@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S011_ech_tls_config.dart

@@ -0,0 +1,175 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S011: Enable Encrypted Client Hello (ECH) for TLS
+/// Detect TLS configurations that should enable ECH for privacy
+class S011EchTlsConfigAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S011';
+
+  // TLS configuration patterns
+  static const _tlsConfigPatterns = [
+    'securitycontext',
+    'sslcontext',
+    'tlsconfig',
+    'tls_config',
+    'httpclient',
+    'sslsocket',
+  ];
+
+  // ECH-related patterns (enabled)
+  static const _echEnabledPatterns = [
+    'ech',
+    'encryptedclienthello',
+    'encrypted_client_hello',
+    'echconfig',
+    'ech_config',
+  ];
+
+  // TLS version patterns
+  static const _tls13Patterns = [
+    'tls1.3',
+    'tls_1_3',
+    'tlsv1_3',
+    'version: 1.3',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S011Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S011Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S011EchTlsConfigAnalyzer analyzer;
+
+  bool _hasTlsConfig = false;
+  bool _hasTls13 = false;
+  bool _hasEch = false;
+
+  _S011Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitClassDeclaration(ClassDeclaration node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check if this is a TLS configuration class
+    bool isTlsConfig = S011EchTlsConfigAnalyzer._tlsConfigPatterns
+        .any((p) => source.contains(p));
+
+    if (isTlsConfig) {
+      _hasTlsConfig = true;
+
+      // Check for TLS 1.3
+      _hasTls13 = S011EchTlsConfigAnalyzer._tls13Patterns
+          .any((p) => source.contains(p));
+
+      // Check for ECH configuration
+      _hasEch = S011EchTlsConfigAnalyzer._echEnabledPatterns
+          .any((p) => source.contains(p));
+
+      // If TLS 1.3 is used but ECH is not configured, suggest enabling it
+      if (_hasTls13 && !_hasEch) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'TLS 1.3 configuration should enable ECH (Encrypted Client Hello) for enhanced privacy',
+        ));
+      }
+    }
+
+    super.visitClassDeclaration(node);
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Check for TLS/SSL context creation
+    if (methodName.contains('security') ||
+        methodName.contains('ssl') ||
+        methodName.contains('tls')) {
+      bool isTlsConfig = S011EchTlsConfigAnalyzer._tlsConfigPatterns
+          .any((p) => source.contains(p));
+
+      if (isTlsConfig) {
+        bool hasTls13 = S011EchTlsConfigAnalyzer._tls13Patterns
+            .any((p) => source.contains(p));
+
+        bool hasEch = S011EchTlsConfigAnalyzer._echEnabledPatterns
+            .any((p) => source.contains(p));
+
+        // Recommend ECH for TLS 1.3 configurations
+        if (hasTls13 && !hasEch) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Consider enabling ECH for TLS 1.3 to protect SNI from network observers',
+          ));
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Check for SecurityContext or similar
+    if (typeName.contains('security') ||
+        typeName.contains('ssl') ||
+        typeName.contains('tls')) {
+      bool hasTls13 = S011EchTlsConfigAnalyzer._tls13Patterns
+          .any((p) => source.contains(p));
+
+      bool hasEch = S011EchTlsConfigAnalyzer._echEnabledPatterns
+          .any((p) => source.contains(p));
+
+      if (hasTls13 && !hasEch) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'TLS configuration with 1.3 should consider ECH for protecting server name',
+        ));
+      }
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S012_hardcoded_secrets.dart

@@ -0,0 +1,255 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S012: Hardcoded Secrets
+/// Detect hardcoded secrets, API keys, passwords in source code
+class S012HardcodedSecretsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S012';
+
+  // Secret variable name patterns (only truly sensitive ones)
+  static const _secretPatterns = [
+    'password', 'passwd', 'pwd', 'secret',
+    'privatekey', 'private_key', 'secretkey', 'secret_key',
+    'authtoken', 'auth_token', 'accesstoken', 'access_token',
+    'bearer', 'connectionstring', 'connection_string',
+    'dbpassword', 'db_password', 'encryptionkey', 'encryption_key',
+  ];
+
+  // Error code class patterns - these contain error strings, not secrets
+  static const _errorCodeClassPatterns = [
+    'errorcode', 'error_code', 'errorcodes', 'error_codes',
+    'autherrorcode', 'auth_error_code',
+  ];
+
