eslint-plugin-mongodb-security 8.0.0

package/src/index.js

@@ -0,0 +1,148 @@
+"use strict";
+/**
+ * eslint-plugin-mongodb-security
+ *
+ * Security-focused ESLint plugin for MongoDB & Mongoose.
+ * Detects NoSQL injection, operator attacks, credential exposure,
+ * and ODM-specific vulnerabilities with AI-optimized fix guidance.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - OWASP Top 10 coverage (A01-A07)
+ * - CVE detection (CVE-2025-23061, CVE-2024-53900)
+ * - Full support for mongodb, mongoose, mongodb-client-encryption
+ *
+ * @see https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-mongodb-security
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configs = exports.plugin = exports.rules = void 0;
+// Critical - NoSQL Injection
+const no_unsafe_query_1 = require("./rules/no-unsafe-query");
+const no_operator_injection_1 = require("./rules/no-operator-injection");
+const no_unsafe_where_1 = require("./rules/no-unsafe-where");
+const no_unsafe_regex_query_1 = require("./rules/no-unsafe-regex-query");
+// High - Credentials & Connection
+const no_hardcoded_connection_string_1 = require("./rules/no-hardcoded-connection-string");
+const no_hardcoded_credentials_1 = require("./rules/no-hardcoded-credentials");
+const require_tls_connection_1 = require("./rules/require-tls-connection");
+const require_auth_mechanism_1 = require("./rules/require-auth-mechanism");
+// Medium - Mongoose ODM
+const require_schema_validation_1 = require("./rules/require-schema-validation");
+const no_select_sensitive_fields_1 = require("./rules/no-select-sensitive-fields");
+const no_bypass_middleware_1 = require("./rules/no-bypass-middleware");
+const no_unsafe_populate_1 = require("./rules/no-unsafe-populate");
+// Low - Best Practices
+const no_unbounded_find_1 = require("./rules/no-unbounded-find");
+const require_projection_1 = require("./rules/require-projection");
+const require_lean_queries_1 = require("./rules/require-lean-queries");
+const no_debug_mode_production_1 = require("./rules/no-debug-mode-production");
+/**
+ * Collection of all MongoDB security rules
+ */
+exports.rules = {
+    // Critical - NoSQL Injection (OWASP A03)
+    'no-unsafe-query': no_unsafe_query_1.noUnsafeQuery,
+    'no-operator-injection': no_operator_injection_1.noOperatorInjection,
+    'no-unsafe-where': no_unsafe_where_1.noUnsafeWhere,
+    'no-unsafe-regex-query': no_unsafe_regex_query_1.noUnsafeRegexQuery,
+    // High - Credentials & Connection (OWASP A02, A07)
+    'no-hardcoded-connection-string': no_hardcoded_connection_string_1.noHardcodedConnectionString,
+    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
+    'require-tls-connection': require_tls_connection_1.requireTlsConnection,
+    'require-auth-mechanism': require_auth_mechanism_1.requireAuthMechanism,
+    // Medium - Mongoose ODM (OWASP A01, A04)
+    'require-schema-validation': require_schema_validation_1.requireSchemaValidation,
+    'no-select-sensitive-fields': no_select_sensitive_fields_1.noSelectSensitiveFields,
+    'no-bypass-middleware': no_bypass_middleware_1.noBypassMiddleware,
+    'no-unsafe-populate': no_unsafe_populate_1.noUnsafePopulate,
+    // Low - Best Practices
+    'no-unbounded-find': no_unbounded_find_1.noUnboundedFind,
+    'require-projection': require_projection_1.requireProjection,
+    'require-lean-queries': require_lean_queries_1.requireLeanQueries,
+    'no-debug-mode-production': no_debug_mode_production_1.noDebugModeProduction,
+};
+/**
+ * ESLint Plugin object
+ */
+exports.plugin = {
+    meta: {
+        name: 'eslint-plugin-mongodb-security',
+        version: '1.0.0',
+    },
+    rules: exports.rules,
+};
+/**
+ * Recommended rules configuration
+ */
+const recommendedRules = {
+    // Critical - NoSQL Injection
+    'mongodb-security/no-unsafe-query': 'error',
+    'mongodb-security/no-operator-injection': 'error',
+    'mongodb-security/no-unsafe-where': 'error',
+    'mongodb-security/no-unsafe-regex-query': 'error',
+    // High - Credentials & Connection
+    'mongodb-security/no-hardcoded-connection-string': 'error',
+    'mongodb-security/no-hardcoded-credentials': 'error',
+    'mongodb-security/require-tls-connection': 'warn',
+    'mongodb-security/require-auth-mechanism': 'warn',
