npm - @sun-asterisk/sunlint - Versions diffs - 1.3.46 → 1.3.47 - Mend

@sun-asterisk/sunlint 1.3.46 → 1.3.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/skill-assets/sunlint-code-quality/rules/ruby/C041-no-hardcoded-secrets.md ADDED Viewed

@@ -0,0 +1,29 @@
+---
+title: No Hardcoded Secrets
+impact: CRITICAL
+impactDescription: prevents sensitive data exposure and potential security breaches
+tags: security, secrets, vulnerability, quality
+---
+## No Hardcoded Secrets
+Never hardcode passwords, API keys, or tokens in your source code. Use environment variables or encrypted credential files.
+**Incorrect (hardcoded secret):**
+```ruby
+client = Stripe::Client.new(api_key: "sk_test_51Mz...")
+```
+**Correct (config/credentials):**
+```ruby
+# Using Rails credentials
+client = Stripe::Client.new(api_key: Rails.application.credentials.stripe_api_key)
+# Or using ENV
+client = Stripe::Client.new(api_key: ENV['STRIPE_API_KEY'])
+```
+**Tools:** git-secrets, Brakeman, RuboCop
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C042-boolean-naming.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Boolean Naming Conventions
+impact: LOW
+impactDescription: improves readability and makes boolean logic intuitive
+tags: naming, boolean, readability, conventions, quality
+---
+## Boolean Naming Conventions
+In Ruby, boolean-returning methods (predicates) should always end with a question mark (`?`). Avoid prefixes like `is_` or `has_` except when it makes sense as part of the method name before the `?`.
+**Incorrect (vague or non-idiomatic):**
+```ruby
+def valid
+  # returns true/false
+end
+def is_admin
+end
+```
+**Correct (Ruby idiomatic predicate):**
+```ruby
+# Standard Ruby Style
+def valid?
+end
+def admin?
+end
+def has_permission?
+end
+```
+**Tools:** RuboCop (`Naming/PredicateName`)
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C052-controller-parsing.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: Use Strong Parameters for Controller Input
+impact: HIGH
+impactDescription: prevents Mass Assignment vulnerabilities
+tags: rails, security, mass-assignment, vulnerability, quality
+---
+## Use Strong Parameters for Controller Input
+Explicitly define which parameters are allowed for mass assignment in Rails controllers to prevent malicious users from updating unintended fields.
+**Incorrect (unsafe params):**
+```ruby
+def update
+  @user = User.find(params[:id])
+  @user.update(params[:user]) # Mass alignment vulnerability
+end
+```
+**Correct (strong parameters):**
+```ruby
+def update
+  @user = User.find(params[:id])
+  @user.update(user_params)
+end
+private
+def user_params
+  params.require(:user).permit(:first_name, :last_name, :email)
+end
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C060-superclass-logic.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Use Composition and Concerns over Deep Inheritance
+impact: MEDIUM
+impactDescription: avoids fragile base classes and promotes reusable logic
+tags: architecture, inheritance, composition, rails-concerns, quality
+---
+## Use Composition and Concerns over Deep Inheritance
+Avoid deep class hierarchies. In Rails, use `ActiveSupport::Concern` to extract shared behavior into modules that can be included in multiple classes.
+**Incorrect (deep inheritance):**
+```ruby
+class BaseUser < ActiveRecord::Base; end
+class StaffUser < BaseUser; end
+class AdminUser < StaffUser; end # Too deep, fragile
+```
+**Correct (using concerns):**
+```ruby
+# app/models/concerns/authenticatable.rb
+module Authenticatable
+  extend ActiveSupport::Concern
+  included do
+    validates :email, presence: true
+  end
+end
+class User < ApplicationRecord
+  include Authenticatable
+end
+```
+**Tools:** RuboCop
+---

