npm - @sun-asterisk/sunlint - Versions diffs - 1.3.40 → 1.3.41 - Mend

@sun-asterisk/sunlint 1.3.40 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md ADDED Viewed

@@ -0,0 +1,68 @@
+---
+title: Separate Processing And Data Access
+impact: HIGH
+impactDescription: enables testable business logic
+tags: separation, repository, service, architecture, quality
+---
+## Separate Processing And Data Access
+Mixing business logic with database queries creates tight coupling and makes testing require real databases.
+**Incorrect (mixed concerns):**
+```go
+type OrderService struct {
+    db *sql.DB
+}
+func (s *OrderService) CalculateDiscount(userId string) (int, error) {
+    // Business logic mixed with data access
+    var isPremium bool
+    db.QueryRow("SELECT is_premium FROM users WHERE id = ?", userId).Scan(&isPremium)
+    var orderCount int
+    db.QueryRow("SELECT count(*) FROM orders WHERE user_id = ?", userId).Scan(&orderCount)
+    discount := 0
+    if orderCount > 10 { discount += 5 }
+    if isPremium { discount += 10 }
+    return discount, nil
+}
+```
+**Correct (separated layers):**
+```go
+// Repository - data access only
+type UserRepository interface {
+    FindByID(id string) (*User, error)
+}
+type OrderRepository interface {
+    CountByUserID(id string) (int, error)
+}
+// Service - business logic only
+type DiscountService struct {
+    userRepo  UserRepository
+    orderRepo OrderRepository
+}
+func (s *DiscountService) CalculateDiscount(userId string) (int, error) {
+    user, _ := s.userRepo.FindByID(userId)
+    count, _ := s.orderRepo.CountByUserID(userId)
+    return s.computeDiscount(user, count), nil
+}
+func (s *DiscountService) computeDiscount(user *User, orderCount int) int {
+    discount := 0
+    if orderCount > 10 { discount += 5 }
+    if user != nil && user.IsPremium { discount += 10 }
+    return discount
+}
+```
+**Tools:** Architectural review, Code Review

package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+title: Log All Relevant Context On Errors
+impact: HIGH
+impactDescription: enables quick debugging and incident response
+tags: error-handling, logging, context, debugging, quality
+---
+## Log All Relevant Context On Errors
+Context-rich logs enable quick debugging. Without proper context, finding root causes is difficult.
+**Incorrect (minimal context):**
+```go
+slog.Error("error occurred")
+slog.Error(err.Error())
+```
+**Correct (comprehensive context using slog):**
+```go
+slog.Error("failed to process order",
+  // What happened
+  "error", err,
+  "stack", string(debug.Stack()), // Optional: but useful for critical errors
+  // Context
+  "order_id", order.ID,
+  "user_id", user.ID,
+  "request_id", ctx.Value("request_id"),
+  // Input that caused the issue
+  "item_count", len(order.Items),
+  "total_amount", order.Total,
+  // Timing
+  "processing_time_ms", time.Since(startTime).Milliseconds(),
+)
+```
+**Essential context:**
+- Error details
+- Entity identifiers
+- Request/correlation IDs
+- Relevant input summary
+- Timing information
+**Tools:** `slog`, `zap`, `logback` equivalent

package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md ADDED Viewed

@@ -0,0 +1,45 @@
+---
+title: No Hardcoded Secrets In Repo
+impact: HIGH
+impactDescription: prevents credential exposure
+tags: secrets, credentials, security, git, quality
+---
+## No Hardcoded Secrets In Repo
+Secrets in code are exposed to everyone with repo access and can be scraped by attackers.
+**Incorrect (secrets in code):**
+```go
+const APIKey = "sk-abc123xyz789"
+const DBPassword = "admin123"
+func init() {
+    client := stripe.NewClient("sk_live_xxx")
+}
+```
+**Correct (environment/secrets manager):**
+```go
+// From environment
+apiKey := os.Getenv("API_KEY")
+// From secrets manager
+apiKey, err := secretManager.GetSecret(ctx, "stripe-api-key")
+// Validation at startup
+if os.Getenv("API_KEY") == "" {
+    log.Fatal("API_KEY environment variable is required")
+}
+```
+```gitignore
+# .gitignore
+.env
+*.pem
+*.key
+```
+**Tools:** GitLeaks, TruffleHog, pre-commit hooks

