eslint-plugin-node-security 4.0.0

package/src/rules/no-toctou-vulnerability/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-toctou-vulnerability
+ * Detects Time-of-Check-Time-of-Use vulnerabilities
+ * CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
+ *
+ * @see https://cwe.mitre.org/data/definitions/367.html
+ * @see https://owasp.org/www-community/vulnerabilities/TOCTOU_Race_Condition
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'toctouVulnerability' | 'useAtomicOperations' | 'useFsPromises' | 'addProperLocking';
+export interface Options {
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+    /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
+    fsMethods?: string[];
+}
+type RuleOptions = [Options?];
+export declare const noToctouVulnerability: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-toctou-vulnerability/index.js

@@ -0,0 +1,214 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noToctouVulnerability = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noToctouVulnerability = (0, eslint_devkit_2.createRule)({
+    name: 'no-toctou-vulnerability',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
+        },
+        hasSuggestions: true,
+        messages: {
+            toctouVulnerability: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'TOCTOU vulnerability',
+                cwe: 'CWE-367',
+                description: 'Time-of-check Time-of-use race condition detected',
+                severity: 'HIGH',
+                fix: 'Use atomic operations or fs.promises for file operations',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
+            }),
+            useAtomicOperations: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Atomic Operations',
+                description: 'Use atomic file operations',
+                severity: 'LOW',
+                fix: 'fs.promises.access() then fs.promises.readFile()',
+                documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
+            }),
+            useFsPromises: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use fs.promises',
+                description: 'Use fs.promises API',
+                severity: 'LOW',
+                fix: 'await fs.promises.readFile() instead of sync operations',
+                documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
+            }),
+            addProperLocking: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add File Locking',
+                description: 'Add proper locking mechanism',
+                severity: 'LOW',
+                fix: 'Use proper-lockfile or similar for concurrent access',
+                documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    fsMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignoreInTests: true,
+            fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { ignoreInTests = true } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check for TOCTOU patterns
+         */
+        function checkCallExpression(node) {
+            // 1. Identify the file operation (Use)
+            let useMethodName = '';
+            if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
+                const objectName = node.callee.object.type === 'Identifier' ? node.callee.object.name : '';
+                if (objectName === 'fs' || objectName === 'fsPromises') {
+                    useMethodName = node.callee.property.name;
+                }
+            }
+            else if (node.callee.type === 'Identifier') {
+                useMethodName = node.callee.name;
+            }
+            const riskyUseMethods = ['readFileSync', 'writeFileSync', 'readFile', 'writeFile', 'openSync', 'open', 'unlinkSync', 'unlink'];
+            if (!riskyUseMethods.includes(useMethodName)) {
+                return;
+            }
+            const useArg = node.arguments[0];
+            if (!useArg)
+                return;
+            // 2. Walk up to find the condition (Check)
+            let current = node.parent;
+            while (current) {
+                if (current.type === 'IfStatement') {
+                    // Extract the condition node
+                    let condition = current.test;
+                    // Handle negated condition: if (!exists(path)) { create(path) } -> also TOCTOU but different logic? 
+                    // Actually TOCTOU is usually Check(exists) -> Use(read).
+                    // If (!exists) -> create is Check -> Use.
+                    // But strict TOCTOU is checking state then acting.
