npm - @sun-asterisk/sunlint - Versions diffs - 1.3.45 → 1.3.47 - Mend

@sun-asterisk/sunlint 1.3.45 → 1.3.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/skill-assets/sunlint-code-quality/rules/ruby/C029-catch-log-root-cause.md ADDED Viewed

@@ -0,0 +1,34 @@
+---
+title: Catch and Log Root Cause
+impact: MEDIUM
+impactDescription: facilitates faster debugging and resolution
+tags: error-handling, maintenance, quality
+---
+## Catch and Log Root Cause
+When catching an error, ensure you log the original error message and backtrace to facilitate debugging.
+**Incorrect (losing context):**
+```ruby
+begin
+  process_data
+rescue => e
+  Rails.logger.error "Something went wrong" # No root cause logged
+end
+```
+**Correct (logging root cause):**
+```ruby
+begin
+  process_data
+rescue => e
+  Rails.logger.error "Data processing failed: #{e.message}"
+  Rails.logger.error e.backtrace.join("\n") # Log backtrace for context
+end
+```
+**Tools:** Manual Review, Sentry/Honeybadger
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C030-custom-error-classes.md ADDED Viewed

@@ -0,0 +1,32 @@
+---
+title: Use Custom Error Classes
+impact: LOW
+impactDescription: allows specific rescue blocks and better error hierarchy
+tags: error-handling, architecture, quality
+---
+## Use Custom Error Classes
+Define specific error classes for your application domain rather than relying on generic ones.
+**Incorrect (generic errors):**
+```ruby
+def process(amount)
+  raise "Invalid amount" if amount <= 0 # Generic RuntimeError
+end
+```
+**Correct (custom errors):**
+```ruby
+class PaymentError < StandardError; end
+class InvalidAmountError < PaymentError; end
+def process(amount)
+  raise InvalidAmountError, "Amount must be positive" if amount <= 0
+end
+```
+**Tools:** PR review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C033-separate-data-access.md ADDED Viewed

@@ -0,0 +1,52 @@
+---
+title: Separate Processing and Data Access
+impact: HIGH
+impactDescription: enables testable business logic and better code organization
+tags: separation-of-concerns, repository, service, architecture, quality
+---
+## Separate Processing and Data Access
+Keep business logic separate from direct database access. Use Service Objects to handle logic and ActiveRecord models primarily for data access and persistence.
+**Incorrect (mixed concerns):**
+```ruby
+class OrderController < ApplicationController
+  def create
+    # Business logic in controller
+    if params[:amount] > 100
+      discount = params[:amount] * 0.1
+      total = params[:amount] - discount
+    end
+    Order.create(amount: total, user_id: current_user.id)
+  end
+end
+```
+**Correct (separated concerns):**
+```ruby
+# app/services/create_order_service.rb
+class CreateOrderService
+  def initialize(user, params)
+    @user = user
+    @params = params
+  end
+  def call
+    total = calculate_total(@params[:amount])
+    Order.create!(amount: total, user: @user)
+  end
+  private
+  def calculate_total(amount)
+    return amount if amount <= 100
+    amount * 0.9
+  end
+end
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C035-error-context-logging.md ADDED Viewed

@@ -0,0 +1,34 @@
+---
+title: Include Context in Error Logging
+impact: MEDIUM
+impactDescription: provides necessary details for triaging issues
+tags: logging, error-handling, maintenance, quality
+---
+## Include Context in Error Logging
+When an error occurs, include relevant contextual data (IDs, parameters, state) in the log message.
+**Incorrect (missing context):**
+```ruby
+begin
+  update_profile(params)
+rescue => e
+  Rails.logger.error "Profile update failed: #{e.message}"
+end
+```
+**Correct (with context):**
+```ruby
+begin
+  update_profile(params)
+rescue => e
+  # Log which record failed and with what data
+  Rails.logger.error "Profile update failed for User ID: #{current_user.id}. Params: #{params.inspect}. Error: #{e.message}"
+end
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C041-no-hardcoded-secrets.md ADDED Viewed

