npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S008_svg_content_sanitization.dart ADDED Viewed

@@ -0,0 +1,211 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S008: Validate and sanitize SVG content
+/// Detect unsafe SVG handling that could allow script injection
+/// NOTE: Skip local assets (SvgPicture.asset) as they are bundled with the app
+class S008SvgContentSanitizationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S008';
+  // Dangerous SVG elements that should be sanitized
+  static const _dangerousSvgElements = [
+    '<script',
+    'foreignobject',
+    'onclick',
+    'onload',
+    'onerror',
+    'onmouseover',
+    'xlink:href',
+  ];
+  // SVG handling patterns
+  static const _svgHandlingPatterns = [
+    'svg',
+    'svgpicture',
+    'svgimage',
+    'flutter_svg',
+  ];
+  // Safe sanitization patterns
+  static const _sanitizationPatterns = [
+    'sanitize',
+    'dompurify',
+    'allowedtags',
+    'allowedelements',
+    'removeattributes',
+    'stripscripts',
+  ];
+  // Safe asset patterns - local bundled resources, not user input
+  static const _safeAssetPatterns = [
+    '.asset(',
+    'assets.',      // Generated assets: Assets.svgs.icon.svg()
+    'assets/',
+    'images.',      // Generated images
+    'images/',
+    'icons.',       // Generated icons
+    'icons/',
+    'svgs.',        // Generated SVGs: Assets.svgs.something.svg()
+    '.svg(',        // SvgGenImage extension method: icon.svg()
+    'res/',
+    'resources/',
+    'assetname',
+    'assetpath',
+    'package:',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S008Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S008Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S008SvgContentSanitizationAnalyzer analyzer;
+  _S008Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for SVG handling from user input
+    bool isSvgHandling = S008SvgContentSanitizationAnalyzer._svgHandlingPatterns
+        .any((p) => source.contains(p) || methodName.contains(p));
+    if (isSvgHandling) {
+      // Skip if it's a safe asset source (local bundled resources)
+      bool isSafeAsset = _isSafeAssetSource(source);
+      if (isSafeAsset) {
+        super.visitMethodInvocation(node);
+        return;
+      }
+      // Check if SVG content comes from user/network
+      bool isUserInput = _isFromUserInput(node);
+      // Check if sanitization is applied
+      bool hasSanitization =
+          S008SvgContentSanitizationAnalyzer._sanitizationPatterns
+              .any((p) => source.contains(p));
+      if (isUserInput && !hasSanitization) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'SVG content from untrusted source should be sanitized to prevent script injection',
+        ));
+      }
+    }
+    // Check for SVG string containing dangerous elements
+    for (final arg in node.argumentList.arguments) {
+      if (arg is StringLiteral) {
+        final content = arg.toSource().toLowerCase();
+        if (content.contains('svg')) {
+          bool hasDangerousElement =
+              S008SvgContentSanitizationAnalyzer._dangerousSvgElements
+                  .any((e) => content.contains(e));
+          if (hasDangerousElement) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, arg.offset),
+              column: analyzer.getColumn(lineInfo, arg.offset),
+              message:
+                  'SVG contains potentially dangerous elements (script, onclick, foreignObject) - sanitize before use',
+            ));
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for SvgPicture constructors
+    if (typeName.contains('svg')) {
+      // Skip safe asset sources (SvgPicture.asset, local paths)
+      bool isSafeAsset = _isSafeAssetSource(source);
+      if (isSafeAsset) {
+        super.visitInstanceCreationExpression(node);
+        return;
+      }
+      bool hasSanitization =
+          S008SvgContentSanitizationAnalyzer._sanitizationPatterns
+              .any((p) => source.contains(p));
+      // Only flag network/string constructors (untrusted sources)
+      if ((source.contains('.network') || source.contains('.string')) &&
+          !hasSanitization) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'SVG from network/string should be sanitized before rendering',
+        ));
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  /// Check if source is from safe local assets
+  bool _isSafeAssetSource(String source) {
+    return S008SvgContentSanitizationAnalyzer._safeAssetPatterns
+        .any((p) => source.contains(p));
+  }
+  bool _isFromUserInput(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    // First check if it's a safe asset - if so, not user input
+    if (_isSafeAssetSource(source)) {
+      return false;
+    }
+    return source.contains('request') ||
+        source.contains('upload') ||
+        source.contains('network') ||
+        source.contains('http') ||
+        source.contains('url') ||
+        source.contains('input');
+  }
+}

package/dart_analyzer/lib/rules/security/S009_no_insecure_encryption.dart ADDED Viewed