+                    // If checking for negation
+                    if (condition.type === 'UnaryExpression' && condition.operator === '!') {
+                        condition = condition.argument;
+                    }
+                    if (condition.type === 'CallExpression') {
+                        // Check if it's a file check method
+                        let checkMethodName = '';
+                        if (condition.callee.type === 'MemberExpression' && condition.callee.property.type === 'Identifier') {
+                            checkMethodName = condition.callee.property.name;
+                        }
+                        else if (condition.callee.type === 'Identifier') {
+                            checkMethodName = condition.callee.name;
+                        }
+                        const checkMethods = ['existsSync', 'statSync', 'accessSync', 'exists', 'stat', 'access'];
+                        if (checkMethods.includes(checkMethodName)) {
+                            // Compare arguments
+                            const checkArg = condition.arguments[0];
+                            if (checkArg) {
+                                // Method 1: Identifier match (same variable)
+                                if (checkArg.type === 'Identifier' && useArg.type === 'Identifier' && checkArg.name === useArg.name) {
+                                    reportToctou(node);
+                                    return;
+                                }
+                                // Method 2: Text match (fallback)
+                                const checkArgText = sourceCode.getText(checkArg).replace(/\s/g, '');
+                                const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                                if (checkArgText === useArgText) {
+                                    reportToctou(node);
+                                    return;
+                                }
+                            }
+                        }
+                        // Handle stats.isFile() / stats.isDirectory() pattern
+                        if (condition.callee.type === 'MemberExpression' &&
+                            condition.callee.property.type === 'Identifier' &&
+                            ['isFile', 'isDirectory'].includes(condition.callee.property.name) &&
+                            condition.callee.object.type === 'Identifier') {
+                            const statsVarName = condition.callee.object.name;
+                            let currentScope = sourceCode.getScope(condition);
+                            let variable = null;
+                            while (currentScope) {
+                                variable = currentScope.variables.find(v => v.name === statsVarName) || null;
+                                if (variable)
+                                    break;
+                                currentScope = currentScope.upper;
+                            }
+                            if (variable && variable.defs.length > 0) {
+                                const def = variable.defs[0];
+                                if (def.type === 'Variable' && def.node.init && def.node.init.type === 'CallExpression') {
+                                    const init = def.node.init;
+                                    if (init.callee.type === 'MemberExpression' &&
+                                        init.callee.property.type === 'Identifier' &&
+                                        ['statSync', 'lstatSync', 'stat', 'lstat'].includes(init.callee.property.name)) {
+                                        const statArg = init.arguments[0];
+                                        if (statArg) {
+                                            const checkArgText = sourceCode.getText(statArg).replace(/\s/g, '');
+                                            const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                                            if (checkArgText === useArgText) {
+                                                reportToctou(node);
+                                                return;
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+        }
+        function reportToctou(node) {
+            context.report({
+                node,
+                messageId: 'toctouVulnerability',
+                suggest: [
+                    {
+                        messageId: 'useAtomicOperations',
+                        fix: () => null,
+                    },
+                    {
+                        messageId: 'useFsPromises',
+                        fix: () => null,
+                    },
+                    {
+                        messageId: 'addProperLocking',
+                        fix: () => null,
+                    },
+                ],
+            });
