@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S027_mtls_certificate_validation.dart

@@ -0,0 +1,195 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S027: Validate mTLS client certificates before authentication
+/// Ensure mTLS client certificates are properly validated before trusting certificate identity
+class S027MtlsCertificateValidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S027';
+
+  // Patterns for excluded URLs/paths
+  static final _excludedUrlPatterns = [
+    RegExp(r'localhost', caseSensitive: false),
+    RegExp(r'127\.0\.0\.1'),
+    RegExp(r'\[::1\]'),
+    RegExp(r'0\.0\.0\.0'),
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S027Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S027Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S027MtlsCertificateValidationAnalyzer analyzer;
+
+  _S027Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check for badCertificateCallback = (args) => true (disables cert validation)
+    if (source.contains('badcertificatecallback') && source.contains('=> true')) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'mTLS certificate validation disabled. badCertificateCallback should validate certificates properly',
+      ));
+    }
+
+    super.visitAssignmentExpression(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final name = node.name.label.name.toLowerCase();
+    final expression = node.expression;
+
+    // Check for badCertificateCallback returning true (disabling validation)
+    if (name == 'badcertificatecallback' && expression is FunctionExpression) {
+      final body = expression.body;
+      if (body is ExpressionFunctionBody) {
+        final bodySource = body.expression.toSource().toLowerCase();
+        if (bodySource == 'true') {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'mTLS certificate validation disabled. Implement proper certificate validation',
+          ));
+        }
+      }
+    }
+
+    // Check for onBadCertificate: (cert) => true
+    if (name == 'onbadcertificate' && expression is FunctionExpression) {
+      final body = expression.body;
+      if (body is ExpressionFunctionBody) {
+        final bodySource = body.expression.toSource().toLowerCase();
+        if (bodySource == 'true') {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Certificate validation bypassed in onBadCertificate. Validate certificates properly',
+          ));
+        }
+      }
+    }
+
+    // Check for context.setTrustedCertificatesBytes with allowInvalidCertificates: true
+    if (name == 'allowinvalidcertificates' &&
+        expression is BooleanLiteral &&
+        expression.value) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'allowInvalidCertificates enabled. This bypasses certificate validation',
+      ));
+    }
+
+    // Check for insecure SecurityContext options
+    if (name == 'onbadcertificate' || name == 'badcertificatecallback') {
+      // Check if the callback always returns true (inline)
+      if (expression is SimpleIdentifier) {
+        // Could be a function reference - need deeper analysis
+      }
+    }
+
+    super.visitNamedExpression(node);
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Check for SecurityContext methods that bypass validation
+    if (methodName == 'settrustanchorsfrombytes' ||
+        methodName == 'settrustedcertificatesbytes') {
+      // Check if used with allowInvalidCertificates: true in arguments
+      for (final arg in node.argumentList.arguments) {
+        if (arg is NamedExpression) {
+          final argName = arg.name.label.name.toLowerCase();
+          if (argName == 'allowinvalidcertificates') {
+            final expr = arg.expression;
+            if (expr is BooleanLiteral && expr.value) {
+              violations.add(analyzer.createViolation(
+                filePath: filePath,
+                line: analyzer.getLine(lineInfo, node.offset),
+                column: analyzer.getColumn(lineInfo, node.offset),
+                message: 'Certificate validation bypassed with allowInvalidCertificates: true',
+              ));
+            }
+          }
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+
+    // Check for HttpClient or SecurityContext creation with insecure options
+    if (typeName == 'httpclient' || typeName == 'securitycontext') {
+      for (final arg in node.argumentList.arguments) {
+        if (arg is NamedExpression) {