@@ -0,0 +1,29 @@
+---
+title: No Hardcoded Secrets
+impact: CRITICAL
+impactDescription: prevents sensitive data exposure and potential security breaches
+tags: security, secrets, vulnerability, quality
+---
+## No Hardcoded Secrets
+Never hardcode passwords, API keys, or tokens in your source code. Use environment variables or encrypted credential files.
+**Incorrect (hardcoded secret):**
+```ruby
+client = Stripe::Client.new(api_key: "sk_test_51Mz...")
+```
+**Correct (config/credentials):**
+```ruby
+# Using Rails credentials
+client = Stripe::Client.new(api_key: Rails.application.credentials.stripe_api_key)
+# Or using ENV
+client = Stripe::Client.new(api_key: ENV['STRIPE_API_KEY'])
+```
+**Tools:** git-secrets, Brakeman, RuboCop
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C042-boolean-naming.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Boolean Naming Conventions
+impact: LOW
+impactDescription: improves readability and makes boolean logic intuitive
+tags: naming, boolean, readability, conventions, quality
+---
+## Boolean Naming Conventions
+In Ruby, boolean-returning methods (predicates) should always end with a question mark (`?`). Avoid prefixes like `is_` or `has_` except when it makes sense as part of the method name before the `?`.
+**Incorrect (vague or non-idiomatic):**
+```ruby
+def valid
+  # returns true/false
+end
+def is_admin
+end
+```
+**Correct (Ruby idiomatic predicate):**
+```ruby
+# Standard Ruby Style
+def valid?
+end
+def admin?
+end
+def has_permission?
+end
+```
+**Tools:** RuboCop (`Naming/PredicateName`)
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C052-controller-parsing.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: Use Strong Parameters for Controller Input
+impact: HIGH
+impactDescription: prevents Mass Assignment vulnerabilities
+tags: rails, security, mass-assignment, vulnerability, quality
+---
+## Use Strong Parameters for Controller Input
+Explicitly define which parameters are allowed for mass assignment in Rails controllers to prevent malicious users from updating unintended fields.
+**Incorrect (unsafe params):**
+```ruby
+def update
+  @user = User.find(params[:id])
+  @user.update(params[:user]) # Mass alignment vulnerability
+end
+```
+**Correct (strong parameters):**
+```ruby
+def update
+  @user = User.find(params[:id])
+  @user.update(user_params)
+end
+private
+def user_params
+  params.require(:user).permit(:first_name, :last_name, :email)
+end
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C060-superclass-logic.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Use Composition and Concerns over Deep Inheritance
+impact: MEDIUM
+impactDescription: avoids fragile base classes and promotes reusable logic
+tags: architecture, inheritance, composition, rails-concerns, quality
+---
+## Use Composition and Concerns over Deep Inheritance
+Avoid deep class hierarchies. In Rails, use `ActiveSupport::Concern` to extract shared behavior into modules that can be included in multiple classes.
+**Incorrect (deep inheritance):**
+```ruby
+class BaseUser < ActiveRecord::Base; end
+class StaffUser < BaseUser; end
+class AdminUser < StaffUser; end # Too deep, fragile
+```
+**Correct (using concerns):**
+```ruby
+# app/models/concerns/authenticatable.rb
+module Authenticatable
+  extend ActiveSupport::Concern
+  included do
+    validates :email, presence: true
+  end
+end
+class User < ApplicationRecord
+  include Authenticatable
+end
+```
+**Tools:** RuboCop
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C067-no-hardcoded-config.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: No Hardcoded Configuration
+impact: MEDIUM
+impactDescription: enables environment-specific configurations without code changes
+tags: configuration, environment, quality
+---
+## No Hardcoded Configuration
+Avoid hardcoding settings like service endpoints, timeouts, or business thresholds in the code. Use configuration files or environment variables.
+**Incorrect (hardcoded values):**
+```ruby
+class ExternalApi
+  def endpoint
+    "https://api.production.com/v1" # Hardcoded URL
+  end
+end
+```
+**Correct (configured values):**
+```ruby
+# config/settings.yml
+# production:
+#   api_endpoint: "https://api.production.com/v1"
+class ExternalApi
+  def endpoint
+    Rails.configuration.api_endpoint
+  end
+end
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S003-open-redirect.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: URL Redirects Must Be In Allow List
+impact: LOW
+impactDescription: prevents open redirect vulnerabilities
+tags: redirect, url, allow-list, validation, security
+---
+## URL Redirects Must Be In Allow List
+Open redirect vulnerabilities allows attackers to redirect users to malicious sites, often used in phishing attacks. In Rails, always validate external redirects.
+**Incorrect (unvalidated redirect URL):**
+```ruby
+# Open redirect vulnerability
+def redirect_to_url
+  url = params[:url]
+  redirect_to url # Attacker: ?url=https://evil.com
+end
+```
+**Correct (allow list or relative path):**
+```ruby
+ALLOWED_HOSTS = ['example.com', 'app.example.com']
+def redirect_to_url
+  url = params[:url]
+  uri = URI.parse(url)
+  if ALLOWED_HOSTS.include?(uri.host)
+    redirect_to url, allow_other_host: true
+  else
+    redirect_to root_path, alert: "Invalid redirect"
+  end
+rescue URI::InvalidURIError
+  redirect_to root_path
+end
+# Or force relative path
+def safe_redirect
+  path = params[:path]
+  # Ensure it starts with / and not //
+  if path.start_with?('/') && !path.start_with?('//')
+    redirect_to path
+  else
+    redirect_to root_path
+  end
+end
+```
+**Protection strategies:**
+1. Allow list of trusted domains via `allow_other_host: true` after validation.
+2. Use relative URLs only.
+3. Validate URIs with `URI.parse`.
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S004-no-log-credentials.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: No Sensitive Information in Logs
+impact: HIGH
+impactDescription: prevents accidental exposure of credentials in logs
+tags: security, logging, credentials, vulnerability
+---
+## No Sensitive Information in Logs
+Ensure sensitive data like passwords, credit card numbers, and tokens are filtered from application logs.
+**Incorrect (logging sensitive data):**
+```ruby
+# In a controller
+def create
+  Rails.logger.info "Creating user with params: #{params.inspect}"
+  # Log output: ... "password"=>"secret123", "credit_card"=>"1234..."
+end
+```
+**Correct (parameter filtering):**
+```ruby
+# config/initializers/filter_parameter_logging.rb
+Rails.application.config.filter_parameters += [
+  :password, :password_confirmation, :token, :credit_card, :ssn
+]
+# In controller
+def create
+  # Parameters will be automatically filtered in logs
+  # Log output: ... "password"=>"[FILTERED]"
+end
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S005-server-authorization.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: Ensure Proper Server-Side Authorization
+impact: CRITICAL
+impactDescription: prevents unauthorized access to resources and data
+tags: security, authorization, access-control, quality
+---
+## Ensure Proper Server-Side Authorization
+Always verify that the current user has permission to perform the requested action on the specific resource. Do not rely solely on authentication.
+**Incorrect (missing authorization):**
+```ruby
+def show
+  @post = Post.find(params[:id])
+  # No check if @post belongs to current_user
+end
+```
+**Correct (using Pundit or CanCanCan):**
+```ruby
+# Using Pundit
+def show
+  @post = Post.find(params[:id])
+  authorize @post # Checks PostPolicy#show?
+end
+# Using scopes
+def index
+  @posts = policy_scope(Post) # Only returns posts user can see
+end
+```
+**Tools:** Brakeman, Pundit, CanCanCan
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S006-default-credentials.md ADDED Viewed

