@sun-asterisk/sunlint 1.3.40 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md

@@ -0,0 +1,53 @@
+---
+title: Re-authenticate Before Critical Changes
+impact: MEDIUM
+impactDescription: prevents unauthorized critical operations
+tags: authentication, critical, reauthentication, security
+---
+
+## Re-authenticate Before Critical Changes
+
+Critical actions like password change, email change, or account deletion require fresh authentication.
+
+**Incorrect (no re-authentication):**
+
+```go
+// Dangerous - no password confirmation
+func DeleteAccountHandler(w http.ResponseWriter, r *http.Request) {
+    userID := r.Context().Value("userID").(string)
+    deleteAccount(userID)
+    w.Write([]byte(`{"success": true}`))
+}
+```
+
+**Correct (require password confirmation):**
+
+```go
+func DeleteAccountHandler(w http.ResponseWriter, r *http.Request) {
+    userID := r.Context().Value("userID").(string)
+    currentPassword := r.FormValue("password")
+    
+    // 1. Verify current password
+    if !verifyPassword(userID, currentPassword) {
+        http.Error(w, "Invalid password", 401)
+        return
+    }
+    
+    // 2. Perform critical action
+    deleteAccount(userID)
+    
+    // 3. Log the security event
+    slog.Info("Account deleted", "user_id", userID)
+    
+    w.Write([]byte(`{"success": true}`))
+}
+```
+
+**Critical actions requiring re-auth:**
+- Password change
+- Email change
+- Phone number change
+- Account deletion
+- Major security settings changes
+
+**Tools:** Manual Review, Security Audit

package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md

@@ -0,0 +1,55 @@
+---
+title: Implement Brute-force Protection
+impact: MEDIUM
+impactDescription: prevents password guessing attacks
+tags: brute-force, rate-limiting, authentication, security
+---
+
+## Implement Brute-force Protection
+
+Without rate limiting, attackers can try millions of password combinations.
+
+**Incorrect (no protection):**
+
+```go
+func LoginHandler(w http.ResponseWriter, r *http.Request) {
+    user, err := authenticate(r.FormValue("email"), r.FormValue("password"))
+    // No limit on attempts!
+    if err != nil {
+        http.Error(w, "Invalid credentials", 401)
+        return
+    }
+}
+```
+
+**Correct (rate limiting with middleware):**
+
+```go
+import "golang.org/x/time/rate"
+
+var loginLimiter = rate.NewLimiter(rate.Every(3*time.Minute), 5) // 5 attempts per window
+
+func LoginHandler(w http.ResponseWriter, r *http.Request) {
+    if !loginLimiter.Allow() {
+        http.Error(w, "Too many login attempts", 429)
+        return
+    }
+
+    user, err := authenticate(r.FormValue("email"), r.FormValue("password"))
+    // ...
+}
+
+// Better: persistent rate limiting via Redis
+func RateLimitMiddleware(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        key := "login_limit:" + r.RemoteAddr
+        if isRateLimited(key) {
+            http.Error(w, "Too many attempts", 429)
+            return
+        }
+        next.ServeHTTP(w, r)
+    })
+}
+```
+
+**Tools:** `golang.org/x/time/rate`, Redis, WAF

