npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S023_no_json_injection.dart ADDED Viewed

@@ -0,0 +1,550 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S023: Use output encoding when building dynamic JavaScript/JSON
+/// Prevent JavaScript and JSON injection by applying proper output encoding
+/// when dynamically building JavaScript content or JSON data.
+///
+/// Detects:
+/// - Dynamic code execution patterns (Function.apply, mirrors, runZoned)
+/// - JavaScript injection via WebView/InAppWebView
+/// - String interpolation/concatenation to build JavaScript code
+/// - JSON construction without proper encoding
+/// - innerHTML-like patterns in Flutter web
+/// - Inline event handlers with user data
+class S023NoJsonInjectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S023';
+  // Methods that are safe for string interpolation (logging, debugging)
+  static const _safeLoggingMethods = [
+    'debugprint', 'print', 'log', 'info', 'warn', 'warning',
+    'error', 'debug', 'trace', 'verbose', 'loginfo', 'logerror',
+    'logwarning', 'logdebug', 'logger', 'console',
+  ];
+  // Patterns that indicate actual JSON construction (not just logging)
+  static const _jsonConstructionPatterns = [
+    'response.write', 'response.send', 'jsonresponse',
+    'res.json', 'res.send', 'http.post', 'http.put',
+    'dio.post', 'dio.put', 'request.body',
+  ];
+  // Dangerous JavaScript execution methods in WebView
+  static const _jsExecutionMethods = [
+    'evaluatejavascript',
+    'runjavascript',
+    'runjavascriptreturningresult',
+    'callasyncdart',
+    'injectjavascriptfilefrompublicassetfile',
+  ];
+  // User input sources to track
+  static const _userInputPatterns = [
+    'textcontroller',
+    'texteditingcontroller',
+    'formfield',
+    'inputdecoration',
+    'sharedpreferences',
+    'securestorage',
+    'getstring',
+    'request.body',
+    'request.query',
+    'uri.queryparameters',
+    'platformmessenger',
+    'methodchannel',
+  ];
+  // Safe encoding functions
+  static const _safeEncodingFunctions = [
+    'jsonencode',
+    'json.encode',
+    'htmlescape',
+    'uriencode',
+    'uri.encodefull',
+    'uri.encodecomponent',
+    'uri.encodequerycomponent',
+    'sanitize',
+    'escape',
+  ];
+  // Variable names that typically indicate safe/encoded data
+  static const _safeVariablePatterns = [
+    'safejson',
+    'encodedjson',
+    'jsonstr',
+    'jsonstring',
+    'encoded',
+    'sanitized',
+    'escaped',
+    'safe',
+  ];
+  // Patterns that indicate constant/config values (not user input)
+  static const _constantPatterns = [
+    'constants.',   // Constants.fieldName
+    'config.',      // Config.value
+    'appconfig.',   // AppConfig.value
+    'env.',         // Environment variables
+    'settings.',    // Settings values
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S023Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+  /// Check if method is a safe logging method
+  static bool isSafeLoggingMethod(String methodName) {
+    return _safeLoggingMethods.any((m) => methodName.contains(m));
+  }
+  /// Check if method is a JavaScript execution method (WebView)
+  static bool isJsExecutionMethod(String methodName) {
+    return _jsExecutionMethods.any((m) => methodName.contains(m));
+  }
+  /// Check if expression contains user input
+  static bool containsUserInput(String source) {
+    final lowerSource = source.toLowerCase();
+    return _userInputPatterns.any((p) => lowerSource.contains(p));
+  }
+  /// Check if expression has safe encoding
+  static bool hasSafeEncoding(String source) {
+    final lowerSource = source.toLowerCase();
+    return _safeEncodingFunctions.any((f) => lowerSource.contains(f));
+  }
+  /// Check if variable name indicates it's already encoded/safe
+  static bool hasSafeVariableName(String source) {
+    final lowerSource = source.toLowerCase();
+    return _safeVariablePatterns.any((p) => lowerSource.contains(p));
+  }
+  /// Check if interpolation contains only constant values (not user input)
