@sun-asterisk/sunlint 1.3.43 → 1.3.44

package/dart_analyzer/lib/rules/security/S053_generic_error_messages.dart

@@ -0,0 +1,159 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S053: Return generic error messages, hide internal details
+/// Detect exposure of internal details in error responses
+class S053GenericErrorMessagesAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S053';
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S053Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S053Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S053GenericErrorMessagesAnalyzer analyzer;
+
+  // Track if we're inside a catch block
+  bool _inCatchBlock = false;
+
+  _S053Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitCatchClause(CatchClause node) {
+    _inCatchBlock = true;
+    super.visitCatchClause(node);
+    _inCatchBlock = false;
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Check for HTTP response methods that expose error details
+    if (_inCatchBlock) {
+      // Check for Response or json methods with error details
+      if (methodName == 'json' ||
+          methodName == 'send' ||
+          methodName == 'write') {
+        // Check if error stack trace is exposed
+        if (source.contains('.stacktrace') || source.contains('.stack')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Stack trace exposed in response - return generic error message',
+          ));
+        }
+
+        // Check if error message is directly exposed
+        if (source.contains('error.message') ||
+            source.contains('exception.message') ||
+            source.contains('e.message')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message:
+                'Internal error message exposed - return generic error message',
+          ));
+        }
+
+        // Check for SQL/database details
+        if (source.contains('sql') ||
+            source.contains('query') ||
+            source.contains('database')) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'SQL/database details may be exposed in response',
+          ));
+        }
+      }
+    }
+
+    // Check for toString() on exceptions in response context
+    if (methodName == 'tostring' && _inCatchBlock) {
+      final target = node.target?.toSource().toLowerCase() ?? '';
+      if (target.contains('error') ||
+          target.contains('exception') ||
+          target == 'e') {
+        // Check if this is being sent to client
+        AstNode? current = node.parent;
+        int depth = 0;
+        while (current != null && depth < 5) {
+          final parentSource = current.toSource().toLowerCase();
+          if (parentSource.contains('response') ||
+              parentSource.contains('json') ||
+              parentSource.contains('send')) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message:
+                  'Exception toString() exposed to client - use generic message',
+            ));
+            break;
+          }
+          current = current.parent;
+          depth++;
+        }
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitThrowExpression(ThrowExpression node) {
+    final source = node.toSource().toLowerCase();
+
+    // Check for throwing exceptions with sensitive details
+    if (source.contains('file path') ||
+        source.contains('directory') ||
+        source.contains('connection string') ||
+        source.contains('password') ||
+        source.contains('secret')) {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'Exception may contain sensitive details - use generic message',
+      ));
+    }
+
+    super.visitThrowExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S054_no_default_accounts.dart

@@ -0,0 +1,141 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S054: No Default Accounts
+/// Avoid hardcoded default accounts/credentials
+class S054NoDefaultAccountsAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S054';
+
+  // Common default account patterns
+  static const _defaultAccountPatterns = [
+    'admin', 'administrator', 'root', 'superuser', 'super_user',
+    'guest', 'test', 'demo', 'default', 'system',
+  ];
+
+  // Default password patterns
+  static const _defaultPasswordPatterns = [
+    'admin', 'password', '123456', 'admin123', 'password123',
+    'root', 'guest', 'default', 'changeme', 'test',
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S054Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S054Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S054NoDefaultAccountsAnalyzer analyzer;
+
+  _S054Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+
+    // Check for default user/account names
+    if ((varName.contains('user') || varName.contains('account') || varName.contains('login')) &&
+        varName.contains('default')) {
+      if (initializer is SimpleStringLiteral) {
+        final value = initializer.value.toLowerCase();
