eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-insecure-cookie-settings.js

@@ -0,0 +1,305 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsecureCookieSettings = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+/**
+ * Check if a node is inside a cookie configuration
+ */
+function isInsideCookieConfig(node, sourceCode) {
+    let current = node;
+    // Traverse up the parent chain
+    while (current && 'parent' in current && current.parent) {
+        current = current.parent;
+        // Check for cookie-related method calls
+        if (current.type === 'CallExpression') {
+            const callExpr = current;
+            // Check for res.cookie() calls
+            if (callExpr.callee.type === 'MemberExpression') {
+                const memberExpr = callExpr.callee;
+                if (memberExpr.property.type === 'Identifier' && memberExpr.property.name === 'cookie') {
+                    // Check if the node is an argument of this call
+                    if (callExpr.arguments.some((arg) => arg === node || (arg.type === 'ObjectExpression' && sourceCode.getText(arg).includes(sourceCode.getText(node))))) {
+                        return true;
+                    }
+                }
+            }
+            // Check for other cookie-related calls using text matching
+            const callText = sourceCode.getText(current);
+            if (/\b(cookie|cookies|setCookie|res\.cookie|document\.cookie)\b/i.test(callText)) {
+                const callee = callExpr.callee;
+                // Specific check for cookies.set / cookie.set
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    callee.property.name === 'set') {
+                    return true;
+                }
+                // Check if node is part of this call
+                const nodeText = sourceCode.getText(node);
+                if (callText.includes(nodeText)) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Check if an object expression has secure cookie settings
+ */
+function hasSecureCookieSettings(node, sourceCode) {
+    const text = sourceCode.getText(node);
+    // Check for httpOnly flag (case-insensitive)
+    const hasHttpOnly = /\bhttpOnly\s*:\s*(true|'true'|"true")/i.test(text);
+    // Check for secure flag (case-insensitive)
+    const hasSecure = /\bsecure\s*:\s*(true|'true'|"true")/i.test(text);
+    // Check for sameSite flag (should be 'strict', 'lax', or 'none')
+    const hasSameSite = /\bsameSite\s*:\s*['"](strict|lax|none)['"]/i.test(text);
+    return { hasHttpOnly, hasSecure, hasSameSite };
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, ignorePatterns) {
+    return ignorePatterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+exports.noInsecureCookieSettings = (0, eslint_devkit_1.createRule)({
+    name: 'no-insecure-cookie-settings',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects insecure cookie configurations (missing httpOnly, secure, sameSite flags)',
+        },
+        hasSuggestions: true,
+        messages: {
+            insecureCookieSettings: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Insecure Cookie Configuration',
+                cwe: 'CWE-614',
+                description: 'Insecure cookie settings detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/614.html',
+            }),
+            addSecureFlags: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add Secure Flags',
+                description: 'Set secure cookie flags',
+                severity: 'LOW',
+                fix: '{ httpOnly: true, secure: true, sameSite: "strict" }',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow insecure cookies in test files',
+                    },
+                    cookieLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Cookie library patterns to recognize',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            cookieLibraries: [],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, ignorePatterns = [], } = options;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkObjectExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check if this ObjectExpression is the third argument of a cookie call
+            // First, check if parent is directly a CallExpression
+            if (node.parent && node.parent.type === 'CallExpression') {
+                const parentCall = node.parent;
+                const callee = parentCall.callee;
+                // Check if it's a cookie call
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    callee.property.name === 'cookie') {
+                    // Check if this node is the third argument (index 2)
+                    // Use both reference check and range check for reliability
+                    const thirdArg = parentCall.arguments.length >= 3 ? parentCall.arguments[2] : null;
+                    const isThirdArg = thirdArg && (thirdArg === node ||
+                        (thirdArg.type === 'ObjectExpression' &&
+                            thirdArg.range[0] === node.range[0] &&
+                            thirdArg.range[1] === node.range[1]));
+                    if (isThirdArg) {
+                        // Check if the parent call is ignored
+                        const callText = sourceCode.getText(parentCall);