package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md

@@ -0,0 +1,51 @@
+---
+title: Protect OAuth Code Flow Vs CSRF
+impact: HIGH
+impactDescription: prevents OAuth authorization code theft
+tags: oauth, csrf, state, authorization, security
+---
+
+## Protect OAuth Code Flow Vs CSRF
+
+Without state parameter validation, attackers can use their own authorization codes to link their accounts to a victim's session.
+
+**Incorrect (no state parameter):**
+
+```go
+func OAuthInitHandler(w http.ResponseWriter, r *http.Request) {
+    url := fmt.Sprintf("https://accounts.google.com/o/oauth2/auth?client_id=%s&redirect_uri=%s&response_type=code", clientID, redirectURI)
+    // No state parameter!
+    http.Redirect(w, r, url, http.StatusFound)
+}
+```
+
+**Correct (state parameter validation):**
+
+```go
+func OAuthInitHandler(w http.ResponseWriter, r *http.Request) {
+    state := generateRandomState() // CSPRNG
+    
+    // Store in session (cookie or DB)
+    session := getSession(r)
+    session.Values["oauth_state"] = state
+    session.Save(r, w)
+    
+    url := googleConfig.AuthCodeURL(state)
+    http.Redirect(w, r, url, http.StatusFound)
+}
+
+func OAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
+    queryState := r.URL.Query().Get("state")
+    session := getSession(r)
+    
+    // Validate state
+    if queryState == "" || queryState != session.Values["oauth_state"] {
+        http.Error(w, "Invalid state", 403)
+        return
+    }
+    
+    // Exchange code for token
+}
+```
+
+**Tools:** `golang.org/x/oauth2`, Security Audit

package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md

@@ -0,0 +1,58 @@
+---
+title: Validate OAuth Redirect URIs Exactly
+impact: CRITICAL
+impactDescription: prevents OAuth redirect hijacking
+tags: oauth, redirect, uri, validation, security
+---
+
+## Validate OAuth Redirect URIs Exactly
+
+Loose redirect URI validation allows attackers to steal authorization codes by redirecting users to malicious sites.
+
+**Incorrect (partial/loose validation):**
+
+```go
+// Dangerous - substring match
+if strings.Contains(redirectURI, "example.com") {
+    // Allows attacker.com?example.com
+}
+
+// Dangerous - prefix match
+if strings.HasPrefix(redirectURI, "https://example.com") {
+    // Allows https://example.com.attacker.com
+}
+```
+
+**Correct (exact match against registered URIs):**
+
+```go
+var registeredRedirectURIs = []string{
+    "https://app.example.com/callback",
+}
+
+func isValidRedirect(uri string) bool {
+    // Exact match required
+    for _, r := range registeredRedirectURIs {
+        if r == uri {
+            return true
+        }
+    }
+    return false
+}
+
+func AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
+    redirectURI := r.URL.Query().Get("redirect_uri")
+    if !isValidRedirect(redirectURI) {
+        http.Error(w, "Invalid redirect URI", 400)
+        return
+    }
+    // ...
+}
+```
+
+**Requirements:**
+- Exact string match for redirect URIs.
+- No wildcards or pattern matching.
+- HTTPS required for production.
+
+**Tools:** OAuth Security Testing, `golang.org/x/oauth2`

package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md

@@ -0,0 +1,52 @@
+---
+title: Authentication Codes Must Expire Quickly
+impact: MEDIUM
+impactDescription: limits window for code interception attacks
+tags: authentication, codes, expiry, otp, security
+---
+
+## Authentication Codes Must Expire Quickly
+
+Long-lived codes give attackers more time to intercept and use them. Short expiry limits the attack window.
+
+**Incorrect (codes last too long):**
+
+```go
+// Code valid for 24 hours
+db.SaveToken(userID, token, time.Now().Add(24 * time.Hour))
+```
+
+**Correct (short expiry with proper handling):**
+
+```go
+const CodeExpiry = 5 * time.Minute
+
+func GenerateAuthCode(userID string) (string, error) {
+    code := generateOTP() // 6-digit CSPRNG
+    
+    // Store in Redis with TTL
+    err := redisClient.Set(ctx, "otp:"+userID, code, CodeExpiry).Err()
+    return code, err
+}
+
+func VerifyAuthCode(userID, inputCode string) (bool, error) {
+    storedCode, err := redisClient.Get(ctx, "otp:"+userID).Result()
+    if err == redis.Nil {
+        return false, nil // Expired or not found
+    }
+    
+    if storedCode == inputCode {
+        redisClient.Del(ctx, "otp:"+userID) // Single use!
+        return true, nil
+    }
+    
+    return false, nil
+}
+```
+
+**Recommended expiry times:**
+- 2FA/OTP: 5-10 minutes
+- Password reset: 15-60 minutes
+- Email verification: 24 hours
+
+**Tools:** Redis (TTL), Database (expiry column), Manual Review

