npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S049_short_validity_tokens.dart ADDED Viewed

@@ -0,0 +1,145 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S049: Short Validity Tokens
+/// Security tokens should have short validity periods
+class S049ShortValidityTokensAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S049';
+  // Token creation indicators - must be actual creation, not reading
+  static const _tokenCreationPatterns = [
+    'createtoken', 'create_token', 'generatetoken', 'generate_token',
+    'signtoken', 'sign_token', 'issuetoken', 'issue_token',
+    'newtoken', 'new_token', 'buildtoken', 'build_token',
+  ];
+  // Reading/getting/saving patterns - these are NOT token creation
+  // These operations don't create tokens, they just store, retrieve, or validate existing ones
+  static const _tokenReadPatterns = [
+    // Get/read operations
+    'gettoken', 'get_token', 'getaccesstoken', 'get_access_token',
+    'getrefreshtoken', 'get_refresh_token', 'readtoken', 'read_token',
+    'fetchtoken', 'fetch_token', 'loadtoken', 'load_token',
+    'retrievetoken', 'retrieve_token', 'parsetoken', 'parse_token',
+    'decodetoken', 'decode_token', 'verifytoken', 'verify_token',
+    'validatetoken', 'validate_token',
+    // Save/store operations (NOT token creation)
+    'savetoken', 'save_token', 'storetoken', 'store_token',
+    'settoken', 'set_token', 'setstring', 'set_string',
+    'cachetoken', 'cache_token', 'persisttoken', 'persist_token',
+    'usertoken', 'user_token',  // Common variable names
+    'preferencekey', 'preference_key',  // Shared preferences
+    'securestorage', 'secure_storage',  // Secure storage
+    // Firebase token operations (not creating JWT, just getting Firebase's token)
+    'getidtoken', 'get_id_token', 'currentuser',
+    // Update/refresh patterns (not creating new tokens, just refreshing existing)
+    'updatetoken', 'update_token', 'updatefcmtoken', 'update_fcm_token',
+    'refreshtoken', 'refresh_token', 'renewtoken', 'renew_token',
+    // Save access token patterns
+    'saveaccesstoken', 'save_access_token',
+  ];
+  // Long expiry values (in seconds) - 30 days = 2592000
+  static const int _maxRecommendedExpiry = 86400; // 24 hours
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S049Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S049Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S049ShortValidityTokensAnalyzer analyzer;
+  _S049Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase().replaceAll('_', '');
+    // Skip if this is reading/getting a token, not creating one
+    bool isTokenRead = S049ShortValidityTokensAnalyzer._tokenReadPatterns
+        .any((p) => source.contains(p.replaceAll('_', '')));
+    if (isTokenRead) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+    bool isTokenCreation = S049ShortValidityTokensAnalyzer._tokenCreationPatterns
+        .any((p) => source.contains(p.replaceAll('_', '')));
+    if (isTokenCreation) {
+      // Check for expiry/ttl settings
+      bool hasExpiryCheck = source.contains('expir') ||
+          source.contains('ttl') ||
+          source.contains('validity') ||
+          source.contains('lifetime');
+      if (!hasExpiryCheck) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Token creation should have explicit expiry time',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final paramName = node.name.label.name.toLowerCase();
+    // Check for expiry-related parameters
+    if (paramName.contains('expir') || paramName.contains('ttl') || paramName.contains('lifetime')) {
+      final expression = node.expression;
+      // Check if value is too large
+      if (expression is IntegerLiteral) {
+        final value = expression.value ?? 0;
+        // Assuming value is in seconds
+        if (value > S049ShortValidityTokensAnalyzer._maxRecommendedExpiry) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Token expiry time is too long - consider shorter validity periods',
+          ));
+        }
+      }
+    }
+    super.visitNamedExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S050_reference_tokens_entropy.dart ADDED Viewed

