@archpublicwebsite/eslint-config 1.0.15 → 1.0.16

package/README.md

@@ -66,6 +66,8 @@ On install or when you run the setup script manually, the package prepares the c
 - `.hooks/prepare-commit-msg`
 - `.hooks/commit-msg`
 - `.hooks/post-commit`
+- `safe-reinstall.sh` (supports `--check-only` for pre-commit safety checks)
+- `scan-global.sh` (global IOC scanner)
 - `eslint.config.mjs` when one does not already exist
 - `.prettierrc` plugin entry for `prettier-plugin-tailwindcss`
 - `.vscode/settings.json` with ESLint flat-config settings
@@ -181,7 +183,10 @@ Make sure the tarball contains only the intended public files: `eslint.config.mj
   "scripts": {
     "lint": "pnpm lint:fix",
     "lint:check": "turbo run lint",
-    "lint:fix": "((pnpm format || true) && turbo run lint --continue=always -- --fix) || true"
+    "lint:fix": "((pnpm format || true) && turbo run lint --continue=always -- --fix) || true",
+    "precommit": "node node_modules/@archpublicwebsite/eslint-config/tools/git-hooks/pre-commit.mjs",
+    "security:global-scan": "bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/scan-global.sh",
+    "security:safe-check": "bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/safe-reinstall.sh --check-only"
   },
   "lint-staged": {
     "*.{js,ts,tsx,vue}": ["eslint --fix"]
@@ -189,6 +194,19 @@ Make sure the tarball contains only the intended public files: `eslint.config.mj
 }
 ```
 
+Pre-commit now runs in this order:
+
+1. `node tools/security/scan.mjs`
+2. `bash ./safe-reinstall.sh --check-only` (if present)
+3. `bash ./scan-global.sh` (if present)
+4. `pnpm lint-staged`
+
+If you need to skip the global machine scan in CI or emergency situations, set:
+
+```bash
+SKIP_GLOBAL_SCAN=1
+```
+
 ## Verification
 
 After making config changes, validate the package by checking the installed consumer workflow or by running the setup script in a test project.

package/eslint.config.mjs

@@ -36,6 +36,63 @@ export function createArchipelagoConfig(...overrides) {
     // ── Tailwind ──────────────────────────────────────────────────────────────
     ...tailwind.configs['flat/recommended'],
 
+    // ── Security — OWASP / supply-chain hardening ─────────────────────────────
+    // These rules catch patterns that appear in real-world npm supply-chain
+    // attacks (eval payloads, implied eval, script-URL injection, etc.).
+    // They apply to ALL project files.
+    {
+      name: 'archipelago/security',
+      rules: {
+        // Eval family — arbitrary code execution
+        'no-eval': 'error',
+        'no-new-func': 'error',
+        'no-implied-eval': 'error',
+        // javascript: URI as href/src — XSS vector
+        'no-script-url': 'error',
+        // Dangerous globals that accept strings as code
+        'no-restricted-globals': [
+          'error',
+          { name: 'eval', message: 'eval() is a security risk — use a safe alternative' },
+        ],
+      },
+    },
+
+    // ── Extra security for build / config files ───────────────────────────────
+    // Importing child_process, http, https, net, or dns inside a Tailwind /
+    // Vite / PostCSS / ESLint config is always a red flag (supply-chain attack
+    // pattern). The same code is legitimate inside scripts/ — this rule only
+    // targets config file globs.