package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md ADDED Viewed

@@ -0,0 +1,42 @@
+---
+title: Boolean Names Is/Has/Should
+impact: HIGH
+impactDescription: makes conditions instantly readable
+tags: naming, booleans, readability, quality
+---
+## Boolean Names Is/Has/Should
+Boolean prefixes make conditions instantly readable.
+**Incorrect (unclear boolean names):**
+```go
+active := user.Status == "active"
+admin := checkAdminRole(user)
+items := len(cart) > 0
+update := needsRefresh()
+```
+**Correct (boolean prefixes):**
+```go
+isActive := user.Status == "active"
+isAdmin := checkAdminRole(user)
+hasItems := len(cart) > 0
+shouldUpdate := needsRefresh()
+canEdit := hasPermission(user, "edit")
+willExpire := expirationDate.Before(time.Now())
+```
+**Boolean prefixes:**
+| Prefix | Use For |
+|--------|---------|
+| `Is` | State (IsActive, IsEnabled) |
+| `Has` | Ownership (HasPermission, HasError) |
+| `Should` | Decision (ShouldUpdate, ShouldRetry) |
+| `Can` | Capability (CanEdit, CanDelete) |
+| `Will` | Future (WillExpire, WillRetry) |
+**Tools:** Linter, Code Review

package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md ADDED Viewed

@@ -0,0 +1,62 @@
+---
+title: Separate Parsing From Handlers
+impact: HIGH
+impactDescription: keeps handlers thin and focused
+tags: handler, parsing, transformation, patterns, quality
+---
+## Separate Parsing From Handlers
+Handlers (controllers) should be thin - only handling HTTP concerns. Transformation logic should be extracted.
+**Incorrect (transformation in handler):**
+```go
+func GetUserHandler(w http.ResponseWriter, r *http.Request) {
+    user, _ := userService.FindByID(r.URL.Query().Get("id"))
+    // Transformation logic in handler
+    response := map[string]any{
+        "id":        user.ID,
+        "full_name": user.FirstName + " " + user.LastName,
+        "email":     strings.ToLower(user.Email),
+        "created_at": user.CreatedAt.Format("2006-01-02"),
+    }
+    json.NewEncoder(w).Encode(response)
+}
+```
+**Correct (separate mapper/DTO):**
+```go
+type UserResponse struct {
+    ID        string `json:"id"`
+    FullName  string `json:"full_name"`
+    Email     string `json:"email"`
+    CreatedAt string `json:"created_at"`
+}
+func ToUserResponse(user *User) UserResponse {
+    return UserResponse{
+        ID:        user.ID,
+        FullName:  user.FirstName + " " + user.LastName,
+        Email:     strings.ToLower(user.Email),
+        CreatedAt: user.CreatedAt.Format("2006-01-02"),
+    }
+}
+// Clean handler
+func GetUserHandler(w http.ResponseWriter, r *http.Request) {
+    user, _ := userService.FindByID(r.URL.Query().Get("id"))
+    json.NewEncoder(w).Encode(ToUserResponse(user))
+}
+```
+**Benefits:**
+- Reusable transformation logic
+- Testable mappers
+- Clean handlers
+- Consistent response format
+**Tools:** Code review, Architecture rules

package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md ADDED Viewed

@@ -0,0 +1,60 @@
+---
+title: Do Not Ignore Embedded Struct Logic
+impact: HIGH
+impactDescription: ensures proper composition behavior
+tags: composition, embedding, override, quality
+---
+## Do Not Ignore Embedded Struct Logic
+When "overriding" methods of an embedded struct, ensure the embedded behavior is preserved unless explicitly intended otherwise.
+**Incorrect (ignoring embedded logic):**
+```go
+type BaseService struct{}
+func (s *BaseService) Save(entity any) error {
+    s.Validate(entity)
+    s.BeforeSave(entity)
+    // ... actual save logic ...
+    return nil
+}
+type UserService struct {
+    BaseService
+}
+func (s *UserService) Save(user any) error {
+    // Completely ignores BaseService.Save logic (validation, hooks, etc.)
+    return s.repo.Save(user)
+}
+```
+**Correct (explicitly calling embedded method):**
+```go
+type UserService struct {
+    BaseService
+}
+func (s *UserService) Save(user *User) error {
+    // Add user-specific preprocessing
+    user.UpdatedAt = time.Now()
+    // Call embedded struct implementation
+    if err := s.BaseService.Save(user); err != nil {
+        return err
+    }
+    // Add user-specific postprocessing
+    return s.updateSearchIndex(user)
+}
+```
+**When to skip:**
+- Complete replacement is intentional
+- Base implementation doesn't apply
+- Document the reason clearly
+**Tools:** Static Analysis, Code Review

