eslint-plugin-node-security 4.0.0

package/src/rules/no-dynamic-require/index.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDynamicRequire = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noDynamicRequire = (0, eslint_devkit_1.createRule)({
+    name: 'no-dynamic-require',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Forbid `require()` calls with expressions',
+        },
+        hasSuggestions: false,
+        messages: {
+            dynamicRequire: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.WARNING,
+                issueName: 'Dynamic Require',
+                description: 'Require call uses dynamic expression',
+                severity: 'HIGH',
+                fix: 'Use static string literals for require() calls',
+                documentationLink: 'https://github.com/import-js/eslint-plugin-import/blob/main/docs/rules/no-dynamic-require.md',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowContexts: {
+                        type: 'array',
+                        items: {
+                            type: 'string',
+                            enum: ['test', 'config', 'build', 'runtime'],
+                        },
+                        description: 'Allow dynamic requires in specific contexts.',
+                    },
+                    allowPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        description: 'Regex patterns for allowed dynamic require paths.',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [{
+            allowContexts: [],
+            allowPatterns: []
+        }],
+    create(context) {
+        const [options] = context.options;
+        const { allowContexts = [], allowPatterns = [], } = options || {};
+        const filename = context.getFilename() || '';
+        function isInAllowedContext() {
+            if (allowContexts.includes('test') && (filename.includes('.test.') || filename.includes('.spec.') || filename.includes('/__tests__/'))) {
+                return true;
+            }
+            if (allowContexts.includes('config') && (filename.includes('config') || filename.includes('webpack') || filename.includes('rollup'))) {
+                return true;
+            }
+            if (allowContexts.includes('build') && (filename.includes('build') || filename.includes('scripts') || filename.includes('tools'))) {
+                return true;
+            }
+            if (allowContexts.includes('runtime') && (filename.includes('runtime') || filename.includes('dynamic'))) {
+                return true;
+            }
+            return false;
+        }
+        /* v8 ignore start -- allowPatterns check is unreachable: static literals return early before this check */
+        function isAllowedPattern(requirePath) {
+            return allowPatterns.some((pattern) => {
+                try {
+                    const regex = new RegExp(pattern);
+                    return regex.test(requirePath);
+                }
+                catch {
+                    return false;
+                }
+            });
+        }
+        /* v8 ignore stop */
+        function isStaticLiteral(node) {
+            return node.type === 'Literal' && typeof node.value === 'string';
+        }
+        return {
+            CallExpression(node) {
+                if (node.callee.type === 'Identifier' &&
+                    node.callee.name === 'require' &&
+                    node.arguments.length === 1) {
+                    const requireArg = node.arguments[0];
+                    if (isInAllowedContext()) {
+                        return;
+                    }
+                    // Check if it's a static literal
+                    if (isStaticLiteral(requireArg)) {
+                        // Static requires are allowed
+                        return;
+                    }
+                    /* v8 ignore start -- unreachable: static literals already returned above */
+                    // Check allow patterns
+                    if (requireArg.type === 'Literal' && typeof requireArg.value === 'string') {
+                        if (isAllowedPattern(requireArg.value)) {
+                            return;
+                        }
+                    }
+                    /* v8 ignore stop */
+                    // Report dynamic require
+                    context.report({
+                        node: requireArg,
+                        messageId: 'dynamicRequire',
+                    });
