npm - eslint-plugin-secure-coding - Versions diffs - 1.0.0 - Mend

eslint-plugin-secure-coding 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/AGENTS.md ADDED Viewed

@@ -0,0 +1,196 @@
+# eslint-plugin-secure-coding - AI Agent Guide
+## Package Overview
+| Field           | Value                                                                                    |
+| --------------- | ---------------------------------------------------------------------------------------- |
+| **Name**        | eslint-plugin-secure-coding                                                              |
+| **Version**     | 1.0.0                                                                                    |
+| **Description** | Security-focused ESLint plugin with 48 LLM-optimized rules for detecting vulnerabilities |
+| **Type**        | ESLint Plugin                                                                            |
+| **Language**    | TypeScript                                                                               |
+| **Node.js**     | >=18.0.0                                                                                 |
+| **ESLint**      | ^8.0.0 \|\| ^9.0.0                                                                       |
+| **License**     | MIT                                                                                      |
+| **Homepage**    | https://github.com/ofri-peretz/eslint#readme                                             |
+| **Repository**  | https://github.com/ofri-peretz/eslint.git                                                |
+| **Directory**   | packages/eslint-plugin-secure-coding                                                     |
+## Installation
+```bash
+npm install --save-dev eslint-plugin-secure-coding
+# or
+pnpm add -D eslint-plugin-secure-coding
+# or
+yarn add -D eslint-plugin-secure-coding
+```
+## Quick Start
+```javascript
+// eslint.config.js
+import secureCoding from 'eslint-plugin-secure-coding';
+export default [secureCoding.configs.recommended];
+```
+## Available Presets
+| Preset           | Rules                       | Description                         |
+| ---------------- | --------------------------- | ----------------------------------- |
+| **recommended**  | 48 rules (mixed error/warn) | Balanced security for most projects |
+| **strict**       | 48 rules (all errors)       | Maximum security enforcement        |
+| **owasp-top-10** | 32 rules                    | OWASP Top 10 2021 compliance        |
+## Rule Categories
+### Injection Prevention (11 rules)
+- `no-sql-injection` - CWE-89 - SQL injection via string concatenation
+- `database-injection` - CWE-89 - Comprehensive SQL/NoSQL/ORM injection
+- `detect-eval-with-expression` - CWE-95 - eval() with dynamic expressions
+- `detect-child-process` - CWE-78 - Command injection in child_process
+- `no-unsafe-dynamic-require` - CWE-95 - Dynamic require() calls
+- `no-graphql-injection` - CWE-943 - GraphQL injection attacks
+- `no-xxe-injection` - CWE-611 - XML External Entity injection
+- `no-xpath-injection` - CWE-643 - XPath injection attacks
+- `no-ldap-injection` - CWE-90 - LDAP injection attacks
+- `no-directive-injection` - CWE-94 - Template directive injection
+- `no-format-string-injection` - CWE-134 - Format string vulnerabilities
+### Path & File Security (3 rules)
+- `detect-non-literal-fs-filename` - CWE-22 - Path traversal in fs operations
+- `no-zip-slip` - CWE-22 - Zip slip vulnerabilities
+- `no-toctou-vulnerability` - CWE-367 - TOCTOU race conditions
+### Regex Security (3 rules)
+- `detect-non-literal-regexp` - CWE-400 - ReDoS in RegExp construction
+- `no-redos-vulnerable-regex` - CWE-1333 - ReDoS-vulnerable patterns
+- `no-unsafe-regex-construction` - CWE-400 - Unsafe regex from user input
+### Object & Prototype (2 rules)
+- `detect-object-injection` - CWE-915 - Prototype pollution