+  // Files that are typically auto-generated and contain public keys (not secrets)
+  static const _excludedFiles = [
+    'firebase_options.dart',
+    'generated_plugin_registrant.dart',
+    'GeneratedPluginRegistrant.java',
+    'AppDelegate.swift',
+  ];
+
+  // Parameter names that are public identifiers, not secrets
+  static const _publicKeyParams = [
+    'apikey', 'api_key',      // Firebase/Google API keys are public
+    'appid', 'app_id',        // App identifiers
+    'projectid', 'project_id', // Project identifiers
+    'messagingsenderid', 'messaging_sender_id',
+    'storagebucket', 'storage_bucket',
+    'measurementid', 'measurement_id',
+    'iosbundleid', 'ios_bundle_id',
+    'clientid', 'client_id',   // Public OAuth client ID
+  ];
+
+  // Patterns that look like actual secrets (more specific patterns)
+  static const _secretValuePatterns = [
+    // Specific API key patterns (not generic Base64)
+    RegexPattern(r'^sk_[a-zA-Z0-9]{24,}$', 'Stripe secret key'),
+    RegexPattern(r'^pk_[a-zA-Z0-9]{24,}$', 'Stripe publishable key'),
+    RegexPattern(r'^ghp_[a-zA-Z0-9]{36,}$', 'GitHub personal access token'),
+    RegexPattern(r'^gho_[a-zA-Z0-9]{36,}$', 'GitHub OAuth token'),
+    RegexPattern(r'^xox[baprs]-[a-zA-Z0-9-]+$', 'Slack token'),
+    RegexPattern(r'^AKIA[0-9A-Z]{16}$', 'AWS access key'),
+    // Note: Removed generic Base64 pattern - too many false positives
+  ];
+
+  // Patterns to exclude (not secrets)
+  static const _excludePatterns = [
+    'route', 'screen', 'page', 'widget', 'args', 'params',
+    'hash_code', 'gkc_', 'generated', 'color', 'theme',
+    'icon', 'image', 'asset', 'font', 'style',
+  ];
+
+  // Variable names that are preference/storage keys, not actual secrets
+  static const _keyNamePatterns = [
+    'key', // ends with 'key' like _accessTokenKey
+    '_key', // contains '_key'
+    'pref', // preference related
+  ];
+
+  // String values that look like storage keys or identifiers (not secrets)
+  static bool _isStorageKeyValue(String value) {
+    final lower = value.toLowerCase();
+    // Pattern: word_word_key or wordWordKey - these are storage key names
+    if ((lower.endsWith('_key') || lower.endsWith('key')) &&
+        (lower.contains('_') || RegExp(r'^[a-z_]+$').hasMatch(lower)) &&
+        !lower.contains('=') &&
+        value.length < 50) {
+      return true;
+    }
+    // Pattern: simple identifiers like 'accessToken', 'password_empty', 'X-Access-Token'
+    // These are preference keys, header names, or localization keys - not secrets
+    if (RegExp(r'^[a-zA-Z][a-zA-Z0-9_-]*$').hasMatch(value) && value.length < 50) {
+      return true;
+    }
+    return false;
+  }
+
+  /// Check if file is an error code file (contains error strings, not secrets)
+  static bool isErrorCodeFile(String filePath) {
+    final fileNameLower = filePath.split('/').last.toLowerCase().replaceAll('_', '');
+    return _errorCodeClassPatterns.any((p) => fileNameLower.contains(p.replaceAll('_', '')));
+  }
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Skip excluded files (auto-generated configs with public keys)
+    final fileName = filePath.split('/').last;
+    if (_excludedFiles.any((f) => fileName.contains(f))) {
+      return [];
+    }
+
+    // Skip error code files (contain error strings, not secrets)
+    if (isErrorCodeFile(filePath)) {
+      return [];
+    }
+
+    final violations = <Violation>[];
+    final visitor = _S012Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+
+  /// Check if parameter name is a public key (not a secret)
+  static bool isPublicKeyParam(String paramName) {
+    return _publicKeyParams.any((p) => paramName.contains(p));
+  }
+}
+
+class RegexPattern {
+  final String pattern;
+  final String description;
+  const RegexPattern(this.pattern, this.description);
+}
+
+class _S012Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S012HardcodedSecretsAnalyzer analyzer;
+
+  _S012Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+
+    // Skip if variable name ends with 'key' (it's a storage key name, not a secret)
+    // e.g., _accessTokenKey, _refreshTokenKey are key names for SharedPreferences
+    if (varName.endsWith('key') || varName.contains('_key')) {
+      super.visitVariableDeclaration(node);
+      return;
+    }
+
+    // Check if variable name suggests a secret
+    bool isSecretVar = S012HardcodedSecretsAnalyzer._secretPatterns
+        .any((p) => varName.contains(p));
+
+    if (isSecretVar && initializer is StringLiteral) {
