@archpublicwebsite/eslint-config 1.0.18 → 1.0.20

package/eslint.config.mjs

@@ -37,23 +37,108 @@ export function createArchipelagoConfig(...overrides) {
     ...tailwind.configs['flat/recommended'],
 
     // ── Security — OWASP / supply-chain hardening ─────────────────────────────
-    // These rules catch patterns that appear in real-world npm supply-chain
-    // attacks (eval payloads, implied eval, script-URL injection, etc.).
-    // They apply to ALL project files.
+    // Covers: A01 Broken Access Control, A02 Cryptographic Failures,
+    //         A03 Injection (XSS, eval, prototype pollution),
+    //         A08 Software and Data Integrity Failures (supply-chain).
+    // Risk taxonomy: packages/eslint-config/tools/security/risks.mjs
+    // Pre-commit pattern scanner: tools/security/scan.mjs
+    // These rules apply to ALL project files.
     {
       name: 'archipelago/security',
       rules: {
-        // Eval family — arbitrary code execution
+        // ── A03: Injection — arbitrary code execution ─────────────────────────
+        // eval() / new Function() / setTimeout("string") allow an attacker to
+        // execute arbitrary code. Primary dropper entry-points in supply-chain
+        // attacks (event-stream, polyfill.io, etc.).
         'no-eval': 'error',
         'no-new-func': 'error',
         'no-implied-eval': 'error',
-        // javascript: URI as href/src — XSS vector
+
+        // ── A03: Injection — XSS via javascript: URI ──────────────────────────
+        // javascript: in href/src executes in the page's origin context — XSS.
         'no-script-url': 'error',
-        // Dangerous globals that accept strings as code
+
+        // ── A03: Injection — prototype pollution ──────────────────────────────
+        // __proto__ / Object.prototype assignment poisons all objects and can
+        // escalate to RCE in some server-side Node.js frameworks.
+        'no-prototype-builtins': 'error',
+
+        // ── A03: Injection — DOM XSS sinks ───────────────────────────────────
+        // innerHTML / outerHTML / insertAdjacentHTML / document.write let
+        // unescaped strings execute as HTML/script in the browser.
+        // Use textContent, innerText, or a trusted sanitiser (DOMPurify) instead.
+        'no-restricted-syntax': [
+          'error',
+          // innerHTML / outerHTML assignment
+          {
+            selector: 'AssignmentExpression[left.property.name=/^(inner|outer)HTML$/]',
+            message:
+              '[security/xss] innerHTML/outerHTML is a DOM XSS sink — use textContent or sanitise with DOMPurify',
+          },
+          // insertAdjacentHTML()
+          {
+            selector: 'CallExpression[callee.property.name="insertAdjacentHTML"]',
+            message:
+              '[security/xss] insertAdjacentHTML() is a DOM XSS sink — use insertAdjacentText() or sanitise first',
+          },
+          // document.write / document.writeln
+          {
+            selector:
+              'CallExpression[callee.object.name="document"][callee.property.name=/^write(ln)?$/]',
+            message:
+              '[security/xss] document.write() is deprecated and a direct XSS sink — remove it',
+          },
+          // Object.__proto__ assignment (belt-and-suspenders with no-prototype-builtins)
+          {
+            selector: 'AssignmentExpression[left.property.name="__proto__"]',
+            message:
+              '[security/prototype-pollution] __proto__ assignment pollutes all objects — use Object.create(null) or Object.assign()',
+          },
+        ],
+
+        // ── A08: Supply-chain — dangerous globals ─────────────────────────────
         'no-restricted-globals': [
           'error',
-          { name: 'eval', message: 'eval() is a security risk — use a safe alternative' },
+          {
+            name: 'eval',
+            message: '[security/rce] eval() is a security risk — use a safe alternative',
+          },
+          {
+            name: 'isFinite',
+            message: 'Use Number.isFinite() instead of the global isFinite()',
+          },
+          {
+            name: 'isNaN',
+            message: 'Use Number.isNaN() instead of the global isNaN()',
+          },
         ],
+
+        // ── A02: Cryptographic failures — weak algorithms ─────────────────────
+        // MD5 and SHA-1 are cryptographically broken.
+        'no-restricted-imports': [
+          'error',
+          {
+            name: 'md5',
+            message: '[security/crypto] MD5 is cryptographically broken — use SHA-256 or better',
+          },
+          {
+            name: 'sha1',
+            message: '[security/crypto] SHA-1 is cryptographically broken — use SHA-256 or better',
+          },
+        ],
+      },
+    },
+
+    // ── Security — Vue-specific XSS hardening ─────────────────────────────────
+    // v-html renders raw HTML without escaping. If the bound value contains
+    // user-controlled content it is a direct XSS sink.
+    // Warn (not error): v-html is legitimate for trusted CMS content, but every
+    // usage must be explicitly reviewed.
+    {
+      name: 'archipelago/security-vue',
+      files: ['**/*.vue'],
+      rules: {
+        'vue/no-v-html': 'warn',
       },
     },
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.18",
+  "version": "1.0.20",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",

