eslint-plugin-secure-coding 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +196 -0
- package/CHANGELOG.md +105 -0
- package/LICENSE +23 -0
- package/README.md +377 -0
- package/package.json +80 -0
- package/src/index.d.ts +32 -0
- package/src/index.js +345 -0
- package/src/index.js.map +1 -0
- package/src/rules/security/database-injection.d.ts +13 -0
- package/src/rules/security/database-injection.js +407 -0
- package/src/rules/security/database-injection.js.map +1 -0
- package/src/rules/security/detect-child-process.d.ts +11 -0
- package/src/rules/security/detect-child-process.js +460 -0
- package/src/rules/security/detect-child-process.js.map +1 -0
- package/src/rules/security/detect-eval-with-expression.d.ts +9 -0
- package/src/rules/security/detect-eval-with-expression.js +393 -0
- package/src/rules/security/detect-eval-with-expression.js.map +1 -0
- package/src/rules/security/detect-non-literal-fs-filename.d.ts +7 -0
- package/src/rules/security/detect-non-literal-fs-filename.js +322 -0
- package/src/rules/security/detect-non-literal-fs-filename.js.map +1 -0
- package/src/rules/security/detect-non-literal-regexp.d.ts +9 -0
- package/src/rules/security/detect-non-literal-regexp.js +387 -0
- package/src/rules/security/detect-non-literal-regexp.js.map +1 -0
- package/src/rules/security/detect-object-injection.d.ts +11 -0
- package/src/rules/security/detect-object-injection.js +411 -0
- package/src/rules/security/detect-object-injection.js.map +1 -0
- package/src/rules/security/no-buffer-overread.d.ts +14 -0
- package/src/rules/security/no-buffer-overread.js +519 -0
- package/src/rules/security/no-buffer-overread.js.map +1 -0
- package/src/rules/security/no-clickjacking.d.ts +10 -0
- package/src/rules/security/no-clickjacking.js +381 -0
- package/src/rules/security/no-clickjacking.js.map +1 -0
- package/src/rules/security/no-directive-injection.d.ts +12 -0
- package/src/rules/security/no-directive-injection.js +446 -0
- package/src/rules/security/no-directive-injection.js.map +1 -0
- package/src/rules/security/no-document-cookie.d.ts +5 -0
- package/src/rules/security/no-document-cookie.js +90 -0
- package/src/rules/security/no-document-cookie.js.map +1 -0
- package/src/rules/security/no-electron-security-issues.d.ts +10 -0
- package/src/rules/security/no-electron-security-issues.js +421 -0
- package/src/rules/security/no-electron-security-issues.js.map +1 -0
- package/src/rules/security/no-exposed-sensitive-data.d.ts +11 -0
- package/src/rules/security/no-exposed-sensitive-data.js +341 -0
- package/src/rules/security/no-exposed-sensitive-data.js.map +1 -0
- package/src/rules/security/no-format-string-injection.d.ts +17 -0
- package/src/rules/security/no-format-string-injection.js +653 -0
- package/src/rules/security/no-format-string-injection.js.map +1 -0
- package/src/rules/security/no-graphql-injection.d.ts +12 -0
- package/src/rules/security/no-graphql-injection.js +410 -0
- package/src/rules/security/no-graphql-injection.js.map +1 -0
- package/src/rules/security/no-hardcoded-credentials.d.ts +26 -0
- package/src/rules/security/no-hardcoded-credentials.js +377 -0
- package/src/rules/security/no-hardcoded-credentials.js.map +1 -0
- package/src/rules/security/no-improper-sanitization.d.ts +12 -0
- package/src/rules/security/no-improper-sanitization.js +408 -0
- package/src/rules/security/no-improper-sanitization.js.map +1 -0
- package/src/rules/security/no-improper-type-validation.d.ts +10 -0
- package/src/rules/security/no-improper-type-validation.js +420 -0
- package/src/rules/security/no-improper-type-validation.js.map +1 -0
- package/src/rules/security/no-insecure-comparison.d.ts +7 -0
- package/src/rules/security/no-insecure-comparison.js +125 -0
- package/src/rules/security/no-insecure-comparison.js.map +1 -0
- package/src/rules/security/no-insecure-cookie-settings.d.ts +9 -0
- package/src/rules/security/no-insecure-cookie-settings.js +305 -0
- package/src/rules/security/no-insecure-cookie-settings.js.map +1 -0
- package/src/rules/security/no-insecure-jwt.d.ts +10 -0
- package/src/rules/security/no-insecure-jwt.js +338 -0
- package/src/rules/security/no-insecure-jwt.js.map +1 -0
- package/src/rules/security/no-insecure-redirects.d.ts +7 -0
- package/src/rules/security/no-insecure-redirects.js +215 -0
- package/src/rules/security/no-insecure-redirects.js.map +1 -0
- package/src/rules/security/no-insufficient-postmessage-validation.d.ts +14 -0
- package/src/rules/security/no-insufficient-postmessage-validation.js +390 -0
- package/src/rules/security/no-insufficient-postmessage-validation.js.map +1 -0
