatives):**
30
+
31
+ ```typescript
32
+ // Use a safe expression parser
33
+ import { evaluate } from 'mathjs';
34
+ const result = evaluate(formula, { x: 10 }); // Limited to math
35
+
36
+ // Use switch/object mapping for dynamic behavior
37
+ const operations: Record<string, (a: number, b: number) => number> = {
38
+ add: (a, b) => a + b,
39
+ subtract: (a, b) => a - b,
40
+ multiply: (a, b) => a * b,
41
+ };
42
+
43
+ const operation = operations[req.body.operation];
44
+ if (!operation) throw new Error('Invalid operation');
45
+ const result = operation(a, b);
46
+
47
+ // Use JSON.parse for data (not eval)
48
+ const data = JSON.parse(jsonString);
49
+
50
+ // Allowlist for dynamic imports
51
+ const allowedModules = ['module-a', 'module-b'];
52
+ if (!allowedModules.includes(moduleName)) {
53
+ throw new Error('Module not allowed');
54
+ }
55
+ const module = require(`./${moduleName}`);
56
+ ```
57
+
58
+ **Tools:** ESLint (`no-eval`), Semgrep, SonarQube (S1523)
package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md ADDED
@@ -0,0 +1,48 @@
1
+ ---
2
+ title: Escape Data By Output Context
3
+ impact: MEDIUM
4
+ impactDescription: ensures correct encoding for each output context
5
+ tags: xss, escaping, context, encoding, security
6
+ ---
7
+
8
+ ## Escape Data By Output Context
9
+
10
+ Different contexts require different escaping strategies. Using HTML encoding in a JavaScript context doesn't prevent XSS.
11
+
12
+ **Incorrect (wrong encoding for context):**
13
+
14
+ ```typescript
15
+ // Wrong: same escape for all contexts
16
+ const escaped = htmlEscape(userInput);
17
+ res.send(`<script>var x = "${escaped}";</script>`); // Still vulnerable!
18
+
19
+ // Wrong: no header injection protection
20
+ res.setHeader('X-Custom', userInput); // Header injection!
21
+ ```
22
+
23
+ **Correct (context-appropriate encoding):**
24
+
25
+ ```typescript
26
+ import { escape as htmlEscape } from 'html-escaper';
27
+
28
+ // HTML content context
29
+ const htmlContent = htmlEscape(userInput);
30
+ res.send(`<p>${htmlContent}</p>`);
31
+
32
+ // JavaScript context
33
+ const jsData = JSON.stringify(userInput);
34
+ res.send(`<script>var x = ${jsData};</script>`);
35
+
36
+ // URL parameter context
37
+ const urlParam = encodeURIComponent(userInput);
38
+ res.redirect(`/search?q=${urlParam}`);
39
+
40
+ // HTTP header context - strip CRLF
41
+ const safeHeader = userInput.replace(/[\r\n]/g, '');
42
+ res.setHeader('X-Custom', safeHeader);
43
+
44
+ // Email context - prevent injection
45
+ const safeSubject = emailInput.replace(/[\r\n]/g, '');
46
+ ```
47
+
48
+ **Tools:** ESLint, SonarQube, DOMPurify