eslint-plugin-sdl-2 1.0.4

package/docs/rules/no-electron-insecure-certificate-error-handler.md

@@ -0,0 +1,72 @@
+# no-electron-insecure-certificate-error-handler
+
+Disallow Electron `certificate-error` handlers that explicitly trust invalid certificates.
+
+## Targeted pattern scope
+
+This rule targets `.on("certificate-error", handler)` registrations where the
+handler callback is called with `true`.
+
+## What this rule reports
+
+This rule reports `certificate-error` handlers that invoke the callback with
+`true`, which accepts invalid certificates.
+
+## Why this rule exists
+
+The `certificate-error` event should be handled conservatively. Calling the
+callback with `true` bypasses certificate validation and can enable active
+man-in-the-middle interception.
+
+## ❌ Incorrect
+
+```ts
+app.on(
+ "certificate-error",
+ (_event, _webContents, _url, _error, _certificate, callback) => {
+  callback(true);
+ }
+);
+```
+
+## ✅ Correct
+
+```ts
+app.on(
+ "certificate-error",
+ (_event, _webContents, _url, _error, _certificate, callback) => {
+  callback(false);
+ }
+);
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-insecure-certificate-error-handler": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if your runtime deliberately implements certificate pinning or
+enterprise trust logic outside this callback path and has security sign-off.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-insecure-certificate-error-handler.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R015
+
+- [Electron app certificate-error event](https://www.electronjs.org/docs/latest/api/app#event-certificate-error)
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)

package/docs/rules/no-electron-insecure-certificate-verify-proc.md

@@ -0,0 +1,63 @@
+# no-electron-insecure-certificate-verify-proc
+
+Disallow Electron certificate verification callbacks that trust invalid certificates.
+
+## Targeted pattern scope
+
+Electron `session.setCertificateVerifyProc` handlers that trust invalid certificates.
+
+## What this rule reports
+
+Verify-proc handlers that `callback(0)` or return `0`.
+
+## Why this rule exists
+
+Overriding certificate checks can silently disable TLS trust guarantees.
+
+## ❌ Incorrect
+
+```ts
+session.defaultSession.setCertificateVerifyProc((request, callback) => {
+ callback(0);
+});
+```
+
+## ✅ Correct
+
+```ts
+session.defaultSession.setCertificateVerifyProc((request, callback) => {
+ callback(-3);
+});
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-insecure-certificate-verify-proc": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if certificate trust is enforced through a reviewed pinning or enterprise policy outside the callback return value.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-insecure-certificate-verify-proc.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R034
+
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-electron-insecure-permission-request-handler.md

@@ -0,0 +1,67 @@
+# no-electron-insecure-permission-request-handler
+
+Disallow Electron permission request handlers that blanket-allow permissions.
+
+## Targeted pattern scope
+
+Electron permission handlers that blanket-allow permission requests.
+
+## What this rule reports
+
+`setPermissionRequestHandler` callbacks that unconditionally `callback(true)` or return `true`.
+
+## Why this rule exists
+
+Blindly granting permissions can expose camera, microphone, clipboard, and notification abuse vectors.
+
+## ❌ Incorrect
+
+```ts
+session.defaultSession.setPermissionRequestHandler(
+ (wc, permission, callback) => {
+  callback(true);
+ }
+);
+```
+
+## ✅ Correct
+
+```ts
+session.defaultSession.setPermissionRequestHandler(
+ (wc, permission, callback) => {
+  callback(permission === "notifications");
+ }
+);
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-insecure-permission-request-handler": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if the runtime has a reviewed permission policy that intentionally allows a constrained set of requests.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-insecure-permission-request-handler.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R035
+
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-electron-node-integration.md