+    {
+      name: 'archipelago/security-config-files',
+      files: [
+        '**/tailwind.config.*',
+        '**/vite.config.*',
+        '**/nuxt.config.*',
+        '**/webpack.config.*',
+        '**/rollup.config.*',
+        '**/postcss.config.*',
+        '**/babel.config.*',
+        '**/jest.config.*',
+        '**/vitest.config.*',
+        '**/eslint.config.*',
+      ],
+      rules: {
+        'no-restricted-imports': [
+          'error',
+          { name: 'child_process',      message: 'child_process is not allowed in build config files — supply-chain risk' },
+          { name: 'node:child_process', message: 'child_process is not allowed in build config files — supply-chain risk' },
+          { name: 'http',               message: 'http is not allowed in build config files — exfiltration risk' },
+          { name: 'node:http',          message: 'http is not allowed in build config files — exfiltration risk' },
+          { name: 'https',              message: 'https is not allowed in build config files — exfiltration risk' },
+          { name: 'node:https',         message: 'https is not allowed in build config files — exfiltration risk' },
+          { name: 'dns',                message: 'dns is not allowed in build config files — DNS tunnelling risk' },
+          { name: 'node:dns',           message: 'dns is not allowed in build config files — DNS tunnelling risk' },
+          { name: 'net',                message: 'net is not allowed in build config files — reverse-shell risk' },
+          { name: 'node:net',           message: 'net is not allowed in build config files — reverse-shell risk' },
+        ],
+      },
+    },
+
     // ── Canonical rules ───────────────────────────────────────────────────────
     {
       name: 'archipelago/rules',
@@ -90,10 +147,9 @@ export function createArchipelagoConfig(...overrides) {
         'ts/no-empty-object-type': 'off',
         'ts/no-explicit-any': 'warn',
         'ts/no-var-requires': 'warn',
-        'ts/consistent-type-imports': ['error', {
-          prefer: 'type-imports',
-          fixStyle: 'inline-type-imports',
-        }],
+        // Keep disabled globally to avoid parserServices errors on plain JS
+        // config files (tailwind/postcss/vite) during lint-staged runs.
+        'ts/consistent-type-imports': 'off',
 
         // ── Import ordering ──────────────────────────────────────────────────
         'import/order': 'off',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.15",
+  "version": "1.0.16",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",
@@ -29,6 +29,8 @@
     "flat-config",
     "vue",
     "git-hooks",
+    "security",
+    "supply-chain",
     "vscode"
   ],
   "private": false,
@@ -38,6 +40,10 @@
   "scripts": {
     "postinstall": "node ./tools/setup/install.mjs",
     "setup": "node ./tools/setup/install.mjs",
+    "security-scan": "node ./tools/security/scan.mjs",
+    "security:global-scan": "bash ./tools/security/scan-global.sh",
+    "security:safe-check": "bash ./tools/security/safe-reinstall.sh --check-only",
+    "security-test": "node ./tools/security/test-patterns.mjs",
     "prepublishOnly": "npm pack --dry-run",
     "version:patch": "node ../../scripts/bump-version.mjs patch",
     "version:minor": "node ../../scripts/bump-version.mjs minor",

package/tools/git-hooks/pre-commit.mjs

@@ -1,10 +1,40 @@
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { existsSync } from 'node:fs'
 import { hasCommand, run } from './shared.mjs'
 
+const __dirname = dirname(fileURLToPath(import.meta.url))
+const SCAN_SCRIPT = join(__dirname, '../security/scan.mjs')
+
+function runIfExists(scriptPath, command) {
+  if (!existsSync(scriptPath)) {
+    return
+  }
+
+  console.log(`\nRunning ${scriptPath}...`)
+  run(command, { stdio: 'inherit' })
+}
+
 if (!hasCommand('pnpm')) {
   console.error('\nCOMMIT FAILED: pnpm is required but not found.\n')
   process.exit(1)
 }
 
+// ── 1. Security scan — blocks on critical/high findings ───────────────────────
+run(`node "${SCAN_SCRIPT}"`, { stdio: 'inherit' })
+
+// ── 2. Optional shell guards at repo root ─────────────────────────────────────
+// These scripts are auto-generated by setup when missing.
+runIfExists('./safe-reinstall.sh', 'bash ./safe-reinstall.sh --check-only')
+if (process.env.SKIP_GLOBAL_SCAN === '1') {
+  console.log('\nSkipping global IOC scan (SKIP_GLOBAL_SCAN=1).')
