npm - @agjs/tsforge - Versions diffs - 0.1.19 → 0.2.1 - Mend

@agjs/tsforge 0.1.19 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/src/rule-packs/security/index.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { TSESLint } from "@typescript-eslint/utils";
+import { catchMustHandleRule } from "./rules/catch-must-handle";
+import { noAuthTokenInStorageRule } from "./rules/no-auth-token-in-storage";
+import { noChildProcessExecRule } from "./rules/no-child-process-exec";
+import { noDynamicRegexpRule } from "./rules/no-dynamic-regexp";
+import { noInnerHtmlAssignmentRule } from "./rules/no-inner-html-assignment";
+import { noSpawnWithShellRule } from "./rules/no-spawn-with-shell";
+import type { IRulePack } from "../rule-packs.types";
+const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>> = {
+  "catch-must-handle": catchMustHandleRule,
+  "no-auth-token-in-storage": noAuthTokenInStorageRule,
+  "no-child-process-exec": noChildProcessExecRule,
+  "no-dynamic-regexp": noDynamicRegexpRule,
+  "no-inner-html-assignment": noInnerHtmlAssignmentRule,
+  "no-spawn-with-shell": noSpawnWithShellRule,
+};
+export const securityPack: IRulePack = {
+  id: "security",
+  description:
+    "Application security guardrails: command injection, ReDoS, DOM XSS, and silent error masking",
+  rules,
+  rulesConfig: {
+    "catch-must-handle": "error",
+    "no-auth-token-in-storage": "error",
+    "no-child-process-exec": "error",
+    "no-dynamic-regexp": "error",
+    "no-inner-html-assignment": "error",
+    "no-spawn-with-shell": "error",
+  },
+};
+export default securityPack;

package/src/rule-packs/security/rules/catch-must-handle.ts ADDED Viewed

@@ -0,0 +1,126 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+import { walkSome } from "../../utils";
+export const RULE_NAME = "catch-must-handle";
+type MessageIds = "silentCatch";
+function isSilentDefaultReturn(node: TSESTree.Node): boolean {
+  if (node.type === AST_NODE_TYPES.ReturnStatement) {
+    const arg = node.argument;
+    if (arg === null) {
+      return true;
+    }
+    if (arg.type === AST_NODE_TYPES.Identifier && arg.name === "undefined") {
+      return true;
+    }
+    if (arg.type === AST_NODE_TYPES.Literal && arg.value === null) {
+      return true;
+    }
+    if (
+      arg.type === AST_NODE_TYPES.ArrayExpression &&
+      arg.elements.length === 0
+    ) {
+      return true;
+    }
+    if (
+      arg.type === AST_NODE_TYPES.ObjectExpression &&
+      arg.properties.length === 0
+    ) {
+      return true;
+    }
+  }
+  return false;
+}
+function catchBodyHandlesError(body: TSESTree.BlockStatement): boolean {
+  if (body.body.length === 0) {
+    return false;
+  }
+  if (
+    walkSome(body, (node) => {
+      if (node.type === AST_NODE_TYPES.ThrowStatement) {
+        return true;
+      }
+      if (node.type !== AST_NODE_TYPES.CallExpression) {
+        return false;
+      }
+      const callee = node.callee;
+      if (callee.type === AST_NODE_TYPES.MemberExpression && !callee.computed) {
+        const object = callee.object;
+        const property = callee.property;
+        if (
+          object.type === AST_NODE_TYPES.Identifier &&
+          object.name === "console" &&
+          property.type === AST_NODE_TYPES.Identifier &&
+          (property.name === "error" || property.name === "warn")
+        ) {
+          return true;
+        }
+        if (
+          object.type === AST_NODE_TYPES.Identifier &&
+          object.name === "logger" &&
+          property.type === AST_NODE_TYPES.Identifier
+        ) {
+          return true;
+        }
+      }
+      return false;
+    })
+  ) {
+    return true;
+  }
+  const onlySilentReturns = body.body.every((stmt) => {
+    if (stmt.type === AST_NODE_TYPES.ReturnStatement) {
+      return isSilentDefaultReturn(stmt);
+    }
+    return false;
+  });
+  return !onlySilentReturns;
+}
+export const catchMustHandleRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Catch blocks must log, rethrow, or propagate errors — not silently return empty defaults on failure.",
+    },
+    schema: [],
+    messages: {
+      silentCatch:
+        "Catch block silently masks failure — log with `logger.error`/`console.warn`, rethrow, or return a typed error result instead of an empty default.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CatchClause(node: TSESTree.CatchClause) {
+        const body = node.body;
+        if (!catchBodyHandlesError(body)) {
+          context.report({ node, messageId: "silentCatch" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/security/rules/no-auth-token-in-storage.ts ADDED Viewed