+        bool isDefaultAccount = S054NoDefaultAccountsAnalyzer._defaultAccountPatterns
+            .any((p) => value == p);
+
+        if (isDefaultAccount) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Avoid hardcoded default account "$value"',
+          ));
+        }
+      }
+    }
+
+    // Check for default passwords
+    if ((varName.contains('password') || varName.contains('pwd')) &&
+        varName.contains('default')) {
+      if (initializer is SimpleStringLiteral) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Hardcoded default password detected',
+        ));
+      }
+    }
+
+    super.visitVariableDeclaration(node);
+  }
+
+  @override
+  void visitMapLiteralEntry(MapLiteralEntry node) {
+    final key = node.key.toSource().toLowerCase().replaceAll("'", '').replaceAll('"', '');
+    final value = node.value;
+
+    // Check for default credentials in config maps
+    if (key.contains('user') || key.contains('account')) {
+      if (value is SimpleStringLiteral) {
+        final valStr = value.value.toLowerCase();
+        bool isDefaultAccount = S054NoDefaultAccountsAnalyzer._defaultAccountPatterns
+            .any((p) => valStr == p);
+
+        if (isDefaultAccount) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Default account in configuration',
+          ));
+        }
+      }
+    }
+
+    if (key.contains('password') || key.contains('pwd')) {
+      if (value is SimpleStringLiteral) {
+        final valStr = value.value.toLowerCase();
+        bool isDefaultPassword = S054NoDefaultAccountsAnalyzer._defaultPasswordPatterns
+            .any((p) => valStr == p);
+
+        if (isDefaultPassword) {
+          violations.add(analyzer.createViolation(
+            filePath: filePath,
+            line: analyzer.getLine(lineInfo, node.offset),
+            column: analyzer.getColumn(lineInfo, node.offset),
+            message: 'Default/weak password in configuration',
+          ));
+        }
+      }
+    }
+
+    super.visitMapLiteralEntry(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S055_content_type_validation.dart

@@ -0,0 +1,324 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+
+/// S055: Content-Type Validation
+/// Validate Content-Type header for uploaded files
+/// Note: This rule should only flag upload implementations,
+/// not callers of upload functions that already validate Content-Type
+class S055ContentTypeValidationAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S055';
+
+  // File upload method patterns - HTTP uploads only
+  // Note: Local file operations (save to gallery, write to disk) are NOT uploads
+  static const _uploadPatterns = [
+    'uploadfile', 'upload_file', 'processupload', 'process_upload',
+    'handlemultipart', 'handle_multipart', 'saveformdata', 'save_form_data',
+  ];
+
+  // Patterns that are NOT HTTP uploads (local file operations)
+  // These should be excluded from Content-Type validation requirement
+  static const _localFileOperationPatterns = [
+    'imagegallerysaver',  // Flutter plugin to save to device gallery
+    'gallerysaver',       // Save to gallery
+    'saveimagetogallery', // Save image to gallery
+    'savevideoTogallery', // Save video to gallery
+    'filesaver',          // File saver plugins
+    'savetodisk',         // Local disk save
+    'writetofile',        // Local file write
+    'localfilesystem',    // Local filesystem operations
+    'pathprovider',       // Flutter path provider (local storage)
+    'gettemporarydirectory', // Temp directory
+    'getapplicationdocumentsdirectory', // App documents
+  ];
+
+  // Patterns that indicate Content-Type is being validated/set
+  static const _contentTypeValidationPatterns = [
+    'lookupmimetype', 'lookup_mime_type', // mime package
+    'getmimetype', 'get_mime_type',
+    'mimetype', 'mime_type',
+    'contenttype', 'content_type',
+    'mediatype', 'media_type',
+  ];
+
+  // Patterns indicating upload is delegated to another function
+  static const _uploadDelegationPatterns = [
+    'uploadimage', 'upload_image', // Calling uploadImage function
+    'uploadfile', 'upload_file',
+    'repository', 'usecase', 'use_case',
+    'mediarepo', 'media_repo',
+  ];
+
+  // Method name patterns that are NOT actual file uploads
+  // These methods create/get URLs but don't upload files themselves
+  static const _nonUploadMethodPatterns = [
+    'createuploadurl', 'create_upload_url',
+    'getuploadurl', 'get_upload_url',
+    'generateuploadurl', 'generate_upload_url',
+    'presignedurl', 'presigned_url',
+    'uploadurl', 'upload_url', // Methods that return URLs, not upload
+  ];
+
+  // Client-side upload patterns that automatically handle Content-Type
+  // Dio's MultipartFile.fromFile() automatically infers Content-Type from file extension
+  // These don't need explicit Content-Type validation in client code
+  static const _clientSideUploadPatterns = [
+    'multipartfile.fromfile',     // Dio: auto-detects Content-Type from extension