@@ -0,0 +1,70 @@
+# no-electron-node-integration
+
+Disallow enabling Electron Node.js integration for renderers with remote content.
+
+## Targeted pattern scope
+
+This rule targets Electron BrowserWindow and webPreferences configurations that
+enable `nodeIntegration` where remote content is loaded.
+
+## What this rule reports
+
+This rule reports renderer configurations that combine untrusted content with
+Node.js APIs.
+
+## Why this rule exists
+
+Enabling Node.js integration for remote content increases remote code execution
+risk in Electron apps.
+
+## ❌ Incorrect
+
+```ts
+new BrowserWindow({
+ webPreferences: {
+  nodeIntegration: true,
+ },
+});
+```
+
+## ✅ Correct
+
+```ts
+new BrowserWindow({
+ webPreferences: {
+  nodeIntegration: false,
+  contextIsolation: true,
+ },
+});
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-node-integration": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only for offline renderers with no untrusted input and compensating
+controls.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-node-integration.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R016
+
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [CodeQL reference: Electron renderer Node integration](https://codeql.github.com/codeql-query-help/javascript/js-enabling-electron-renderer-node-integration/)

package/docs/rules/no-electron-permission-check-handler-allow-all.md

@@ -0,0 +1,66 @@
+# no-electron-permission-check-handler-allow-all
+
+Disallow Electron `setPermissionCheckHandler` callbacks that unconditionally
+return `true`.
+
+## Targeted pattern scope
+
+This rule targets `setPermissionCheckHandler(...)` callbacks that always return
+`true` for every permission check.
+
+## What this rule reports
+
+This rule reports inline permission check handlers that resolve to `true`
+without inspecting the request context or permission name.
+
+## Why this rule exists
+
+Blindly approving every permission check weakens Electron's permission boundary
+and can expose capabilities such as media access, notifications, and clipboard
+operations to content that should not receive them.
+
+## ❌ Incorrect
+
+```ts
+session.defaultSession.setPermissionCheckHandler(() => true);
+```
+
+## ✅ Correct
+
+```ts
+session.defaultSession.setPermissionCheckHandler(
+ (_webContents, permission) => permission === "fullscreen"
+);
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-permission-check-handler-allow-all": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if a reviewed Electron permission policy deliberately allows every
+checked permission in a constrained environment.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-permission-check-handler-allow-all.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R050
+
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)
+- [Electron Session API](https://www.electronjs.org/docs/latest/api/session)

package/docs/rules/no-electron-unchecked-ipc-sender.md

@@ -0,0 +1,62 @@
+# no-electron-unchecked-ipc-sender
+
+Disallow privileged Electron IPC handlers that do not validate the sender.
+
+## Targeted pattern scope
+
+`ipcMain.on`/`ipcMain.handle` callbacks without sender/frame trust validation.
+
+## What this rule reports
+
+Privileged IPC handlers that process requests without checking sender origin/frame trust.
+
+## Why this rule exists
+
+Unvalidated IPC senders can let compromised renderers invoke privileged main-process operations.
+
+## ❌ Incorrect
+
+```ts
+ipcMain.handle("read-file", async (event) => readFile("secret.txt"));
+```
+
+## ✅ Correct
+
+```ts
+ipcMain.handle("read-file", async (event) => {
+ if (!event.senderFrame?.url?.startsWith("https://example.com")) return null;
+ return "ok";
+});
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-unchecked-ipc-sender": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if IPC sender trust is enforced by a reviewed abstraction that this rule cannot currently observe.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-unchecked-ipc-sender.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R036
+
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-electron-unrestricted-navigation.md

@@ -0,0 +1,64 @@
+# no-electron-unrestricted-navigation
+
+Disallow Electron navigation handlers that allow unrestricted navigation or window creation.
+
+## Targeted pattern scope
+
+Electron navigation/open handlers that allow unrestricted navigation behavior.
+
+## What this rule reports
+
+`setWindowOpenHandler` returning allow, or `will-navigate` handlers that do not block by default.
+
+## Why this rule exists
+
+Unrestricted navigation can enable tabnabbing, phishing surfaces, and privilege-boundary bypasses.
+
+## ❌ Incorrect
+
+```ts
+contents.setWindowOpenHandler(() => ({ action: "allow" }));
+```
+
+## ✅ Correct
+
+```ts
+contents.on("will-navigate", (event, url) => {
+ event.preventDefault();
+ if (url === "https://example.com") {
+  /* reviewed allowlist path */
+ }
+});
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-unrestricted-navigation": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if navigation and window-opening are governed by a reviewed allowlist abstraction outside the immediate handler.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-unrestricted-navigation.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R037
+
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-electron-untrusted-open-external.md