+    // Medium - Mongoose ODM
+    'mongodb-security/require-schema-validation': 'warn',
+    'mongodb-security/no-select-sensitive-fields': 'warn',
+    'mongodb-security/no-bypass-middleware': 'warn',
+    'mongodb-security/no-unsafe-populate': 'error',
+    // Low - Best Practices
+    'mongodb-security/no-unbounded-find': 'warn',
+    'mongodb-security/require-projection': 'off',
+    'mongodb-security/require-lean-queries': 'off',
+    'mongodb-security/no-debug-mode-production': 'error',
+};
+/**
+ * Preset configurations
+ */
+exports.configs = {
+    /**
+     * Recommended configuration
+     * Critical rules as errors, high as warnings
+     */
+    recommended: {
+        plugins: {
+            'mongodb-security': exports.plugin,
+        },
+        rules: recommendedRules,
+    },
+    /**
+     * Strict configuration
+     * All rules as errors
+     */
+    strict: {
+        plugins: {
+            'mongodb-security': exports.plugin,
+        },
+        rules: Object.fromEntries(Object.keys(exports.rules).map((ruleName) => [`mongodb-security/${ruleName}`, 'error'])),
+    },
+    /**
+     * Mongoose-focused configuration
+     * ODM-specific rules for Mongoose projects
+     */
+    mongoose: {
+        plugins: {
+            'mongodb-security': exports.plugin,
+        },
+        rules: {
+            'mongodb-security/no-unsafe-query': 'error',
+            'mongodb-security/no-operator-injection': 'error',
+            'mongodb-security/no-unsafe-where': 'error',
+            'mongodb-security/require-schema-validation': 'error',
+            'mongodb-security/no-select-sensitive-fields': 'error',
+            'mongodb-security/no-bypass-middleware': 'error',
+            'mongodb-security/no-unsafe-populate': 'error',
+            'mongodb-security/require-lean-queries': 'warn',
+            'mongodb-security/no-debug-mode-production': 'error',
+        },
+    },
+};
+/**
+ * Default export for ESLint plugin
+ */
+exports.default = exports.plugin;
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/eslint-plugin-mongodb-security/src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAIH,6BAA6B;AAC7B,6DAAwD;AACxD,yEAAoE;AACpE,6DAAwD;AACxD,yEAAmE;AAEnE,kCAAkC;AAClC,2FAAqF;AACrF,+EAA0E;AAC1E,2EAAsE;AACtE,2EAAsE;AAEtE,wBAAwB;AACxB,iFAA4E;AAC5E,mFAA6E;AAC7E,uEAAkE;AAClE,mEAA8D;AAE9D,uBAAuB;AACvB,iEAA4D;AAC5D,mEAA+D;AAC/D,uEAAkE;AAClE,+EAAyE;AAEzE;;GAEG;AACU,QAAA,KAAK,GAAoE;IACpF,yCAAyC;IACzC,iBAAiB,EAAE,+BAAa;IAChC,uBAAuB,EAAE,2CAAmB;IAC5C,iBAAiB,EAAE,+BAAa;IAChC,uBAAuB,EAAE,0CAAkB;IAE3C,mDAAmD;IACnD,gCAAgC,EAAE,4DAA2B;IAC7D,0BAA0B,EAAE,iDAAsB;IAClD,wBAAwB,EAAE,6CAAoB;IAC9C,wBAAwB,EAAE,6CAAoB;IAE9C,yCAAyC;IACzC,2BAA2B,EAAE,mDAAuB;IACpD,4BAA4B,EAAE,oDAAuB;IACrD,sBAAsB,EAAE,yCAAkB;IAC1C,oBAAoB,EAAE,qCAAgB;IAEtC,uBAAuB;IACvB,mBAAmB,EAAE,mCAAe;IACpC,oBAAoB,EAAE,sCAAiB;IACvC,sBAAsB,EAAE,yCAAkB;IAC1C,0BAA0B,EAAE,gDAAqB;CACwB,CAAC;AAE5E;;GAEG;AACU,QAAA,MAAM,GAA+B;IAChD,IAAI,EAAE;QACJ,IAAI,EAAE,gCAAgC;QACtC,OAAO,EAAE,OAAO;KACjB;IACD,KAAK,EAAL,aAAK;CAC+B,CAAC;AAEvC;;GAEG;AACH,MAAM,gBAAgB,GAAkD;IACtE,6BAA6B;IAC7B,kCAAkC,EAAE,OAAO;IAC3C,wCAAwC,EAAE,OAAO;IACjD,kCAAkC,EAAE,OAAO;IAC3C,wCAAwC,EAAE,OAAO;IAEjD,kCAAkC;IAClC,iDAAiD,EAAE,OAAO;IAC1D,2CAA2C,EAAE,OAAO;IACpD,yCAAyC,EAAE,MAAM;IACjD,yCAAyC,EAAE,MAAM;IAEjD,wBAAwB;IACxB,4CAA4C,EAAE,MAAM;IACpD,6CAA6C,EAAE,MAAM;IACrD,uCAAuC,EAAE,MAAM;IAC/C,qCAAqC,EAAE,OAAO;IAE9C,uBAAuB;IACvB,oCAAoC,EAAE,MAAM;IAC5C,qCAAqC,EAAE,KAAK;IAC5C,uCAAuC,EAAE,KAAK;IAC9C,2CAA2C,EAAE,OAAO;CACrD,CAAC;AAEF;;GAEG;AACU,QAAA,OAAO,GAA+C;IACjE;;;OAGG;IACH,WAAW,EAAE;QACX,OAAO,EAAE;YACP,kBAAkB,EAAE,cAAM;SAC3B;QACD,KAAK,EAAE,gBAAgB;KACa;IAEtC;;;OAGG;IACH,MAAM,EAAE;QACN,OAAO,EAAE;YACP,kBAAkB,EAAE,cAAM;SAC3B;QACD,KAAK,EAAE,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,IAAI,CAAC,aAAK,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,oBAAoB,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAC,CAChF;KACmC;IAEtC;;;OAGG;IACH,QAAQ,EAAE;QACR,OAAO,EAAE;YACP,kBAAkB,EAAE,cAAM;SAC3B;QACD,KAAK,EAAE;YACL,kCAAkC,EAAE,OAAO;YAC3C,wCAAwC,EAAE,OAAO;YACjD,kCAAkC,EAAE,OAAO;YAC3C,4CAA4C,EAAE,OAAO;YACrD,6CAA6C,EAAE,OAAO;YACtD,uCAAuC,EAAE,OAAO;YAChD,qCAAqC,EAAE,OAAO;YAC9C,uCAAuC,EAAE,MAAM;YAC/C,2CAA2C,EAAE,OAAO;SACrD;KACmC;CACvC,CAAC;AAEF;;GAEG;AACH,kBAAe,cAAM,CAAC"}