+}
+else {
+  runIfExists('./scan-global.sh', 'bash ./scan-global.sh')
+}
+
+// ── 3. Lint-staged — auto-fix & format staged files ───────────────────────────
 console.log('\nRunning lint-staged (auto-fix staged files)...')
 run('pnpm lint-staged', { stdio: 'inherit' })
+
 console.log('\nCOMMIT CHECKS PASSED\n')

package/tools/security/patterns.mjs

@@ -0,0 +1,352 @@
+/**
+ * @archipelago/security-scan — pattern definitions
+ *
+ * Inspired by socket.dev. Every pattern here represents a real-world attack
+ * vector observed in npm supply-chain incidents (event-stream, ua-parser-js,
+ * node-ipc, polyfill.io, XZ Utils, etc.).
+ *
+ * Patterns are kept as non-global RegExp so they can safely be re-tested
+ * across lines without needing to reset `lastIndex`.
+ */
+
+// ─── Source-file patterns ──────────────────────────────────────────────────────
+
+/**
+ * Patterns scanned in every staged .js/.ts/.vue file.
+ *
+ * @type {Array<{
+ *   id: string,
+ *   severity: 'critical'|'high'|'medium',
+ *   message: string,
+ *   regex: RegExp,
+ *   configOnly?: boolean,
+ * }>}
+ */
+export const FILE_PATTERNS = [
+  // ── Arbitrary code execution ───────────────────────────────────────────────
+  {
+    id: 'no-eval',
+    severity: 'critical',
+    message: 'eval() executes arbitrary strings — primary vector for malware delivery',
+    regex: /\beval\s*\(/,
+  },
+  {
+    id: 'no-new-func',
+    severity: 'critical',
+    message: 'new Function() executes arbitrary strings — equivalent to eval()',
+    regex: /\bnew\s+Function\s*\(/,
+  },
+  {
+    id: 'no-implied-eval',
+    severity: 'high',
+    message: 'setTimeout/setInterval with a string argument executes code dynamically',
+    regex: /\b(?:setTimeout|setInterval)\s*\(\s*['"]/,
+  },
+
+  // ── Payload delivery & obfuscation ────────────────────────────────────────
+  {
+    id: 'base64-decode',
+    severity: 'high',
+    message: 'Buffer.from(…, "base64") — frequently used to hide malicious payloads',
+    regex: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\)/,
+  },
+  {
+    id: 'atob-usage',
+    severity: 'medium',
+    message: 'atob() decodes base64 — verify it is not decoding a hidden payload',
+    regex: /\batob\s*\(/,
+  },
+  {
+    id: 'charcode-obfuscation',
+    severity: 'high',
+    message: 'String.fromCharCode sequence — common technique to obfuscate malicious strings',
+    regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){4,}\d+\s*\)/,
+  },
+  {
+    id: 'unicode-bidi-control',
+    severity: 'critical',
+    message: 'Unicode bidi control characters detected — hidden code/trick rendering attack (Trojan Source)',
+    regex: /[\u202A-\u202E\u2066-\u2069]/,
+  },
+  {
+    id: 'zero-width-hidden-char',
+    severity: 'high',
+    message: 'Zero-width/invisible Unicode characters detected — possible hidden payload marker',
+    regex: /[\u200B-\u200D\uFEFF]/,
+  },
+  {
+    id: 'hex-string-obfuscation',
+    severity: 'high',
+    message: 'Dense hex-encoded string — possible obfuscated payload',
+    regex: /['"](?:\\x[0-9a-fA-F]{2}){20,}['"]/,
+  },
+
+  // ── Dangerous imports in build / config context ───────────────────────────
+  // These are legitimate in scripts/ but not in Tailwind/Vite/PostCSS configs.