+    'multipartfile.frombytes',    // Dio: requires explicit contentType but often inferred
+    'multipartfile.fromstream',   // Dio: similar auto-detection
+    'formdata.frommap',           // Dio FormData constructor
+  ];
+
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S055Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+
+class _S055Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S055ContentTypeValidationAnalyzer analyzer;
+
+  _S055Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+
+  // Patterns to detect content type checks - with word boundaries
+  static final _contentTypePatterns = [
+    RegExp(r'\bcontent[-_]?type\b', caseSensitive: false),
+    RegExp(r'\bcontenttype\b', caseSensitive: false),
+    RegExp(r'\bmime[-_]?type\b', caseSensitive: false),
+    RegExp(r'\bmimetype\b', caseSensitive: false),
+    RegExp(r'\bmedia[-_]?type\b', caseSensitive: false),
+    RegExp(r'\bmediatype\b', caseSensitive: false),
+    RegExp(r'\blookupmimetype\b', caseSensitive: false),
+  ];
+
+  bool _hasContentTypeCheck(AstNode node) {
+    AstNode? current = node.parent;
+    int depth = 0;
+
+    // Only check immediate context (within 5 levels), not class-level
+    while (current != null && depth < 5) {
+      // Skip checking class declarations - too broad
+      if (current is ClassDeclaration) {
+        break;
+      }
+
+      final parentSource = current.toSource().toLowerCase();
+      for (final pattern in _contentTypePatterns) {
+        if (pattern.hasMatch(parentSource)) {
+          return true;
+        }
+      }
+      current = current.parent;
+      depth++;
+    }
+    return false;
+  }
+
+  // Check if the method body delegates to a function that handles content-type
+  bool _delegatesToValidatedUpload(AstNode node) {
+    // Get the containing method body
+    AstNode? current = node;
+    while (current != null && current is! MethodDeclaration && current is! FunctionDeclaration) {
+      current = current.parent;
+    }
+
+    if (current == null) return false;
+
+    String bodySource;
+    if (current is MethodDeclaration) {
+      bodySource = current.body?.toSource().toLowerCase().replaceAll('_', '') ?? '';
+    } else if (current is FunctionDeclaration) {
+      bodySource = current.functionExpression.body?.toSource().toLowerCase().replaceAll('_', '') ?? '';
+    } else {
+      return false;
+    }
+
+    // Check if calling a function that validates content-type
+    return S055ContentTypeValidationAnalyzer._uploadDelegationPatterns
+        .any((p) => bodySource.contains(p.replaceAll('_', '')));
+  }
+
+  // Check if the containing method is a URL creation method (not actual upload)
+  bool _isUrlCreationMethod(AstNode node) {
+    // Get the containing method
+    AstNode? current = node;
+    while (current != null && current is! MethodDeclaration && current is! FunctionDeclaration) {
+      current = current.parent;
+    }
+
+    if (current == null) return false;
+
+    String methodName;
+    if (current is MethodDeclaration) {
+      methodName = current.name.lexeme.toLowerCase().replaceAll('_', '');
+    } else if (current is FunctionDeclaration) {
+      methodName = current.name.lexeme.toLowerCase().replaceAll('_', '');
+    } else {
+      return false;
+    }
+
+    // Check if method name indicates URL creation (not actual upload)
+    return S055ContentTypeValidationAnalyzer._nonUploadMethodPatterns
+        .any((p) => methodName.contains(p.replaceAll('_', '')));
+  }
+
+  // Check if the operation is a local file operation (not HTTP upload)
+  bool _isLocalFileOperation(MethodInvocation node) {
+    final source = node.toSource().toLowerCase();
+    final target = node.target?.toSource().toLowerCase() ?? '';
+
+    // Check if method call target or source matches local file operation patterns
+    return S055ContentTypeValidationAnalyzer._localFileOperationPatterns
+        .any((p) => source.contains(p) || target.contains(p));
+  }
+
+  // Check if using client-side upload that auto-handles Content-Type
+  // Dio's MultipartFile.fromFile() automatically infers Content-Type from file extension
+  bool _isClientSideAutoUpload(String source) {
+    final sourceLower = source.toLowerCase().replaceAll(' ', '');
+    return S055ContentTypeValidationAnalyzer._clientSideUploadPatterns
+        .any((p) => sourceLower.contains(p.replaceAll(' ', '')));
+  }
+
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+
+    // Skip local file operations (save to gallery, disk, etc.) - NOT HTTP uploads
+    if (_isLocalFileOperation(node)) {
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for file upload constructor calls (parsed as method invocations in Dart)
+    // FormData(...) or MultipartFile(...) without 'new' keyword
+    if (methodName == 'formdata' || methodName == 'multipartfile') {
+      // Skip if using Dio's auto Content-Type detection (fromFile, fromMap, etc.)
