@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S003_open_redirect_protection.dart

@@ -0,0 +1,208 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S003: Open Redirect Protection
+/// Prevents open redirect vulnerabilities by detecting:
+/// - URL redirects using user input without validation
+/// - External URL launching with user input
+/// Note: Internal Flutter app navigation is NOT flagged (not a security issue)
+class S003OpenRedirectProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S003';
+
+  /// External redirect methods that could be vulnerable
+  /// Note: Internal Flutter navigation (push, go, navigate, replace) are NOT included
+  /// because they use typed routes, not external URLs
+  static final Set<String> _externalRedirectMethods = {
+    // Web/HTTP redirects (server-side)
+    'redirect',
+    'redirectTo',
+    'sendRedirect',
+    'temporaryRedirect',
+    'permanentRedirect',
+    'movedPermanently',
+    'movedTemporarily',
+    // URL launchers (opens external browser/apps)
+    'launchUrl',
+    'launch',
+    'launchUrlString',
+    'openUrl',
+    'canLaunchUrl',
+    // Web location changes (NOT Flutter router.replace which uses typed routes)
+    'assign',
+    // 'replace' - REMOVED: conflicts with Flutter router.replace()
+    // window.location.replace is detected by checking target is 'location'
+  };
+
+  /// User input sources that could contain malicious URLs
+  static final Set<String> _externalUserInputPatterns = {
+    'request',
+    'queryParameters',
+    'queryParams',
+    'formData',
+    'body',
+    'returnUrl',
+    'returnTo',
+    'redirectUrl',
+    'nextUrl',
+    'callbackUrl',
+    'targetUrl',
+    'destination',
+    'goto',
+  };
+
+  /// Validation/allowlist methods
+  static final Set<String> _validationMethods = {
+    'isAllowed',
+    'isValid',
+    'isValidUrl',
+    'isSafeUrl',
+    'isTrusted',
+    'isWhitelisted',
+    'isAllowlisted',
+    'validateUrl',
+    'checkUrl',
+    'verifyUrl',
+    'sanitizeUrl',
+    'startsWith',
+    'contains',
+  };
+
+  /// Files to skip (Flutter UI, generated code)
+  static const _skipFilePatterns = [
+    '_screen', 'screen.dart', '_page', 'page.dart',
+    '_widget', 'widget.dart', '_view', 'view.dart',
+    '.gr.dart', '.g.dart', 'router', 'route',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Skip Flutter UI files - internal navigation is not a security issue
+    final fileName = filePath.toLowerCase();
+    if (_skipFilePatterns.any((p) => fileName.contains(p))) {
+      return [];
+    }
+
+    final violations = <Violation>[];
+
+    final visitor = _OpenRedirectVisitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+
+    unit.accept(visitor);
+
+    return violations;
+  }
+
+  /// Check if method launches external URLs (not internal navigation)
+  static bool isExternalRedirectMethod(String name) {
+    return _externalRedirectMethods.contains(name) ||
+        name.toLowerCase() == 'launchurl' ||
+        name.toLowerCase() == 'openurl';
+  }
+
+  /// Check if expression contains external user input
+  static bool containsExternalUserInput(String source) {
+    final lowerSource = source.toLowerCase();
+    return _externalUserInputPatterns.any((pattern) => lowerSource.contains(pattern));
+  }
+
+  /// Check if validation is present
+  static bool hasValidation(String source) {
+    final lowerSource = source.toLowerCase();
+    return _validationMethods.any((method) => lowerSource.contains(method));
+  }
+}
+
+class _OpenRedirectVisitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S003OpenRedirectProtectionAnalyzer analyzer;
+
+  _OpenRedirectVisitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name;
+
+    // Only check external redirect methods (launchUrl, etc.)