+  static bool containsOnlyConstants(String source) {
+    final lowerSource = source.toLowerCase();
+    // Check for known constant patterns
+    if (_constantPatterns.any((p) => lowerSource.contains(p))) {
+      return true;
+    }
+    // Check for all-uppercase variable names which typically indicate constants
+    // Pattern: ${CONSTANT_NAME} or $CONSTANT_NAME
+    final constPattern = RegExp(r'\$\{?[A-Z][A-Z0-9_]*\}?');
+    if (constPattern.hasMatch(source)) {
+      return true;
+    }
+    return false;
+  }
+  /// Check if the interpolation elements appear to be dynamic user data
+  /// Returns true if it looks like user-controlled input, false if it looks like safe data
+  static bool looksLikeUserInput(String source) {
+    final lowerSource = source.toLowerCase();
+    // Check for user input patterns
+    if (containsUserInput(source)) {
+      return true;
+    }
+    // Check for common patterns that indicate runtime/dynamic data
+    final dynamicPatterns = [
+      'widget.',      // Widget properties (often from user)
+      'state.',       // State values
+      '.text',        // TextField values
+      'input',        // Input variables
+      'param',        // Parameters that could be user input
+      'data[',        // Array/map access
+      'body[',        // Request body access
+      'query[',       // Query parameter access
+    ];
+    return dynamicPatterns.any((p) => lowerSource.contains(p));
+  }
+}
+class _S023Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S023NoJsonInjectionAnalyzer analyzer;
+  _S023Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  /// Track if we're inside a logging method call or toString method
+  bool _insideLoggingMethod = false;
+  bool _insideToString = false;
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    final methodName = node.name.lexeme.toLowerCase();
+    // Skip toString methods - they're not JSON construction
+    if (methodName == 'tostring') {
+      _insideToString = true;
+      super.visitMethodDeclaration(node);
+      _insideToString = false;
+      return;
+    }
+    super.visitMethodDeclaration(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Check if this is a logging method
+    bool isLoggingMethod = S023NoJsonInjectionAnalyzer.isSafeLoggingMethod(methodName);
+    if (isLoggingMethod) {
+      _insideLoggingMethod = true;
+      super.visitMethodInvocation(node);
+      _insideLoggingMethod = false;
+      return;
+    }
+    // 1. Check for JavaScript execution in WebView with user data
+    if (S023NoJsonInjectionAnalyzer.isJsExecutionMethod(methodName)) {
+      _checkJsExecutionMethod(node);
+    }
+    // 2. Check for Function.apply with dynamic data (Dart's equivalent to eval)
+    if (methodName == 'apply' && _isFunctionApply(node)) {
+      _checkFunctionApply(node);
+    }
+    // 3. Check for dart:mirrors usage with user data
+    if (methodName == 'invoke' || methodName == 'getfield' || methodName == 'setfield') {
+      _checkMirrorsUsage(node);
+    }
+    // 4. Check for manual JSON construction in non-logging methods
+    if (methodName == 'write' || methodName == 'writeln' || methodName == 'add') {
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation) {
+          final source = arg.toSource();
+          // Only flag if it looks like structured JSON (key-value pairs)
+          if (_looksLikeJsonStructure(source)) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'JSON injection risk - use jsonEncode() for proper JSON encoding',
+            ));
+          }
+        }
+      }
+    }
+    // 5. Check for setInnerHtml or similar HTML injection methods
+    if (methodName == 'setinnerhtml' || methodName == 'appendhtml') {
+      _checkHtmlInjection(node);
+    }
+    super.visitMethodInvocation(node);
+  }
+  /// Check JavaScript execution methods for user data injection
+  void _checkJsExecutionMethod(MethodInvocation node) {
+    for (final arg in node.argumentList.arguments) {
+      final source = arg.toSource();
+      // Skip if source indicates safe encoding or safe variable names
