eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-insecure-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-insecure-jwt.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-insecure-jwt.ts"],"names":[],"mappings":";;;AAaA,4DAAsD;AACtD,4DAA0E;AAC1E,4DAIkC;AA2BrB,QAAA,aAAa,GAAG,IAAA,0BAAU,EAA0B;IAC/D,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,oEAAoE;SAClF;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,wBAAwB;gBACnC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,4DAA4D;gBACjE,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,4BAA4B,EAAE,IAAA,gCAAgB,EAAC;gBAC7C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,oCAAoC;gBAC/C,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,0CAA0C;gBAC/C,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,iBAAiB;gBAC5B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,0CAA0C;gBACvD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,6CAA6C;gBAClD,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,wBAAwB;gBACnC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,oCAAoC;gBACjD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,oBAAoB;gBAC/B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,qCAAqC;gBAClD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,kCAAkC;gBAC/C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,4CAA4C;aAChE,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,kDAAkD;gBAC/D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qCAAqC;gBAC1C,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,0BAA0B,EAAE,IAAA,gCAAgB,EAAC;gBAC3C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,WAAW,EAAE,iCAAiC;gBAC9C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0CAA0C;gBAC/C,iBAAiB,EAAE,4CAA4C;aAChE,CAAC;YACF,yBAAyB,EAAE,IAAA,gCAAgB,EAAC;gBAC1C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,+BAA+B;gBAC1C,WAAW,EAAE,gCAAgC;gBAC7C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;YACF,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,oCAAoC;aACxD,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,yBAAyB,EAAE;wBACzB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;qBACZ;oBACD,eAAe,EAAE;wBACf,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,EAAE;wBACX,OAAO,EAAE,EAAE;qBACZ;oBACD,mBAAmB,EAAE;wBACnB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,CAAC;qBACzC;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,yDAAyD;qBACvE;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,0DAA0D;qBACxE;oBACD,UAAU,EAAE;wBACV,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,oDAAoD;qBAClE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,yBAAyB,EAAE,EAAE;YAC7B,eAAe,EAAE,EAAE;YACnB,mBAAmB,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,CAAC;YACpD,iBAAiB,EAAE,EAAE;YACrB,kBAAkB,EAAE,EAAE;YACtB,UAAU,EAAE,KAAK;SAClB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,eAAe,GAAG,EAAE,EACpB,mBAAmB,GAAG,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,CAAC,EACrD,iBAAiB,GAAG,EAAE,EACtB,kBAAkB,GAAG,EAAE,EACvB,UAAU,GAAG,KAAK,GACnB,GAAY,OAAO,CAAC;QAErB,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAA,mCAAmB,EAAC;YACxC,iBAAiB;YACjB,kBAAkB;YAClB,kBAAkB,EAAE,EAAE;YACtB,UAAU;SACX,CAAC,CAAC;QAEH;;WAEG;QACH,MAAM,YAAY,GAAG,CAAC,UAAyB,EAAW,EAAE;YAC1D,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,UAAU,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC1E,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC;YACnD,CAAC;YACD,OAAO,KAAK,CAAC,CAAC,kDAAkD;QAClE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,wBAAwB,GAAG,CAAC,OAAgC,EAAW,EAAE;YAC7E,kCAAkC;YAClC,IACE,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAC1C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC7C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,EACzC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,OAAO,IAAA,iCAAiB,EAAC,OAAO,EAAE,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACjE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,IAA6B,EAAW,EAAE;YACrE,0DAA0D;YAC1D,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,uCAAuC;YACvC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YAClC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACjC,OAAO,mBAAmB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YACjE,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,cAAc,GAAG,CAAC,IAA6B,EAAE,EAAE;YACvD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE5C,oCAAoC;YACpC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAErE,8BAA8B;YAC9B,MAAM,gBAAgB,GAAG,iDAAiD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC5F,MAAM,gBAAgB,GAAG,gEAAgE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAE3G,OAAO;gBACL,UAAU;gBACV,gBAAgB;gBAChB,gBAAgB;gBAChB,gBAAgB;gBAChB,YAAY,EAAE,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC;gBAC5C,YAAY,EAAE,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC;aAC7C,CAAC;QACJ,CAAC,CAAC;QAEF,OAAO;YACL,iCAAiC;YACjC,cAAc,CAAC,IAA6B;gBAC1C,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/B,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;gBAErC,qDAAqD;gBACrD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;oBAC7B,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,sBAAsB;wBACjC,IAAI,EAAE;4BACJ,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;yBACxC;qBACF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,qDAAqD;gBACrD,IAAI,OAAO,CAAC,gBAAgB,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBACpC,IAAI,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC5B,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,eAAe;4BAC1B,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;wBACH,OAAO;oBACT,CAAC;gBACH,CAAC;gBAED,uDAAuD;gBACvD,IAAI,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;oBAClD,sDAAsD;oBACtD,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;wBACxC,OAAO;oBACT,CAAC;oBAED,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,8BAA8B;wBACzC,IAAI,EAAE;4BACJ,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;yBACxC;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,mBAAmB