package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md

@@ -0,0 +1,53 @@
+---
+title: Reference Tokens 128-bit Entropy CSPRNG
+impact: HIGH
+impactDescription: prevents token brute-forcing
+tags: tokens, entropy, csprng, session, security
+---
+
+## Reference Tokens 128-bit Entropy CSPRNG
+
+Low-entropy tokens can be brute-forced. 128 bits of entropy makes attacks computationally infeasible.
+
+**Incorrect (low entropy tokens):**
+
+```go
+// Low entropy
+token := fmt.Sprintf("%d", rand.Int63())
+
+// Predictable
+token := "session_" + strconv.Itoa(counter)
+```
+
+**Correct (high entropy tokens via crypto/rand):**
+
+```go
+import (
+    "crypto/rand"
+    "encoding/base64"
+)
+
+func GenerateToken(length int) string {
+    b := make([]byte, length)
+    if _, err := rand.Read(b); err != nil {
+        panic(err)
+    }
+    return base64.URLEncoding.EncodeToString(b)
+}
+
+// 128-bit minimum entropy (16 bytes)
+sessionToken := GenerateToken(16)
+
+// 256-bit recommended (32 bytes)
+refreshToken := GenerateToken(32)
+```
+
+**Entropy levels:**
+
+| Bytes | Bits | Security Level |
+|-------|------|----------------|
+| 8 | 64 | Weak |
+| 16 | 128 | Minimum |
+| 32 | 256 | Recommended |
+
+**Tools:** `crypto/rand`, Security Audit

package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md

@@ -0,0 +1,49 @@
+---
+title: Support 12-64 Character Passwords
+impact: MEDIUM
+impactDescription: enables secure passphrase usage
+tags: password, length, passphrase, security
+---
+
+## Support 12-64 Character Passwords
+
+Long passwords/passphrases are more secure than complex short ones. Don't impose restrictive limits that prevent users from using passphrases.
+
+**Incorrect (restrictive limits):**
+
+```go
+// Too restrictive max length
+if len(password) < 8 || len(password) > 16 {
+    return errors.New("password must be 8-16 characters")
+}
+```
+
+**Correct (reasonable limits):**
+
+```go
+func ValidatePassword(password string) error {
+    length := utf8.RuneCountInString(password)
+    
+    if length < 12 {
+        return errors.New("password too short (min 12)")
+    }
+    
+    if length > 64 {
+        return errors.New("password too long (max 64)")
+    }
+    
+    // For long passwords (e.g., 20+), complexity rules can be relaxed
+    if length < 20 {
+        // check for symbols, numbers, etc.
+    }
+    
+    return nil
+}
+```
+
+**NIST Guidelines:**
+- Minimum 8-12+ characters.
+- Maximum 64+ characters.
+- Allow space and all printable Unicode characters.
+
+**Tools:** Password Policy logic, Manual Review