+                        if (matchesIgnorePattern(callText, ignorePatterns)) {
+                            return;
+                        }
+                    }
+                }
+            }
+            // If not handled above, check if it's inside a cookie config using helper
+            if (!isInsideCookieConfig(node, sourceCode)) {
+                return;
+            }
+            // If it's inside a cookie config, check it
+            const text = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(text, ignorePatterns)) {
+                return;
+            }
+            const { hasHttpOnly, hasSecure, hasSameSite } = hasSecureCookieSettings(node, sourceCode);
+            const issues = [];
+            if (!hasHttpOnly) {
+                issues.push('missing httpOnly flag');
+            }
+            if (!hasSecure) {
+                issues.push('missing secure flag');
+            }
+            if (!hasSameSite) {
+                issues.push('missing sameSite flag');
+            }
+            if (issues.length > 0) {
+                const issueDescription = issues.join(', ');
+                const safeAlternative = 'Set httpOnly: true, secure: true, sameSite: "strict"';
+                context.report({
+                    node,
+                    messageId: 'insecureCookieSettings',
+                    data: {
+                        issue: issueDescription,
+                        safeAlternative,
+                    },
+                    suggest: [
+                        {
+                            messageId: 'addSecureFlags',
+                            fix(fixer) {
+                                // Find the last property in the object
+                                const properties = node.properties;
+                                if (properties.length === 0) {
+                                    // Empty object - add all flags
+                                    return fixer.replaceText(node, '{ httpOnly: true, secure: true, sameSite: "strict" }');
+                                }
+                                const lastProperty = properties[properties.length - 1];
+                                const lastPropertyText = sourceCode.getText(lastProperty);
+                                const needsComma = !lastPropertyText.trim().endsWith(',');
+                                const insertPosition = lastProperty.range[1];
+                                const missingFlags = [];
+                                if (!hasHttpOnly)
+                                    missingFlags.push('httpOnly: true');
+                                if (!hasSecure)
+                                    missingFlags.push('secure: true');
+                                if (!hasSameSite)
+                                    missingFlags.push('sameSite: "strict"');
+                                const prefix = needsComma ? ',' : '';
+                                const insertion = prefix + '\n  ' + missingFlags.join(',\n  ');
+                                return fixer.insertTextAfterRange([insertPosition, insertPosition], insertion);
+                            },
+                        },
+                    ],
+                });
+            }
+        }
+        function checkCallExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            const callee = node.callee;
+            const callText = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(callText, ignorePatterns)) {
+                return;
+            }
+            // Check for res.cookie() calls or cookies.set() calls
+            const isResCookie = callee.type === 'MemberExpression' &&
+                callee.property.type === 'Identifier' &&
+                callee.property.name === 'cookie';
+            const isUniversalCookie = callee.type === 'MemberExpression' &&
+                callee.property.type === 'Identifier' &&
+                callee.property.name === 'set' &&
+                callee.object.type === 'Identifier' &&
+                (callee.object.name === 'cookies' || callee.object.name === 'cookie');
+            if (isResCookie || isUniversalCookie) {
+                // Check if third argument (options) is provided
+                if (node.arguments.length < 3) {
+                    context.report({
+                        node,
+                        messageId: 'insecureCookieSettings',
+                        data: {
+                            issue: 'missing cookie options with httpOnly, secure, and sameSite flags',
+                            safeAlternative: 'Add options object: res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "strict" })',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'addSecureFlags',
+                                fix(fixer) {
+                                    // Add options as third argument
+                                    const lastArg = node.arguments[node.arguments.length - 1];
+                                    const insertPosition = lastArg.range[1];
+                                    return fixer.insertTextAfterRange([insertPosition, insertPosition], `, { httpOnly: true, secure: true, sameSite: "strict" }`);
+                                },
+                            },
