npm - eslint-plugin-sdl-2 - Versions diffs - 1.0.4 - Mend

eslint-plugin-sdl-2 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/docs/rules/no-electron-webview-node-integration.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-electron-webview-node-integration
+Disallow Electron `<webview>` configurations that enable node integration.
+## Targeted pattern scope
+Electron `<webview>` configurations enabling node integration flags.
+## What this rule reports
+`webview` `nodeintegration`/`nodeintegrationinsubframes`/`webpreferences` node-integration flags.
+## Why this rule exists
+Node integration in untrusted renderer contexts can break isolation and enable code-execution paths.
+## ❌ Incorrect
+```ts
+const view = <webview nodeintegration src="https://example.com" />;
+```
+## ✅ Correct
+```ts
+const view = <webview src="https://example.com" webpreferences="sandbox=yes" />;
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-electron-webview-node-integration": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for legacy webview flows with documented trust guarantees and compensating isolation controls.
+## Package documentation
+- [Rule source](../../src/rules/no-electron-webview-node-integration.ts)
+## Further reading
+> **Rule catalog ID:** R039
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-html-method.md ADDED Viewed

@@ -0,0 +1,58 @@
+# no-html-method
+Disallow unsafe HTML injection through jQuery-like `html()` method usage.
+## Targeted pattern scope
+This rule targets calls to `html(...)` methods on DOM wrapper libraries where
+arguments are interpreted as HTML.
+## What this rule reports
+This rule reports `html(...)` invocations that write markup directly to the DOM.
+## Why this rule exists
+Direct HTML insertion can execute attacker-controlled markup and script payloads
+when inputs are not strongly sanitized.
+## ❌ Incorrect
+```ts
+$("#content").html(userSuppliedHtml);
+```
+## ✅ Correct
+```ts
+$("#content").text(userSuppliedHtml);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-html-method": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for trusted, static markup paths where inputs are guaranteed safe.
+## Package documentation
+- [Rule source](../../src/rules/no-html-method.ts)
+## Further reading
+> **Rule catalog ID:** R018
+- [Legacy rule inspiration](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noInnerHtml.ts)

package/docs/rules/no-http-request-to-insecure-protocol.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-http-request-to-insecure-protocol
+Disallow application HTTP client calls that use insecure `http://` endpoints.
+## Targeted pattern scope
+Network client calls to insecure `http://` endpoints.
+## What this rule reports
+`http`/`https`/`fetch` calls whose URL literal starts with `http://`.
+## Why this rule exists
+Unencrypted HTTP can expose credentials, tokens, and payload integrity to active network attackers.
+## ❌ Incorrect
+```ts
+http.get("http://api.example.com/status");
+```
+## ✅ Correct
+```ts
+https.get("https://api.example.com/status");
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-http-request-to-insecure-protocol": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for local development or legacy endpoints that are explicitly non-production and otherwise protected.
+## Package documentation
+- [Rule source](../../src/rules/no-http-request-to-insecure-protocol.ts)
+## Further reading
+> **Rule catalog ID:** R040
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-iframe-srcdoc.md ADDED Viewed

@@ -0,0 +1,76 @@
+# no-iframe-srcdoc
+Disallow populating `iframe.srcdoc` with inline HTML documents.
+## Targeted pattern scope
+This rule targets:
+- `iframe.srcdoc = ...`
+- `iframe.setAttribute("srcdoc", ...)`
+- `<iframe srcDoc={...} />` in JSX.
+## What this rule reports
+This rule reports inline iframe document creation through `srcdoc` writes and
+JSX `srcDoc` attributes.
+## Why this rule exists
+`srcdoc` embeds a full HTML document directly into the page. That increases the
+risk of shipping unsafe inline markup, weakens review boundaries compared with a
+separate reviewed document URL, and makes it easier to introduce script-capable
+content in places that look like simple attribute assignments.
+## ❌ Incorrect
+```ts
+iframe.srcdoc = userHtml;
+```
+```tsx
+const frame = <iframe srcDoc={userHtml} />;
+```
+## ✅ Correct
+```ts
+iframe.src = "https://example.com/embed.html";
+```
+```tsx
+const frame = <iframe src="https://example.com/embed.html" />;
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-iframe-srcdoc": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your application intentionally serves inline iframe documents,
+those documents are tightly controlled, and a reviewed sandboxing strategy
+exists outside this rule.
+## Package documentation
+- [Rule source](../../src/rules/no-iframe-srcdoc.ts)
+## Further reading
+> **Rule catalog ID:** R053
+- [MDN: `HTMLIFrameElement.srcdoc`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/srcdoc)
+- [MDN: `<iframe>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe)
+- [OWASP Cross Site Scripting Prevention Cheat Sheet](https://owasp.org/www-community/xss-prevention)

