npm - @sun-asterisk/sunlint - Versions diffs - 1.3.43 → 1.3.44 - Mend

@sun-asterisk/sunlint 1.3.43 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dart_analyzer/lib/rules/security/S056_log_injection_protection.dart ADDED Viewed

@@ -0,0 +1,119 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S056: Log Injection Protection
+/// Sanitize user input before logging to prevent log injection
+class S056LogInjectionProtectionAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S056';
+  // Logging methods
+  static const _logMethods = [
+    'log', 'info', 'debug', 'warn', 'warning', 'error', 'trace',
+    'verbose', 'print', 'writeln',
+  ];
+  // User input indicators - be specific to avoid false positives
+  static const _userInputPatterns = [
+    'request.body', 'request.query', 'request.params', 'request.input',
+    'req.body', 'req.query', 'req.params', 'req.input',
+    'userinput', 'user_input', 'userdata', 'user_data',
+    'forminput', 'form_input', 'formdata', 'form_data',
+    'rawbody', 'raw_body', 'rawinput', 'raw_input',
+  ];
+  // Safe patterns that should be skipped
+  static const _safePatterns = [
+    'requestoptions', 'request_options', 'response',
+    'statuscode', 'status_code', 'path', 'url', 'method',
+    'contenttype', 'content_type', 'headers',
+    // Controller values - sanitized by framework
+    'controller', '.text', '.value',
+    // Class/widget names containing "forminput" but not actual user input
+    'forminputbirthday', 'forminputname', 'forminputemail', 'forminputphone',
+    'forminputaddress', 'forminputcard', 'forminputpassword',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S056Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S056Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S056LogInjectionProtectionAnalyzer analyzer;
+  _S056Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    bool isLogMethod = S056LogInjectionProtectionAnalyzer._logMethods
+        .any((m) => methodName == m || methodName.endsWith(m));
+    if (isLogMethod) {
+      for (final arg in node.argumentList.arguments) {
+        final argSource = arg.toSource().toLowerCase().replaceAll('_', '');
+        // Skip safe patterns (response metadata, etc.)
+        bool isSafe = S056LogInjectionProtectionAnalyzer._safePatterns
+            .any((p) => argSource.contains(p.replaceAll('_', '')));
+        if (isSafe) {
+          continue;
+        }
+        // Check if logging user input
+        bool hasUserInput = S056LogInjectionProtectionAnalyzer._userInputPatterns
+            .any((p) => argSource.contains(p.replaceAll('_', '')));
+        if (hasUserInput) {
+          // Check for sanitization
+          bool isSanitized = argSource.contains('sanitize') ||
+              argSource.contains('escape') ||
+              argSource.contains('encode') ||
+              argSource.contains('replace');
+          if (!isSanitized && (arg is StringInterpolation || arg is SimpleIdentifier)) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'Log injection risk - sanitize user input before logging',
+            ));
+            break;
+          }
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S057_utc_logging.dart ADDED Viewed

@@ -0,0 +1,114 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S057: UTC Logging
+/// Use UTC timestamps in logs for consistency across time zones
+class S057UtcLoggingAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S057';
+  // Logging methods
+  static const _logMethods = [
+    'log', 'info', 'debug', 'warn', 'warning', 'error', 'trace',
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S057Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S057Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S057UtcLoggingAnalyzer analyzer;
+  _S057Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    bool isLogMethod = S057UtcLoggingAnalyzer._logMethods
+        .any((m) => methodName == m);
+    if (isLogMethod) {
+      final source = node.toSource().toLowerCase();
+      // Check for DateTime.now() without .toUtc()
+      if (source.contains('datetime.now()') && !source.contains('.toutc()')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Use UTC timestamps in logs - call .toUtc() on DateTime',
+        ));
+      }
+      // Check for local time methods
+      if (source.contains('tolocal()') || source.contains('localtime')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Avoid local time in logs - use UTC for consistency',
+        ));
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final varName = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    // Only check for LOG timestamp variables, not general timestamps
+    // uploadTimestamp, activityTime, etc. are NOT logging timestamps
+    // Must have 'log' in name to be considered a logging timestamp
+    bool isLogTimestamp = (varName.contains('log') && varName.contains('time')) ||
+        (varName.contains('log') && varName.contains('timestamp')) ||
+        varName == 'logtime' || varName == 'log_time' ||
+        varName == 'logtimestamp' || varName == 'log_timestamp';
+    if (isLogTimestamp && initializer != null) {
+      final initSource = initializer.toSource().toLowerCase();
+      if (initSource.contains('datetime.now()') && !initSource.contains('.toutc()')) {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'Log timestamp should use UTC',
+        ));
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S058_no_ssrf.dart ADDED Viewed

