npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S021_referrer_policy.dart ADDED Viewed

@@ -0,0 +1,146 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S021: Set Referrer-Policy to prevent sensitive data leakage
+/// Detect missing or weak Referrer-Policy headers
+class S021ReferrerPolicyAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S021';
+  // HTTP response/header patterns
+  static const _headerPatterns = [
+    'setheader',
+    'addheader',
+    'headers',
+    'response.',
+    'httpresponse',
+  ];
+  // Weak referrer policies
+  static const _weakPolicies = [
+    'unsafe-url',
+    'no-referrer-when-downgrade',
+  ];
+  // Recommended policies
+  static const _recommendedPolicies = [
+    'strict-origin-when-cross-origin',
+    'same-origin',
+    'no-referrer',
+    'strict-origin',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S021Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S021Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S021ReferrerPolicyAnalyzer analyzer;
+  _S021Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for header setting operations
+    bool isHeaderOp = S021ReferrerPolicyAnalyzer._headerPatterns
+        .any((p) => source.contains(p) || methodName.contains(p));
+    if (isHeaderOp && source.contains('referrer')) {
+      // Check for weak policies
+      bool hasWeakPolicy = S021ReferrerPolicyAnalyzer._weakPolicies
+          .any((p) => source.contains(p));
+      if (hasWeakPolicy) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Weak Referrer-Policy - use strict-origin-when-cross-origin or stricter policy',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitMapLiteralEntry(MapLiteralEntry node) {
+    final key = node.key.toSource().toLowerCase();
+    final value = node.value.toSource().toLowerCase();
+    // Check for Referrer-Policy header
+    if (key.contains('referrer-policy') || key.contains('referrerpolicy')) {
+      // Check for weak policies
+      bool hasWeakPolicy = S021ReferrerPolicyAnalyzer._weakPolicies
+          .any((p) => value.contains(p));
+      if (hasWeakPolicy) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Weak Referrer-Policy "$value" - use strict-origin-when-cross-origin instead',
+        ));
+      }
+    }
+    super.visitMapLiteralEntry(node);
+  }
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final left = node.leftHandSide.toSource().toLowerCase();
+    final right = node.rightHandSide.toSource().toLowerCase();
+    // Check for referrer policy assignments
+    if (left.contains('referrer')) {
+      bool hasWeakPolicy = S021ReferrerPolicyAnalyzer._weakPolicies
+          .any((p) => right.contains(p));
+      if (hasWeakPolicy) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Weak Referrer-Policy setting - use strict-origin-when-cross-origin or no-referrer',
+        ));
+      }
+    }
+    super.visitAssignmentExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S022_escape_output_context.dart ADDED Viewed

@@ -0,0 +1,111 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S022: Escape Output Context
+/// Ensure proper output encoding/escaping to prevent XSS
+class S022EscapeOutputContextAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S022';
+  // HTML output contexts
+  static const _htmlMethods = [
+    'innerhtml', 'outerhtml', 'setinnerhtml', 'appendhtml',
+    'insertadjacenthtml', 'document.write', 'createelement',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S022Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S022Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S022EscapeOutputContextAnalyzer analyzer;
+  _S022Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final leftSide = node.leftHandSide.toSource().toLowerCase();
+    // Check for innerHTML assignment
+    if (S022EscapeOutputContextAnalyzer._htmlMethods.any((m) => leftSide.contains(m))) {
+      final rightSide = node.rightHandSide;
+      // Check if right side is user input (not sanitized)
+      if (rightSide is StringInterpolation || rightSide is SimpleIdentifier) {
+        final rightSource = rightSide.toSource().toLowerCase();
+        bool isSanitized = rightSource.contains('escape') ||
+            rightSource.contains('sanitize') ||
+            rightSource.contains('encode') ||
+            rightSource.contains('htmlescape');
+        if (!isSanitized) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'XSS risk - escape/sanitize user input before HTML output',
+          ));
+        }
+      }
+    }
+    super.visitAssignmentExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for HTML manipulation methods
+    if (S022EscapeOutputContextAnalyzer._htmlMethods.any((m) => methodName.contains(m))) {
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation || arg is SimpleIdentifier) {
+          final source = arg.toSource().toLowerCase();
+          bool isSanitized = source.contains('escape') ||
+              source.contains('sanitize') ||
+              source.contains('encode');
+          if (!isSanitized) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'XSS risk - sanitize input before inserting into HTML',
+            ));
+            break;
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}