- package/src/rules/security/no-insufficient-random.d.ts +9 -0
- package/src/rules/security/no-insufficient-random.js +207 -0
- package/src/rules/security/no-insufficient-random.js.map +1 -0
- package/src/rules/security/no-ldap-injection.d.ts +10 -0
- package/src/rules/security/no-ldap-injection.js +449 -0
- package/src/rules/security/no-ldap-injection.js.map +1 -0
- package/src/rules/security/no-missing-authentication.d.ts +13 -0
- package/src/rules/security/no-missing-authentication.js +322 -0
- package/src/rules/security/no-missing-authentication.js.map +1 -0
- package/src/rules/security/no-missing-cors-check.d.ts +9 -0
- package/src/rules/security/no-missing-cors-check.js +449 -0
- package/src/rules/security/no-missing-cors-check.js.map +1 -0
- package/src/rules/security/no-missing-csrf-protection.d.ts +11 -0
- package/src/rules/security/no-missing-csrf-protection.js +183 -0
- package/src/rules/security/no-missing-csrf-protection.js.map +1 -0
- package/src/rules/security/no-missing-security-headers.d.ts +7 -0
- package/src/rules/security/no-missing-security-headers.js +217 -0
- package/src/rules/security/no-missing-security-headers.js.map +1 -0
- package/src/rules/security/no-privilege-escalation.d.ts +13 -0
- package/src/rules/security/no-privilege-escalation.js +321 -0
- package/src/rules/security/no-privilege-escalation.js.map +1 -0
- package/src/rules/security/no-redos-vulnerable-regex.d.ts +7 -0
- package/src/rules/security/no-redos-vulnerable-regex.js +307 -0
- package/src/rules/security/no-redos-vulnerable-regex.js.map +1 -0
- package/src/rules/security/no-sensitive-data-exposure.d.ts +11 -0
- package/src/rules/security/no-sensitive-data-exposure.js +251 -0
- package/src/rules/security/no-sensitive-data-exposure.js.map +1 -0
- package/src/rules/security/no-sql-injection.d.ts +10 -0
- package/src/rules/security/no-sql-injection.js +332 -0
- package/src/rules/security/no-sql-injection.js.map +1 -0
- package/src/rules/security/no-timing-attack.d.ts +10 -0
- package/src/rules/security/no-timing-attack.js +358 -0
- package/src/rules/security/no-timing-attack.js.map +1 -0
- package/src/rules/security/no-toctou-vulnerability.d.ts +7 -0
- package/src/rules/security/no-toctou-vulnerability.js +165 -0
- package/src/rules/security/no-toctou-vulnerability.js.map +1 -0
- package/src/rules/security/no-unchecked-loop-condition.d.ts +12 -0
- package/src/rules/security/no-unchecked-loop-condition.js +635 -0
- package/src/rules/security/no-unchecked-loop-condition.js.map +1 -0
- package/src/rules/security/no-unencrypted-transmission.d.ts +11 -0
- package/src/rules/security/no-unencrypted-transmission.js +237 -0
- package/src/rules/security/no-unencrypted-transmission.js.map +1 -0
- package/src/rules/security/no-unescaped-url-parameter.d.ts +9 -0
- package/src/rules/security/no-unescaped-url-parameter.js +266 -0
- package/src/rules/security/no-unescaped-url-parameter.js.map +1 -0
- package/src/rules/security/no-unlimited-resource-allocation.d.ts +12 -0
- package/src/rules/security/no-unlimited-resource-allocation.js +659 -0
- package/src/rules/security/no-unlimited-resource-allocation.js.map +1 -0
- package/src/rules/security/no-unsafe-deserialization.d.ts +10 -0
- package/src/rules/security/no-unsafe-deserialization.js +501 -0
- package/src/rules/security/no-unsafe-deserialization.js.map +1 -0
- package/src/rules/security/no-unsafe-dynamic-require.d.ts +5 -0
- package/src/rules/security/no-unsafe-dynamic-require.js +107 -0
- package/src/rules/security/no-unsafe-dynamic-require.js.map +1 -0
- package/src/rules/security/no-unsafe-regex-construction.d.ts +9 -0
- package/src/rules/security/no-unsafe-regex-construction.js +292 -0
- package/src/rules/security/no-unsafe-regex-construction.js.map +1 -0
- package/src/rules/security/no-unsanitized-html.d.ts +9 -0
- package/src/rules/security/no-unsanitized-html.js +347 -0
- package/src/rules/security/no-unsanitized-html.js.map +1 -0
- package/src/rules/security/no-unvalidated-user-input.d.ts +9 -0
- package/src/rules/security/no-unvalidated-user-input.js +418 -0
- package/src/rules/security/no-unvalidated-user-input.js.map +1 -0
- package/src/rules/security/no-weak-crypto.d.ts +11 -0
- package/src/rules/security/no-weak-crypto.js +350 -0
- package/src/rules/security/no-weak-crypto.js.map +1 -0
- package/src/rules/security/no-weak-password-recovery.d.ts +12 -0
- package/src/rules/security/no-weak-password-recovery.js +401 -0
- package/src/rules/security/no-weak-password-recovery.js.map +1 -0
- package/src/rules/security/no-xpath-injection.d.ts +10 -0
- package/src/rules/security/no-xpath-injection.js +487 -0
