npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S045_brute_force_protection.dart ADDED Viewed

@@ -0,0 +1,253 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S045: Brute Force Protection
+/// Implement rate limiting and account lockout for authentication
+/// Note: For mobile apps using Auth SDKs (Auth0, Firebase, etc.),
+/// rate limiting is handled server-side by the SDK provider
+class S045BruteForceProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S045';
+  // Authentication method indicators
+  static const _authMethods = [
+    'login', 'signin', 'sign_in', 'authenticate', 'verifypassword',
+    'verify_password', 'checkpassword', 'check_password',
+  ];
+  // Method name patterns that contain auth words but are NOT actual authentication
+  // These are helper methods, UI methods, or unrelated functionality
+  static const _nonAuthMethodPatterns = [
+    // URL/navigation checkers
+    'isopen', 'is_open',           // isOpenLogin, isOpenLoginIntro - URL checks
+    // Login bonus/reward related (not authentication)
+    'loginbonus', 'login_bonus',   // resetLoginBonus, getDailyLoginBonus
+    'dailylogin', 'daily_login',
+    // UI builders
+    'build',                        // _buildLoginWidget, buildLoginScreen
+    // State getters/setters (checking login state, not performing auth)
+    'getlogin', 'get_login', 'setlogin', 'set_login',
+    'isloggedin', 'is_logged_in',
+    // Check/validate UI state (not actual auth)
+    'checklogin', 'check_login',   // checkLogin() - UI state check
+    'checkrelogin', 'check_relogin', // checkReLogin() - UI state check
+    'checkuserlogin', 'check_user_login', // checkUserLogin() - check login state
+    'checkuserlogintime', 'check_user_login_time', // checkUserLoginTime() - session check
+    'validatepassword', 'validate_password', // validatePassword() - input validation
+    // Reset/clear operations (not auth attempts)
+    'resetlogin', 'reset_login', 'clearlogin', 'clear_login',
+    // Get from local/cache
+    'fromlocal', 'from_local', 'fromcache', 'from_cache',
+    // Notification related
+    'notification', 'push', 'fcm', 'sendlog', 'send_log',
+    // Update/show dialog (UI related)
+    'updateshow', 'update_show', 'showdialog', 'show_dialog',
+    // Badge related (app notification badges, not auth)
+    'badge', 'removebadge', 'remove_badge', 'updatebadge', 'update_badge',
+    'clearbadge', 'clear_badge', 'appbadge', 'app_badge',
+    // Logging utilities (log writing, not login)
+    'loginfo', 'log_info', 'logerror', 'log_error', 'logdebug', 'log_debug',
+    'logutils', 'log_utils', 'writelog', 'write_log',
+    'logupload', 'log_upload', 'uploadinfo', 'upload_info',
+    // "notlogin" or "notloggedin" checks - checking if user is NOT logged in
+    'notlogin', 'not_login', 'notloggedin', 'not_logged_in',
+    'whennotlogin', 'when_not_login',
+  ];
+  // Rate limiting indicators
+  static const _rateLimitIndicators = [
+    'ratelimit', 'rate_limit', 'throttle', 'lockout', 'lock_out',
+    'maxattempts', 'max_attempts', 'failedattempts', 'failed_attempts',
+    'cooldown', 'cool_down', 'delay', 'backoff',
+  ];
+  // Auth SDKs that handle rate limiting server-side
+  // Mobile apps using these don't need client-side rate limiting
+  static const _authSdkPatterns = [
+    // Auth0
+    'auth0', 'webauthentication', 'credentialsmanager',
+    // Firebase Auth
+    'firebaseauth', 'firebase_auth',
+    // Google Sign-In
+    'googlesignin', 'google_sign_in',
+    // Apple Sign-In
+    'signinwithapple', 'sign_in_with_apple',
+    // AWS Amplify
+    'amplify', 'cognitoauth',
+    // Generic OAuth
+    'oauth', 'oidc',
+  ];
+  // Delegation patterns - method delegates to another auth method
+  static const _delegationPatterns = [
+    'usecase', 'use_case', // Clean architecture use case
+    'repository', 'service', 'manager', 'provider',
+    'authmanager', 'auth_manager', 'authservice', 'auth_service',
+  ];
+  // Repository/data layer patterns - rate limiting handled by backend
+  // These classes only call APIs, rate limiting is server-side
+  static const _repositoryClassPatterns = [
+    'repositoryimpl', 'repository_impl',
+    'datasource', 'data_source',
+    'remotedatasource', 'remote_data_source',
+  ];
+  // GraphQL/API call patterns - backend handles rate limiting
+  static const _apiCallPatterns = [
+    'greq', 'gql', 'graphql', // GraphQL requests
+    'clienthelper', 'client_helper',
+    'dio.', 'http.', 'request(',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S045Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S045Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S045BruteForceProtectionAnalyzer analyzer;
+  _S045Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  // Track if the containing class has rate limiting
+  bool _classHasRateLimit = false;
+  // Track if class is a repository/data layer (rate limiting handled by backend)
+  bool _isRepositoryClass = false;
+  @override
+  void visitClassDeclaration(ClassDeclaration node) {
+    final className = node.name.lexeme.toLowerCase().replaceAll('_', '');
+    // Check class level for rate limit indicators
+    final classSource = node.toSource().toLowerCase().replaceAll('_', '');
+    _classHasRateLimit = S045BruteForceProtectionAnalyzer._rateLimitIndicators
