npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S024_xpath_xxe_protection.dart ADDED Viewed

@@ -0,0 +1,299 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S024: XPath/XXE Protection
+/// Prevent XPath injection and XML External Entity attacks
+class S024XpathXxeProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S024';
+  // XML parsing methods - must be in XML context
+  static const _xmlParsingMethods = [
+    'parsestring', 'parsefragment', 'xmldocument',
+    'parsexml', 'loadxml', 'fromxml', 'readxml',
+  ];
+  // XPath query methods - must be exact match or in XML context
+  // Exclude JavaScript evaluation methods like evaluateJavascript
+  static const _xpathMethods = [
+    'xpath', 'xquery', 'selectnodes', 'selectsinglenode',
+  ];
+  // Methods that contain 'evaluate' but are NOT XPath
+  static const _excludeEvaluateMethods = [
+    'evaluatejavascript', 'evaluatejs', 'runjavascript', 'executejs',
+  ];
+  // XML context indicators
+  static const _xmlContextPatterns = [
+    'xmldocument', 'xmlparser', 'xdocument',
+    'saxparser', 'domparser', 'xmlreader',
+    'xmlelement', 'xmlnode', 'xpathdocument',
+  ];
+  // Non-XML parse methods to exclude (Dart standard library)
+  static const _nonXmlParseMethods = [
+    'uri', 'int', 'double', 'num', 'datetime', 'bigint',
+    'json', 'duration', 'bool', 'string', 'regexp',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S024Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S024Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S024XpathXxeProtectionAnalyzer analyzer;
+  _S024Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for XPath query methods with user input
+    // Skip JavaScript evaluation methods
+    bool isExcludedEvaluate = S024XpathXxeProtectionAnalyzer._excludeEvaluateMethods
+        .any((m) => methodName.contains(m));
+    bool isXpathMethod = !isExcludedEvaluate &&
+        (S024XpathXxeProtectionAnalyzer._xpathMethods.any((m) => methodName.contains(m)) ||
+         (methodName == 'evaluate' && _isInXmlContext(node)));
+    if (isXpathMethod) {
+      // Check for user input in arguments
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation ||
+            (arg is SimpleIdentifier && _looksLikeUserInput(arg.name))) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'XPath injection risk - use parameterized XPath queries',
+          ));
+          break;
+        }
+      }
+    }
+    // Check for explicit XML parsing methods
+    // Method name must EXACTLY match or be prefixed with xml/Xml
+    bool isXmlParsingMethod =
+        S024XpathXxeProtectionAnalyzer._xmlParsingMethods.any((m) => methodName == m) ||
+        (methodName.startsWith('xml') && methodName.contains('parse')) ||
+        (methodName.startsWith('parse') && methodName.contains('xml'));
+    // Also check if method is 'parse' or 'tryparse' but ONLY when target is explicitly XML related
+    // e.g., xmlParser.parse(), XmlDocument.parse()
+    // Exclude common Dart standard library parse methods: Uri.parse, int.parse, etc.
+    final targetStr = node.target?.toSource().toLowerCase() ?? '';
+    // Skip if target is a known non-XML type
+    bool isNonXmlParseMethod = S024XpathXxeProtectionAnalyzer._nonXmlParseMethods
+        .any((t) => targetStr == t || targetStr.endsWith('.$t'));
+    bool isParseInXmlContext = (methodName == 'parse' || methodName == 'tryparse') &&
+        !isNonXmlParseMethod &&
+        S024XpathXxeProtectionAnalyzer._xmlContextPatterns.any((p) => targetStr.contains(p));
+    if (isXmlParsingMethod || isParseInXmlContext) {
+      // Check for user input in arguments
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation ||
+            (arg is SimpleIdentifier && _looksLikeUserInput(arg.name))) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'XXE risk - disable external entity processing when parsing XML',
+          ));
+          break;
+        }
+      }
+    }
+    // Check for DOCTYPE with ENTITY in XML strings (XXE risk)
+    // Skip HTML doctypes (<!DOCTYPE html>) as they are not XXE risks
+    bool hasXmlDoctype = source.contains('<!doctype') && !source.contains('<!doctype html');
+    bool hasEntity = source.contains('<!entity');
+    if ((hasXmlDoctype || hasEntity) && _isInXmlContext(node)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'XXE risk - DOCTYPE declarations can enable external entity attacks',
+      ));
+    }
+    super.visitMethodInvocation(node);
+  }
+  bool _looksLikeUserInput(String name) {
+    final lower = name.toLowerCase();
+    return lower.contains('input') ||
+        lower.contains('request') ||
+        lower.contains('param') ||
+        lower.contains('query') ||
+        lower.contains('body') ||
+        lower.contains('data');
+  }
+  bool _isInXmlContext(MethodInvocation node) {
+    // Check if target or parent context contains XML indicators
+    final targetStr = node.target?.toSource().toLowerCase() ?? '';
+    if (S024XpathXxeProtectionAnalyzer._xmlContextPatterns.any((p) => targetStr.contains(p))) {
+      return true;
+    }
+    // Check parent context
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 5) {
+      final source = current.toSource().toLowerCase();
+      if (S024XpathXxeProtectionAnalyzer._xmlContextPatterns.any((p) => source.contains(p))) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    final source = node.toSource().toLowerCase();
+    // Check for XPath expressions with user input
+    // XPath patterns: //node[@attr='value'], //node[condition], /root/child
+    // Must be in XML context OR have clear XPath indicators