- package/src/rules/security/no-xpath-injection.js.map +1 -0
- package/src/rules/security/no-xxe-injection.d.ts +7 -0
- package/src/rules/security/no-xxe-injection.js +270 -0
- package/src/rules/security/no-xxe-injection.js.map +1 -0
- package/src/rules/security/no-zip-slip.d.ts +9 -0
- package/src/rules/security/no-zip-slip.js +446 -0
- package/src/rules/security/no-zip-slip.js.map +1 -0
- package/src/types/index.d.ts +131 -0
- package/src/types/index.js +18 -0
- package/src/types/index.js.map +1 -0
|
@@ -0,0 +1,653 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.noFormatStringInjection = void 0;
|
|
4
|
+
const eslint_devkit_1 = require("@interlace/eslint-devkit");
|
|
5
|
+
const eslint_devkit_2 = require("@interlace/eslint-devkit");
|
|
6
|
+
exports.noFormatStringInjection = (0, eslint_devkit_1.createRule)({
|
|
7
|
+
name: 'no-format-string-injection',
|
|
8
|
+
meta: {
|
|
9
|
+
type: 'problem',
|
|
10
|
+
docs: {
|
|
11
|
+
description: 'Detects format string injection vulnerabilities',
|
|
12
|
+
},
|
|
13
|
+
fixable: 'code',
|
|
14
|
+
hasSuggestions: true,
|
|
15
|
+
messages: {
|
|
16
|
+
formatStringInjection: (0, eslint_devkit_2.formatLLMMessage)({
|
|
17
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
18
|
+
issueName: 'Format String Injection',
|
|
19
|
+
cwe: 'CWE-134',
|
|
20
|
+
description: 'Format string controlled by user input',
|
|
21
|
+
severity: '{{severity}}',
|
|
22
|
+
fix: '{{safeAlternative}}',
|
|
23
|
+
documentationLink: 'https://cwe.mitre.org/data/definitions/134.html',
|
|
24
|
+
}),
|
|
25
|
+
unsafeFormatSpecifier: (0, eslint_devkit_2.formatLLMMessage)({
|
|
26
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
27
|
+
issueName: 'Unsafe Format Specifier',
|
|
28
|
+
cwe: 'CWE-134',
|
|
29
|
+
description: 'User input may contain format specifiers',
|
|
30
|
+
severity: 'MEDIUM',
|
|
31
|
+
fix: 'Escape or validate user input before formatting',
|
|
32
|
+
documentationLink: 'https://cwe.mitre.org/data/definitions/134.html',
|
|
33
|
+
}),
|
|
34
|
+
userControlledFormatString: (0, eslint_devkit_2.formatLLMMessage)({
|
|
35
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
36
|
+
issueName: 'User Controlled Format String',
|
|
37
|
+
cwe: 'CWE-134',
|
|
38
|
+
description: 'Format string parameter comes from user input',
|
|
39
|
+
severity: 'CRITICAL',
|
|
40
|
+
fix: 'Use hardcoded format strings or validate user formats',
|
|
41
|
+
documentationLink: 'https://cwe.mitre.org/data/definitions/134.html',
|
|
42
|
+
}),
|
|
43
|
+
missingFormatValidation: (0, eslint_devkit_2.formatLLMMessage)({
|
|
44
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
45
|
+
issueName: 'Missing Format Validation',
|
|
46
|
+
cwe: 'CWE-134',
|
|
47
|
+
description: 'Format string not validated before use',
|
|
48
|
+
severity: 'HIGH',
|
|
49
|
+
fix: 'Validate format strings against allowed patterns',
|
|
50
|
+
documentationLink: 'https://cwe.mitre.org/data/definitions/134.html',
|
|
51
|
+
}),
|
|
52
|
+
escapeFormatString: (0, eslint_devkit_2.formatLLMMessage)({
|
|
53
|
+
icon: eslint_devkit_2.MessageIcons.INFO,
|
|
54
|
+
issueName: 'Escape Format String',
|
|
55
|
+
description: 'Escape format specifiers in user input',
|
|
56
|
+
severity: 'LOW',
|
|
57
|
+
fix: 'Replace % with %% in user input',
|
|
58
|
+
documentationLink: 'https://nodejs.org/api/util.html#utilformatformat-args',
|
|
59
|
+
}),
|
|
60
|
+
useSafeFormatting: (0, eslint_devkit_2.formatLLMMessage)({
|
|
61
|
+
icon: eslint_devkit_2.MessageIcons.INFO,
|
|
62
|
+
issueName: 'Use Safe Formatting',
|
|
63
|
+
description: 'Use safe string formatting methods',
|
|
64
|
+
severity: 'LOW',
|
|
65
|
+
fix: 'Use template literals or safe format libraries',
|
|
66
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals',
|
|
67
|
+
})
|
|
68
|
+
},
|
|
69
|
+
schema: [
|
|
70
|
+
{
|
|
71
|
+
type: 'object',
|
|
72
|
+
properties: {
|
|
73
|
+
formatFunctions: {
|
|
74
|
+
type: 'array',
|
|
75
|
+
items: { type: 'string' },
|
|
76
|
+
default: ['util.format', 'console.log', 'console.error', 'console.warn', 'sprintf', 'printf', 'vsprintf'],
|
|
77
|
+
},
|
|
78
|
+
formatSpecifiers: {
|
|
79
|
+
type: 'array',
|
|
80
|
+
items: { type: 'string' },
|
|
81
|
+
default: ['%s', '%d', '%i', '%f', '%j', '%o', '%O', '%c', '%%'],
|
|
82
|
+
},
|
|
83
|
+
userInputVariables: {
|
|
84
|
+
type: 'array',
|
|
85
|
+
items: { type: 'string' },
|
|
86
|
+
default: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
|
|
87
|
+
},
|
|
88
|
+
safeFormatLibraries: {
|
|
89
|
+
type: 'array',
|
|
90
|
+
items: { type: 'string' },
|