+                        ],
+                    });
+                    return;
+                }
+            }
+        }
+        function checkAssignmentExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for document.cookie assignments
+            if (node.left.type === 'MemberExpression' &&
+                node.left.object.type === 'Identifier' &&
+                node.left.object.name === 'document' &&
+                node.left.property.type === 'Identifier' &&
+                node.left.property.name === 'cookie') {
+                const text = sourceCode.getText(node);
+                // Check if it matches any ignore pattern
+                if (matchesIgnorePattern(text, ignorePatterns)) {
+                    return;
+                }
+                context.report({
+                    node,
+                    messageId: 'insecureCookieSettings',
+                    data: {
+                        issue: 'using document.cookie directly (cannot set httpOnly flag)',
+                        safeAlternative: 'Use server-side cookie setting with httpOnly: true, secure: true, sameSite: "strict"',
+                    },
+                });
+            }
+        }
+        return {
+            ObjectExpression: checkObjectExpression,
+            CallExpression: checkCallExpression,
+            AssignmentExpression: checkAssignmentExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-insecure-cookie-settings.js.map

package/src/rules/security/no-insecure-cookie-settings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-insecure-cookie-settings.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-insecure-cookie-settings.ts"],"names":[],"mappings":";;;AASA,4DAAsF;AAiBtF;;GAEG;AACH,SAAS,oBAAoB,CAC3B,IAAmB,EACnB,UAA+B;IAE/B,IAAI,OAAO,GAAyB,IAAI,CAAC;IAEzC,+BAA+B;IAC/B,OAAO,OAAO,IAAI,QAAQ,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACxD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;QAE1C,wCAAwC;QACxC,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,OAAkC,CAAC;YAEpD,+BAA+B;YAC/B,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAChD,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;gBACnC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACvF,gDAAgD;oBAChD,IAAI,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAkB,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,kBAAkB,IAAI,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBACrK,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;YACH,CAAC;YAED,2DAA2D;YAC3D,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,8DAA8D,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClF,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;gBAC/B,8CAA8C;gBAC7C,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;oBAChC,OAAO,IAAI,CAAC;gBAChB,CAAC;gBAEF,qCAAqC;gBACrC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC1C,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChC,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,IAA+B,EAC/B,UAA+B;IAE/B,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtC,6CAA6C;IAC7C,MAAM,WAAW,GAAG,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAExE,2CAA2C;IAC3C,MAAM,SAAS,GAAG,sCAAsC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEpE,iEAAiE;IACjE,MAAM,WAAW,GAAG,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAY,EAAE,cAAwB;IAClE,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAEY,QAAA,wBAAwB,GAAG,IAAA,0BAAU,EAA0B;IAC1E,IAAI,EAAE,6BAA6B;IACnC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,mFAAmF;SACjG;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,+BAA+B;gBAC1C,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,8CAA8C;gBAC3D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,yBAAyB;gBACtC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,oEAAoE;aACxF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,sCAAsC;qBACpD;oBACD,eAAe,EAAE;wBACf,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,sCAAsC;qBACpD;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,oCAAoC;qBAClD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;YACnB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;SACnB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,YAAY,GAAG,KAAK,EACpB,cAAc,GAAG,EAAE,GACpB,GAAG,OAAkB,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D,SAAS,qBAAqB,CAAC,IAA+B;YAC5D,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,wEAAwE;YACxE,sDAAsD;YACtD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACzD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAiC,CAAC;gBAC1D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;gBAEjC,8BAA8B;gBAC9B,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,EACjC,CAAC;oBACD,qDAAqD;oBACrD,2DAA2D;oBAC3D,MAAM,QAAQ,GAAG,UAAU,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;oBACnF,MAAM,UAAU,GAAG,QAAQ,IAAI,CAC7B,QAAQ,KAAK,IAAI;wBACjB,CAAC,QAAQ,CAAC,IAAI,KAAK,kBAAkB;4BACpC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;4BACnC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CACtC,CAAC;oBAEF,IAAI,UAAU,EAAE,CAAC;wBACf,sCAAsC;wBACtC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;wBAChD,IAAI,oBAAoB,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;4BACnD,OAAO;wBACT,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,0EAA0E;YAC1E,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC5C,OAAO;YACT,CAAC;YAED,2CAA2C;YAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEtC,yCAAyC;YACzC,IAAI,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,uBAAuB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAE1F,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACvC,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACrC,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACvC,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3C,MAAM,eAAe,GAAG,sDAAsD,CAAC;gBAE/E,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,wBAAwB;oBACnC,IAAI,EAAE;wBACJ,KAAK,EAAE,gBAAgB;wBACvB,eAAe;qBAChB;oBACD,OAAO,EAAE;wBACP;4BACE,SAAS,EAAE,gBAAgB;4BAC3B,GAAG,CAAC,KAAyB;gCAC3B,uCAAuC;gCACvC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gCACnC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oCAC5B,+BAA+B;oCAC/B,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,sDAAsD,CAAC,CAAC;gCACzF,CAAC;gCAED,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gCACvD,MAAM,gBAAgB,GAAG,UAAU,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;gCAC1D,MAAM,UAAU,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;gCAC1D,MAAM,cAAc,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gCAE7C,MAAM,YAAY,GAAa,EAAE,CAAC;gCAClC,IAAI,CAAC,WAAW;oCAAE,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;gCACtD,IAAI,CAAC,SAAS;oCAAE,YAAY,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gCAClD,IAAI,CAAC,WAAW;oCAAE,YAAY,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gCAE1D,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gCACrC,MAAM,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gCAE/D,OAAO,KAAK,CAAC,oBAAoB,CAC/B,CAAC,cAAc,EAAE,cAAc,CAAC,EAChC,SAAS,CACV,CAAC;4BACJ,CAAC;yBACF;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,SAAS,mBAAmB,CAAC,IAA6B;YACxD,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC3B,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE1C,yCAAyC;YACzC,IAAI,oBAAoB,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;gBACnD,OAAO;YACT,CAAC;YAED,sDAAsD;YACtD,MAAM,WAAW,GACf,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC;YAEpC,MAAM,iBAAiB,GACrB,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK;gBAC9B,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACnC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YAExE,IAAI,WAAW,IAAI,iBAAiB,EAAE,CAAC;gBACrC,gDAAgD;gBAChD,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC9B,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,wBAAwB;wBACnC,IAAI,EAAE;4BACJ,KAAK,EAAE,kEAAkE;4BACzE,eAAe,EAAE,mGAAmG;yBACrH;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,gBAAgB;gCAC3B,GAAG,CAAC,KAAyB;oCAC3B,gCAAgC;oCAChC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;oCAC1D,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oCACxC,OAAO,KAAK,CAAC,oBAAoB,CAC/B,CAAC,cAAc,EAAE,cAAc,CAAC,EAChC,wDAAwD,CACzD,CAAC;gCACJ,CAAC;6BACF;yBACF;qBACF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC;QAED,SAAS,yBAAyB,CAAC,IAAmC;YACpE,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,wCAAwC;YACxC,IACE,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB;gBACrC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACtC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,UAAU;gBACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,EACpC,CAAC;gBACD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAEtC,yCAAyC;gBACzC,IAAI,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;oBAC/C,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,wBAAwB;oBACnC,IAAI,EAAE;wBACJ,KAAK,EAAE,2DAA2D;wBAClE,eAAe,EAAE,sFAAsF;qBACxG;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,gBAAgB,EAAE,qBAAqB;YACvC,cAAc,EAAE,mBAAmB;YACnC,oBAAoB,EAAE,yBAAyB;SAChD,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-insecure-jwt.d.ts

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Allow specific insecure algorithms for legacy compatibility. Default: [] (strict) */
+    allowedInsecureAlgorithms?: string[];
+    /** Minimum key length for HMAC secrets. Default: 32 (256 bits) */
+    minSecretLength?: number;
+    /** JWT libraries to consider safe. Default: jsonwebtoken, jose, jwt */
+    trustedJwtLibraries?: string[];
+}
+export declare const noInsecureJwt: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-insecure-jwt.js

@@ -0,0 +1,338 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsecureJwt = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noInsecureJwt = (0, eslint_devkit_1.createRule)({
+    name: 'no-insecure-jwt',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects insecure JWT operations and missing signature verification',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            insecureJwtAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insecure JWT Algorithm',
+                cwe: 'CWE-347',
+                description: 'JWT algorithm confusion vulnerability',
+                severity: 'CRITICAL',
+                fix: 'Use RS256/ES256 and validate algorithm before verification',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            missingSignatureVerification: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing JWT Signature Verification',
+                cwe: 'CWE-347',
+                description: 'JWT parsed without signature verification',
