npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S017_use_parameterized_queries.dart ADDED Viewed

@@ -0,0 +1,191 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S017: Use Parameterized Queries
+/// Detect SQL injection vulnerabilities - use parameterized queries
+class S017UseParameterizedQueriesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S017';
+  // SQL statement patterns that strongly indicate a query (not just keywords)
+  static const _sqlStatementPatterns = [
+    'select * from', 'select ', 'insert into', 'update ',
+    'delete from', 'drop table', 'create table', 'alter table',
+    'truncate table', 'exec ', 'execute ',
+  ];
+  // Raw query method names in common Dart/Flutter DB packages
+  static const _rawQueryMethods = [
+    'rawquery', 'rawinsert', 'rawupdate', 'rawdelete',
+    'execute', 'query', 'executesql',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Skip UI files - they don't have SQL
+    final fileName = filePath.toLowerCase();
+    if (fileName.contains('screen') ||
+        fileName.contains('widget') ||
+        fileName.contains('view') ||
+        fileName.contains('page') ||
+        fileName.contains('component')) {
+      return [];
+    }
+    final violations = <Violation>[];
+    final visitor = _S017Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+  /// Check if source looks like actual SQL
+  static bool looksLikeSql(String source) {
+    final lowerSource = source.toLowerCase();
+    return _sqlStatementPatterns.any((p) => lowerSource.contains(p));
+  }
+}
+class _S017Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S017UseParameterizedQueriesAnalyzer analyzer;
+  _S017Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    // Skip if this is inside a logging call - not SQL context
+    if (_isInLoggingContext(node)) {
+      super.visitStringInterpolation(node);
+      return;
+    }
+    final source = node.toSource();
+    // Only check if it looks like actual SQL (not just contains common words)
+    if (S017UseParameterizedQueriesAnalyzer.looksLikeSql(source)) {
+      // Check if there are interpolation elements
+      bool hasInterpolation = node.elements.any((e) => e is InterpolationExpression);
+      if (hasInterpolation) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'SQL injection risk - use parameterized queries instead of string interpolation',
+        ));
+      }
+    }
+    super.visitStringInterpolation(node);
+  }
+  /// Check if the node is inside a logging/debug context
+  bool _isInLoggingContext(AstNode node) {
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 5) {
+      if (current is MethodInvocation) {
+        final methodName = current.methodName.name.toLowerCase();
+        // Logging method patterns
+        if (methodName.contains('log') ||
+            methodName == 'print' ||
+            methodName == 'debugprint' ||
+            methodName == 'info' ||
+            methodName == 'debug' ||
+            methodName == 'warn' ||
+            methodName == 'error' ||
+            methodName == 'trace') {
+          return true;
+        }
+        // Check if target is a logging utility
+        final target = current.target?.toSource().toLowerCase() ?? '';
+        if (target.contains('log') || target.contains('logger')) {
+          return true;
+        }
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for raw query methods
+    bool isRawQueryMethod = S017UseParameterizedQueriesAnalyzer._rawQueryMethods
+        .any((m) => methodName.contains(m));
+    if (isRawQueryMethod && node.argumentList.arguments.isNotEmpty) {
+      final firstArg = node.argumentList.arguments.first;
+      if (firstArg is StringInterpolation) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'SQL injection risk in raw query - use parameterized version',
+        ));
+      } else if (firstArg is BinaryExpression &&
+          firstArg.operator.type.lexeme == '+') {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'SQL injection risk - avoid string concatenation in raw queries',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitBinaryExpression(BinaryExpression node) {
+    // Only check string concatenation in database-related contexts
+    if (node.operator.type.lexeme == '+') {
+      final combined = node.toSource();
+      // Only flag if it clearly looks like SQL
+      if (S017UseParameterizedQueriesAnalyzer.looksLikeSql(combined)) {
+        bool concatenatingVariable = node.rightOperand is SimpleIdentifier ||
+            node.rightOperand is PrefixedIdentifier;
+        if (concatenatingVariable) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'SQL injection risk - use parameterized queries instead of string concatenation',
+          ));
+        }
+      }
+    }
+    super.visitBinaryExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S018_no_sensitive_browser_storage.dart ADDED Viewed

