@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S015_insecure_tls_certificate.dart

@@ -0,0 +1,315 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S015: Insecure TLS Certificate
+/// Only accept trusted TLS certificates and reject weak ciphers
+/// - Do not accept untrusted/self-signed certificates automatically
+/// - Disable weak cipher suites (RC4, 3DES, NULL, MD5, SHA1)
+/// - Use modern ciphers (AES-GCM, ChaCha20-Poly1305, TLS_ECDHE)
+class S015InsecureTlsCertificateAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S015';
+
+  // Patterns indicating certificate verification bypass
+  static const _insecureCertPatterns = [
+    'badcertificatecallback',
+    'allowbadcertificates',
+    'trustbadcertificate',
+    'onbadcertificate',
+    'allowselfsigned',
+    'allow_self_signed',
+    'skipverify',
+    'skip_verify',
+    'verifycertificate: false',
+    'verify_certificate: false',
+    'ignorecertificate',
+    'ignore_certificate',
+    'trustallcertificates',
+    'trust_all_certificates',
+  ];
+
+  // Weak cipher patterns
+  static const _weakCipherPatterns = [
+    'rc4',
+    'des',
+    '3des',
+    'tripledes',
+    'null_cipher',
+    'nullcipher',
+    'export_cipher',
+    'exportcipher',
+    'md5',
+    'sha1',
+  ];
+
+  // Insecure TLS versions
+  static const _insecureTlsVersions = [
+    'sslv2',
+    'sslv3',
+    'ssl_v2',
+    'ssl_v3',
+    'tlsv1.0',
+    'tlsv1_0',
+    'tls_v1_0',
+    'tlsv1.1',
+    'tlsv1_1',
+    'tls_v1_1',
+    'tls1.0',
+    'tls1.1',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S015Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S015Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S015InsecureTlsCertificateAnalyzer analyzer;
+
+  _S015Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Check for certificate verification bypass
+    _checkInsecureCertPatterns(source, node.offset);
+
+    // Check for weak ciphers in method calls
+    _checkWeakCiphers(source, node.offset);
+
+    // Check for insecure TLS versions
+    _checkInsecureTlsVersions(source, node.offset);
+
+    // Check for badCertificateCallback that always returns true
+    if (methodName == 'badcertificatecallback' ||
+        source.contains('onbadcertificate')) {
+      // Check if callback returns true (accepts all certs)
+      if (source.contains('=> true') ||
+          source.contains('return true') ||
+          source.contains('(_) => true') ||
+          source.contains('(_, __, ___) => true')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Certificate callback accepts all certificates - only trust valid certificates from trusted CAs',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+    final expression = node.expression;
+    final source = node.toSource().toLowerCase();
+
+    // Check for certificate verification parameters set to false
+    if (_isCertVerificationParam(paramName)) {
+      if (expression is BooleanLiteral && !expression.value) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Certificate verification disabled - this allows man-in-the-middle attacks',
+        ));
+      }
+    }
+
+    // Check for badCertificateCallback parameter
+    if (paramName.contains('badcertificate') ||
+        paramName.contains('onbadcertificate')) {
+      if (source.contains('=> true') ||
+          source.contains('(_) => true') ||
+          source.contains('return true')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Bad certificate callback accepts all certificates - only trust valid certificates',
+        ));
+      }
+    }
+
+    // Check for weak ciphers in parameters
+    _checkWeakCiphers(source, node.offset);
+
+    // Check for insecure TLS versions in parameters
+    _checkInsecureTlsVersions(source, node.offset);
+
+    super.visitNamedExpression(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final source = node.toSource().toLowerCase();
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+
+    // Check SecurityContext or HttpClient configuration
+    if (typeName == 'securitycontext' ||
+        typeName == 'httpclient' ||
+        typeName == 'httpsclient') {
+      _checkInsecureCertPatterns(source, node.offset);
+      _checkWeakCiphers(source, node.offset);
+      _checkInsecureTlsVersions(source, node.offset);
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+
+    // Check for weak cipher strings
+    _checkWeakCiphers(value, node.offset);
+
+    // Check for insecure TLS version strings
+    _checkInsecureTlsVersions(value, node.offset);
+
+    super.visitSimpleStringLiteral(node);
+  }
+
+  @override
+  void visitFunctionExpression(FunctionExpression node) {
+    // Check if this is a callback that always returns true (bad certificate handler)
+    final parent = node.parent;
+    if (parent is NamedExpression) {
+      final paramName = parent.name.label.name.toLowerCase();
+      if (paramName.contains('badcertificate') ||
+          paramName.contains('certificate')) {
+        final body = node.body;
+        if (body != null) {