@@ -0,0 +1,234 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S050: Reference tokens must be unique with 128-bit entropy using CSPRNG
+/// Detect weak token generation patterns
+class S050ReferenceTokensEntropyAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S050';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S050Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S050Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S050ReferenceTokensEntropyAnalyzer analyzer;
+  // Patterns indicating token/session/ID context
+  static const _tokenContextPatterns = [
+    'token',
+    'session',
+    'sessionid',
+    'accesstoken',
+    'refreshtoken',
+    'apikey',
+    'authcode',
+  ];
+  // Safe patterns - DateTime used for timing/logging, not token generation
+  static const _safeTimestampPatterns = [
+    'starttime',     // Request timing
+    'endtime',       // Request timing
+    'duration',      // Duration calculation
+    'elapsed',       // Elapsed time
+    'timestamp',     // Logging timestamp (if not in token context)
+    'logdate',       // Logging date
+    'logtime',       // Logging time
+    'createdat',     // Record creation timestamp
+    'updatedat',     // Record update timestamp
+    'lastseen',      // Last seen tracking
+    'expiresat',     // Expiration tracking
+    'formatter',     // Date formatting
+    'dateformat',    // Date formatting
+    'extra[',        // Dio interceptor extra data
+  ];
+  _S050Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for Random() (not secure) in token context
+    if (methodName == 'nextint' || methodName == 'nextdouble') {
+      // Skip if using Random.secure() - check target variable name
+      final target = node.target?.toSource().toLowerCase() ?? '';
+      if (target.contains('secure') || source.contains('secure')) {
+        // Using Random.secure() - this is safe
+        super.visitMethodInvocation(node);
+        return;
+      }
+      if (_isInTokenContext(node) && !_isSecureRandomContext(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Random() is not cryptographically secure - use Random.secure() for tokens',
+        ));
+      }
+    }
+    // Check for DateTime.now() used as token
+    if (methodName == 'now' && source.contains('datetime')) {
+      // Skip if used for timing/logging purposes
+      if (!_isSafeTimestampUsage(node) && _isInTokenContext(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Timestamp-based tokens are predictable - use CSPRNG with 128-bit entropy',
+        ));
+      }
+    }
+    // Check for uuid without secure random (some uuid packages use weak random)
+    if (methodName == 'v1' && source.contains('uuid')) {
+      if (_isInTokenContext(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'UUID v1 is time-based and predictable - use UUID v4 with secure random',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+    // Check for Random() (not Random.secure()) in token context
+    if (typeName == 'random') {
+      final constructorName =
+          node.constructorName.name?.name.toLowerCase() ?? '';
+      if (constructorName != 'secure') {
+        if (_isInTokenContext(node)) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Random() is not cryptographically secure - use Random.secure() for tokens',
+          ));
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final left = node.leftHandSide.toSource().toLowerCase();
+    final right = node.rightHandSide.toSource().toLowerCase();
+    // Check for sequential token generation (++counter, counter++)
+    if (_tokenContextPatterns.any((p) => left.contains(p))) {
+      if (right.contains('++') || right.contains('--') || right == left) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Sequential tokens are predictable - use CSPRNG with 128-bit entropy',
+        ));
+      }
+    }
+    super.visitAssignmentExpression(node);
+  }
+  bool _isInTokenContext(AstNode node) {
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 10) {
+      final source = current.toSource().toLowerCase();
+      if (_tokenContextPatterns.any((p) => source.contains(p))) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+  bool _isSecureRandomContext(AstNode node) {
+    // Check if this node is using Random.secure()
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 5) {
+      final source = current.toSource().toLowerCase();
+      // Check for secure random patterns
+      if (source.contains('random.secure') ||
+          source.contains('securerandom') ||
+          source.contains('_securerandom') ||
+          source.contains('_secure')) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+  /// Check if DateTime.now() is used for safe purposes (timing, logging)
+  bool _isSafeTimestampUsage(AstNode node) {
+    // Check immediate parent and surrounding context
+    AstNode? current = node.parent;
+    int depth = 0;
+    while (current != null && depth < 5) {
+      final source = current.toSource().toLowerCase();
+      // Check for safe timestamp patterns
+      if (_safeTimestampPatterns.any((p) => source.contains(p))) {
+        return true;
+      }
+      // Check for timing operations
+      if (source.contains('.difference(') ||
+          source.contains('.inmilliseconds') ||
+          source.contains('.inseconds') ||
+          source.contains('.inminutes') ||
+          source.contains('format(')) {
+        return true;
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+}

package/dart_analyzer/lib/rules/security/S051_password_length_policy.dart ADDED Viewed