+    if (S003OpenRedirectProtectionAnalyzer.isExternalRedirectMethod(methodName)) {
+      _checkExternalRedirect(node);
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  void _checkExternalRedirect(MethodInvocation node) {
+    for (final arg in node.argumentList.arguments) {
+      final argSource = arg.toSource();
+
+      // Skip string literals - hardcoded URLs are safe
+      if (arg is SimpleStringLiteral || arg is AdjacentStrings) {
+        continue;
+      }
+
+      // Skip const values
+      if (argSource.contains('Constants.') || argSource.contains('const ')) {
+        continue;
+      }
+
+      // Check if argument contains external user input
+      if (S003OpenRedirectProtectionAnalyzer.containsExternalUserInput(argSource)) {
+        // Check if validation is present
+        if (!S003OpenRedirectProtectionAnalyzer.hasValidation(argSource)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Open redirect risk - validate URL before launching: ${_truncate(argSource, 40)}',
+            severity: 'error',
+          ));
+        }
+      }
+
+      // Check for dynamic URL with interpolation going to external launch
+      if (arg is StringInterpolation) {
+        // Check if it's launching an external URL with user input
+        final interpolatedVars = arg.elements
+            .whereType<InterpolationExpression>()
+            .map((e) => e.toSource())
+            .join(' ');
+
+        if (S003OpenRedirectProtectionAnalyzer.containsExternalUserInput(interpolatedVars)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Dynamic URL construction with user input - validate against allowlist',
+            severity: 'warning',
+          ));
+        }
+      }
+    }
+  }
+
+  String _truncate(String s, int maxLen) {
+    if (s.length <= maxLen) return s;
+    return '${s.substring(0, maxLen)}...';
+  }
+}

package/dart_analyzer/lib/rules/security/S004_sensitive_data_logging.dart

@@ -0,0 +1,391 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S004: Sensitive Data Logging Protection
+/// Prevents logging of sensitive information:
+/// - Passwords, tokens, API keys
+/// - Credit card numbers, SSN
+/// - Personal identifiable information (PII)
+/// - Authentication credentials
+class S004SensitiveDataLoggingAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S004';
+
+  /// Patterns for sensitive variable/field names
+  /// NOTE: Use word boundaries (\b) to avoid matching substrings like "passwordLength"
+  static final List<RegExp> sensitivePatterns = [
+    // Credentials - match actual password variables, not validation labels
+    RegExp(r'^_?password$', caseSensitive: false),  // _password, password
+    RegExp(r'^_?newPassword$', caseSensitive: false),  // _newPassword
+    RegExp(r'^_?currentPassword$', caseSensitive: false),
+    RegExp(r'^_?oldPassword$', caseSensitive: false),
+    RegExp(r'passwd', caseSensitive: false),
+    RegExp(r'^pwd$', caseSensitive: false),
+    RegExp(r'^_?secret$', caseSensitive: false),
+    RegExp(r'^_?credential', caseSensitive: false),
+    // Tokens - actual token values
+    RegExp(r'^_?userToken$', caseSensitive: false),
+    RegExp(r'^_?accessToken$', caseSensitive: false),
+    RegExp(r'^_?refreshToken$', caseSensitive: false),
+    RegExp(r'^_?authToken$', caseSensitive: false),
+    RegExp(r'^_?idToken$', caseSensitive: false),
+    RegExp(r'^_?saveToken$', caseSensitive: false),
+    RegExp(r'api[_-]?key', caseSensitive: false),
+    RegExp(r'apikey', caseSensitive: false),
+    RegExp(r'auth[_-]?key', caseSensitive: false),
+    RegExp(r'^bearer', caseSensitive: false),
+    RegExp(r'^jwt$', caseSensitive: false),
+    // Keys
+    RegExp(r'private[_-]?key', caseSensitive: false),