package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md ADDED Viewed

@@ -0,0 +1,51 @@
+---
+title: Do Not Hardcode Configuration
+impact: HIGH
+impactDescription: enables environment-specific deployments
+tags: configuration, environment, deployment, quality
+---
+## Do Not Hardcode Configuration
+Hardcoded configuration requires code changes to deploy to different environments.
+**Incorrect (hardcoded config):**
+```go
+const APIUrl = "https://api.production.example.com"
+const Timeout = 5000
+const MaxFileSize = 10485760
+```
+**Correct (externalized config):**
+```go
+type Config struct {
+    API struct {
+        URL     string
+        Timeout time.Duration
+    }
+    Upload struct {
+        MaxFileSize int64
+    }
+}
+func LoadConfig() *Config {
+    return &Config{
+        API: struct {
+            URL     string
+            Timeout time.Duration
+        }{
+            URL:     getEnv("API_URL", "http://localhost:3000"),
+            Timeout: time.Duration(getEnvInt("API_TIMEOUT", 5000)) * time.Millisecond,
+        },
+        // ...
+    }
+}
+// Usage
+cfg := LoadConfig()
+client := &http.Client{Timeout: cfg.API.Timeout}
+```
+**Tools:** `os.Getenv`, `viper`, `clever-env`, Manual review

package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md ADDED Viewed

@@ -0,0 +1,80 @@
+---
+title: URL Redirects Must Be In Allow List
+impact: LOW
+impactDescription: prevents open redirect vulnerabilities
+tags: redirect, url, allow-list, validation, security
+---
+## URL Redirects Must Be In Allow List
+Open redirect vulnerabilities allow attackers to redirect users to malicious sites, often used in phishing attacks.
+**Incorrect (unvalidated redirect URL):**
+```go
+// Open redirect vulnerability
+http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
+    url := r.URL.Query().Get("url")
+    http.Redirect(w, r, url, http.StatusFound) // Attacker: ?url=https://evil.com
+})
+// Partial validation (can be bypassed)
+http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
+    url := r.URL.Query().Get("url")
+    if strings.Contains(url, "example.com") {
+        http.Redirect(w, r, url, http.StatusFound) // Bypass: evil.com?example.com
+    }
+})
+```
+**Correct (allow list validation):**
+```go
+var allowedRedirectHosts = []string{
+    "example.com",
+    "app.example.com",
+    "admin.example.com",
+}
+func isAllowedHost(host string) bool {
+    for _, h := range allowedRedirectHosts {
+        if h == host {
+            return true
+        }
+    }
+    return false
+}
+http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
+    targetURL := r.URL.Query().Get("url")
+    parsed, err := url.Parse(targetURL)
+    if err != nil || !isAllowedHost(parsed.Hostname()) {
+        http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
+        return
+    }
+    http.Redirect(w, r, targetURL, http.StatusFound)
+})
+// Or use relative URLs only
+http.HandleFunc("/relative-redirect", func(w http.ResponseWriter, r *http.Request) {
+    path := r.URL.Query().Get("path")
+    // Only allow relative paths starting with /
+    if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {
+        http.Error(w, "Invalid path", http.StatusBadRequest)
+        return
+    }
+    http.Redirect(w, r, path, http.StatusFound)
+})
+```
+**Protection strategies:**
+1. Allow list of trusted domains
+2. Use relative URLs only
+3. Validate URL structure
+4. Warning page before external redirects
+**Tools:** SonarQube, Semgrep, Manual Review

package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md ADDED Viewed

@@ -0,0 +1,66 @@
+---
+title: Do Not Log Credentials Or Tokens
+impact: MEDIUM
+impactDescription: prevents credential exposure in logs
+tags: logging, credentials, tokens, secrets, security
+---
+## Do Not Log Credentials Or Tokens
+Logs are often stored unencrypted and accessed by many people. Credentials in logs can be harvested by attackers or accidentally exposed.
+**Incorrect (logging sensitive data):**
+```go
+// Logging passwords
+slog.Info("Login attempt",
+    "username", user.Username,
+    "password", user.Password, // NEVER!
+)
+// Logging tokens
+slog.Debug("Request headers", "headers", r.Header)
+// Authorization header contains token!
+// Logging full request body
+body, _ := io.ReadAll(r.Body)
+slog.Info("Incoming request", "body", string(body))
+// May contain password, credit card, etc.
+```
+**Correct (sanitized logging):**
+```go
+// Mask or omit sensitive fields
+slog.Info("Login attempt",
+    "username", user.Username,
+    // password omitted
+)
+// Sanitize headers
+safeHeader := r.Header.Clone()
+if safeHeader.Get("Authorization") != "" {
+    safeHeader.Set("Authorization", "[REDACTED]")
+}
+slog.Debug("Request headers", "headers", safeHeader)
+// Use a sanitizer for request body
+func sanitizeForLog(data map[string]any) map[string]any {
+    sensitiveFields := []string{"password", "token", "secret", "credit_card"}
+    for _, field := range sensitiveFields {
+        if _, ok := data[field]; ok {
+            data[field] = "[REDACTED]"
+        }
+    }
+    return data
+}
+```
+**Never log:**
+- Passwords (plaintext or hashed)
+- API keys and tokens
+- Credit card numbers
+- Social Security Numbers
+- Session identifiers
+**Tools:** SonarQube, Semgrep, Log Audit