+- `no-unsafe-deserialization` - CWE-502 - Unsafe deserialization
+### Cryptography (6 rules)
+- `no-hardcoded-credentials` - CWE-798 - Hardcoded passwords/keys
+- `no-weak-crypto` - CWE-327 - Weak algorithms (MD5, SHA1)
+- `no-insufficient-random` - CWE-330 - Math.random() for security
+- `no-timing-attack` - CWE-208 - Timing attack vulnerabilities
+- `no-insecure-comparison` - CWE-697 - Insecure string comparison
+- `no-insecure-jwt` - CWE-347 - JWT security issues
+### Input Validation & XSS (5 rules)
+- `no-unvalidated-user-input` - CWE-20 - Unvalidated user input
+- `no-unsanitized-html` - CWE-79 - XSS via innerHTML
+- `no-unescaped-url-parameter` - CWE-79 - XSS via URL parameters
+- `no-improper-sanitization` - CWE-116 - Improper output encoding
+- `no-improper-type-validation` - CWE-20 - Type confusion vulnerabilities
+### Authentication & Authorization (3 rules)
+- `no-missing-authentication` - CWE-306 - Missing auth checks
+- `no-privilege-escalation` - CWE-269 - Privilege escalation
+- `no-weak-password-recovery` - CWE-640 - Insecure password reset
+### Session & Cookies (3 rules)
+- `no-insecure-cookie-settings` - CWE-614 - Missing Secure/HttpOnly
+- `no-missing-csrf-protection` - CWE-352 - Missing CSRF tokens
+- `no-document-cookie` - CWE-565 - Direct cookie manipulation
+### Network & Headers (5 rules)
+- `no-missing-cors-check` - CWE-942 - Missing CORS validation
+- `no-missing-security-headers` - CWE-693 - Missing security headers
+- `no-insecure-redirects` - CWE-601 - Open redirect vulnerabilities
+- `no-unencrypted-transmission` - CWE-319 - HTTP instead of HTTPS
+- `no-clickjacking` - CWE-1021 - Clickjacking vulnerabilities
+### Data Exposure (2 rules)
+- `no-exposed-sensitive-data` - CWE-200 - Sensitive data in responses
+- `no-sensitive-data-exposure` - CWE-532 - Sensitive data in logs
+### Buffer & Memory (1 rule)
+- `no-buffer-overread` - CWE-126 - Buffer over-read
+### DoS & Resource (2 rules)
+- `no-unlimited-resource-allocation` - CWE-770 - Unbounded allocations
+- `no-unchecked-loop-condition` - CWE-835 - Infinite loop conditions
+### Platform-Specific (2 rules)
+- `no-electron-security-issues` - CWE-693 - Electron security misconfig
+- `no-insufficient-postmessage-validation` - CWE-346 - postMessage origin issues
+## Error Message Format
+All rules produce LLM-optimized 2-line structured messages:
+```
+Line 1: [Icon] [CWE] [OWASP] [CVSS] | [Description] | [SEVERITY] [Compliance]
+Line 2:    Fix: [instruction] | [doc-link]
+```
+**Example:**
+```
+🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | SQL Injection detected | CRITICAL [SOC2,PCI-DSS,HIPAA]
+   Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId]) | https://owasp.org/...
+```
+## ESLint MCP Integration
+Configure in `.cursor/mcp.json`:
+```json
+{
+  "mcpServers": {
+    "eslint": {
+      "command": "npx",
+      "args": ["@eslint/mcp@latest"]
+    }
+  }
+}
+```
+## Key Features
+| Feature              | Value                            |
+| -------------------- | -------------------------------- |
+| **Total Rules**      | 48                               |
+| **CWE Coverage**     | 100% (all rules include CWE IDs) |
+| **OWASP Top 10**     | Full 2021 coverage               |
+| **AI Auto-Fix Rate** | 60-80%                           |
+| **Performance**      | <10ms overhead per file          |
+| **Privacy**          | 100% local, no cloud calls       |
+## FAQ
+**Q: How do I enable all security rules?**
+A: Use `secureCoding.configs.strict`
+**Q: How do I configure a specific rule?**
+A: `'secure-coding/no-sql-injection': ['error', { strategy: 'parameterize' }]`
+**Q: How do I disable a rule inline?**
+A: `// eslint-disable-next-line secure-coding/no-sql-injection`
+**Q: Is it compatible with TypeScript?**
+A: Yes, native TypeScript support.
+**Q: Does it work with ESLint 9 flat config?**
+A: Yes, fully compatible.
+## License
+MIT © Ofri Peretz