@@ -0,0 +1,175 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S018: Do not store sensitive data in browser storage
+/// Detect sensitive data being stored in localStorage, sessionStorage, IndexedDB
+class S018NoSensitiveBrowserStorageAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S018';
+  // Browser storage patterns
+  static const _browserStoragePatterns = [
+    'localstorage',
+    'sessionstorage',
+    'indexeddb',
+    'sharedpreferences', // Flutter equivalent
+    'securestorage', // Should use this instead
+    'setstring',
+    'setitem',
+    'put(',
+  ];
+  // Sensitive data patterns that should NOT be stored
+  static const _sensitiveDataPatterns = [
+    'password',
+    'passwd',
+    'secret',
+    'apikey',
+    'api_key',
+    'accesstoken',
+    'access_token',
+    'refreshtoken',
+    'refresh_token',
+    'privatekey',
+    'private_key',
+    'creditcard',
+    'credit_card',
+    'cardnumber',
+    'card_number',
+    'cvv',
+    'ssn',
+    'socialsecurity',
+    'bankaccount',
+    'bank_account',
+    'encryptionkey',
+    'encryption_key',
+  ];
+  // Allowed patterns (session token is acceptable with proper handling)
+  static const _allowedPatterns = [
+    'encrypted',
+    'hashed',
+    'securestorage',
+    'flutter_secure_storage',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S018Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S018Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S018NoSensitiveBrowserStorageAnalyzer analyzer;
+  _S018Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+    // Check if this is a storage operation
+    bool isStorageOp =
+        S018NoSensitiveBrowserStorageAnalyzer._browserStoragePatterns
+            .any((p) => source.contains(p) || methodName.contains(p));
+    if (isStorageOp) {
+      // Check if storing sensitive data
+      bool hasSensitiveData =
+          S018NoSensitiveBrowserStorageAnalyzer._sensitiveDataPatterns
+              .any((p) => source.contains(p));
+      // Check if using secure storage or encryption
+      bool isSecureUsage =
+          S018NoSensitiveBrowserStorageAnalyzer._allowedPatterns
+              .any((p) => source.contains(p));
+      if (hasSensitiveData && !isSecureUsage) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Sensitive data should not be stored in browser storage - use flutter_secure_storage or server-side sessions',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitMapLiteralEntry(MapLiteralEntry node) {
+    final key = node.key.toSource().toLowerCase();
+    final value = node.value.toSource().toLowerCase();
+    final fullSource = node.toSource().toLowerCase();
+    // Check if key indicates sensitive data
+    bool hasSensitiveKey =
+        S018NoSensitiveBrowserStorageAnalyzer._sensitiveDataPatterns
+            .any((p) => key.contains(p));
+    if (hasSensitiveKey) {
+      // Check context - is this being stored in browser storage?
+      bool isStorageContext = _isInStorageContext(node);
+      // Check if encrypted
+      bool isSecure = S018NoSensitiveBrowserStorageAnalyzer._allowedPatterns
+          .any((p) => fullSource.contains(p));
+      if (isStorageContext && !isSecure) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Sensitive data in storage context - encrypt before storing or use secure storage',
+        ));
+      }
+    }
+    super.visitMapLiteralEntry(node);
+  }
+  bool _isInStorageContext(AstNode node) {
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 10) {
+      final source = current.toSource().toLowerCase();
+      if (S018NoSensitiveBrowserStorageAnalyzer._browserStoragePatterns
+          .any((p) => source.contains(p))) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+}

package/dart_analyzer/lib/rules/security/S019_smtp_injection_protection.dart ADDED Viewed