package/tools/git-hooks/pre-push.mjs

@@ -0,0 +1,235 @@
+#!/usr/bin/env node
+/**
+ * @archipelago/pre-push
+ *
+ * Full-branch security gate — runs before code leaves the local machine.
+ * Stricter than the pre-commit scanner: operates over ALL committed JS/TS/Vue
+ * files in the push range and checks all package.json deps for known CVEs
+ * and typosquatting.
+ *
+ * ┌────────────────────────────────────────────────────────┐
+ * │  What is checked                                       │
+ * │  1. All .js/.ts/.vue files in the push range against   │
+ * │     all FILE_PATTERNS (eval, XSS, secrets, SSRF, …)   │
+ * │  2. pnpm audit --audit-level=high (CVE scan)           │
+ * │  3. Typosquatting check on all package.json deps       │
+ * └────────────────────────────────────────────────────────┘
+ *
+ * Environment flags:
+ *   SKIP_SECURITY_SCAN=1   Bypass all checks (logged loudly to stderr)
+ *   SKIP_PUSH_AUDIT=1      Skip the pnpm audit step only
+ *
+ * Git push stdin lines: <local-ref> <local-sha1> <remote-ref> <remote-sha1>
+ */
+
+import { existsSync, readFileSync } from 'node:fs'
+import { extname, join } from 'node:path'
+import { SCAN_EXTENSIONS } from '../security/patterns.mjs'
+import { partitionFindings, sortFindings } from '../security/risks.mjs'
+import {
+  BOLD,
+  DIM,
+  GRN,
+  R,
+  YLW,
+  collectObfuscatedLineFindings,
+  collectPatternFindings,
+  detectTyposquat,
+  isConfigFile,
+  printFileFinding,
+  printScanFooter,
+  printScanHeader,
+  printSupplyFinding,
+  shouldSkip,
+} from '../security/scanner.mjs'
+import { getRepoRoot, runSafe } from './shared.mjs'
+
+// ─── Parse git push stdin refs ─────────────────────────────────────────────────
+
+const ZERO_SHA = '0000000000000000000000000000000000000000'
+
+/**
+ * Parse git push stdin lines and return push ranges.
+ * @returns {{ localSha: string, remoteSha: string }[]}
+ */
+function parsePushRefs() {
+  let stdin = ''
+  try { stdin = readFileSync('/dev/stdin', 'utf8') }
+  catch { return [] }
+
+  return stdin.trim().split('\n').filter(Boolean).map((line) => {
+    const parts = line.trim().split(/\s+/)
+    return { localSha: parts[1] ?? '', remoteSha: parts[3] ?? ZERO_SHA }
+  }).filter(({ localSha }) => localSha && localSha !== ZERO_SHA)
+}
+
+// ─── Collect files in push range ───────────────────────────────────────────────
+
+/**
+ * @param {{ localSha: string, remoteSha: string }[]} refs
+ * @returns {string[]}
+ */
+function collectPushFiles(refs) {
+  const seen = new Set()
+  for (const { localSha, remoteSha } of refs) {
+    const range = remoteSha === ZERO_SHA ? localSha : `${remoteSha}..${localSha}`
+    const output = runSafe(`git diff-tree --no-commit-id --name-only -r ${range}`)
+    if (!output) continue
+    for (const f of output.split('\n').filter(Boolean)) {
+      if (SCAN_EXTENSIONS.has(extname(f))) seen.add(f)
+    }
+  }
+  return [...seen]
+}
+
+// ─── Scan committed files ──────────────────────────────────────────────────────
+
+/**
+ * @param {string[]} files
+ * @param {string}   repoRoot
+ * @returns {import('../security/scanner.mjs').FileFinding[]}
+ */
+function scanFiles(files, repoRoot) {
+  if (files.length === 0) return []
+
+  process.stdout.write(`\nScanning ${files.length} file(s) in push range...\n`)
+
+  const findings = []
+  let skipped = 0
+
+  for (const filePath of files) {
+    if (shouldSkip(filePath)) { skipped++; continue }
+
+    const content = runSafe(`git show "HEAD:${filePath}"`)
+      || (() => {
+        const abs = join(repoRoot, filePath)
+        return existsSync(abs) ? readFileSync(abs, 'utf8') : ''
+      })()
+
+    if (!content) continue
+
+    const lines = content.split('\n')
+    findings.push(
+      ...collectPatternFindings(lines, isConfigFile(filePath), filePath),
+      ...collectObfuscatedLineFindings(lines, filePath),
