eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-sensitive-data-exposure.d.ts

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Sensitive data patterns. Default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card'] */
+    sensitivePatterns?: string[];
+    /** Check console.log statements. Default: true */
+    checkConsoleLog?: boolean;
+    /** Check error messages. Default: true */
+    checkErrorMessages?: boolean;
+    /** Check API responses. Default: true */
+    checkApiResponses?: boolean;
+}
+export declare const noSensitiveDataExposure: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-sensitive-data-exposure.js

@@ -0,0 +1,251 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataExposure = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if string contains sensitive data patterns
+ */
+function containsSensitiveData(text, patterns) {
+    const lowerText = text.toLowerCase();
+    return patterns.some(pattern => lowerText.includes(pattern.toLowerCase()));
+}
+exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
+    name: 'no-sensitive-data-exposure',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects PII/credentials in logs, responses, or error messages',
+        },
+        hasSuggestions: true,
+        messages: {
+            sensitiveDataExposure: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Sensitive data exposure',
+                cwe: 'CWE-532',
+                description: 'Sensitive data detected in {{context}}: {{dataType}}',
+                severity: 'HIGH',
+                fix: 'Redact or mask sensitive data before logging/exposing',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            redactData: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Redact Data',
+                description: 'Redact sensitive data before logging',
+                severity: 'LOW',
+                fix: 'Redact sensitive fields before logging',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            useMasking: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Masking',
+                description: 'Use data masking function',
+                severity: 'LOW',
+                fix: 'maskSensitive(data)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            removeFromLogs: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Remove From Logs',
+                description: 'Remove sensitive data from logs and errors',
+                severity: 'LOW',
+                fix: 'Filter sensitive data before logging',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    sensitivePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+                        description: 'Sensitive data patterns',
+                    },
+                    checkConsoleLog: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check console.log statements',
+                    },
+                    checkErrorMessages: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check error messages',
+                    },
+                    checkApiResponses: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check API responses',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            sensitivePatterns: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+            checkConsoleLog: true,
+            checkErrorMessages: true,
+            checkApiResponses: true,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { sensitivePatterns = ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'], checkConsoleLog = true, checkErrorMessages = true, } = options || {};
+        /**
+         * Check CallExpression for logging calls with sensitive data
+         */
+        function checkCallExpression(node) {
+            // Check if it's a logging call (console.*, logger.*)
+            const isLoggingCall = (() => {
+                if (node.callee.type === 'MemberExpression') {
+                    const object = node.callee.object;
+                    const property = node.callee.property;
+                    if (property.type === 'Identifier') {
+                        const methodName = property.name.toLowerCase();
+                        if (['log', 'info', 'warn', 'error', 'debug', 'trace'].includes(methodName)) {
+                            // Check if it's console.* or logger.*
+                            if (object.type === 'Identifier') {
+                                const objName = object.name.toLowerCase();
+                                if (objName === 'console' || objName === 'logger') {
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+                }
+                else if (node.callee.type === 'Identifier') {
+                    // Check for logger.info() pattern
+                    const calleeName = node.callee.name.toLowerCase();
+                    if (calleeName.includes('log') || calleeName.includes('logger')) {
+                        return true;
+                    }
+                }
+                return false;
+            })();
+            if (isLoggingCall && checkConsoleLog) {
+                // Check if any argument contains sensitive data
+                for (const arg of node.arguments) {
+                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        const text = arg.value;
+                        if (containsSensitiveData(text, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'logs',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per call
+                        }
+                    }
+                    else if (arg.type === 'Identifier' && arg.name) {
+                        const name = arg.name.toLowerCase();
+                        if (containsSensitiveData(name, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'logs',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per call
+                        }
+                    }
+                }
+            }
+        }
+        /**
+         * Check NewExpression for Error with sensitive data
+         */
+        function checkNewExpression(node) {
+            if (!checkErrorMessages) {
+                return;
+            }
+            if (node.callee && node.callee.type === 'Identifier' && node.callee.name === 'Error') {
+                // Check all arguments for sensitive data (report only once per error)
+                for (const arg of node.arguments) {
+                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        const text = arg.value;
+                        if (containsSensitiveData(text, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'error messages',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per error
+                        }
+                    }
+                    else if (arg.type === 'BinaryExpression' && arg.operator === '+') {
+                        // Check left side if it's a literal
+                        if (arg.left && arg.left.type === 'Literal' && typeof arg.left.value === 'string') {
+                            const leftText = arg.left.value;
+                            if (containsSensitiveData(leftText, sensitivePatterns)) {
+                                context.report({
+                                    node: arg.left,
+                                    messageId: 'sensitiveDataExposure',
+                                    data: {
+                                        context: 'error messages',
+                                        dataType: 'password',
+                                    },
+                                    suggest: [
+                                        { messageId: 'redactData', fix: () => null },
+                                        { messageId: 'useMasking', fix: () => null },
+                                        { messageId: 'removeFromLogs', fix: () => null },
+                                    ],
+                                });
+                                return; // Only report once per error
+                            }
+                        }
+                        // Check right side if it's an identifier
+                        if (arg.right && arg.right.type === 'Identifier' && arg.right.name) {
+                            const rightName = arg.right.name.toLowerCase();
+                            if (containsSensitiveData(rightName, sensitivePatterns)) {
+                                context.report({
+                                    node: arg.right,
+                                    messageId: 'sensitiveDataExposure',
+                                    data: {
+                                        context: 'error messages',
+                                        dataType: 'password',
+                                    },
+                                    suggest: [
+                                        { messageId: 'redactData', fix: () => null },
+                                        { messageId: 'useMasking', fix: () => null },
+                                        { messageId: 'removeFromLogs', fix: () => null },
+                                    ],
+                                });
+                                return; // Only report once per error
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+            NewExpression: checkNewExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-sensitive-data-exposure.js.map