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-toctou-vulnerability/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-toctou-vulnerability/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH,4DAA0E;AAC1E,4DAAsD;AAkBzC,QAAA,qBAAqB,GAAG,IAAA,0BAAU,EAA0B;IACvE,IAAI,EAAE,yBAAyB;IAC/B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,mDAAmD;SACjE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,sBAAsB;gBACjC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,mDAAmD;gBAChE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,0DAA0D;gBAC/D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,4BAA4B;gBACzC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,WAAW,EAAE,qBAAqB;gBAClC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yDAAyD;gBAC9D,iBAAiB,EAAE,6CAA6C;aACjE,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,8BAA8B;gBAC3C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,oDAAoD;aACxE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;oBACD,SAAS,EAAE;wBACT,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,eAAe,CAAC;qBAC3D;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,eAAe,CAAC;SAC7D;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACV,aAAa,GAAG,IAAI,EACnB,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,aAAa,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAErF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,uCAAuC;YACvC,IAAI,aAAa,GAAG,EAAE,CAAC;YACvB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3F,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;oBACtD,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC7C,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7C,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACnC,CAAC;YAED,MAAM,eAAe,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC/H,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7C,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,MAAM;gBAAE,OAAO;YAEpB,2CAA2C;YAC3C,IAAI,OAAO,GAA8B,IAAI,CAAC,MAAM,CAAC;YACrD,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;oBACnC,6BAA6B;oBAC7B,IAAI,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;oBAE7B,qGAAqG;oBACrG,yDAAyD;oBACzD,0CAA0C;oBAC1C,mDAAmD;oBAEnD,2BAA2B;oBAC3B,IAAI,SAAS,CAAC,IAAI,KAAK,iBAAiB,IAAI,SAAS,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;wBACtE,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC;oBAClC,CAAC;oBAED,IAAI,SAAS,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;wBACvC,oCAAoC;wBACpC,IAAI,eAAe,GAAG,EAAE,CAAC;wBACzB,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;4BACnG,eAAe,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACpD,CAAC;6BAAM,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;4BACjD,eAAe,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC;wBAC3C,CAAC;wBAED,MAAM,YAAY,GAAG,CAAC,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;wBAC1F,IAAI,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;4BAE1C,oBAAoB;4BACpB,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;4BACxC,IAAI,QAAQ,EAAE,CAAC;gCACX,6CAA6C;gCAC7C,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;oCAClG,YAAY,CAAC,IAAI,CAAC,CAAC;oCACnB,OAAO;gCACX,CAAC;gCAED,kCAAkC;gCAClC,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gCACrE,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gCACjE,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;oCAC9B,YAAY,CAAC,IAAI,CAAC,CAAC;oCACnB,OAAO;gCACX,CAAC;4BACL,CAAC;wBACJ,CAAC;wBAED,sDAAsD;wBACtD,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;4BAC5C,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;4BAC/C,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAClE,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;4BAEhD,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;4BAClD,IAAI,YAAY,GAAgC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;4BAC/E,IAAI,QAAQ,GAAmC,IAAI,CAAC;4BAEpD,OAAO,YAAY,EAAE,CAAC;gCAClB,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,IAAI,IAAI,CAAC;gCAC7E,IAAI,QAAQ;oCAAE,MAAM;gCACpB,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC;4BACtC,CAAC;4BAED,IAAI,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCACvC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gCAC7B,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oCACtF,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;oCAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;wCACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wCAC1C,CAAC,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wCAE7E,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wCAClC,IAAI,OAAO,EAAE,CAAC;4CACV,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;4CACpE,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;4CACjE,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;gDAC9B,YAAY,CAAC,IAAI,CAAC,CAAC;gDACnB,OAAO;4CACX,CAAC;wCACL,CAAC;oCACT,CAAC;gCACL,CAAC;4BACL,CAAC;wBACL,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,SAAS,YAAY,CAAC,IAAmB;YACtC,OAAO,CAAC,MAAM,CAAC;gBACd,IAAI;gBACJ,SAAS,EAAE,qBAAqB;gBAChC,OAAO,EAAE;oBACP;wBACE,SAAS,EAAE,qBAAqB;wBAChC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,eAAe;wBAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,kBAAkB;wBAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;iBACF;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-unsafe-dynamic-require/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-dynamic-require
+ * Detects dynamic require() calls that could lead to code injection
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+export interface Options {
+    /** Allow dynamic import() expressions. Default: false (stricter) */
+    allowDynamicImport?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noUnsafeDynamicRequire: TSESLint.RuleModule<"unsafeDynamicRequire", RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-unsafe-dynamic-require/index.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeDynamicRequire = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noUnsafeDynamicRequire = (0, eslint_devkit_2.createRule)({