@@ -0,0 +1,175 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S058: No SSRF (Server-Side Request Forgery)
+/// Prevent SSRF attacks by validating URLs from user input
+class S058NoSsrfAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S058';
+  // HTTP request methods - must be actual HTTP client methods
+  static const _httpMethods = [
+    'fetch', 'httprequest', 'http_request',
+  ];
+  // HTTP client names - check target/receiver
+  static const _httpClients = [
+    'http', 'dio', 'client', 'httpclient', 'http_client',
+    'request', 'axios', 'fetch',
+  ];
+  // User input indicators - be more specific to avoid false positives
+  static const _userInputPatterns = [
+    'request.body', 'request.query', 'request.params', 'request.url',
+    'req.body', 'req.query', 'req.params', 'req.url',
+    'userinput', 'user_input', 'userurl', 'user_url',
+    'externalurl', 'external_url', 'remoteurl', 'remote_url',
+    'targeturl', 'target_url',
+  ];
+  // Variable names that suggest user input
+  static final _userInputVarPatterns = [
+    RegExp(r'\buserurl\b', caseSensitive: false),
+    RegExp(r'\buser_url\b', caseSensitive: false),
+    RegExp(r'\btargeturl\b', caseSensitive: false),
+    RegExp(r'\btarget_url\b', caseSensitive: false),
+    RegExp(r'\bexternalurl\b', caseSensitive: false),
+    RegExp(r'\bexternal_url\b', caseSensitive: false),
+  ];
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S058Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S058Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S058NoSsrfAnalyzer analyzer;
+  _S058Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    final source = node.toSource().toLowerCase();
+    // Check if this is an HTTP client method call
+    bool isHttpRequest = S058NoSsrfAnalyzer._httpMethods
+        .any((m) => methodName == m);
+    // Check target/receiver for HTTP client usage
+    final target = node.target?.toSource().toLowerCase() ?? '';
+    bool isHttpClient = S058NoSsrfAnalyzer._httpClients
+        .any((c) => target.contains(c));
+    // Check for common HTTP patterns: dio.get(), http.post(), client.request()
+    bool isHttpOp = (methodName == 'get' || methodName == 'post' ||
+        methodName == 'put' || methodName == 'patch' ||
+        methodName == 'delete' || methodName == 'head') && isHttpClient;
+    if (isHttpRequest || isHttpOp) {
+      // Check if URL comes from user input
+      for (final arg in node.argumentList.arguments) {
+        final argSource = arg.toSource().toLowerCase();
+        // Check against string patterns
+        bool isUserInput = S058NoSsrfAnalyzer._userInputPatterns
+            .any((p) => argSource.contains(p));
+        // Check against variable name patterns (e.g., userUrl parameter)
+        if (!isUserInput) {
+          isUserInput = S058NoSsrfAnalyzer._userInputVarPatterns
+              .any((p) => p.hasMatch(argSource));
+        }
+        if (isUserInput) {
+          // Check for URL validation
+          bool hasValidation = argSource.contains('validate') ||
+              argSource.contains('whitelist') ||
+              argSource.contains('allowlist') ||
+              argSource.contains('isallowed') ||
+              argSource.contains('is_allowed');
+          if (!hasValidation) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'SSRF risk - validate/whitelist URLs from user input',
+            ));
+          }
+          break;
+        }
+      }
+    }
+    super.visitMethodInvocation(node);
+  }
+  @override
+  void visitInstanceCreationExpression(InstanceCreationExpression node) {
+    final typeName = node.constructorName.type.name2.lexeme;
+    // Check for Uri construction with user input
+    if (typeName == 'Uri') {
+      for (final arg in node.argumentList.arguments) {
+        final argSource = arg.toSource().toLowerCase();
+        // Check against string patterns
+        bool isUserInput = S058NoSsrfAnalyzer._userInputPatterns
+            .any((p) => argSource.contains(p));
+        // Check against variable name patterns
+        if (!isUserInput) {
+          isUserInput = S058NoSsrfAnalyzer._userInputVarPatterns
+              .any((p) => p.hasMatch(argSource));
+        }
+        if (isUserInput) {
+          // Check for validation
+          bool hasValidation = argSource.contains('validate') ||
+              argSource.contains('whitelist') ||
+              argSource.contains('allowlist');
+          if (!hasValidation) {
+            violations.add(analyzer.createViolation(
+              filePath: filePath,
+              line: analyzer.getLine(lineInfo, node.offset),
+              column: analyzer.getColumn(lineInfo, node.offset),
+              message: 'SSRF risk - Uri created from user input without validation',
+            ));
+          }
+          break;
+        }
+      }
+    }
+    super.visitInstanceCreationExpression(node);
+  }
+}

package/dart_analyzer/lib/rules/security/S059_disable_debug_mode.dart ADDED Viewed