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-dynamic-require/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-dynamic-require/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAOH,4DAAsD;AACtD,4DAA0E;AAa7D,QAAA,gBAAgB,GAAG,IAAA,0BAAU,EAA0B;IAClE,IAAI,EAAE,oBAAoB;IAC1B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EACT,2CAA2C;SAC9C;QACD,cAAc,EAAE,KAAK;QACrB,QAAQ,EAAE;YACR,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,OAAO;gBAC1B,SAAS,EAAE,iBAAiB;gBAC5B,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,gDAAgD;gBACrD,iBAAiB,EAAE,8FAA8F;aAClH,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE;4BACL,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;yBAC7C;wBACD,WAAW,EAAE,8CAA8C;qBAC5D;oBACD,aAAa,EAAE;wBACb,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,WAAW,EAAE,mDAAmD;qBACjE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE,CAAC;YACf,aAAa,EAAE,EAAE;YACjB,aAAa,EAAE,EAAE;SAClB,CAAC;IAEF,MAAM,CAAC,OAAsD;QAC3D,MAAM,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;QAClC,MAAM,EACJ,aAAa,GAAG,EAAE,EAClB,aAAa,GAAG,EAAE,GACnB,GAAG,OAAO,IAAI,EAAE,CAAC;QAElB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QAE7C,SAAS,kBAAkB;YACzB,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;gBACvI,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBACrI,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAClI,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACxG,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED,2GAA2G;QAC3G,SAAS,gBAAgB,CAAC,WAAmB;YAC3C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,OAAe,EAAE,EAAE;gBAC5C,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;oBAClC,OAAO,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACjC,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;QACD,oBAAoB;QAEpB,SAAS,eAAe,CAAC,IAAmB;YAC1C,OAAO,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC;QACnE,CAAC;QAED,OAAO;YACL,cAAc,CAAC,IAA6B;gBAC1C,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACjC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;oBAC9B,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAC3B,CAAC;oBACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBAErC,IAAI,kBAAkB,EAAE,EAAE,CAAC;wBACzB,OAAO;oBACT,CAAC;oBAED,iCAAiC;oBACjC,IAAI,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;wBAChC,8BAA8B;wBAC9B,OAAO;oBACT,CAAC;oBAED,4EAA4E;oBAC5E,uBAAuB;oBACvB,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBAC1E,IAAI,gBAAgB,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;4BACvC,OAAO;wBACT,CAAC;oBACH,CAAC;oBACD,oBAAoB;oBAEpB,yBAAyB;oBACzB,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,UAAU;wBAChB,SAAS,EAAE,gBAAgB;qBAC5B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-ecb-mode/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-ecb-mode
+ * Detects use of ECB encryption mode which leaks data patterns
+ * CWE-327: ECB mode encrypts identical blocks identically
+ *
+ * @see https://blog.cloudflare.com/why-are-some-images-more-secure-than-others/
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'ecbMode' | 'useGcm' | 'useCbc';
+export interface Options {
+    /** Allow ECB in test files. Default: false */
+    allowInTests?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noEcbMode: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as NoEcbModeOptions };

package/src/rules/no-ecb-mode/index.js

@@ -0,0 +1,113 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noEcbMode = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noEcbMode = (0, eslint_devkit_1.createRule)({
+    name: 'no-ecb-mode',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow ECB encryption mode (use GCM or CBC instead)',
+        },
+        hasSuggestions: true,
+        messages: {
+            ecbMode: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'ECB mode detected',
+                cwe: 'CWE-327',
+                description: 'ECB mode encrypts identical plaintext blocks to identical ciphertext, leaking data patterns. Famous example: the "ECB penguin".',
+                severity: 'HIGH',
+                fix: 'Use GCM mode for authenticated encryption: crypto.createCipheriv("aes-256-gcm", key, iv)',
+                documentationLink: 'https://blog.cloudflare.com/why-are-some-images-more-secure-than-others/',
+            }),
+            useGcm: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use GCM mode',
+                description: 'GCM provides authenticated encryption (confidentiality + integrity)',
+                severity: 'LOW',
+                fix: 'crypto.createCipheriv("aes-256-gcm", key, iv)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
+            }),
+            useCbc: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use CBC mode',
+                description: 'CBC with HMAC provides confidentiality (add separate MAC for integrity)',
+                severity: 'LOW',
+                fix: 'crypto.createCipheriv("aes-256-cbc", key, iv)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow ECB mode in test files',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false } = options;
+        const filename = context.filename;
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        function checkCallExpression(node) {
+            if (isTestFile)
+                return;
+            const cipherMethods = new Set(['createCipher', 'createCipheriv', 'createDecipher', 'createDecipheriv']);
+            // Check for crypto.createCipher*() pattern
+            const isCipherCall = (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                cipherMethods.has(node.callee.property.name)) ||
+                (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    cipherMethods.has(node.callee.name));
+            if (isCipherCall && node.arguments.length >= 1) {
+                const algorithmArg = node.arguments[0];