+          final argName = arg.name.label.name.toLowerCase();
+
+          // Check for badCertificateCallback: (cert, host, port) => true
+          if (argName == 'badcertificatecallback' || argName == 'onbadcertificate') {
+            final expr = arg.expression;
+            if (expr is FunctionExpression) {
+              final body = expr.body;
+              if (body is ExpressionFunctionBody) {
+                final bodySource = body.expression.toSource().toLowerCase();
+                if (bodySource == 'true') {
+                  violations.add(analyzer.createViolation(
+                    filePath: filePath,
+                    line: analyzer.getLine(lineInfo, node.offset),
+                    column: analyzer.getColumn(lineInfo, node.offset),
+                    message: 'Insecure $typeName created with certificate validation disabled',
+                  ));
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S028_file_upload_size_limits.dart

@@ -0,0 +1,186 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S028: File Upload Size Limits
+/// Ensure file upload size limits are enforced
+class S028FileUploadSizeLimitsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S028';
+
+  // File upload methods - ONLY actual implementations that create FormData/MultipartFile
+  // Note: We now focus on FormData/MultipartFile creation, not method names
+  // because many methods call upload functions without implementing the actual upload
+  // This list is kept for special cases where the upload is done differently
+  static const _uploadMethods = <String>[];  // Empty - rely on FormData/MultipartFile detection
+
+  // Patterns that are NOT HTTP uploads (local file operations)
+  // These should be excluded from file size limit requirement
+  static const _localFileOperationPatterns = [
+    'imagegallerysaver',  // Flutter plugin to save to device gallery
+    'gallerysaver',       // Save to gallery
+    'saveimagetogallery', // Save image to gallery
+    'savevideotogallery', // Save video to gallery
+    'filesaver',          // File saver plugins
+    'savetodisk',         // Local disk save
+    'writetofile',        // Local file write
+    'localfilesystem',    // Local filesystem operations
+    'pathprovider',       // Flutter path provider (local storage)
+    'gettemporarydirectory', // Temp directory
+    'getapplicationdocumentsdirectory', // App documents
+    'addpositionlistener', // Audio/video player listeners
+    'addcompletelistener', // Completion listeners
+    'startvideorecording', // Camera recording (local)
+    'stopvideorecording',  // Camera recording (local)
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S028Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S028Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S028FileUploadSizeLimitsAnalyzer analyzer;
+
+  _S028Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  // Patterns to detect size limit checks - with word boundaries
+  static final _sizeLimitPatterns = [
+    RegExp(r'\bsize\b', caseSensitive: false),
+    RegExp(r'\blength\b', caseSensitive: false),
+    RegExp(r'\blimit\b', caseSensitive: false),
+    RegExp(r'\bmaxsize\b', caseSensitive: false),
+    RegExp(r'\bmax_size\b', caseSensitive: false),
+    RegExp(r'\bbytes\b', caseSensitive: false),
+    RegExp(r'\bsizelimit\b', caseSensitive: false),
+    RegExp(r'\bfilesize\b', caseSensitive: false),
+    RegExp(r'\bcontentlength\b', caseSensitive: false),
+  ];
+
+  bool _hasSizeCheck(AstNode node) {
+    AstNode? current = node.parent;
+    int depth = 0;
+
+    // Only check immediate context (within 5 levels), not class-level
+    while (current != null && depth < 5) {
+      // Skip checking class declarations - too broad
+      if (current is ClassDeclaration) {
+        break;
+      }
+
+      final parentSource = current.toSource().toLowerCase();
+      for (final pattern in _sizeLimitPatterns) {
+        if (pattern.hasMatch(parentSource)) {
+          return true;
+        }
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+
+  // Check if the operation is a local file operation (not HTTP upload)
+  bool _isLocalFileOperation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final target = node.target?.toSource().toLowerCase() ?? '';
+
+    // Check if method call target or source matches local file operation patterns
+    return S028FileUploadSizeLimitsAnalyzer._localFileOperationPatterns