package/src/rules/no-bypass-middleware/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noBypassMiddleware: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noBypassMiddleware;

package/src/rules/no-bypass-middleware/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noBypassMiddleware = void 0;
+/**
+ * ESLint Rule: no-bypass-middleware
+ * Prevents bypassing Mongoose middleware
+ * CWE-284: Improper Access Control
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noBypassMiddleware = (0, eslint_devkit_1.createRule)({
+    name: 'no-bypass-middleware',
+    meta: {
+        type: 'suggestion',
+        docs: { description: 'Prevent bypassing Mongoose pre/post middleware hooks' },
+        hasSuggestions: true,
+        messages: {
+            bypassMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Middleware Bypass',
+                cwe: 'CWE-284',
+                owasp: 'A01:2021',
+                cvss: 5.3,
+                description: 'This method bypasses Mongoose middleware hooks',
+                severity: 'MEDIUM',
+                fix: 'Use findOne + save() pattern to ensure middleware runs',
+                documentationLink: 'https://mongoosejs.com/docs/middleware.html',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noBypassMiddleware;
+//# sourceMappingURL=index.js.map

package/src/rules/no-bypass-middleware/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-bypass-middleware/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,kBAAkB,GAAG,IAAA,0BAAU,EAA0B;IACpE,IAAI,EAAE,sBAAsB;IAC5B,IAAI,EAAE;QACJ,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,EAAE,WAAW,EAAE,sDAAsD,EAAE;QAC7E,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,gDAAgD;gBAC7D,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,wDAAwD;gBAC7D,iBAAiB,EAAE,6CAA6C;aACjE,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,0BAAkB,CAAC"}

