eslint-plugin-node-security 4.0.0

package/src/rules/lock-file/index.js

@@ -0,0 +1,94 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.lockFile = void 0;
+/**
+ * @fileoverview Ensure package lock file exists
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/829.html
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.lockFile = (0, eslint_devkit_1.createRule)({
+    name: 'lock-file',
+    meta: {
+        type: 'suggestion',
+        docs: {
+            description: 'Ensure package lock file exists for the configured package manager',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Lock File Missing',
+                cwe: 'CWE-829',
+                description: 'Package lock file missing ({{ lockFile }}) for {{ packageManager }}. Commit the lock file to ensure supply chain integrity.',
+                severity: 'HIGH',
+                fix: 'Generate and commit the {{ lockFile }} file.',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/829.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    packageManager: {
+                        type: 'string',
+                        enum: ['npm', 'yarn', 'pnpm'],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [{ packageManager: 'npm' }],
+    create(context) {
+        const fs = require('node:fs');
+        const path = require('node:path');
+        // Check once per file
+        let checked = false;
+        const options = context.options[0] || {};
+        const packageManager = options.packageManager || 'npm';
+        const lockFiles = {
+            npm: 'package-lock.json',
+            yarn: 'yarn.lock',
+            pnpm: 'pnpm-lock.yaml',
+        };
+        const targetLockFile = lockFiles[packageManager];
+        return {
+            Program(node) {
+                if (checked)
+                    return;
+                checked = true;
+                // Find project root (simplified)
+                let dir = path.dirname(context.filename);
+                let found = false;
+                // Search up to 10 levels for the lock file
+                for (let i = 0; i < 10; i++) {
+                    const lockPath = path.join(dir, targetLockFile);
+                    if (fs.existsSync(lockPath)) {
+                        found = true;
+                        break;
+                    }
+                    const parentDir = path.dirname(dir);
+                    if (parentDir === dir)
+                        break;
+                    dir = parentDir;
+                }
+                if (!found) {
+                    context.report({
+                        node,
+                        messageId: 'violationDetected',
+                        data: {
+                            packageManager,
+                            lockFile: targetLockFile,
+                        }
+                    });
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/lock-file/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/lock-file/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH;;;;GAIG;AAEH,4DAAsF;AAWzE,QAAA,QAAQ,GAAG,IAAA,0BAAU,EAA0B;IAC1D,IAAI,EAAE,WAAW;IACjB,IAAI,EAAE;QACJ,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE;YACJ,WAAW,EAAE,oEAAoE;SAClF;QACD,QAAQ,EAAE;YACR,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,6HAA6H;gBAC1I,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,cAAc,EAAE;wBACd,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;qBAC9B;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE,CAAC,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;IAC3C,MAAM,CAAC,OAAO;QACZ,MAAM,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QAElC,sBAAsB;QACtB,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,KAAK,CAAC;QAEvD,MAAM,SAAS,GAA2B;YACxC,GAAG,EAAE,mBAAmB;YACxB,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,gBAAgB;SACvB,CAAC;QAEF,MAAM,cAAc,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;QAEjD,OAAO;YACL,OAAO,CAAC,IAAsB;gBAC5B,IAAI,OAAO;oBAAE,OAAO;gBACpB,OAAO,GAAG,IAAI,CAAC;gBAEf,iCAAiC;gBACjC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACzC,IAAI,KAAK,GAAG,KAAK,CAAC;gBAElB,2CAA2C;gBAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;oBAChD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC5B,KAAK,GAAG,IAAI,CAAC;wBACb,MAAM;oBACR,CAAC;oBACD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBACpC,IAAI,SAAS,KAAK,GAAG;wBAAE,MAAM;oBAC7B,GAAG,GAAG,SAAS,CAAC;gBAClB,CAAC;gBAED,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,mBAAmB;wBAC9B,IAAI,EAAE;4BACJ,cAAc;4BACd,QAAQ,EAAE,cAAc;yBACzB;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-arbitrary-file-access/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+export interface Options {
+}
+type RuleOptions = [Options?];
+export declare const noArbitraryFileAccess: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-arbitrary-file-access/index.js

@@ -0,0 +1,201 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noArbitraryFileAccess = void 0;
+/**
+ * @fileoverview Prevent file access from user input
+ *
+ * False Positive Reduction:
+ * This rule detects safe patterns including:
+ * - path.basename() sanitization
