eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-hardcoded-credentials.js

@@ -0,0 +1,377 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHardcodedCredentials = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Common credential patterns
+ */
+const CREDENTIAL_PATTERNS = {
+    // API Keys (typically 32+ character alphanumeric strings)
+    apiKey: /^(?:[A-Za-z0-9_-]{32,}|sk_[A-Za-z0-9_-]{32,}|pk_[A-Za-z0-9_-]{32,}|AKIA[0-9A-Z]{16})$/,
+    // JWT Tokens (three base64 parts separated by dots)
+    jwtToken: /^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,
+    // OAuth tokens
+    oauthToken: /^(?:ghp_|gho_|ghu_|ghs_|ghr_)[A-Za-z0-9]{36,}$/,
+    // AWS Access Keys
+    awsAccessKey: /^AKIA[0-9A-Z]{16}$/,
+    // Database connection strings with credentials
+    databaseString: /^(?:mysql|postgres|mongodb|redis):\/\/[^:]+:[^@]+@/,
+    // Generic password patterns (common weak passwords) - no length requirement
+    commonPassword: /^(?:password|admin|123456|qwerty|letmein|welcome|monkey|1234567890|12345678|password123|root|test|guest)$/i,
+    // Secret keys (base64-like or hex strings)
+    secretKey: /^(?:[A-Za-z0-9+/]{32,}={0,2}|[A-Fa-f0-9]{32,})$/,
+};
+// Note: CREDENTIAL_VARIABLE_NAMES is reserved for future use when we want to
+// check variable names in addition to values
+// @coverage-note: Not currently used, reserved for future enhancement
+/**
+ * Check if a string literal looks like a hardcoded credential
+ */
+function looksLikeCredential(value, options, ignorePatterns) {
+    // Check ignore patterns first
+    if (ignorePatterns.some(pattern => pattern.test(value))) {
+        return { isCredential: false, type: '' };
+    }
+    // Check custom patterns first (highest priority)
+    for (const customPattern of options.customPatterns) {
+        try {
+            const regex = new RegExp(customPattern.pattern);
+            if (regex.test(value)) {
+                return { isCredential: true, type: customPattern.type };
+            }
+            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        }
+        catch (error) {
+            // Invalid regex pattern, skip it
+            continue;
+        }
+    }
+    // Check passwords (common weak passwords) - no length requirement, check first
+    if (options.detectPasswords) {
+        if (CREDENTIAL_PATTERNS.commonPassword.test(value)) {
+            return { isCredential: true, type: 'Common password' };
+        }
+    }
+    // Check database connection strings - no length requirement
+    if (options.detectDatabaseStrings) {
+        if (CREDENTIAL_PATTERNS.databaseString.test(value)) {
+            return { isCredential: true, type: 'Database connection string' };
+        }
+    }
+    // Check minimum length for other patterns
+    if (value.length < options.minLength) {
+        return { isCredential: false, type: '' };
+    }
+    // Check tokens first (more specific patterns)
+    if (options.detectTokens) {
+        if (CREDENTIAL_PATTERNS.jwtToken.test(value)) {
+            return { isCredential: true, type: 'JWT token' };
+        }
+        if (CREDENTIAL_PATTERNS.oauthToken.test(value)) {
+            return { isCredential: true, type: 'OAuth token' };
+        }
+    }
+    // Check secret keys first (before generic API key patterns)
+    if (value.length >= 32 && CREDENTIAL_PATTERNS.secretKey.test(value)) {
+        return { isCredential: true, type: 'Secret key' };
+    }
+    // Check API keys
+    if (options.detectApiKeys) {
+        if (CREDENTIAL_PATTERNS.awsAccessKey.test(value)) {
+            return { isCredential: true, type: 'AWS access key' };
+        }
+        // Generic API key pattern (long alphanumeric strings)
+        if (/^[A-Za-z0-9_-]{32,}$/.test(value)) {
+            return { isCredential: true, type: 'API key' };
+        }
+    }
+    return { isCredential: false, type: '' };
+}
+// Note: isCredentialVariableName is reserved for future use when we want to
+// check variable names in addition to values
+// @coverage-note: Not currently used, reserved for future enhancement
+exports.noHardcodedCredentials = (0, eslint_devkit_2.createRule)({
+    name: 'no-hardcoded-credentials',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects hardcoded passwords, API keys, tokens, and other sensitive credentials',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            useEnvironmentVariable: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Hard-coded Credential',
+                cwe: 'CWE-798',
+                description: 'Hard-coded {{credentialType}} detected',
+                severity: 'CRITICAL',
+                fix: 'Use environment variable: process.env.{{envVarName}} or secret management service',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            useSecretManager: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Use Secret Manager',