+    name: 'no-unsafe-dynamic-require',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent unsafe dynamic require() calls that could enable code injection',
+        },
+        fixable: 'code',
+        hasSuggestions: false,
+        messages: {
+            unsafeDynamicRequire: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Dynamic require()',
+                cwe: 'CWE-95',
+                description: 'Dynamic require() detected',
+                severity: 'CRITICAL',
+                fix: 'Use allowlist: const ALLOWED = ["mod1", "mod2"]; if (!ALLOWED.includes(name)) throw Error("Not allowed")',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowDynamicImport: {
+                        type: 'boolean',
+                        default: false,
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowDynamicImport: false,
+        },
+    ],
+    create(context) {
+        /**
+         * Track variables that reference require
+         * Maps variable name to the node where it was assigned
+         */
+        const requireVariables = new Set();
+        /**
+         * Check if a node is a reference to require
+         */
+        const isRequireReference = (node) => {
+            if (node.type === 'Identifier' && node.name === 'require') {
+                return true;
+            }
+            if (node.type === 'Identifier' && requireVariables.has(node.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if argument is dynamic (not a literal)
+         */
+        const isDynamicArgument = (arg) => {
+            if (arg.type === 'Literal')
+                return false;
+            if (arg.type === 'TemplateLiteral' && arg.expressions.length === 0)
+                return false;
+            return true;
+        };
+        return {
+            VariableDeclarator(node) {
+                // Track when require is assigned to a variable
+                if (node.id.type === 'Identifier' && node.init) {
+                    if (node.init.type === 'Identifier' && node.init.name === 'require') {
+                        requireVariables.add(node.id.name);
+                    }
+                }
+            },
+            CallExpression(node) {
+                // Check for require() calls (direct or via variable)
+                if (node.callee.type !== 'Identifier') {
+                    return;
+                }
+                // Check if callee is require or a variable that references require
+                if (!isRequireReference(node.callee)) {
+                    return;
+                }
+                // Must have at least one argument
+                if (node.arguments.length === 0)
+                    return;
+                const firstArg = node.arguments[0];
+                if (firstArg.type === 'SpreadElement')
+                    return;
+                // Check if dynamic
+                if (!isDynamicArgument(firstArg))
+                    return;
+                context.report({
+                    node,
+                    messageId: 'unsafeDynamicRequire',
+                });
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-unsafe-dynamic-require/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-unsafe-dynamic-require/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAOH,4DAA0E;AAC1E,4DAAsD;AAWzC,QAAA,sBAAsB,GAAG,IAAA,0BAAU,EAA0B;IACxE,IAAI,EAAE,2BAA2B;IACjC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,yEAAyE;SACvF;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK;QACrB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,4BAA4B;gBACzC,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,0GAA0G;gBAC/G,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,kBAAkB,EAAE;wBAClB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;qBACf;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,kBAAkB,EAAE,KAAK;SAC1B;KACF;IACD,MAAM,CAAC,OAAsD;QAG3D;;;WAGG;QACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE3C;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,IAAmB,EAAW,EAAE;YAC1D,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC1D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,iBAAiB,GAAG,CAAC,GAAiD,EAAW,EAAE;YACvF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC;YACzC,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,IAAI,GAAG,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,OAAO;YACL,kBAAkB,CAAC,IAAiC;gBAClD,+CAA+C;gBAC/C,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC/C,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;wBACpE,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;oBACrC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,cAAc,CAAC,IAA6B;gBAC1C,qDAAqD;gBACrD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBACtC,OAAO;gBACT,CAAC;gBAED,mEAAmE;gBACnE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBACrC,OAAO;gBACT,CAAC;gBAED,kCAAkC;gBAClC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,QAAQ,CAAC,IAAI,KAAK,eAAe;oBAAE,OAAO;gBAE9C,mBAAmB;gBACnB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;oBAAE,OAAO;gBAEzC,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,sBAAsB;iBAClC,CAAC,CAAC;YACL,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-weak-cipher-algorithm/index.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-weak-cipher-algorithm