+    // Exclude URL patterns like 'https://example.com/path'
+    bool looksLikeXpath = _looksLikeXpathExpression(source);
+    if (looksLikeXpath && _isStringInterpolationInXmlContext(node)) {
+      bool hasInterpolation = node.elements.any((e) => e is InterpolationExpression);
+      if (hasInterpolation) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'XPath injection risk - avoid string interpolation in XPath queries',
+        ));
+      }
+    }
+    super.visitStringInterpolation(node);
+  }
+  /// Check if string looks like an XPath expression (not a URL or other pattern)
+  bool _looksLikeXpathExpression(String source) {
+    // XPath starts with / or // followed by node name (not :// which is URL protocol)
+    // Valid XPath: /root/child, //node[@attr], ./relative
+    // Invalid (URL): https://example.com, http://api.test
+    // Skip if it looks like a URL (contains ://)
+    if (source.contains('://')) {
+      return false;
+    }
+    // Skip if it starts with http, https, ftp, file protocols
+    if (RegExp(r'(https?|ftp|file|mailto|tel|ws|wss):').hasMatch(source)) {
+      return false;
+    }
+    // Must have XPath-like patterns
+    // - //node (descendant axis)
+    // - /root/child (absolute path)
+    // - @attribute (attribute selector)
+    // - [predicate] (predicate)
+    bool hasXpathAxis = source.contains('//') && !source.contains('://');
+    bool hasAttributeSelector = RegExp(r'\[@[\w-]+').hasMatch(source); // [@attr
+    bool hasXpathPredicate = RegExp(r'/\w+\[').hasMatch(source); // /node[
+    return hasXpathAxis || hasAttributeSelector || hasXpathPredicate;
+  }
+  /// Check if string interpolation is within XML context
+  bool _isStringInterpolationInXmlContext(StringInterpolation node) {
+    // Check parent context for XML-related operations
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 8) {
+      final source = current.toSource().toLowerCase();
+      // Check for XML method invocations
+      if (source.contains('xpath') ||
+          source.contains('xquery') ||
+          source.contains('selectnodes') ||
+          source.contains('selectsinglenode') ||
+          source.contains('xmldocument') ||
+          source.contains('xmlparser')) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for XML parser instantiation with potentially unsafe config
+    bool isXmlParser = typeName.contains('xmlparser') ||
+        typeName.contains('xmldocument') ||
+        typeName.contains('saxparser') ||
+        typeName.contains('domparser');
+    if (isXmlParser) {
+      // Check for unsafe configurations
+      bool hasExternalEntityConfig = source.contains('external') ||
+          source.contains('entity') ||
+          source.contains('dtd');
+      // Only flag if it looks like external entities might be enabled
+      if (hasExternalEntityConfig && !source.contains('false')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'XXE protection - ensure external entity processing is disabled',
+        ));
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S025_server_side_validation.dart ADDED Viewed

@@ -0,0 +1,140 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S025: Server-Side Validation
+/// Ensure proper server-side input validation
+class S025ServerSideValidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S025';
+  // Request/input sources
+  static const _inputSources = [
+    'request.body', 'request.query', 'request.params', 'req.body',
+    'req.query', 'req.params', 'context.request', 'httpcontext',
+  ];
+  // Dangerous operations without validation
+  static const _dangerousOperations = [
+    'database', 'db.', 'repository', 'execute', 'query',
+    'file', 'process', 'system', 'shell', 'eval',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S025Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S025Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S025ServerSideValidationAnalyzer analyzer;
+  // Track variables from request input
+  final Set<String> _inputVariables = {};
+  _S025Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final initializer = node.initializer;
+    if (initializer != null) {
+      final source = initializer.toSource().toLowerCase();
+      // Track if variable comes from request input
+      bool isFromInput = S025ServerSideValidationAnalyzer._inputSources
+          .any((s) => source.contains(s));
+      if (isFromInput) {
+        _inputVariables.add(node.name.lexeme);
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for dangerous operations with input data
+    bool isDangerousOp = S025ServerSideValidationAnalyzer._dangerousOperations
+        .any((op) => source.contains(op) || methodName.contains(op));
+    if (isDangerousOp) {
+      // Check if any argument is from unvalidated input
+      for (final arg in node.argumentList.arguments) {
+        final argSource = arg.toSource();
+        // Check if argument is a known input variable
+        bool isInputVar = _inputVariables.any((v) => argSource.contains(v));
+        // Check if directly accessing request properties
+        bool isDirectInput = S025ServerSideValidationAnalyzer._inputSources
+            .any((s) => argSource.toLowerCase().contains(s));
+        if (isInputVar || isDirectInput) {
+          // Check if validation is present - look at the entire containing method/function
+          bool hasValidation = false;
+          // Traverse up to find containing method/function body
+          AstNode? current = node.parent;
+          while (current != null) {
+            if (current is MethodDeclaration || current is FunctionDeclaration) {
