getdoorman 1.0.0

package/src/rules/security/dart.js

@@ -0,0 +1,835 @@
+/**
+ * Dart / Flutter Security Rules (SEC-DART-001 through SEC-DART-040)
+ */
+
+const isDart = (f) => f.endsWith('.dart');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build|\.dart_tool)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-DART-001: Insecure HTTP connections
+  {
+    id: 'SEC-DART-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure HTTP Connection',
+    description: 'Using http:// instead of https:// transmits data in plaintext, vulnerable to man-in-the-middle attacks.',
+    fix: { suggestion: 'Use https:// for all network connections.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /['"]http:\/\/(?!localhost|127\.0\.0\.1|10\.|192\.168\.)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-002: Hardcoded API keys
+  {
+    id: 'SEC-DART-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded API Key or Secret',
+    description: 'API keys or secrets hardcoded in Dart code can be extracted from the compiled app.',
+    fix: { suggestion: 'Use --dart-define, environment variables, or a secrets manager instead of hardcoding keys.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:const|final|var)\s+\w*(?:apiKey|api_key|secret|password|token|apiSecret|api_secret)\w*\s*=\s*['"]/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-003: SharedPreferences for sensitive data
+  {
+    id: 'SEC-DART-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sensitive Data in SharedPreferences',
+    description: 'SharedPreferences stores data in plaintext XML/plist files accessible on rooted devices.',
+    fix: { suggestion: 'Use flutter_secure_storage which uses Keychain (iOS) and EncryptedSharedPreferences (Android).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /SharedPreferences.*(?:password|token|secret|apiKey|api_key|credential|auth)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-004: Missing certificate pinning
+  {
+    id: 'SEC-DART-004',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Disabled Certificate Verification',
+    description: 'Setting badCertificateCallback to always return true disables all certificate validation.',
+    fix: { suggestion: 'Implement proper certificate pinning with trusted certificates or use http_certificate_pinning package.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /badCertificateCallback\s*=.*(?:true|=>.*true)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-005: Insecure WebView
+  {
+    id: 'SEC-DART-005',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure WebView Configuration',
+    description: 'JavascriptMode.unrestricted enables JavaScript in WebView without content restrictions.',
+    fix: { suggestion: 'Use JavascriptMode.disabled when JavaScript is not needed, or implement NavigationDelegate to restrict URLs.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /javascriptMode\s*:\s*JavascriptMode\.unrestricted|JavaScriptMode\.unrestricted/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-006: Platform channel injection
+  {
+    id: 'SEC-DART-006',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Platform Channel Without Input Validation',
+    description: 'MethodChannel calls passing user input to native code without validation can lead to injection.',
+    fix: { suggestion: 'Validate and sanitize all data passed through platform channels before processing on the native side.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /MethodChannel\s*\(|\.invokeMethod\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-007: Debug mode check
+  {
+    id: 'SEC-DART-007',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Debug Mode Check Missing or Misused',
+    description: 'kDebugMode or assert-based debug checks may leak sensitive behavior in non-standard builds.',
+    fix: { suggestion: 'Use kReleaseMode for production-only code paths and ensure debug features are properly gated.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /kDebugMode|assert\s*\(.*debug/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-008: SQL injection in sqflite
+  {
+    id: 'SEC-DART-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection in sqflite',
+    description: 'String interpolation in rawQuery/rawInsert/rawUpdate/rawDelete enables SQL injection.',
+    fix: { suggestion: 'Use parameterized queries with ? placeholders and pass values as the second argument.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /raw(?:Query|Insert|Update|Delete)\s*\(\s*['"].*\$/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-009: Insecure random
+  {
+    id: 'SEC-DART-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure Random Number Generation',
+    description: 'dart:math Random() is not cryptographically secure and should not be used for security purposes.',
+    fix: { suggestion: 'Use Random.secure() for cryptographically secure random numbers.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Random\s*\(\s*\)(?!.*secure)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-010: print() with sensitive data
+  {
+    id: 'SEC-DART-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'print() with Sensitive Data in Production',
+    description: 'print() statements remain in release builds and can leak sensitive information in logs.',