+                if (algorithmArg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof algorithmArg.value === 'string') {
+                    const algorithm = algorithmArg.value.toLowerCase();
+                    if (algorithm.includes('-ecb') || algorithm.endsWith('ecb')) {
+                        const gcmReplacement = algorithm.replace(/-?ecb$/, '-gcm');
+                        /* c8 ignore next 18 -- suggestions require output assertions which are impractical for dynamic fixes */
+                        context.report({
+                            node: algorithmArg,
+                            messageId: 'ecbMode',
+                            suggest: [
+                                {
+                                    messageId: 'useGcm',
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(algorithmArg, `"${gcmReplacement}"`);
+                                    },
+                                },
+                                {
+                                    messageId: 'useCbc',
+                                    fix: (fixer) => {
+                                        const cbcReplacement = algorithm.replace(/-?ecb$/, '-cbc');
+                                        return fixer.replaceText(algorithmArg, `"${cbcReplacement}"`);
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-ecb-mode/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-ecb-mode/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAUH,4DAAsG;AAczF,QAAA,SAAS,GAAG,IAAA,0BAAU,EAA0B;IAC3D,IAAI,EAAE,aAAa;IACnB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,uDAAuD;SACrE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,OAAO,EAAE,IAAA,gCAAgB,EAAC;gBACxB,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,iIAAiI;gBAC9I,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,0FAA0F;gBAC/F,iBAAiB,EAAE,0EAA0E;aAC9F,CAAC;YACF,MAAM,EAAE,IAAA,gCAAgB,EAAC;gBACvB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,cAAc;gBACzB,WAAW,EAAE,qEAAqE;gBAClF,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;YACF,MAAM,EAAE,IAAA,gCAAgB,EAAC;gBACvB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,cAAc;gBACzB,WAAW,EAAE,yEAAyE;gBACtF,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,8BAA8B;qBAC5C;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;SACpB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EAAE,YAAY,GAAG,KAAK,EAAE,GAAG,OAAkB,CAAC;QAEpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpF,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU;gBAAE,OAAO;YAEvB,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC,CAAC;YAExG,2CAA2C;YAC3C,MAAM,YAAY,GAChB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB;gBACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBACvD,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC/C,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;oBAC7C,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;YAEzC,IAAI,YAAY,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACvC,IAAI,YAAY,CAAC,IAAI,KAAK,8BAAc,CAAC,OAAO,IAAI,OAAO,YAAY,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC3F,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;oBACnD,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC5D,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;wBAE3D,wGAAwG;wBACxG,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,YAAY;4BAClB,SAAS,EAAE,SAAS;4BACpB,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,QAAQ;oCACnB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,OAAO,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,cAAc,GAAG,CAAC,CAAC;oCAChE,CAAC;iCACF;gCACD;oCACE,SAAS,EAAE,QAAQ;oCACnB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;wCAC3D,OAAO,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,cAAc,GAAG,CAAC,CAAC;oCAChE,CAAC;iCACF;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-insecure-key-derivation/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-insecure-key-derivation
+ * Detects PBKDF2 with insufficient iterations
+ * CWE-916: Use of Password Hash With Insufficient Computational Effort
+ *
+ * OWASP 2023 recommends minimum 600,000 iterations for PBKDF2-SHA256
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'insufficientIterations' | 'useMinIterations' | 'useScrypt' | 'useArgon2';
+export interface Options {
+    /** Minimum PBKDF2 iterations. Default: 100000 */
+    minIterations?: number;
+}
+type RuleOptions = [Options?];
+export declare const noInsecureKeyDerivation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as NoInsecureKeyDerivationOptions };

package/src/rules/no-insecure-key-derivation/index.js

@@ -0,0 +1,116 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsecureKeyDerivation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+// OWASP 2023 recommendations
+const DEFAULT_MIN_ITERATIONS = 100000;
+exports.noInsecureKeyDerivation = (0, eslint_devkit_1.createRule)({
+    name: 'no-insecure-key-derivation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow PBKDF2 with insufficient iterations (< 100,000)',
+        },
+        hasSuggestions: true,
+        messages: {
+            insufficientIterations: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Insufficient PBKDF2 iterations',
