@sun-asterisk/sunlint 1.3.40 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md

@@ -0,0 +1,63 @@
+---
+title: Use Only Approved Crypto Algorithms
+impact: MEDIUM
+impactDescription: ensures cryptographic strength
+tags: cryptography, algorithms, hashing, encryption, security
+---
+
+## Use Only Approved Crypto Algorithms
+
+Weak algorithms are broken. MD5, SHA1, DES, and ECB mode have known vulnerabilities.
+
+**Incorrect (weak algorithms):**
+
+```go
+import (
+    "crypto/md5"
+    "crypto/des"
+    "crypto/cipher"
+)
+
+// WEAK hash
+h := md5.New()
+h.Write([]byte(password))
+hash := h.Sum(nil)
+
+// WEAK algorithm
+block, _ := des.NewCipher(key)
+```
+
+**Correct (approved algorithms):**
+
+```go
+import (
+    "crypto/aes"
+    "crypto/cipher"
+    "crypto/sha256"
+    "golang.org/x/crypto/bcrypt"
+)
+
+// STRONG hash (for data integrity)
+h := sha256.New()
+h.Write(data)
+hash := h.Sum(nil)
+
+// STRONG authenticated encryption (GCM mode)
+block, _ := aes.NewCipher(key)
+aesGCM, _ := cipher.NewGCM(block)
+ciphertext := aesGCM.Seal(nil, nonce, plaintext, associatedData)
+
+// For passwords - use specialized functions
+hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
+```
+
+**Approved vs Prohibited:**
+
+| Purpose | Approved | Prohibited |
+|---------|----------|------------|
+| Hash | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
+| Encryption | AES-GCM, ChaCha20-Poly1305 | DES, 3DES, AES-ECB |
+| Password | bcrypt, Argon2, scrypt | MD5, SHA-*, plain AES |
+
+**Tools:** SonarQube, Semgrep, `crypto` (standard library)

package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md

@@ -0,0 +1,53 @@
+---
+title: Use CSPRNG For Security Purposes
+impact: HIGH
+impactDescription: prevents predictable tokens and session hijacking
+tags: random, csprng, tokens, session, cryptography, security
+---
+
+## Use CSPRNG For Security Purposes
+
+Non-cryptographic random generators are predictable. Attackers can guess session tokens, OTPs, and password reset links generated with weak random sources.
+
+**Incorrect (predictable random):**
+
+```go
+import "math/rand"
+
+// INSECURE - predictable!
+sessionId := fmt.Sprintf("%d", rand.Intn(1000000))
+
+// INSECURE - Seeded with time isn't enough for security tokens
+rand.Seed(time.Now().UnixNano())
+token := rand.Int63()
+```
+
+**Correct (cryptographically secure):**
+
+```go
+import (
+    "crypto/rand"
+    "encoding/hex"
+    "math/big"
+)
+
+// Cryptographically secure session ID
+b := make([]byte, 32)
+rand.Read(b)
+sessionId := hex.EncodeToString(b) // 256-bit entropy
+
+// Secure OTP generation
+func generateOTP(length int) string {
+    max := big.NewInt(int64(math.Pow10(length)))
+    n, _ := rand.Int(rand.Reader, max)
+    return fmt.Sprintf("%0*d", length, n)
+}
+```
+
+**CSPRNG by language:**
+
+| Language | Secure | Insecure |
+|----------|--------|----------|
+| Go | `crypto/rand` | `math/rand` |
+
+**Tools:** SonarQube, Semgrep, `crypto/rand`

package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md

@@ -0,0 +1,34 @@
+---
+title: Enable Encrypted Client Hello (ECH)
+impact: MEDIUM
+impactDescription: protects SNI from eavesdropping
+tags: tls, ech, sni, privacy, security
+---
+
+## Enable Encrypted Client Hello (ECH)
+
+ECH encrypts the Server Name Indication (SNI) to prevent network observers from seeing which site you're connecting to.
+
+**About ECH:**
+
+Encrypted Client Hello (formerly ESNI) is a TLS extension that encrypts the ClientHello message, hiding the destination hostname from network observers.
+
+**Implementation:**
+
+```nginx
+# Nginx with ECH (when supported)
+ssl_ech on;
+ssl_ech_key /path/to/ech-private-key.pem;
+```
+
+**DNS Configuration:**
+
+```
+# HTTPS DNS record for ECH
+_https.example.com. IN HTTPS 1 . alpn="h2,h3" ipv4hint=192.0.2.1 ech="..."
+```
+
+**Go Support:**
+Go's `crypto/tls` currently (as of Go 1.22) has limited native support for ECH, but it can be implemented via specialized packages or handled at the infrastructure level (e.g., Cloudflare).
+
+**Tools:** Cloudflare ECH, DNS Configuration