package/src/rules/security/no-sensitive-data-exposure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-sensitive-data-exposure.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-sensitive-data-exposure.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAwBtD;;GAEG;AACH,SAAS,qBAAqB,CAC5B,IAAY,EACZ,QAAkB;IAElB,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC7E,CAAC;AAGY,QAAA,uBAAuB,GAAG,IAAA,0BAAU,EAA0B;IACzE,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,+DAA+D;SAC7E;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,sDAAsD;gBACnE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,UAAU,EAAE,IAAA,gCAAgB,EAAC;gBAC3B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,aAAa;gBACxB,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,wCAAwC;gBAC7C,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,UAAU,EAAE,IAAA,gCAAgB,EAAC;gBAC3B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,aAAa;gBACxB,WAAW,EAAE,2BAA2B;gBACxC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sCAAsC;gBAC3C,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;wBAC7F,WAAW,EAAE,yBAAyB;qBACvC;oBACD,eAAe,EAAE;wBACf,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,8BAA8B;qBAC5C;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,sBAAsB;qBACpC;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,qBAAqB;qBACnC;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,iBAAiB,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;YACvG,eAAe,EAAE,IAAI;YACrB,kBAAkB,EAAE,IAAI;YACxB,iBAAiB,EAAE,IAAI;SACxB;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACV,iBAAiB,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,EAClG,eAAe,GAAG,IAAI,EACtB,kBAAkB,GAAG,IAAI,GAE9B,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,qDAAqD;YACrD,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE;gBAC1B,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;oBAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;oBACtC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBACnC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;wBAC/C,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;4BAC5E,sCAAsC;4BACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gCACjC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gCAC1C,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;oCAClD,OAAO,IAAI,CAAC;gCACd,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC7C,kCAAkC;oBAClC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;oBAClD,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAChE,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,aAAa,IAAI,eAAe,EAAE,CAAC;gBAErC,gDAAgD;gBAChD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC;wBACvB,IAAI,qBAAqB,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;4BACnD,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,GAAG;gCACT,SAAS,EAAE,uBAAuB;gCAClC,IAAI,EAAE;oCACJ,OAAO,EAAE,MAAM;oCACf,QAAQ,EAAE,UAAU;iCACrB;gCACD,OAAO,EAAE;oCACP,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;iCACjD;6BACF,CAAC,CAAC;4BACH,OAAO,CAAC,4BAA4B;wBACtC,CAAC;oBACH,CAAC;yBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;wBACjD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;wBACpC,IAAI,qBAAqB,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;4BACnD,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,GAAG;gCACT,SAAS,EAAE,uBAAuB;gCAClC,IAAI,EAAE;oCACJ,OAAO,EAAE,MAAM;oCACf,QAAQ,EAAE,UAAU;iCACrB;gCACD,OAAO,EAAE;oCACP,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;iCACjD;6BACF,CAAC,CAAC;4BACH,OAAO,CAAC,4BAA4B;wBACtC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED;;WAEG;QACH,SAAS,kBAAkB,CAAC,IAA4B;YACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;YACT,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACrF,sEAAsE;gBACtE,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACjC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;wBAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC;wBACvB,IAAI,qBAAqB,CAAC,IAAI,EAAE,iBAAiB,CAAC,EAAE,CAAC;4BACnD,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,GAAG;gCACT,SAAS,EAAE,uBAAuB;gCAClC,IAAI,EAAE;oCACJ,OAAO,EAAE,gBAAgB;oCACzB,QAAQ,EAAE,UAAU;iCACrB;gCACD,OAAO,EAAE;oCACP,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;oCAC5C,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;iCACjD;6BACF,CAAC,CAAC;4BACH,OAAO,CAAC,6BAA6B;wBACvC,CAAC;oBACH,CAAC;yBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,kBAAkB,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;wBACnE,oCAAoC;wBACpC,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;4BAClF,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;4BAChC,IAAI,qBAAqB,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC;gCACvD,OAAO,CAAC,MAAM,CAAC;oCACb,IAAI,EAAE,GAAG,CAAC,IAAI;oCACd,SAAS,EAAE,uBAAuB;oCAClC,IAAI,EAAE;wCACJ,OAAO,EAAE,gBAAgB;wCACzB,QAAQ,EAAE,UAAU;qCACrB;oCACD,OAAO,EAAE;wCACP,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;wCAC5C,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;wCAC5C,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;qCACjD;iCACF,CAAC,CAAC;gCACH,OAAO,CAAC,6BAA6B;4BACvC,CAAC;wBACH,CAAC;wBACD,yCAAyC;wBACzC,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,YAAY,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;4BACnE,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;4BAC/C,IAAI,qBAAqB,CAAC,SAAS,EAAE,iBAAiB,CAAC,EAAE,CAAC;gCACxD,OAAO,CAAC,MAAM,CAAC;oCACb,IAAI,EAAE,GAAG,CAAC,KAAK;oCACf,SAAS,EAAE,uBAAuB;oCAClC,IAAI,EAAE;wCACJ,OAAO,EAAE,gBAAgB;wCACzB,QAAQ,EAAE,UAAU;qCACrB;oCACD,OAAO,EAAE;wCACP,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;wCAC5C,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;wCAC5C,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE;qCACjD;iCACF,CAAC,CAAC;gCACH,OAAO,CAAC,6BAA6B;4BACvC,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;YACnC,aAAa,EAAE,kBAAkB;SAClC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-sql-injection.d.ts