;gCAC9B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,+BAA+B;6BAChD;yBACF;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,kBAAkB,CAAC,IAAiC;gBAClD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACtD,OAAO;gBACT,CAAC;gBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;gBAC3B,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnC,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAEzC,6CAA6C;gBAC7C,IAAI,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;oBAClD,2BAA2B;oBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;wBAC5C,OAAO;oBACT,CAAC;oBAED,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,sBAAsB;wBACjC,IAAI,EAAE;4BACJ,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;yBACxC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,iDAAiD;YACjD,OAAO,CAAC,IAAsB;gBAC5B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACnC,OAAO;gBACT,CAAC;gBAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,mCAAmC;gBACnC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC,CAAC,gBAAgB;oBAC5E,qCAAqC;oBACrC,IAAI,OAAO,GAA8B,IAAI,CAAC;oBAC9C,IAAI,UAAU,GAAG,KAAK,CAAC;oBAEvB,6DAA6D;oBAC7D,OAAO,OAAO,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;4BAC3E,UAAU,GAAG,IAAI,CAAC;4BAClB,MAAM;wBACR,CAAC;wBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;oBAC5C,CAAC;oBAED,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;wBACxD,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,kBAAkB;4BAC7B,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-insecure-redirects.d.ts

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+    /** Allowed redirect domains. Default: [] */
+    allowedDomains?: string[];
+}
+export declare const noInsecureRedirects: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-insecure-redirects.js

@@ -0,0 +1,215 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsecureRedirects = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if redirect URL is validated
+ */
+function isRedirectValidated(node, sourceCode) {
+    const callText = sourceCode.getText(node);
+    // Check if URL is from user input (req.query, req.body, req.params)
+    const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
+    if (!userInputPattern.test(callText)) {
+        // Not from user input, assume safe
+        return true;
+    }
+    // Look for validation patterns in the surrounding code
+    // This is a simplified static analysis - in practice, would need data flow analysis
+    const program = sourceCode.ast;
+    const nodeStart = node.loc?.start;
+    const nodeEnd = node.loc?.end;
+    if (!nodeStart || !nodeEnd || !program) {
+        return false;
+    }
+    // Check for validation function calls before this redirect
+    const validationPatterns = [
+        /\b(validateUrl|validateRedirect|isValidUrl|isSafeUrl)\s*\(/,
+        /\b(whitelist|allowedDomains|permittedUrls)\s*\./,
+        /\b(url\.hostname|url\.host)\s*===/,
+        /\ballowedDomains\.includes\s*\(/,
+        /\bstartsWith\s*\(\s*['"]/,
+        /\bendsWith\s*\(\s*['"]/,
+        /\bindexOf\s*\(\s*['"]/,
+        /\bmatch\s*\(\s*\//,
+    ];
+    // Look for validation in the same function scope
+    let current = node;
+    let depth = 0;
+    const maxDepth = 20;
+    while (current && depth < maxDepth) {
+        // Check siblings before this node
+        const parent = current.parent;
+        if (!parent)
+            break;
+        if (parent.type === 'BlockStatement') {
+            const body = parent.body;
+            const currentIndex = body.indexOf(current);
+            // Check previous statements in the same block
+            for (let i = currentIndex - 1; i >= 0 && i >= currentIndex - 5; i--) {
+                const stmt = body[i];
+                const stmtText = sourceCode.getText(stmt);
+                if (validationPatterns.some(pattern => pattern.test(stmtText))) {
+                    return true; // Found validation
+                }
+            }
+        }
+        current = parent;
+        depth++;
+    }
+    // No validation found
+    return false;
+}
+exports.noInsecureRedirects = (0, eslint_devkit_2.createRule)({
+    name: 'no-insecure-redirects',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects open redirect vulnerabilities',
+        },
+        hasSuggestions: true,
+        messages: {
+            insecureRedirect: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Open redirect',
+                cwe: 'CWE-601',
+                description: 'Unvalidated redirect detected - user-controlled URL',
+                severity: 'HIGH',
+                fix: 'Whitelist allowed domains or validate redirect target',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+            }),
+            whitelistDomains: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Whitelist Domains',
+                description: 'Whitelist allowed redirect domains',
+                severity: 'LOW',
+                fix: 'if (allowedDomains.includes(url.hostname)) redirect(url)',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+            }),
+            validateRedirect: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Redirect',
+                description: 'Validate redirect URL before use',
+                severity: 'LOW',
+                fix: 'validateRedirectUrl(userInput) before redirect',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+            }),
+            useRelativeUrl: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Relative URL',
+                description: 'Use relative URLs for internal redirects',
+                severity: 'LOW',
+                fix: 'redirect("/internal/path") instead of absolute URLs',
+                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    allowedDomains: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignoreInTests: true,
+            allowedDomains: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { ignoreInTests = true } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check redirect calls and assignments
