@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S036_lfi_rfi_protection.dart

@@ -0,0 +1,188 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S036: LFI/RFI Protection
+/// Prevent Local/Remote File Inclusion attacks
+class S036LfiRfiProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S036';
+
+  // Actual risky file operations that read content from paths
+  static const _riskyFileOperations = [
+    'readasstring', 'readasbytes', 'readaslines',
+  ];
+
+  // Safe Flutter/Dart path utilities that should NOT trigger violations
+  static const _safePathMethods = [
+    // path_provider methods
+    'gettemporarydirectory', 'getapplicationdocumentsdirectory',
+    'getapplicationsupportdirectory', 'getdownloadsdirectory',
+    'getexternalstoragedirectory', 'getlibrarypath',
+    // path package methods
+    'join', 'basename', 'dirname', 'extension', 'normalize',
+    'relative', 'absolute', 'separator', 'split', 'context',
+    // Flutter asset methods
+    'rootbundle', 'assetbundle', 'loadstring', 'load',
+    // Future utilities
+    'microtask', 'delayed', 'wait', 'timeout',
+  ];
+
+  // Safe context identifiers that should NOT trigger violations
+  static const _safeContextPatterns = [
+    'element.path',     // Widget element path
+    'route.path',       // Navigation route
+    'widget.path',      // Widget path
+    'context.path',     // Build context
+    'navigator',        // Navigation
+    '.value',           // Value notifier
+    'notifier',         // State notifier
+  ];
+
+  // Path traversal patterns (actual security concern)
+  static const _traversalPatterns = [
+    '..', '%2e%2e', '..%2f', '%2e%2e%2f', '..\\',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S036Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+
+  /// Check if method is a safe path utility
+  static bool isSafeMethod(String source) {
+    final lowerSource = source.toLowerCase();
+    return _safePathMethods.any((m) => lowerSource.contains(m)) ||
+           _safeContextPatterns.any((p) => lowerSource.contains(p));
+  }
+}
+
+class _S036Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S036LfiRfiProtectionAnalyzer analyzer;
+
+  _S036Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Skip safe path methods (path_provider, path package, etc.)
+    if (S036LfiRfiProtectionAnalyzer.isSafeMethod(source)) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Only check actual risky file read operations
+    bool isRiskyFileOp = S036LfiRfiProtectionAnalyzer._riskyFileOperations
+        .any((op) => methodName.contains(op));
+
+    if (isRiskyFileOp) {
+      // Check for user input in file path (only StringInterpolation with external data)
+      for (final arg in node.argumentList.arguments) {
+        if (arg is StringInterpolation) {
+          // Check if interpolation contains potentially dangerous input
+          final argSource = arg.toSource().toLowerCase();
+          if (_containsUserInput(argSource)) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'LFI/RFI risk - validate and sanitize file paths from user input',
+            ));
+            break;
+          }
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme;
+
+    // Only check File class with user input paths
+    if (typeName == 'File') {
+      final args = node.argumentList.arguments;
+      if (args.isNotEmpty) {
+        final firstArg = args.first;
+        final source = node.toSource().toLowerCase();
+
+        // Skip if using safe path methods
+        if (S036LfiRfiProtectionAnalyzer.isSafeMethod(source)) {
+          super.visitInstanceCreationExpression(node);
+          return;
+        }
+
+        // Only flag if path comes from potentially dangerous user input
+        if (firstArg is StringInterpolation) {
+          final argSource = firstArg.toSource().toLowerCase();
+          if (_containsUserInput(argSource)) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'File path with user input - validate against path traversal attacks',
+            ));
+          }
+        }
+      }
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+
+  @override
+  void visitBinaryExpression(BinaryExpression node) {
+    // Skip - too many false positives for path concatenation
+    // Real LFI protection is at the file read level
+    super.visitBinaryExpression(node);
+  }
+
+  /// Check if source likely contains user input (not just internal state)
+  bool _containsUserInput(String source) {
+    // Patterns that suggest external/user input
+    final userInputPatterns = [
+      'request', 'param', 'query', 'body', 'input', 'args',
+      'argument', 'header', 'url', 'uri', 'form', 'upload',
+    ];
+
+    // Skip if source is from safe internal sources
+    final safePatterns = [
+      'document', 'cache', 'temp', 'application', 'bundle',
+      'asset', 'resource', 'config', 'settings',
+    ];
+
+    final hasUserInput = userInputPatterns.any((p) => source.contains(p));
+    final isSafeSource = safePatterns.any((p) => source.contains(p));
+
+    return hasUserInput && !isSafeSource;
+  }
+}

