eslint-plugin-node-security 4.0.0

package/CHANGELOG.md

@@ -0,0 +1,83 @@
+# Changelog
+
+All notable changes to `eslint-plugin-node-security` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Documentation
+
+- 📘 Launched new documentation site: [eslint.interlace.tools](https://eslint.interlace.tools/)
+- 📝 Achieved 100% documentation parity (both .md and .mdx files)
+
+## [1.0.0] - 2026-01-26
+
+### Added
+
+- Initial stable release with 31 Node.js security rules
+- LLM-optimized error messages with CWE references and OWASP mapping
+- 100% test coverage across all rules
+- ESLint 8 and ESLint 9 flat config support
+- TypeScript type definitions for all rule options
+
+### Rule Categories
+
+#### Cryptography Rules (12)
+
+- `no-sha1-hash` - Disallow SHA-1 for security-sensitive operations (CWE-328)
+- `no-weak-hash-algorithm` - Disallow MD5, SHA-1 for cryptographic hashing (CWE-328)
+- `no-ecb-mode` - Disallow ECB mode for block ciphers (CWE-327)
+- `no-static-iv` - Disallow static initialization vectors (CWE-329)
+- `no-insecure-key-derivation` - Require secure key derivation functions (CWE-916)
+- `no-insecure-rsa-padding` - Require OAEP padding for RSA (CWE-780)
+- `no-self-signed-certs` - Detect disabled TLS certificate validation (CWE-295)
+- `no-timing-unsafe-compare` - Require timing-safe comparison for secrets (CWE-208)
+- `no-cryptojs` - Prefer native crypto over CryptoJS (CWE-327)
+- `no-cryptojs-weak-random` - Disallow CryptoJS weak random (CWE-338)
+- `no-deprecated-cipher-method` - Disallow deprecated crypto methods (CWE-327)
+- `prefer-native-crypto` - Prefer Node.js native crypto module
+
+#### File System Rules (7)
+
+- `no-path-traversal` - Prevent path traversal attacks (CWE-22)
+- `no-unsafe-file-permissions` - Enforce secure file permissions (CWE-732)
+- `no-symlink-attacks` - Prevent symlink-based attacks (CWE-59)
+- `require-file-validation` - Require file type validation (CWE-434)
+- `no-temp-file-exposure` - Prevent temp file security issues (CWE-377)
+- `no-hardcoded-paths` - Prevent hardcoded sensitive paths (CWE-426)
+- `require-safe-path-join` - Require path.join for path construction (CWE-22)
+
+#### Process & Shell Rules (6)
+
+- `no-child-process-injection` - Prevent command injection (CWE-78)
+- `no-shell-exec` - Disallow shell: true in spawn options (CWE-78)
+- `no-env-exposure` - Prevent environment variable exposure (CWE-214)
+- `require-process-sanitization` - Require input sanitization for process args (CWE-88)
+- `no-unsafe-exec` - Disallow exec with dynamic input (CWE-78)
+- `no-eval-alternatives` - Disallow Function constructor, vm runInContext (CWE-95)
+
+#### Network Rules (6)
+
+- `require-tls-verification` - Require TLS certificate validation (CWE-295)
+- `no-dns-rebinding` - Prevent DNS rebinding attacks (CWE-350)
+- `no-ssrf` - Prevent Server-Side Request Forgery (CWE-918)
+- `require-https` - Require HTTPS for external requests (CWE-319)
+- `no-unsafe-redirect` - Prevent open redirects (CWE-601)
+- `require-host-validation` - Require host header validation (CWE-20)
+
+### Presets
+
+- `recommended` - Balanced security for Node.js applications
+- `strict` - All rules as errors
+- `crypto` - Cryptography-focused subset
+- `filesystem` - File system security subset
+- `network` - Network security subset
+
+### Features
+
+- Comprehensive detection patterns for Node.js core modules
+- Support for popular libraries (fs-extra, glob, rimraf)
+- Auto-fix capabilities where safe
+- ESLint MCP integration for AI assistants