+              final bodySource = current.toSource().toLowerCase();
+              hasValidation = bodySource.contains('validate') ||
+                  bodySource.contains('sanitize') ||
+                  bodySource.contains('isvalid') ||
+                  bodySource.contains('is_valid') ||
+                  bodySource.contains('checkinput') ||
+                  bodySource.contains('check_input') ||
+                  bodySource.contains('verifyinput') ||
+                  bodySource.contains('verify_input') ||
+                  // Check for conditional with throw/return before the dangerous op
+                  (bodySource.contains('if') && bodySource.contains('throw'));
+              break;
+            }
+            current = current.parent;
+          }
+          if (!hasValidation) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Server-side validation required before using request input in sensitive operations',
+            ));
+          }
+          break;
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S026_tls_all_connections.dart ADDED Viewed

@@ -0,0 +1,196 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S026: Use TLS encryption for all inbound and outbound connections
+/// Ensure all application connections use encrypted TLS protocol
+class S026TlsAllConnectionsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S026';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S026Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S026Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S026TlsAllConnectionsAnalyzer analyzer;
+  // Patterns for excluded URLs (not actual connections)
+  static final _excludedUrlPatterns = [
+    RegExp(r'w3\.org/\d{4}/'), // XML/SVG namespaces
+    RegExp(r'schema\.org', caseSensitive: false), // Schema.org metadata
+    RegExp(r'example\.(com|org|net)', caseSensitive: false), // Example URLs
+    RegExp(r'localhost', caseSensitive: false), // Localhost
+    RegExp(r'127\.0\.0\.1'), // Loopback IPv4
+    RegExp(r'\[::1\]'), // Loopback IPv6
+    RegExp(r'0\.0\.0\.0'), // Any address
+  ];
+  _S026Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value;
+    _checkInsecureUrl(value, node);
+    super.visitSimpleStringLiteral(node);
+  }
+  @override
+  void visitStringInterpolation(StringInterpolation node) {
+    // Check the static parts of interpolated strings
+    for (final element in node.elements) {
+      if (element is InterpolationString) {
+        _checkInsecureUrl(element.value, node);
+      }
+    }
+    super.visitStringInterpolation(node);
+  }
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final source = node.toSource().toLowerCase();
+    // Check for ssl: false, tls: false patterns
+    if (_isInsecureSslSetting(source)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'SSL/TLS explicitly disabled. Enable encryption for secure connections',
+      ));
+    }
+    // Check for badCertificateCallback = (args) => true
+    if (source.contains('badcertificatecallback') && source.contains('=> true')) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'TLS certificate validation disabled. This allows MITM attacks',
+      ));
+    }
+    super.visitAssignmentExpression(node);
+  }
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final name = node.name.label.name.toLowerCase();
+    final expression = node.expression;
+    // Check for badCertificateCallback returning true (disabling validation)
+    if (name == 'badcertificatecallback' && expression is FunctionExpression) {
+      final body = expression.body;
+      if (body is ExpressionFunctionBody) {
+        final bodySource = body.expression.toSource().toLowerCase();
+        if (bodySource == 'true') {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'TLS certificate validation disabled. This allows MITM attacks',
+          ));
+        }
+      }
+    }
+    // Check for ssl: false, tls: false in named parameters
+    if ((name == 'ssl' || name == 'tls' || name == 'secure') &&
+        expression is BooleanLiteral &&
+        !expression.value) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'SSL/TLS disabled in connection settings. Enable encryption',
+      ));
+    }
+    super.visitNamedExpression(node);
+  }
+  void _checkInsecureUrl(String value, AstNode node) {
+    // Skip if URL is excluded (namespace, localhost, example)
+    if (_isExcludedUrl(value)) {
+      return;
+    }
+    // Check for insecure HTTP URLs
+    if (RegExp(r'^http://[^/]+').hasMatch(value)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Insecure HTTP connection detected. Use HTTPS instead: "$value"',
+      ));
+      return;
+    }
+    // Check for insecure WebSocket URLs
+    if (RegExp(r'^ws://[^/]+').hasMatch(value)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Insecure WebSocket connection detected. Use WSS instead: "$value"',
+      ));
+      return;
+    }
+    // Check for insecure FTP URLs
+    if (RegExp(r'^ftp://').hasMatch(value)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Insecure FTP connection detected. Use SFTP instead: "$value"',
+      ));
+      return;
+    }
+  }
+  bool _isExcludedUrl(String url) {
+    for (final pattern in _excludedUrlPatterns) {
+      if (pattern.hasMatch(url)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  bool _isInsecureSslSetting(String source) {
+    return source.contains('ssl = false') ||
+        source.contains('ssl: false') ||
+        source.contains('tls = false') ||
+        source.contains('tls: false') ||
+        source.contains('secure = false') ||
+        source.contains('secure: false');
+  }
+}