+        .any((p) => source.contains(p) || target.contains(p));
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Skip local file operations (save to gallery, disk, etc.) - NOT HTTP uploads
+    if (_isLocalFileOperation(node)) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for file upload constructor calls (parsed as method invocations in Dart)
+    // MultipartFile(...) or FormData(...) without 'new' keyword
+    if (methodName == 'multipartfile' || methodName == 'formdata') {
+      if (!_hasSizeCheck(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload without size limit - enforce maximum file size',
+        ));
+      }
+    }
+
+    // Skip debug/logging statements - they just mention "upload" in strings
+    if (methodName == 'debugprint' || methodName == 'print' ||
+        methodName == 'log' || methodName.startsWith('log')) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for file upload operations by method name only (not string content)
+    bool isUploadOp = S028FileUploadSizeLimitsAnalyzer._uploadMethods
+        .any((m) => methodName.contains(m));
+
+    if (isUploadOp) {
+      if (!_hasSizeCheck(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload without size limit check - enforce maximum file size',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+
+    // Check for MultipartFile or FormData creation (when 'new' keyword is used)
+    if (typeName == 'multipartfile' || typeName == 'formdata') {
+      if (!_hasSizeCheck(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload creation without size limit',
+        ));
+      }
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S029_csrf_protection.dart

@@ -0,0 +1,171 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S029: CSRF Protection
+/// Ensure CSRF protection is implemented for state-changing HTTP operations
+class S029CsrfProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S029';
+
+  // HTTP client methods that indicate actual network requests
+  static const _httpClientMethods = [
+    'http.post', 'http.put', 'http.patch', 'http.delete',
+    'dio.post', 'dio.put', 'dio.patch', 'dio.delete',
+    'client.post', 'client.put', 'client.patch', 'client.delete',
+  ];
+
+  // HTTP method names when called on HTTP clients
+  static const _httpMethods = ['post', 'put', 'patch', 'delete'];
+
+  // HTTP client class names
+  static const _httpClients = [
+    'http', 'dio', 'client', 'httpclient', 'http_client',
+    'apiservice', 'api_service', 'apiclient', 'api_client',
+  ];
+
+  // CSRF protection indicators
+  static const _csrfIndicators = [
+    'csrf', 'xsrf', '_token', 'csrftoken', 'csrf_token',
+    'x-csrf-token', 'x-xsrf-token', 'antiforgery',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Skip Flutter UI files - they don't make direct HTTP calls
+    final fileName = filePath.toLowerCase();
+    if (fileName.contains('screen') ||
+        fileName.contains('widget') ||
+        fileName.contains('view') ||
+        fileName.contains('page') ||
+        fileName.contains('component') ||
+        fileName.contains('_item') ||
+        fileName.contains('effect_item') ||
+        fileName.contains('stepper') ||
+        fileName.contains('step_')) {
+      return [];
+    }
+
+    final violations = <Violation>[];
+    final visitor = _S029Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S029Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S029CsrfProtectionAnalyzer analyzer;
+
+  _S029Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Only check if it's an HTTP method
+    if (!S029CsrfProtectionAnalyzer._httpMethods.contains(methodName)) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check if the method is called on an HTTP client
+    final target = node.target;
+    if (target == null) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    final targetSource = target.toSource().toLowerCase();
+    bool isHttpClient = S029CsrfProtectionAnalyzer._httpClients
+        .any((c) => targetSource.contains(c));
+
+    if (!isHttpClient) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // This is a state-changing HTTP call - check for CSRF protection
+    final source = node.toSource().toLowerCase();
+
+    bool hasCsrfProtection = S029CsrfProtectionAnalyzer._csrfIndicators
+        .any((i) => source.contains(i));
+
+    if (!hasCsrfProtection) {
+      // Check in surrounding context (headers, options, etc.)