+    fix: { suggestion: 'Wrap print() in kDebugMode checks or use a logging framework with log levels.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /print\s*\(.*(?:password|token|secret|key|credential|auth)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-011: Unsafe HTML rendering
+  {
+    id: 'SEC-DART-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe HTML Rendering',
+    description: 'Rendering unsanitized HTML content can lead to XSS in WebView or flutter_html widgets.',
+    fix: { suggestion: 'Sanitize HTML content before rendering. Use allowlists for permitted HTML tags and attributes.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Html\s*\(\s*data\s*:|\.loadUrl.*javascript:|evaluateJavascript\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-012: Insecure deep link handling
+  {
+    id: 'SEC-DART-012',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Insecure Deep Link Handling',
+    description: 'Deep links without proper validation can be exploited to navigate to unintended screens or trigger actions.',
+    fix: { suggestion: 'Validate deep link URIs, require authentication for sensitive routes, and use App Links / Universal Links.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /uni_links|getInitialUri|uriLinkStream|getInitialLink|onGenerateRoute.*Uri\.parse/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-013: Missing encryption for local storage
+  {
+    id: 'SEC-DART-013',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unencrypted Local File Storage',
+    description: 'Writing sensitive data to files without encryption exposes it on rooted/jailbroken devices.',
+    fix: { suggestion: 'Encrypt files using encrypt package or use flutter_secure_storage for sensitive key-value data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /File\s*\(.*\)\.writeAs(?:String|Bytes)|writeAsString.*(?:password|token|secret|key)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-014: Missing authentication checks
+  {
+    id: 'SEC-DART-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing Authentication Check in Route',
+    description: 'Routes or screens accessing sensitive data without authentication guards.',
+    fix: { suggestion: 'Implement route guards or middleware to verify authentication before accessing protected screens.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /MaterialPageRoute|CupertinoPageRoute|GoRoute.*(?:admin|settings|profile|account|payment)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-015: Root/jailbreak detection missing
+  {
+    id: 'SEC-DART-015',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Missing Root/Jailbreak Detection',
+    description: 'Apps handling sensitive data should detect rooted/jailbroken devices and adjust behavior.',
+    fix: { suggestion: 'Use flutter_jailbreak_detection or root_checker packages to detect compromised devices.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /flutter_jailbreak_detection|root_checker|SafeDevice/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-016: Hardcoded Firebase config
+  {
+    id: 'SEC-DART-016',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hardcoded Firebase Configuration',
+    description: 'Firebase API keys and project IDs hardcoded in Dart code instead of using configuration files.',
+    fix: { suggestion: 'Use firebase_options.dart generated by FlutterFire CLI and keep it out of version control.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:const|final)\s+\w*(?:firebaseApiKey|firebase_api_key|messagingSenderId|appId)\w*\s*=\s*['"]/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-017: Insecure WebSocket
+  {
+    id: 'SEC-DART-017',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure WebSocket Connection',
+    description: 'Using ws:// instead of wss:// transmits WebSocket data without encryption.',
+    fix: { suggestion: 'Use wss:// for all WebSocket connections.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /WebSocketChannel\.connect\s*\(\s*['"]ws:\/\//;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-018: Disabled certificate check in HttpClient
+  {
+    id: 'SEC-DART-018',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Disabled Certificate Verification in HttpClient',
+    description: 'Setting SecurityContext with allowLegacyUnsafeRenegotiation disables TLS protections.',
+    fix: { suggestion: 'Remove allowLegacyUnsafeRenegotiation and use proper certificate pinning.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /allowLegacyUnsafeRenegotiation\s*=\s*true/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-019: Eval-like code execution
+  {
+    id: 'SEC-DART-019',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Dynamic Code Execution',
+    description: 'Using dart:mirrors or evaluateJavascript with user input can lead to code injection.',
+    fix: { suggestion: 'Avoid dynamic code execution. Use static analysis and predefined operations instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /dart:mirrors|evaluateJavascript\s*\(|runJavascript\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-020: Insecure clipboard usage
+  {
+    id: 'SEC-DART-020',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Sensitive Data Copied to Clipboard',
+    description: 'Clipboard data is accessible to all apps and may persist across device restarts.',