+    )
+  }
+
+  if (skipped > 0) {
+    process.stdout.write(`Skipped ${skipped} self-referential file(s).\n`)
+  }
+
+  return findings
+}
+
+// ─── Dependency checks ─────────────────────────────────────────────────────────
+
+/**
+ * Scan all package.json deps in the repo root for typosquatted names.
+ * @param {string} repoRoot
+ */
+function scanDependencies(repoRoot) {
+  const pkgJsonPath = join(repoRoot, 'package.json')
+  if (!existsSync(pkgJsonPath)) return []
+
+  let pkg
+  try { pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) }
+  catch { return [] }
+
+  const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']
+  return depFields.flatMap((field) => {
+    const deps = pkg[field]
+    if (!deps || typeof deps !== 'object') return []
+    return Object.keys(deps).flatMap((name) => {
+      const similar = detectTyposquat(name)
+      return similar
+        ? [{
+            pkg: name,
+            patternId: 'typosquat',
+            severity: 'high',
+            message: `Possible typosquat of "${similar}" in ${field} — verify the package name`,
+            lineContent: `"${name}" is 1 edit away from "${similar}"`,
+            category: 'supply-chain',
+          }]
+        : []
+    })
+  })
+}
+
+/**
+ * Run pnpm audit and surface a single finding if vulnerabilities are detected.
+ * @returns {object[]}
+ */
+function runAudit() {
+  if (process.env.SKIP_PUSH_AUDIT === '1') {
+    process.stdout.write(`${DIM}Skipping pnpm audit (SKIP_PUSH_AUDIT=1)${R}\n`)
+    return []
+  }
+
+  process.stdout.write(`\nRunning pnpm audit --audit-level=high...\n`)
+  const result = runSafe('pnpm audit --audit-level=high 2>&1')
+  if (!result) return []
+
+  const lines = result.split('\n').filter(Boolean)
+  const hasVulns = /vulnerabilit(?:y|ies)|moderate|high|critical/i.test(result)
+
+  if (hasVulns) {
+    console.log(`\n${BOLD}pnpm audit output:${R}`)
+    console.log(`${DIM}${result}${R}`)
+    return [{
+      pkg: 'pnpm-audit',
+      patternId: 'known-cve',
+      severity: 'high',
+      message: `pnpm audit detected known CVEs — run 'pnpm audit --fix' or pin safe versions`,
+      lineContent: lines.find(l => /vulnerabilit/i.test(l)) ?? result.slice(0, 120),
+      category: 'supply-chain',
+    }]
+  }
+
+  process.stdout.write(`${GRN}pnpm audit: no known vulnerabilities found.${R}\n`)
+  return []
+}
+
+// ─── Entry point ───────────────────────────────────────────────────────────────
+
+function main() {
+  if (process.env.SKIP_SECURITY_SCAN === '1') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — pre-push security checks bypassed.${R}\n`
+      + `${YLW}   This bypass is intentional and has been logged.${R}\n\n`,
+    )
+    return
+  }
+
+  const repoRoot = getRepoRoot()
+  const refs = parsePushRefs()
+
+  printScanHeader('@archipelago/pre-push', 'full-branch security gate')
+
+  const files = refs.length > 0
+    ? collectPushFiles(refs)
+    : (runSafe('git diff-tree --no-commit-id --name-only -r HEAD') || '')
+        .split('\n')
+        .filter(f => SCAN_EXTENSIONS.has(extname(f)))
+
+  const fileFindings  = scanFiles(files, repoRoot)
+  const depsFindings  = scanDependencies(repoRoot)
+  const auditFindings = runAudit()
+
+  const allFindings = sortFindings([...fileFindings, ...depsFindings, ...auditFindings])
+  const { blocking, warnings } = partitionFindings(allFindings)
+
+  if (fileFindings.length > 0) {
+    console.log(`\n${BOLD}Source-file findings:${R}`)
+    fileFindings.forEach(printFileFinding)
+  }
+
+  if (depsFindings.length > 0 || auditFindings.length > 0) {
+    console.log(`\n${BOLD}Dependency findings:${R}`)
+    ;[...depsFindings, ...auditFindings].forEach(printSupplyFinding)
+  }
+
+  printScanFooter(blocking, warnings, 'PUSH BLOCKED', 'SKIP_SECURITY_SCAN=1 git push …')
+}
+
+main()

