npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/dart/D024_avoid_unnecessary_stateful_widget.dart ADDED Viewed

@@ -0,0 +1,194 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// D024: Avoid Unnecessary StatefulWidget
+/// Detects StatefulWidget classes that don't use any state and could be StatelessWidget
+///
+/// A StatefulWidget is considered unnecessary if its State class:
+/// - Has no mutable fields (all fields are final/const)
+/// - Never calls setState()
+/// - Uses no lifecycle methods (initState, dispose, didUpdateWidget, etc.)
+/// - Uses no mixins (AutomaticKeepAliveClientMixin, TickerProviderStateMixin, etc.)
+class D024AvoidUnnecessaryStatefulWidgetAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'D024';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _D024Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _D024Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final D024AvoidUnnecessaryStatefulWidgetAnalyzer analyzer;
+  // Track StatefulWidget classes and their State classes
+  final Map<String, ClassDeclaration> _statefulWidgets = {};
+  final Map<String, _StateClassInfo> _stateClasses = {};
+  _D024Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitCompilationUnit(CompilationUnit node) {
+    // First pass: collect all StatefulWidget and State classes
+    for (final declaration in node.declarations) {
+      if (declaration is ClassDeclaration) {
+        _analyzeClassDeclaration(declaration);
+      }
+    }
+    // Second pass: check for unnecessary StatefulWidgets
+    _checkUnnecessaryStatefulWidgets();
+    super.visitCompilationUnit(node);
+  }
+  void _analyzeClassDeclaration(ClassDeclaration node) {
+    final extendsClause = node.extendsClause;
+    if (extendsClause == null) return;
+    final superclass = extendsClause.superclass.name2.lexeme;
+    final className = node.name.lexeme;
+    if (superclass == 'StatefulWidget') {
+      _statefulWidgets[className] = node;
+    } else if (superclass == 'State') {
+      // Analyze the State class
+      final stateInfo = _StateClassInfo(
+        className: className,
+        node: node,
+      );
+      // Check if State class uses mixins (e.g., AutomaticKeepAliveClientMixin, TickerProviderStateMixin)
+      // Mixins often provide state management capabilities and require StatefulWidget
+      if (node.withClause != null && node.withClause!.mixinTypes.isNotEmpty) {
+        stateInfo.hasMixins = true;
+      }
+      // Check for mutable fields
+      for (final member in node.members) {
+        if (member is FieldDeclaration) {
+          // Check if field is final or const (applies to all variables in this declaration)
+          if (!member.fields.isFinal && !member.fields.isConst) {
+            stateInfo.hasMutableFields = true;
+            break;
+          }
+        }
+      }
+      // Check for setState calls
+      final visitor = _SetStateDetector();
+      node.accept(visitor);
+      stateInfo.hasSetStateCalls = visitor.hasSetState;
+      // Check for lifecycle methods that typically use state
+      for (final member in node.members) {
+        if (member is MethodDeclaration) {
+          final methodName = member.name.lexeme;
+          if (_isStateLifecycleMethod(methodName) &&
+              methodName != 'build' &&
+              methodName != 'createState') {
+            stateInfo.hasLifecycleMethods = true;
+            break;
+          }
+        }
+      }
+      _stateClasses[className] = stateInfo;
+    }
+  }
+  bool _isStateLifecycleMethod(String methodName) {
+    return const [
+      'initState',
+      'dispose',
+      'didUpdateWidget',
+      'didChangeDependencies',
+      'deactivate',
+      'reassemble',
+    ].contains(methodName);
+  }
+  void _checkUnnecessaryStatefulWidgets() {
+    for (final entry in _statefulWidgets.entries) {
+      final widgetName = entry.key;
+      final widgetNode = entry.value;
+      // Find corresponding State class (typically _WidgetNameState)
+      final expectedStateName = '_${widgetName}State';
+      final stateInfo = _stateClasses[expectedStateName];
+      if (stateInfo != null) {
+        // Check if the State class actually uses state
+        // State usage includes: mutable fields, setState calls, lifecycle methods, or mixins
+        if (!stateInfo.hasMutableFields &&
+            !stateInfo.hasSetStateCalls &&
+            !stateInfo.hasLifecycleMethods &&
+            !stateInfo.hasMixins) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, widgetNode.name.offset),
+            column: analyzer.getColumn(lineInfo, widgetNode.name.offset),
+            message:
+                'StatefulWidget "$widgetName" does not use any state. Consider converting to StatelessWidget for better performance.',
+          ));
+        }
+      }
+    }
+  }
+}
+class _StateClassInfo {
+  final String className;
+  final ClassDeclaration node;
+  bool hasMutableFields = false;
+  bool hasSetStateCalls = false;
+  bool hasLifecycleMethods = false;
+  bool hasMixins = false;
+  _StateClassInfo({
+    required this.className,
+    required this.node,
+  });
+}
+class _SetStateDetector extends RecursiveAstVisitor<void> {
+  bool hasSetState = false;
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    if (node.methodName.name == 'setState') {
+      hasSetState = true;
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/dart/D025_avoid_nested_conditional_expressions.dart ADDED Viewed