@@ -0,0 +1,172 @@
+import 'package:analyzer/dart/ast/ast.dart';
+import 'package:analyzer/dart/ast/visitor.dart';
+import 'package:analyzer/source/line_info.dart';
+import '../../models/rule.dart';
+import '../../models/violation.dart';
+import '../base_analyzer.dart';
+/// S059: Disable debug modes in production environments
+/// Detect hardcoded debug modes and development features
+class S059DisableDebugModeAnalyzer extends BaseAnalyzer {
+  @override
+  String get ruleId => 'S059';
+  @override
+  List<Violation> analyze({
+    required CompilationUnit unit,
+    required String filePath,
+    required Rule rule,
+    required LineInfo lineInfo,
+  }) {
+    final violations = <Violation>[];
+    final visitor = _S059Visitor(
+      filePath: filePath,
+      lineInfo: lineInfo,
+      violations: violations,
+      analyzer: this,
+    );
+    unit.accept(visitor);
+    return violations;
+  }
+}
+class _S059Visitor extends RecursiveAstVisitor<void> {
+  final String filePath;
+  final LineInfo lineInfo;
+  final List<Violation> violations;
+  final S059DisableDebugModeAnalyzer analyzer;
+  _S059Visitor({
+    required this.filePath,
+    required this.lineInfo,
+    required this.violations,
+    required this.analyzer,
+  });
+  @override
+  void visitVariableDeclaration(VariableDeclaration node) {
+    final name = node.name.lexeme.toLowerCase();
+    final initializer = node.initializer;
+    // Check for debug flags hardcoded to true
+    if ((name == 'debug' ||
+            name == 'isdebug' ||
+            name == 'debugmode' ||
+            name == 'is_debug') &&
+        initializer != null) {
+      final value = initializer.toSource().toLowerCase();
+      if (value == 'true') {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message: 'DEBUG hardcoded to true - use environment variable',
+        ));
+      }
+    }
+    // Check for verbose/logging flags
+    if ((name == 'verbose' || name == 'enablelogging') &&
+        initializer != null) {
+      final value = initializer.toSource().toLowerCase();
+      if (value == 'true') {
+        violations.add(analyzer.createViolation(
+          filePath: filePath,
+          line: analyzer.getLine(lineInfo, node.offset),
+          column: analyzer.getColumn(lineInfo, node.offset),
+          message:
+              'Verbose logging hardcoded to true - disable in production',
+        ));
+      }
+    }
+    super.visitVariableDeclaration(node);
+  }
+  @override
+  void visitNamedExpression(NamedExpression node) {
+    final name = node.name.label.name.toLowerCase();
+    final value = node.expression.toSource().toLowerCase();
+    // Check for debugShowCheckedModeBanner (Flutter)
+    if (name == 'debugshowcheckedmodebanner' && value == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'debugShowCheckedModeBanner: true - set to false in production',
+      ));
+    }
+    // Check for showPerformanceOverlay
+    if (name == 'showperformanceoverlay' && value == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'showPerformanceOverlay: true - disable in production',
+      ));
+    }
+    // Check for debugPaintSizeEnabled
+    if (name == 'debugpaintsizeenabled' && value == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'debugPaintSizeEnabled: true - disable in production',
+      ));
+    }
+    // Check for checkerboardRasterCacheImages
+    if (name == 'checkerboardrastercacheimages' && value == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message:
+            'checkerboardRasterCacheImages: true - disable in production',
+      ));
+    }
+    super.visitNamedExpression(node);
+  }
+  @override
+  void visitAssignmentExpression(AssignmentExpression node) {
+    final left = node.leftHandSide.toSource().toLowerCase();
+    final right = node.rightHandSide.toSource().toLowerCase();
+    // Check for debug assignments
+    if ((left.contains('debug') || left.contains('isdebug')) &&
+        right == 'true') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'Debug mode enabled - use environment check for production',
+      ));
+    }
+    super.visitAssignmentExpression(node);
+  }
+  @override
+  void visitMethodInvocation(MethodInvocation node) {
+    final methodName = node.methodName.name.toLowerCase();
+    // Check for debugPrint in production code
+    if (methodName == 'debugprint') {
+      violations.add(analyzer.createViolation(
+        filePath: filePath,
+        line: analyzer.getLine(lineInfo, node.offset),
+        column: analyzer.getColumn(lineInfo, node.offset),
+        message: 'debugPrint() found - use proper logging or remove in production',
+      ));
+    }
+    super.visitMethodInvocation(node);
+  }
+}