package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md

@@ -0,0 +1,48 @@
+---
+title: OTPs Must Have 20-bit Entropy Minimum
+impact: MEDIUM
+impactDescription: prevents OTP brute-forcing
+tags: otp, entropy, authentication, 2fa, security
+---
+
+## OTPs Must Have 20-bit Entropy Minimum
+
+Low-entropy OTPs (like 4 digits) can be brute-forced easily. 20 bits of entropy requires at least 6 decimal digits.
+
+**Incorrect (low entropy OTPs):**
+
+```go
+// 4 digits = ~13 bits entropy
+otp := fmt.Sprintf("%04d", rand.Intn(10000))
+```
+
+**Correct (high entropy OTPs via crypto/rand):**
+
+```go
+import (
+    "crypto/rand"
+    "math/big"
+)
+
+// 6-digit numeric OTP (≈20 bits entropy)
+func GenerateOTP() string {
+    max := big.NewInt(1000000)
+    n, _ := rand.Int(rand.Reader, max)
+    return fmt.Sprintf("%06d", n)
+}
+
+// 8-digit for higher security (≈26 bits)
+func GenerateStrongOTP() string {
+    max := big.NewInt(100000000)
+    n, _ := rand.Int(rand.Reader, max)
+    return fmt.Sprintf("%08d", n)
+}
+```
+
+**OTP requirements:**
+- Must use `crypto/rand` (CSPRNG).
+- Minimum 6 digits (20 bits).
+- Short expiration (5-10 minutes).
+- Rate limit verification attempts.
+
+**Tools:** Manual Review, Unit Test

package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md

@@ -0,0 +1,51 @@
+---
+title: Return Generic Error Messages
+impact: HIGH
+impactDescription: prevents information disclosure
+tags: error-messages, information-disclosure, security
+---
+
+## Return Generic Error Messages
+
+Detailed error messages can help attackers understand your system's internals. Return generic messages to end-users.
+
+**Incorrect (detailed errors to user):**
+
+```go
+func Handler(w http.ResponseWriter, r *http.Request) {
+    err := db.QueryRow("...").Scan(&id)
+    if err != nil {
+        // Exposes database details!
+        http.Error(w, err.Error(), 500)
+        return
+    }
+}
+
+// User enumeration
+if userNotFound {
+    http.Error(w, "User john@example.com dose not exist", 404)
+}
+```
+
+**Correct (generic errors with internal logging):**
+
+```go
+func Handler(w http.ResponseWriter, r *http.Request) {
+    err := db.QueryRow("...").Scan(&id)
+    if err != nil {
+        // Log internally
+        slog.Error("query failed", "error", err, "request_id", r.Header.Get("X-Request-Id"))
+        
+        // Return generic message
+        http.Error(w, "An internal error occurred", 500)
+        return
+    }
+}
+
+// Same message for "user not found" and "wrong password"
+if !userExists || !passwordMatches {
+    http.Error(w, "Invalid credentials", 401)
+}
+```
+
+**Tools:** Global Error Middleware, `slog`

package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md

@@ -0,0 +1,43 @@
+---
+title: Avoid Default Admin/Root Accounts
+impact: HIGH
+impactDescription: prevents easy initial access by attackers
+tags: admin, default-accounts, credentials, security
+---
+
+## Avoid Default Admin/Root Accounts
+
+Default accounts with known credentials (e.g., admin/admin) are the first thing attackers check.
+
+**Incorrect (default admin in seed):**
+
+```go
+// Seed script
+db.Exec("INSERT INTO users (email, password, role) VALUES ('admin@example.com', 'admin123', 'admin')")
+```
+
+**Correct (secure initial setup):**
+
+```go
+// 1. Setup wizard on first run
+func SetupHandler(w http.ResponseWriter, r *http.Request) {
+    if adminExists() {
+        http.Error(w, "Setup already done", 403)
+        return
+    }
+    // Form to create first admin...
+}
+
+// 2. Or use environment variables for bootstrap
+func BootstrapAdmin() {
+    email := os.Getenv("INITIAL_ADMIN_EMAIL")
+    pass := os.Getenv("INITIAL_ADMIN_PASSWORD")
+    
+    if pass == "" || len(pass) < 16 {
+        log.Fatal("Secure INITIAL_ADMIN_PASSWORD required")
+    }
+    createAdmin(email, pass)
+}
+```
+
+**Tools:** Security Audit, Configuration Review