package/skill-assets/sunlint-code-quality/rules/ruby/C067-no-hardcoded-config.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: No Hardcoded Configuration
+impact: MEDIUM
+impactDescription: enables environment-specific configurations without code changes
+tags: configuration, environment, quality
+---
+## No Hardcoded Configuration
+Avoid hardcoding settings like service endpoints, timeouts, or business thresholds in the code. Use configuration files or environment variables.
+**Incorrect (hardcoded values):**
+```ruby
+class ExternalApi
+  def endpoint
+    "https://api.production.com/v1" # Hardcoded URL
+  end
+end
+```
+**Correct (configured values):**
+```ruby
+# config/settings.yml
+# production:
+#   api_endpoint: "https://api.production.com/v1"
+class ExternalApi
+  def endpoint
+    Rails.configuration.api_endpoint
+  end
+end
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S003-open-redirect.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: URL Redirects Must Be In Allow List
+impact: LOW
+impactDescription: prevents open redirect vulnerabilities
+tags: redirect, url, allow-list, validation, security
+---
+## URL Redirects Must Be In Allow List
+Open redirect vulnerabilities allows attackers to redirect users to malicious sites, often used in phishing attacks. In Rails, always validate external redirects.
+**Incorrect (unvalidated redirect URL):**
+```ruby
+# Open redirect vulnerability
+def redirect_to_url
+  url = params[:url]
+  redirect_to url # Attacker: ?url=https://evil.com
+end
+```
+**Correct (allow list or relative path):**
+```ruby
+ALLOWED_HOSTS = ['example.com', 'app.example.com']
+def redirect_to_url
+  url = params[:url]
+  uri = URI.parse(url)
+  if ALLOWED_HOSTS.include?(uri.host)
+    redirect_to url, allow_other_host: true
+  else
+    redirect_to root_path, alert: "Invalid redirect"
+  end
+rescue URI::InvalidURIError
+  redirect_to root_path
+end
+# Or force relative path
+def safe_redirect
+  path = params[:path]
+  # Ensure it starts with / and not //
+  if path.start_with?('/') && !path.start_with?('//')
+    redirect_to path
+  else
+    redirect_to root_path
+  end
+end
+```
+**Protection strategies:**
+1. Allow list of trusted domains via `allow_other_host: true` after validation.
+2. Use relative URLs only.
+3. Validate URIs with `URI.parse`.
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S004-no-log-credentials.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: No Sensitive Information in Logs
+impact: HIGH
+impactDescription: prevents accidental exposure of credentials in logs
+tags: security, logging, credentials, vulnerability
+---
+## No Sensitive Information in Logs
+Ensure sensitive data like passwords, credit card numbers, and tokens are filtered from application logs.
+**Incorrect (logging sensitive data):**
+```ruby
+# In a controller
+def create
+  Rails.logger.info "Creating user with params: #{params.inspect}"
+  # Log output: ... "password"=>"secret123", "credit_card"=>"1234..."
+end
+```
+**Correct (parameter filtering):**
+```ruby
+# config/initializers/filter_parameter_logging.rb
+Rails.application.config.filter_parameters += [
+  :password, :password_confirmation, :token, :credit_card, :ssn
+]
+# In controller
+def create
+  # Parameters will be automatically filtered in logs
+  # Log output: ... "password"=>"[FILTERED]"
+end
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S005-server-authorization.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: Ensure Proper Server-Side Authorization
+impact: CRITICAL
+impactDescription: prevents unauthorized access to resources and data
+tags: security, authorization, access-control, quality
+---
+## Ensure Proper Server-Side Authorization
+Always verify that the current user has permission to perform the requested action on the specific resource. Do not rely solely on authentication.
+**Incorrect (missing authorization):**
+```ruby
+def show
+  @post = Post.find(params[:id])
+  # No check if @post belongs to current_user
+end
+```
+**Correct (using Pundit or CanCanCan):**
+```ruby
+# Using Pundit
+def show
+  @post = Post.find(params[:id])
+  authorize @post # Checks PostPolicy#show?
+end
+# Using scopes
+def index
+  @posts = policy_scope(Post) # Only returns posts user can see
+end
+```
+**Tools:** Brakeman, Pundit, CanCanCan
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S006-default-credentials.md ADDED Viewed

@@ -0,0 +1,29 @@
+---
+title: Avoid Default Credentials
+impact: CRITICAL
+impactDescription: prevents easy access for attackers through well-known defaults
+tags: security, credentials, authentication, hardcoded
+---
+## Avoid Default Credentials
+Never use default passwords or hardcoded administrative credentials in production. Ensure every environment has unique, strong credentials.
+**Incorrect (default values in code):**
+```ruby
+ADMIN_PASSWORD = "admin" # Default password
+```
+**Correct (randomized or environment-specific):**
+```ruby
+# Use Rails credentials
+ADMIN_PASSWORD = Rails.application.credentials.admin_password
+# Or use ENV with a fail-safe check
+raise "Set ADMIN_PASSWORD" if Rails.env.production? && ENV['ADMIN_PASSWORD'].blank?
+```
+**Tools:** Manual Review, Security audits
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S007-output-encoding.md ADDED Viewed