+  {
+    id: 'child-process-in-config',
+    severity: 'critical',
+    message: 'child_process in build config — potential command-execution backdoor',
+    regex: /require\s*\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/,
+    configOnly: true,
+  },
+  {
+    id: 'http-in-config-require',
+    severity: 'critical',
+    message: 'HTTP/HTTPS module in build config — potential data-exfiltration vector',
+    regex: /require\s*\(\s*['"](?:node:)?https?['"]\s*\)/,
+    configOnly: true,
+  },
+  {
+    id: 'http-in-config-import',
+    severity: 'critical',
+    message: 'HTTP/HTTPS module in build config — potential data-exfiltration vector',
+    regex: /from\s+['"](?:node:)?https?['"]/,
+    configOnly: true,
+  },
+  {
+    id: 'dns-in-config',
+    severity: 'critical',
+    message: 'DNS module in build config — potential exfiltration via DNS tunnelling',
+    regex: /require\s*\(\s*['"](?:node:)?dns['"]\s*\)|from\s+['"](?:node:)?dns['"]/,
+    configOnly: true,
+  },
+  {
+    id: 'net-in-config',
+    severity: 'critical',
+    message: 'net/socket module in build config — potential reverse-shell vector',
+    regex: /require\s*\(\s*['"](?:node:)?net['"]\s*\)|from\s+['"](?:node:)?net['"]/,
+    configOnly: true,
+  },
+
+  // ── Prototype pollution ────────────────────────────────────────────────────
+  {
+    id: 'prototype-pollution',
+    severity: 'high',
+    message: 'Prototype pollution pattern — can escalate to RCE in some server runtimes',
+    regex: /\.__proto__\s*=|Object\.prototype\s*\[|constructor\s*\.\s*prototype\s*\[/,
+  },
+
+  // ── Suspicious dynamic import ──────────────────────────────────────────────
+  {
+    id: 'dynamic-require',
+    severity: 'medium',
+    message: 'require() with a computed/variable path — can load arbitrary modules at runtime',
+    // Only flag when the argument is not a plain string literal
+    regex: /\brequire\s*\(\s*(?!['"` ])[^'"`)]/,
+  },
+
+  // ── Dropper / malware-loader patterns ─────────────────────────────────────
+  // The patterns below are the exact fingerprints of the supply-chain dropper
+  // observed in the wild (event-stream variant, ua-parser-js, polyfill.io, etc.)
+  // where a shuffled-string decoder bootstraps a dynamic Function() call.
+
+  {
+    id: 'require-global-hijack',
+    severity: 'critical',
+    message: 'global[...] = require — dropper technique to expose require() as a global for later payload use',
+    // Matches both:  global['x'] = require   AND   global[arr[0]] = require
+    regex: /global\s*\[.*?\]\s*=\s*require\b/,
+  },
+  {
+    id: 'shuffle-cipher-iife',
+    severity: 'critical',
+    message: 'Shuffle-cipher IIFE — RC4-variant string decoder used to hide payload strings (seen in event-stream attack)',
+    // Matches: (function(l,e){ ... })("...", number)  — the typical 2-arg encoded-string bootstrapper
+    // [\s\S] instead of [^}] so the body can contain nested {}
+    regex: /\(function\s*\(\w\s*,\s*\w\)[\s\S]{20,}?\}\)\s*\(\s*["'][^"']{4,}["']\s*,\s*\d{4,}\s*\)/,
+  },
+  {
+    id: 'obfuscated-variable-names',
+    severity: 'high',
+    message: 'Obfuscator-generated variable names (_$_XXXX pattern) — strong indicator of minified malware',
+    // Matches: _$_XXXX  where XXXX is 3+ hex/alphanumeric chars
+    regex: /\b_\$_[0-9a-fA-F]{3,}\b/,
+  },
+  {
+    id: 'long-encoded-string',
+    severity: 'high',
+    message: 'Extremely long encoded string literal (>400 chars) — characteristic of embedded payload delivery',
+    // This is checked by the line-length scanner, not regex; placeholder regex below
+    // triggers on strings containing many mixed chars that indicate base64/shuffled encoding
+    regex: /['"][A-Za-z0-9+/=\\]{400,}['"]/,
+  },
+  {
+    id: 'array-fn-call-chain',
+    severity: 'critical',
+    message: 'Decoded-array Function invocation chain — dropper pattern: fn(a,b); result(number)',
+    // Matches the dropper execution tail: jFD(LQI, pYd); Tgw(2509)
+    // i.e. a 2-arg call followed immediately by a 1-numeric-arg call on the result variable
+    regex: /\w+\s*\(\s*\w+\s*,\s*\w+\s*\)\s*;\s*\w+\s*\(\s*\d{3,}\s*\)/,
+  },
+  {
+    id: 'function-constructor-via-array',
+    severity: 'critical',
+    message: 'Function constructor accessed via decoded array — used to run hidden payload without calling new Function() directly',
+    // Generalised: identifier assigned from decoded array accessor, then invoked.