@@ -0,0 +1,171 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S051: Password Length Policy
+/// Enforce minimum password length requirements
+class S051PasswordLengthPolicyAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S051';
+  // Minimum recommended password length
+  static const int _minRecommendedLength = 8;
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S051Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S051Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S051PasswordLengthPolicyAnalyzer analyzer;
+  _S051Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    // Check for password min length configuration
+    if ((varName.contains('password') || varName.contains('pwd')) &&
+        (varName.contains('min') || varName.contains('length'))) {
+      if (initializer is IntegerLiteral) {
+        final value = initializer.value ?? 0;
+        if (value < S051PasswordLengthPolicyAnalyzer._minRecommendedLength) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Minimum password length should be at least 8 characters',
+          ));
+        }
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitBinaryExpression(BinaryExpression node) {
+    final source = node.toSource().toLowerCase();
+    // Check for password length comparisons
+    if ((source.contains('password') || source.contains('pwd')) &&
+        source.contains('length')) {
+      // Check for weak minimum length
+      if (node.operator.type.lexeme == '<' || node.operator.type.lexeme == '>=') {
+        final right = node.rightOperand;
+        if (right is IntegerLiteral) {
+          final value = right.value ?? 0;
+          if (value < S051PasswordLengthPolicyAnalyzer._minRecommendedLength) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Password length validation is too weak - require at least 8 characters',
+            ));
+          }
+        }
+      }
+    }
+    super.visitBinaryExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Skip if this is just a call to a validation function (not the implementation)
+    // e.g., loginNotifier.validatePassword(value) - this is a CALL, not implementation
+    // We should only flag the actual implementation of validatePassword
+    if (methodName == 'validatepassword' || methodName == 'validate_password') {
+      // Check if this is inside a method BODY (implementation) vs a method CALL
+      // Method calls have targets like: notifier.validatePassword(value)
+      if (node.target != null) {
+        // This is a call like: something.validatePassword(value) - skip
+        super.visitMethodInvocation(node);
+        return;
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitMethodDeclaration(MethodDeclaration node) {
+    final methodName = node.name.lexeme.toLowerCase();
+    // Check password validation method implementations
+    if (methodName.contains('validatepassword') || methodName.contains('validate_password')) {
+      final body = node.body;
+      if (body != null) {
+        final bodySource = body.toSource().toLowerCase();
+        // Skip if this is just a setter/state-change method (not actual validation)
+        // These methods just store the password value and trigger UI updates
+        // Pattern: { _password = value; someMethod(); notifyListeners(); }
+        bool isSetterPattern = (bodySource.contains('_password =') ||
+            bodySource.contains('password =')) &&
+            (bodySource.contains('notifylisteners') ||
+             bodySource.contains('setstate') ||
+             bodySource.contains('notify()')) &&
+            !bodySource.contains('if ') &&  // No conditional logic = not validation
+            !bodySource.contains('throw') &&
+            !bodySource.contains('error');
+        if (isSetterPattern) {
+          // This is just a state setter, not actual validation - skip
+          super.visitMethodDeclaration(node);
+          return;
+        }
+        // Check if the implementation includes length validation
+        bool hasLengthCheck = bodySource.contains('length') ||
+            bodySource.contains('minlength') ||
+            bodySource.contains('min_length') ||
+            bodySource.contains('>= 8') ||
+            bodySource.contains('>= 12') ||
+            bodySource.contains('< 8') ||
+            bodySource.contains('< 12');
+        if (!hasLengthCheck) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Password validation should include length check',
+          ));
+        }
+      }
+    }
+    super.visitMethodDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S052_weak_otp_entropy.dart ADDED Viewed

@@ -0,0 +1,107 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S052: Weak OTP Entropy
+/// OTP codes should have sufficient entropy (length and randomness)
+class S052WeakOtpEntropyAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S052';
+  // Minimum recommended OTP length
+  static const int _minOtpLength = 6;
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S052Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S052Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S052WeakOtpEntropyAnalyzer analyzer;
+  _S052Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    // Check for OTP length configuration
+    if (varName.contains('otp') && varName.contains('length')) {
+      if (initializer is IntegerLiteral) {
+        final value = initializer.value ?? 0;
+        if (value < S052WeakOtpEntropyAnalyzer._minOtpLength) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'OTP length should be at least 6 digits for adequate security',
+          ));
+        }
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check for OTP generation
+    if (methodName.contains('otp') || source.contains('generateotp') || source.contains('generate_otp')) {
+      // Check if using secure random
+      bool usesSecureRandom = source.contains('random.secure') ||
+          source.contains('securerandom') ||
+          source.contains('crypto');
+      if (!usesSecureRandom && source.contains('random')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'OTP generation should use cryptographically secure random',
+        ));
+      }
+      // Check for weak patterns like sequential or predictable
+      if (source.contains('datetime.now') || source.contains('timestamp')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'OTP should not be based on timestamp - use secure random',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}