package/README.md

@@ -0,0 +1,50 @@
+# eslint-plugin-node-security
+
+Security-focused ESLint plugin for Node.js built-in modules (fs, child_process, vm, path, Buffer). Detects command injection, path traversal, code execution vulnerabilities with AI-parseable error messages.
+
+Part of the [Interlace ESLint Ecosystem](https://github.com/ofri-peretz/eslint).
+
+## Features
+
+- **LLM-Optimized**: Error messages are designed to be easily parsed and resolved by AI assistants (Cursor, GitHub Copilot, etc.).
+- **OWASP Coverage**: Implements rules for OWASP Top 10 and OWASP Mobile Top 10.
+- **Node.js Core Security**: Specific focus on built-in modules which are most susceptible to critical vulnerabilities.
+- **Strict Interface**: Verified with high-fidelity unit tests.
+
+## Installation
+
+```bash
+npm add -D eslint-plugin-node-security
+```
+
+## Usage (Flat Config)
+
+```javascript
+import nodeSecurity from 'eslint-plugin-node-security';
+
+export default [
+  nodeSecurity.configs.recommended,
+  {
+    rules: {
+      'node-security/detect-child-process': 'error',
+    },
+  },
+];
+```
+
+## Rules
+
+| Rule                                                                               | Description                                | CWE     |
+| :--------------------------------------------------------------------------------- | :----------------------------------------- | :------ |
+| [`detect-child-process`](./docs/rules/detect-child-process.md)                     | Detects dangerous child_process.exec calls | CWE-78  |
+| [`detect-eval-with-expression`](./docs/rules/detect-eval-with-expression.md)       | Detects eval() with dynamic expressions    | CWE-95  |
+| [`detect-non-literal-fs-filename`](./docs/rules/detect-non-literal-fs-filename.md) | Detects user-controlled file paths         | CWE-22  |
+| [`no-unsafe-dynamic-require`](./docs/rules/no-unsafe-dynamic-require.md)           | Prevents arbitrary module loading          | CWE-706 |
+| [`no-buffer-overread`](./docs/rules/no-buffer-overread.md)                         | Detects buffer access beyond bounds        | CWE-126 |
+| [`no-toctou-vulnerability`](./docs/rules/no-toctou-vulnerability.md)               | Detects Race Conditions in file ops        | CWE-367 |
+| [`no-zip-slip`](./docs/rules/no-zip-slip.md)                                       | Prevents Zip Slip directory traversal      | CWE-22  |
+| [`no-arbitrary-file-access`](./docs/rules/no-arbitrary-file-access.md)             | Prevents arbitrary file read/write         | CWE-22  |
+
+## License
+
+MIT © [Ofri Peretz](https://ofriperetz.dev)

package/package.json

@@ -0,0 +1,79 @@
+{
+  "name": "eslint-plugin-node-security",
+  "version": "4.0.0",
+  "description": "Security-focused ESLint plugin for Node.js built-in modules (fs, child_process, vm, path, Buffer). Detects command injection, path traversal, code execution vulnerabilities with AI-parseable error messages.",
+  "type": "commonjs",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./src/index.d.ts",
+      "default": "./src/index.js"
+    },
+    "./types": {
+      "types": "./src/types/index.d.ts",
+      "default": "./src/types/index.js"
+    }
+  },
+  "author": "Ofri Peretz <ofriperetzdev@gmail.com>",
+  "license": "MIT",
+  "homepage": "https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-node-security#readme",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ofri-peretz/eslint",
+    "directory": "packages/eslint-plugin-node-security"
+  },
+  "bugs": {
+    "url": "https://github.com/ofri-peretz/eslint/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "src/",
+    "dist/",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md",
+    "AGENTS.md"
+  ],
+  "keywords": [
+    "eslint",
+    "eslint-plugin",
+    "eslintplugin",
+    "interlace-security",
+    "security",
+    "node-security",
+    "nodejs",
+    "child-process",
+    "command-injection",
+    "path-traversal",
+    "fs",
+    "vm",
+    "buffer",
+    "owasp",
+    "cwe",
+    "vulnerability",
+    "llm-optimized",
+    "ai-assistant",
+    "auto-fix",
+    "typescript",
+    "linting",
+    "code-quality",
+    "ast",
+    "static-analysis",
+    "mcp",
+    "model-context-protocol"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "tslib": "^2.3.0",
+    "@interlace/eslint-devkit": "^1.2.1"
+  },
+  "devDependencies": {
+    "@typescript-eslint/parser": "^8.46.2",
+    "@typescript-eslint/rule-tester": "^8.46.2"
+  }
+}

package/src/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * eslint-plugin-node-security
+ *
+ * Security rules for Node.js built-in modules (fs, child_process, vm, path, etc.)
+ */
+import { TSESLint } from '@interlace/eslint-devkit';
+export declare const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>>;
+export declare const plugin: TSESLint.FlatConfig.Plugin;
+export declare const configs: Record<string, TSESLint.FlatConfig.Config>;
+export default plugin;