package/dart_analyzer/lib/rules/security/S037_cache_headers.dart

@@ -0,0 +1,113 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S037: Cache Headers for Sensitive Data
+/// Ensure proper cache-control headers for sensitive responses
+class S037CacheHeadersAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S037';
+
+  // Sensitive response indicators
+  static const _sensitiveIndicators = [
+    'password', 'token', 'secret', 'auth', 'session',
+    'credit', 'ssn', 'personal', 'private', 'user',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S037Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S037Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S037CacheHeadersAnalyzer analyzer;
+
+  _S037Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    final target = node.target?.toSource().toLowerCase() ?? '';
+
+    // Skip non-HTTP contexts (local storage, file I/O, etc.)
+    final nonHttpContexts = [
+      'securestorage', 'secure_storage', 'sharedpreferences', 'shared_preferences',
+      'hive', 'sqlite', 'database', 'file', 'stream', 'socket',
+      'localstore', 'local_store', 'cache', 'prefs', 'preferences',
+    ];
+    if (nonHttpContexts.any((c) => source.contains(c) || target.contains(c))) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for HTTP response methods with sensitive data
+    // Must be in HTTP context: response.json(), res.send(), http.write()
+    bool isHttpResponse = target.contains('response') ||
+        target.contains('res') ||
+        target.contains('http') ||
+        target.contains('reply');
+
+    if ((methodName == 'json' || methodName == 'send') && isHttpResponse) {
+      bool hasSensitiveData = S037CacheHeadersAnalyzer._sensitiveIndicators
+          .any((i) => source.contains(i));
+
+      if (hasSensitiveData) {
+        // Check for cache-control headers in surrounding context
+        AstNode? current = node.parent;
+        bool hasCacheControl = false;
+        int depth = 0;
+
+        while (current != null && depth < 10) {
+          final parentSource = current.toSource().toLowerCase();
+          if (parentSource.contains('cache-control') ||
+              parentSource.contains('cachecontrol') ||
+              parentSource.contains('no-store') ||
+              parentSource.contains('no-cache')) {
+            hasCacheControl = true;
+            break;
+          }
+          current = current.parent;
+          depth++;
+        }
+
+        if (!hasCacheControl) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive response should have Cache-Control: no-store header',
+          ));
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S038_no_version_headers.dart

@@ -0,0 +1,114 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S038: No Version Headers
+/// Do not expose server/framework version in HTTP headers
+class S038NoVersionHeadersAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S038';
+
+  // Headers that expose version info
+  static const _versionHeaders = [
+    'x-powered-by', 'server', 'x-aspnet-version', 'x-aspnetmvc-version',
+    'x-drupal-cache', 'x-generator', 'x-runtime', 'x-version',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S038Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S038Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S038NoVersionHeadersAnalyzer analyzer;
+
+  _S038Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+
+    // Check for header setting methods
+    if (methodName == 'setheader' || methodName == 'set' || methodName == 'add') {
+      final args = node.argumentList.arguments;
+      if (args.isNotEmpty) {
+        final firstArg = args.first;
+        if (firstArg is SimpleStringLiteral) {
+          final headerName = firstArg.value.toLowerCase();
+
+          bool isVersionHeader = S038NoVersionHeadersAnalyzer._versionHeaders
+              .any((h) => headerName.contains(h));
+
+          if (isVersionHeader) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Do not expose server/framework version in "$headerName" header',
+            ));
+          }
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitMapLiteralEntry(MapLiteralEntry node) {
+    final key = node.key;
+
+    if (key is SimpleStringLiteral) {
+      final headerName = key.value.toLowerCase();
+
+      bool isVersionHeader = S038NoVersionHeadersAnalyzer._versionHeaders
+          .any((h) => headerName.contains(h));
+
+      if (isVersionHeader) {
+        // Check if this is in a headers context
+        AstNode? current = node.parent;
+        while (current != null) {
+          final source = current.toSource().toLowerCase();
+          if (source.contains('header')) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Avoid setting version-revealing header "$headerName"',
+            ));
+            break;
+          }
+          current = current.parent;
+        }
+      }
+    }
+
+    super.visitMapLiteralEntry(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S039_tls_certificate_validation.dart