+         */
+        function checkCallExpression(node) {
+            // Check for res.redirect, window.location, etc.
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier') {
+                const methodName = node.callee.property.name;
+                if (['redirect', 'replace', 'assign'].includes(methodName)) {
+                    // Check if redirect URL is validated
+                    if (!isRedirectValidated(node, sourceCode)) {
+                        context.report({
+                            node,
+                            messageId: 'insecureRedirect',
+                            suggest: [
+                                {
+                                    messageId: 'whitelistDomains',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'validateRedirect',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'useRelativeUrl',
+                                    fix: () => null,
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        /**
+         * Check assignment expressions like window.location.href = ...
+         */
+        function checkAssignmentExpression(node) {
+            // Check for window.location.href assignments
+            if (node.left.type === 'MemberExpression' &&
+                node.left.object.type === 'MemberExpression' &&
+                node.left.object.object.type === 'Identifier' &&
+                node.left.object.object.name === 'window' &&
+                node.left.object.property.type === 'Identifier' &&
+                node.left.object.property.name === 'location' &&
+                node.left.property.type === 'Identifier' &&
+                ['href', 'replace', 'assign'].includes(node.left.property.name)) {
+                // Check if assignment value comes from user input
+                const rightText = sourceCode.getText(node.right);
+                const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
+                if (userInputPattern.test(rightText)) {
+                    context.report({
+                        node,
+                        messageId: 'insecureRedirect',
+                        suggest: [
+                            {
+                                messageId: 'whitelistDomains',
+                                fix: () => null,
+                            },
+                            {
+                                messageId: 'validateRedirect',
+                                fix: () => null,
+                            },
+                            {
+                                messageId: 'useRelativeUrl',
+                                fix: () => null,
+                            },
+                        ],
+                    });
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+            AssignmentExpression: checkAssignmentExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-insecure-redirects.js.map

package/src/rules/security/no-insecure-redirects.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-insecure-redirects.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-insecure-redirects.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAkBtD;;GAEG;AACH,SAAS,mBAAmB,CAC1B,IAA6B,EAC7B,UAA+B;IAE/B,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1C,oEAAoE;IACpE,MAAM,gBAAgB,GAAG,oEAAoE,CAAC;IAE9F,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrC,mCAAmC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uDAAuD;IACvD,oFAAoF;IAEpF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC;IAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;IAE9B,IAAI,CAAC,SAAS,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2DAA2D;IAC3D,MAAM,kBAAkB,GAAG;QACzB,4DAA4D;QAC5D,iDAAiD;QACjD,mCAAmC;QACnC,iCAAiC;QACjC,0BAA0B;QAC1B,wBAAwB;QACxB,uBAAuB;QACvB,mBAAmB;KACpB,CAAC;IAEF,iDAAiD;IACjD,IAAI,OAAO,GAAyB,IAAI,CAAC;IACzC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,MAAM,QAAQ,GAAG,EAAE,CAAC;IAEpB,OAAO,OAAO,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;QACnC,kCAAkC;QAClC,MAAM,MAAM,GAA+B,OAAsD,CAAC,MAAM,CAAC;QACzG,IAAI,CAAC,MAAM;YAAE,MAAM;QAEnB,IAAI,MAAM,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACzB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAA6B,CAAC,CAAC;YAEjE,8CAA8C;YAC9C,KAAK,IAAI,CAAC,GAAG,YAAY,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpE,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;oBAC/D,OAAO,IAAI,CAAC,CAAC,mBAAmB;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,GAAG,MAAM,CAAC;QACjB,KAAK,EAAE,CAAC;IACV,CAAC;IAED,sBAAsB;IACtB,OAAO,KAAK,CAAC;AACf,CAAC;AAEY,QAAA,mBAAmB,GAAG,IAAA,0BAAU,EAA0B;IACrE,IAAI,EAAE,uBAAuB;IAC7B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,uCAAuC;SACrD;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,eAAe;gBAC1B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,qDAAqD;gBAClE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,oFAAoF;aACxG,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,oCAAoC;gBACjD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0DAA0D;gBAC/D,iBAAiB,EAAE,oFAAoF;aACxG,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,kCAAkC;gBAC/C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,gDAAgD;gBACrD,iBAAiB,EAAE,oFAAoF;aACxG,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,0CAA0C;gBACvD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,oFAAoF;aACxG,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;qBACZ;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,IAAI;YACnB,cAAc,EAAE,EAAE;SACnB;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACV,aAAa,GAAG,IAAI,EACnB,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,aAAa,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAErF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,gDAAgD;YAChD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAE7C,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC3D,qCAAqC;oBACrC