package/src/index.js

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * eslint-plugin-node-security
+ *
+ * Security rules for Node.js built-in modules (fs, child_process, vm, path, etc.)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configs = exports.plugin = exports.rules = void 0;
+const detect_child_process_1 = require("./rules/detect-child-process");
+const detect_eval_with_expression_1 = require("./rules/detect-eval-with-expression");
+const detect_non_literal_fs_filename_1 = require("./rules/detect-non-literal-fs-filename");
+const no_unsafe_dynamic_require_1 = require("./rules/no-unsafe-dynamic-require");
+const no_buffer_overread_1 = require("./rules/no-buffer-overread");
+const no_toctou_vulnerability_1 = require("./rules/no-toctou-vulnerability");
+const no_zip_slip_1 = require("./rules/no-zip-slip");
+const no_arbitrary_file_access_1 = require("./rules/no-arbitrary-file-access");
+const no_data_in_temp_storage_1 = require("./rules/no-data-in-temp-storage");
+// Migrated rules from secure-coding
+const detect_suspicious_dependencies_1 = require("./rules/detect-suspicious-dependencies");
+const lock_file_1 = require("./rules/lock-file");
+const no_dynamic_dependency_loading_1 = require("./rules/no-dynamic-dependency-loading");
+const require_dependency_integrity_1 = require("./rules/require-dependency-integrity");
+const require_secure_credential_storage_1 = require("./rules/require-secure-credential-storage");
+const require_secure_deletion_1 = require("./rules/require-secure-deletion");
+const require_storage_encryption_1 = require("./rules/require-storage-encryption");
+const no_dynamic_require_1 = require("./rules/no-dynamic-require");
+// Migrated rules from crypto
+const no_cryptojs_1 = require("./rules/no-cryptojs");
+const no_cryptojs_weak_random_1 = require("./rules/no-cryptojs-weak-random");
+const no_deprecated_cipher_method_1 = require("./rules/no-deprecated-cipher-method");
+const no_ecb_mode_1 = require("./rules/no-ecb-mode");
+const no_insecure_key_derivation_1 = require("./rules/no-insecure-key-derivation");
+const no_insecure_rsa_padding_1 = require("./rules/no-insecure-rsa-padding");
+const no_self_signed_certs_1 = require("./rules/no-self-signed-certs");
+const no_sha1_hash_1 = require("./rules/no-sha1-hash");
+const no_static_iv_1 = require("./rules/no-static-iv");
+const no_timing_unsafe_compare_1 = require("./rules/no-timing-unsafe-compare");
+const no_weak_cipher_algorithm_1 = require("./rules/no-weak-cipher-algorithm");
+const no_weak_hash_algorithm_1 = require("./rules/no-weak-hash-algorithm");
+const prefer_native_crypto_1 = require("./rules/prefer-native-crypto");
+exports.rules = {
+    'detect-child-process': detect_child_process_1.detectChildProcess,
+    'detect-eval-with-expression': detect_eval_with_expression_1.detectEvalWithExpression,
+    'detect-non-literal-fs-filename': detect_non_literal_fs_filename_1.detectNonLiteralFsFilename,
+    'no-unsafe-dynamic-require': no_unsafe_dynamic_require_1.noUnsafeDynamicRequire,
+    'no-buffer-overread': no_buffer_overread_1.noBufferOverread,
+    'no-toctou-vulnerability': no_toctou_vulnerability_1.noToctouVulnerability,
+    'no-zip-slip': no_zip_slip_1.noZipSlip,
+    'no-arbitrary-file-access': no_arbitrary_file_access_1.noArbitraryFileAccess,
+    'no-data-in-temp-storage': no_data_in_temp_storage_1.noDataInTempStorage,