+      if (_isClientSideAutoUpload(source)) {
+        super.visitMethodInvocation(node);
+        return;
+      }
+
+      if (!_hasContentTypeCheck(node) && !_delegatesToValidatedUpload(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload without Content-Type validation',
+        ));
+      }
+    }
+
+    // Only flag actual upload IMPLEMENTATIONS, not callers of upload functions
+    // A caller like `uploadVideoToChat(...)` should not be flagged
+    // Only flag if this method directly creates FormData/MultipartFile or uses HTTP upload APIs
+
+    // Check if this is a CALLER of an upload function (not implementation)
+    // Callers just invoke methods like `notifier.uploadVideo()` - these are OK
+    bool isCallingUploadFunction = methodName.contains('upload') &&
+        node.target != null &&  // Has a target (e.g., notifier.uploadX)
+        !source.contains('formdata') &&
+        !source.contains('multipartfile') &&
+        !source.contains('.post(') &&
+        !source.contains('.put(');
+
+    if (isCallingUploadFunction) {
+      // This is just calling an upload function, not implementing upload logic
+      super.visitMethodInvocation(node);
+      return;
+    }
+
+    // Check for actual HTTP upload operations (dio.post with FormData, etc.)
+    // Only match FormData() constructor call or FormData.fromMap() - NOT variable names like formData
+    // Use case-sensitive match to distinguish:
+    //   - FormData() or FormData.fromMap() → Dio HTTP upload class (MUST check)
+    //   - formData → local variable name (skip)
+    final formDataClassPattern = RegExp(r'FormData\s*[.(]');  // FormData() or FormData.fromMap(
+    final multipartFilePattern = RegExp(r'MultipartFile\s*[.(]');  // MultipartFile() or MultipartFile.fromFile(
+
+    bool hasFormData = formDataClassPattern.hasMatch(node.toSource());
+    bool hasMultipartFile = multipartFilePattern.hasMatch(node.toSource());
+
+    bool isActualUploadImplementation =
+        (hasFormData || hasMultipartFile) ||
+        ((methodName == 'post' || methodName == 'put') &&
+            (hasFormData || hasMultipartFile));
+
+    if (isActualUploadImplementation) {
+      // Skip if using Dio's auto Content-Type detection (fromFile, fromMap, etc.)
+      if (_isClientSideAutoUpload(source)) {
+        super.visitMethodInvocation(node);
+        return;
+      }
+
+      // Skip if this is a call to a function that handles content-type validation
+      if (_delegatesToValidatedUpload(node)) {
+        super.visitMethodInvocation(node);
+        return;
+      }
+
+      // Skip if this is inside a URL creation method (not actual file upload)
+      if (_isUrlCreationMethod(node)) {
+        super.visitMethodInvocation(node);
+        return;
+      }
+
+      if (!_hasContentTypeCheck(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload without Content-Type validation',
+        ));
+      }
+    }
+
+    super.visitMethodInvocation(node);
+  }
+
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme.toLowerCase();
+
+    // Check for FormData or MultipartFile creation (when 'new' keyword is used)
+    if (typeName == 'formdata' || typeName == 'multipartfile') {
+      if (!_hasContentTypeCheck(node) && !_delegatesToValidatedUpload(node)) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'File upload creation without Content-Type validation',
+        ));
+      }
+    }
+
+    super.visitInstanceCreationExpression(node);
+  }
+}