@reliabilityworks/ruleset-react-native 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +4 -0
  2. package/rules.json +38 -0
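--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,4 @@
+{
+"name": "@reliabilityworks/ruleset-react-native",
+"version": "0.1.0"
+}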
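--- a/package/rules.json
+++ b/package/rules.json
@@ -0,0 +1,38 @@
+[
+{
+"id": "rn/cleartext-traffic",
+"severity": "high",
+"title": "Cleartext traffic allowed on Android",
+"description": "Allowing cleartext traffic can expose sensitive data over unencrypted connections.",
+"matcher": {
+"type": "regex",
+"fileGlobs": ["**/AndroidManifest.xml"],
+"pattern": "usesCleartextTraffic\\s*=\\s*\\\"true\\\"",
+"message": "usesCleartextTraffic is enabled"
+}
+},
+{
+"id": "rn/ats-arbitrary-loads",
+"severity": "high",
+"title": "ATS allows arbitrary loads on iOS",
+"description": "Disabling App Transport Security can allow insecure HTTP traffic.",
+"matcher": {
+"type": "regex",
+"fileGlobs": ["**/Info.plist"],
+"pattern": "NSAllowsArbitraryLoads[\\s\\S]*<true\\s*/>",
+"message": "NSAllowsArbitraryLoads appears enabled"
+}
+},
+{
+"id": "rn/asyncstorage-token-key",
+"severity": "high",
+"title": "Potential token stored in AsyncStorage",
+"description": "AsyncStorage is not suitable for storing secrets; prefer platform secure storage for tokens.",
+"matcher": {
+"type": "regex",
+"fileGlobs": ["**/*.{js,jsx,ts,tsx}"],
+"pattern": "AsyncStorage\\.setItem\\(\\s*['\\\"][^'\\\"]*(token|secret|key|password)[^'\\\"]*['\\\"]",
+"message": "AsyncStorage key name suggests sensitive data storage"
+}
+}
+]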
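Review bot: The `rn/ats-arbitrary-loads` pattern on line 22 of rules.json is unbounded: `[\s\S]*` runs to the end of the plist, so any `<true/>` appearing after the key name (including the value of an unrelated later key, or a `<false/>` for ATS followed by some other boolean) fires the rule, and the bare prefix also matches `NSAllowsArbitraryLoadsInWebContent` and `NSAllowsArbitraryLoadsForMedia`, which have narrower meaning. Anchoring the match to the key's own value would make the finding reliable: `"pattern": "<key>NSAllowsArbitraryLoads</key>\\s*<true\\s*/>"`. The `rn/asyncstorage-token-key` pattern on line 34 is case-sensitive, so common camelCase key names such as `authToken` or `apiKey` are missed while `key` still matches words like `monkey`; unless the engine applies its own ignore-case flag (not visible in the matcher schema), spelling the alternatives as `([tT]oken|[sS]ecret|[kK]ey|[pP]assword)` would close the gap. The cleartext pattern on line 10 only accepts a double-quoted attribute value, although XML permits `usesCleartextTraffic='true'`; `['\\\"]true['\\\"]` in place of `\\\"true\\\"` would cover both forms. Since the regex dialect the consuming engine uses is not stated anywhere in the package, a top-level comment-free `"version"` or `"$schema"`-style field documenting it would help rule authors avoid engine-specific syntax.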