npm - eslint-plugin-sdl-2 - Versions diffs - 1.0.4 - Mend

eslint-plugin-sdl-2 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/docs/rules/no-electron-allow-running-insecure-content.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-electron-allow-running-insecure-content
+Disallow enabling Electron `webPreferences.allowRunningInsecureContent`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.allowRunningInsecureContent` to `true`.
+## What this rule reports
+This rule reports `webPreferences.allowRunningInsecureContent: true` in Electron
+renderer configuration objects.
+## Why this rule exists
+Allowing insecure content weakens transport guarantees and allows mixed-content
+execution in renderer processes.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  allowRunningInsecureContent: true,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  allowRunningInsecureContent: false,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-allow-running-insecure-content": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your renderer never loads network content and your runtime has
+strict isolation controls documented outside this rule.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-allow-running-insecure-content.ts)
+## Further reading
+> **Rule catalog ID:** R009
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron BrowserWindow webPreferences](https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions)

package/docs/rules/no-electron-dangerous-blink-features.md ADDED Viewed

@@ -0,0 +1,77 @@
+# no-electron-dangerous-blink-features
+Disallow enabling Blink runtime features through Electron `webPreferences.enableBlinkFeatures`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.enableBlinkFeatures` to a non-empty static string.
+## What this rule reports
+This rule reports non-empty `enableBlinkFeatures` values in `webPreferences`
+objects.
+## Why this rule exists
+`enableBlinkFeatures` turns on Chromium/Blink runtime feature flags. Enabling
+extra features in production renderer contexts can increase attack surface and
+weaken predictable browser hardening.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  enableBlinkFeatures: "CSSVariables,LayoutNG",
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  enableBlinkFeatures: "",
+ },
+});
+new BrowserWindow({
+ webPreferences: {
+  contextIsolation: true,
+  sandbox: true,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-dangerous-blink-features": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable if your application has reviewed, tightly scoped, and well-documented
+Blink feature requirements with compensating security controls.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-dangerous-blink-features.ts)
+## Further reading
+> **Rule catalog ID:** R010
+- [Electron BrowserWindow webPreferences](https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions)
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)

package/docs/rules/no-electron-disable-context-isolation.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-electron-disable-context-isolation
+Disallow disabling Electron `webPreferences.contextIsolation`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.contextIsolation` to `false`.
+## What this rule reports
+This rule reports `webPreferences.contextIsolation: false` in Electron renderer
+configuration objects.
+## Why this rule exists
+Disabling context isolation collapses separation between preload and renderer
+contexts, increasing exposure of privileged APIs.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  contextIsolation: false,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  contextIsolation: true,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-disable-context-isolation": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for legacy renderer code that cannot migrate yet and is protected
+with strict, documented compensating controls.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-disable-context-isolation.ts)
+## Further reading
+> **Rule catalog ID:** R011
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron context isolation](https://www.electronjs.org/docs/latest/tutorial/context-isolation)

package/docs/rules/no-electron-disable-sandbox.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-electron-disable-sandbox
+Disallow disabling Electron renderer sandboxing in `webPreferences`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.sandbox` to `false`.
+## What this rule reports
+This rule reports `webPreferences.sandbox: false` in Electron renderer
+configuration objects.
+## Why this rule exists
+Renderer sandboxing limits process privileges and helps contain renderer
+compromise impact.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  sandbox: false,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  sandbox: true,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-disable-sandbox": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only while migrating legacy renderer code, and only with explicit risk
+acceptance and compensating controls.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-disable-sandbox.ts)
+## Further reading
+> **Rule catalog ID:** R012
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron process sandboxing](https://www.electronjs.org/docs/latest/tutorial/sandbox)

package/docs/rules/no-electron-disable-web-security.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-electron-disable-web-security
+Disallow disabling Electron `webPreferences.webSecurity` for renderer contexts.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.webSecurity` to `false`.
+## What this rule reports
+This rule reports `webPreferences.webSecurity: false` in Electron renderer
+configuration objects.
+## Why this rule exists
+Turning off `webSecurity` removes browser-origin protections and expands the
+attack surface for untrusted renderer content.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  webSecurity: false,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  webSecurity: true,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-disable-web-security": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for tightly controlled offline renderer scenarios with explicit
+compensating controls and no untrusted content.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-disable-web-security.ts)
+## Further reading
+> **Rule catalog ID:** R013
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron BrowserWindow webPreferences](https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions)

package/docs/rules/no-electron-enable-remote-module.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-electron-enable-remote-module
+Disallow enabling Electron `webPreferences.enableRemoteModule`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.enableRemoteModule` to `true`.
+## What this rule reports
+This rule reports `webPreferences.enableRemoteModule: true` in Electron
+renderer configuration objects.
+## Why this rule exists
+Enabling the remote module expands renderer access to privileged main-process
+capabilities and weakens isolation boundaries.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  enableRemoteModule: true,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  enableRemoteModule: false,
+ },
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-enable-remote-module": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for legacy Electron versions where remote cannot be removed yet,
+with strict migration and deprecation plans.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-enable-remote-module.ts)
+## Further reading
+> **Rule catalog ID:** R014
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron BrowserWindow webPreferences](https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions)