@@ -0,0 +1,107 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+export const RULE_NAME = "no-auth-token-in-storage";
+type MessageIds = "authTokenInStorage";
+const SENSITIVE_KEY = /(?:token|session|auth|jwt)/i;
+function isBrowserStorageObject(
+  node: TSESTree.Node
+): node is TSESTree.Identifier {
+  return (
+    node.type === AST_NODE_TYPES.Identifier &&
+    (node.name === "localStorage" || node.name === "sessionStorage")
+  );
+}
+function storageMethodName(node: TSESTree.CallExpression): string | null {
+  const callee = node.callee;
+  if (
+    callee.type !== AST_NODE_TYPES.MemberExpression ||
+    callee.computed ||
+    !isBrowserStorageObject(callee.object) ||
+    callee.property.type !== AST_NODE_TYPES.Identifier
+  ) {
+    return null;
+  }
+  const method = callee.property.name;
+  if (method !== "setItem" && method !== "getItem") {
+    return null;
+  }
+  return method;
+}
+function keyLooksSensitive(arg: TSESTree.Expression): boolean {
+  if (arg.type === AST_NODE_TYPES.Literal && typeof arg.value === "string") {
+    return SENSITIVE_KEY.test(arg.value);
+  }
+  if (arg.type === AST_NODE_TYPES.Identifier) {
+    return SENSITIVE_KEY.test(arg.name);
+  }
+  return false;
+}
+export const noAuthTokenInStorageRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow storing or reading auth tokens from localStorage/sessionStorage — use httpOnly cookies instead.",
+    },
+    schema: [],
+    messages: {
+      authTokenInStorage:
+        "Do not store auth tokens in `{{storage}}` — use httpOnly, secure cookies so XSS cannot exfiltrate sessions.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        const method = storageMethodName(node);
+        if (method === null) {
+          return;
+        }
+        const keyArg = node.arguments[0];
+        if (
+          keyArg === undefined ||
+          keyArg.type === AST_NODE_TYPES.SpreadElement ||
+          !keyLooksSensitive(keyArg)
+        ) {
+          return;
+        }
+        const callee = node.callee;
+        if (callee.type !== AST_NODE_TYPES.MemberExpression) {
+          return;
+        }
+        const storageObject = callee.object;
+        if (!isBrowserStorageObject(storageObject)) {
+          return;
+        }
+        context.report({
+          node,
+          messageId: "authTokenInStorage",
+          data: { storage: storageObject.name },
+        });
+      },
+    };
+  },
+});

package/src/rule-packs/security/rules/no-child-process-exec.ts ADDED Viewed

@@ -0,0 +1,72 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+export const RULE_NAME = "no-child-process-exec";
+type MessageIds = "noExec";
+const EXEC_METHODS = new Set(["exec", "execSync"]);
+function isChildProcessExecCall(node: TSESTree.CallExpression): boolean {
+  const callee = node.callee;
+  if (callee.type !== AST_NODE_TYPES.MemberExpression || callee.computed) {
+    return false;
+  }
+  if (callee.property.type !== AST_NODE_TYPES.Identifier) {
+    return false;
+  }
+  if (!EXEC_METHODS.has(callee.property.name)) {
+    return false;
+  }
+  const object = callee.object;
+  if (
+    object.type === AST_NODE_TYPES.Identifier &&
+    (object.name === "child_process" || object.name === "cp")
+  ) {
+    return true;
+  }
+  if (
+    object.type === AST_NODE_TYPES.MemberExpression &&
+    !object.computed &&
+    object.object.type === AST_NODE_TYPES.Identifier &&
+    object.object.name === "child_process" &&
+    object.property.type === AST_NODE_TYPES.Identifier
+  ) {
+    return EXEC_METHODS.has(object.property.name);
+  }
+  return false;
+}
+export const noChildProcessExecRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow child_process.exec/execSync — they run commands in a shell. Use execFile or spawn without shell instead.",
+    },
+    schema: [],
+    messages: {
+      noExec:
+        "Do not use `child_process.exec` or `execSync` — use `execFile`/`spawn` without a shell to avoid command injection.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        if (isChildProcessExecCall(node)) {
+          context.report({ node, messageId: "noExec" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/security/rules/no-dynamic-regexp.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+export const RULE_NAME = "no-dynamic-regexp";
+type MessageIds = "dynamicRegexp";
+function isExpression(node: TSESTree.Node): node is TSESTree.Expression {
+  return node.type !== AST_NODE_TYPES.SpreadElement;
+}
+function isStringLiteral(node: TSESTree.Expression): boolean {
+  return node.type === AST_NODE_TYPES.Literal && typeof node.value === "string";
+}
+export const noDynamicRegexpRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow new RegExp(non-literal) — dynamic patterns enable ReDoS. Use string-literal regexes or a safe engine like re2.",
+    },
+    schema: [],
+    messages: {
+      dynamicRegexp:
+        "Do not construct `RegExp` from a runtime value — use a string-literal pattern or a safe regex library to avoid ReDoS.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      NewExpression(node: TSESTree.NewExpression) {
+        const callee = node.callee;
+        if (
+          callee.type !== AST_NODE_TYPES.Identifier ||
+          callee.name !== "RegExp"
+        ) {
+          return;
+        }
+        const patternArg = node.arguments[0];
+        if (patternArg === undefined || !isExpression(patternArg)) {
+          return;
+        }
+        if (!isStringLiteral(patternArg)) {
+          context.report({ node, messageId: "dynamicRegexp" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/security/rules/no-inner-html-assignment.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+export const RULE_NAME = "no-inner-html-assignment";
+type MessageIds = "innerHtmlAssignment";
+export const noInnerHtmlAssignmentRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow assigning to innerHTML — use textContent/innerText or sanitize with DOMPurify before injecting HTML.",
+    },
+    schema: [],
+    messages: {
+      innerHtmlAssignment:
+        "Do not assign to `.innerHTML` — use `textContent` for plain text or sanitize HTML with DOMPurify first.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      AssignmentExpression(node: TSESTree.AssignmentExpression) {
+        const left = node.left;
+        if (
+          left.type !== AST_NODE_TYPES.MemberExpression ||
+          left.computed ||
+          left.property.type !== AST_NODE_TYPES.Identifier ||
+          left.property.name !== "innerHTML"
+        ) {
+          return;
+        }
+        context.report({ node, messageId: "innerHtmlAssignment" });
+      },
+    };
+  },
+});