+        .any((r) => classSource.contains(r.replaceAll('_', '')));
+    // Check if this is a repository/data layer class
+    _isRepositoryClass = S045BruteForceProtectionAnalyzer._repositoryClassPatterns
+        .any((p) => className.contains(p.replaceAll('_', '')));
+    super.visitClassDeclaration(node);
+    // Reset after processing class
+    _classHasRateLimit = false;
+    _isRepositoryClass = false;
+  }
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    final methodName = node.name.lexeme.toLowerCase();
+    final methodNameNormalized = methodName.replaceAll('_', '');
+    bool isAuthMethod = S045BruteForceProtectionAnalyzer._authMethods
+        .any((m) => methodName.contains(m));
+    // Skip methods that contain auth words but are not actual authentication
+    bool isNonAuthMethod = S045BruteForceProtectionAnalyzer._nonAuthMethodPatterns
+        .any((p) => methodNameNormalized.contains(p.replaceAll('_', '')));
+    if (isNonAuthMethod) {
+      super.visitMethodDeclaration(node);
+      return;
+    }
+    if (isAuthMethod) {
+      final body = node.body;
+      if (body != null) {
+        // Skip arrow functions (helper functions like `=> true`)
+        if (body is ExpressionFunctionBody) {
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        final bodySource = body.toSource().toLowerCase().replaceAll('_', '');
+        // Skip very short helper functions
+        if (bodySource.length < 30) {
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Skip repository/data layer classes - rate limiting is backend responsibility
+        if (_isRepositoryClass) {
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check if using Auth SDK that handles rate limiting server-side
+        bool usesAuthSdk = S045BruteForceProtectionAnalyzer._authSdkPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '')));
+        if (usesAuthSdk) {
+          // Auth SDK handles rate limiting on server-side
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check if method makes API/GraphQL calls - rate limiting handled by backend
+        bool makesApiCall = S045BruteForceProtectionAnalyzer._apiCallPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '')));
+        if (makesApiCall) {
+          // API calls - rate limiting is server-side responsibility
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check if method delegates to another auth service/use case
+        bool delegatesToAuth = S045BruteForceProtectionAnalyzer._delegationPatterns
+            .any((p) => bodySource.contains(p.replaceAll('_', '')));
+        if (delegatesToAuth) {
+          // Delegating to another layer that may handle rate limiting
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check method body for rate limiting
+        bool hasRateLimit = S045BruteForceProtectionAnalyzer._rateLimitIndicators
+            .any((r) => bodySource.contains(r.replaceAll('_', '')));
+        // Also consider class-level rate limiting
+        if (!hasRateLimit && !_classHasRateLimit) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Authentication should have brute force protection (rate limiting/lockout)',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S046_jwt_algorithm_allowlist.dart ADDED Viewed

@@ -0,0 +1,113 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S046: Use algorithm allowlist for self-contained tokens
+/// Detect JWT/token verification without algorithm restriction
+class S046JwtAlgorithmAllowlistAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S046';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S046Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S046Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S046JwtAlgorithmAllowlistAnalyzer analyzer;
+  _S046Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for JWT decode without verification (security risk)
+    if (methodName == 'decode' && source.contains('jwt')) {
+      // Check if verify is false or not specified
+      if (!source.contains('verify') || source.contains('verify: false')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'JWT decode without verification - use verify() with algorithm allowlist',
+        ));
+      }
+    }
+    // Check for JWT verify without algorithm specification
+    if (methodName == 'verify' && source.contains('jwt')) {
+      // Look for algorithm specification in arguments
+      if (!source.contains('algorithm') && !source.contains('alg')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'JWT verify without algorithm specification - specify allowed algorithms',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+    // Check for 'none' algorithm in JWT context
+    if (value == 'none') {
+      // Check surrounding context for JWT-related code
+      AstNode? current = node.parent;
+      int depth = 0;
+      while (current != null && depth < 5) {
+        final parentSource = current.toSource().toLowerCase();
+        if (parentSource.contains('jwt') ||
+            parentSource.contains('algorithm') ||
+            parentSource.contains('token')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                "Algorithm 'none' detected - this disables signature verification",
+          ));
+          break;
+        }
+        current = current.parent;
+        depth++;
+      }
+    }