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;wBAC3C,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,kBAAkB;4BAC7B,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,kBAAkB;oCAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;gCACD;oCACE,SAAS,EAAE,kBAAkB;oCAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;gCACD;oCACE,SAAS,EAAE,gBAAgB;oCAC3B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;iCAChB;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED;;WAEG;QACH,SAAS,yBAAyB,CAAC,IAAmC;YACpE,6CAA6C;YAC7C,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB;gBACrC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBAC5C,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBAC7C,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ;gBACzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAC/C,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,UAAU;gBAC7C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACxC,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEpE,kDAAkD;gBAClD,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACjD,MAAM,gBAAgB,GAAG,oEAAoE,CAAC;gBAE9F,IAAI,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;oBACrC,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI;wBACJ,SAAS,EAAE,kBAAkB;wBAC7B,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,kBAAkB;gCAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6BAChB;4BACD;gCACE,SAAS,EAAE,kBAAkB;gCAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6BAChB;4BACD;gCACE,SAAS,EAAE,gBAAgB;gCAC3B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6BAChB;yBACF;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;YACnC,oBAAoB,EAAE,yBAAyB;SAChD,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-insufficient-postmessage-validation.d.ts

@@ -0,0 +1,14 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Allowed origins for postMessage communication */
+    allowedOrigins?: string[];
+    /** Whether to allow wildcard origins in development */
+    allowWildcardInDev?: boolean;
+    /** Message event handler patterns to check */
+    messageHandlerPatterns?: string[];
+    /** Origins considered safe (e.g., localhost, development domains) */
+    safeOrigins?: string[];
+    /** Whether to perform deep origin validation analysis */
+    deepValidation?: boolean;
+}
+export declare const noInsufficientPostmessageValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-insufficient-postmessage-validation.js

@@ -0,0 +1,390 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noInsufficientPostmessageValidation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noInsufficientPostmessageValidation = (0, eslint_devkit_1.createRule)({
+    name: 'no-insufficient-postmessage-validation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects insufficient postMessage origin validation',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            insufficientPostmessageValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insufficient postMessage Validation',
+                cwe: 'CWE-20',
+                description: 'postMessage origin validation is insufficient',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            wildcardOrigin: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Wildcard postMessage Origin',
+                cwe: 'CWE-20',
+                description: 'postMessage uses wildcard origin (*)',
+                severity: 'CRITICAL',
+                fix: 'Use specific trusted origins instead of "*"',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            missingOriginCheck: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Origin Check',
+                cwe: 'CWE-20',
+                description: 'Message handler missing origin validation',
+                severity: 'HIGH',
+                fix: 'Check event.origin against trusted origins',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            unsafeMessageHandler: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Message Handler',
+                cwe: 'CWE-20',
+                description: 'Message event handler processes data without validation',
+                severity: 'MEDIUM',
+                fix: 'Validate event.origin and event.data before processing',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            useSpecificOrigins: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Specific Origins',
+                description: 'Specify trusted origins explicitly',
+                severity: 'LOW',
+                fix: 'postMessage(data, "https://trusted-domain.com")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            validateMessageOrigin: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Message Origin',
+                description: 'Validate message origin before processing',
+                severity: 'LOW',
+                fix: 'if (event.origin === "https://trusted.com") { /* process */ }',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            implementOriginWhitelist: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Origin Whitelist',
+                description: 'Use whitelist of allowed origins',
+                severity: 'LOW',
+                fix: 'const allowedOrigins = ["https://app1.com", "https://app2.com"];',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            strategyOriginValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Origin Validation Strategy',
+                description: 'Validate message origins against trusted list',
+                severity: 'LOW',
+                fix: 'Check event.origin against predefined allowed origins',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            strategyContentValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Content Validation Strategy',
+                description: 'Validate message content in addition to origin',
+                severity: 'LOW',
+                fix: 'Validate both event.origin and event.data structure',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            }),