package/tools/git-hooks/verify-commit-message.mjs

@@ -1,9 +1,15 @@
 import { readFileSync } from 'node:fs'
 
+const COMMIT_RE = /^(revert: )?(feat|fix|docs|refactor|perf|test|build|ci|chore|style|types|workflow|release|deps)(\([a-z0-9-]+\))?: \S.*$/
+const RELEASE_RE = /^v\d/
+
+const EXAMPLES = [
+  "feat: add 'comments' option",
+  'fix: handle events on blur (close #28)',
+]
+
 export function isValidCommitMessage(message) {
-  const releaseRE = /^v\d/
-  const commitRE = /^(revert: )?(feat|fix|docs|refactor|perf|test|build|ci|chore|style|types|workflow|release|deps)(\([a-z0-9-]+\))?: \S.*$/
-  return releaseRE.test(message) || commitRE.test(message)
+  return RELEASE_RE.test(message) || COMMIT_RE.test(message)
 }
 
 function getCommitSubject(rawMessage) {
@@ -13,36 +19,49 @@ function getCommitSubject(rawMessage) {
     .find(line => line && !line.startsWith('#')) || ''
 }
 
-function isSkippableCommitSubject(subject) {
-  return !subject || subject.startsWith('Merge ') || subject.startsWith('fixup! ') || subject.startsWith('squash! ')
+function isSkippableSubject(subject) {
+  return !subject
+    || subject.startsWith('Merge ')
+    || subject.startsWith('fixup! ')
+    || subject.startsWith('squash! ')
 }
 
+/**
+ * Verify a commit message file against the conventional-commit format.
+ *
+ * Behaviour is controlled by the environment:
+ *   - Default (no env var): warn to stderr but never block the commit.
+ *   - ARCHI_STRICT_COMMIT_MSG=1: enforce the format and call process.exit(1)
+ *     on an invalid message so CI or git hooks can block the commit.
+ *   - STRICT_COMMIT_MSG=1: alias for ARCHI_STRICT_COMMIT_MSG.
+ *
+ * @param {string} messageFilePath  Path to the COMMIT_EDITMSG file.
+ */
 export function verifyCommitMessageFile(messageFilePath) {
   const rawMessage = readFileSync(messageFilePath, 'utf-8')
   const subject = getCommitSubject(rawMessage)
 
-  if (isSkippableCommitSubject(subject))
-    return
+  if (isSkippableSubject(subject)) return
+  if (isValidCommitMessage(subject)) return
 
-  if (isValidCommitMessage(subject))
-    return
+  const isStrict = process.env.ARCHI_STRICT_COMMIT_MSG === '1'
+    || process.env.STRICT_COMMIT_MSG === '1'
 
-  const examples = [
-    "feat: add 'comments' option",
-    'fix: handle events on blur (close #28)',
-  ]
+  const prefix = isStrict ? '\nERROR' : '\nSUGGESTION'
+  const suffix = isStrict ? 'See README.md for details.\n' : 'See README.md (Auto commit message flow) for details.\n'
 
-  console.warn('\nSUGGESTION: conventional commit format is recommended.\n')
+  console.warn(`${prefix}: commit message does not follow conventional-commit format.\n`)
   console.warn('Required format: <type>(optional-scope): <description>')
   console.warn('Suggested subject length: around 100 characters\n')
   console.warn('Examples:')
-  examples.forEach(example => console.warn(`  - ${example}`))
-  console.warn('\nSee README.md (Auto commit message flow) for details.\n')
+  EXAMPLES.forEach(example => console.warn(`  - ${example}`))
+  console.warn(`\n${suffix}`)
+
+  if (isStrict) process.exit(1)
 }
 
 if (import.meta.url === `file://${process.argv[1]}`) {
   const messageFilePath = process.argv[2]
-  if (!messageFilePath)
-    process.exit(0)
+  if (!messageFilePath) process.exit(0)
   verifyCommitMessageFile(messageFilePath)
 }