+      final value = initializer is SimpleStringLiteral ? initializer.value : '';
+
+      // Skip empty strings, environment variable references, and storage key values
+      if (value.isNotEmpty &&
+          !value.contains('env') &&
+          !value.contains('ENV') &&
+          !value.startsWith('\$') &&
+          !S012HardcodedSecretsAnalyzer._isStorageKeyValue(value) &&
+          value.length > 3) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Hardcoded secret detected in "$varName" - use environment variables',
+        ));
+      }
+    }
+
+    super.visitVariableDeclaration(node);
+  }
+
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value;
+
+    // Skip short strings and common non-secret patterns
+    if (value.length < 20) {
+      super.visitSimpleStringLiteral(node);
+      return;
+    }
+
+    // Skip strings that contain exclude patterns (route names, colors, etc.)
+    final lowerValue = value.toLowerCase();
+    if (S012HardcodedSecretsAnalyzer._excludePatterns.any((p) => lowerValue.contains(p))) {
+      super.visitSimpleStringLiteral(node);
+      return;
+    }
+
+    // Check for specific secret patterns in string values
+    for (final regexPattern in S012HardcodedSecretsAnalyzer._secretValuePatterns) {
+      final regex = RegExp(regexPattern.pattern);
+      if (regex.hasMatch(value)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: '${regexPattern.description} detected - use environment variables',
+        ));
+        break;
+      }
+    }
+
+    super.visitSimpleStringLiteral(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+    final expression = node.expression;
+
+    // Skip public key parameters (Firebase API keys, app IDs, etc.)
+    if (S012HardcodedSecretsAnalyzer.isPublicKeyParam(paramName)) {
+      super.visitNamedExpression(node);
+      return;
+    }
+
+    // Check if named parameter is a secret
+    bool isSecretParam = S012HardcodedSecretsAnalyzer._secretPatterns
+        .any((p) => paramName.contains(p));
+
+    if (isSecretParam && expression is StringLiteral) {
+      final value = expression is SimpleStringLiteral ? expression.value : '';
+      if (value.isNotEmpty && value.length > 3) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Hardcoded secret in parameter "$paramName" - use environment variables',
+        ));
+      }
+    }
+
+    super.visitNamedExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S013_tls_enforcement.dart

@@ -0,0 +1,148 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S013: TLS Enforcement
+/// Ensure HTTPS/TLS is enforced for all external communications
+class S013TlsEnforcementAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S013';
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S013Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S013Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S013TlsEnforcementAnalyzer analyzer;
+
+  _S013Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  // Allowed localhost patterns
+  static const _localhostPatterns = [
+    'localhost', '127.0.0.1', '0.0.0.0', '::1',
+  ];
+
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+
+    // Check for HTTP URLs (not HTTPS)
+    if (value.startsWith('http://')) {
+      // Allow localhost for development
+      bool isLocalhost = _localhostPatterns.any((p) => value.contains(p));
+
+      if (!isLocalhost) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Use HTTPS instead of HTTP for secure communication',
+        ));
+      }
+    }
+
+    // Check for ws:// instead of wss://
+    if (value.startsWith('ws://')) {
+      bool isLocalhost = _localhostPatterns.any((p) => value.contains(p));
+
+      if (!isLocalhost) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Use WSS instead of WS for secure WebSocket communication',
+        ));
+      }
+    }
+
+    super.visitSimpleStringLiteral(node);
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check for SSL certificate verification bypass
+    if (source.contains('badcertificatecallback') ||
+        source.contains('allowbadcertificates') ||
+        source.contains('trustbadcertificate')) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Do not bypass SSL certificate verification',
+      ));
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+    final expression = node.expression;
+
+    // Check for SSL verification disable flags
+    // Must be specifically SSL/TLS/certificate related, not general "verify" parameters
+    // Exclude: isFromVerifyEmail, isVerified, emailVerified, etc.