+                cwe: 'CWE-798',
+                description: 'Use secure secret management service',
+                severity: 'HIGH',
+                fix: 'Use AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or similar',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            strategyEnv: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Environment Variable Strategy',
+                description: 'Move credentials to environment variables',
+                severity: 'MEDIUM',
+                fix: 'Store credentials in environment variables (process.env)',
+                documentationLink: 'https://12factor.net/config',
+            }),
+            strategyConfig: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Configuration File Strategy',
+                description: 'Store credentials in encrypted configuration files',
+                severity: 'MEDIUM',
+                fix: 'Use encrypted configuration files with proper access controls',
+                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Configuration_Management_Cheat_Sheet.html',
+            }),
+            strategyVault: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Secret Vault Strategy',
+                cwe: 'CWE-798',
+                description: 'Use dedicated secret management system',
+                severity: 'HIGH',
+                fix: 'Implement HashiCorp Vault, AWS Secrets Manager, or similar secret vault',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            strategyAuto: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Context-Aware Strategy',
+                description: 'Apply context-aware credential management',
+                severity: 'MEDIUM',
+                fix: 'Choose strategy based on deployment environment and security requirements',
+                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Secrets_Management_Cheat_Sheet.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Regex patterns to ignore',
+                    },
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow credentials in test files',
+                    },
+                    minLength: {
+                        type: 'number',
+                        default: 8,
+                        description: 'Minimum length for credential detection',
+                    },
+                    detectApiKeys: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect API keys',
+                    },
+                    detectPasswords: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect passwords',
+                    },
+                    detectTokens: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect tokens',
+                    },
+                    detectDatabaseStrings: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect database connection strings',
+                    },
+                    customPatterns: {
+                        type: 'array',
+                        items: {
+                            type: 'object',
+                            properties: {
+                                type: {
+                                    type: 'string',
+                                    description: 'The type of credential (e.g., "API key", "token")',
+                                },
+                                pattern: {
+                                    type: 'string',
+                                    description: 'Regex pattern to match',
+                                },
+                            },
+                            required: ['type', 'pattern'],
+                            additionalProperties: false,
+                        },
+                        default: [],
+                        description: 'Custom credential patterns to detect',
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['env', 'config', 'vault', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing hardcoded credentials (auto = smart detection)'
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignorePatterns: [],
+            allowInTests: false,
+            minLength: 8,
+            detectApiKeys: true,
+            detectPasswords: true,
+            detectTokens: true,
+            detectDatabaseStrings: true,
+            customPatterns: [],
+            strategy: 'auto',
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { ignorePatterns = [], allowInTests = false, minLength = 8, detectApiKeys = true, detectPasswords = true, detectTokens = true, detectDatabaseStrings = true, customPatterns = [], } = options || {};
+        const filename = context.filename || context.getFilename();
+        const isTestFile = allowInTests && (filename.includes('.test.') ||
