npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S031_secure_session_cookies.dart ADDED Viewed

@@ -0,0 +1,118 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S031: Secure Session Cookies
+/// Ensure session cookies have Secure flag enabled
+class S031SecureSessionCookiesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S031';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S031Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S031Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S031SecureSessionCookiesAnalyzer analyzer;
+  _S031Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    // Check for Cookie creation
+    if (typeName == 'cookie') {
+      final source = node.toSource().toLowerCase();
+      // Check for session-related cookies
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        // Check for Secure flag
+        bool hasSecureFlag = source.contains('secure: true') ||
+            source.contains('secure:true');
+        if (!hasSecureFlag) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie should have Secure flag enabled (secure: true)',
+          ));
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for cookie setting methods - must be cookie-related context
+    bool isCookieContext = source.contains('cookie') ||
+        source.contains('setcookie') ||
+        source.contains('set-cookie') ||
+        (node.target?.toSource().toLowerCase().contains('cookie') ?? false);
+    // Skip if not cookie context (e.g., interceptors.add(), list.add(), etc.)
+    if (!isCookieContext) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+    if (methodName == 'setcookie' || methodName == 'set' || methodName == 'add') {
+      // Check if it's a session cookie
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        bool hasSecureFlag = source.contains('secure');
+        if (!hasSecureFlag) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie without Secure flag',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S032_httponly_session_cookies.dart ADDED Viewed

@@ -0,0 +1,114 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S032: HttpOnly Session Cookies
+/// Ensure session cookies have HttpOnly flag enabled
+class S032HttpOnlySessionCookiesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S032';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S032Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S032Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S032HttpOnlySessionCookiesAnalyzer analyzer;
+  _S032Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    if (typeName == 'cookie') {
+      final source = node.toSource().toLowerCase();
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        bool hasHttpOnly = source.contains('httponly: true') ||
+            source.contains('httponly:true');
+        if (!hasHttpOnly) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie should have HttpOnly flag (httpOnly: true) to prevent XSS attacks',
+          ));
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for cookie setting methods - must be cookie-related context
+    bool isCookieContext = source.contains('cookie') ||
+        source.contains('setcookie') ||
+        source.contains('set-cookie') ||
+        (node.target?.toSource().toLowerCase().contains('cookie') ?? false);
+    // Skip if not cookie context
+    if (!isCookieContext) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+    if (methodName == 'setcookie' || methodName == 'set' || methodName == 'add') {
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        bool hasHttpOnly = source.contains('httponly');
+        if (!hasHttpOnly) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie without HttpOnly flag - vulnerable to XSS',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S033_samesite_session_cookies.dart ADDED Viewed

@@ -0,0 +1,120 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S033: SameSite Session Cookies
+/// Ensure session cookies have SameSite attribute set
+class S033SameSiteSessionCookiesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S033';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S033Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S033Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S033SameSiteSessionCookiesAnalyzer analyzer;
+  _S033Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    if (typeName == 'cookie') {
+      final source = node.toSource().toLowerCase();
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        bool hasSameSite = source.contains('samesite');
+        if (!hasSameSite) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie should have SameSite attribute (Strict or Lax) to prevent CSRF',
+          ));
+        } else if (source.contains('samesite: none') || source.contains("samesite:'none'")) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'SameSite=None makes cookies vulnerable to CSRF - use Strict or Lax',
+          ));
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for cookie setting methods - must be cookie-related context
+    bool isCookieContext = source.contains('cookie') ||
+        source.contains('setcookie') ||
+        source.contains('set-cookie') ||
+        (node.target?.toSource().toLowerCase().contains('cookie') ?? false);
+    // Skip if not cookie context
+    if (!isCookieContext) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+    if (methodName == 'setcookie' || methodName == 'set' || methodName == 'add') {
+      bool isSessionCookie = source.contains('session') ||
+          source.contains('token') ||
+          source.contains('auth');
+      if (isSessionCookie) {
+        bool hasSameSite = source.contains('samesite');
+        if (!hasSameSite) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie without SameSite attribute',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S034_host_prefix_session_cookies.dart ADDED Viewed