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,105 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.0.0] - 2025-01-01
+### Added
+- Initial release with 48 security-focused ESLint rules
+- LLM-optimized error messages with [CWE](https://cwe.mitre.org/) references and [OWASP](https://owasp.org/Top10/) mapping
+- Three preset configurations: `recommended`, `strict`, `owasp-top-10`
+- Full ESLint 9 flat config support
+- TypeScript support
+### Security Rules
+#### Injection Prevention (11 rules)
+- `no-sql-injection` - SQL injection prevention
+- `database-injection` - Comprehensive SQL/NoSQL/ORM injection
+- `detect-eval-with-expression` - Dynamic eval() detection
+- `detect-child-process` - Command injection detection
+- `no-unsafe-dynamic-require` - Dynamic require() prevention
+- `no-graphql-injection` - GraphQL injection prevention
+- `no-xxe-injection` - XXE injection prevention
+- `no-xpath-injection` - XPath injection prevention
+- `no-ldap-injection` - LDAP injection prevention
+- `no-directive-injection` - Template injection prevention
+- `no-format-string-injection` - Format string injection prevention
+#### Path & File Security (3 rules)
+- `detect-non-literal-fs-filename` - Path traversal detection
+- `no-zip-slip` - Zip slip vulnerability prevention
+- `no-toctou-vulnerability` - TOCTOU race condition detection
+#### Regex Security (3 rules)
+- `detect-non-literal-regexp` - ReDoS detection in RegExp
+- `no-redos-vulnerable-regex` - ReDoS pattern detection
+- `no-unsafe-regex-construction` - Unsafe regex prevention
+#### Object & Prototype (2 rules)
+- `detect-object-injection` - Prototype pollution detection
+- `no-unsafe-deserialization` - Unsafe deserialization prevention
+#### Cryptography (6 rules)
+- `no-hardcoded-credentials` - Hardcoded secrets detection
+- `no-weak-crypto` - Weak algorithm detection
+- `no-insufficient-random` - Weak randomness detection
+- `no-timing-attack` - Timing attack prevention
+- `no-insecure-comparison` - Insecure comparison detection
+- `no-insecure-jwt` - JWT security issues detection
+#### Input Validation & XSS (5 rules)
+- `no-unvalidated-user-input` - Input validation enforcement
+- `no-unsanitized-html` - XSS via innerHTML prevention
+- `no-unescaped-url-parameter` - URL parameter XSS prevention
+- `no-improper-sanitization` - Output encoding enforcement
+- `no-improper-type-validation` - Type confusion prevention
+#### Authentication & Authorization (3 rules)
+- `no-missing-authentication` - Auth check enforcement
+- `no-privilege-escalation` - Privilege escalation detection
+- `no-weak-password-recovery` - Secure password reset enforcement
+#### Session & Cookies (3 rules)
+- `no-insecure-cookie-settings` - Cookie security enforcement
+- `no-missing-csrf-protection` - CSRF protection enforcement
+- `no-document-cookie` - Direct cookie access detection
+#### Network & Headers (5 rules)
+- `no-missing-cors-check` - CORS validation enforcement
+- `no-missing-security-headers` - Security header enforcement
+- `no-insecure-redirects` - Open redirect prevention
+- `no-unencrypted-transmission` - HTTPS enforcement
+- `no-clickjacking` - Clickjacking prevention
+#### Data Exposure (2 rules)
+- `no-exposed-sensitive-data` - Data exposure prevention
+- `no-sensitive-data-exposure` - Log sanitization enforcement
+#### Buffer & Memory (1 rule)
+- `no-buffer-overread` - Buffer safety enforcement
+#### DoS & Resource (2 rules)
+- `no-unlimited-resource-allocation` - Resource limit enforcement
+- `no-unchecked-loop-condition` - Infinite loop prevention
+#### Platform-Specific (2 rules)
+- `no-electron-security-issues` - Electron security enforcement
+- `no-insufficient-postmessage-validation` - postMessage validation

package/LICENSE ADDED Viewed

@@ -0,0 +1,23 @@
+MIT License
+Copyright (c) 2025 Ofri Peretz
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.