+ * - path.join() with validated base directories
+ * - startsWith() validation guards
+ * - Early-return throw patterns
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noArbitraryFileAccess = (0, eslint_devkit_1.createRule)({
+    name: 'no-arbitrary-file-access',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent file access from user input',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Arbitrary File Access',
+                cwe: 'CWE-22',
+                description: 'File path from user input - path traversal vulnerability',
+                severity: 'HIGH',
+                fix: 'Validate and sanitize file paths, use allowlists',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        const sourceCode = context.sourceCode;
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const fsReadMethods = ['readFile', 'readFileSync', 'readdir', 'readdirSync', 'stat', 'statSync'];
+        const fsWriteMethods = ['writeFile', 'writeFileSync', 'appendFile', 'appendFileSync'];
+        const userInputSources = ['req', 'request', 'params', 'query', 'body'];
+        // Track variables that have been sanitized with path.basename()
+        const sanitizedVariables = new Set();
+        // Track variables that have been validated with startsWith() guards
+        const validatedVariables = new Set();
+        /**
+         * Check if a variable is assigned from path.basename() or path.join() with basename
+         */
+        function checkVariableDeclaration(node) {
+            if (node.id.type !== 'Identifier' || !node.init) {
+                return;
+            }
+            const varName = node.id.name;
+            const init = node.init;
+            // Check for path.basename() assignment
+            if (init.type === 'CallExpression' &&
+                init.callee.type === 'MemberExpression' &&
+                init.callee.object.type === 'Identifier' &&
+                init.callee.object.name === 'path' &&
+                init.callee.property.type === 'Identifier' &&
+                init.callee.property.name === 'basename') {
+                sanitizedVariables.add(varName);
+            }
+            // Check for path.join() with a sanitized variable or literal base
+            if (init.type === 'CallExpression' &&
+                init.callee.type === 'MemberExpression' &&
+                init.callee.object.type === 'Identifier' &&
+                init.callee.object.name === 'path' &&
+                init.callee.property.type === 'Identifier' &&
+                init.callee.property.name === 'join') {
+                // Check if any argument is a sanitized variable
+                const hasSanitizedArg = init.arguments.some((arg) => arg.type === 'Identifier' && sanitizedVariables.has(arg.name));
+                // Check if first arg is a safe base (literal or known safe variable)
+                const firstArg = init.arguments[0];
+                const hasSafeBase = firstArg && (firstArg.type === 'Literal' ||
+                    (firstArg.type === 'Identifier' && /^(SAFE|BASE|ROOT|UPLOAD|PUBLIC)/i.test(firstArg.name)));
+                if (hasSanitizedArg && hasSafeBase) {
+                    sanitizedVariables.add(varName);
+                }
+            }
+        }
+        /**
+         * Check if there's a startsWith() guard validation for this variable
+         * Looks for patterns like:
+         * if (!path.startsWith(baseDir)) { throw ... }
+         * if (!path.startsWith(baseDir)) { return ... }
+         */
+        function hasStartsWithGuard(node, varName) {
+            // Already validated
+            if (validatedVariables.has(varName)) {
+                return true;
+            }
+            // Walk up to find the containing block or function
+            let current = node.parent;
+            while (current) {
+                // If we've reached a function body or block, search its statements
+                if (current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement) {
+                    const statements = current.body;
+                    // Look for IF statements in this block that validate our variable
+                    for (const stmt of statements) {
+                        if (stmt.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
+                            const testText = sourceCode.getText(stmt.test).toLowerCase();
+                            // Check for startsWith() validation pattern with our variable
+                            if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+                                // Check if this is a guard clause (negated condition with throw/return)
+                                const consequent = stmt.consequent;
+                                // Handle block statement: if (...) { throw/return; }
+                                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement && consequent.body.length > 0) {
+                                    const firstStmt = consequent.body[0];
+                                    if (firstStmt.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement || firstStmt.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement) {