+      if (S023NoJsonInjectionAnalyzer.hasSafeEncoding(source) ||
+          S023NoJsonInjectionAnalyzer.hasSafeVariableName(source)) {
+        continue;
+      }
+      // Check if argument contains interpolation or user input
+      if (arg is StringInterpolation || source.contains('+')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'JavaScript injection risk - encode user data before passing to WebView JavaScript execution',
+        ));
+        return;
+      }
+      // Check for user input patterns
+      if (S023NoJsonInjectionAnalyzer.containsUserInput(source)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'JavaScript injection risk - sanitize user input before WebView JavaScript execution',
+        ));
+        return;
+      }
+    }
+  }
+  /// Check if this is Function.apply call
+  bool _isFunctionApply(MethodInvocation node) {
+    final target = node.target;
+    if (target is Identifier) {
+      // Check if target type might be Function
+      final name = target.name.toLowerCase();
+      return name.contains('function') || name.contains('callback') || name.contains('handler');
+    }
+    return false;
+  }
+  /// Check Function.apply for dynamic code execution risks
+  void _checkFunctionApply(MethodInvocation node) {
+    final source = node.toSource();
+    if (S023NoJsonInjectionAnalyzer.containsUserInput(source)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Dynamic code execution risk - avoid Function.apply with user-controlled data',
+      ));
+    }
+  }
+  /// Check dart:mirrors usage for reflection-based injection
+  void _checkMirrorsUsage(MethodInvocation node) {
+    final source = node.toSource();
+    if (S023NoJsonInjectionAnalyzer.containsUserInput(source)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Reflection injection risk - validate user input before using with dart:mirrors',
+      ));
+    }
+  }
+  /// Check HTML injection methods
+  void _checkHtmlInjection(MethodInvocation node) {
+    for (final arg in node.argumentList.arguments) {
+      final source = arg.toSource();
+      // Check for unescaped user data in HTML
+      if ((arg is StringInterpolation || source.contains('+')) &&
+          !S023NoJsonInjectionAnalyzer.hasSafeEncoding(source)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'HTML injection risk - use HtmlEscape or sanitize user data before inserting into HTML',
+        ));
+        return;
+      }
+    }
+  }
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    // Skip if inside logging method or toString
+    if (_insideLoggingMethod || _insideToString) {
+      super.visitStringInterpolation(node);
+      return;
+    }
+    final source = node.toSource();
+    // Check if there are interpolation elements
+    bool hasInterpolation = node.elements.any((e) => e is InterpolationExpression);
+    if (!hasInterpolation) {
+      super.visitStringInterpolation(node);
+      return;
+    }
+    // Skip if source contains safe encoding or safe variable names
+    if (S023NoJsonInjectionAnalyzer.hasSafeEncoding(source) ||
+        S023NoJsonInjectionAnalyzer.hasSafeVariableName(source)) {
+      super.visitStringInterpolation(node);
+      return;
+    }
+    // Skip if interpolation contains only constants (not user input)
+    if (S023NoJsonInjectionAnalyzer.containsOnlyConstants(source)) {
+      super.visitStringInterpolation(node);
+      return;
+    }
+    // 1. Check for JavaScript code being built
+    if (_looksLikeJavaScriptCode(source)) {
+      // Only flag if it looks like user input is being used
+      // Skip if the interpolated values don't appear to be user-controlled
+      if (S023NoJsonInjectionAnalyzer.looksLikeUserInput(source) ||
+          S023NoJsonInjectionAnalyzer.containsUserInput(source)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'JavaScript injection risk - encode data before building JavaScript code strings',
+        ));
+        super.visitStringInterpolation(node);
+        return;
+      }
+      // For JavaScript code without clear user input, skip to reduce false positives