|
91
|
+
default: ['mustache', 'handlebars', 'ejs', 'pug'],
|
|
92
|
+
},
|
|
93
|
+
trustedSanitizers: {
|
|
94
|
+
type: 'array',
|
|
95
|
+
items: { type: 'string' },
|
|
96
|
+
default: [],
|
|
97
|
+
description: 'Additional function names to consider as format string sanitizers',
|
|
98
|
+
},
|
|
99
|
+
trustedAnnotations: {
|
|
100
|
+
type: 'array',
|
|
101
|
+
items: { type: 'string' },
|
|
102
|
+
default: [],
|
|
103
|
+
description: 'Additional JSDoc annotations to consider as safe markers',
|
|
104
|
+
},
|
|
105
|
+
strictMode: {
|
|
106
|
+
type: 'boolean',
|
|
107
|
+
default: false,
|
|
108
|
+
description: 'Disable all false positive detection (strict mode)',
|
|
109
|
+
},
|
|
110
|
+
},
|
|
111
|
+
additionalProperties: false,
|
|
112
|
+
},
|
|
113
|
+
],
|
|
114
|
+
},
|
|
115
|
+
defaultOptions: [
|
|
116
|
+
{
|
|
117
|
+
formatFunctions: ['util.format', 'console.log', 'console.error', 'console.warn', 'sprintf', 'printf', 'vsprintf'],
|
|
118
|
+
formatSpecifiers: ['%s', '%d', '%i', '%f', '%j', '%o', '%O', '%c', '%%'],
|
|
119
|
+
userInputVariables: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
|
|
120
|
+
safeFormatLibraries: ['mustache', 'handlebars', 'ejs', 'pug'],
|
|
121
|
+
trustedSanitizers: ['validateFormat', 'sanitizeFormat', 'escapeFormat', 'cleanFormat', 'sanitizeFormatString', 'validate', 'sanitize', 'escape', 'clean'],
|
|
122
|
+
trustedAnnotations: [],
|
|
123
|
+
strictMode: false,
|
|
124
|
+
},
|
|
125
|
+
],
|
|
126
|
+
create(context) {
|
|
127
|
+
const defaultOptions = {
|
|
128
|
+
formatFunctions: ['util.format', 'console.log', 'console.error', 'console.warn', 'sprintf', 'printf', 'vsprintf'],
|
|
129
|
+
formatSpecifiers: ['%s', '%d', '%i', '%f', '%j', '%o', '%O', '%c', '%%'],
|
|
130
|
+
userInputVariables: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
|
|
131
|
+
safeFormatLibraries: ['mustache', 'handlebars', 'ejs', 'pug'],
|
|
132
|
+
trustedSanitizers: ['validateFormat', 'sanitizeFormat', 'escapeFormat', 'cleanFormat', 'sanitizeFormatString', 'validate', 'sanitize', 'escape', 'clean'],
|
|
133
|
+
trustedAnnotations: [],
|
|
134
|
+
strictMode: false,
|
|
135
|
+
};
|
|
136
|
+
const options = { ...defaultOptions, ...(context.options[0] || {}) };
|
|
137
|
+
const { formatSpecifiers, userInputVariables, trustedSanitizers, } = options;
|
|
138
|
+
const filename = context.filename || context.getFilename();
|
|
139
|
+
// Create safety checker for false positive detection (simplified implementation)
|
|
140
|
+
const safetyChecker = {
|
|
141
|
+
isSafe: (node, context) => {
|
|
142
|
+
// Check for JSDoc @safe-format annotation
|
|
143
|
+
const comments = context.sourceCode.getCommentsBefore(node);
|
|
144
|
+
for (const comment of comments) {
|
|
145
|
+
if (comment.type === 'Block' && comment.value.includes('@safe-format')) {
|
|
146
|
+
return true;
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
// Check if the node is a validated/sanitized variable
|
|
150
|
+
if (node.type === 'Identifier' && validatedVariables.has(node.name)) {
|
|
151
|
+
return true;
|
|
152
|
+
}
|
|
153
|
+
// For CallExpression nodes, check if first argument is safe
|
|
154
|
+
if (node.type === 'CallExpression' && node.arguments.length > 0) {
|
|
155
|
+
const firstArg = node.arguments[0];
|
|
156
|
+
if (firstArg.type === 'Identifier' && validatedVariables.has(firstArg.name)) {
|
|
157
|
+
return true;
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
return false;
|
|
161
|
+
}
|
|
162
|
+
};
|
|
163
|
+
/**
|
|
164
|
+
* Check if a variable contains user input
|
|
165
|
+
*/
|
|
166
|
+
const isUserInput = (varName) => {
|
|
167
|
+
const lowerName = varName.toLowerCase();
|
|
168
|
+
return userInputVariables.some(input => lowerName.includes(input.toLowerCase())) ||
|
|
169
|
+
lowerName === 'user' ||
|
|
170
|
+
lowerName.includes('userinput') ||
|
|
171
|
+
lowerName.includes('userdata') ||
|
|
172
|
+
lowerName.includes('userparam') ||
|
|
173
|
+
lowerName.includes('usermessage') ||
|
|
174
|
+
lowerName.includes('usertemplate') ||
|
|
175
|
+
lowerName.includes('userformat') ||
|
|
176
|
+
lowerName.includes('uservar');
|
|
177
|
+
};
|
|
178
|
+
/**
|
|
179
|
+
* Check if a node represents user input (including member expressions)
|
|
180
|
+
*/
|
|
181
|
+
const isUserInputNode = (node) => {
|
|
182
|
+
if (node.type === 'Identifier') {
|
|
183
|
+
return isUserInput(node.name) || dangerousVariables.has(node.name);
|
|
184
|
+
}
|
|
185
|
+
if (node.type === 'MemberExpression') {
|
|
186
|
+
// Check patterns like req.query.*, req.body.*, req.params.*, etc.