+                severity: 'CRITICAL',
+                fix: 'Use jwt.verify() instead of jwt.decode()',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            weakJwtSecret: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Weak JWT Secret',
+                cwe: 'CWE-347',
+                description: 'JWT signed with weak/insufficient secret',
+                severity: 'HIGH',
+                fix: 'Use minimum 256-bit secret (32+ characters)',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            jwtWithoutValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'JWT Without Validation',
+                cwe: 'CWE-347',
+                description: 'JWT used without proper validation',
+                severity: 'HIGH',
+                fix: 'Verify JWT signature before trusting payload',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            unsafeJwtParsing: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe JWT Parsing',
+                cwe: 'CWE-347',
+                description: 'Unsafe JWT parsing pattern detected',
+                severity: 'MEDIUM',
+                fix: 'Use verified JWT libraries with proper error handling',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            useSecureJwtLibrary: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Secure JWT Library',
+                description: 'Use jsonwebtoken or jose library',
+                severity: 'LOW',
+                fix: 'npm install jsonwebtoken && use jwt.verify()',
+                documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
+            }),
+            verifyBeforeTrust: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Verify Before Trust',
+                description: 'Always verify JWT signature before using payload',
+                severity: 'LOW',
+                fix: 'jwt.verify(token, secret, callback)',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            strategyUseVerifiedLibrary: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Verified Library Strategy',
+                description: 'Use battle-tested JWT libraries',
+                severity: 'LOW',
+                fix: 'Use jsonwebtoken, jose, or jwt libraries',
+                documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
+            }),
+            strategyValidateAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Algorithm Validation Strategy',
+                description: 'Validate algorithms before use',
+                severity: 'LOW',
+                fix: 'Whitelist allowed algorithms: ["RS256", "ES256"]',
+                documentationLink: 'https://tools.ietf.org/html/rfc8725',
+            }),
+            strategyStrongSecrets: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Strong Secrets Strategy',
+                description: 'Use cryptographically strong secrets',
+                severity: 'LOW',
+                fix: 'Generate 256-bit secrets: crypto.randomBytes(32)',
+                documentationLink: 'https://nodejs.org/api/crypto.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowedInsecureAlgorithms: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                    },
+                    minSecretLength: {
+                        type: 'number',
+                        minimum: 16,
+                        default: 32,
+                    },
+                    trustedJwtLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['jsonwebtoken', 'jose', 'jwt'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as JWT validators',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowedInsecureAlgorithms: [],
+            minSecretLength: 32,
+            trustedJwtLibraries: ['jsonwebtoken', 'jose', 'jwt'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { minSecretLength = 32, trustedJwtLibraries = ['jsonwebtoken', 'jose', 'jwt'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if secret/key is weak
+         */
+        const isWeakSecret = (secretNode) => {
+            if (secretNode.type === 'Literal' && typeof secretNode.value === 'string') {
+                return secretNode.value.length < minSecretLength;
+            }
+            return false; // Can't determine strength of non-literal secrets
+        };
+        /**
+         * Check if JWT operation has signature verification
+         */
+        const hasSignatureVerification = (jwtCall) => {
+            // Check if it's jwt.verify() call
+            if (jwtCall.callee.type === 'MemberExpression' &&
+                jwtCall.callee.property.type === 'Identifier' &&
+                jwtCall.callee.property.name === 'verify') {
+                return true;
+            }
+            // Check for @verified annotation
+            return (0, eslint_devkit_3.hasSafeAnnotation)(jwtCall, context, trustedAnnotations);
+        };
+        /**
+         * Check if this is a trusted JWT library call
+         */
+        const isTrustedJwtLibrary = (node) => {
+            // Check if callee is a member expression (library.method)
+            if (node.callee.type !== 'MemberExpression') {
+                return false;
+            }
+            // Check if the object is a JWT library
+            const object = node.callee.object;