package/docs/rules/no-inner-html.md ADDED Viewed

@@ -0,0 +1,65 @@
+# no-inner-html
+Disallow unsafe direct HTML writes through DOM HTML sink properties and methods.
+## Targeted pattern scope
+This rule targets:
+- `element.innerHTML = ...`
+- `element.outerHTML = ...`
+- `element.insertAdjacentHTML(...)`.
+## What this rule reports
+This rule reports direct HTML sink writes that bypass safe text-based DOM APIs.
+## Why this rule exists
+HTML sink APIs are common XSS entry points when they receive unsanitized or
+partially sanitized input.
+## ❌ Incorrect
+```ts
+container.innerHTML = userSuppliedHtml;
+container.insertAdjacentHTML("beforeend", userSuppliedHtml);
+```
+## ✅ Correct
+```ts
+const node = document.createElement("p");
+node.textContent = userSuppliedHtml;
+container.append(node);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-inner-html": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only when a dedicated, reviewed sanitizer guarantees safe markup.
+## Package documentation
+- [Rule source](../../src/rules/no-inner-html.ts)
+## Further reading
+> **Rule catalog ID:** R019
+- [MDN: `innerHTML`](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)
+- [MDN: `insertAdjacentHTML`](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML)

package/docs/rules/no-insecure-random.md ADDED Viewed

@@ -0,0 +1,66 @@
+# no-insecure-random
+Disallow non-cryptographic randomness APIs for security-sensitive flows.
+## Targeted pattern scope
+This rule targets insecure randomness APIs such as:
+- `Math.random()`
+- `crypto.pseudoRandomBytes(...)`.
+## What this rule reports
+This rule reports pseudo-random generators used in contexts where
+cryptographic-strength randomness is expected.
+## Why this rule exists
+Predictable random values can undermine tokens, passwords, keys, and related
+security controls.
+## ❌ Incorrect
+```ts
+const token = `${Math.random()}`;
+const bytes = crypto.pseudoRandomBytes(32);
+```
+## ✅ Correct
+```ts
+const bytes = crypto.randomBytes(32);
+const browserBytes = crypto.getRandomValues(new Uint8Array(32));
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-insecure-random": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for non-security simulation or test data where predictability is
+acceptable.
+## Package documentation
+- [Rule source](../../src/rules/no-insecure-random.ts)
+## Further reading
+> **Rule catalog ID:** R020
+- [OWASP: Insecure randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness)
+- [CodeQL query help: Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insecure-randomness/)
+- [Sonar rule RSPEC-2245](https://rules.sonarsource.com/javascript/RSPEC-2245)

package/docs/rules/no-insecure-tls-agent-options.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-insecure-tls-agent-options
+Disallow TLS and HTTPS option objects that disable certificate verification.
+## Targeted pattern scope
+TLS/HTTPS options objects that disable certificate verification.
+## What this rule reports
+`rejectUnauthorized: false` in option objects.
+## Why this rule exists
+Disabling certificate verification removes core TLS trust guarantees.
+## ❌ Incorrect
+```ts
+new https.Agent({ rejectUnauthorized: false });
+```
+## ✅ Correct
+```ts
+new https.Agent({ rejectUnauthorized: true });
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-insecure-tls-agent-options": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only in tightly scoped debugging or local interception scenarios that cannot affect production traffic.
+## Package documentation
+- [Rule source](../../src/rules/no-insecure-tls-agent-options.ts)
+## Further reading
+> **Rule catalog ID:** R041
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-insecure-url.md ADDED Viewed