package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md

@@ -0,0 +1,49 @@
+---
+title: Use Secrets Management For Backend Secrets
+impact: CRITICAL
+impactDescription: centralizes and secures credential storage
+tags: secrets, vault, credentials, configuration, security
+---
+
+## Use Secrets Management For Backend Secrets
+
+Hardcoded secrets are exposed in version control and can be accessed by anyone with code access. Use dedicated secrets management systems.
+
+**Incorrect (hardcoded or plain env files):**
+
+```go
+// Hardcoded in code
+const APIKey = "sk-abc123xyz789"
+
+// .env file committed to repo
+DATABASE_URL=postgres://admin:password@localhost/db
+```
+
+**Correct (secrets management):**
+
+```go
+// Using secrets manager (AWS, HashiCorp Vault, etc.)
+dbPassword, _ := secretManager.GetSecret(ctx, "production/db-password")
+
+// Kubernetes secrets
+secret := os.Getenv("DB_PASSWORD") // Mounted from K8s secret
+
+// Environment-specific with validation
+config := struct {
+    DBPassword string
+}{
+    DBPassword: os.Getenv("DB_PASSWORD"),
+}
+
+if config.DBPassword == "" {
+    log.Fatal("DB_PASSWORD environment variable required")
+}
+```
+
+**Best practices:**
+- Never commit secrets to version control
+- Use secrets rotation
+- Audit secret access
+- Use different secrets per environment
+
+**Tools:** HashiCorp Vault, AWS Secrets Manager, Azure Key Vault

package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md

@@ -0,0 +1,61 @@
+---
+title: Always Use TLS For All Connections
+impact: HIGH
+impactDescription: protects data in transit from eavesdropping
+tags: tls, https, encryption, transport, security
+---
+
+## Always Use TLS For All Connections
+
+Unencrypted traffic exposes data to anyone on the network path - ISPs, WiFi operators, and attackers.
+
+**Incorrect (unencrypted connections):**
+
+```go
+// HTTP API calls
+resp, _ := http.Get("http://api.example.com/users")
+
+// Unencrypted database
+db, _ := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=disable")
+
+// Redis without TLS
+client := redis.NewClient(&redis.Options{
+    Addr: "localhost:6379",
+})
+```
+
+**Correct (TLS everywhere):**
+
+```go
+// HTTPS for all APIs
+resp, _ := http.Get("https://api.example.com/users")
+
+// TLS for database
+db, _ := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=verify-full")
+
+// Redis with TLS
+client := redis.NewClient(&redis.Options{
+    Addr: "localhost:6380",
+    TLSConfig: &tls.Config{...},
+})
+
+// Force HTTPS in a Go web server
+func enforceHTTPS(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Header.Get("X-Forwarded-Proto") != "https" && os.Getenv("ENV") == "production" {
+            http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusMovedPermanently)
+            return
+        }
+        next.ServeHTTP(w, r)
+    })
+}
+```
+
+**Checklist:**
+- [ ] All HTTP → HTTPS
+- [ ] Database connections encrypted (sslmode=verify-full)
+- [ ] Redis/memcached TLS
+- [ ] Message queues TLS
+- [ ] HSTS headers enabled
+
+**Tools:** OWASP ZAP, SSLyze, `crypto/tls`