@@ -0,0 +1,90 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// D025: Avoid Nested Conditional Expressions
+/// Detects nested conditional expressions (ternary operators) which reduce readability
+class D025AvoidNestedConditionalExpressionsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'D025';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _D025Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _D025Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final D025AvoidNestedConditionalExpressionsAnalyzer analyzer;
+  _D025Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitConditionalExpression(ConditionalExpression node) {
+    // Check if the then or else expression contains another conditional expression
+    final hasNestedInThen = _containsConditionalExpression(node.thenExpression);
+    final hasNestedInElse = _containsConditionalExpression(node.elseExpression);
+    if (hasNestedInThen || hasNestedInElse) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.question.offset),
+        column: analyzer.getColumn(lineInfo, node.question.offset),
+        message:
+            'Avoid nested conditional expressions. Consider using if-else statements or extracting to a function for better readability.',
+      ));
+    }
+    super.visitConditionalExpression(node);
+  }
+  bool _containsConditionalExpression(Expression expression) {
+    // Direct check if the expression itself is a conditional expression
+    if (expression is ConditionalExpression) {
+      return true;
+    }
+    // Check if expression contains conditional expressions
+    final detector = _ConditionalExpressionDetector();
+    expression.accept(detector);
+    return detector.hasConditionalExpression;
+  }
+}
+class _ConditionalExpressionDetector extends RecursiveAstVisitor<void> {
+  bool hasConditionalExpression = false;
+  @override
+  void visitConditionalExpression(ConditionalExpression node) {
+    hasConditionalExpression = true;
+    // Don't call super to stop traversal once we find one
+  }
+}

package/dart_analyzer/lib/rules/security/S001_backend_auth_communications.dart ADDED Viewed

@@ -0,0 +1,155 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S001: Authenticate backend component communications securely
+/// Detect static credentials, long-lived tokens, or shared accounts in service-to-service calls
+class S001BackendAuthCommunicationsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S001';
+  // Static/hardcoded credential patterns
+  static const _staticCredentialPatterns = [
+    'apikey', 'api_key', 'api-key',
+    'secretkey', 'secret_key', 'secret-key',
+    'password', 'passwd',
+    'authtoken', 'auth_token', 'auth-token',
+    'accesskey', 'access_key', 'access-key',
+  ];
+  // Service-to-service communication patterns
+  static const _serviceCallPatterns = [
+    'http.', 'dio.', 'client.',
+    '.get(', '.post(', '.put(', '.delete(',
+    'grpc', 'rabbitmq', 'kafka', 'redis',
+  ];
+  // Secure patterns (short-lived tokens, mTLS)
+  static const _securePatterns = [
+    'jwt', 'oauth', 'bearer',
+    'mtls', 'certificate', 'x509',
+    'shortlived', 'short_lived', 'expir',
+    'refresh', 'rotate',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S001Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S001Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S001BackendAuthCommunicationsAnalyzer analyzer;
+  _S001Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    if (initializer != null) {
+      final initSource = initializer.toSource();
+      // Check for hardcoded static credentials in service context
+      bool isCredentialVar = S001BackendAuthCommunicationsAnalyzer
+          ._staticCredentialPatterns
+          .any((p) => varName.contains(p));
+      // Check if it's a hardcoded string (not from env or config)
+      bool isHardcoded = initializer is StringLiteral &&
+          !initSource.toLowerCase().contains('env') &&
+          !initSource.toLowerCase().contains('config') &&
+          !initSource.toLowerCase().contains('secret');
+      if (isCredentialVar && isHardcoded) {
+        // Check if using secure patterns
+        bool isSecure = S001BackendAuthCommunicationsAnalyzer._securePatterns
+            .any((p) => initSource.toLowerCase().contains(p));
+        if (!isSecure) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Static credentials detected - use short-lived tokens or mTLS for backend communications',
+          ));
+        }
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    // Check for service-to-service calls with static credentials
+    bool isServiceCall = S001BackendAuthCommunicationsAnalyzer
+        ._serviceCallPatterns
+        .any((p) => source.contains(p));
+    if (isServiceCall) {
+      // Check for hardcoded credentials in headers
+      bool hasStaticCredential = S001BackendAuthCommunicationsAnalyzer
+          ._staticCredentialPatterns
+          .any((p) => source.contains(p));
+      // Check for secure patterns
+      bool isSecure = S001BackendAuthCommunicationsAnalyzer._securePatterns
+          .any((p) => source.contains(p));
+      // Check for hardcoded string literals in authorization headers
+      if (hasStaticCredential && !isSecure) {
+        for (final arg in node.argumentList.arguments) {
+          final argSource = arg.toSource().toLowerCase();
+          if (argSource.contains('authorization') ||
+              argSource.contains('x-api-key')) {
+            if (arg.toSource().contains('"') || arg.toSource().contains("'")) {
+              // Check if the value is hardcoded (contains literal string)
+              if (!argSource.contains('env') && !argSource.contains('config')) {
+                violations.add(analyzer.createViolation(
+                  filePath: filePath,
+                  line: analyzer.getLine(lineInfo, node.offset),
+                  column: analyzer.getColumn(lineInfo, node.offset),
+                  message:
+                      'Hardcoded credentials in service call - use environment variables or secrets manager',
+                ));
+                break;
+              }
+            }
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S002_os_command_injection.dart ADDED Viewed