+          final bodySource = body.toSource().toLowerCase();
+          if (bodySource.contains('return true') ||
+              bodySource == '=> true' ||
+              bodySource.contains('=> true')) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message:
+                  'Certificate callback blindly trusts all certificates - validate certificates properly',
+            ));
+          }
+        }
+      }
+    }
+
+    super.visitFunctionExpression(node);
+  }
+
+  bool _isCertVerificationParam(String paramName) {
+    return paramName.contains('verify') ||
+        paramName.contains('validate') ||
+        paramName.contains('check') && paramName.contains('cert') ||
+        paramName.contains('ssl') ||
+        paramName.contains('tls') ||
+        paramName == 'secure';
+  }
+
+  void _checkInsecureCertPatterns(String source, int offset) {
+    for (final pattern
+        in S015InsecureTlsCertificateAnalyzer._insecureCertPatterns) {
+      if (source.contains(pattern.replaceAll('_', ''))) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, offset),
+          column: analyzer.getColumn(lineInfo, offset),
+          message:
+              'Insecure certificate handling detected - only trust valid certificates from trusted CAs',
+        ));
+        return; // Avoid duplicate violations
+      }
+    }
+  }
+
+  void _checkWeakCiphers(String source, int offset) {
+    // Only flag if in crypto/cipher context
+    if (!_isInCipherContext(source)) return;
+
+    for (final cipher
+        in S015InsecureTlsCertificateAnalyzer._weakCipherPatterns) {
+      if (source.contains(cipher)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, offset),
+          column: analyzer.getColumn(lineInfo, offset),
+          message:
+              'Weak cipher "$cipher" detected - use AES-GCM, ChaCha20-Poly1305, or other modern ciphers',
+        ));
+        return;
+      }
+    }
+  }
+
+  void _checkInsecureTlsVersions(String source, int offset) {
+    // Only flag if in TLS/SSL context
+    if (!_isInTlsContext(source)) return;
+
+    for (final version
+        in S015InsecureTlsCertificateAnalyzer._insecureTlsVersions) {
+      if (source.contains(version)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, offset),
+          column: analyzer.getColumn(lineInfo, offset),
+          message:
+              'Insecure TLS version detected - use TLS 1.2 or TLS 1.3 only',
+        ));
+        return;
+      }
+    }
+  }
+
+  bool _isInCipherContext(String source) {
+    return source.contains('cipher') ||
+        source.contains('encrypt') ||
+        source.contains('ssl') ||
+        source.contains('tls') ||
+        source.contains('security');
+  }
+
+  bool _isInTlsContext(String source) {
+    return source.contains('tls') ||
+        source.contains('ssl') ||
+        source.contains('https') ||
+        source.contains('security') ||
+        source.contains('protocol') ||
+        source.contains('version');
+  }
+}

package/dart_analyzer/lib/rules/security/S016_no_sensitive_querystring.dart

@@ -0,0 +1,244 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S016: No Sensitive Data in Query Strings
+/// Sensitive data should not be passed in URL query strings
+class S016NoSensitiveQuerystringAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S016';
+
+  // Sensitive parameter names (truly sensitive data only)
+  static const _sensitiveParams = [
+    'password', 'passwd', 'pwd', 'secret', 'apikey', 'api_key',
+    'accesskey', 'access_key', 'sessionid', 'session_id',
+    'credit_card', 'creditcard', 'cardnumber', 'card_number', 'cvv', 'ssn',
+    'otp', 'pin', 'credential', 'bearer', 'private_key',
+  ];
+
+  // Non-sensitive keys that may contain "key" or "token" but are not secrets
+  // These are business domain identifiers, not security tokens
+  static const _nonSensitiveKeys = [
+    'objective_key', 'objectivekey', // Business objective identifier
+    'device_token', 'devicetoken',   // Push notification token (not auth)
+    'fcm_token', 'fcmtoken',         // Firebase Cloud Messaging token
+    'apns_token', 'apnstoken',       // Apple Push Notification token
+    'primary_key', 'primarykey',     // Database key
+    'foreign_key', 'foreignkey',     // Database key
+    'sort_key', 'sortkey',           // Sorting key
+    'cache_key', 'cachekey',         // Cache identifier
+    'lookup_key', 'lookupkey',       // Lookup identifier
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S016Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S016Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S016NoSensitiveQuerystringAnalyzer analyzer;
+
+  _S016Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+
+    // Check for URLs with sensitive query params
+    if (value.contains('?') || value.contains('&')) {
+      for (final param in S016NoSensitiveQuerystringAnalyzer._sensitiveParams) {
+        // Match patterns like ?password= or &token=
+        if (RegExp('[?&]$param=').hasMatch(value)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive data "$param" should not be in query string - use POST body or headers',