@@ -0,0 +1,160 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S009: No Insecure Encryption Modes, Padding, or Cryptographic Algorithms
+/// Do not use insecure encryption modes, padding, or cryptographic algorithms
+class S009NoInsecureEncryptionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S009';
+  // Insecure algorithms and modes - use word boundaries to avoid false positives
+  static final _insecurePatterns = {
+    RegExp(r'\bdes\b', caseSensitive: false): 'DES is insecure - use AES-256',
+    RegExp(r'\b3des\b', caseSensitive: false): '3DES is deprecated - use AES-256',
+    RegExp(r'\btripledes\b', caseSensitive: false): 'Triple DES is deprecated - use AES-256',
+    RegExp(r'\brc4\b', caseSensitive: false): 'RC4 is broken - use AES-256-GCM',
+    RegExp(r'\brc2\b', caseSensitive: false): 'RC2 is insecure - use AES-256',
+    RegExp(r'\bblowfish\b', caseSensitive: false): 'Blowfish is outdated - use AES-256',
+    RegExp(r'\becb\b', caseSensitive: false): 'ECB mode is insecure - use GCM or CBC with IV',
+    RegExp(r'\bmd5\b', caseSensitive: false): 'MD5 is broken for security purposes - use SHA-256+',
+    RegExp(r'\bsha1\b', caseSensitive: false): 'SHA1 is weak - use SHA-256 or stronger',
+    RegExp(r'\bpkcs1\b', caseSensitive: false): 'PKCS#1 v1.5 is vulnerable - use OAEP padding',
+  };
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S009Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S009Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S009NoInsecureEncryptionAnalyzer analyzer;
+  _S009Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    _checkInsecurePatterns(source, node.offset);
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final source = node.toSource().toLowerCase();
+    _checkInsecurePatterns(source, node.offset);
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    // Skip import/export directives - they are not crypto code
+    AstNode? parent = node.parent;
+    while (parent != null) {
+      if (parent is ImportDirective || parent is ExportDirective || parent is PartDirective) {
+        super.visitSimpleStringLiteral(node);
+        return;
+      }
+      parent = parent.parent;
+    }
+    final value = node.value.toLowerCase();
+    _checkInsecurePatterns(value, node.offset);
+    super.visitSimpleStringLiteral(node);
+  }
+  void _checkInsecurePatterns(String source, int offset) {
+    for (final entry in S009NoInsecureEncryptionAnalyzer._insecurePatterns.entries) {
+      if (entry.key.hasMatch(source)) {
+        // Avoid false positives for variable names containing the pattern
+        if (_isInCryptoContext(source)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, offset),
+            column: analyzer.getColumn(lineInfo, offset),
+            message: entry.value,
+          ));
+        }
+      }
+    }
+  }
+  bool _isInCryptoContext(String source) {
+    // First check for false positive patterns (UI-related, non-crypto)
+    final falsePositivePatterns = [
+      'designsize', 'design_size', 'screensize', 'screen_size',
+      'fontsize', 'font_size', 'textsize', 'text_size',
+      'imagesize', 'image_size', 'iconsize', 'icon_size',
+      'mediaquery', 'media_query', 'screenutil', 'screen_util',
+      'description', 'descriptor', 'destiny', 'desktop', 'destroy',
+      'deserialize', 'deserialization',
+    ];
+    if (falsePositivePatterns.any((p) => source.contains(p))) {
+      return false;
+    }
+    // Non-security use cases for MD5/SHA1 (acceptable uses)
+    // MD5 is fine for: identifiers, cache keys, checksums (non-security)
+    // Only flag when used for security purposes (passwords, tokens, signatures)
+    final nonSecurityContexts = [
+      // Identifier/checksum generation (not security-sensitive)
+      'cid', 'uid', 'id', 'identifier', 'checksum',
+      'cachekey', 'cache_key', 'etag', 'fingerprint',
+      // Deep link / URL parameters
+      'deeplink', 'deep_link', 'urlparam', 'url_param',
+      // File operations (integrity, not security)
+      'filename', 'file_name', 'filepath', 'file_path',
+    ];
+    if (nonSecurityContexts.any((p) => source.contains(p))) {
+      return false;
+    }
+    // Security-critical contexts (must flag)
+    final securityCriticalContexts = [
+      'password', 'passwd', 'pwd', 'secret', 'token',
+      'auth', 'credential', 'session', 'signature',
+      'privatekey', 'private_key', 'apikey', 'api_key',
+    ];
+    if (securityCriticalContexts.any((p) => source.contains(p))) {
+      return true;
+    }
+    // General crypto context - only flag if clearly doing crypto operations
+    final cryptoKeywords = [
+      'cipher', 'encrypt', 'decrypt',
+      'hmac', 'sign', 'verify',
+      'aes', 'rsa', 'createcipher', 'createhash',
+      'pbkdf', 'bcrypt', 'scrypt', 'argon',
+    ];
+    return cryptoKeywords.any((k) => source.contains(k));
+  }
+}