package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md

@@ -0,0 +1,42 @@
+---
+title: Do Not Pass Sensitive Data In Query String
+impact: HIGH
+impactDescription: prevents credential leakage in logs and history
+tags: url, query-string, sensitive-data, leakage, security
+---
+
+## Do Not Pass Sensitive Data In Query String
+
+Query strings appear in server logs, browser history, referrer headers, and can be cached by proxies and CDNs.
+
+**Incorrect (sensitive data in URL):**
+
+```go
+// Tokens in URL
+http.Get(fmt.Sprintf("https://api.example.com/data?token=%s", accessToken))
+
+// Password in URL
+http.Post(fmt.Sprintf("https://api.example.com/login?user=admin&pass=%s", password), "application/json", nil)
+```
+
+**Correct (sensitive data in body/headers):**
+
+```go
+// Token in header
+req, _ := http.NewRequest("GET", "https://api.example.com/data", nil)
+req.Header.Set("Authorization", "Bearer "+accessToken)
+client.Do(req)
+
+// Credentials in body
+payload := map[string]string{"user": "admin", "pass": password}
+jsonPayload, _ := json.Marshal(payload)
+http.Post("https://api.example.com/login", "application/json", bytes.NewBuffer(jsonPayload))
+```
+
+**Where query strings leak:**
+- Server access logs
+- Browser history
+- Referrer headers
+- Proxy/CDN logs
+
+**Tools:** Semgrep, Manual Review, Proxy log scanner

package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md

@@ -0,0 +1,36 @@
+---
+title: Always Use Parameterized Queries
+impact: CRITICAL
+impactDescription: prevents SQL and NoSQL injection attacks
+tags: injection, sql, nosql, database, parameterized, security
+---
+
+## Always Use Parameterized Queries
+
+SQL injection allows attackers to execute arbitrary database commands, steal data, or destroy databases.
+
+**Incorrect (string concatenation):**
+
+```go
+// SQL Injection vulnerability
+userId := r.URL.Query().Get("id")
+query := fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", userId)
+db.Query(query)
+
+// Attacker input: ' OR '1'='1
+// Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
+```
+
+**Correct (parameterized queries):**
+
+```go
+// Parameterized query using database/sql
+userId := r.URL.Query().Get("id")
+db.Query("SELECT * FROM users WHERE id = ?", userId) // Postgres uses $1, $2
+
+// Using GORM (safely handles parameters)
+var user User
+db.First(&user, "id = ?", userId)
+```
+
+**Tools:** SonarQube, Semgrep, `sqlclosecheck`, `gosec` (G201, G202)

package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md

@@ -0,0 +1,44 @@
+---
+title: Sanitize Input Before Sending Emails
+impact: MEDIUM
+impactDescription: prevents email header injection
+tags: email, injection, sanitization, input-validation, security
+---
+
+## Sanitize Input Before Sending Emails
+
+Email header injection allows attackers to add recipients, change headers, or send spam through your system.
+
+**Incorrect (unsanitized email input):**
+
+```go
+// Email injection vulnerability
+subject := r.FormValue("subject") // "Hello\r\nBcc: spam@evil.com"
+msg := []byte("Subject: " + subject + "\r\n\r\n" + "Body")
+smtp.SendMail("smtp.example.com:25", auth, from, to, msg)
+```
+
+**Correct (sanitized email fields):**
+
+```go
+func sanitizeEmailField(input string) string {
+    // Remove CRLF characters that could inject headers
+    return strings.NewReplacer("\r", "", "\n", "").Replace(input)
+}
+
+func validateEmail(email string) bool {
+    // Use a robust regex or net/mail
+    _, err := mail.ParseAddress(email)
+    return err == nil && !strings.ContainsAny(email, "\r\n")
+}
+
+// In handler
+subject := sanitizeEmailField(r.FormValue("subject"))
+to := r.FormValue("to")
+if !validateEmail(to) {
+    http.Error(w, "Invalid email", 400)
+    return
+}
+```
+
+**Tools:** Email Libraries with Built-in Protection, Manual Review, `net/mail`

package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md

@@ -0,0 +1,47 @@
+---
+title: Avoid Dynamic Code Execution
+impact: HIGH
+impactDescription: prevents remote code execution vulnerabilities
+tags: eval, code-execution, rce, injection, security
+---
+
+## Avoid Dynamic Code Execution
+
+Executing arbitrary strings as code is extremely dangerous. Attackers can run any code on your server. While Go doesn't have a native `eval()` function, similar risks exist with certain libraries or `os/exec`.
+
+**Incorrect (dynamic execution/dangerous OS calls):**
+
+```go
+// INSECURE: Executing user-provided command
+cmd := exec.Command("bash", "-c", r.URL.Query().Get("cmd"))
+cmd.Run()
+
+// INSECURE: Using a dangerous expression library with unsanitized input
+result, _ := govau.Eval(r.URL.Query().Get("formula")) 
+```
+
+**Correct (safe alternatives):**
+
+```go
+// Use switch/mapping for dynamic behavior
+var operations = map[string]func(int, int) int{
+    "add":      func(a, b int) int { return a + b },
+    "subtract": func(a, b int) int { return a - b },
+}
+
+opFunc, ok := operations[r.FormValue("op")]
+if !ok {
+    http.Error(w, "Invalid operation", 400)
+    return
+}
+result := opFunc(a, b)
+
+// Use safe parsers for math
+// import "github.com/Knetic/govaluate"
+expression, _ := govaluate.NewEvaluable("10 + x")
+parameters := make(map[string]interface{})
+parameters["x"] = 5
+result, _ := expression.Evaluate(parameters)
+```
+
+**Tools:** `gosec` (G204), Semgrep, Code Review