@@ -0,0 +1,166 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S019: SMTP Injection Protection
+/// Prevent SMTP header injection attacks in email functionality
+class S019SmtpInjectionProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S019';
+  // Email header fields that can be injected
+  // Note: 'x-' removed because it causes false positives with format strings like "index 1-5"
+  // X-headers are less critical anyway and often legitimately contain dynamic content
+  static const _headerFields = [
+    'to:', 'from:', 'cc:', 'bcc:', 'subject:', 'reply-to:',
+    'content-type:', 'mime-version:',
+  ];
+  // Dangerous characters for SMTP injection
+  static const _dangerousChars = ['\r', '\n', '\r\n', '%0d', '%0a'];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S019Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S019Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S019SmtpInjectionProtectionAnalyzer analyzer;
+  _S019Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for email sending methods
+    if (methodName.contains('send') &&
+        (source.contains('mail') || source.contains('email') || source.contains('smtp'))) {
+      // Check if user input is used in email headers without sanitization
+      for (final arg in node.argumentList.arguments) {
+        if (arg is NamedExpression) {
+          final paramName = arg.name.label.name.toLowerCase();
+          // Check if it's a header field
+          bool isHeaderField = ['to', 'from', 'cc', 'bcc', 'subject', 'replyto', 'reply_to']
+              .any((h) => paramName.contains(h));
+          if (isHeaderField) {
+            final value = arg.expression;
+            // Check if value comes from user input (simple heuristic)
+            if (value is SimpleIdentifier || value is StringInterpolation) {
+              violations.add(analyzer.createViolation(
+                filePath: filePath,
+                line: analyzer.getLine(lineInfo, node.offset),
+                column: analyzer.getColumn(lineInfo, node.offset),
+                message: 'SMTP injection risk - sanitize email headers to remove CRLF characters',
+              ));
+              break;
+            }
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    // Skip debug/logging statements - these are not email contexts
+    final parent = node.parent;
+    if (parent is ArgumentList) {
+      final grandParent = parent.parent;
+      if (grandParent is MethodInvocation) {
+        final methodName = grandParent.methodName.name.toLowerCase();
+        if (methodName == 'debugprint' || methodName == 'print' ||
+            methodName == 'log' || methodName.startsWith('log')) {
+          super.visitStringInterpolation(node);
+          return;
+        }
+      }
+    }
+    final source = node.toSource().toLowerCase();
+    // Check if building email headers with user input
+    // Must be in email-related context, not just any string with header-like patterns
+    bool isEmailHeader = S019SmtpInjectionProtectionAnalyzer._headerFields
+        .any((h) => source.contains(h));
+    // Additional check: should also have email-related context
+    bool isEmailContext = source.contains('email') || source.contains('mail') ||
+        source.contains('smtp') || source.contains('message');
+    if (isEmailHeader && isEmailContext) {
+      // Check for interpolation (user input)
+      bool hasInterpolation = node.elements.any((e) => e is InterpolationExpression);
+      if (hasInterpolation) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'SMTP header injection risk - sanitize user input in email headers',
+        ));
+      }
+    }
+    super.visitStringInterpolation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    // Check for Message/Email class construction
+    if (typeName.contains('message') || typeName.contains('email') || typeName.contains('mail')) {
+      for (final arg in node.argumentList.arguments) {
+        if (arg is NamedExpression) {
+          final paramName = arg.name.label.name.toLowerCase();
+          final isHeaderField = ['to', 'from', 'cc', 'bcc', 'subject', 'replyto']
+              .any((h) => paramName == h);
+          if (isHeaderField && arg.expression is StringInterpolation) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'SMTP injection risk in email construction - sanitize header values',
+            ));
+            break;
+          }
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S020_no_eval_dynamic_code.dart ADDED Viewed

@@ -0,0 +1,149 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S020: No Eval or Dynamic Code Execution
+/// Prevent code injection through eval() and similar dynamic code execution
+class S020NoEvalDynamicCodeAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S020';
+  // Dangerous dynamic code execution methods - use exact match to avoid false positives
+  static const _dangerousMethods = [
+    'eval', 'exec', 'execute', 'runcode', 'run_code',
+    'dynamiccode', 'dynamic_code', 'compile',
+  ];
+  // Check if method name exactly matches or ends with a dangerous pattern
+  static bool _isDangerousMethod(String methodName) {
+    final lowerName = methodName.toLowerCase().replaceAll('_', '');
+    // Exact match
+    for (final m in _dangerousMethods) {
+      final pattern = m.replaceAll('_', '');
+      if (lowerName == pattern) return true;
+    }
+    return false;
+  }
+  // Dart-specific dynamic execution patterns
+  static const _dartDangerousPatterns = [
+    'mirror', 'reflect', 'invoke', 'dynamicinvoke',
+    'noSuchMethod', // Can be abused for dynamic invocation
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S020Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S020Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S020NoEvalDynamicCodeAnalyzer analyzer;
+  _S020Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name;
+    // Check for dangerous method names - use exact match to avoid false positives
+    bool isDangerous = S020NoEvalDynamicCodeAnalyzer._isDangerousMethod(methodName);
+    if (isDangerous) {
+      // Check if argument is user input (string interpolation or variable)
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation || arg is SimpleIdentifier) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Dynamic code execution is dangerous - avoid eval/exec with user input',
+          ));
+          break;
+        }
+      }
+    }
+    // Check for reflection with user input
+    final lowerMethodName = methodName.toLowerCase();
+    if (lowerMethodName == 'invoke' || lowerMethodName == 'invokemember') {
+      final source = node.toSource().toLowerCase();
+      if (source.contains('mirror') || source.contains('reflect')) {
+        for (final arg in node.argumentList.arguments) {
+          if (arg is StringInterpolation || arg is SimpleIdentifier) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Reflection with dynamic input is dangerous - validate input strictly',
+            ));
+            break;
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitImportDirective(ImportDirective node) {
+    final uri = node.uri.stringValue?.toLowerCase() ?? '';
+    // Check for mirrors import
+    if (uri.contains('mirrors')) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'dart:mirrors enables reflection - use with caution, can enable code injection',
+      ));
+    }
+    super.visitImportDirective(node);
+  }
+  @override
+  void visitFunctionExpression(FunctionExpression node) {
+    // Check for Function.apply with dynamic arguments
+    final parent = node.parent;
+    if (parent is MethodInvocation) {
+      final methodName = parent.methodName.name.toLowerCase();
+      if (methodName == 'apply') {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Function.apply with dynamic arguments can be dangerous',
+        ));
+      }
+    }
+    super.visitFunctionExpression(node);
+  }
+}