eslint-plugin-node-security 4.0.0

package/src/rules/no-weak-hash-algorithm/index.js

@@ -0,0 +1,218 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noWeakHashAlgorithm = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const WEAK_HASH_PATTERNS = [
+    {
+        pattern: /\bmd5\b/i,
+        name: 'MD5',
+        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
+        replacement: 'sha256',
+    },
+    {
+        pattern: /\bmd4\b/i,
+        name: 'MD4',
+        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
+        replacement: 'sha256',
+    },
+    {
+        pattern: /\bsha1\b/i,
+        name: 'SHA-1',
+        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
+        replacement: 'sha256',
+    },
+    {
+        pattern: /\bripemd\b/i,
+        name: 'RIPEMD',
+        alternatives: ['SHA-256', 'SHA-512'],
+        replacement: 'sha256',
+    },
+];
+/**
+ * Check if a string contains a weak hash algorithm
+ */
+function findWeakHash(value, additionalPatterns) {
+    // Check standard patterns
+    for (const pattern of WEAK_HASH_PATTERNS) {
+        if (pattern.pattern.test(value)) {
+            return pattern;
+        }
+    }
+    // Check additional patterns
+    for (const additionalPattern of additionalPatterns) {
+        const regex = new RegExp(`\\b${additionalPattern}\\b`, 'i');
+        if (regex.test(value)) {
+            return {
+                pattern: regex,
+                name: additionalPattern.toUpperCase(),
+                alternatives: ['SHA-256', 'SHA-512'],
+                replacement: 'sha256',
+            };
+        }
+    }
+    return null;
+}
+exports.noWeakHashAlgorithm = (0, eslint_devkit_1.createRule)({
+    name: 'no-weak-hash-algorithm',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow weak hash algorithms (MD5, SHA1, MD4)',
+        },
+        hasSuggestions: true,
+        messages: {
+            weakHashAlgorithm: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Weak hash algorithm',
+                cwe: 'CWE-327',
+                description: 'Use of weak hash algorithm: {{algorithm}}. {{algorithm}} is cryptographically broken and unsuitable for security purposes.',
+                severity: 'CRITICAL',
+                fix: 'Replace with {{replacement}}: crypto.createHash("{{replacement}}").update(data)',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
+            }),
+            useSha256: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use SHA-256',
+                description: 'Replace with SHA-256 for secure hashing',
+                severity: 'LOW',
+                fix: 'crypto.createHash("sha256").update(data)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatehashmethod-options',
+            }),
+            useSha512: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use SHA-512',
+                description: 'Replace with SHA-512 for stronger hashing',
+                severity: 'LOW',
+                fix: 'crypto.createHash("sha512").update(data)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatehashmethod-options',
+            }),
+            useSha3: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use SHA-3',
+                description: 'Replace with SHA-3 for latest standard',
+                severity: 'LOW',
+                fix: 'crypto.createHash("sha3-256").update(data)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatehashmethod-options',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    additionalWeakAlgorithms: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional weak algorithms to detect',
+                    },
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow weak hashes in test files',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            additionalWeakAlgorithms: [],
+            allowInTests: false,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { additionalWeakAlgorithms = [], allowInTests = false, } = options;
+        const filename = context.filename;
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        /**
+         * Check if a call expression uses a weak hash
+         */
+        function checkCallExpression(node) {
+            if (isTestFile)
+                return;
+            // Check for crypto.createHash() pattern
+            if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                node.callee.property.name === 'createHash') {
+                checkHashArgument(node);
+            }
+            // Check for standalone createHash() pattern
+            if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                node.callee.name === 'createHash') {
+                checkHashArgument(node);
+            }
+            // Check for crypto-hash package: sha1(), md5()
+            if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                const funcName = node.callee.name.toLowerCase();
+                if (funcName === 'sha1' || funcName === 'md5' || funcName === 'md4') {
+                    const weakPattern = findWeakHash(funcName, additionalWeakAlgorithms);
+                    if (weakPattern) {
+                        context.report({
+                            node,
+                            messageId: 'weakHashAlgorithm',
+                            data: {
+                                algorithm: weakPattern.name,
+                                replacement: weakPattern.replacement,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useSha256',
+                                    fix: (fixer) => {
+                                        if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                                            return fixer.replaceText(node.callee, 'sha256');
+                                        }
+                                        return null;
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        /**
+         * Check the algorithm argument passed to createHash
+         */
+        function checkHashArgument(node) {
+            for (const arg of node.arguments) {
+                if (arg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof arg.value === 'string') {
+                    const weakPattern = findWeakHash(arg.value, additionalWeakAlgorithms);
+                    if (weakPattern) {
+                        context.report({
+                            node: arg,
+                            messageId: 'weakHashAlgorithm',
+                            data: {