|
|
187
|
+
if (node.object.type === 'MemberExpression' &&
|
|
188
|
+
node.object.object.type === 'Identifier' &&
|
|
189
|
+
node.object.object.name === 'req' &&
|
|
190
|
+
node.object.property.type === 'Identifier' &&
|
|
191
|
+
['query', 'body', 'params', 'param'].includes(node.object.property.name)) {
|
|
192
|
+
return true;
|
|
193
|
+
}
|
|
194
|
+
// Check patterns like req.*
|
|
195
|
+
if (node.object.type === 'Identifier' && node.object.name === 'req') {
|
|
196
|
+
return true;
|
|
197
|
+
}
|
|
198
|
+
// Check other user input patterns
|
|
199
|
+
const fullName = getMemberExpressionName(node);
|
|
200
|
+
return isUserInput(fullName);
|
|
201
|
+
}
|
|
202
|
+
return false;
|
|
203
|
+
};
|
|
204
|
+
/**
|
|
205
|
+
* Get the full name of a member expression (e.g., req.query.format)
|
|
206
|
+
*/
|
|
207
|
+
const getMemberExpressionName = (node) => {
|
|
208
|
+
if (node.object.type === 'Identifier') {
|
|
209
|
+
if (node.property.type === 'Identifier') {
|
|
210
|
+
return `${node.object.name}.${node.property.name}`;
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
else if (node.object.type === 'MemberExpression') {
|
|
214
|
+
const objectName = getMemberExpressionName(node.object);
|
|
215
|
+
if (node.property.type === 'Identifier') {
|
|
216
|
+
return `${objectName}.${node.property.name}`;
|
|
217
|
+
}
|
|
218
|
+
}
|
|
219
|
+
return '';
|
|
220
|
+
};
|
|
221
|
+
/**
|
|
222
|
+
* Check if a string contains format specifiers
|
|
223
|
+
*/
|
|
224
|
+
const containsFormatSpecifiers = (text) => {
|
|
225
|
+
return formatSpecifiers.some(specifier => text.includes(specifier));
|
|
226
|
+
};
|
|
227
|
+
/**
|
|
228
|
+
* Check if a call expression uses format functions
|
|
229
|
+
*/
|
|
230
|
+
const isConsoleMethod = (node) => {
|
|
231
|
+
const callee = node.callee;
|
|
232
|
+
return callee.type === 'MemberExpression' &&
|
|
233
|
+
callee.object.type === 'Identifier' &&
|
|
234
|
+
callee.object.name === 'console' &&
|
|
235
|
+
callee.property.type === 'Identifier' &&
|
|
236
|
+
['log', 'error', 'warn', 'info', 'debug'].includes(callee.property.name);
|
|
237
|
+
};
|
|
238
|
+
const isFormatFunctionCall = (node) => {
|
|
239
|
+
const callee = node.callee;
|
|
240
|
+
// Check for util.format
|
|
241
|
+
if (callee.type === 'MemberExpression' &&
|
|
242
|
+
callee.object.type === 'Identifier' &&
|
|
243
|
+
callee.object.name === 'util' &&
|
|
244
|
+
callee.property.type === 'Identifier' &&
|
|
245
|
+
callee.property.name === 'format') {
|
|
246
|
+
return true;
|
|
247
|
+
}
|
|
248
|
+
// Check for console methods
|
|
249
|
+
if (callee.type === 'MemberExpression' &&
|
|
250
|
+
callee.object.type === 'Identifier' &&
|
|
251
|
+
callee.object.name === 'console' &&
|
|
252
|
+
callee.property.type === 'Identifier' &&
|
|
253
|
+
['log', 'error', 'warn', 'info', 'debug'].includes(callee.property.name)) {
|
|
254
|
+
return true;
|
|
255
|
+
}
|
|
256
|
+
// Check for sprintf/printf functions
|
|
257
|
+
if (callee.type === 'Identifier' &&
|
|
258
|
+
['sprintf', 'printf', 'vsprintf'].includes(callee.name)) {
|
|
259
|
+
return true;
|
|
260
|
+
}
|
|
261
|
+
return false;
|
|
262
|
+
};
|
|
263
|
+
// Track variables that have been validated/sanitized
|
|
264
|
+
const validatedVariables = new Set();
|
|
265
|
+
const dangerousVariables = new Set();
|
|
266
|
+
/**
|
|
267
|
+
* Check if input has been validated/sanitized
|
|
268
|
+
*/
|
|
269
|
+
const isInputValidated = (inputNode) => {
|
|
270
|
+
// Check if this is a validated variable
|
|
271
|
+
if (inputNode.type === 'Identifier' && validatedVariables.has(inputNode.name)) {
|
|
272
|
+
return true;
|
|
273
|
+
}
|
|
274
|
+
let current = inputNode;
|
|
275
|
+
while (current) {
|
|
276
|
+
if (current.type === 'CallExpression' &&
|
|
277
|
+
current.callee.type === 'Identifier' &&
|
|
278
|
+
trustedSanitizers.includes(current.callee.name)) {
|
|
279
|
+
return true;
|
|
280
|
+
}
|
|
281
|
+
current = current.parent;
|
|
282
|
+
}
|
|
283
|
+
return false;
|
|
284
|
+
};
|
|
285
|
+
/**
|
|
286
|
+
* Check if string literal contains format specifiers
|
|
287
|
+
*/
|
|
288
|
+
const hasFormatSpecifiers = (node) => {
|
|
289
|
+
if (typeof node.value !== 'string') {
|
|
290
|
+
return false;
|
|
291
|
+
}
|
|
292
|
+
return containsFormatSpecifiers(node.value);
|
|
293
|
+
};
|
|
294
|
+
// Helper functions for expression analysis
|
|
295
|
+
function containsFormatSpecifiersInExpression(expr) {
|
|
296
|
+
if (expr.left.type === 'Literal' && typeof expr.left.value === 'string' && containsFormatSpecifiers(expr.left.value)) {
|
|
297
|
+
return true;
|
|
298
|
+
}
|
|
299
|
+
if (expr.right.type === 'Literal' && typeof expr.right.value === 'string' && containsFormatSpecifiers(expr.right.value)) {
|
|
300
|
+
return true;
|
|
301
|
+
}
|
|
302
|
+
if (expr.left.type === 'BinaryExpression' && containsFormatSpecifiersInExpression(expr.left)) {