+    // Migrated rules
+    'detect-suspicious-dependencies': detect_suspicious_dependencies_1.detectSuspiciousDependencies,
+    'lock-file': lock_file_1.lockFile,
+    'no-dynamic-dependency-loading': no_dynamic_dependency_loading_1.noDynamicDependencyLoading,
+    'require-dependency-integrity': require_dependency_integrity_1.requireDependencyIntegrity,
+    'require-secure-credential-storage': require_secure_credential_storage_1.requireSecureCredentialStorage,
+    'require-secure-deletion': require_secure_deletion_1.requireSecureDeletion,
+    'require-storage-encryption': require_storage_encryption_1.requireStorageEncryption,
+    'no-dynamic-require': no_dynamic_require_1.noDynamicRequire,
+    // Migrated crypto rules
+    'no-cryptojs': no_cryptojs_1.noCryptojs,
+    'no-cryptojs-weak-random': no_cryptojs_weak_random_1.noCryptojsWeakRandom,
+    'no-deprecated-cipher-method': no_deprecated_cipher_method_1.noDeprecatedCipherMethod,
+    'no-ecb-mode': no_ecb_mode_1.noEcbMode,
+    'no-insecure-key-derivation': no_insecure_key_derivation_1.noInsecureKeyDerivation,
+    'no-insecure-rsa-padding': no_insecure_rsa_padding_1.noInsecureRsaPadding,
+    'no-self-signed-certs': no_self_signed_certs_1.noSelfSignedCerts,
+    'no-sha1-hash': no_sha1_hash_1.noSha1Hash,
+    'no-static-iv': no_static_iv_1.noStaticIv,
+    'no-timing-unsafe-compare': no_timing_unsafe_compare_1.noTimingUnsafeCompare,
+    'no-weak-cipher-algorithm': no_weak_cipher_algorithm_1.noWeakCipherAlgorithm,
+    'no-weak-hash-algorithm': no_weak_hash_algorithm_1.noWeakHashAlgorithm,
+    'prefer-native-crypto': prefer_native_crypto_1.preferNativeCrypto,
+};
+exports.plugin = {
+    meta: {
+        name: 'eslint-plugin-node-security',
+        version: '1.0.0',
+    },
+    rules: exports.rules,
+};
+const recommendedRules = {
+    'node-security/detect-child-process': 'error',
+    'node-security/detect-eval-with-expression': 'error',
+    'node-security/detect-non-literal-fs-filename': 'error',
+    'node-security/no-unsafe-dynamic-require': 'error',
+    'node-security/no-buffer-overread': 'error',
+    'node-security/no-toctou-vulnerability': 'error',
+    'node-security/no-zip-slip': 'error',
+    'node-security/no-arbitrary-file-access': 'error',
+    'node-security/no-data-in-temp-storage': 'error',
+    // Migrated Rules
+    'node-security/detect-suspicious-dependencies': 'warn',
+    'node-security/lock-file': 'error',
+    'node-security/require-dependency-integrity': 'error',
+    // Crypto rules in recommended
+    'node-security/no-weak-hash-algorithm': 'error',
+    'node-security/no-weak-cipher-algorithm': 'error',
+    'node-security/no-static-iv': 'error',
+    'node-security/no-ecb-mode': 'error',
+    'node-security/no-cryptojs': 'warn',
+};
+exports.configs = {
+    recommended: {
+        plugins: {
+            'node-security': exports.plugin,
+        },
+        rules: recommendedRules,
+    },
+    strict: {
+        plugins: {
+            'node-security': exports.plugin,
+        },
+        rules: Object.fromEntries(Object.keys(exports.rules).map(ruleName => [`node-security/${ruleName}`, 'error'])),
+    },
+};
+exports.default = exports.plugin;