+    super.visitSimpleStringLiteral(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S047_oauth_pkce_protection.dart ADDED Viewed

@@ -0,0 +1,124 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S047: Protect OAuth code flow against CSRF attacks
+/// Detect OAuth implementations without PKCE or state parameter
+class S047OAuthPkceProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S047';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S047Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S047Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S047OAuthPkceProtectionAnalyzer analyzer;
+  // Track OAuth-related context
+  bool _inOAuthContext = false;
+  _S047Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value.toLowerCase();
+    // Check for OAuth authorization URLs
+    if (value.contains('authorize') && value.contains('client_id')) {
+      // Check if URL has code_challenge (PKCE) or state parameter
+      final hasCodeChallenge = value.contains('code_challenge');
+      final hasState = value.contains('state=');
+      if (!hasCodeChallenge && !hasState) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'OAuth URL missing PKCE code_challenge or state parameter for CSRF protection',
+        ));
+      }
+    }
+    // Check for hardcoded state values (weak protection)
+    if (value.contains('state=')) {
+      // Extract state value and check if it looks hardcoded
+      final stateMatch = RegExp(r'state=([^&\s]+)').firstMatch(value);
+      if (stateMatch != null) {
+        final stateValue = stateMatch.group(1) ?? '';
+        // Short, simple state values are likely hardcoded
+        if (stateValue.length < 16 &&
+            !stateValue.contains(r'$') &&
+            !stateValue.contains('{')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'OAuth state parameter appears hardcoded - use cryptographically random value',
+          ));
+        }
+      }
+    }
+    super.visitSimpleStringLiteral(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for OAuth/OpenID connect methods without PKCE
+    if ((methodName.contains('oauth') ||
+            methodName.contains('authorize') ||
+            methodName.contains('authenticate')) &&
+        source.contains('client')) {
+      // Check if PKCE parameters are present
+      if (!source.contains('code_challenge') &&
+          !source.contains('codechallenge') &&
+          !source.contains('pkce')) {
+        // Also check for state parameter
+        if (!source.contains('state')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'OAuth flow without PKCE or state parameter - vulnerable to CSRF',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S048_oauth_redirect_uri_validation.dart ADDED Viewed

@@ -0,0 +1,134 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S048: Validate OAuth redirect URIs with exact string comparison
+/// Detect insecure OAuth redirect URI validation
+class S048OAuthRedirectUriValidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S048';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S048Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S048Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S048OAuthRedirectUriValidationAnalyzer analyzer;
+  _S048Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for redirect URI with partial matching (insecure)
+    if (source.contains('redirect') || source.contains('callback')) {
+      // Check for startsWith validation (insecure)
+      if (methodName == 'startswith') {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Redirect URI validated with startsWith() - use exact string comparison',
+        ));
+      }
+      // Check for contains validation (insecure)
+      if (methodName == 'contains' && source.contains('uri')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Redirect URI validated with contains() - use exact string comparison',
+        ));
+      }
+      // Check for regex matching (insecure)
+      if (methodName == 'hasmatch' || methodName == 'firstmatch') {
+        if (source.contains('redirect') || source.contains('callback')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Redirect URI validated with regex - use exact string comparison',
+          ));
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitSimpleStringLiteral(SimpleStringLiteral node) {
+    final value = node.value;
+    // Check for wildcard patterns in redirect URIs
+    if (value.contains('*.') &&
+        (value.contains('redirect') || value.contains('callback'))) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'Wildcard domain pattern for redirect URI - use exact URIs only',
+      ));
+    }
+    // Check for wildcard in URI list context
+    if (value.startsWith('*.')) {
+      AstNode? current = node.parent;
+      int depth = 0;
+      while (current != null && depth < 5) {
+        final parentSource = current.toSource().toLowerCase();
+        if (parentSource.contains('redirect') ||
+            parentSource.contains('callback') ||
+            parentSource.contains('alloweduri') ||
+            parentSource.contains('whitelist')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Wildcard in allowed redirect URIs - use exact URIs only',
+          ));
+          break;
+        }
+        current = current.parent;
+        depth++;
+      }
+    }
+    super.visitSimpleStringLiteral(node);
+  }
+}