+                                algorithm: weakPattern.name,
+                                replacement: weakPattern.replacement,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useSha256',
+                                    fix: (fixer) => fixer.replaceText(arg, `"sha256"`),
+                                },
+                                {
+                                    messageId: 'useSha512',
+                                    fix: (fixer) => fixer.replaceText(arg, `"sha512"`),
+                                },
+                                {
+                                    messageId: 'useSha3',
+                                    fix: (fixer) => fixer.replaceText(arg, `"sha3-256"`),
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-weak-hash-algorithm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-weak-hash-algorithm/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAUH,4DAAsG;AA+BtG,MAAM,kBAAkB,GAAsB;IAC5C;QACE,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,KAAK;QACX,YAAY,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;QAC7C,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,KAAK;QACX,YAAY,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;QAC7C,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,OAAO;QACb,YAAY,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;QAC7C,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE,QAAQ;QACd,YAAY,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QACpC,WAAW,EAAE,QAAQ;KACtB;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,YAAY,CACnB,KAAa,EACb,kBAA4B;IAE5B,0BAA0B;IAC1B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,iBAAiB,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,iBAAiB,CAAC,WAAW,EAAE;gBACrC,YAAY,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;gBACpC,WAAW,EAAE,QAAQ;aACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAEY,QAAA,mBAAmB,GAAG,IAAA,0BAAU,EAA0B;IACrE,IAAI,EAAE,wBAAwB;IAC9B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,gDAAgD;SAC9D;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,qBAAqB;gBAChC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,4HAA4H;gBACzI,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,iFAAiF;gBACtF,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;YACF,SAAS,EAAE,IAAA,gCAAgB,EAAC;gBAC1B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,aAAa;gBACxB,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0CAA0C;gBAC/C,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;YACF,SAAS,EAAE,IAAA,gCAAgB,EAAC;gBAC1B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,aAAa;gBACxB,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0CAA0C;gBAC/C,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;YACF,OAAO,EAAE,IAAA,gCAAgB,EAAC;gBACxB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,WAAW;gBACtB,WAAW,EAAE,wCAAwC;gBACrD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,wBAAwB,EAAE;wBACxB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,sCAAsC;qBACpD;oBACD,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,iCAAiC;qBAC/C;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,wBAAwB,EAAE,EAAE;YAC5B,YAAY,EAAE,KAAK;SACpB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,wBAAwB,GAAG,EAAE,EAC7B,YAAY,GAAG,KAAK,GACrB,GAAG,OAAkB,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpF;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU;gBAAE,OAAO;YAEvB,wCAAwC;YACxC,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB;gBACpD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBACvD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAC1C,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;YAED,4CAA4C;YAC5C,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBAC9C,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EACjC,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;YAED,+CAA+C;YAC/C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU,EAAE,CAAC;gBACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChD,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;oBACpE,MAAM,WAAW,GAAG,YAAY,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;oBACrE,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,mBAAmB;4BAC9B,IAAI,EAAE;gCACJ,SAAS,EAAE,WAAW,CAAC,IAAI;gCAC3B,WAAW,EAAE,WAAW,CAAC,WAAW;6BACrC;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU,EAAE,CAAC;4CACnD,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;wCAClD,CAAC;wCACD,OAAO,IAAI,CAAC;oCACd,CAAC;iCACF;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED;;WAEG;QACH,SAAS,iBAAiB,CAAC,IAA6B;YACtD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,IAAI,KAAK,8BAAc,CAAC,OAAO,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACzE,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;oBAEtE,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,GAAG;4BACT,SAAS,EAAE,mBAAmB;4BAC9B,IAAI,EAAE;gCACJ,SAAS,EAAE,WAAW,CAAC,IAAI;gCAC3B,WAAW,EAAE,WAAW,CAAC,WAAW;6BACrC;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC;iCACvE;gCACD;oCACE,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC;iCACvE;gCACD;oCACE,SAAS,EAAE,SAAS;oCACpB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,YAAY,CAAC;iCACzE;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-zip-slip/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-zip-slip
+ * Detects zip slip/archive extraction vulnerabilities (CWE-22)
+ *
+ * Zip slip vulnerabilities occur when extracting archives without properly
+ * validating file paths, allowing attackers to write files outside the
+ * intended extraction directory using path traversal sequences like "../".
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe archive extraction patterns
+ * - Path validation functions
+ * - JSDoc annotations (@safe, @validated)
+ * - Trusted extraction libraries
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'zipSlipVulnerability' | 'unsafeArchiveExtraction' | 'pathTraversalInArchive' | 'unvalidatedArchivePath' | 'dangerousArchiveDestination' | 'useSafeArchiveExtraction' | 'validateArchivePaths' | 'sanitizeArchiveNames' | 'strategyPathValidation' | 'strategySafeLibraries' | 'strategySandboxing';
+export interface Options {
+    /** Archive extraction functions to check */
+    archiveFunctions?: string[];
+    /** Functions that safely validate archive paths */
+    pathValidationFunctions?: string[];
+    /** Safe archive extraction libraries */
+    safeLibraries?: string[];
+}
+type RuleOptions = [Options?];
+export declare const noZipSlip: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};