+    fix: { suggestion: 'Avoid copying sensitive data. If needed, clear clipboard after a timeout using Clipboard.setData.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Clipboard\.setData\s*\(.*(?:password|token|secret|key)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-021: Unvalidated JSON parsing
+  {
+    id: 'SEC-DART-021',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unvalidated JSON Parsing',
+    description: 'jsonDecode without try-catch can crash the app with malformed server responses.',
+    fix: { suggestion: 'Wrap jsonDecode in try-catch and validate the structure of decoded data before use.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /jsonDecode\s*\((?!.*try)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-022: Hardcoded OAuth credentials
+  {
+    id: 'SEC-DART-022',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded OAuth Client Secret',
+    description: 'OAuth client secrets embedded in mobile apps can be extracted and used to impersonate the app.',
+    fix: { suggestion: 'Use PKCE flow for mobile apps which does not require a client secret, or use a backend proxy.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:clientSecret|client_secret)\s*[:=]\s*['"]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-023: Insecure biometric auth
+  {
+    id: 'SEC-DART-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Insecure Biometric Authentication',
+    description: 'local_auth without additional server-side verification can be bypassed on rooted devices.',
+    fix: { suggestion: 'Combine biometric auth with server-side token verification. Do not rely solely on local authentication.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /LocalAuthentication\s*\(\)|authenticate\s*\(\s*localizedReason/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-024: Screenshot/screen recording not prevented
+  {
+    id: 'SEC-DART-024',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Missing Screenshot Prevention',
+    description: 'Sensitive screens without screenshot prevention can be captured by malicious screen recording.',
+    fix: { suggestion: 'Use FLAG_SECURE on Android and UITextField trick on iOS to prevent screenshots of sensitive content.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /FlutterWindowManager|flutter_windowmanager|FLAG_SECURE/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-025: Weak hashing
+  {
+    id: 'SEC-DART-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Hashing Algorithm (MD5/SHA1)',
+    description: 'MD5 and SHA1 are cryptographically broken and should not be used for security.',
+    fix: { suggestion: 'Use SHA-256 or higher from the crypto package (sha256.convert).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /md5\.convert|sha1\.convert|Hmac\s*\(\s*md5|Hmac\s*\(\s*sha1/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-026: Obfuscation missing
+  {
+    id: 'SEC-DART-026',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Missing Code Obfuscation',
+    description: 'Flutter apps without --obfuscate flag can be easily reverse-engineered.',
+    fix: { suggestion: 'Build with --obfuscate --split-debug-info flags for release builds.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /flutter\s+build.*(?:apk|appbundle|ios|ipa)(?!.*obfuscate)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-027: Insecure image caching
+  {
+    id: 'SEC-DART-027',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Insecure Image Cache',
+    description: 'Cached images are stored unencrypted and may contain sensitive information.',
+    fix: { suggestion: 'Use custom cache managers with encryption or clear caches when the app goes to background.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /CachedNetworkImage|cached_network_image/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-028: Insecure process execution
+  {
+    id: 'SEC-DART-028',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Process Execution with User Input',
+    description: 'Process.run or Process.start with unsanitized input can lead to command injection.',
+    fix: { suggestion: 'Avoid passing user input to Process.run. If necessary, use allowlists and strict validation.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Process\.(?:run|start)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-029: Insecure Hive storage
+  {
+    id: 'SEC-DART-029',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unencrypted Hive Box',
+    description: 'Hive boxes without encryption store data in plaintext on the device.',
+    fix: { suggestion: 'Use Hive.openBox with encryptionCipher parameter using HiveAesCipher.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Hive\.openBox\s*[<(](?!.*encryptionCipher)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-030: Dio without interceptors
+  {
+    id: 'SEC-DART-030',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Dio HTTP Client Without Security Interceptors',
+    description: 'Dio without interceptors for auth token refresh and error handling may leak credentials.',
+    fix: { suggestion: 'Add interceptors for authentication, logging sanitization, and error handling.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Dio\s*\(\s*\)|Dio\s*\(\s*BaseOptions/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-031: Insecure deserialization