+    RegExp(r'encryption[_-]?key', caseSensitive: false),
+    RegExp(r'ssh[_-]?key', caseSensitive: false),
+    RegExp(r'signing[_-]?key', caseSensitive: false),
+    // Financial
+    RegExp(r'credit[_-]?card', caseSensitive: false),
+    RegExp(r'card[_-]?number', caseSensitive: false),
+    RegExp(r'^cvv$', caseSensitive: false),
+    RegExp(r'^cvc$', caseSensitive: false),
+    RegExp(r'bank[_-]?account', caseSensitive: false),
+    // PII
+    RegExp(r'^ssn$', caseSensitive: false),
+    RegExp(r'social[_-]?security', caseSensitive: false),
+    RegExp(r'tax[_-]?id', caseSensitive: false),
+    RegExp(r'national[_-]?id', caseSensitive: false),
+    // Auth - actual OTP/PIN values
+    RegExp(r'^_?otp$', caseSensitive: false),
+    RegExp(r'^_?otpCode$', caseSensitive: false),
+    RegExp(r'pin[_-]?code', caseSensitive: false),
+    RegExp(r'^mfa$', caseSensitive: false),
+    RegExp(r'^2fa$', caseSensitive: false),
+    RegExp(r'^totp$', caseSensitive: false),
+    // Headers
+    RegExp(r'^authorization$', caseSensitive: false),
+    RegExp(r'x-api-key', caseSensitive: false),
+  ];
+
+  /// Patterns that look like sensitive names but are actually safe
+  /// These are localization keys, validation labels, error messages, etc.
+  static final List<RegExp> safePatterns = [
+    // Localization/i18n keys (l10n.passwordXXX)
+    RegExp(r'l10n\.password', caseSensitive: false),
+    RegExp(r'l10n\.token', caseSensitive: false),
+    // Validation/requirement labels
+    RegExp(r'password.*Length', caseSensitive: false),
+    RegExp(r'password.*Requirement', caseSensitive: false),
+    RegExp(r'password.*Invalid', caseSensitive: false),
+    RegExp(r'password.*Error', caseSensitive: false),
+    RegExp(r'password.*Require', caseSensitive: false),
+    RegExp(r'password.*Width', caseSensitive: false),
+    RegExp(r'password.*Character', caseSensitive: false),
+    RegExp(r'password.*Message', caseSensitive: false),
+    RegExp(r'password.*Label', caseSensitive: false),
+    RegExp(r'password.*Hint', caseSensitive: false),
+    RegExp(r'password.*Placeholder', caseSensitive: false),
+    RegExp(r'password.*Title', caseSensitive: false),
+    RegExp(r'password.*Description', caseSensitive: false),
+    RegExp(r'token.*Expired', caseSensitive: false),
+    RegExp(r'token.*Error', caseSensitive: false),
+    // Route/navigation parameters
+    RegExp(r'LoginRoute', caseSensitive: false),
+    RegExp(r'RegisterRoute', caseSensitive: false),
+    // Enum values for analytics events
+    RegExp(r'UserEvent\.\w*password', caseSensitive: false),
+    RegExp(r'AnalyticsEvent\.\w*password', caseSensitive: false),
+    // Constants for validation
+    RegExp(r'min.*Password', caseSensitive: false),
+    RegExp(r'max.*Password', caseSensitive: false),
+  ];
+
+  /// Logging functions to check
+  static final Set<String> loggingFunctions = {
+    // Dart core
+    'print',
+    'debugPrint',
+    // Logger packages
+    'log',
+    'logInfo',
+    'logDebug',
+    'logWarning',
+    'logError',
+    'info',
+    'debug',
+    'warning',
+    'error',
+    'severe',
+    'fine',
+    'finer',
+    'finest',
+    'trace',
+    'verbose',
+    // stdout/stderr
+    'write',
+    'writeln',
+    'writeAll',
+    // Console
+    'console.log',
+    'console.info',
+    'console.warn',
+    'console.error',
+    'console.debug',
+  };
+
+  /// Analytics/event tracking functions - these log event names, not sensitive data
+  static final Set<String> analyticsEventFunctions = {
+    'sendlogevent', 'sendeventlog', 'sendevent',
+    'logevent', 'trackevent', 'recordevent',
+    'firebaseevent', 'analyticsevent',
+    'sendlogcustomevent',
+  };
+