+            strategyEnvironmentSeparation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Environment Separation Strategy',
+                description: 'Use different origins for different environments',
+                severity: 'LOW',
+                fix: 'Use environment-specific origin validation',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowedOrigins: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                    },
+                    allowWildcardInDev: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow wildcard origins in development environment'
+                    },
+                    messageHandlerPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['addEventListener', 'onmessage', 'postMessage'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as origin validators',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                    safeOrigins: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['localhost', '127.0.0.1', '0.0.0.0'],
+                        description: 'Origins considered safe for postMessage communication',
+                    },
+                    deepValidation: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Enable deep AST analysis for origin validation detection',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowedOrigins: [],
+            allowWildcardInDev: false,
+            messageHandlerPatterns: ['addEventListener', 'onmessage', 'postMessage'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+            safeOrigins: ['localhost', '127.0.0.1', '0.0.0.0'],
+            deepValidation: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowedOrigins = [], allowWildcardInDev = false, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, deepValidation = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if origin validation is present in a message handler
+         *
+         * ⚠️ STATIC ANALYSIS LIMITATION:
+         * This can only detect simple patterns. Complex validation logic
+         * (external functions, runtime config, dynamic validation) cannot
+         * be detected statically.
+         */
+        const hasOriginValidation = (functionNode) => {
+            if (deepValidation) {
+                // Deep AST analysis (more thorough but slower)
+                try {
+                    let hasOriginCheck = false;
+                    const checkNode = (node) => {
+                        // Check for event.origin comparisons
+                        if (node.type === 'BinaryExpression' &&
+                            ((node.left.type === 'MemberExpression' &&
+                                node.left.property.type === 'Identifier' &&
+                                node.left.property.name === 'origin' &&
+                                node.left.object.type === 'Identifier') ||
+                                (node.right.type === 'MemberExpression' &&
+                                    node.right.property.type === 'Identifier' &&
+                                    node.right.property.name === 'origin' &&
+                                    node.right.object.type === 'Identifier'))) {
+                            hasOriginCheck = true;
+                            return;
+                        }
+                        // Check for includes() calls on origin arrays
+                        if (node.type === 'CallExpression' &&
+                            node.callee.type === 'MemberExpression' &&
+                            node.callee.property.type === 'Identifier' &&
+                            node.callee.property.name === 'includes') {
+                            const objectText = sourceCode.getText(node.callee.object).toLowerCase();
+                            if (objectText.includes('origin') || objectText.includes('allowed')) {
+                                hasOriginCheck = true;
+                                return;
+                            }
+                        }
+                        // Recursively check child nodes
+                        for (const key in node) {
+                            if (key === 'parent' || key === 'range' || key === 'loc')
+                                continue;
+                            const child = node[key];
+                            if (child && typeof child === 'object' && 'type' in child) {
+                                checkNode(child);
+                            }
+                            else if (Array.isArray(child)) {
+                                child.forEach(item => {
+                                    if (item && typeof item === 'object' && 'type' in item) {
+                                        checkNode(item);
+                                    }
+                                });
+                            }
+                        }
+                    };
+                    checkNode(functionNode);
+                    return hasOriginCheck;
+                }
+                catch {
+                    // If AST traversal fails, fall back to simple text matching
+                    return false;
+                }
+            }
+            else {
+                // Simple text-based check (faster, less accurate)
+                const functionText = sourceCode.getText(functionNode).toLowerCase();
+                return functionText.includes('event.origin') ||
+                    (functionText.includes('origin') && functionText.includes('event'));
+            }
+        };
+        return {
+            // Check postMessage calls with wildcard origins
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for any postMessage() calls
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    callee.property.name === 'postMessage') {
+                    // Check allowed origins for non-wildcard origins
+                    const args = node.arguments;