|
|
303
|
+
return true;
|
|
304
|
+
}
|
|
305
|
+
if (expr.right.type === 'BinaryExpression' && containsFormatSpecifiersInExpression(expr.right)) {
|
|
306
|
+
return true;
|
|
307
|
+
}
|
|
308
|
+
return false;
|
|
309
|
+
}
|
|
310
|
+
function hasUserInputInExpression(expr) {
|
|
311
|
+
if (isUserInputNode(expr.left)) {
|
|
312
|
+
return true;
|
|
313
|
+
}
|
|
314
|
+
if (isUserInputNode(expr.right)) {
|
|
315
|
+
return true;
|
|
316
|
+
}
|
|
317
|
+
if (expr.left.type === 'BinaryExpression' && hasUserInputInExpression(expr.left)) {
|
|
318
|
+
return true;
|
|
319
|
+
}
|
|
320
|
+
if (expr.right.type === 'BinaryExpression' && hasUserInputInExpression(expr.right)) {
|
|
321
|
+
return true;
|
|
322
|
+
}
|
|
323
|
+
return false;
|
|
324
|
+
}
|
|
325
|
+
return {
|
|
326
|
+
// Check call expressions for format function usage
|
|
327
|
+
CallExpression: function (node) {
|
|
328
|
+
if (!isFormatFunctionCall(node)) {
|
|
329
|
+
return;
|
|
330
|
+
}
|
|
331
|
+
const args = node.arguments;
|
|
332
|
+
if (args.length === 0) {
|
|
333
|
+
return;
|
|
334
|
+
}
|
|
335
|
+
// For util.format and sprintf, first argument is the format string
|
|
336
|
+
const formatArg = args[0];
|
|
337
|
+
// Check if format string comes from user input
|
|
338
|
+
// But skip console methods since they don't use the first arg as a format template
|
|
339
|
+
const isFormatFromUserInput = isUserInputNode(formatArg) ||
|
|
340
|
+
(formatArg.type === 'Identifier' && dangerousVariables.has(formatArg.name)) ||
|
|
341
|
+
(formatArg.type === 'BinaryExpression' && hasUserInputInExpression(formatArg));
|
|
342
|
+
if (isFormatFromUserInput && !isConsoleMethod(node)) {
|
|
343
|
+
// FALSE POSITIVE REDUCTION
|
|
344
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
345
|
+
return;
|
|
346
|
+
}
|
|
347
|
+
context.report({
|
|
348
|
+
node: formatArg,
|
|
349
|
+
messageId: 'userControlledFormatString',
|
|
350
|
+
data: {
|
|
351
|
+
filePath: filename,
|
|
352
|
+
line: String(node.loc?.start.line ?? 0),
|
|
353
|
+
},
|
|
354
|
+
});
|
|
355
|
+
return;
|
|
356
|
+
}
|
|
357
|
+
// Check if format string is a template literal or binary expression with user input
|
|
358
|
+
if (formatArg.type === 'TemplateLiteral') {
|
|
359
|
+
const hasUserInput = formatArg.expressions.some((expr) => isUserInputNode(expr));
|
|
360
|
+
if (hasUserInput) {
|
|
361
|
+
// FALSE POSITIVE REDUCTION
|
|
362
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
363
|
+
return;
|
|
364
|
+
}
|
|
365
|
+
context.report({
|
|
366
|
+
node: formatArg,
|
|
367
|
+
messageId: 'formatStringInjection',
|
|
368
|
+
data: {
|
|
369
|
+
filePath: filename,
|
|
370
|
+
line: String(node.loc?.start.line ?? 0),
|
|
371
|
+
severity: 'HIGH',
|
|
372
|
+
safeAlternative: 'Use hardcoded format strings or validate template input',
|
|
373
|
+
},
|
|
374
|
+
});
|
|
375
|
+
return;
|
|
376
|
+
}
|
|
377
|
+
}
|
|
378
|
+
else if (formatArg.type === 'BinaryExpression' && formatArg.operator === '+') {
|
|
379
|
+
const hasUserInput = hasUserInputInExpression(formatArg);
|
|
380
|
+
if (hasUserInput) {
|
|
381
|
+
// FALSE POSITIVE REDUCTION
|
|
382
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
383
|
+
return;
|
|
384
|
+
}
|
|
385
|
+
context.report({
|
|
386
|
+
node: formatArg,
|
|
387
|
+
messageId: 'formatStringInjection',
|
|
388
|
+
data: {
|
|
389
|
+
filePath: filename,
|
|
390
|
+
line: String(node.loc?.start.line ?? 0),
|
|
391
|
+
severity: 'HIGH',
|
|
392
|
+
safeAlternative: 'Separate user input from format strings',
|
|
393
|
+
},
|
|
394
|
+
});
|
|
395
|
+
return;
|
|
396
|
+
}
|
|
397
|
+
}
|
|
398
|
+
// Check for format specifiers in subsequent arguments (could indicate user input in format position)
|
|
399
|
+
// Only check if the format string itself is not validated/safe
|
|
400
|
+
const firstArg = args[0];
|
|
401
|
+
const isFormatSafe = isInputValidated(firstArg) ||
|
|
402
|
+
(firstArg.type === 'Identifier' && validatedVariables.has(firstArg.name));
|
|
403
|
+
if (!isFormatSafe) {
|
|
404
|
+
let hasUserInputInArgs = false;
|
|
405
|
+
let hasSpecifiersInFormat = false;
|
|
406
|
+
// Check if any argument contains user input (skip first arg which is format string)
|
|
407
|
+
for (let i = 1; i < args.length; i++) {
|
|
408
|
+
const arg = args[i];
|
|
409
|
+
if (isUserInputNode(arg) && !isInputValidated(arg)) {
|
|
410
|
+
hasUserInputInArgs = true;
|
|
411
|
+
break;
|
|
412
|
+
}
|
|
413
|
+
}
|
|
414
|
+
// Check if any argument (potential format string) contains specifiers
|
|
415
|
+
const firstArg = args[0];
|
|
416
|
+
if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
|
|
417
|
+
if (containsFormatSpecifiers(firstArg.value)) {
|
|
418
|
+
hasSpecifiersInFormat = true;
|
|
419
|
+
}
|
|
420
|
+
}
|
|
421
|
+
else if (firstArg.type === 'Identifier') {
|
|