package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md

@@ -0,0 +1,49 @@
+---
+title: Escape Data By Output Context
+impact: MEDIUM
+impactDescription: ensures correct encoding for each output context
+tags: xss, escaping, context, encoding, security
+---
+
+## Escape Data By Output Context
+
+Different contexts require different escaping strategies. Using HTML encoding in a JavaScript context doesn't prevent XSS.
+
+**Incorrect (wrong encoding for context):**
+
+```go
+// Wrong: same escape for all contexts
+escaped := html.EscapeString(userInput)
+fmt.Fprintf(w, "<script>var x = '%s';</script>", escaped) // Still vulnerable!
+
+// Wrong: no header injection protection
+w.Header().Set("X-Custom", userInput) // Header injection!
+```
+
+**Correct (context-appropriate encoding):**
+
+```go
+import (
+    "encoding/json"
+    "html"
+    "net/url"
+    "strings"
+)
+
+// HTML content context
+fmt.Fprintf(w, "<p>%s</p>", html.EscapeString(userInput))
+
+// JavaScript context
+jsData, _ := json.Marshal(userInput)
+fmt.Fprintf(w, "<script>var x = %s;</script>", jsData)
+
+// URL parameter context
+urlParam := url.QueryEscape(userInput)
+http.Redirect(w, r, "/search?q="+urlParam, 302)
+
+// HTTP header context - strip CRLF
+safeHeader := strings.NewReplacer("\r", "", "\n", "").Replace(userInput)
+w.Header().Set("X-Custom", safeHeader)
+```
+
+**Tools:** `html/template` (handles context automatically), `gosec`

package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md

@@ -0,0 +1,51 @@
+---
+title: Output Encoding For Dynamic JS/JSON
+impact: HIGH
+impactDescription: prevents injection in JavaScript contexts
+tags: xss, javascript, json, encoding, security
+---
+
+## Output Encoding For Dynamic JS/JSON
+
+Embedding user data in JavaScript or JSON requires proper encoding to prevent code injection.
+
+**Incorrect (unescaped data in JS):**
+
+```go
+// XSS in inline script
+func ProfileHandler(w http.ResponseWriter, r *http.Request) {
+    username := r.Context().Value("username").(string) // "</script><script>alert('xss')"
+    fmt.Fprintf(w, "<script>var user = '%s';</script>", username)
+}
+```
+
+**Correct (proper JSON encoding):**
+
+```go
+func ProfileHandler(w http.ResponseWriter, r *http.Request) {
+    user := struct {
+        Name string `json:"name"`
+    }{
+        Name: "User Name",
+    }
+    
+    // json.Marshal properly escapes special characters
+    safeData, _ := json.Marshal(user)
+    
+    fmt.Fprintf(w, `
+        <script>
+            var user = %s;
+        </script>
+    `, safeData)
+}
+
+// Using html/template (SAFE)
+tmpl := template.Must(template.New("profile").Parse(`
+    <script>
+        var user = {{.}};
+    </script>
+`))
+tmpl.Execute(w, user) // Automically encodes as JSON for JS context
+```
+
+**Tools:** `html/template`, `json.Marshal`