+    regex: /=\s*\w+\s*\[\s*\w+\s*\]\s*;.{0,80}\w+\s*\(\s*\w+\s*,\s*\w+\s*\(\s*\w+\s*\)\s*\)/,
+  },
+  {
+    id: 'global-bracket-assignment-index',
+    severity: 'high',
+    message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
+    regex: /global\s*\[\s*[\w$]+\s*\[\s*\d+\s*\]\s*\]\s*=/,
+  },
+  {
+    id: 'global-bracket-assignment-string',
+    severity: 'high',
+    message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
+    regex: /global\s*\[\s*['"][^'"]{1,40}['"]\s*\]\s*=/,
+  },
+  {
+    id: 'global-bracket-assignment-var',
+    severity: 'high',
+    message: 'global[variable] assignment — indirect global mutation used to smuggle require/module references',
+    regex: /global\s*\[\s*[\w$]+\s*\]\s*=/,
+  },
+  {
+    id: 'module-global-hijack',
+    severity: 'critical',
+    message: 'global[...] = module — dropper technique to expose Node module reference as a global',
+    regex: /global\s*\[.*?\]\s*=\s*module\b/,
+  },
+  {
+    id: 'define-property-backdoor-getter',
+    severity: 'critical',
+    message: 'Object.defineProperty used to define hidden getter/setter/value with dynamic execution — potential backdoor',
+    regex: /Object\.defineProperty\s*\([^)]*\b(?:get|set)\s*:\s*(?:function|\([^)]*\)\s*=>)/,
+  },
+  {
+    id: 'define-property-backdoor-value',
+    severity: 'critical',
+    message: 'Object.defineProperty used to define hidden getter/setter/value with dynamic execution — potential backdoor',
+    regex: /Object\.defineProperty\s*\([^)]*\bvalue\s*:\s*(?:eval\s*\(|new\s+Function\s*\(|require\s*\()/,
+  },
+]
+
+// ─── Install-script patterns ───────────────────────────────────────────────────
+
+/**
+ * Patterns scanned in node_modules package install scripts
+ * (preinstall / install / postinstall).