+  {
+    id: 'SEC-DART-031',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Insecure Deserialization',
+    description: 'Deserializing untrusted data without schema validation can lead to unexpected behavior.',
+    fix: { suggestion: 'Validate JSON structure against a schema before deserialization. Use json_serializable for type safety.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /fromJson\s*\(\s*(?:jsonDecode|json\.decode)\s*\(\s*(?:response|body|data)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-032: Logging interceptor in production
+  {
+    id: 'SEC-DART-032',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Logging Interceptor in Production',
+    description: 'HTTP logging interceptors can log sensitive headers (Authorization) and request bodies.',
+    fix: { suggestion: 'Disable or sanitize LogInterceptor in release builds. Guard with kDebugMode.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /LogInterceptor\s*\(|\.interceptors\.add\s*\(\s*LogInterceptor/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-033: Exported content provider
+  {
+    id: 'SEC-DART-033',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Exposed Android Content Provider',
+    description: 'Exported content providers or broadcast receivers can be accessed by other apps.',
+    fix: { suggestion: 'Set android:exported=false or add permission requirements to restrict access.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /android:exported\s*=\s*"true"/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-034: Missing network security config
+  {
+    id: 'SEC-DART-034',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Network Security Configuration',
+    description: 'Without a network_security_config.xml, Android 9+ blocks cleartext traffic by default but older versions do not.',
+    fix: { suggestion: 'Create res/xml/network_security_config.xml with cleartextTrafficPermitted=false.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /usesCleartextTraffic\s*=\s*"true"|cleartextTrafficPermitted\s*=\s*"true"/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-035: Regex DoS
+  {
+    id: 'SEC-DART-035',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Potential Regex Denial of Service',
+    description: 'Complex regex patterns with nested quantifiers can cause catastrophic backtracking.',
+    fix: { suggestion: 'Simplify regex patterns, add length limits on input, or use timeout for regex operations.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /RegExp\s*\(\s*['"].*(?:\+\+|\*\*|\{\d+,\}.*\{\d+,\})/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-036: Path traversal
+  {
+    id: 'SEC-DART-036',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal Vulnerability',
+    description: 'Using user input in file paths without sanitization allows reading arbitrary files.',
+    fix: { suggestion: 'Canonicalize paths and verify they are within the expected directory. Reject paths containing "..".' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /File\s*\(\s*['"]?\$|Directory\s*\(\s*['"]?\$/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-037: Insecure token storage
+  {
+    id: 'SEC-DART-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Token Stored in Plain Variable',
+    description: 'Storing auth tokens in plain String variables makes them accessible via memory inspection.',
+    fix: { suggestion: 'Store tokens in flutter_secure_storage and clear from memory when not needed.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:static|const|final)\s+String\s+\w*(?:token|jwt|accessToken|refreshToken)\w*\s*=\s*['"]/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-038: Insecure intent handling
+  {
+    id: 'SEC-DART-038',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Insecure Intent/Scheme Handling',
+    description: 'Processing intents or URL schemes without validation can lead to unauthorized actions.',
+    fix: { suggestion: 'Validate and sanitize all data received through intents. Verify the calling package.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /getStringExtra|intent\.data|launch\s*\(\s*Uri\.parse/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-039: Missing timeout on HTTP requests
+  {
+    id: 'SEC-DART-039',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Missing HTTP Request Timeout',
+    description: 'HTTP requests without timeouts can hang indefinitely, leading to resource exhaustion.',
+    fix: { suggestion: 'Set connectTimeout and receiveTimeout on Dio, or use http package with timeout parameter.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /http\.(?:get|post|put|delete|patch)\s*\(\s*Uri\.parse(?!.*timeout)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-DART-040: Debugging enabled in manifest
+  {
+    id: 'SEC-DART-040',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Debugging Enabled in Android Manifest',
+    description: 'android:debuggable=true in release builds allows debugging and memory inspection.',
+    fix: { suggestion: 'Ensure android:debuggable is set to false or removed (defaults to false in release).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /android:debuggable\s*=\s*"true"/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isDart(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;