@@ -0,0 +1,160 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S034: __Host- Prefix Session Cookies
+/// Use __Host- prefix for secure session cookies
+class S034HostPrefixSessionCookiesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S034';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S034Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S034Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S034HostPrefixSessionCookiesAnalyzer analyzer;
+  _S034Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    if (typeName == 'cookie') {
+      final source = node.toSource().toLowerCase();
+      // Check for session-related cookies - more flexible matching
+      // Match patterns like: session_id, sessionid, session_token, sessionToken, auth_token, etc.
+      bool isSessionCookie = source.contains('session_id') ||
+          source.contains('sessionid') ||
+          source.contains('session_token') ||
+          source.contains('sessiontoken') ||
+          source.contains('auth_token') ||
+          source.contains('authtoken') ||
+          (source.contains('session') && source.contains('token'));
+      if (isSessionCookie) {
+        // Check for __Host- or __Secure- prefix
+        bool hasSecurePrefix = source.contains('__host-') || source.contains('__secure-');
+        if (!hasSecurePrefix) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Consider using __Host- prefix for session cookies for enhanced security',
+          ));
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+    // Check for cookie name that should have prefix
+    if ((value.contains('session') || value.contains('auth')) &&
+        (value.contains('id') || value.contains('token'))) {
+      if (!value.startsWith('__host-') && !value.startsWith('__secure-')) {
+        // Check if this is a cookie name (heuristic)
+        final parent = node.parent;
+        if (parent != null) {
+          final parentSource = parent.toSource().toLowerCase();
+          // Skip non-cookie contexts (JSON keys, API params, annotations, etc.)
+          bool isNonCookieContext =
+              parentSource.contains('jsonkey') ||
+              parentSource.contains('json_key') ||
+              parentSource.contains('@jsonkey') ||
+              parentSource.contains('request') ||
+              parentSource.contains('postinstall') ||
+              parentSource.contains('apiresponse') ||
+              parentSource.contains('api_response') ||
+              parentSource.contains('factory');
+          if (isNonCookieContext) {
+            super.visitSimpleStringLiteral(node);
+            return;
+          }
+          // Only report if it's actually cookie-related
+          if (parentSource.contains('cookie') ||
+              (parentSource.contains('set-cookie') || parentSource.contains('setcookie'))) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Session cookie should use __Host- prefix for security',
+            ));
+          }
+        }
+      }
+    }
+    super.visitSimpleStringLiteral(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for cookie add/set methods
+    if (methodName == 'setcookie' || methodName == 'set' || methodName == 'add') {
+      final source = node.toSource().toLowerCase();
+      // Check for session-related cookies
+      bool isSessionCookie = source.contains('session_id') ||
+          source.contains('sessionid') ||
+          source.contains('session_token') ||
+          source.contains('sessiontoken') ||
+          source.contains('auth_token') ||
+          source.contains('authtoken');
+      if (isSessionCookie) {
+        bool hasSecurePrefix = source.contains('__host-') || source.contains('__secure-');
+        if (!hasSecurePrefix) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session cookie should use __Host- prefix',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S035_separate_app_hostnames.dart ADDED Viewed

@@ -0,0 +1,117 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S035: Host separate applications on different hostnames
+/// Detect patterns suggesting multiple apps sharing same origin (path-based routing)
+class S035SeparateAppHostnamesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S035';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S035Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S035Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S035SeparateAppHostnamesAnalyzer analyzer;
+  // Patterns indicating path-based multi-app on same origin
+  static final _pathBasedAppPatterns = [
+    RegExp(r'/app[12]/'),
+    RegExp(r'/admin/'),
+    RegExp(r'/portal/'),
+    RegExp(r'/dashboard/'),
+  ];
+  _S035Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value;
+    // Check for patterns suggesting path-based multi-app routing
+    // e.g., "https://example.com/app1/api" or "https://example.com/admin/"
+    if (_isPathBasedMultiAppUrl(value)) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Path-based app routing detected. Consider using separate hostnames for security isolation: "$value"',
+      ));
+    }
+    super.visitSimpleStringLiteral(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for route registration with path-based app separation
+    if (methodName == 'route' || methodName == 'addroute' || methodName == 'use') {
+      for (final pattern in _pathBasedAppPatterns) {
+        if (pattern.hasMatch(source)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Path-based application routing. Consider separate hostnames for same-origin policy benefits',
+          ));
+          break;
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  bool _isPathBasedMultiAppUrl(String value) {
+    // Skip if not a URL
+    if (!value.startsWith('http://') && !value.startsWith('https://')) {
+      return false;
+    }
+    // Skip localhost/development URLs
+    if (value.contains('localhost') || value.contains('127.0.0.1')) {
+      return false;
+    }
+    // Check for path-based app patterns after the domain
+    // e.g., https://example.com/app1/... or https://example.com/admin/...
+    for (final pattern in _pathBasedAppPatterns) {
+      if (pattern.hasMatch(value)) {
+        return true;
+      }
+    }
+    return false;
+  }
+}