package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md

@@ -0,0 +1,52 @@
+---
+title: Validate Content-Type In REST Services
+impact: MEDIUM
+impactDescription: prevents content-type confusion attacks
+tags: rest, content-type, validation, api, security
+---
+
+## Validate Content-Type In REST Services
+
+Accepting unexpected content types can lead to parsing vulnerabilities or bypass security controls.
+
+**Incorrect (accepting any content):**
+
+```go
+func Handler(w http.ResponseWriter, r *http.Request) {
+    // No check on Content-Type header
+    var data map[string]interface{}
+    json.NewDecoder(r.Body).Decode(&data)
+}
+```
+
+**Correct (strict content-type validation):**
+
+```go
+func validateContentType(allowed ...string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            ct := r.Header.Get("Content-Type")
+            
+            isValid := false
+            for _, a := range allowed {
+                if strings.Contains(strings.ToLower(ct), strings.ToLower(a)) {
+                    isValid = true
+                    break
+                }
+            }
+            
+            if !isValid {
+                http.Error(w, "Unsupported Media Type", http.StatusUnsupportedMediaType)
+                return
+            }
+            
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+
+// Router usage
+mux.Handle("/api/data", validateContentType("application/json")(http.HandlerFunc(Handler)))
+```
+
+**Tools:** API Gateway, Middleware, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md

@@ -0,0 +1,40 @@
+---
+title: Protect Against Log Injection
+impact: HIGH
+impactDescription: prevents log forging and exploitation
+tags: logging, injection, sanitization, security
+---
+
+## Protect Against Log Injection
+
+Log injection allows attackers to forge log entries, hide their tracks, or inject malicious control characters.
+
+**Incorrect (unsanitized logging):**
+
+```go
+func Handler(w http.ResponseWriter, r *http.Request) {
+    user := r.FormValue("user")
+    slog.Info("User logged in: " + user)
+    // Attacker: "admin\n[ERROR] Payment failed for user: victim"
+}
+```
+
+**Correct (sanitized structured logging):**
+
+```go
+// 1. Use structured logging (automatically handles quotes/escaping in key-value pairs)
+slog.Info("User logged in", "username", sanitizeForLog(user))
+
+// 2. Sanitize input
+func sanitizeForLog(input string) string {
+    // Replace CRLF/tabs with space
+    replacer := strings.NewReplacer("\r", " ", "\n", " ", "\t", " ")
+    return replacer.Replace(input)
+}
+
+// 3. Recommended: Use JSON logger in production
+logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
+logger.Info("User logged in", "username", user)
+```
+
+**Tools:** `log/slog`, `zap`, `gosec`

package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md

@@ -0,0 +1,40 @@
+---
+title: Use Synchronized Time (UTC) In Logs
+impact: MEDIUM
+impactDescription: enables accurate incident correlation
+tags: logging, time, utc, synchronization, security
+---
+
+## Use Synchronized Time (UTC) In Logs
+
+Inconsistent timestamps across servers/services make incident investigation difficult. Use UTC and ISO 8601 format.
+
+**Incorrect (local time/custom formats):**
+
+```go
+// Local time - depends on server TZ
+log.Printf("Event time: %v", time.Now())
+
+// Different formats
+fmt.Println(time.Now().Unix())
+fmt.Println(time.Now().Format("2006-01-02"))
+```
+
+**Correct (UTC, ISO 8601):**
+
+```go
+// Use .UTC() and .Format(time.RFC3339)
+slog.Info("User action", 
+    "timestamp", time.Now().UTC().Format(time.RFC3339Nano), 
+    "action", "login",
+)
+
+// Output: {"timestamp":"2024-01-15T10:30:00.123456Z", "level":"INFO", "message":"User action", "action":"login"}
+```
+
+**Requirements:**
+- Use UTC timezone externally.
+- Use ISO 8601 (RFC 3339) with nanosecond/millisecond precision.
+- Ensure servers are NTP-synchronized.
+
+**Tools:** `time` (Standard Library), `slog`, NTP