package/src/rules/no-debug-mode-production/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noDebugModeProduction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noDebugModeProduction;

package/src/rules/no-debug-mode-production/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDebugModeProduction = void 0;
+/**
+ * ESLint Rule: no-debug-mode-production
+ * Prevents Mongoose debug mode in production
+ * CWE-489: Active Debug Code
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noDebugModeProduction = (0, eslint_devkit_1.createRule)({
+    name: 'no-debug-mode-production',
+    meta: {
+        type: 'problem',
+        docs: { description: 'Prevent Mongoose debug mode in production' },
+        hasSuggestions: true,
+        messages: {
+            debugModeProduction: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Debug Mode in Production',
+                cwe: 'CWE-489',
+                owasp: 'A05:2021',
+                cvss: 3.1,
+                description: 'mongoose.set("debug", true) exposes query details in production',
+                severity: 'LOW',
+                fix: 'Use mongoose.set("debug", process.env.NODE_ENV !== "production")',
+                documentationLink: 'https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.set()',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noDebugModeProduction;
+//# sourceMappingURL=index.js.map

package/src/rules/no-debug-mode-production/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-debug-mode-production/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,qBAAqB,GAAG,IAAA,0BAAU,EAA0B;IACvE,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,EAAE,WAAW,EAAE,2CAA2C,EAAE;QAClE,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,iEAAiE;gBAC9E,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kEAAkE;gBACvE,iBAAiB,EAAE,wEAAwE;aAC5F,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,6BAAqB,CAAC"}

package/src/rules/no-hardcoded-connection-string/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noHardcodedConnectionString: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noHardcodedConnectionString;

package/src/rules/no-hardcoded-connection-string/index.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHardcodedConnectionString = void 0;
+/**
+ * ESLint Rule: no-hardcoded-connection-string
+ * Detects hardcoded MongoDB connection strings with credentials
+ * CWE-798: Hardcoded Credentials
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noHardcodedConnectionString = (0, eslint_devkit_1.createRule)({
+    name: 'no-hardcoded-connection-string',
+    meta: {
+        type: 'problem',
+        docs: { description: 'Prevent hardcoded MongoDB connection strings with credentials' },
+        hasSuggestions: true,
+        messages: {
+            hardcodedConnectionString: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Hardcoded Connection String',
+                cwe: 'CWE-798',
+                cvss: 7.5,
+                description: 'MongoDB connection string contains hardcoded credentials',
+                severity: 'HIGH',
+                fix: 'Use process.env.MONGODB_URI instead of hardcoded connection strings',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noHardcodedConnectionString;
+//# sourceMappingURL=index.js.map

package/src/rules/no-hardcoded-connection-string/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-hardcoded-connection-string/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,2BAA2B,GAAG,IAAA,0BAAU,EAA0B;IAC7E,IAAI,EAAE,gCAAgC;IACtC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,EAAE,WAAW,EAAE,+DAA+D,EAAE;QACtF,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,yBAAyB,EAAE,IAAA,gCAAgB,EAAC;gBAC1C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,6BAA6B;gBACxC,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,0DAA0D;gBACvE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qEAAqE;gBAC1E,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,mCAA2B,CAAC"}

package/src/rules/no-hardcoded-credentials/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noHardcodedCredentials: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noHardcodedCredentials;

package/src/rules/no-hardcoded-credentials/index.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHardcodedCredentials = void 0;
+/**
+ * ESLint Rule: no-hardcoded-credentials
+ * Detects hardcoded MongoDB auth credentials
+ * CWE-798: Hardcoded Credentials
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noHardcodedCredentials = (0, eslint_devkit_1.createRule)({
+    name: 'no-hardcoded-credentials',
+    meta: {
+        type: 'problem',
+        docs: { description: 'Prevent hardcoded MongoDB authentication credentials' },
+        hasSuggestions: true,
+        messages: {
+            hardcodedCredentials: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Hardcoded Credentials',
+                cwe: 'CWE-798',
+                cvss: 7.5,
+                description: 'MongoDB authentication credentials are hardcoded',
+                severity: 'HIGH',
+                fix: 'Use environment variables for username and password',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noHardcodedCredentials;
+//# sourceMappingURL=index.js.map