+  /// Event name patterns that are safe to log (not actual sensitive data)
+  static final List<RegExp> eventNamePatterns = [
+    RegExp(r'^tap', caseSensitive: false),      // tapForgotPassword, tapBtnRegist
+    RegExp(r'^click', caseSensitive: false),    // clickLogin
+    RegExp(r'^on[A-Z]', caseSensitive: false),  // onLogin, onSubmit
+    RegExp(r'event$', caseSensitive: false),    // loginEvent
+    RegExp(r'button$', caseSensitive: false),   // forgotPasswordButton
+    RegExp(r'^screen', caseSensitive: false),   // screenView
+    RegExp(r'^view', caseSensitive: false),     // viewPage
+    RegExp(r'^open', caseSensitive: false),     // openModal
+    RegExp(r'^close', caseSensitive: false),    // closeDialog
+    RegExp(r'^show', caseSensitive: false),     // showPopup
+    RegExp(r'^hide', caseSensitive: false),     // hideModal
+    RegExp(r'action$', caseSensitive: false),   // loginAction
+  ];
+
+  /// Redaction/masking methods
+  static final Set<String> redactionMethods = {
+    'mask',
+    'redact',
+    'sanitize',
+    'obscure',
+    'hide',
+    'censor',
+    'omit',
+    'exclude',
+    'filter',
+    'replace',
+    'substring',
+    'replaceAll',
+    'replaceRange',
+  };
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+
+    final visitor = _SensitiveLoggingVisitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+
+    unit.accept(visitor);
+
+    return violations;
+  }
+
+  /// Check if a name matches sensitive patterns
+  static bool isSensitiveName(String name) {
+    return sensitivePatterns.any((pattern) => pattern.hasMatch(name));
+  }
+
+  /// Check if function is a logging function
+  static bool isLoggingFunction(String name) {
+    final lowerName = name.toLowerCase();
+    return loggingFunctions.any((fn) =>
+        lowerName == fn.toLowerCase() ||
+        lowerName.endsWith('.${fn.toLowerCase()}') ||
+        lowerName.contains(fn.toLowerCase()));
+  }
+
+  /// Check if expression has redaction
+  static bool hasRedaction(String source) {
+    final lowerSource = source.toLowerCase();
+    return redactionMethods.any((method) => lowerSource.contains(method));
+  }
+}
+
+class _SensitiveLoggingVisitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S004SensitiveDataLoggingAnalyzer analyzer;
+
+  _SensitiveLoggingVisitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name;
+    final target = node.target?.toSource() ?? '';
+    final fullName = target.isEmpty ? methodName : '$target.$methodName';
+    final lowerMethodName = methodName.toLowerCase();
+
+    // Skip analytics/event tracking functions - these log event names, not data
+    if (S004SensitiveDataLoggingAnalyzer.analyticsEventFunctions
+        .any((fn) => lowerMethodName.contains(fn))) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for logging sensitive data
+    if (S004SensitiveDataLoggingAnalyzer.isLoggingFunction(fullName) ||
+        S004SensitiveDataLoggingAnalyzer.isLoggingFunction(methodName)) {
+      _checkArgumentsForSensitiveData(node);
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitFunctionExpressionInvocation(FunctionExpressionInvocation node) {
+    final functionName = node.function.toSource();
+
+    if (S004SensitiveDataLoggingAnalyzer.isLoggingFunction(functionName)) {
+      for (final arg in node.argumentList.arguments) {
+        _checkExpressionForSensitiveData(arg, node);
+      }
+    }
+
+    super.visitFunctionExpressionInvocation(node);
+  }
+
+  void _checkArgumentsForSensitiveData(MethodInvocation logCall) {
+    for (final arg in logCall.argumentList.arguments) {
+      _checkExpressionForSensitiveData(arg, logCall);
+    }
+  }
+
+  void _checkExpressionForSensitiveData(Expression expr, AstNode logCall) {