+                cwe: 'CWE-916',
+                description: 'PBKDF2 with {{actual}} iterations is too low. Minimum recommended: {{minimum}} iterations (OWASP 2023).',
+                severity: 'HIGH',
+                fix: 'Increase iterations to at least {{minimum}}, or use scrypt/Argon2',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html',
+            }),
+            useMinIterations: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use minimum iterations',
+                description: 'Use at least {{minimum}} iterations for PBKDF2',
+                severity: 'LOW',
+                fix: 'crypto.pbkdf2(password, salt, {{minimum}}, keylen, digest)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptopbkdf2password-salt-iterations-keylen-digest-callback',
+            }),
+            useScrypt: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use scrypt',
+                description: 'scrypt is memory-hard and resistant to GPU/ASIC attacks',
+                severity: 'LOW',
+                fix: 'crypto.scrypt(password, salt, keylen)',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback',
+            }),
+            useArgon2: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Argon2',
+                description: 'Argon2id is the winner of the Password Hashing Competition',
+                severity: 'LOW',
+                fix: 'argon2.hash(password, { type: argon2.argon2id })',
+                documentationLink: 'https://github.com/ranisalt/node-argon2',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    minIterations: {
+                        type: 'number',
+                        default: DEFAULT_MIN_ITERATIONS,
+                        description: 'Minimum required PBKDF2 iterations',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            minIterations: DEFAULT_MIN_ITERATIONS,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { minIterations = DEFAULT_MIN_ITERATIONS } = options;
+        function checkCallExpression(node) {
+            // Check for crypto.pbkdf2() or crypto.pbkdf2Sync()
+            const isPbkdf2Call = (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                (node.callee.property.name === 'pbkdf2' || node.callee.property.name === 'pbkdf2Sync')) ||
+                (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    (node.callee.name === 'pbkdf2' || node.callee.name === 'pbkdf2Sync'));
+            if (isPbkdf2Call) {
+                // pbkdf2(password, salt, iterations, keylen, digest, callback)
+                // iterations is the 3rd argument (index 2)
+                const iterationsArg = node.arguments[2];
+                if (iterationsArg?.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof iterationsArg.value === 'number') {
+                    const iterations = iterationsArg.value;
+                    if (iterations < minIterations) {
+                        context.report({
+                            node: iterationsArg,
+                            messageId: 'insufficientIterations',
+                            data: {
+                                actual: String(iterations),
+                                minimum: String(minIterations),
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useMinIterations',
+                                    data: { minimum: String(minIterations) },
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(iterationsArg, String(minIterations));
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-insecure-key-derivation/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-insecure-key-derivation/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH,4DAAsG;AAetG,6BAA6B;AAC7B,MAAM,sBAAsB,GAAG,MAAM,CAAC;AAEzB,QAAA,uBAAuB,GAAG,IAAA,0BAAU,EAA0B;IACzE,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,0DAA0D;SACxE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,gCAAgC;gBAC3C,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,yGAAyG;gBACtH,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,mEAAmE;gBACxE,iBAAiB,EAAE,kFAAkF;aACtG,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,gDAAgD;gBAC7D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4DAA4D;gBACjE,iBAAiB,EAAE,gGAAgG;aACpH,CAAC;YACF,SAAS,EAAE,IAAA,gCAAgB,EAAC;gBAC1B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,YAAY;gBACvB,WAAW,EAAE,yDAAyD;gBACtE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,uCAAuC;gBAC5C,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,SAAS,EAAE,IAAA,gCAAgB,EAAC;gBAC1B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,YAAY;gBACvB,WAAW,EAAE,4DAA4D;gBACzE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,yCAAyC;aAC7D,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,sBAAsB;wBAC/B,WAAW,EAAE,oCAAoC;qBAClD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,sBAAsB;SACtC;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EAAE,aAAa,GAAG,sBAAsB,EAAE,GAAG,OAAkB,CAAC;QAEtE,SAAS,mBAAmB,CAAC,IAA6B;YACxD,mDAAmD;YACnD,MAAM,YAAY,GAChB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB;gBACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBACvD,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