+      AstNode? current = node.parent;
+      int depth = 0;
+
+      while (current != null && depth < 5) {
+        final parentSource = current.toSource().toLowerCase();
+        if (S029CsrfProtectionAnalyzer._csrfIndicators.any((i) => parentSource.contains(i))) {
+          hasCsrfProtection = true;
+          break;
+        }
+        current = current.parent;
+        depth++;
+      }
+
+      if (!hasCsrfProtection) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'CSRF protection may be missing for HTTP ${methodName.toUpperCase()} request',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitAnnotation(Annotation node) {
+    final name = node.name.toSource().toLowerCase();
+
+    // Check for route annotations with state-changing methods
+    if (name.contains('route') || name.contains('mapping')) {
+      final source = node.toSource().toLowerCase();
+
+      bool isStateChanging = S029CsrfProtectionAnalyzer._httpMethods
+          .any((m) => source.contains("'$m'") || source.contains('"$m"'));
+
+      if (isStateChanging) {
+        bool hasCsrfProtection = S029CsrfProtectionAnalyzer._csrfIndicators
+            .any((i) => source.contains(i));
+
+        if (!hasCsrfProtection) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Route with state-changing method should have CSRF protection',
+          ));
+        }
+      }
+    }
+
+    super.visitAnnotation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S030_directory_browsing_protection.dart

@@ -0,0 +1,144 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S030: Directory Browsing Protection
+/// Prevent directory listing/browsing attacks on web servers
+class S030DirectoryBrowsingProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S030';
+
+  // Actual static file serving methods in web frameworks
+  static const _webServerMethods = [
+    'createstatichandler', 'staticfilehandler', 'statichandler',
+    'servedir', 'serve_dir', 'servestaticfiles',
+    'staticfilemiddleware', 'staticfiles',
+  ];
+
+  // Web server frameworks/packages
+  static const _webServerPackages = [
+    'shelf_static', 'shelf', 'dart_frog', 'angel',
+    'conduit', 'aqueduct', 'express',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Only analyze files that are likely web server related
+    final fileName = filePath.toLowerCase();
+    final isWebServerFile = fileName.contains('server') ||
+        fileName.contains('handler') ||
+        fileName.contains('middleware') ||
+        fileName.contains('route') ||
+        fileName.contains('api');
+
+    // Skip mobile/Flutter UI files
+    if (fileName.contains('screen') ||
+        fileName.contains('widget') ||
+        fileName.contains('view') ||
+        fileName.contains('page') ||
+        fileName.contains('notifier') ||
+        fileName.contains('provider') ||
+        fileName.contains('state')) {
+      return [];
+    }
+
+    final violations = <Violation>[];
+    final visitor = _S030Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S030Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S030DirectoryBrowsingProtectionAnalyzer analyzer;
+
+  _S030Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Only check actual web server static file serving methods
+    bool isWebServerStaticServe = S030DirectoryBrowsingProtectionAnalyzer._webServerMethods
+        .any((m) => methodName.contains(m) || source.contains(m));
+
+    // Also check if using web server packages
+    bool usesWebServerPackage = S030DirectoryBrowsingProtectionAnalyzer._webServerPackages
+        .any((p) => source.contains(p));
+
+    if (isWebServerStaticServe || usesWebServerPackage) {
+      // Check for listing/browsing configuration
+      bool hasListingConfig = source.contains('listdirectory') ||
+          source.contains('list_directory') ||
+          source.contains('directorylisting') ||
+          source.contains('directory_listing') ||
+          source.contains('allowlisting') ||
+          source.contains('allow_listing');
+
+      // Check if listing is explicitly enabled
+      if (hasListingConfig && source.contains('true')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Directory listing enabled on static file server - security risk',
+        ));
+      } else if (!hasListingConfig && isWebServerStaticServe) {
+        // Only warn if it's definitely a static file handler without config
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Static file handler - ensure directory listing is disabled',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+
+    // Check for directory listing parameter in web server context
+    if (paramName.contains('listing') || paramName.contains('browse')) {
+      if (node.expression is BooleanLiteral) {
+        final value = (node.expression as BooleanLiteral).value;
+        if (value) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Directory listing enabled - security risk',
+          ));
+        }
+      }
+    }
+
+    super.visitNamedExpression(node);
+  }
+}