+      super.visitStringInterpolation(node);
+      return;
+    }
+    // 2. Check for HTML with event handlers
+    if (_looksLikeHtmlWithEventHandler(source)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Inline event handler injection risk - avoid building HTML with inline event handlers containing user data',
+      ));
+      super.visitStringInterpolation(node);
+      return;
+    }
+    // 3. Check for structured JSON being constructed
+    if (_looksLikeJsonStructure(source)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'JSON injection risk - use jsonEncode() instead of string interpolation for JSON',
+      ));
+    }
+    super.visitStringInterpolation(node);
+  }
+  /// Check if string looks like JavaScript code
+  bool _looksLikeJavaScriptCode(String source) {
+    // Patterns indicating JavaScript code construction
+    final jsPatterns = [
+      RegExp(r'\bvar\s+\w+\s*='),
+      RegExp(r'\blet\s+\w+\s*='),
+      RegExp(r'\bconst\s+\w+\s*='),
+      RegExp(r'\bfunction\s*\('),
+      RegExp(r'=>\s*\{'),
+      RegExp(r'return\s+'),
+      RegExp(r'\beval\s*\('),
+      RegExp(r'\bnew\s+Function\s*\('),
+      RegExp(r'document\.'),
+      RegExp(r'window\.'),
+      RegExp(r'javascript:', caseSensitive: false),
+    ];
+    return jsPatterns.any((pattern) => pattern.hasMatch(source));
+  }
+  /// Check if string looks like HTML with inline event handlers
+  bool _looksLikeHtmlWithEventHandler(String source) {
+    // Pattern for inline event handlers: onclick, onload, onerror, etc.
+    final eventHandlerPattern = RegExp(r'\bon\w+\s*=\s*["\x27]', caseSensitive: false);
+    return eventHandlerPattern.hasMatch(source);
+  }
+  /// Check if string looks like actual JSON structure (not just debug log)
+  bool _looksLikeJsonStructure(String source) {
+    // Must have JSON-like structure: {"key": value} or [...]
+    // Not just "message: $var" which is common in logging
+    // Check for actual JSON object pattern: {"key": or {'key':
+    // Pattern: { followed by optional whitespace, optional quote, word, optional quote, colon
+    final jsonObjectPattern = RegExp(r'\{\s*["\x27]?\w+["\x27]?\s*:');
+    if (jsonObjectPattern.hasMatch(source)) {
+      return true;
+    }
+    // Check for JSON array with objects: [{"
+    if (source.contains('[{') || source.contains('[ {')) {
+      return true;
+    }
+    return false;
+  }
+  @override
+  void visitBinaryExpression(BinaryExpression node) {
+    // Skip if inside logging method or toString
+    if (_insideLoggingMethod || _insideToString) {
+      super.visitBinaryExpression(node);
+      return;
+    }
+    // Check for string concatenation
+    if (node.operator.type.lexeme == '+') {
+      final combined = node.toSource();
+      // Check for JavaScript code building
+      if (_looksLikeJavaScriptCode(combined) && !S023NoJsonInjectionAnalyzer.hasSafeEncoding(combined)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'JavaScript injection risk - avoid string concatenation for JavaScript code',
+        ));
+        super.visitBinaryExpression(node);
+        return;
+      }
+      // Check for JSON structure
+      if (_looksLikeJsonStructure(combined)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'JSON injection risk - avoid string concatenation for JSON, use jsonEncode()',
+        ));
+      }
+    }
+    super.visitBinaryExpression(node);
+  }
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    // Check for innerHTML-like assignments in Flutter web
+    final leftSide = node.leftHandSide.toSource().toLowerCase();
+    if (leftSide.contains('innerhtml') || leftSide.contains('outerhtml')) {
+      final rightSide = node.rightHandSide;
+      final source = rightSide.toSource();
+      if ((rightSide is StringInterpolation || source.contains('+')) &&
+          !S023NoJsonInjectionAnalyzer.hasSafeEncoding(source)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'HTML injection risk - sanitize user data before assigning to innerHTML/outerHTML',
+        ));
+      }
+    }
+    super.visitAssignmentExpression(node);
+  }
+}