@@ -0,0 +1,72 @@
+# no-insecure-url
+Disallow insecure URL protocols in application code.
+## Targeted pattern scope
+This rule targets insecure URL patterns such as:
+- `http://...`
+- `ftp://...`
+- configurable blocklisted patterns defined in rule options.
+## What this rule reports
+This rule reports string literals and option-matched values that use insecure
+or explicitly blocked URL schemes.
+## Why this rule exists
+Unencrypted transports can expose credentials, tokens, and sensitive payloads
+to interception or tampering.
+## ❌ Incorrect
+```ts
+const endpoint = "http://api.example.com/v1/data";
+```
+## ✅ Correct
+```ts
+const endpoint = "https://api.example.com/v1/data";
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-insecure-url": [
+    "error",
+    {
+     blocklist: ["^(http|ftp):\\/\\/"],
+     exceptions: ["^http:\\/\\/schemas\\.microsoft\\.com\\/?.*"],
+     varExceptions: ["insecure?.*"],
+    },
+   ],
+  },
+ },
+];
+```
+## When not to use it
+Disable only when scanning datasets or tests that intentionally include insecure
+URLs.
+## Package documentation
+- [Rule source](../../src/rules/no-insecure-url.ts)
+## Further reading
+> **Rule catalog ID:** R021
+- [MDN: HTTPS](https://developer.mozilla.org/en-US/docs/Glossary/HTTPS)
+- [DevSkim DS137138 guidance](https://github.com/microsoft/DevSkim/blob/main/guidance/DS137138.md)
+- [CodeQL insecure download guidance](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-logging-sensitive-info/)

package/docs/rules/no-location-javascript-url.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-location-javascript-url
+Disallow `javascript:` URLs in location-like navigation sinks.
+## Targeted pattern scope
+Location/open navigation sinks assigned `javascript:` URLs.
+## What this rule reports
+Assignments and calls that pass `javascript:` URL strings into navigation sinks.
+## Why this rule exists
+`javascript:` URL execution is a classic DOM XSS sink and should be blocked in modern code.
+## ❌ Incorrect
+```ts
+window.location.href = "javascript:alert(1)";
+```
+## ✅ Correct
+```ts
+window.location.href = "https://example.com";
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-location-javascript-url": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for legacy code that cannot yet migrate away from `javascript:` URLs and has explicit security review sign-off.
+## Package documentation
+- [Rule source](../../src/rules/no-location-javascript-url.ts)
+## Further reading
+> **Rule catalog ID:** R042
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-message-event-without-origin-check.md ADDED Viewed

@@ -0,0 +1,82 @@
+# no-message-event-without-origin-check
+Disallow receiving `message` events and consuming `event.data` without checking
+`event.origin`.
+## Targeted pattern scope
+This rule targets inline `addEventListener("message", ...)` handlers and
+`onmessage = ...` assignments that read message data without validating the
+sender origin.
+## What this rule reports
+This rule reports message event callbacks that:
+- read `event.data`, or
+- destructure `{ data }` from the message event,
+without an observable `origin` validation step.
+## Why this rule exists
+Cross-document messaging is only safe when the receiver validates where the
+message came from. Reading message payloads without checking `event.origin` can
+trust attacker-controlled input from another window, frame, or worker.
+## ❌ Incorrect
+```ts
+window.addEventListener("message", (event) => {
+ consume(event.data);
+});
+```
+## ✅ Correct
+```ts
+window.addEventListener("message", (event) => {
+ if (event.origin !== "https://example.com") {
+  return;
+ }
+ consume(event.data);
+});
+```
+## Behavior and migration notes
+This rule intentionally does not autofix or insert stub origin checks because
+the correct allowlist depends on your deployment model.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-message-event-without-origin-check": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for message handlers that never process untrusted cross-origin
+messages and already rely on a reviewed trust boundary this rule cannot see.
+## Package documentation
+- [Rule source](../../src/rules/no-message-event-without-origin-check.ts)
+## Further reading
+> **Rule catalog ID:** R048
+- [MDN: Window message event](https://developer.mozilla.org/docs/Web/API/Window/message_event)
+- [MDN: Window.postMessage security concerns](https://developer.mozilla.org/docs/Web/API/Window/postMessage#security_concerns)