;gBACzF,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;oBAC7C,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC;YAE1E,IAAI,YAAY,EAAE,CAAC;gBACjB,+DAA+D;gBAC/D,2CAA2C;gBAC3C,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBAExC,IAAI,aAAa,EAAE,IAAI,KAAK,8BAAc,CAAC,OAAO,IAAI,OAAO,aAAa,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC9F,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC;oBAEvC,IAAI,UAAU,GAAG,aAAa,EAAE,CAAC;wBAC/B,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,aAAa;4BACnB,SAAS,EAAE,wBAAwB;4BACnC,IAAI,EAAE;gCACJ,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC;gCAC1B,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC;6BAC/B;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,kBAAkB;oCAC7B,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC,EAAE;oCACxC,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,OAAO,KAAK,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;oCACjE,CAAC;iCACF;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-insecure-rsa-padding/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-insecure-rsa-padding
+ * Detects RSA with PKCS#1 v1.5 padding (Marvin Attack vulnerable)
+ * CVE-2023-46809: Timing side-channel in Node.js privateDecrypt()
+ *
+ * @see https://nvd.nist.gov/vuln/detail/CVE-2023-46809
+ * @see https://people.redhat.com/~hkario/marvin/
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureRsaPadding' | 'useOaep';
+export interface Options {
+    /** Allow in test files. Default: false */
+    allowInTests?: boolean;
+}
+type RuleOptions = [Options?];
+export declare const noInsecureRsaPadding: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export type { Options as NoInsecureRsaPaddingOptions };

package/src/rules/no-insecure-rsa-padding/index.js

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsecureRsaPadding = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+// Constants for PKCS#1 v1.5 padding (insecure)
+const PKCS1_PADDING_NAMES = new Set([
+    'RSA_PKCS1_PADDING',
+    'constants.RSA_PKCS1_PADDING',
+    'crypto.constants.RSA_PKCS1_PADDING',
+]);
+exports.noInsecureRsaPadding = (0, eslint_devkit_1.createRule)({
+    name: 'no-insecure-rsa-padding',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow RSA PKCS#1 v1.5 padding (CVE-2023-46809 Marvin Attack)',
+        },
+        hasSuggestions: true,
+        messages: {
+            insecureRsaPadding: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Insecure RSA padding',
+                cwe: 'CWE-327',
+                description: 'RSA PKCS#1 v1.5 padding is vulnerable to the Marvin Attack (CVE-2023-46809). Timing side-channels allow attackers to decrypt ciphertexts or forge signatures.',
+                severity: 'HIGH',
+                fix: 'Use RSA_PKCS1_OAEP_PADDING instead',
+                documentationLink: 'https://people.redhat.com/~hkario/marvin/',
+            }),
+            useOaep: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use OAEP padding',
+                description: 'Use RSA-OAEP which is not vulnerable to padding oracle attacks',
+                severity: 'LOW',
+                fix: 'padding: crypto.constants.RSA_PKCS1_OAEP_PADDING',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptopublicdecryptkey-buffer',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow in test files',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false } = options;
+        const filename = context.filename;
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode;
+        function checkCallExpression(node) {
+            if (isTestFile)
+                return;
+            // Check for privateDecrypt, publicDecrypt, privateEncrypt, publicEncrypt
+            const rsaMethods = new Set(['privateDecrypt', 'publicDecrypt', 'privateEncrypt', 'publicEncrypt']);
+            const isRsaCall = (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                rsaMethods.has(node.callee.property.name)) ||
+                (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    rsaMethods.has(node.callee.name));
+            if (isRsaCall && node.arguments.length >= 1) {
+                const keyArg = node.arguments[0];
+                // Check if first argument is an object with padding property
+                if (keyArg.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
+                    for (const prop of keyArg.properties) {
+                        if (prop.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
+                            prop.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                            prop.key.name === 'padding') {
+                            const paddingText = sourceCode.getText(prop.value);
+                            if (PKCS1_PADDING_NAMES.has(paddingText) || paddingText.includes('RSA_PKCS1_PADDING')) {
+                                context.report({
+                                    node: prop,
+                                    messageId: 'insecureRsaPadding',
+                                    suggest: [
+                                        {
+                                            messageId: 'useOaep',