package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md ADDED Viewed

@@ -0,0 +1,55 @@
+---
+title: Enforce Authorization At Trusted Service Layer
+impact: CRITICAL
+impactDescription: prevents client-side authorization bypass
+tags: authorization, server-side, middleware, access-control, security
+---
+## Enforce Authorization At Trusted Service Layer
+Client-side authorization can be bypassed. All permission checks must occur server-side where they cannot be manipulated.
+**Incorrect (client-side or trusting client data):**
+```go
+// Trusting client-sent role
+func deleteUserHandler(w http.ResponseWriter, r *http.Request) {
+    userRole := r.FormValue("role") // From client!
+    if userRole == "admin" {
+        deleteUser(r.FormValue("id"))
+    }
+}
+```
+**Correct (server-side authorization middleware):**
+```go
+func authMiddleware(requiredRole string, next http.HandlerFunc) http.HandlerFunc {
+    return func(w http.ResponseWriter, r *http.Request) {
+        token := r.Header.Get("Authorization")
+        user, err := getUserFromToken(token)
+        if err != nil {
+            http.Error(w, "Unauthorized", http.StatusUnauthorized)
+            return
+        }
+        if !checkPermission(user.ID, requiredRole) {
+            http.Error(w, "Forbidden", http.StatusForbidden)
+            return
+        }
+        next.ServeHTTP(w, r)
+    }
+}
+// Router usage
+http.HandleFunc("/users/delete", authMiddleware("admin", deleteUserHandler))
+```
+**Never trust:**
+- Client-side JavaScript checks
+- Hidden form fields
+- URL parameters for access control
+- Unvalidated tokens from browser storage
+**Tools:** Manual Review, Static Analysis, Penetration Testing

package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md ADDED Viewed

@@ -0,0 +1,47 @@
+---
+title: Do Not Use Default Credentials
+impact: CRITICAL
+impactDescription: prevents trivial compromise via known credentials
+tags: credentials, default, passwords, configuration, security
+---
+## Do Not Use Default Credentials
+Default credentials are publicly known. Attackers scan for them automatically, making any system using them trivially compromised.
+**Incorrect (default or hardcoded credentials):**
+```yaml
+# Docker Compose with defaults
+services:
+  postgres:
+    image: postgres
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres  # Default!
+```
+**Correct (environment/secrets management):**
+```go
+// Application code
+dbConfig := struct {
+    User     string
+    Password string
+}{
+    User:     os.Getenv("DB_USER"),
+    Password: os.Getenv("DB_PASSWORD"),
+}
+// Validate no defaults
+if dbConfig.Password == "admin" || dbConfig.Password == "password" || dbConfig.Password == "postgres" {
+    log.Fatal("Default credentials detected - deployment blocked")
+}
+```
+**Blocked defaults:**
+- `admin/admin`, `root/root`, `test/test`
+- `postgres/postgres`, `mysql/mysql`
+- Factory default API keys
+**Tools:** Secret Scanner, GitLeaks, TruffleHog, CI/CD checks

package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md ADDED Viewed

@@ -0,0 +1,50 @@
+---
+title: Output Encoding Before Interpreter Use
+impact: HIGH
+impactDescription: prevents XSS and injection attacks
+tags: xss, encoding, output, html, security
+---
+## Output Encoding Before Interpreter Use
+XSS and injection attacks occur when unescaped user data is interpreted by browsers or other systems.
+**Incorrect (no encoding):**
+```go
+// XSS vulnerability
+http.HandleFunc("/search", func(w http.ResponseWriter, r *http.Request) {
+    query := r.URL.Query().Get("q")
+    fmt.Fprintf(w, "<h1>Results for: %s</h1>", query) // XSS!
+})
+```
+**Correct (context-aware encoding):**
+```go
+import "html"
+// HTML context
+http.HandleFunc("/search", func(w http.ResponseWriter, r *http.Request) {
+    query := r.URL.Query().Get("q")
+    // html.EscapeString escapes <, >, &, ', "
+    fmt.Fprintf(w, "<h1>Results for: %s</h1>", html.EscapeString(query))
+})
+// Using html/template (auto-escapes by default)
+tmpl := template.Must(template.New("res").Parse("<h1>Results for: {{.}}</h1>"))
+tmpl.Execute(w, query)
+// URL context
+safeURL := url.QueryEscape(userInput)
+```
+**Encoding by Context:**
+| Context | Encoding |
+|---------|----------|
+| HTML body | `html.EscapeString()` |
+| URL | `url.QueryEscape()` |
+| JSON | `json.Marshal()` |
+**Tools:** SonarQube, Semgrep, `html/template` (enforced escaping)