+            filename.includes('.spec.') ||
+            filename.includes('__tests__') ||
+            filename.includes('/test/'));
+        // Compile ignore patterns to regex
+        const compiledIgnorePatterns = ignorePatterns.map((pattern) => new RegExp(pattern));
+        const detectionOptions = {
+            minLength,
+            detectApiKeys,
+            detectPasswords,
+            detectTokens,
+            detectDatabaseStrings,
+            customPatterns,
+        };
+        /**
+         * Check a string literal node
+         */
+        function checkStringLiteral(node, parent) {
+            if (typeof node.value !== 'string') {
+                return;
+            }
+            const value = node.value;
+            // Skip if in test files and allowed
+            if (isTestFile) {
+                return;
+            }
+            // Check if it looks like a credential
+            const { isCredential, type } = looksLikeCredential(value, detectionOptions, compiledIgnorePatterns);
+            if (!isCredential) {
+                return;
+            }
+            // Generate environment variable name suggestion
+            let envVarName = 'API_KEY';
+            if (parent && parent.type === 'Property' && parent.key.type === 'Identifier') {
+                const keyName = parent.key.name;
+                envVarName = keyName
+                    .replace(/([a-z])([A-Z])/g, '$1_$2')
+                    .toUpperCase()
+                    .replace(/[^A-Z0-9_]/g, '_');
+            }
+            else if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                const varName = parent.id.name;
+                envVarName = varName
+                    .replace(/([a-z])([A-Z])/g, '$1_$2')
+                    .toUpperCase()
+                    .replace(/[^A-Z0-9_]/g, '_');
+            }
+            context.report({
+                node,
+                messageId: 'useEnvironmentVariable',
+                data: {
+                    credentialType: type,
+                    envVarName,
+                },
+                suggest: [
+                    {
+                        messageId: 'useEnvironmentVariable',
+                        data: { envVarName, credentialType: type },
+                        fix: (fixer) => {
+                            return fixer.replaceText(node, `process.env.${envVarName} || '${value}'`);
+                        },
+                    },
+                    {
+                        messageId: 'useSecretManager',
+                        data: { credentialType: type },
+                        fix: (fixer) => {
+                            return fixer.replaceText(node, `await getSecret('${envVarName.toLowerCase()}')`);
+                        },
+                    },
+                ],
+            });
+        }
+        return {
+            Literal(node) {
+                checkStringLiteral(node, node.parent);
+            },
+            TemplateLiteral(node) {
+                // Check template literal parts for credentials
+                // Only check if there are no interpolations (static template literal)
+                if (node.expressions.length === 0) {
+                    const fullText = node.quasis.map((q) => q.value.raw).join('');
+                    const { isCredential, type } = looksLikeCredential(fullText, detectionOptions, compiledIgnorePatterns);
+                    if (isCredential && !isTestFile) {
+                        context.report({
+                            node,
+                            messageId: 'useEnvironmentVariable',
+                            data: {
+                                credentialType: type,
+                                envVarName: 'API_KEY',
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useEnvironmentVariable',
+                                    data: { envVarName: 'API_KEY', credentialType: type },
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(node, `process.env.API_KEY || \`${fullText}\``);
+                                    },
+                                },
+                                {
+                                    messageId: 'useSecretManager',
+                                    data: { credentialType: type },
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(node, `await getSecret('api_key')`);
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+                else {
+                    // For template literals with interpolations, check each quasi part
+                    for (const quasi of node.quasis) {
+                        if (quasi.value.raw) {
+                            const { isCredential, type } = looksLikeCredential(quasi.value.raw, detectionOptions, compiledIgnorePatterns);