+ * Detects use of weak cipher algorithms (DES, 3DES, RC4, Blowfish)
+ * CWE-327: Use of a Broken or Risky Cryptographic Algorithm
+ *
+ * @see https://cwe.mitre.org/data/definitions/327.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'weakCipherAlgorithm' | 'useAes256Gcm' | 'useChaCha20';
+export interface Options {
+    /** Additional weak ciphers to detect. Default: [] */
+    additionalWeakCiphers?: string[];
+    /** Allow weak ciphers in test files. Default: false */
+    allowInTests?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noWeakCipherAlgorithm: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as NoWeakCipherAlgorithmOptions };

package/src/rules/no-weak-cipher-algorithm/index.js

@@ -0,0 +1,190 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noWeakCipherAlgorithm = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const WEAK_CIPHER_PATTERNS = [
+    {
+        pattern: /\bdes\b(?!-ede)/i,
+        name: 'DES',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+    {
+        pattern: /\bdes-ede3?\b|\b3des\b|\btripledes\b/i,
+        name: '3DES',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+    {
+        pattern: /\brc4\b|\barc4\b/i,
+        name: 'RC4',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+    {
+        pattern: /\bblowfish\b|\bbf\b/i,
+        name: 'Blowfish',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+    {
+        pattern: /\brc2\b/i,
+        name: 'RC2',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+    {
+        pattern: /\bidea\b/i,
+        name: 'IDEA',
+        alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+        replacement: 'aes-256-gcm',
+    },
+];
+/**
+ * Check if a string contains a weak cipher algorithm
+ */
+function findWeakCipher(value, additionalPatterns) {
+    // Check standard patterns
+    for (const pattern of WEAK_CIPHER_PATTERNS) {
+        if (pattern.pattern.test(value)) {
+            return pattern;
+        }
+    }
+    // Check additional patterns
+    for (const additionalPattern of additionalPatterns) {
+        const regex = new RegExp(`\\b${additionalPattern}\\b`, 'i');
+        if (regex.test(value)) {
+            return {
+                pattern: regex,
+                name: additionalPattern.toUpperCase(),
+                alternatives: ['AES-256-GCM', 'ChaCha20-Poly1305'],
+                replacement: 'aes-256-gcm',
+            };
+        }
+    }
+    return null;
+}
+exports.noWeakCipherAlgorithm = (0, eslint_devkit_1.createRule)({
+    name: 'no-weak-cipher-algorithm',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow weak cipher algorithms (DES, 3DES, RC4, Blowfish)',
+        },
+        hasSuggestions: true,
+        messages: {
+            weakCipherAlgorithm: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Weak cipher algorithm',
+                cwe: 'CWE-327',
+                description: 'Use of weak cipher algorithm: {{algorithm}}. {{algorithm}} has known vulnerabilities and should not be used.',
+                severity: 'CRITICAL',
+                fix: 'Replace with {{replacement}}: crypto.createCipheriv("{{replacement}}", key, iv)',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
+            }),
+            useAes256Gcm: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use AES-256-GCM',
+                description: 'Replace with AES-256-GCM for authenticated encryption',
+                severity: 'LOW',
+                fix: 'crypto.createCipheriv("aes-256-gcm", key, iv)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
+            }),
+            useChaCha20: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use ChaCha20-Poly1305',
+                description: 'Replace with ChaCha20-Poly1305 for modern encryption',
+                severity: 'LOW',
+                fix: 'crypto.createCipheriv("chacha20-poly1305", key, iv)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    additionalWeakCiphers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional weak ciphers to detect',
+                    },
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow weak ciphers in test files',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            additionalWeakCiphers: [],
+            allowInTests: false,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { additionalWeakCiphers = [], allowInTests = false, } = options;
+        const filename = context.filename;
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        /**
+         * Check if a call expression uses a weak cipher
+         */
+        function checkCallExpression(node) {
+            if (isTestFile)
+                return;
+            const cipherMethods = new Set(['createCipher', 'createCipheriv', 'createDecipher', 'createDecipheriv']);
+            // Check for crypto.createCipher*() pattern
+            if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                cipherMethods.has(node.callee.property.name)) {
+                checkCipherArgument(node);
+            }
+            // Check for standalone createCipher*() pattern
+            if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                cipherMethods.has(node.callee.name)) {
+                checkCipherArgument(node);
+            }
+        }
+        /**