+    bool isSSLRelated = (paramName.contains('ssl') ||
+        paramName.contains('tls') ||
+        paramName.contains('certificate') ||
+        paramName == 'verify' ||  // Only exact match for "verify" param
+        paramName.contains('verifycert') ||
+        paramName.contains('verifyssl') ||
+        paramName.contains('verifytls') ||
+        paramName.contains('sslverify') ||
+        paramName.contains('tlsverify'));
+
+    // Exclude common non-SSL verify patterns
+    bool isNonSSLVerify = paramName.contains('email') ||
+        paramName.contains('phone') ||
+        paramName.contains('user') ||
+        paramName.contains('account') ||
+        paramName.contains('identity') ||
+        paramName.contains('from') ||
+        paramName.contains('otp') ||
+        paramName.contains('code');
+
+    if (isSSLRelated && !isNonSSLVerify) {
+      if (expression is BooleanLiteral && !expression.value) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Do not disable SSL/TLS certificate verification',
+        ));
+      }
+    }
+
+    super.visitNamedExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S014_tls_version_enforcement.dart

@@ -0,0 +1,117 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S014: TLS Version Enforcement
+/// Enforce minimum TLS version (1.2 or higher)
+class S014TlsVersionEnforcementAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S014';
+
+  // Insecure TLS/SSL versions
+  static const _insecureVersions = [
+    'ssl2', 'ssl3', 'sslv2', 'sslv3',
+    'tls1.0', 'tls1_0', 'tlsv1', 'tlsv1.0', 'tlsv1_0',
+    'tls1.1', 'tls1_1', 'tlsv1.1', 'tlsv1_1',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S014Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S014Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S014TlsVersionEnforcementAnalyzer analyzer;
+
+  _S014Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase().replaceAll(' ', '');
+
+    for (final version in S014TlsVersionEnforcementAnalyzer._insecureVersions) {
+      if (value.contains(version)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Insecure TLS/SSL version detected - use TLS 1.2 or higher',
+        ));
+        break;
+      }
+    }
+
+    super.visitSimpleStringLiteral(node);
+  }
+
+  @override
+  void visitPrefixedIdentifier(PrefixedIdentifier node) {
+    final source = node.toSource().toLowerCase();
+
+    for (final version in S014TlsVersionEnforcementAnalyzer._insecureVersions) {
+      if (source.contains(version)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Insecure TLS/SSL version - use TLS 1.2 or higher',
+        ));
+        break;
+      }
+    }
+
+    super.visitPrefixedIdentifier(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+
+    if (paramName.contains('minversion') ||
+        paramName.contains('min_version') ||
+        paramName.contains('sslversion') ||
+        paramName.contains('tlsversion')) {
+      final expression = node.expression.toSource().toLowerCase();
+
+      for (final version in S014TlsVersionEnforcementAnalyzer._insecureVersions) {
+        if (expression.contains(version)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Minimum TLS version should be 1.2 or higher',
+          ));
+          break;
+        }
+      }
+    }
+
+    super.visitNamedExpression(node);
+  }
+}