npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S041_session_token_invalidation.dart ADDED Viewed

@@ -0,0 +1,201 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S041: Session Token Invalidation
+/// Ensure session tokens are properly invalidated on logout
+class S041SessionTokenInvalidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S041';
+  // Logout method indicators
+  static const _logoutMethods = [
+    'logout', 'log_out', 'signout', 'sign_out', 'logoff', 'log_off',
+  ];
+  // Session invalidation methods
+  static const _invalidateMethods = [
+    'destroy', 'invalidate', 'clear', 'delete', 'remove', 'revoke',
+    'terminate', 'expire', 'end',
+  ];
+  // SDK logout patterns that handle token invalidation internally
+  static const _sdkLogoutPatterns = [
+    // Auth0
+    'auth0', 'webauthentication.logout', 'credentialsmanager.clearcredentials',
+    'clearcredentials',
+    // Firebase
+    'firebaseauth', 'firebase_auth', 'signout',
+    // Google Sign-In
+    'googlesignin', 'google_sign_in',
+    // Apple Sign-In
+    'signinwithapple', 'sign_in_with_apple',
+    // Generic OAuth/OIDC
+    'oauth', 'oidc', 'openidconnect',
+    // Flutter Secure Storage
+    'fluttersecurestorage', 'flutter_secure_storage', 'securestorage',
+    // SharedPreferences clear
+    'sharedpreferences',
+  ];
+  // Patterns that indicate proper delegation to another logout method
+  static const _delegationPatterns = [
+    'await_logout', 'awaitlogout', // await _logout() or await logout()
+    '_logout(', 'logout(',         // calling internal logout method
+    '_authservice', '_authmanager',
+    'authservice.logout', 'authmanager.logout', 'auth.logout',
+    'viewmodel.logout', '_auth.logout',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S041Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S041Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S041SessionTokenInvalidationAnalyzer analyzer;
+  _S041Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    // Skip abstract methods (interface declarations) - they have no body to check
+    if (node.isAbstract || node.body == null || node.body is EmptyFunctionBody) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    final methodName = node.name.lexeme.toLowerCase();
+    // Skip setter/getter methods like setClickLogout, isLogout, getLogoutState
+    // These are NOT actual logout implementations
+    if (methodName.startsWith('set') || methodName.startsWith('get') ||
+        methodName.startsWith('is') || methodName.startsWith('has') ||
+        methodName.startsWith('can') || methodName.startsWith('should') ||
+        methodName.contains('click') || methodName.contains('state') ||
+        methodName.contains('status') || methodName.contains('flag')) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    bool isLogoutMethod = S041SessionTokenInvalidationAnalyzer._logoutMethods
+        .any((m) => methodName.contains(m));
+    if (isLogoutMethod) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase().replaceAll('_', '');
+        // Check if using SDK that handles logout internally
+        bool usesAuthSdk = S041SessionTokenInvalidationAnalyzer._sdkLogoutPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '')));
+        if (usesAuthSdk) {
+          // SDK handles token invalidation, skip this method
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check if delegating to another logout method
+        bool delegatesToLogout = S041SessionTokenInvalidationAnalyzer._delegationPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '').replaceAll(' ', '')));
+        if (delegatesToLogout) {
+          // Delegating to another method, skip
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        bool hasInvalidation = S041SessionTokenInvalidationAnalyzer._invalidateMethods
+            .any((m) => bodySource.contains(m));
+        bool hasSessionOp = bodySource.contains('session') || bodySource.contains('token') ||
+            bodySource.contains('credential');
+        if (!hasInvalidation || !hasSessionOp) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Logout should invalidate/destroy session token',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+  @override
+  void visitFunctionDeclaration(FunctionDeclaration node) {
+    final funcName = node.name.lexeme.toLowerCase();
+    bool isLogoutFunc = S041SessionTokenInvalidationAnalyzer._logoutMethods
+        .any((m) => funcName.contains(m));
+    if (isLogoutFunc) {
+      final body = node.functionExpression.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase().replaceAll('_', '');
+        // Check if using SDK that handles logout internally
+        bool usesAuthSdk = S041SessionTokenInvalidationAnalyzer._sdkLogoutPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '')));
+        if (usesAuthSdk) {
+          super.visitFunctionDeclaration(node);
+          return;
+        }
+        // Check if delegating to another logout method
+        bool delegatesToLogout = S041SessionTokenInvalidationAnalyzer._delegationPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '').replaceAll(' ', '')));
+        if (delegatesToLogout) {
+          super.visitFunctionDeclaration(node);
+          return;
+        }
+        bool hasInvalidation = S041SessionTokenInvalidationAnalyzer._invalidateMethods