@@ -0,0 +1,31 @@
+---
+title: Use Safe Output Encoding
+impact: HIGH
+impactDescription: prevents Cross-Site Scripting (XSS) attacks
+tags: security, xss, encoding, rails-erb
+---
+## Use Safe Output Encoding
+Rails ERB automatically escapes output by default. Avoid using `.html_safe` or `raw` on user-supplied data as it bypasses this protection.
+**Incorrect (bypassing auto-escaping):**
+```erb
+<%# XSS vulnerability if params[:name] contains <script> %>
+<%= raw "Hello, #{params[:name]}" %>
+<%= "Your bio: #{user.bio}".html_safe %>
+```
+**Correct (relying on auto-escaping):**
+```erb
+<%# Safe by default %>
+<%= "Hello, #{params[:name]}" %>
+<%# If you must use HTML, sanitize it %>
+<%= sanitize(user.bio) %>
+```
+**Tools:** Brakeman, Rails default
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S009-approved-crypto.md ADDED Viewed

@@ -0,0 +1,31 @@
+---
+title: Use Approved Cryptographic Algorithms
+impact: CRITICAL
+impactDescription: ensures data is protected by strong, vetted encryption
+tags: security, cryptography, encryption, standards
+---
+## Use Approved Cryptographic Algorithms
+Avoid custom or weak cryptographic algorithms (like MD5, SHA1 for passwords). Use industry standards like AES-256 for encryption and BCrypt for password hashing.
+**Incorrect (weak or custom crypto):**
+```ruby
+# MD5 is insecure for password hashing
+digest = Digest::MD5.hexdigest(password)
+```
+**Correct (industry standards):**
+```ruby
+# For passwords
+password_digest = BCrypt::Password.create(password)
+# For symmetric encryption (Rails MessageEncryptor uses AES-256-GCM by default)
+crypt = ActiveSupport::MessageEncryptor.new(key)
+encrypted_data = crypt.encrypt_and_sign(data)
+```
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S010-csprng.md ADDED Viewed

@@ -0,0 +1,30 @@
+---
+title: Use Cryptographically Secure Pseudo-Random Number Generators (CSPRNG)
+impact: HIGH
+impactDescription: prevents predictable random values that can be exploited
+tags: security, cryptography, random
+---
+## Use CSPRNG
+For security-sensitive random values (tokens, salts, temporary passwords), use `SecureRandom` instead of the basic `rand` method.
+**Incorrect (predictable random):**
+```ruby
+# rand is not cryptographically secure
+temp_token = rand(100000..999999).to_s
+```
+**Correct (SecureRandom):**
+```ruby
+require 'securerandom'
+# Use hex, base64 or uuid for unique tokens
+temp_token = SecureRandom.hex(16)
+session_token = SecureRandom.uuid
+```
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S011-encrypted-client-hello.md ADDED Viewed

@@ -0,0 +1,27 @@
+---
+title: Encrypted Connection Parameters
+impact: MEDIUM
+impactDescription: ensures sensitive connection details are not exposed in transport or transit
+tags: security, encryption, connections
+---
+## Encrypted Connection Parameters
+Ensure connection strings and parameters for external services are encrypted or managed via secure credential stores.
+**Incorrect (plaintext secrets in strings):**
+```ruby
+DATABASE_URL = "postgres://user:mypassword@db.example.com/mydb"
+```
+**Correct (using credentials):**
+```ruby
+# In database.yml
+# production:
+#   url: <%= Rails.application.credentials.db_url %>
+```
+**Tools:** Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S012-secrets-management.md ADDED Viewed

@@ -0,0 +1,28 @@
+---
+title: Use Secure Secrets Management
+impact: CRITICAL
+impactDescription: prevents secrets from being leaked through source control or compromised environments
+tags: security, secrets, infrastructure
+---
+## Use Secure Secrets Management
+Use specialized secrets management tools (HCP Vault, AWS Secrets Manager, Rails Credentials) instead of plaintext environment variables or local files.
+**Incorrect (plaintext file or hardcoded):**
+```ruby
+# .env file (often accidentally committed)
+API_KEY=12345
+```
+**Correct (Rails Credentials):**
+```ruby
+# EDITOR=vim rails credentials:edit
+# This creates/edits config/credentials.yml.enc (encrypted)
+api_key = Rails.application.credentials.api_key
+```
+**Tools:** Brakeman, git-secrets
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S013-tls-connections.md ADDED Viewed