package/dart_analyzer/lib/rules/security/S010_use_csprng.dart ADDED Viewed

@@ -0,0 +1,184 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S010: Must use cryptographically secure random number generators (CSPRNG)
+/// Detect usage of insecure random number generators for security purposes
+class S010UseCsprngAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S010';
+  // Insecure random patterns
+  static const _insecureRandomPatterns = [
+    'Random()', // Dart's default Random is not cryptographically secure
+    'Random.nextInt',
+    'Random.nextDouble',
+    'Random.nextBool',
+    'DateTime.now().millisecondsSinceEpoch',
+  ];
+  // Security-sensitive contexts - ONLY actual security-related IDs
+  // Note: 'id' alone is too generic - causes false positives for alarm IDs, notification IDs, etc.
+  static const _securityContexts = [
+    'token', 'session', 'auth', 'key', 'secret', 'password',
+    'nonce', 'salt', 'iv', 'otp', 'code', 'uuid',
+    'apikey', 'api_key', 'accesstoken', 'access_token',
+    'sessionid', 'session_id', 'userid', 'user_id',  // Only compound IDs
+    'securityid', 'security_id', 'authid', 'auth_id',
+  ];
+  // Non-security contexts - these use IDs but are NOT security sensitive
+  static const _nonSecurityContexts = [
+    'alarm', 'notification', 'widget', 'component', 'element',
+    'timer', 'animation', 'screen', 'page', 'view', 'controller',
+    'index', 'counter', 'position', 'offset', 'size', 'duration',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S010Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S010Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S010UseCsprngAnalyzer analyzer;
+  _S010Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    if (initializer != null) {
+      final initSource = initializer.toSource().toLowerCase();
+      // Check if this is a non-security context (alarm, notification, etc.)
+      // These use IDs but are NOT security sensitive
+      bool isNonSecurityContext = S010UseCsprngAnalyzer._nonSecurityContexts
+          .any((ctx) => varName.contains(ctx));
+      // Also check parent/enclosing context for non-security patterns
+      AstNode? current = node.parent;
+      int depth = 0;
+      while (current != null && depth < 5 && !isNonSecurityContext) {
+        final parentSource = current.toSource().toLowerCase();
+        isNonSecurityContext = S010UseCsprngAnalyzer._nonSecurityContexts
+            .any((ctx) => parentSource.contains(ctx));
+        current = current.parent;
+        depth++;
+      }
+      if (isNonSecurityContext) {
+        super.visitVariableDeclaration(node);
+        return;
+      }
+      // Check if variable name suggests security context
+      bool isSecurityContext = S010UseCsprngAnalyzer._securityContexts
+          .any((ctx) => varName.contains(ctx));
+      // Check if using insecure random
+      bool usesInsecureRandom = initSource.contains('random(') ||
+          initSource.contains('random.next') ||
+          initSource.contains('datetime.now');
+      // Check if using secure random
+      bool usesSecureRandom = initSource.contains('random.secure') ||
+          initSource.contains('securerandom');
+      if (isSecurityContext && usesInsecureRandom && !usesSecureRandom) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Use Random.secure() instead of Random() for security-sensitive data',
+        ));
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    // Check for Random() usage in security contexts
+    if (source.contains('random(') && !source.contains('random.secure')) {
+      // Check surrounding context
+      final parent = node.parent;
+      if (parent != null) {
+        final parentSource = parent.toSource().toLowerCase();
+        bool isSecurityContext = S010UseCsprngAnalyzer._securityContexts
+            .any((ctx) => parentSource.contains(ctx));
+        if (isSecurityContext) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Use Random.secure() for cryptographically secure random numbers',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme;
+    if (typeName == 'Random') {
+      // Check if it's Random.secure()
+      final constructorName = node.constructorName.name?.name;
+      if (constructorName != 'secure') {
+        // Check context
+        final parent = node.parent;
+        if (parent != null) {
+          final parentSource = parent.toSource().toLowerCase();
+          bool isSecurityContext = S010UseCsprngAnalyzer._securityContexts
+              .any((ctx) => parentSource.contains(ctx));
+          if (isSecurityContext) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Use Random.secure() instead of Random() for security purposes',
+            ));
+          }
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+}