package/docs/rules/no-electron-enable-webview-tag.md ADDED Viewed

@@ -0,0 +1,77 @@
+# no-electron-enable-webview-tag
+Disallow enabling Electron `webPreferences.webviewTag`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.webviewTag` to `true`.
+## What this rule reports
+This rule reports `webPreferences.webviewTag: true` in Electron renderer
+configuration objects.
+## Why this rule exists
+Electron recommends avoiding `webview` unless absolutely necessary. Enabling the
+`webviewTag` opt-in expands renderer capabilities and can make isolation harder
+to reason about.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  webviewTag: true,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  webviewTag: false,
+ },
+});
+```
+## Behavior and migration notes
+This rule includes an autofix for literal boolean values.
+- `webviewTag: true` is rewritten to `webviewTag: false`.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-enable-webview-tag": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your Electron application has a reviewed webview threat model
+and cannot migrate away from `webviewTag` yet.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-enable-webview-tag.ts)
+## Further reading
+> **Rule catalog ID:** R047
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron `<webview>` tag](https://www.electronjs.org/docs/latest/api/webview-tag)

package/docs/rules/no-electron-experimental-features.md ADDED Viewed

@@ -0,0 +1,77 @@
+# no-electron-experimental-features
+Disallow enabling Electron `webPreferences.experimentalFeatures`.
+## Targeted pattern scope
+This rule targets Electron `BrowserWindow` and `BrowserView` constructor options
+that set `webPreferences.experimentalFeatures` to `true`.
+## What this rule reports
+This rule reports `webPreferences.experimentalFeatures: true` in Electron
+renderer configuration objects.
+## Why this rule exists
+Electron recommends disabling experimental platform features in production
+renderers because they expand the runtime surface area and can bypass hardening
+assumptions.
+## ❌ Incorrect
+```ts
+new BrowserWindow({
+ webPreferences: {
+  experimentalFeatures: true,
+ },
+});
+```
+## ✅ Correct
+```ts
+new BrowserWindow({
+ webPreferences: {
+  experimentalFeatures: false,
+ },
+});
+```
+## Behavior and migration notes
+This rule includes an autofix for literal boolean values.
+- `experimentalFeatures: true` is rewritten to `experimentalFeatures: false`.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-experimental-features": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for short-lived experiments that explicitly require Electron
+experimental features and are isolated behind documented review gates.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-experimental-features.ts)
+## Further reading
+> **Rule catalog ID:** R046
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron BrowserWindow webPreferences](https://www.electronjs.org/docs/latest/api/browser-window#new-browserwindowoptions)

package/docs/rules/no-electron-expose-raw-ipc-renderer.md ADDED Viewed

@@ -0,0 +1,79 @@
+# no-electron-expose-raw-ipc-renderer
+Disallow exposing raw Electron `ipcRenderer` objects or methods through
+`contextBridge` APIs.
+## Targeted pattern scope
+This rule targets `contextBridge.exposeInMainWorld(...)` and
+`contextBridge.exposeInIsolatedWorld(...)` calls that expose:
+- `ipcRenderer` directly, or
+- object properties that directly reference raw `ipcRenderer` methods.
+## What this rule reports
+This rule reports preload bridge exports that hand renderer code a direct IPC
+primitive instead of a narrow wrapper API.
+## Why this rule exists
+Exposing raw IPC primitives to untrusted renderer code weakens the preload
+boundary. A narrow wrapper API allows the preload layer to validate channels,
+arguments, and return values before crossing trust boundaries.
+## ❌ Incorrect
+```ts
+contextBridge.exposeInMainWorld("api", {
+ send: ipcRenderer.send,
+ invoke: ipcRenderer.invoke,
+});
+```
+## ✅ Correct
+```ts
+contextBridge.exposeInMainWorld("api", {
+ sendSettingsUpdate(payload: SettingsPayload) {
+  ipcRenderer.send("settings:update", payload);
+ },
+});
+```
+## Behavior and migration notes
+This rule does not autofix because the correct preload wrapper shape depends on
+the channels and validation logic your application requires.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-expose-raw-ipc-renderer": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if the exposed IPC surface is intentionally raw, fully reviewed,
+and protected by application-specific controls outside the preload bridge.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-expose-raw-ipc-renderer.ts)
+## Further reading
+> **Rule catalog ID:** R049
+- [Electron context isolation](https://www.electronjs.org/docs/latest/tutorial/context-isolation)
+- [Electron contextBridge](https://www.electronjs.org/docs/latest/api/context-bridge)