@@ -0,0 +1,65 @@
+# no-electron-untrusted-open-external
+
+Disallow untrusted or unsafe protocols in Electron `shell.openExternal(...)` calls.
+
+## Targeted pattern scope
+
+This rule targets direct `shell.openExternal(...)` and
+`electron.shell.openExternal(...)` call sites.
+
+## What this rule reports
+
+This rule reports `shell.openExternal(...)` calls when the URL argument is
+non-literal, dynamically constructed, or uses a protocol other than `https:` or
+`mailto:`.
+
+## Why this rule exists
+
+`openExternal` launches external handlers and browsers. Passing untrusted or
+unexpected URLs can create phishing or command-surface abuse paths.
+
+## ❌ Incorrect
+
+```ts
+shell.openExternal("http://example.com");
+shell.openExternal(userProvidedUrl);
+shell.openExternal(`https://${host}`);
+```
+
+## ✅ Correct
+
+```ts
+shell.openExternal("https://example.com/docs");
+shell.openExternal("mailto:security@example.com");
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-untrusted-open-external": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable if your project uses a centralized URL-validation helper and dynamic
+values are already strictly validated before `openExternal`.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-untrusted-open-external.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R017
+
+- [Electron shell.openExternal](https://www.electronjs.org/docs/latest/api/shell#shellopenexternalurl-options)
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)

package/docs/rules/no-electron-webview-allowpopups.md

@@ -0,0 +1,59 @@
+# no-electron-webview-allowpopups
+
+Disallow enabling `allowpopups` on Electron `<webview>` elements.
+
+## Targeted pattern scope
+
+Electron `<webview>` usage with `allowpopups` enabled.
+
+## What this rule reports
+
+JSX `<webview>` attributes that enable `allowpopups`.
+
+## Why this rule exists
+
+Allowing popups from embedded untrusted content expands attack surface and abuse channels.
+
+## ❌ Incorrect
+
+```ts
+const view = <webview allowpopups src="https://example.com" />;
+```
+
+## ✅ Correct
+
+```ts
+const view = <webview src="https://example.com" />;
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-webview-allowpopups": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if the embedded content is fully trusted and popup behavior is part of a reviewed application design.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-webview-allowpopups.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R038
+
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-electron-webview-insecure-webpreferences.md

@@ -0,0 +1,84 @@
+# no-electron-webview-insecure-webpreferences
+
+Disallow unsafe Electron `<webview>` `webpreferences` string flags.
+
+## Targeted pattern scope
+
+This rule targets static `<webview webpreferences="..." />` attributes that
+enable insecure flags such as:
+
+- `allowRunningInsecureContent=yes`
+- `contextIsolation=no`
+- `experimentalFeatures=yes`
+- `sandbox=no`
+- `webSecurity=no`
+
+## What this rule reports
+
+This rule reports static `webpreferences` strings on Electron `webview`
+elements when they contain unsafe hardening overrides.
+
+## Why this rule exists
+
+Electron `webview` attributes often hide security-critical renderer settings
+inside string flags. Those strings can quietly disable isolation or enable risky
+behavior that should stay off for untrusted content.
+
+## ❌ Incorrect
+
+```tsx
+const view = (
+ <webview
+  src="https://example.com"
+  webpreferences="webSecurity=no, contextIsolation=no"
+ />
+);
+```
+
+## ✅ Correct
+
+```tsx
+const view = (
+ <webview
+  src="https://example.com"
+  webpreferences="sandbox=yes, contextIsolation=yes, webSecurity=yes"
+ />
+);
+```
+
+## Behavior and migration notes
+
+This rule currently reports only static string values. Dynamic `webpreferences`
+expressions are ignored to avoid false positives.
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+
+  rules: {
+   "sdl/no-electron-webview-insecure-webpreferences": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if reviewed `webview` content requires these flags and the host
+application enforces compensating controls elsewhere.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-electron-webview-insecure-webpreferences.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R051
+
+- [Electron `<webview>` tag](https://www.electronjs.org/docs/latest/api/webview-tag)
+- [Electron security checklist](https://www.electronjs.org/docs/latest/tutorial/security)