+                                        validatedVariables.add(varName);
+                                        return true;
+                                    }
+                                }
+                                // Handle direct statement: if (...) throw/return;
+                                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement || consequent.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement) {
+                                    validatedVariables.add(varName);
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+                }
+                // Also check if current IS an if statement (when node is inside the consequent)
+                if (current.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
+                    const testText = sourceCode.getText(current.test).toLowerCase();
+                    if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+                        validatedVariables.add(varName);
+                        return true;
+                    }
+                }
+                current = current.parent;
+            }
+            return false;
+        }
+        /**
+         * Check if a variable comes from a sanitized/validated source
+         */
+        function isVariableSafe(varName, node) {
+            // Already tracked as sanitized
+            if (sanitizedVariables.has(varName)) {
+                return true;
+            }
+            // Has startsWith guard validation
+            if (hasStartsWithGuard(node, varName)) {
+                return true;
+            }
+            // Check naming conventions that suggest safety
+            if (/^(safe|sanitized|validated|clean)/i.test(varName)) {
+                return true;
+            }
+            return false;
+        }
+        return {
+            // Track variable declarations for sanitization patterns
+            VariableDeclarator(node) {
+                checkVariableDeclaration(node);
+            },
+            CallExpression(node) {
+                // Detect fs.* with user input
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    node.callee.object.name === 'fs' &&
+                    node.callee.property.type === 'Identifier' &&
+                    [...fsReadMethods, ...fsWriteMethods].includes(node.callee.property.name)) {
+                    const pathArg = node.arguments[0];
+                    // Skip if path is a literal (safe)
+                    if (pathArg && pathArg.type === 'Literal') {
+                        return;
+                    }
+                    // Check if path is a variable
+                    if (pathArg && pathArg.type === 'Identifier') {
+                        const varName = pathArg.name;
+                        // Skip if variable is sanitized or validated
+                        if (isVariableSafe(varName, node)) {
+                            return;
+                        }
+                        report(node);
+                        return;
+                    }
+                    // Flag if path is from a member expression (user input sources)
+                    if (pathArg?.type === 'MemberExpression' &&
+                        pathArg.object.type === 'Identifier') {
+                        const objName = pathArg.object.name.toLowerCase();
+                        if (userInputSources.includes(objName)) {
+                            report(node);
+                        }
+                    }
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-arbitrary-file-access/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-arbitrary-file-access/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH;;;;;;;;;GASG;AAEH,4DAAsG;AAUzF,QAAA,qBAAqB,GAAG,IAAA,0BAAU,EAA0B;IACvE,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,qCAAqC;SACnD;QACD,QAAQ,EAAE;YACR,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,0DAA0D;gBACvE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;SACH;QACD,MAAM,EAAE,EAAE;KACX;IACD,cAAc,EAAE,EAAE;IAClB,MAAM,CAAC,OAAO;QACZ,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,SAAS,MAAM,CAAC,IAAmB;YACjC,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACjG,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,eAAe,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;QACtF,MAAM,gBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAEvE,gEAAgE;QAChE,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;QAC7C,oEAAoE;QACpE,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE7C;;WAEG;QACH,SAAS,wBAAwB,CAAC,IAAiC;YACjE,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAChD,OAAO;YACT,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAEvB,uCAAuC;YACvC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;gBAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM;gBAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC7C,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;YAED,kEAAkE;YAClE,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;gBAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM;gBAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAEzC,gDAAgD;gBAChD,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAoC,EAAE,EAAE,CACnF,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAC9D,CAAC;gBAEF,qEAAqE;gBACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACnC,MAAM,WAAW,GAAG,QAAQ,IAAI,CAC9B,QAAQ,CAAC,IAAI,KAAK,SAAS;oBAC3B,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,kCAAkC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAC3F,CAAC;gBAEF,IAAI,eAAe,IAAI,WAAW,EAAE,CAAC;oBACnC,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED;;;;;WAKG;QACH,SAAS,kBAAkB,CAAC,IAAmB,EAAE,OAAe;YAC9D,oBAAoB;YACpB,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mDAAmD;YACnD,IAAI,OAAO,GAA8B,IAAI,CAAC,MAAM,CAAC;YAErD,OAAO,OAAO,EAAE,CAAC;gBACf,mEAAmE;gBACnE,IAAI,OAAO,CAAC,IAAI,KAAK,8BAAc,CAAC,cAAc,EAAE,CAAC;oBACnD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;oBAEhC,kEAAkE;oBAClE,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;wBAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,8BAAc,CAAC,WAAW,EAAE,CAAC;4BAC7C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;4BAE7D,8DAA8D;4BAC9D,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gCAChF,wEAAwE;gCACxE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gCAEnC,qDAAqD;gCACrD,IAAI,UAAU,CAAC,IAAI,KAAK,8BAAc,CAAC,cAAc,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oCACpF,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oCACrC,IAAI,SAAS,CAAC,IAAI,KAAK,8BAAc,CAAC,cAAc,IAAI,SAAS,CAAC,IAAI,KAAK,8BAAc,CAAC,eAAe,EAAE,CAAC;wCAC1G,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wCAChC,OAAO,IAAI,CAAC;oCACd,CAAC;gCACH,CAAC;gCAED,kDAAkD;gCAClD,IAAI,UAAU,CAAC,IAAI,KAAK,8BAAc,CAAC,cAAc,IAAI,UAAU,CAAC,IAAI,KAAK,8BAAc,CAAC,eAAe,EAAE,CAAC;oCAC5G,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oCAChC,OAAO,IAAI,CAAC;gCACd,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,gFAAgF;gBAChF,IAAI,OAAO,CAAC,IAAI,KAAK,8BAAc,CAAC,WAAW,EAAE,CAAC;oBAChD,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;oBAChE,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;wBAChF,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBAChC,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;gBAED,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC3B,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED;;WAEG;QACH,SAAS,cAAc,CAAC,OAAe,EAAE,IAAmB;YAC1D,+BAA+B;YAC/B,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kCAAkC;YAClC,IAAI,kBAAkB,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBACtC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,+CAA+C;YAC/C,IAAI,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO;YACL,wDAAwD;YACxD,kBAAkB,CAAC,IAAiC;gBAClD,wBAAwB,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;YAED,cAAc,CAAC,IAA6B;gBAC1C,8BAA8B;gBAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,IAAI;oBAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBAC1C,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAE9E,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBAElC,mCAAmC;oBACnC,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;wBAC1C,OAAO;oBACT,CAAC;oBAED,8BAA8B;oBAC9B,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;wBAE7B,6CAA6C;wBAC7C,IAAI,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;4BAClC,OAAO;wBACT,CAAC;wBAED,MAAM,CAAC,IAAI,CAAC,CAAC;wBACb,OAAO;oBACT,CAAC;oBAED,gEAAgE;oBAChE,IAAI,OAAO,EAAE,IAAI,KAAK,kBAAkB;wBACpC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBACzC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;wBAClD,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;4BACvC,MAAM,CAAC,IAAI,CAAC,CAAC;wBACf,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-buffer-overread/index.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-buffer-overread
+ * Detects buffer access beyond bounds (CWE-126)
+ *
+ * Buffer overread occurs when reading from buffers beyond their allocated
+ * length, potentially leading to information disclosure, crashes, or
+ * other security issues.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe buffer access patterns
+ * - Bounds checking operations
+ * - JSDoc annotations (@safe, @validated)
+ * - Input validation functions
+ */
+import type { TSESLint, SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'bufferOverread' | 'unsafeBufferAccess' | 'missingBoundsCheck' | 'negativeBufferIndex' | 'userControlledBufferIndex' | 'unsafeBufferSlice' | 'bufferLengthNotChecked' | 'useSafeBufferAccess' | 'validateBufferIndices' | 'checkBufferBounds' | 'strategyBoundsChecking' | 'strategyInputValidation' | 'strategySafeBuffers';
+export interface Options extends SecurityRuleOptions {
+    /** Buffer methods to check for bounds safety */
+    bufferMethods?: string[];
+    /** Functions that validate buffer indices */
+    boundsCheckFunctions?: string[];
+    /** Buffer types to monitor */
+    bufferTypes?: string[];
+    /** Additional function names to consider as buffer index validators */
+    trustedSanitizers?: string[];
+    /** Additional JSDoc annotations to consider as safe markers */
+    strictMode?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noBufferOverread: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};