+                            if (isCredential && !isTestFile) {
+                                // Note: Template literals with interpolations are complex to fix automatically
+                                // So we report the error without suggestions
+                                context.report({
+                                    node: quasi,
+                                    messageId: 'useEnvironmentVariable',
+                                    data: {
+                                        credentialType: type,
+                                        envVarName: 'API_KEY',
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=no-hardcoded-credentials.js.map

package/src/rules/security/no-hardcoded-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-hardcoded-credentials.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-hardcoded-credentials.ts"],"names":[],"mappings":";;;AAQA,4DAA0E;AAC1E,4DAAsD;AAwCtD;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,0DAA0D;IAC1D,MAAM,EAAE,uFAAuF;IAE/F,oDAAoD;IACpD,QAAQ,EAAE,wDAAwD;IAElE,eAAe;IACf,UAAU,EAAE,gDAAgD;IAE5D,kBAAkB;IAClB,YAAY,EAAE,oBAAoB;IAElC,+CAA+C;IAC/C,cAAc,EAAE,oDAAoD;IAEpE,4EAA4E;IAC5E,cAAc,EAAE,4GAA4G;IAE5H,2CAA2C;IAC3C,SAAS,EAAE,iDAAiD;CAC7D,CAAC;AAEF,6EAA6E;AAC7E,6CAA6C;AAC7C,sEAAsE;AAEtE;;GAEG;AACH,SAAS,mBAAmB,CAC1B,KAAa,EACb,OAAiJ,EACjJ,cAAwB;IAExB,8BAA8B;IAC9B,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,iDAAiD;IACjD,KAAK,MAAM,aAAa,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YAChD,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,aAAa,CAAC,IAAI,EAAE,CAAC;YAC1D,CAAC;YACH,6DAA6D;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iCAAiC;YACjC,SAAS;QACX,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,IAAI,mBAAmB,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;QACzD,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;QAClC,IAAI,mBAAmB,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,4BAA4B,EAAE,CAAC;QACpE,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,8CAA8C;IAC9C,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,IAAI,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QACnD,CAAC;QACD,IAAI,mBAAmB,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,IAAI,mBAAmB,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;IACpD,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,IAAI,mBAAmB,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC;QACxD,CAAC;QACD,sDAAsD;QACtD,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AAC3C,CAAC;AAED,4EAA4E;AAC5E,6CAA6C;AAC7C,sEAAsE;AAEzD,QAAA,sBAAsB,GAAG,IAAA,0BAAU,EAA0B;IACxE,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,gFAAgF;SAC9F;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,wCAAwC;gBACrD,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,mFAAmF;gBACxF,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,oBAAoB;gBAC/B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,uEAAuE;gBAC5E,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,WAAW,EAAE,IAAA,gCAAgB,EAAC;gBAC5B,IAAI,EAAE,4BAAY,CAAC,WAAW;gBAC9B,SAAS,EAAE,+BAA+B;gBAC1C,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,0DAA0D;gBAC/D,iBAAiB,EAAE,6BAA6B;aACjD,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,WAAW;gBAC9B,SAAS,EAAE,6BAA6B;gBACxC,WAAW,EAAE,oDAAoD;gBACjE,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,+DAA+D;gBACpE,iBAAiB,EAAE,kGAAkG;aACtH,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,wCAAwC;gBACrD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,yEAAyE;gBAC9E,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,WAAW;gBAC9B,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,2EAA2E;gBAChF,iBAAiB,EAAE,4FAA4F;aAChH,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,0BAA0B;qBACxC;oBACD,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,iCAAiC;qBAC/C;oBACD,SAAS,EAAE;wBACT,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,CAAC;wBACV,WAAW,EAAE,yCAAyC;qBACvD;oBACD,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,iBAAiB;qBAC/B;oBACD,eAAe,EAAE;wBACf,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,kBAAkB;qBAChC;oBACD,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,eAAe;qBAC7B;oBACD,qBAAqB,EAAE;wBACrB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,oCAAoC;qBAClD;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE;4BACL,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE;gCACV,IAAI,EAAE;oCACJ,IAAI,EAAE,QAAQ;oCACd,WAAW,EAAE,mDAAmD;iCACjE;gCACD,OAAO,EAAE;oCACP,IAAI,EAAE,QAAQ;oCACd,WAAW,EAAE,wBAAwB;iCACtC;6BACF;4BACD,QAAQ,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC;4BAC7B,oBAAoB,EAAE,KAAK;yBAC5B;wBACD,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,sCAAsC;qBACpD;oBACD,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC;wBACxC,OAAO,EAAE,MAAM;wBACf,WAAW,EAAE,oEAAoE;qBAClF;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,cAAc,EAAE,EAAE;YAClB,YAAY,EAAE,KAAK;YACnB,SAAS,EAAE,CAAC;YACZ,aAAa,EAAE,IAAI;YACnB,eAAe,EAAE,IAAI;YACrB,YAAY,EAAE,IAAI;YAClB,qBAAqB,EAAE,IAAI;YAC3B,cAAc,EAAE,EAAE;YAClB,QAAQ,EAAE,MAAM;SACjB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,cAAc,GAAG,EAAE,EACnB,YAAY,GAAG,KAAK,EACpB,SAAS,GAAG,CAAC,EACb,aAAa,GAAG,IAAI,EACpB,eAAe,GAAG,IAAI,EACtB,YAAY,GAAG,IAAI,EACnB,qBAAqB,GAAG,IAAI,EAC5B,cAAc,GAAG,EAAE,GACpB,GAAY,OAAO,IAAI,EAAE,CAAC;QAE3B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3D,MAAM,UAAU,GAAG,YAAY,IAAI,CACjC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3B,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3B,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAC5B,CAAC;QAEF,mCAAmC;QACnC,MAAM,sBAAsB,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,OAAe,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5F,MAAM,gBAAgB,GAAG;YACvB,SAAS;YACT,aAAa;YACb,eAAe;YACf,YAAY;YACZ,qBAAqB;YACrB,cAAc;SACf,CAAC;QAGF;;WAEG;QACH,SAAS,kBAAkB,CAAC,IAAsB,EAAE,MAAsB;YACxE,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnC,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAEzB,oCAAoC;YACpC,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,sCAAsC;YACtC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAChD,KAAK,EACL,gBAAgB,EAChB,sBAAsB,CACvB,CAAC;YAEF,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;YACT,CAAC;YAED,gDAAgD;YAChD,IAAI,UAAU,GAAG,SAAS,CAAC;YAC3B,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7E,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;gBAChC,UAAU,GAAG,OAAO;qBACjB,OAAO,CAAC,iBAAiB,EAAE,OAAO,CAAC;qBACnC,WAAW,EAAE;qBACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YACjC,CAAC;iBAAM,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,oBAAoB,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7F,MAAM,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC;gBAC/B,UAAU,GAAG,OAAO;qBACjB,OAAO,CAAC,iBAAiB,EAAE,OAAO,CAAC;qBACnC,WAAW,EAAE;qBACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YACjC,CAAC;YAED,OAAO,CAAC,MAAM,CAAC;gBACb,IAAI;gBACJ,SAAS,EAAE,wBAAwB;gBACnC,IAAI,EAAE;oBACJ,cAAc,EAAE,IAAI;oBACpB,UAAU;iBACX;gBACD,OAAO,EAAE;oBACP;wBACE,SAAS,EAAE,wBAAwB;wBACnC,IAAI,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE;wBAC1C,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;4BACjC,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,eAAe,UAAU,QAAQ,KAAK,GAAG,CAAC,CAAC;wBAC5E,CAAC;qBACF;oBACD;wBACE,SAAS,EAAE,kBAAkB;wBAC7B,IAAI,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE;wBAC9B,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;4BACjC,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,oBAAoB,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;wBACnF,CAAC;qBACF;iBACF;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,OAAO,CAAC,IAAsB;gBAC5B,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACxC,CAAC;YAED,eAAe,CAAC,IAA8B;gBAC5C,+CAA+C;gBAC/C,sEAAsE;gBACtE,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAA2B,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACxF,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAChD,QAAQ,EACR,gBAAgB,EAChB,sBAAsB,CACvB,CAAC;oBAEF,IAAI,YAAY,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChC,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,wBAAwB;4BACnC,IAAI,EAAE;gCACJ,cAAc,EAAE,IAAI;gCACpB,UAAU,EAAE,SAAS;6BACtB;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,wBAAwB;oCACnC,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE;oCACrD,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,4BAA4B,QAAQ,IAAI,CAAC,CAAC;oCAC3E,CAAC;iCACF;gCACD;oCACE,SAAS,EAAE,kBAAkB;oCAC7B,IAAI,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE;oCAC9B,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;wCACjC,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,4BAA4B,CAAC,CAAC;oCAC/D,CAAC;iCACF;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,mEAAmE;oBACnE,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;wBAChC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;4BACpB,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAChD,KAAK,CAAC,KAAK,CAAC,GAAG,EACf,gBAAgB,EAChB,sBAAsB,CACvB,CAAC;4BAEF,IAAI,YAAY,IAAI,CAAC,UAAU,EAAE,CAAC;gCAChC,+EAA+E;gCAC/E,6CAA6C;gCAC7C,OAAO,CAAC,MAAM,CAAC;oCACb,IAAI,EAAE,KAAK;oCACX,SAAS,EAAE,wBAAwB;oCACnC,IAAI,EAAE;wCACJ,cAAc,EAAE,IAAI;wCACpB,UAAU,EAAE,SAAS;qCACtB;iCACF,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-improper-sanitization.d.ts

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Safe sanitization functions */
+    safeSanitizers?: string[];
+    /** Characters that should be escaped */
+    dangerousChars?: string[];
+    /** Contexts that require different encoding */
+    contexts?: string[];
+    /** Trusted sanitization libraries */
+    trustedLibraries?: string[];
+}
+export declare const noImproperSanitization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;