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/eslint-plugin-node-security/src/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,uEAAkE;AAClE,qFAA+E;AAC/E,2FAAoF;AACpF,iFAA2E;AAC3E,mEAA8D;AAC9D,6EAAwE;AACxE,qDAAgD;AAChD,+EAAyE;AACzE,6EAAsE;AAEtE,oCAAoC;AACpC,2FAAsF;AACtF,iDAA6C;AAC7C,yFAAmF;AACnF,uFAAkF;AAClF,iGAA2F;AAC3F,6EAAwE;AACxE,mFAA8E;AAC9E,mEAA8D;AAE9D,6BAA6B;AAC7B,qDAAiD;AACjD,6EAAuE;AACvE,qFAA+E;AAC/E,qDAAgD;AAChD,mFAA6E;AAC7E,6EAAuE;AACvE,uEAAiE;AACjE,uDAAkD;AAClD,uDAAkD;AAClD,+EAAyE;AACzE,+EAAyE;AACzE,2EAAqE;AACrE,uEAAkE;AAIrD,QAAA,KAAK,GAAoE;IACpF,sBAAsB,EAAE,yCAAkB;IAC1C,6BAA6B,EAAE,sDAAwB;IACvD,gCAAgC,EAAE,2DAA0B;IAC5D,2BAA2B,EAAE,kDAAsB;IACnD,oBAAoB,EAAE,qCAAgB;IACtC,yBAAyB,EAAE,+CAAqB;IAChD,aAAa,EAAE,uBAAS;IACxB,0BAA0B,EAAE,gDAAqB;IACjD,yBAAyB,EAAE,6CAAmB;IAE9C,iBAAiB;IACjB,gCAAgC,EAAE,6DAA4B;IAC9D,WAAW,EAAE,oBAAQ;IACrB,+BAA+B,EAAE,0DAA0B;IAC3D,8BAA8B,EAAE,yDAA0B;IAC1D,mCAAmC,EAAE,kEAA8B;IACnE,yBAAyB,EAAE,+CAAqB;IAChD,4BAA4B,EAAE,qDAAwB;IACtD,oBAAoB,EAAE,qCAAgB;IAEtC,wBAAwB;IACxB,aAAa,EAAE,wBAAU;IACzB,yBAAyB,EAAE,8CAAoB;IAC/C,6BAA6B,EAAE,sDAAwB;IACvD,aAAa,EAAE,uBAAS;IACxB,4BAA4B,EAAE,oDAAuB;IACrD,yBAAyB,EAAE,8CAAoB;IAC/C,sBAAsB,EAAE,wCAAiB;IACzC,cAAc,EAAE,yBAAU;IAC1B,cAAc,EAAE,yBAAU;IAC1B,0BAA0B,EAAE,gDAAqB;IACjD,0BAA0B,EAAE,gDAAqB;IACjD,wBAAwB,EAAE,4CAAmB;IAC7C,sBAAsB,EAAE,yCAAkB;CAC3C,CAAC;AAEW,QAAA,MAAM,GAA+B;IAChD,IAAI,EAAE;QACJ,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,OAAO;KACjB;IACD,KAAK,EAAL,aAAK;CACN,CAAC;AAEF,MAAM,gBAAgB,GAAkD;IACtE,oCAAoC,EAAE,OAAO;IAC7C,2CAA2C,EAAE,OAAO;IACpD,8CAA8C,EAAE,OAAO;IACvD,yCAAyC,EAAE,OAAO;IAClD,kCAAkC,EAAE,OAAO;IAC3C,uCAAuC,EAAE,OAAO;IAChD,2BAA2B,EAAE,OAAO;IACpC,wCAAwC,EAAE,OAAO;IACjD,uCAAuC,EAAE,OAAO;IAEhD,iBAAiB;IACjB,8CAA8C,EAAE,MAAM;IACtD,yBAAyB,EAAE,OAAO;IAClC,4CAA4C,EAAE,OAAO;IAErD,8BAA8B;IAC9B,sCAAsC,EAAE,OAAO;IAC/C,wCAAwC,EAAE,OAAO;IACjD,4BAA4B,EAAE,OAAO;IACrC,2BAA2B,EAAE,OAAO;IACpC,2BAA2B,EAAE,MAAM;CACpC,CAAC;AAEW,QAAA,OAAO,GAA+C;IACjE,WAAW,EAAE;QACX,OAAO,EAAE;YACP,eAAe,EAAE,cAAM;SACxB;QACD,KAAK,EAAE,gBAAgB;KACa;IACtC,MAAM,EAAE;QACN,OAAO,EAAE;YACP,eAAe,EAAE,cAAM;SACxB;QACD,KAAK,EAAE,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,IAAI,CAAC,aAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,iBAAiB,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAC,CAC3E;KACmC;CACvC,CAAC;AAGF,kBAAe,cAAM,CAAC"}

package/src/rules/detect-child-process/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: detect-child-process
+ * Detects instances of child_process & non-literal exec() calls
+ * LLM-optimized with comprehensive command injection prevention guidance
+ *
+ * @see https://owasp.org/www-community/attacks/Command_Injection
+ * @see https://cwe.mitre.org/data/definitions/78.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'childProcessCommandInjection' | 'useExecFile' | 'useSpawn' | 'useSaferLibrary' | 'validateInput' | 'useShellFalse' | 'strategyValidate' | 'strategySanitize' | 'strategyRestrict';
+export interface Options {
+    /** Allow exec() with literal strings. Default: false (stricter) */
+    allowLiteralStrings?: boolean;
+    /** Allow spawn() with literal arguments. Default: false (stricter) */
+    allowLiteralSpawn?: boolean;
+    /** Additional child_process methods to check */
+    additionalMethods?: string[];
+    /** Strategy for fixing command injection: 'validate', 'sanitize', 'restrict', or 'auto' */
+    strategy?: 'validate' | 'sanitize' | 'restrict' | 'auto';
+}
+type RuleOptions = [Options?];
+export declare const detectChildProcess: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};