@@ -0,0 +1,30 @@
+---
+title: Use TLS for All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from eavesdropping and interception
+tags: security, tls, ssl, transport
+---
+## Use TLS for All Connections
+Always use HTTPS/TLS for all external API calls and database connections. In Rails, enforce SSL application-wide.
+**Incorrect (insecure protocol):**
+```ruby
+# HTTP is insecure
+response = Net::HTTP.get(URI("http://api.example.com/data"))
+```
+**Correct (force SSL/TLS):**
+```ruby
+# config/environments/production.rb
+config.force_ssl = true
+# Using secure protocol
+response = Net::HTTP.get(URI("https://api.example.com/data"))
+```
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S016-no-sensitive-query-string.md ADDED Viewed

@@ -0,0 +1,37 @@
+---
+title: Do Not Pass Sensitive Data In Query String
+impact: HIGH
+impactDescription: prevents credential leakage in logs and history
+tags: url, query-string, sensitive-data, leakage, security
+---
+## Do Not Pass Sensitive Data In Query String
+Query strings appear in logs, browser history, referrer headers, and can be cached. Avoid passing tokens, passwords, or PII in URLs.
+**Incorrect (sensitive data in URL):**
+```ruby
+# Tokens/Passwords in GET params
+get "/login?user=admin&token=#{access_token}"
+```
+**Correct (sensitive data in body or headers):**
+```ruby
+# Use POST with Request Body
+post "/login", params: { user: "admin", token: access_token }
+# Pass tokens in Authorization Header
+headers = { 'Authorization' => "Bearer #{access_token}" }
+response = RestClient.get("https://api.example.com", headers)
+```
+**Where query strings leak:**
+- Server access logs (nginx, Apache, Rails logs)
+- Browser history
+- Referrer headers
+- Proxy/CDN logs
+**Tools:** Brakeman, Manual Review
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S017-parameterized-queries.md ADDED Viewed

@@ -0,0 +1,33 @@
+---
+title: Use Parameterized Queries
+impact: CRITICAL
+impactDescription: prevents SQL Injection attacks
+tags: security, sql-injection, database, rails-active-record
+---
+## Use Parameterized Queries
+Never build SQL queries using string interpolation of user-supplied data. Use ActiveRecord's built-in parameterization or sanitization methods.
+**Incorrect (SQL Injection vulnerability):**
+```ruby
+User.where("name = '#{params[:name]}'")
+# Attacker name: ' OR '1'='1
+```
+**Correct (parameterized queries):**
+```ruby
+# Using Hash syntax (auto-parameterized)
+User.where(name: params[:name])
+# Using Array placeholders
+User.where("name = ?", params[:name])
+# Using Named placeholders
+User.where("name = :name", name: params[:name])
+```
+**Tools:** Brakeman, RuboCop (`Rails/WhereNotWithInterpolation`)
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S019-email-input-sanitization.md ADDED Viewed

@@ -0,0 +1,31 @@
+---
+title: Sanitize Email Input
+impact: MEDIUM
+impactDescription: prevents injection attacks via email fields
+tags: security, e-mail, validation, sanitization
+---
+## Sanitize Email Input
+When handling email addresses, validate the format and sanitize the input before using it in mailers or database queries.
+**Incorrect (missing validation):**
+```ruby
+def send_email
+  @user_email = params[:email]
+  UserMailer.welcome(@user_email).deliver_now
+end
+```
+**Correct (regex validation):**
+```ruby
+class User < ApplicationRecord
+  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
+  validates :email, presence: true, format: { with: VALID_EMAIL_REGEX }
+end
+```
+**Tools:** Rails Validations, Mail gem
+---

package/skill-assets/sunlint-code-quality/rules/ruby/S020-eval-code-execution.md ADDED Viewed

@@ -0,0 +1,36 @@
+---
+title: Avoid Dynamic Code Execution
+impact: CRITICAL
+impactDescription: prevents Remote Code Execution (RCE) vulnerabilities
+tags: security, eval, rce, dynamic-code
+---
+## Avoid Dynamic Code Execution
+Avoid using `eval`, `instance_eval`, `class_eval`, or `send` with untrusted user input, as it can lead to arbitrary code execution.
+**Incorrect (unsafe eval):**
+```ruby
+# Extremely dangerous: RCE vulnerability
+eval(params[:code])
+# Dangerous: Method calling vulnerability
+User.send(params[:method]) # Attacker: ?method=destroy_all
+```
+**Correct (safe alternatives):**
+```ruby
+# Use a white-list for dynamic methods
+ALLOWED_METHODS = ['profile', 'settings'].freeze
+if ALLOWED_METHODS.include?(params[:method])
+  user.send(params[:method])
+end
+# Use JSON parser instead of eval for data
+data = JSON.parse(params[:json_string])
+```
+**Tools:** Brakeman, RuboCop (`Security/Eval`)
+---