@@ -0,0 +1,29 @@
+---
+title: Avoid Default Credentials
+impact: CRITICAL
+impactDescription: prevents easy access for attackers through well-known defaults
+tags: security, credentials, authentication, hardcoded
+---
+## Avoid Default Credentials
+Never use default passwords or hardcoded administrative credentials in production. Ensure every environment has unique, strong credentials.
+**Incorrect (default values in code):**
+```ruby
+ADMIN_PASSWORD = "admin" # Default password
+```
+**Correct (randomized or environment-specific):**
+```ruby
+# Use Rails credentials
+ADMIN_PASSWORD = Rails.application.credentials.admin_password
+# Or use ENV with a fail-safe check
+raise "Set ADMIN_PASSWORD" if Rails.env.production? && ENV['ADMIN_PASSWORD'].blank?
+```
+**Tools:** Manual Review, Security audits
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S007-output-encoding.md ADDED Viewed

@@ -0,0 +1,31 @@
+---
+title: Use Safe Output Encoding
+impact: HIGH
+impactDescription: prevents Cross-Site Scripting (XSS) attacks
+tags: security, xss, encoding, rails-erb
+---
+## Use Safe Output Encoding
+Rails ERB automatically escapes output by default. Avoid using `.html_safe` or `raw` on user-supplied data as it bypasses this protection.
+**Incorrect (bypassing auto-escaping):**
+```erb
+<%# XSS vulnerability if params[:name] contains <script> %>
+<%= raw "Hello, #{params[:name]}" %>
+<%= "Your bio: #{user.bio}".html_safe %>
+```
+**Correct (relying on auto-escaping):**
+```erb
+<%# Safe by default %>
+<%= "Hello, #{params[:name]}" %>
+<%# If you must use HTML, sanitize it %>
+<%= sanitize(user.bio) %>
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S009-approved-crypto.md ADDED Viewed