422
|
+
// Check if the identifier name suggests it contains format specifiers
|
|
423
|
+
const varName = firstArg.name.toLowerCase();
|
|
424
|
+
if (varName.includes('format') || varName.includes('template') || varName.includes('pattern')) {
|
|
425
|
+
hasSpecifiersInFormat = true;
|
|
426
|
+
}
|
|
427
|
+
}
|
|
428
|
+
// Special case: For console.log/console.error with single argument, don't flag
|
|
429
|
+
// console.log(userMessage) is equivalent to console.log("%s", userMessage) but is generally safe
|
|
430
|
+
if (!hasSpecifiersInFormat && args.length === 2 && isConsoleMethod(node)) {
|
|
431
|
+
// Don't report
|
|
432
|
+
}
|
|
433
|
+
else if (hasSpecifiersInFormat && hasUserInputInArgs) {
|
|
434
|
+
// FALSE POSITIVE REDUCTION
|
|
435
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
436
|
+
return;
|
|
437
|
+
}
|
|
438
|
+
// Choose message ID based on format string type
|
|
439
|
+
const messageId = firstArg.type === 'Literal' ? 'unsafeFormatSpecifier' : 'missingFormatValidation';
|
|
440
|
+
context.report({
|
|
441
|
+
node: node,
|
|
442
|
+
messageId,
|
|
443
|
+
data: {
|
|
444
|
+
filePath: filename,
|
|
445
|
+
line: String(node.loc?.start.line ?? 0),
|
|
446
|
+
},
|
|
447
|
+
suggest: [
|
|
448
|
+
{
|
|
449
|
+
messageId: 'escapeFormatString',
|
|
450
|
+
fix: (fixer) => {
|
|
451
|
+
// Find the argument that needs escaping
|
|
452
|
+
// This is a bit heuristic, we try to find the first user input argument
|
|
453
|
+
for (let i = 1; i < node.arguments.length; i++) {
|
|
454
|
+
const arg = node.arguments[i];
|
|
455
|
+
if (isUserInputNode(arg)) {
|
|
456
|
+
return fixer.insertTextAfter(arg, '.replace(/%/g, "%%")');
|
|
457
|
+
}
|
|
458
|
+
}
|
|
459
|
+
return null;
|
|
460
|
+
},
|
|
461
|
+
},
|
|
462
|
+
],
|
|
463
|
+
});
|
|
464
|
+
}
|
|
465
|
+
}
|
|
466
|
+
},
|
|
467
|
+
// Check string literals for format specifiers with user input context
|
|
468
|
+
Literal: function (node) {
|
|
469
|
+
if (!hasFormatSpecifiers(node)) {
|
|
470
|
+
return;
|
|
471
|
+
}
|
|
472
|
+
// Only check literals that are dynamically constructed or come from user input
|
|
473
|
+
// Hardcoded string literals with format specifiers are safe when used properly
|
|
474
|
+
const text = node.value;
|
|
475
|
+
// Check if this literal is constructed from user input (e.g., concatenation)
|
|
476
|
+
let current = node;
|
|
477
|
+
let isFromUserInput = false;
|
|
478
|
+
// Walk up to find if this literal is part of a concatenation or template with user input
|
|
479
|
+
while (current && !isFromUserInput) {
|
|
480
|
+
if (current.type === 'BinaryExpression' &&
|
|
481
|
+
current.operator === '+' &&
|
|
482
|
+
(current.left === node || current.right === node)) {
|
|
483
|
+
// Check if the other side contains user input
|
|
484
|
+
const otherSide = current.left === node ? current.right : current.left;
|
|
485
|
+
if (otherSide.type === 'Identifier' && isUserInput(otherSide.name)) {
|
|
486
|
+
isFromUserInput = true;
|
|
487
|
+
break;
|
|
488
|
+
}
|
|
489
|
+
}
|
|
490
|
+
if (current.type === 'VariableDeclarator' &&
|
|
491
|
+
current.init === node.parent &&
|
|
492
|
+
current.id.type === 'Identifier') {
|
|
493
|
+
// console.log('DEBUG: Checking variable declarator', current.id.name);
|
|
494
|
+
// Check if variable name suggests user input
|
|
495
|
+
if (isUserInput(current.id.name)) {
|
|
496
|
+
isFromUserInput = true;
|
|
497
|
+
break;
|
|
498
|
+
}
|
|
499
|
+
}
|
|
500
|
+
current = current.parent;
|
|
501
|
+
}
|
|
502
|
+
// Only flag if the literal is constructed from user input
|
|
503
|
+
if (!isFromUserInput) {
|
|
504
|
+
return;
|
|
505
|
+
}
|
|
506
|
+
// Check if this string is used in a context where it could be dangerous
|
|
507
|
+
current = node;
|
|
508
|
+
let isInDangerousContext = false;
|
|
509
|
+
// Walk up to find if this is passed to a format function
|
|
510
|
+
while (current && !isInDangerousContext) {
|
|
511
|
+
if (current.type === 'CallExpression' && isFormatFunctionCall(current)) {
|
|
512
|
+
// Check if this is the first argument (format string position)
|
|
513
|
+
const args = current.arguments;
|
|
514
|
+
if (args.length > 0 && args[0] === node) {
|
|
515
|
+
isInDangerousContext = true;
|
|
516
|
+
break;
|
|
517
|
+
}
|
|
518
|
+
}
|
|
519
|
+
current = current.parent;
|
|
520
|
+
}
|
|
521
|
+
if (isInDangerousContext && containsFormatSpecifiers(text)) {
|
|
522
|
+
// FALSE POSITIVE REDUCTION
|
|
523
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
524
|
+
return;
|
|
525
|
+
}
|
|
526
|
+
context.report({
|
|
527
|
+
node,
|
|
528
|
+
messageId: 'missingFormatValidation',
|
|
529
|
+
data: {
|
|
530
|
+
filePath: filename,
|
|
531
|
+
line: String(node.loc?.start.line ?? 0),
|
|
532
|
+
},
|
|
533
|
+
});
|
|
534
|
+
}
|
|
535
|
+
},
|
|
536
|
+
// Check template literals for format string injection
|
|
537
|
+