+          ));
+          break;
+        }
+      }
+    }
+
+    super.visitSimpleStringLiteral(node);
+  }
+
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check for query string patterns with sensitive data
+    if (source.contains('?') || source.contains('&')) {
+      for (final param in S016NoSensitiveQuerystringAnalyzer._sensitiveParams) {
+        if (source.contains('$param=') || source.contains('${param}=')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive data should not be in query string - use POST body or headers',
+          ));
+          break;
+        }
+      }
+    }
+
+    super.visitStringInterpolation(node);
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Check for Uri construction with sensitive query parameters
+    if (methodName == 'queryparameters' || methodName == 'replace') {
+      final source = node.toSource().toLowerCase();
+      for (final param in S016NoSensitiveQuerystringAnalyzer._sensitiveParams) {
+        if (source.contains("'$param'") || source.contains('"$param"')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive parameter "$param" should not be in query parameters',
+          ));
+          break;
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitMapLiteralEntry(MapLiteralEntry node) {
+    final key = node.key.toSource().toLowerCase().replaceAll("'", '').replaceAll('"', '');
+
+    // Skip non-sensitive keys (business identifiers, not secrets)
+    bool isNonSensitive = S016NoSensitiveQuerystringAnalyzer._nonSensitiveKeys
+        .any((p) => key.contains(p.replaceAll('_', '')));
+
+    if (isNonSensitive) {
+      super.visitMapLiteralEntry(node);
+      return;
+    }
+
+    // Check if this is a query parameter map entry
+    bool isSensitive = S016NoSensitiveQuerystringAnalyzer._sensitiveParams
+        .any((p) => key.contains(p));
+
+    if (isSensitive) {
+      // Check parent context to see if it's for query parameters (NOT headers or POST body)
+      AstNode? current = node.parent;
+      bool isQueryParam = false;
+      bool isHeader = false;
+      bool isPostBody = false;
+      int depth = 0;
+      const maxDepth = 15;
+
+      while (current != null && depth < maxDepth) {
+        final source = current.toSource().toLowerCase();
+
+        // Check if this is a header context - skip these
+        if (source.contains('headers') ||
+            source.contains('header') ||
+            source.contains('authorization')) {
+          isHeader = true;
+          break;
+        }
+
+        // Check if this is a POST/PUT request body (data: {}) - skip these
+        // POST body is secure when using HTTPS
+        if (current is NamedExpression && current.name.label.name == 'data') {
+          final grandParent = current.parent?.parent;
+          if (grandParent != null) {
+            final gpSource = grandParent.toSource().toLowerCase();
+            if (gpSource.contains('.post(') || gpSource.contains('.put(')) {
+              isPostBody = true;
+              break;
+            }
+          }
+        }
+
+        // Check for variable assignment that is used in POST/PUT request body
+        // Pattern: final data = {...}; then _api.post(path, data: data)
+        if (current is VariableDeclaration) {
+          final varName = current.name.lexeme;
+          // Check if parent function/block contains POST/PUT with this variable
+          final enclosingScope = _findEnclosingScope(current);
+          if (enclosingScope != null) {
+            final scopeSource = enclosingScope.toSource().toLowerCase();
+            // Check if there's a .post() or .put() call with data: varName
+            if ((scopeSource.contains('.post(') || scopeSource.contains('.put(')) &&
+                scopeSource.contains('data: ${varName.toLowerCase()}')) {
+              isPostBody = true;
+              break;
+            }
+          }
+        }
+
+        // Check if this is a query parameter context
+        if (source.contains('queryparameters') ||
+            source.contains('query_parameters') ||
+            (source.contains('uri(') && !source.contains('headers'))) {
+          isQueryParam = true;
+          break;
+        }
+
+        current = current.parent;
+        depth++;
+      }
+
+      // Only report if it's query parameters and NOT headers/POST body
+      if (isQueryParam && !isHeader && !isPostBody) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Sensitive data "$key" should not be in query parameters',
+        ));
+      }
+    }
+
+    super.visitMapLiteralEntry(node);
+  }
+
+  /// Find the enclosing function or block scope
+  AstNode? _findEnclosingScope(AstNode node) {
+    AstNode? current = node.parent;
+    while (current != null) {
+      if (current is FunctionBody ||
+          current is MethodDeclaration ||
+          current is FunctionDeclaration ||
+          current is Block) {
+        return current;
+      }
+      current = current.parent;
+    }
+    return null;
+  }
+}