+ *
+ * @type {Array<{id: string, severity: 'critical'|'high'|'medium', message: string, regex: RegExp}>}
+ */
+export const INSTALL_SCRIPT_PATTERNS = [
+  {
+    id: 'install-curl-wget',
+    severity: 'critical',
+    message: 'Install script downloads files from the internet via curl/wget',
+    regex: /\bcurl\b|\bwget\b/,
+  },
+  {
+    id: 'install-net-request',
+    severity: 'critical',
+    message: 'Install script makes HTTP requests at install time',
+    regex: /require\s*\(\s*['"]https?['"]\s*\)|\.get\s*\(\s*['"]https?:\/\//,
+  },
+  {
+    id: 'install-base64-exec',
+    severity: 'critical',
+    message: 'Install script decodes base64 content — hidden payload delivery pattern',
+    regex: /Buffer\.from[^)]*base64|atob\s*\(/,
+  },
+  {
+    id: 'install-eval',
+    severity: 'critical',
+    message: 'Install script calls eval() — arbitrary code execution at install time',
+    regex: /\beval\s*\(/,
+  },
+  {
+    id: 'install-env-credential',
+    severity: 'high',
+    message: 'Install script reads credential/secret environment variables',
+    regex: /process\.env\.(?:AWS_|GITHUB_TOKEN|NPM_TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY|TOKEN)/i,
+  },
+  {
+    id: 'install-system-path',
+    severity: 'critical',
+    message: 'Install script writes to system paths — possible persistence mechanism',
+    regex: /\/etc\/|\/usr\/(?:bin|local)|C:\\Windows\\|\.ssh\//,
+  },
+  {
+    id: 'install-exec-shell',
+    severity: 'high',
+    message: 'Install script spawns child processes via child_process',
+    regex: /\bexecSync\s*\(|\bspawnSync\s*\(|\bexec\s*\(\s*['"]/,
+  },
+  {
+    id: 'install-hex-obfuscation',
+    severity: 'high',
+    message: 'Install script contains dense hex-encoded strings — possible obfuscated payload',
+    regex: /(?:\\x[0-9a-fA-F]{2}){20,}/,
+  },
+]
+
+// ─── Config file name detection ────────────────────────────────────────────────
+
+/**
+ * File paths that match these patterns receive stricter scanning
+ * (configOnly patterns apply).
+ */
+export const CONFIG_FILE_PATTERNS = [
+  /(?:^|\/)tailwind\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)vite\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)nuxt\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)webpack\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)rollup\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)postcss\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)babel\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)jest\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)vitest\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)eslint\.config\.[cm]?[jt]s$/,
+  /(?:^|\/)\.[a-z]+rc\.[cm]?[jt]s$/,
+]
+
+// ─── Extension allow-list ──────────────────────────────────────────────────────
+
+/** Source file extensions to include in the scan. */
+export const SCAN_EXTENSIONS = new Set([
+  '.js',
+  '.mjs',
+  '.cjs',
+  '.ts',
+  '.mts',
+  '.cts',
+  '.vue',
+])
+
+// ─── Typosquatting reference list ──────────────────────────────────────────────
+
+/**
+ * Popular npm packages commonly targeted by typosquatting attacks.
+ * A newly added package within Levenshtein distance 1 of any entry will be flagged.
+ */
+export const POPULAR_PACKAGES = [
+  // Frameworks & meta-frameworks
+  'react', 'vue', 'svelte', 'angular', 'next', 'nuxt', 'remix', 'astro',
+  // Build tools
+  'vite', 'webpack', 'rollup', 'parcel', 'esbuild', 'turbopack',
+  // Styling
+  'tailwindcss', 'postcss', 'autoprefixer', 'sass', 'less',
+  // Utility libraries
+  'lodash', 'axios', 'dayjs', 'moment', 'date-fns', 'zod', 'yup',
+  // State management
+  'pinia', 'vuex', 'redux', 'mobx', 'zustand', 'jotai',
+  // Routing
+  'react-router', 'vue-router',
+  // Testing
+  'vitest', 'jest', 'mocha', 'chai', 'playwright', 'cypress',
+  // TypeScript
+  'typescript', 'ts-node', 'tsx',
+  // Linting
+  'eslint', 'prettier', 'stylelint',
+  // Security / auth
+  'bcrypt', 'jsonwebtoken', 'passport', 'helmet', 'cors',
+  // Database
+  'prisma', 'sequelize', 'mongoose', 'typeorm', 'knex', 'drizzle-orm',
+  // Node utilities
+  'express', 'fastify', 'koa', 'hapi', 'socket.io', 'ws', 'nodemailer',
+  // Package tooling
+  'pnpm', 'yarn', 'npm',
+]