TemplateLiteral: function (node) {
|
|
538
|
+
// Check if template literal is used as format string
|
|
539
|
+
let current = node;
|
|
540
|
+
let isFormatString = false;
|
|
541
|
+
while (current && !isFormatString) {
|
|
542
|
+
if (current.type === 'CallExpression' && isFormatFunctionCall(current)) {
|
|
543
|
+
const args = current.arguments;
|
|
544
|
+
if (args.length > 0 && args[0] === node) {
|
|
545
|
+
isFormatString = true;
|
|
546
|
+
break;
|
|
547
|
+
}
|
|
548
|
+
}
|
|
549
|
+
current = current.parent;
|
|
550
|
+
}
|
|
551
|
+
if (isFormatString) {
|
|
552
|
+
// Template literal used as format string - let CallExpression visitor handle this
|
|
553
|
+
// to avoid duplicate reporting
|
|
554
|
+
return;
|
|
555
|
+
}
|
|
556
|
+
// Check if template literal contains user input and is used dangerously
|
|
557
|
+
const hasUserInput = node.expressions.some((expr) => isUserInputNode(expr));
|
|
558
|
+
if (hasUserInput) {
|
|
559
|
+
// Check if this template is assigned to a variable that could be used as format string
|
|
560
|
+
let current = node;
|
|
561
|
+
let isAssignedToVariable = false;
|
|
562
|
+
while (current) {
|
|
563
|
+
if (current.type === 'VariableDeclarator') {
|
|
564
|
+
isAssignedToVariable = true;
|
|
565
|
+
break;
|
|
566
|
+
}
|
|
567
|
+
current = current.parent;
|
|
568
|
+
}
|
|
569
|
+
if (isAssignedToVariable) {
|
|
570
|
+
// FALSE POSITIVE REDUCTION
|
|
571
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
572
|
+
return;
|
|
573
|
+
}
|
|
574
|
+
context.report({
|
|
575
|
+
node,
|
|
576
|
+
messageId: 'formatStringInjection',
|
|
577
|
+
data: {
|
|
578
|
+
filePath: filename,
|
|
579
|
+
line: String(node.loc?.start.line ?? 0),
|
|
580
|
+
severity: 'HIGH',
|
|
581
|
+
safeAlternative: 'Extract user input from template and validate separately',
|
|
582
|
+
},
|
|
583
|
+
});
|
|
584
|
+
}
|
|
585
|
+
}
|
|
586
|
+
},
|
|
587
|
+
// Check variable assignments that might create format strings
|
|
588
|
+
VariableDeclarator: function (node) {
|
|
589
|
+
if (!node.init || node.id.type !== 'Identifier') {
|
|
590
|
+
return;
|
|
591
|
+
}
|
|
592
|
+
const varName = node.id.name;
|
|
593
|
+
// Track variables that are assigned the result of sanitization functions
|
|
594
|
+
if (node.init.type === 'CallExpression' &&
|
|
595
|
+
node.init.callee.type === 'Identifier' &&
|
|
596
|
+
trustedSanitizers.includes(node.init.callee.name)) {
|
|
597
|
+
validatedVariables.add(varName);
|
|
598
|
+
}
|
|
599
|
+
// Track variables that are assigned user input (dangerous)
|
|
600
|
+
if (isUserInputNode(node.init) || (node.init.type === 'BinaryExpression' && hasUserInputInExpression(node.init))) {
|
|
601
|
+
dangerousVariables.add(varName);
|
|
602
|
+
}
|
|
603
|
+
const varNameLower = varName.toLowerCase();
|
|
604
|
+
if (!varNameLower.includes('format') && !varNameLower.includes('template') && !varNameLower.includes('fmt') && !varNameLower.includes('str')) {
|
|
605
|
+
return;
|
|
606
|
+
}
|
|
607
|
+
// Check if assigned value contains format specifiers and user input
|
|
608
|
+
if (node.init.type === 'TemplateLiteral') {
|
|
609
|
+
const hasSpecifiers = node.init.quasis.some((quasi) => containsFormatSpecifiers(quasi.value.raw));
|
|
610
|
+
const hasUserInput = node.init.expressions.some((expr) => isUserInputNode(expr));
|
|
611
|
+
if (hasSpecifiers && hasUserInput) {
|
|
612
|
+
// FALSE POSITIVE REDUCTION
|
|
613
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
614
|
+
return;
|
|
615
|
+
}
|
|
616
|
+
context.report({
|
|
617
|
+
node: node.init,
|
|
618
|
+
messageId: 'formatStringInjection',
|
|
619
|
+
data: {
|
|
620
|
+
filePath: filename,
|
|
621
|
+
line: String(node.loc?.start.line ?? 0),
|
|
622
|
+
severity: 'MEDIUM',
|
|
623
|
+
safeAlternative: 'Separate format string from user data',
|
|
624
|
+
},
|
|
625
|
+
});
|
|
626
|
+
}
|
|
627
|
+
}
|
|
628
|
+
// Check if assigned value is a string concatenation with user input
|
|
629
|
+
if (node.init.type === 'BinaryExpression' && node.init.operator === '+') {
|
|
630
|
+
const hasSpecifiers = containsFormatSpecifiersInExpression(node.init);
|
|
631
|
+
const hasUserInput = hasUserInputInExpression(node.init);
|
|
632
|
+
if (hasSpecifiers && hasUserInput) {
|
|
633
|
+
// FALSE POSITIVE REDUCTION
|
|
634
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
635
|
+
return;
|
|
636
|
+
}
|
|
637
|
+
context.report({
|
|
638
|
+
node: node.init,
|
|
639
|
+
messageId: 'formatStringInjection',
|
|
640
|
+
data: {
|
|
641
|
+
filePath: filename,
|
|
642
|
+
line: String(node.loc?.start.line ?? 0),
|
|
643
|
+
severity: 'MEDIUM',
|
|
644
|
+
safeAlternative: 'Separate format string from user data',
|
|
645
|
+
},
|
|
646
|
+
});
|
|
647
|
+
}
|
|
648
|
+
}
|
|
649
|
+
}
|
|
650
|
+
};
|
|
651
|
+
},
|
|
652
|
+
});
|
|
653
|
+
//# sourceMappingURL=no-format-string-injection.js.map
|