+                    if (args.length >= 2) {
+                        const targetOrigin = args[1];
+                        if (targetOrigin.type === 'Literal' &&
+                            typeof targetOrigin.value === 'string' &&
+                            targetOrigin.value !== '*') {
+                            // Check if origin is explicitly allowed
+                            const originValue = targetOrigin.value;
+                            const isAllowed = allowedOrigins.includes(originValue) ||
+                                allowedOrigins.includes('*') ||
+                                allowedOrigins.length === 0; // If no restrictions, allow all specific origins
+                            if (!isAllowed) {
+                                // FALSE POSITIVE REDUCTION
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                context.report({
+                                    node: targetOrigin,
+                                    messageId: 'useSpecificOrigins',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                        origin: originValue,
+                                    },
+                                });
+                            }
+                        }
+                        // Check for wildcard origin
+                        if (targetOrigin.type === 'Literal' &&
+                            typeof targetOrigin.value === 'string' &&
+                            targetOrigin.value === '*') {
+                            // Check if origin is explicitly allowed
+                            const originValue = targetOrigin.value;
+                            const isAllowed = allowedOrigins.includes(originValue) || allowedOrigins.includes('*');
+                            // Allow if explicitly allowed OR in development if configured
+                            if (!isAllowed && !allowWildcardInDev) {
+                                // TEMP: bypass safety checker
+                                // if (safetyChecker.isSafe(node, context)) {
+                                //   return;
+                                // }
+                                context.report({
+                                    node: targetOrigin,
+                                    messageId: 'wildcardOrigin',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+                // Check for addEventListener('message', ...) and IPC calls
+                // Check for addEventListener('message', ...)
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    callee.property.name === 'addEventListener') {
+                    const args = node.arguments;
+                    if (args.length >= 2) {
+                        const eventType = args[0];
+                        const handler = args[1];
+                        // Check if it's a message event
+                        if (eventType.type === 'Literal' &&
+                            typeof eventType.value === 'string' &&
+                            eventType.value === 'message') {
+                            // Check if handler is a function and lacks origin validation
+                            if (handler.type === 'FunctionExpression' ||
+                                handler.type === 'ArrowFunctionExpression') {
+                                if (!hasOriginValidation(handler)) {
+                                    // FALSE POSITIVE REDUCTION
+                                    if (safetyChecker.isSafe(node, context)) {
+                                        return;
+                                    }
+                                    context.report({
+                                        node: handler,
+                                        messageId: 'missingOriginCheck',
+                                        data: {
+                                            filePath: filename,
+                                            line: String(node.loc?.start.line ?? 0),
+                                        },
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            // Check for window.onmessage assignments
+            AssignmentExpression(node) {
+                const left = node.left;
+                if (left.type === 'MemberExpression' &&
+                    left.property.type === 'Identifier' &&
+                    left.property.name === 'onmessage' &&
+                    left.object.type === 'Identifier' &&
+                    left.object.name === 'window') {
+                    const handler = node.right;
+                    if (handler && (handler.type === 'FunctionExpression' ||
+                        handler.type === 'ArrowFunctionExpression')) {
+                        if (!hasOriginValidation(handler)) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            context.report({
+                                node: handler,
+                                messageId: 'missingOriginCheck',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check for event.data usage without origin validation
+            MemberExpression(node) {
+                // Look for event.data usage
+                if (node.property.type === 'Identifier' &&
+                    node.property.name === 'data' &&
+                    node.object.type === 'Identifier' &&
+                    node.object.name === 'event') {
+                    // For now, simplify: only flag if we're clearly in an unsafe context
+                    // The addEventListener check above should handle most cases
+                    // This is a simplified version to avoid complex AST traversal issues
+                    // Only flag if this is clearly in a message handler without validation
+                    // We'll rely on the addEventListener check for the main logic
+                    return;
+                }
+            },
+        };
+    },
+});
+//# sourceMappingURL=no-insufficient-postmessage-validation.js.map