package/src/rule-packs/security/rules/no-spawn-with-shell.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+export const RULE_NAME = "no-spawn-with-shell";
+type MessageIds = "spawnWithShell";
+function isExpression(node: TSESTree.Node): node is TSESTree.Expression {
+  return node.type !== AST_NODE_TYPES.SpreadElement;
+}
+function isShellTrue(node: TSESTree.Expression): boolean {
+  if (node.type === AST_NODE_TYPES.Literal && node.value === true) {
+    return true;
+  }
+  return false;
+}
+function optionsEnableShell(optionsArg: TSESTree.Expression): boolean {
+  if (optionsArg.type !== AST_NODE_TYPES.ObjectExpression) {
+    return false;
+  }
+  for (const prop of optionsArg.properties) {
+    if (prop.type !== AST_NODE_TYPES.Property || prop.computed) {
+      continue;
+    }
+    const key = prop.key;
+    if (
+      key.type === AST_NODE_TYPES.Identifier &&
+      key.name === "shell" &&
+      isExpression(prop.value) &&
+      isShellTrue(prop.value)
+    ) {
+      return true;
+    }
+    if (
+      key.type === AST_NODE_TYPES.Literal &&
+      key.value === "shell" &&
+      isExpression(prop.value) &&
+      isShellTrue(prop.value)
+    ) {
+      return true;
+    }
+  }
+  return false;
+}
+function isSpawnCall(node: TSESTree.CallExpression): boolean {
+  const callee = node.callee;
+  if (callee.type === AST_NODE_TYPES.Identifier) {
+    return callee.name === "spawn" || callee.name === "spawnSync";
+  }
+  if (
+    callee.type === AST_NODE_TYPES.MemberExpression &&
+    !callee.computed &&
+    callee.property.type === AST_NODE_TYPES.Identifier &&
+    (callee.property.name === "spawn" || callee.property.name === "spawnSync")
+  ) {
+    return true;
+  }
+  return false;
+}
+export const noSpawnWithShellRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow child_process.spawn/spawnSync with shell: true — shell execution enables command injection.",
+    },
+    schema: [],
+    messages: {
+      spawnWithShell:
+        "Do not pass `{ shell: true }` to `spawn`/`spawnSync` — execute the binary directly with argument arrays instead.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        if (!isSpawnCall(node)) {
+          return;
+        }
+        for (const arg of node.arguments) {
+          if (isExpression(arg) && optionsEnableShell(arg)) {
+            context.report({ node, messageId: "spawnWithShell" });
+            return;
+          }
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/structured-logging/index.ts CHANGED Viewed

@@ -1,11 +1,15 @@
 import type { TSESLint } from "@typescript-eslint/utils";
+import { caughtErrorLogRequiresCauseRule } from "./rules/caught-error-log-requires-cause";
+import { loggerNotConsoleRule } from "./rules/logger-not-console";
 import { maskPiiFieldsRule } from "./rules/mask-pii-fields";
 import { noErrorStringifyRule } from "./rules/no-error-stringify";
 import { requireEventFieldRule } from "./rules/require-event-field";
 import type { IRulePack } from "../rule-packs.types";
 const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>> = {
+  "caught-error-log-requires-cause": caughtErrorLogRequiresCauseRule,
+  "logger-not-console": loggerNotConsoleRule,
   "mask-pii-fields": maskPiiFieldsRule,
   "no-error-stringify": noErrorStringifyRule,
   "require-event-field": requireEventFieldRule,
@@ -17,6 +21,8 @@ export const structuredLoggingPack: IRulePack = {
     "Structured logging best practices: PII masking, error handling, and event field requirements",
   rules,
   rulesConfig: {
+    "caught-error-log-requires-cause": "error",
+    "logger-not-console": "warn",
     "mask-pii-fields": "error",
     "no-error-stringify": "error",
     "require-event-field": "error",