@sun-asterisk/sunlint 1.3.46 → 1.3.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (102)
  1. package/config/rules/rules-registry-generated.json +1717 -282
  2. package/core/adapters/sunlint-rule-adapter.js +16 -0
  3. package/core/architecture-integration.js +57 -15
  4. package/core/cli-action-handler.js +51 -36
  5. package/core/config-manager.js +6 -0
  6. package/core/config-merger.js +33 -0
  7. package/core/config-validator.js +37 -2
  8. package/core/output-service.js +12 -3
  9. package/core/rule-selection-service.js +24 -3
  10. package/core/scoring-service.js +12 -6
  11. package/core/summary-report-service.js +9 -4
  12. package/engines/heuristic-engine.js +6 -1
  13. package/engines/impact/cli.js +54 -39
  14. package/engines/impact/config/default-config.js +105 -5
  15. package/engines/impact/core/impact-analyzer.js +12 -15
  16. package/engines/impact/core/utils/gitignore-parser.js +123 -0
  17. package/engines/impact/core/utils/method-call-graph.js +272 -87
  18. package/origin-rules/dart-en.md +1 -1
  19. package/origin-rules/go-en.md +231 -0
  20. package/origin-rules/php-en.md +107 -0
  21. package/origin-rules/python-en.md +113 -0
  22. package/origin-rules/ruby-en.md +607 -0
  23. package/package.json +2 -2
  24. package/scripts/copy-arch-detect.js +5 -1
  25. package/scripts/copy-impact-analyzer.js +5 -1
  26. package/scripts/generate-rules-registry.js +30 -14
  27. package/skill-assets/sunlint-code-quality/SKILL.md +3 -2
  28. package/skill-assets/sunlint-code-quality/rules/go/G001-explicit-error-handling.md +53 -0
  29. package/skill-assets/sunlint-code-quality/rules/go/G002-context-first-argument.md +44 -0
  30. package/skill-assets/sunlint-code-quality/rules/go/G003-receiver-consistency.md +38 -0
  31. package/skill-assets/sunlint-code-quality/rules/go/G004-avoid-panic.md +49 -0
  32. package/skill-assets/sunlint-code-quality/rules/go/G005-goroutine-leak-prevention.md +49 -0
  33. package/skill-assets/sunlint-code-quality/rules/go/G006-interface-consumer-definition.md +45 -0
  34. package/skill-assets/sunlint-code-quality/rules/go/GN001-gin-binding-validation.md +57 -0
  35. package/skill-assets/sunlint-code-quality/rules/go/GN002-gin-error-response.md +48 -0
  36. package/skill-assets/sunlint-code-quality/rules/go/GN003-graceful-shutdown.md +57 -0
  37. package/skill-assets/sunlint-code-quality/rules/go/GN004-gin-route-logical-grouping.md +54 -0
  38. package/skill-assets/sunlint-code-quality/rules/ruby/C006-verb-noun-functions.md +63 -0
  39. package/skill-assets/sunlint-code-quality/rules/ruby/C013-no-dead-code.md +48 -0
  40. package/skill-assets/sunlint-code-quality/rules/ruby/C014-dependency-injection.md +42 -0
  41. package/skill-assets/sunlint-code-quality/rules/ruby/C017-no-constructor-logic.md +42 -0
  42. package/skill-assets/sunlint-code-quality/rules/ruby/C018-generic-errors.md +41 -0
  43. package/skill-assets/sunlint-code-quality/rules/ruby/C019-error-log-level.md +41 -0
  44. package/skill-assets/sunlint-code-quality/rules/ruby/C020-no-unused-imports.md +36 -0
  45. package/skill-assets/sunlint-code-quality/rules/ruby/C022-no-unused-variables.md +31 -0
  46. package/skill-assets/sunlint-code-quality/rules/ruby/C023-no-duplicate-names.md +39 -0
  47. package/skill-assets/sunlint-code-quality/rules/ruby/C024-centralize-constants.md +35 -0
  48. package/skill-assets/sunlint-code-quality/rules/ruby/C029-catch-log-root-cause.md +34 -0
  49. package/skill-assets/sunlint-code-quality/rules/ruby/C030-custom-error-classes.md +32 -0
  50. package/skill-assets/sunlint-code-quality/rules/ruby/C033-separate-data-access.md +52 -0
  51. package/skill-assets/sunlint-code-quality/rules/ruby/C035-error-context-logging.md +34 -0
  52. package/skill-assets/sunlint-code-quality/rules/ruby/C041-no-hardcoded-secrets.md +29 -0
  53. package/skill-assets/sunlint-code-quality/rules/ruby/C042-boolean-naming.md +38 -0
  54. package/skill-assets/sunlint-code-quality/rules/ruby/C052-controller-parsing.md +37 -0
  55. package/skill-assets/sunlint-code-quality/rules/ruby/C060-superclass-logic.md +38 -0
  56. package/skill-assets/sunlint-code-quality/rules/ruby/C067-no-hardcoded-config.md +37 -0
  57. package/skill-assets/sunlint-code-quality/rules/ruby/S003-open-redirect.md +58 -0
  58. package/skill-assets/sunlint-code-quality/rules/ruby/S004-no-log-credentials.md +38 -0
  59. package/skill-assets/sunlint-code-quality/rules/ruby/S005-server-authorization.md +37 -0
  60. package/skill-assets/sunlint-code-quality/rules/ruby/S006-default-credentials.md +29 -0
  61. package/skill-assets/sunlint-code-quality/rules/ruby/S007-output-encoding.md +31 -0
  62. package/skill-assets/sunlint-code-quality/rules/ruby/S009-approved-crypto.md +31 -0
  63. package/skill-assets/sunlint-code-quality/rules/ruby/S010-csprng.md +30 -0
  64. package/skill-assets/sunlint-code-quality/rules/ruby/S011-encrypted-client-hello.md +27 -0
  65. package/skill-assets/sunlint-code-quality/rules/ruby/S012-secrets-management.md +28 -0
  66. package/skill-assets/sunlint-code-quality/rules/ruby/S013-tls-connections.md +30 -0
  67. package/skill-assets/sunlint-code-quality/rules/ruby/S016-no-sensitive-query-string.md +37 -0
  68. package/skill-assets/sunlint-code-quality/rules/ruby/S017-parameterized-queries.md +33 -0
  69. package/skill-assets/sunlint-code-quality/rules/ruby/S019-email-input-sanitization.md +31 -0
  70. package/skill-assets/sunlint-code-quality/rules/ruby/S020-eval-code-execution.md +36 -0
  71. package/skill-assets/sunlint-code-quality/rules/ruby/S022-context-escaping.md +36 -0
  72. package/skill-assets/sunlint-code-quality/rules/ruby/S023-dynamic-js-encoding.md +33 -0
  73. package/skill-assets/sunlint-code-quality/rules/ruby/S025-server-validation.md +30 -0
  74. package/skill-assets/sunlint-code-quality/rules/ruby/S026-tls-encryption.md +30 -0
  75. package/skill-assets/sunlint-code-quality/rules/ruby/S027-mtls-validation.md +26 -0
  76. package/skill-assets/sunlint-code-quality/rules/ruby/S028-upload-limits.md +33 -0
  77. package/skill-assets/sunlint-code-quality/rules/ruby/S029-csrf-protection.md +32 -0
  78. package/skill-assets/sunlint-code-quality/rules/ruby/S030-directory-browsing.md +30 -0
  79. package/skill-assets/sunlint-code-quality/rules/ruby/S031-secure-cookie-flag.md +27 -0
  80. package/skill-assets/sunlint-code-quality/rules/ruby/S032-httponly-cookie.md +26 -0
  81. package/skill-assets/sunlint-code-quality/rules/ruby/S033-samesite-cookie.md +29 -0
  82. package/skill-assets/sunlint-code-quality/rules/ruby/S034-host-prefix-cookie.md +30 -0
  83. package/skill-assets/sunlint-code-quality/rules/ruby/S035-app-hostnames.md +28 -0
  84. package/skill-assets/sunlint-code-quality/rules/ruby/S036-internal-file-paths.md +37 -0
  85. package/skill-assets/sunlint-code-quality/rules/ruby/S037-anti-cache-headers.md +31 -0
  86. package/skill-assets/sunlint-code-quality/rules/ruby/S039-tls-certificate-validation.md +29 -0
  87. package/skill-assets/sunlint-code-quality/rules/ruby/S041-logout-invalidation.md +31 -0
  88. package/skill-assets/sunlint-code-quality/rules/ruby/S042-long-lived-sessions.md +27 -0
  89. package/skill-assets/sunlint-code-quality/rules/ruby/S044-critical-changes-reauth.md +34 -0
  90. package/skill-assets/sunlint-code-quality/rules/ruby/S045-brute-force-protection.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/ruby/S047-oauth-csrf-protection.md +33 -0
  92. package/skill-assets/sunlint-code-quality/rules/ruby/S048-oauth-redirect-validation.md +29 -0
  93. package/skill-assets/sunlint-code-quality/rules/ruby/S049-auth-code-expiry.md +31 -0
  94. package/skill-assets/sunlint-code-quality/rules/ruby/S050-token-entropy.md +26 -0
  95. package/skill-assets/sunlint-code-quality/rules/ruby/S051-password-length.md +38 -0
  96. package/skill-assets/sunlint-code-quality/rules/ruby/S052-otp-entropy.md +25 -0
  97. package/skill-assets/sunlint-code-quality/rules/ruby/S053-generic-error-messages.md +33 -0
  98. package/skill-assets/sunlint-code-quality/rules/ruby/S054-no-default-admin.md +29 -0
  99. package/skill-assets/sunlint-code-quality/rules/ruby/S055-content-type-validation.md +24 -0
  100. package/skill-assets/sunlint-code-quality/rules/ruby/S056-log-injection.md +28 -0
  101. package/skill-assets/sunlint-code-quality/rules/ruby/S057-synchronized-time.md +18 -0
  102. package/skill-assets/sunlint-code-quality/rules/ruby/S058-ssrf-protection.md +39 -0
@@ -0,0 +1,24 @@
1
+ ---
2
+ title: Validate Content-Type for Uploads
3
+ impact: MEDIUM
4
+ impactDescription: prevents uploading of malicious executable files disguised as data
5
+ tags: security, uploads, validation, mimetypes
6
+ ---
7
+
8
+ ## Validate Content-Type for Uploads
9
+
10
+ Always validate the `Content-Type` and file extension of uploaded files. Check the magic bytes/file header rather than just the extension.
11
+
12
+ **Correct (ActiveStorage + Marcel):**
13
+
14
+ ```ruby
15
+ # Rails ActiveStorage uses Marcel gem to check magic bytes
16
+ class User < ApplicationRecord
17
+ has_one_attached :avatar
18
+
19
+ validates :avatar, content_type: ['image/png', 'image/jpeg']
20
+ end
21
+ ```
22
+
23
+ **Tools:** ActiveStorage Validations gem
24
+ ---
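Review bot: the `validates :avatar, content_type: [...]` option in the Correct block is not part of Rails itself; it is supplied by the active_storage_validations gem that the Tools line names, yet the comment credits "Rails ActiveStorage" and Marcel, so a reader may copy the validation without the dependency and hit an unknown validator error. Suggest the comment name the gem (and show the Gemfile line) and keep the Marcel remark for what it covers, the content type detection on the blob. The rule text also asks for the file extension to be validated, but the example checks only the content type; either drop that clause from the text or add an extension check so the Correct block matches the rule.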
@@ -0,0 +1,28 @@
1
+ ---
2
+ title: Prevent Log Injection
3
+ impact: MEDIUM
4
+ impactDescription: prevents attackers from corrupting logs or misleading auditors
5
+ tags: security, logging, sanitization
6
+ ---
7
+
8
+ ## Prevent Log Injection
9
+
10
+ Sanitize all user-input data before including it in log files to prevent attackers from injecting newlines or carriage returns.
11
+
12
+ **Incorrect (unsafe logging):**
13
+
14
+ ```ruby
15
+ # Attacker name: "admin\n[INFO] Login successful for admin"
16
+ logger.info "User update attempted by #{params[:user_name]}"
17
+ ```
18
+
19
+ **Correct (sanitized logging):**
20
+
21
+ ```ruby
22
+ # Replace newlines with spaces or use json logger
23
+ sanitized_name = params[:user_name].gsub(/[\n\r]/, " ")
24
+ logger.info "User update attempted by #{sanitized_name}"
25
+ ```
26
+
27
+ **Tools:** Lograge (default Rails JSON logging avoids this)
28
+ ---
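Review bot: the Correct block calls `params[:user_name].gsub(...)` directly, so a request without that parameter raises NoMethodError on nil instead of logging; use `params[:user_name].to_s` first. The pattern `/[\n\r]/` also strips only line terminators, while other control characters (tabs, escape sequences used for terminal colour codes) can still reshape a log line; `gsub(/[[:cntrl:]]/, " ")` covers the whole class. The Tools line says "default Rails JSON logging avoids this", but Rails logs plain text by default; it is Lograge's JSON formatter that escapes newlines, so reword so the default logger is not implied to be safe.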
@@ -0,0 +1,18 @@
1
+ ---
2
+ title: Ensure Synchronized System Time
3
+ impact: LOW
4
+ impactDescription: crucial for log correlation, audit trails, and time-based security tokens
5
+ tags: security, infrastructure, timing
6
+ ---
7
+
8
+ ## Ensure Synchronized System Time
9
+
10
+ Ensure all servers in your environment are synchronized using a network time protocol (NTP). This is critical for authentication tokens (OTP, JWT) and log correlation.
11
+
12
+ **Details:**
13
+ - Configure NTP/Chrony on all production servers.
14
+ - Monitor time synchronization offset.
15
+ - Important for TOTP (MFA) and token expiry checks.
16
+
17
+ **Tools:** NTP, Chrony, CloudWatch Time Sync
18
+ ---
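Review bot: the Details list says to monitor the synchronization offset but gives no bound and no way to read it, so the rule cannot be acted on as written; suggest stating an acceptable drift (TOTP per RFC 6238 uses 30-second steps, so offsets should stay well under that) and naming the check, for example `chronyc tracking` or `timedatectl`. The Tools line lists "CloudWatch Time Sync"; the AWS NTP offering is the Amazon Time Sync Service, so verify the product name. Since this rule has no Incorrect/Correct code block, consider marking it as a manual or infrastructure check so the reader knows it is not something the linter detects in source.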
@@ -0,0 +1,39 @@
1
+ ---
2
+ title: Prevent Server-Side Request Forgery (SSRF)
3
+ impact: HIGH
4
+ impactDescription: prevents attackers from accessing internal resources or services
5
+ tags: security, ssrf, vulnerability, net-http
6
+ ---
7
+
8
+ ## Prevent Server-Side Request Forgery (SSRF)
9
+
10
+ Never allow users to provide the full URL or IP address for your server to fetch. Use an allow-list of domains or a secure proxy.
11
+
12
+ **Incorrect (unvalidated SSRF):**
13
+
14
+ ```ruby
15
+ def fetch_external_report
16
+ # Attacker url: http://localhost:5432 or http://169.254.169.254/metadata
17
+ response = Net::HTTP.get(URI(params[:url]))
18
+ render body: response
19
+ end
20
+ ```
21
+
22
+ **Correct (validated domain):**
23
+
24
+ ```ruby
25
+ ALLOWED_DOMAINS = ['trusted-report-source.com']
26
+
27
+ def fetch_external_report
28
+ uri = URI(params[:url])
29
+ if ALLOWED_DOMAINS.include?(uri.host)
30
+ response = Net::HTTP.get(uri)
31
+ render body: response
32
+ else
33
+ render_403
34
+ end
35
+ end
36
+ ```
37
+
38
+ **Tools:** Brakeman, ssrf_filter gem
39
+ ---
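Review bot: the Correct block validates only `uri.host`, so a URL whose host is allow-listed but whose scheme or port is not (an `ftp://` URL, or an unexpected port on the trusted host) still passes; check `uri.is_a?(URI::HTTPS)` and the port as well. `URI(params[:url])` raises URI::InvalidURIError on malformed input and raises again when the parameter is missing, and neither path reaches `render_403`, so wrap the parse in a rescue that returns the 403. `render_403` is also not a Rails helper and is undefined in the snippet; `head :forbidden` would make the example self-contained. Finally, a host-name allow-list does not cover the allow-listed name resolving to an internal address (DNS rebinding), which is what the ssrf_filter gem named in the Tools line addresses by resolving and checking the IP before connecting; the text could say that this is why the gem is recommended alongside the allow-list.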