+    final exprSource = expr.toSource();
+
+    // Skip if redaction is present
+    if (S004SensitiveDataLoggingAnalyzer.hasRedaction(exprSource)) {
+      return;
+    }
+
+    // Check string interpolation
+    if (expr is StringInterpolation) {
+      for (final element in expr.elements) {
+        if (element is InterpolationExpression) {
+          _checkExpressionForSensitiveData(element.expression, logCall);
+        }
+      }
+      return;
+    }
+
+    // Check identifiers
+    if (expr is SimpleIdentifier) {
+      _checkIdentifier(expr.name, expr.offset, logCall);
+      return;
+    }
+
+    // Check property access
+    if (expr is PrefixedIdentifier) {
+      _checkIdentifier(expr.identifier.name, expr.offset, logCall);
+      return;
+    }
+
+    // Check property access chain
+    if (expr is PropertyAccess) {
+      _checkIdentifier(expr.propertyName.name, expr.offset, logCall);
+      return;
+    }
+
+    // Check binary expressions (concatenation)
+    if (expr is BinaryExpression) {
+      _checkExpressionForSensitiveData(expr.leftOperand, logCall);
+      _checkExpressionForSensitiveData(expr.rightOperand, logCall);
+      return;
+    }
+
+    // Check parenthesized expressions
+    if (expr is ParenthesizedExpression) {
+      _checkExpressionForSensitiveData(expr.expression, logCall);
+      return;
+    }
+
+    // Check conditional expressions
+    if (expr is ConditionalExpression) {
+      _checkExpressionForSensitiveData(expr.thenExpression, logCall);
+      _checkExpressionForSensitiveData(expr.elseExpression, logCall);
+      return;
+    }
+
+    // Check map/list literals for sensitive keys
+    if (expr is SetOrMapLiteral) {
+      for (final element in expr.elements) {
+        if (element is MapLiteralEntry) {
+          final key = element.key;
+          if (key is SimpleStringLiteral) {
+            if (S004SensitiveDataLoggingAnalyzer.isSensitiveName(key.value)) {
+              violations.add(analyzer.createViolation(
+                filePath: filePath,
+                line: analyzer.getLine(lineInfo, element.offset),
+                column: analyzer.getColumn(lineInfo, element.offset),
+                message:
+                    'Sensitive data "${key.value}" logged in map - mask or redact before logging',
+                severity: 'error',
+                metadata: {
+                  'key': key.value,
+                  'issue': 'sensitive_data_in_map',
+                },
+              ));
+            }
+          }
+        }
+      }
+      return;
+    }
+  }
+
+  void _checkIdentifier(String name, int offset, AstNode logCall) {
+    // Skip if this looks like an event name (analytics tracking)
+    bool isEventName = S004SensitiveDataLoggingAnalyzer.eventNamePatterns
+        .any((pattern) => pattern.hasMatch(name));
+
+    if (isEventName) {
+      return;
+    }
+
+    // Skip safe patterns (localization keys, validation labels, etc.)
+    bool isSafePattern = S004SensitiveDataLoggingAnalyzer.safePatterns
+        .any((pattern) => pattern.hasMatch(name));
+
+    if (isSafePattern) {
+      return;
+    }
+
+    if (S004SensitiveDataLoggingAnalyzer.isSensitiveName(name)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, offset),
+        column: analyzer.getColumn(lineInfo, offset),
+        message:
+            'Sensitive data "$name" logged without redaction - mask or exclude before logging',
+        severity: 'error',
+        metadata: {
+          'variableName': name,
+          'issue': 'sensitive_data_logging',
+          'recommendation': 'Use masking like: "${name.length > 4 ? name.substring(0, 4) : name}****" or omit entirely',
+        },
+      ));
+    }
+  }
+}