@@ -0,0 +1,159 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S002: Protect against OS command injection
+/// Detect dangerous shell execution patterns with user input
+class S002OsCommandInjectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S002';
+  // Dangerous shell execution methods
+  static const _shellExecutionMethods = [
+    'Process.run',
+    'Process.runSync',
+    'Process.start',
+    'shell',
+    'exec',
+    'system',
+  ];
+  // Dangerous patterns indicating shell mode
+  static const _shellModePatterns = [
+    'runInShell: true',
+    'shell: true',
+    'runInShell:true',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S002Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S002Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S002OsCommandInjectionAnalyzer analyzer;
+  _S002Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource();
+    final sourceLower = source.toLowerCase();
+    final methodName = node.methodName.name;
+    // Check for Process.run, Process.runSync, Process.start
+    bool isProcessCall = methodName == 'run' ||
+        methodName == 'runSync' ||
+        methodName == 'start';
+    if (isProcessCall) {
+      final target = node.target?.toSource() ?? '';
+      if (target == 'Process' || target.contains('Process')) {
+        // Check for runInShell: true (dangerous)
+        bool hasShellMode = S002OsCommandInjectionAnalyzer._shellModePatterns
+            .any((p) => source.contains(p));
+        if (hasShellMode) {
+          // Check if command contains string interpolation or concatenation
+          bool hasUserInput = _containsUserInput(node);
+          if (hasUserInput) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message:
+                  'OS command injection risk - avoid runInShell:true with user input. Use argument list instead',
+            ));
+          }
+        }
+        // Check for string concatenation in command
+        final firstArg = node.argumentList.arguments.isNotEmpty
+            ? node.argumentList.arguments.first
+            : null;
+        if (firstArg != null) {
+          if (_isStringConcatenation(firstArg) ||
+              _containsInterpolation(firstArg)) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message:
+                  'OS command injection risk - do not concatenate user input into commands. Use parameterized arguments',
+            ));
+          }
+        }
+      }
+    }
+    // Check for shell-like execution patterns
+    if (sourceLower.contains('exec(') || sourceLower.contains('system(')) {
+      if (_containsUserInput(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Potential OS command injection - sanitize input before shell execution',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  bool _containsUserInput(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    // Common patterns indicating user input
+    return source.contains('request.') ||
+        source.contains('params.') ||
+        source.contains('query.') ||
+        source.contains('body.') ||
+        source.contains('input') ||
+        source.contains('userdata') ||
+        source.contains('user_input');
+  }
+  bool _isStringConcatenation(Expression expr) {
+    if (expr is BinaryExpression) {
+      return expr.operator.lexeme == '+';
+    }
+    return false;
+  }
+  bool _containsInterpolation(Expression expr) {
+    if (expr is StringInterpolation) {
+      return true;
+    }
+    final source = expr.toSource();
+    return source.contains(r'$');
+  }
+}