@@ -0,0 +1,131 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S039: TLS clients must validate server certificates
+/// Detect patterns where TLS certificate validation is disabled
+class S039TlsCertificateValidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S039';
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S039Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S039Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S039TlsCertificateValidationAnalyzer analyzer;
+
+  _S039Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check for badCertificateCallback that returns true (bypasses validation)
+    if (source.contains('badcertificatecallback')) {
+      // Check if the callback returns true (bypasses certificate validation)
+      final fullSource = node.toSource();
+      if (fullSource.contains('=> true') ||
+          fullSource.contains('return true')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'TLS certificate validation disabled - badCertificateCallback returns true',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final name = node.name.label.name.toLowerCase();
+    final value = node.expression.toSource().toLowerCase();
+
+    // Check for onBadCertificate: (cert) => true
+    if (name == 'onbadcertificate') {
+      if (value.contains('=> true') || value.contains('return true')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'TLS certificate validation bypassed - onBadCertificate returns true',
+        ));
+      }
+    }
+
+    // Check for allowInvalidCertificates: true (common in http packages)
+    if (name == 'allowinvalidcertificates' && value == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'allowInvalidCertificates: true disables certificate validation',
+      ));
+    }
+
+    // Check for rejectUnauthorized: false
+    if (name == 'rejectunauthorized' && value == 'false') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'rejectUnauthorized: false disables TLS certificate validation',
+      ));
+    }
+
+    super.visitNamedExpression(node);
+  }
+
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final left = node.leftHandSide.toSource().toLowerCase();
+    final right = node.rightHandSide.toSource().toLowerCase();
+
+    // Check for SecurityContext settings that disable validation
+    if (left.contains('securitycontext') &&
+        (right.contains('false') || right.contains('=> true'))) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'SecurityContext configured to bypass certificate validation',
+      ));
+    }
+
+    super.visitAssignmentExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S040_session_fixation_protection.dart

@@ -0,0 +1,155 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S040: Session Fixation Protection
+/// Regenerate session ID after authentication
+class S040SessionFixationProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S040';
+
+  // Login/auth method indicators
+  static const _authMethods = [
+    'login', 'signin', 'sign_in', 'authenticate', 'auth',
+    'logon', 'log_on', 'signon', 'sign_on',
+  ];
+
+  // Session regeneration methods
+  static const _regenerateMethods = [
+    'regenerate', 'regenerateid', 'regenerate_id', 'newsession',
+    'new_session', 'createsession', 'create_session', 'invalidate',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S040Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S040Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S040SessionFixationProtectionAnalyzer analyzer;
+
+  _S040Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    final methodName = node.name.lexeme.toLowerCase();
+
+    // Check if this is an authentication method
+    bool isAuthMethod = S040SessionFixationProtectionAnalyzer._authMethods
+        .any((m) => methodName.contains(m));
+
+    if (isAuthMethod) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase();
+
+        // Skip helper/stub functions (very short bodies or just return statements)
+        // These are typically: `=> true;`, `=> null;`, `async => ...;`
+        if (body is ExpressionFunctionBody) {
+          // Arrow function - likely a helper, skip it
+          super.visitMethodDeclaration(node);
+          return;
+        }
+
+        // Skip if body is too short (less than 50 chars typically means stub)
+        if (bodySource.length < 50) {
+          super.visitMethodDeclaration(node);
+          return;
+        }
+
+        // Skip if method doesn't actually handle session (no session param/usage)
+        if (!bodySource.contains('session')) {
+          super.visitMethodDeclaration(node);
+          return;
+        }
+
+        bool hasRegeneration = S040SessionFixationProtectionAnalyzer._regenerateMethods
+            .any((m) => bodySource.contains(m));
+
+        if (!hasRegeneration) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session fixation risk - regenerate session ID after successful authentication',
+          ));
+        }
+      }
+    }
+
+    super.visitMethodDeclaration(node);
+  }
+
+  @override
+  void visitFunctionDeclaration(FunctionDeclaration node) {
+    final funcName = node.name.lexeme.toLowerCase();
+
+    bool isAuthFunc = S040SessionFixationProtectionAnalyzer._authMethods
+        .any((m) => funcName.contains(m));
+
+    if (isAuthFunc) {
+      final body = node.functionExpression.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase();
+
+        // Skip arrow functions (helper functions)
+        if (body is ExpressionFunctionBody) {
+          super.visitFunctionDeclaration(node);
+          return;
+        }
+
+        // Skip short bodies
+        if (bodySource.length < 50) {
+          super.visitFunctionDeclaration(node);
+          return;
+        }
+
+        // Skip if function doesn't handle session
+        if (!bodySource.contains('session')) {
+          super.visitFunctionDeclaration(node);
+          return;
+        }
+
+        bool hasRegeneration = S040SessionFixationProtectionAnalyzer._regenerateMethods
+            .any((m) => bodySource.contains(m));
+
+        if (!hasRegeneration) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Session fixation risk - regenerate session after login',
+          ));
+        }
+      }
+    }
+
+    super.visitFunctionDeclaration(node);
+  }
+}