+                                            fix: (fixer) => {
+                                                return fixer.replaceText(prop.value, 'crypto.constants.RSA_PKCS1_OAEP_PADDING');
+                                            },
+                                        },
+                                    ],
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=index.js.map

package/src/rules/no-insecure-rsa-padding/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-node-security/src/rules/no-insecure-rsa-padding/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH,4DAAsG;AAatG,+CAA+C;AAC/C,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,mBAAmB;IACnB,6BAA6B;IAC7B,oCAAoC;CACrC,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,IAAA,0BAAU,EAA0B;IACtE,IAAI,EAAE,yBAAyB;IAC/B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,iEAAiE;SAC/E;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,sBAAsB;gBACjC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,+JAA+J;gBAC5K,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,oCAAoC;gBACzC,iBAAiB,EAAE,2CAA2C;aAC/D,CAAC;YACF,OAAO,EAAE,IAAA,gCAAgB,EAAC;gBACxB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,gEAAgE;gBAC7E,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,kEAAkE;aACtF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,qBAAqB;qBACnC;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;SACpB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EAAE,YAAY,GAAG,KAAK,EAAE,GAAG,OAAkB,CAAC;QAEpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU;gBAAE,OAAO;YAEvB,yEAAyE;YACzE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,eAAe,CAAC,CAAC,CAAC;YAEnG,MAAM,SAAS,GACb,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB;gBACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;gBACvD,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC5C,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;oBAC7C,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;YAEtC,IAAI,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBAEjC,6DAA6D;gBAC7D,IAAI,MAAM,CAAC,IAAI,KAAK,8BAAc,CAAC,gBAAgB,EAAE,CAAC;oBACpD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;wBACrC,IACE,IAAI,CAAC,IAAI,KAAK,8BAAc,CAAC,QAAQ;4BACrC,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,8BAAc,CAAC,UAAU;4BAC3C,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,EAC3B,CAAC;4BACD,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;4BACnD,IAAI,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;gCACtF,OAAO,CAAC,MAAM,CAAC;oCACb,IAAI,EAAE,IAAI;oCACV,SAAS,EAAE,oBAAoB;oCAC/B,OAAO,EAAE;wCACP;4CACE,SAAS,EAAE,SAAS;4CACpB,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;gDACjC,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,EAAE,yCAAyC,CAAC,CAAC;4CAClF,CAAC;yCACF;qCACF;iCACF,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/no-pii-in-logs/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+export interface Options {
+}
+type RuleOptions = [Options?];
+export declare const noPiiInLogs: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-pii-in-logs/index.js

@@ -0,0 +1,74 @@
+"use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPiiInLogs = void 0;
+/**
+ * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
+    name: 'no-pii-in-logs',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent PII (email, SSN, credit cards) in console logs',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-359',
+                description: 'Prevent PII (email, SSN, credit cards) in console logs detected - this is a security risk',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({
+                node,
+                messageId: 'violationDetected',
+            });
+        }
+        return {
+            CallExpression(node) {
+                // Check console.log/error/warn calls
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                    node.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    node.callee.object.name === 'console' &&
+                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
+                    // Check arguments for PII-related property access
+                    for (const arg of node.arguments) {
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                            arg.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                            const propName = arg.property.name.toLowerCase();
+                            const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
+                            if (piiProps.some(p => propName.includes(p))) {
+                                report(node);
+                            }
+                        }
+                        // Check string literals mentioning PII
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof arg.value === 'string') {
+                            const text = arg.value.toLowerCase();
+                            if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
+                                report(node);
+                            }
+                        }
+                    }
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=index.js.map