+            .any((m) => bodySource.contains(m));
+        if (!hasInvalidation) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Logout function should invalidate session',
+          ));
+        }
+      }
+    }
+    super.visitFunctionDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S042_require_re_authentication_for_long_lived.dart ADDED Viewed

@@ -0,0 +1,158 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S042: Require Re-authentication for Long-Lived Sessions
+/// Sensitive operations should require re-authentication for long-lived sessions
+class S042RequireReAuthenticationForLongLivedAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S042';
+  // Sensitive operations that need re-auth (critical account/security changes only)
+  static const _sensitiveOperations = [
+    // Password changes
+    'changepassword', 'change_password', 'updatepassword', 'update_password',
+    'resetpassword', 'reset_password',
+    // Email address changes (not notification settings)
+    'changeemail', 'change_email', 'changeemailaddress', 'change_email_address',
+    // Account deletion
+    'deleteaccount', 'delete_account', 'removeaccount', 'remove_account',
+    // Payment/financial
+    'updatepayment', 'update_payment', 'changepayment', 'change_payment',
+    'addpayment', 'add_payment', 'deletepayment', 'delete_payment',
+    // Security settings
+    'changesecurity', 'change_security', 'enable2fa', 'disable2fa',
+    'enablemfa', 'disablemfa', 'setup2fa', 'remove2fa',
+  ];
+  // Patterns to exclude (not sensitive despite similar names)
+  static const _excludePatterns = [
+    'notification', 'notificationsetting', 'emailnotification',
+    'pushnotification', 'settings', 'preference', 'consent', 'terms',
+    // Forgot password flow - user is NOT logged in, can't require re-auth
+    'forgot', 'forgotpassword', 'forgot_password',
+    'canreset', 'can_reset', 'checkreset', 'check_reset',
+    // Validation/getter methods (not actual operations)
+    'validate', 'check', 'verify', 'isvalid', 'is_valid',
+    'cansend', 'can_send', 'isempty', 'is_empty',
+    // Getter methods like canChangePassword, canChangeEmail - these are NOT operations
+    'canchange', 'can_change',
+    // Setter/state methods - these just set UI state, not actual operations
+    'setclick', 'set_click',  // setClickDeleteAccount, setClickChangePassword
+    'isclick', 'is_click',    // isClickDeleteAccount
+    // Handler methods that run AFTER user confirmation (cleanup, not initiation)
+    'handlelogout', 'handle_logout', 'handledelete', 'handle_delete',
+    'handlelogoutordelete', 'handle_logout_or_delete',
+    'onlogout', 'on_logout', 'ondelete', 'on_delete',
+    'dologout', 'do_logout', 'dodelete', 'do_delete',
+  ];
+  // Files/layers where re-auth is NOT expected (data layer, not UI)
+  // Re-auth should be handled in UI/presentation layer, not repository/datasource
+  static const _excludedFileSuffixes = [
+    'repository_impl.dart', 'repository.dart',
+    'data_source.dart', 'datasource.dart',
+    'remote_data_source.dart', 'local_data_source.dart',
+    'api_service.dart', 'api_client.dart',
+  ];
+  // Re-auth check indicators
+  static const _reAuthIndicators = [
+    'verifypassword', 'verify_password', 'confirmpassword', 'confirm_password',
+    'reauthenticate', 're_authenticate', 'requireauth', 'require_auth',
+    'checkpassword', 'check_password', 'validatepassword', 'validate_password',
+    'confirmdialog', 'confirm_dialog', 'showconfirm', // UI confirmation
+    // Firebase/OAuth re-authentication (user must provide password again)
+    'signinwithemailandpassword', 'signin_with_email_and_password',
+    'signinwithcredential', 'signin_with_credential',
+    'reauthenticatewithcredential', 'reauthenticate_with_credential',
+    // Password confirmation - user provides current password to verify identity
+    'currentpassword', 'current_password', 'oldpassword', 'old_password',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    // Skip data layer files - re-auth is UI/presentation layer concern
+    final fileNameLower = filePath.toLowerCase();
+    if (_excludedFileSuffixes.any((suffix) => fileNameLower.endsWith(suffix))) {
+      return [];
+    }
+    final violations = <Violation>[];
+    final visitor = _S042Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S042Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S042RequireReAuthenticationForLongLivedAnalyzer analyzer;
+  _S042Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    // Skip abstract methods (interface declarations) - they have no body to check
+    if (node.isAbstract || node.body == null || node.body is EmptyFunctionBody) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    final methodName = node.name.lexeme.toLowerCase().replaceAll('_', '');
+    // Check if method name matches exclude patterns (not sensitive)
+    bool isExcluded = S042RequireReAuthenticationForLongLivedAnalyzer._excludePatterns
+        .any((p) => methodName.contains(p.replaceAll('_', '')));
+    if (isExcluded) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    bool isSensitiveOp = S042RequireReAuthenticationForLongLivedAnalyzer._sensitiveOperations
+        .any((op) => methodName.contains(op.replaceAll('_', '')));