package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md

@@ -0,0 +1,57 @@
+---
+title: Always Validate Client Data Server-side
+impact: MEDIUM
+impactDescription: ensures input validation cannot be bypassed
+tags: validation, server-side, input, sanitization, security
+---
+
+## Always Validate Client Data Server-side
+
+Client-side validation is for UX only - it can be bypassed easily. All input must be validated server-side.
+
+**Incorrect (trusting client validation):**
+
+```go
+// No server validation - trusting frontend
+func TransferHandler(w http.ResponseWriter, r *http.Request) {
+    amount, _ := strconv.Atoi(r.FormValue("amount"))
+    toAccount := r.FormValue("toAccount")
+    transferMoney(r.Context().Value("userId").(string), toAccount, amount)
+}
+```
+
+**Correct (comprehensive server validation):**
+
+```go
+import "github.com/go-playground/validator/v10"
+
+type TransferRequest struct {
+    Amount    int    `validate:"required,gt=0,lte=10000"`
+    ToAccount string `validate:"required,printascii,len=20"`
+}
+
+func TransferHandler(w http.ResponseWriter, r *http.Request) {
+    var req TransferRequest
+    // Parse and validate
+    if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+        http.Error(w, "Invalid request", 400)
+        return
+    }
+    
+    validate := validator.New()
+    if err := validate.Struct(req); err != nil {
+        http.Error(w, err.Error(), 400)
+        return
+    }
+    
+    // Additional business validation
+    if !accountExists(req.ToAccount) {
+        http.Error(w, "Account not found", 404)
+        return
+    }
+    
+    transferMoney(r.Context().Value("userId").(string), req.ToAccount, req.Amount)
+}
+```
+
+**Tools:** `go-playground/validator`, `ozzo-validation`, `asaskevich/govalidator`

package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md

@@ -0,0 +1,46 @@
+---
+title: TLS Encryption For All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from interception
+tags: tls, encryption, https, transport, security
+---
+
+## TLS Encryption For All Connections
+
+All network communications must use TLS to prevent eavesdropping and man-in-the-middle attacks.
+
+**Incorrect (unencrypted connections):**
+
+```go
+// HTTP instead of HTTPS
+http.Get("http://api.example.com/data")
+
+// Unencrypted database connection
+sql.Open("postgres", "host=db.example.com sslmode=disable")
+```
+
+**Correct (TLS everywhere):**
+
+```go
+// HTTPS for all external calls
+http.Get("https://api.example.com/data")
+
+// TLS for database
+sql.Open("postgres", "host=db.example.com sslmode=verify-full")
+
+// HSTS header in Go
+func hstsMiddleware(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
+        next.ServeHTTP(w, r)
+    })
+}
+```
+
+**Requirements:**
+- All HTTP endpoints must redirect to HTTPS
+- Database connections must use TLS (verify-full)
+- Internal service-to-service calls (gRPC/HTTP) must use TLS
+- HSTS headers should be enabled
+
+**Tools:** `crypto/tls`, SSLyze, Qualys SSL Labs

package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md

@@ -0,0 +1,52 @@
+---
+title: Validate mTLS Certificates Before Auth
+impact: CRITICAL
+impactDescription: ensures mutual authentication between services
+tags: mtls, certificates, authentication, service-mesh, security
+---
+
+## Validate mTLS Certificates Before Auth
+
+Mutual TLS ensures both parties are authenticated. Always validate client certificates before processing requests.
+
+**Incorrect (skipping certificate validation):**
+
+```go
+// Accepting any client certificate
+server := &http.Server{
+    TLSConfig: &tls.Config{
+        ClientAuth: tls.RequestClientCert, // Does NOT reject invalid certs
+    },
+}
+```
+
+**Correct (proper mTLS validation):**
+
+```go
+// Load CA cert
+caCert, _ := os.ReadFile("ca.crt")
+caCertPool := x509.NewCertPool()
+caCertPool.AppendCertsFromPEM(caCert)
+
+tlsConfig := &tls.Config{
+    ClientCAs:  caCertPool,
+    ClientAuth: tls.RequireAndVerifyClientCert, // Require AND Verify
+}
+
+server := &http.Server{
+    TLSConfig: tlsConfig,
+}
+
+// Additional validation in handler
+func handler(w http.ResponseWriter, r *http.Request) {
+    if len(r.TLS.PeerCertificates) > 0 {
+        cert := r.TLS.PeerCertificates[0]
+        if cert.Subject.CommonName != "trusted-service" {
+            http.Error(w, "Forbidden", 403)
+            return
+        }
+    }
+}
+```
+
+**Tools:** `crypto/tls`, `crypto/x509`, Service Mesh (Istio, Linkerd)