@@ -0,0 +1,31 @@
+---
+title: Use Approved Cryptographic Algorithms
+impact: CRITICAL
+impactDescription: ensures data is protected by strong, vetted encryption
+tags: security, cryptography, encryption, standards
+---
+## Use Approved Cryptographic Algorithms
+Avoid custom or weak cryptographic algorithms (like MD5, SHA1 for passwords). Use industry standards like AES-256 for encryption and BCrypt for password hashing.
+**Incorrect (weak or custom crypto):**
+```ruby
+# MD5 is insecure for password hashing
+digest = Digest::MD5.hexdigest(password)
+```
+**Correct (industry standards):**
+```ruby
+# For passwords
+password_digest = BCrypt::Password.create(password)
+# For symmetric encryption (Rails MessageEncryptor uses AES-256-GCM by default)
+crypt = ActiveSupport::MessageEncryptor.new(key)
+encrypted_data = crypt.encrypt_and_sign(data)
+```
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S010-csprng.md ADDED Viewed

@@ -0,0 +1,30 @@
+---
+title: Use Cryptographically Secure Pseudo-Random Number Generators (CSPRNG)
+impact: HIGH
+impactDescription: prevents predictable random values that can be exploited
+tags: security, cryptography, random
+---
+## Use CSPRNG
+For security-sensitive random values (tokens, salts, temporary passwords), use `SecureRandom` instead of the basic `rand` method.
+**Incorrect (predictable random):**
+```ruby
+# rand is not cryptographically secure
+temp_token = rand(100000..999999).to_s
+```
+**Correct (SecureRandom):**
+```ruby
+require 'securerandom'
+# Use hex, base64 or uuid for unique tokens
+temp_token = SecureRandom.hex(16)
+session_token = SecureRandom.uuid
+```
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S011-encrypted-client-hello.md ADDED Viewed

@@ -0,0 +1,27 @@
+---
+title: Encrypted Connection Parameters
+impact: MEDIUM
+impactDescription: ensures sensitive connection details are not exposed in transport or transit
+tags: security, encryption, connections
+---
+## Encrypted Connection Parameters
+Ensure connection strings and parameters for external services are encrypted or managed via secure credential stores.
+**Incorrect (plaintext secrets in strings):**
+```ruby
+DATABASE_URL = "postgres://user:mypassword@db.example.com/mydb"
+```
+**Correct (using credentials):**
+```ruby
+# In database.yml
+# production:
+#   url: <%= Rails.application.credentials.db_url %>
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S012-secrets-management.md ADDED Viewed

@@ -0,0 +1,28 @@
+---
+title: Use Secure Secrets Management
+impact: CRITICAL
+impactDescription: prevents secrets from being leaked through source control or compromised environments
+tags: security, secrets, infrastructure
+---
+## Use Secure Secrets Management
+Use specialized secrets management tools (HCP Vault, AWS Secrets Manager, Rails Credentials) instead of plaintext environment variables or local files.
+**Incorrect (plaintext file or hardcoded):**
+```ruby
+# .env file (often accidentally committed)
+API_KEY=12345
+```
+**Correct (Rails Credentials):**
+```ruby
+# EDITOR=vim rails credentials:edit
+# This creates/edits config/credentials.yml.enc (encrypted)
+api_key = Rails.application.credentials.api_key
+```
+**Tools:** Brakeman, git-secrets
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S013-tls-connections.md ADDED Viewed

@@ -0,0 +1,30 @@
+---
+title: Use TLS for All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from eavesdropping and interception
+tags: security, tls, ssl, transport
+---
+## Use TLS for All Connections
+Always use HTTPS/TLS for all external API calls and database connections. In Rails, enforce SSL application-wide.
+**Incorrect (insecure protocol):**
+```ruby
+# HTTP is insecure
+response = Net::HTTP.get(URI("http://api.example.com/data"))
+```
+**Correct (force SSL/TLS):**
+```ruby
+# config/environments/production.rb
+config.force_ssl = true
+# Using secure protocol
+response = Net::HTTP.get(URI("https://api.example.com/data"))
+```
+**Tools:** Brakeman, Manual Review
+---