package/src/rules/no-hardcoded-credentials/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-hardcoded-credentials/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,sBAAsB,GAAG,IAAA,0BAAU,EAA0B;IACxE,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,EAAE,WAAW,EAAE,sDAAsD,EAAE;QAC7E,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,kDAAkD;gBAC/D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,8BAAsB,CAAC"}

package/src/rules/no-operator-injection/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noOperatorInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noOperatorInjection;

package/src/rules/no-operator-injection/index.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noOperatorInjection = void 0;
+/**
+ * ESLint Rule: no-operator-injection
+ * Detects potential operator injection attacks ($ne, $gt, $lt, etc.)
+ * CWE-943: NoSQL Injection
+ *
+ * @see https://cwe.mitre.org/data/definitions/943.html
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noOperatorInjection = (0, eslint_devkit_1.createRule)({
+    name: 'no-operator-injection',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent MongoDB operator injection attacks via user input',
+        },
+        hasSuggestions: true,
+        messages: {
+            operatorInjection: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'MongoDB Operator Injection',
+                cwe: 'CWE-943',
+                owasp: 'A03:2021',
+                cvss: 9.1,
+                description: 'User input may contain MongoDB operators like { $ne: null } to bypass filters',
+                severity: 'CRITICAL',
+                fix: 'Use { field: { $eq: value } } pattern to prevent operator injection',
+                documentationLink: 'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: { type: 'boolean', default: true },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() {
+        // TODO: Implement rule logic
+        return {};
+    },
+});
+exports.default = exports.noOperatorInjection;
+//# sourceMappingURL=index.js.map

package/src/rules/no-operator-injection/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-operator-injection/index.ts"],"names":[],"mappings":";;;AAAA;;;;;;GAMG;AACH,4DAIkC;AAUrB,QAAA,mBAAmB,GAAG,IAAA,0BAAU,EAA0B;IACrE,IAAI,EAAE,uBAAuB;IAC7B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,2DAA2D;SACzE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,+EAA+E;gBAC5F,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,qEAAqE;gBAC1E,iBAAiB,EAAE,iKAAiK;aACrL,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE;iBACjD;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM;QACJ,6BAA6B;QAC7B,OAAO,EAAE,CAAC;IACZ,CAAC;CACF,CAAC,CAAC;AAEH,kBAAe,2BAAmB,CAAC"}

package/src/rules/no-select-sensitive-fields/index.d.ts

@@ -0,0 +1,6 @@
+export interface Options {
+    allowInTests?: boolean;
+    sensitiveFields?: string[];
+}
+export declare const noSelectSensitiveFields: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noSelectSensitiveFields;

package/src/rules/no-select-sensitive-fields/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSelectSensitiveFields = void 0;
+/**
+ * ESLint Rule: no-select-sensitive-fields
+ * Prevents returning sensitive fields like password
+ * CWE-200: Information Exposure
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noSelectSensitiveFields = (0, eslint_devkit_1.createRule)({
+    name: 'no-select-sensitive-fields',
+    meta: {
+        type: 'problem',
+        docs: { description: 'Prevent returning sensitive fields like password in queries' },
+        hasSuggestions: true,
+        messages: {
+            selectSensitiveFields: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Sensitive Field Exposure',
+                cwe: 'CWE-200',
+                owasp: 'A01:2021',
+                cvss: 5.3,
+                description: 'Query may return sensitive fields like password or token',
+                severity: 'MEDIUM',
+                fix: 'Add .select("-password -refreshToken") to exclude sensitive fields',
+                documentationLink: 'https://mongoosejs.com/docs/api/query.html#Query.prototype.select()',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true }, sensitiveFields: { type: 'array', items: { type: 'string' } } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true, sensitiveFields: ['password', 'refreshToken', 'apiKey', 'secret'] }],
+    create() { return {}; },
+});
+exports.default = exports.noSelectSensitiveFields;
+//# sourceMappingURL=index.js.map

package/src/rules/no-select-sensitive-fields/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-select-sensitive-fields/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,uBAAuB,GAAG,IAAA,0BAAU,EAA0B;IACzE,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,EAAE,WAAW,EAAE,6DAA6D,EAAE;QACpF,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,0DAA0D;gBACvE,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,oEAAoE;gBACzE,iBAAiB,EAAE,qEAAqE;aACzF,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,eAAe,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC3L;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,UAAU,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;IAC3G,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,+BAAuB,CAAC"}

