@fjall/eslint-plugin 2.18.1

package/mask-before-truncate.js

@@ -0,0 +1,154 @@
+/**
+ * ESLint Rule: mask-before-truncate
+ *
+ * Flags `maskSensitiveOutput(<expr-with-truncation>)` where the truncation
+ * happens INSIDE the mask call. Truncating before masking can slice a
+ * credential mid-token and break the masking regex's anchors — a 30-char
+ * remnant of a 40-char AWS secret will not match `{40,}` and lands unmasked.
+ *
+ * Canonical bad shape:
+ *   maskSensitiveOutput(raw.slice(0, 500) + "...")
+ *   maskSensitiveOutput(raw.length > 500 ? raw.slice(0, 500) + "..." : raw)
+ *
+ * Canonical good shape (slice OUTSIDE mask, anchors intact):
+ *   const masked = maskSensitiveOutput(raw);
+ *   const bounded = masked.length > 500 ? masked.slice(0, 500) + "..." : masked;
+ *
+ * Per .claude/rules/security-standards.md § "Mask Before You Truncate".
+ * Recurrence-driven mechanisation (3 surfaces across 2 review passes:
+ * 14th-pass FjallApiClientErrors `maskAndBound` + 25th-pass ImportService × 2
+ * — pre-mask sites; the post-fix shape uses slice OUTSIDE the mask call).
+ */
+
+const TRUNCATION_SUFFIX_RE = /\.\.\.|…|\[truncated\]|\[…\]/;
+const TRUNCATING_METHODS = new Set(["slice", "substring", "substr"]);
+
+/**
+ * Returns true iff `node` is a `.slice(...)` / `.substring(...)` /
+ * `.substr(...)` call with a numeric-literal start index. Single-arg
+ * `.slice(N)` (skip-prefix) is excluded — only multi-arg or zero-start
+ * forms count as truncation candidates.
+ */
+function isTruncatingSliceCall(node) {
+  if (!node || node.type !== "CallExpression") return false;
+  if (node.callee.type !== "MemberExpression") return false;
+  if (node.callee.computed) return false;
+  if (node.callee.property.type !== "Identifier") return false;
+  if (!TRUNCATING_METHODS.has(node.callee.property.name)) return false;
+  if (node.arguments.length === 0) return false;
+
+  const firstArg = node.arguments[0];
+  if (
+    firstArg.type === "Literal" &&
+    typeof firstArg.value === "number" &&
+    firstArg.value === 0 &&
+    node.arguments.length >= 2
+  ) {
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Returns true iff `node` is a string literal containing a truncation
+ * suffix marker (`...`, `…`, `[truncated]`).
+ */
+function isTruncationSuffixLiteral(node) {
+  return (
+    node &&
+    node.type === "Literal" &&
+    typeof node.value === "string" &&
+    TRUNCATION_SUFFIX_RE.test(node.value)
+  );
+}
+
+/**
+ * Walk the argument tree of a `maskSensitiveOutput(...)` call and find
+ * the first `<slice-call> + <truncation-suffix>` BinaryExpression. Recurses
+ * into common nesting nodes (ternaries, logical chains, template literal
+ * expressions) but stops at function-call boundaries (don't peek inside
+ * helper calls — those are someone else's discipline).
+ */
+function findTruncationPattern(node, visited = new Set()) {
+  if (!node) return null;
+  if (visited.has(node)) return null;
+  visited.add(node);
+
+  if (node.type === "BinaryExpression" && node.operator === "+") {
+    const left = node.left;
+    const right = node.right;
+    if (
+      (isTruncatingSliceCall(left) && isTruncationSuffixLiteral(right)) ||
+      (isTruncatingSliceCall(right) && isTruncationSuffixLiteral(left))
+    ) {
+      return node;
+    }
+    return (
+      findTruncationPattern(left, visited) ||
+      findTruncationPattern(right, visited)
+    );
+  }
+
+  if (node.type === "ConditionalExpression") {
+    return (
+      findTruncationPattern(node.consequent, visited) ||
+      findTruncationPattern(node.alternate, visited)
+    );
+  }
+
+  if (node.type === "LogicalExpression") {
+    return (
+      findTruncationPattern(node.left, visited) ||
+      findTruncationPattern(node.right, visited)
+    );
+  }
+
+  if (node.type === "TemplateLiteral") {
+    for (const expr of node.expressions) {
+      const found = findTruncationPattern(expr, visited);
+      if (found) return found;
+    }
+  }
+
+  return null;
+}
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow truncation INSIDE maskSensitiveOutput(...) calls — mask first, then slice the masked output.",
+      category: "Possible Errors",
+      recommended: true
+    },
+    messages: {
+      truncateBeforeMask:
+        'Truncation inside maskSensitiveOutput(...) — slicing before masking can cut a credential mid-token and break the masking regex. Mask first, then slice: `const masked = maskSensitiveOutput(raw); const bounded = masked.length > N ? masked.slice(0, N) + "…" : masked;`'
+    },
+    schema: []
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (
+          node.callee.type !== "Identifier" ||
+          node.callee.name !== "maskSensitiveOutput"
+        ) {
+          return;
+        }
+        if (node.arguments.length !== 1) return;
+
+        const truncation = findTruncationPattern(node.arguments[0]);
+        if (truncation) {
+          context.report({
+            node: truncation,
+            messageId: "truncateBeforeMask"
+          });
+        }
+      }
+    };
+  }
+};