+         * Check the algorithm argument passed to createCipher*
+         */
+        function checkCipherArgument(node) {
+            const firstArg = node.arguments[0];
+            if (firstArg?.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof firstArg.value === 'string') {
+                const weakPattern = findWeakCipher(firstArg.value, additionalWeakCiphers);
+                if (weakPattern) {
+                    context.report({
+                        node: firstArg,
+                        messageId: 'weakCipherAlgorithm',
+                        data: {
+                            algorithm: weakPattern.name,
+                            replacement: weakPattern.replacement,
+                        },
+                        suggest: [
+                            {
+                                messageId: 'useAes256Gcm',
+                                fix: (fixer) => fixer.replaceText(firstArg, `"aes-256-gcm"`),
+                            },
+                            {
+                                messageId: 'useChaCha20',
+                                fix: (fixer) => fixer.replaceText(firstArg, `"chacha20-poly1305"`),
+                            },
+                        ],
+                    });
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-weak-cipher-algorithm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-weak-cipher-algorithm/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAUH,4DAAsG;AA8BtG,MAAM,oBAAoB,GAAwB;IAChD;QACE,OAAO,EAAE,kBAAkB;QAC3B,IAAI,EAAE,KAAK;QACX,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,OAAO,EAAE,uCAAuC;QAChD,IAAI,EAAE,MAAM;QACZ,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,IAAI,EAAE,KAAK;QACX,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,IAAI,EAAE,UAAU;QAChB,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,KAAK;QACX,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,MAAM;QACZ,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;QAClD,WAAW,EAAE,aAAa;KAC3B;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,cAAc,CACrB,KAAa,EACb,kBAA4B;IAE5B,0BAA0B;IAC1B,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,iBAAiB,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,iBAAiB,CAAC,WAAW,EAAE;gBACrC,YAAY,EAAE,CAAC,aAAa,EAAE,mBAAmB,CAAC;gBAClD,WAAW,EAAE,aAAa;aAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAEY,QAAA,qBAAqB,GAAG,IAAA,0BAAU,EAA0B;IACvE,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,4DAA4D;SAC1E;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,8GAA8G;gBAC3H,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,iFAAiF;gBACtF,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;YACF,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,WAAW,EAAE,uDAAuD;gBACpE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;YACF,WAAW,EAAE,IAAA,gCAAgB,EAAC;gBAC5B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,sDAAsD;gBACnE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,qBAAqB,EAAE;wBACrB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,mCAAmC;qBACjD;oBACD,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,kCAAkC;qBAChD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,qBAAqB,EAAE,EAAE;YACzB,YAAY,EAAE,KAAK;SACpB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,qBAAqB,GAAG,EAAE,EAC1B,YAAY,GAAG,KAAK,GACrB,GAAG,OAAkB,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpF;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU;gBAAE,OAAO;YAEvB,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC,CAAC;YAExG,2CAA2C;YAC3C,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB;gBACpD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBACvD,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC5C,CAAC;gBACD,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;YAED,+CAA+C;YAC/C,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBAC9C,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EACnC,CAAC;gBACD,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,QAAQ,EAAE,IAAI,KAAK,8BAAc,CAAC,OAAO,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACpF,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;gBAE1E,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,QAAQ;wBACd,SAAS,EAAE,qBAAqB;wBAChC,IAAI,EAAE;4BACJ,SAAS,EAAE,WAAW,CAAC,IAAI;4BAC3B,WAAW,EAAE,WAAW,CAAC,WAAW;yBACrC;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,cAAc;gCACzB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE,eAAe,CAAC;6BACjF;4BACD;gCACE,SAAS,EAAE,aAAa;gCACxB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE,qBAAqB,CAAC;6BACvF;yBACF;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-weak-hash-algorithm/index.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-weak-hash-algorithm
+ * Detects use of weak hash algorithms (MD5, SHA1, MD4)
+ * CWE-327: Use of a Broken or Risky Cryptographic Algorithm
+ *
+ * @see https://cwe.mitre.org/data/definitions/327.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'weakHashAlgorithm' | 'useSha256' | 'useSha512' | 'useSha3';
+export interface Options {
+    /** Additional weak algorithms to detect. Default: [] */
+    additionalWeakAlgorithms?: string[];
+    /** Allow weak hashes in test files. Default: false */
+    allowInTests?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noWeakHashAlgorithm: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as NoWeakHashAlgorithmOptions };