package/src/rules/no-unbounded-find/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noUnboundedFind: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noUnboundedFind;

package/src/rules/no-unbounded-find/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnboundedFind = void 0;
+/**
+ * ESLint Rule: no-unbounded-find
+ * Requires limit() on find queries
+ * CWE-400: Resource Exhaustion
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noUnboundedFind = (0, eslint_devkit_1.createRule)({
+    name: 'no-unbounded-find',
+    meta: {
+        type: 'suggestion',
+        docs: { description: 'Require limit() on find queries to prevent resource exhaustion' },
+        hasSuggestions: true,
+        messages: {
+            unboundedFind: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Unbounded Query',
+                cwe: 'CWE-400',
+                owasp: 'A04:2021',
+                cvss: 4.3,
+                description: 'find() without limit() may return excessive data',
+                severity: 'LOW',
+                fix: 'Add .limit(100) or appropriate limit to the query',
+                documentationLink: 'https://www.mongodb.com/docs/manual/reference/method/cursor.limit/',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noUnboundedFind;
+//# sourceMappingURL=index.js.map

package/src/rules/no-unbounded-find/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-unbounded-find/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,eAAe,GAAG,IAAA,0BAAU,EAA0B;IACjE,IAAI,EAAE,mBAAmB;IACzB,IAAI,EAAE;QACJ,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,EAAE,WAAW,EAAE,gEAAgE,EAAE;QACvF,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,kDAAkD;gBAC/D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mDAAmD;gBACxD,iBAAiB,EAAE,oEAAoE;aACxF,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,uBAAe,CAAC"}

package/src/rules/no-unsafe-populate/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    allowInTests?: boolean;
+}
+export declare const noUnsafePopulate: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noUnsafePopulate;

package/src/rules/no-unsafe-populate/index.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafePopulate = void 0;
+/**
+ * ESLint Rule: no-unsafe-populate
+ * Prevents user-controlled populate() (CVE-2025-23061 related)
+ * CWE-943: NoSQL Injection
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noUnsafePopulate = (0, eslint_devkit_1.createRule)({
+    name: 'no-unsafe-populate',
+    meta: {
+        type: 'problem',
+        docs: { description: 'Prevent user-controlled populate() paths (CVE-2025-23061)' },
+        hasSuggestions: true,
+        messages: {
+            unsafePopulate: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe populate()',
+                cwe: 'CWE-943',
+                owasp: 'A03:2021',
+                cvss: 6.5,
+                description: 'User-controlled populate() can lead to data exposure or injection',
+                severity: 'MEDIUM',
+                fix: 'Use hardcoded populate paths instead of user input',
+                documentationLink: 'https://nvd.nist.gov/vuln/detail/CVE-2025-23061',
+            }),
+        },
+        schema: [{ type: 'object', properties: { allowInTests: { type: 'boolean', default: true } }, additionalProperties: false }],
+    },
+    defaultOptions: [{ allowInTests: true }],
+    create() { return {}; },
+});
+exports.default = exports.noUnsafePopulate;
+//# sourceMappingURL=index.js.map

package/src/rules/no-unsafe-populate/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-mongodb-security/src/rules/no-unsafe-populate/index.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,4DAAsF;AAMzE,QAAA,gBAAgB,GAAG,IAAA,0BAAU,EAA0B;IAClE,IAAI,EAAE,oBAAoB;IAC1B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,EAAE,WAAW,EAAE,2DAA2D,EAAE;QAClF,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,UAAU;gBACjB,IAAI,EAAE,GAAG;gBACT,WAAW,EAAE,mEAAmE;gBAChF,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,oDAAoD;gBACzD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;KAC5H;IACD,cAAc,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC,CAAC;CACxB,CAAC,CAAC;AAEH,kBAAe,wBAAgB,CAAC"}

package/src/rules/no-unsafe-query/index.d.ts

@@ -0,0 +1,8 @@
+export interface Options {
+    /** Allow in test files. Default: true */
+    allowInTests?: boolean;
+    /** Additional method names to check. Default: [] */
+    additionalMethods?: string[];
+}
+export declare const noUnsafeQuery: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+export default noUnsafeQuery;