+    if (isSensitiveOp) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase().replaceAll('_', '');
+        bool hasReAuth = S042RequireReAuthenticationForLongLivedAnalyzer._reAuthIndicators
+            .any((r) => bodySource.contains(r.replaceAll('_', '')));
+        if (!hasReAuth) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive operation should require re-authentication',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S043_password_changes_invalidate_all_sessions.dart ADDED Viewed

@@ -0,0 +1,88 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S043: Password Changes Should Invalidate All Sessions
+/// When password is changed, all existing sessions should be invalidated
+class S043PasswordChangesInvalidateAllSessionsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S043';
+  // Password change method indicators
+  static const _passwordChangeMethods = [
+    'changepassword', 'change_password', 'updatepassword', 'update_password',
+    'resetpassword', 'reset_password', 'setpassword', 'set_password',
+  ];
+  // Session invalidation indicators
+  static const _invalidateAllIndicators = [
+    'invalidateall', 'invalidate_all', 'revokeall', 'revoke_all',
+    'destroyall', 'destroy_all', 'clearallsessions', 'clear_all_sessions',
+    'logoutall', 'logout_all', 'terminateall', 'terminate_all',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S043Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S043Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S043PasswordChangesInvalidateAllSessionsAnalyzer analyzer;
+  _S043Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    final methodName = node.name.lexeme.toLowerCase().replaceAll('_', '');
+    bool isPasswordChange = S043PasswordChangesInvalidateAllSessionsAnalyzer._passwordChangeMethods
+        .any((m) => methodName.contains(m.replaceAll('_', '')));
+    if (isPasswordChange) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase().replaceAll('_', '');
+        bool invalidatesAll = S043PasswordChangesInvalidateAllSessionsAnalyzer._invalidateAllIndicators
+            .any((i) => bodySource.contains(i.replaceAll('_', '')));
+        if (!invalidatesAll) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Password change should invalidate all existing sessions',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S044_re_authentication_required.dart ADDED Viewed

@@ -0,0 +1,119 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S044: Re-Authentication Required for Sensitive Actions
+/// Require re-authentication before performing sensitive actions
+/// Note: This rule focuses on critical data/permission changes
+/// S042 covers account-level operations like deleteAccount, changePassword
+class S044ReAuthenticationRequiredAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S044';
+  // Sensitive action patterns - focus on data/permission changes
+  // Note: deleteaccount, changepassword are handled by S042
+  static const _sensitiveActions = [
+    'revoke', 'grant', 'transfer', 'withdraw',
+    'admin', 'privilege', 'permission', 'role',
+  ];
+  // Skip patterns already covered by S042
+  static const _s042Patterns = [
+    'deleteaccount', 'delete_account', 'removeaccount', 'remove_account',
+    'changepassword', 'change_password', 'updatepassword', 'update_password',
+    'changeemail', 'change_email',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S044Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S044Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S044ReAuthenticationRequiredAnalyzer analyzer;
+  _S044Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    // Skip abstract methods (interface declarations) - they have no body to check
+    if (node.isAbstract || node.body == null || node.body is EmptyFunctionBody) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    final methodName = node.name.lexeme.toLowerCase().replaceAll('_', '');
+    // Skip patterns already covered by S042 to avoid duplicate warnings
+    bool isCoveredByS042 = S044ReAuthenticationRequiredAnalyzer._s042Patterns
+        .any((p) => methodName.contains(p.replaceAll('_', '')));
+    if (isCoveredByS042) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    // Check if this is a sensitive action
+    bool isSensitive = S044ReAuthenticationRequiredAnalyzer._sensitiveActions
+        .any((a) => methodName.contains(a));
+    // Check if it's related to user/account/data
+    bool isUserRelated = methodName.contains('user') ||
+        methodName.contains('account') ||
+        methodName.contains('profile') ||
+        methodName.contains('member');
+    if (isSensitive && isUserRelated) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase();
+        bool hasReAuth = bodySource.contains('reauth') ||
+            bodySource.contains('re_auth') ||
+            bodySource.contains('verifypassword') ||
+            bodySource.contains('verify_password') ||
+            bodySource.contains('confirmidentity') ||
+            bodySource.contains('confirm_identity') ||
+            bodySource.contains('confirmdialog') ||
+            bodySource.contains('confirm_dialog');
+        if (!hasReAuth) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Sensitive user action should require re-authentication',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+}