+            if (object.type === 'Identifier') {
+                return trustedJwtLibraries.includes(object.name.toLowerCase());
+            }
+            return false;
+        };
+        /**
+         * Extract JWT-related information from a call
+         */
+        const extractJwtInfo = (node) => {
+            const sourceText = sourceCode.getText(node);
+            // Check for algorithm specification
+            const hasAlgorithmSpec = /\b(algorithms?|alg)\s*:/i.test(sourceText);
+            // Check for insecure patterns
+            const hasNoneAlgorithm = /\b(alg|algorithms?)\s*:\s*['"`]\s*none\s*['"`]/i.test(sourceText);
+            const hasWeakAlgorithm = /\b(alg|algorithms?)\s*:\s*['"`]\s*(HS256|HS384|HS512)\s*['"`]/i.test(sourceText);
+            return {
+                sourceText,
+                hasAlgorithmSpec,
+                hasNoneAlgorithm,
+                hasWeakAlgorithm,
+                isDecodeCall: /\bdecode\b/i.test(sourceText),
+                isVerifyCall: /\bverify\b/i.test(sourceText),
+            };
+        };
+        return {
+            // Check JWT library method calls
+            CallExpression(node) {
+                if (!isTrustedJwtLibrary(node)) {
+                    return;
+                }
+                const jwtInfo = extractJwtInfo(node);
+                // CRITICAL: Algorithm confusion attack (alg: "none")
+                if (jwtInfo.hasNoneAlgorithm) {
+                    context.report({
+                        node,
+                        messageId: 'insecureJwtAlgorithm',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                    return;
+                }
+                // HIGH: Weak algorithm without proper key validation
+                if (jwtInfo.hasWeakAlgorithm && node.arguments.length >= 2) {
+                    const secretArg = node.arguments[1];
+                    if (isWeakSecret(secretArg)) {
+                        context.report({
+                            node,
+                            messageId: 'weakJwtSecret',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                        return;
+                    }
+                }
+                // CRITICAL: Using jwt.decode() instead of jwt.verify()
+                if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
+                    // FALSE POSITIVE REDUCTION: Skip if annotated as safe
+                    if (safetyChecker.isSafe(node, context)) {
+                        return;
+                    }
+                    context.report({
+                        node,
+                        messageId: 'missingSignatureVerification',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                        suggest: [
+                            {
+                                messageId: 'verifyBeforeTrust',
+                                fix: () => null // Could be complex to auto-fix
+                            },
+                        ],
+                    });
+                }
+            },
+            // Check for JWT-related variable declarations and assignments
+            VariableDeclarator(node) {
+                if (!node.init || node.init.type !== 'CallExpression') {
+                    return;
+                }
+                const initCall = node.init;
+                if (!isTrustedJwtLibrary(initCall)) {
+                    return;
+                }
+                const jwtInfo = extractJwtInfo(initCall);
+                // Variable assigned with unverified JWT data
+                if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
+                    // FALSE POSITIVE REDUCTION
+                    if (safetyChecker.isSafe(initCall, context)) {
+                        return;
+                    }
+                    context.report({
+                        node,
+                        messageId: 'jwtWithoutValidation',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                }
+            },
+            // Check for JWT token usage without verification
+            Literal(node) {
+                if (typeof node.value !== 'string') {
+                    return;
+                }
+                const value = node.value;
+                // Look for JWT patterns in strings
+                if (value.includes('eyJ') && value.split('.').length === 3) { // JWT structure
+                    // Check if this JWT is used unsafely
+                    let current = node;
+                    let isVerified = false;
+                    // Walk up to find if this is within a verified JWT operation
+                    while (current && !isVerified) {
+                        if (current.type === 'CallExpression' && hasSignatureVerification(current)) {
+                            isVerified = true;
+                            break;
+                        }
+                        current = current.parent;
+                    }
+                    if (!isVerified && !safetyChecker.isSafe(node, context)) {
+                        context.report({
+                            node,
+                            messageId: 'unsafeJwtParsing',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});
+//# sourceMappingURL=no-insecure-jwt.js.map