UNPKG

@sun-asterisk/sunlint

Version:

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint

sun-asterisk/engineer-excellence

57 lines (52 loc) 1.51 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
"use strict"; /** * S018 – Positive Input Validation * OWASP ASVS 5.1.3 * Ensure that all input is validated using positive validation (allow lists). */ module.exports = { meta: { type: "problem", docs: { description: "Ensure input validation uses allow lists (whitelisting), not deny lists (blacklisting) wherever possible.", recommended: true, }, schema: [], messages: { denyList: "Do not use deny lists (blacklisting) for input validation. Use allow lists (whitelisting) instead.", }, }, create(context) { // Detect use of common denylist patterns function isDenyListCheck(node) { // Example: if (input.includes('badword')) { ... } return ( node && node.type === "CallExpression" && node.callee.type === "MemberExpression" && (node.callee.property.name === "includes" || node.callee.property.name === "indexOf") && node.arguments.length && node.arguments[0].type === "Literal" && typeof node.arguments[0].value === "string" ); } return { IfStatement(node) { if ( node.test && ((node.test.type === "UnaryExpression" && isDenyListCheck(node.test.argument)) || (node.test.type === "CallExpression" && isDenyListCheck(node.test))) ) { context.report({ node: node.test, messageId: "denyList", }); } }, }; }, };