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Allow dynamic table names in queries. Default: false (stricter) */
+    allowDynamicTableNames?: boolean;
+    /** Functions considered safe for building queries */
+    trustedFunctions?: string[];
+    /** Strategy for fixing SQL injection: 'parameterize', 'orm', 'sanitize', or 'auto' */
+    strategy?: 'parameterize' | 'orm' | 'sanitize' | 'auto';
+}
+export declare const noSqlInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-sql-injection.js

@@ -0,0 +1,332 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSqlInjection = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noSqlInjection = (0, eslint_devkit_1.createRule)({
+    name: 'no-sql-injection',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent SQL injection vulnerabilities with educational context',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            // Enterprise-grade message with auto-enriched OWASP 2025, CVSS, and compliance data
+            sqlInjection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'SQL Injection',
+                cwe: 'CWE-89', // Auto-enriches: A05:2025, CVSS:9.8, [SOC2,PCI-DSS,HIPAA,ISO27001]
+                description: 'SQL Injection detected',
+                severity: 'CRITICAL',
+                fix: 'Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId])',
+                documentationLink: 'https://owasp.org/Top10/2025/A05_2025-Injection/',
+            }),
+            useParameterized: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Parameterized Query',
+                description: 'Use parameterized query',
+                severity: 'LOW',
+                fix: 'db.query("SELECT * FROM users WHERE id = ?", [userId])',
+                documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+            }),
+            useORM: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use ORM',
+                description: 'Use ORM/Query Builder',
+                severity: 'LOW',
+                fix: 'db.user.findWhere({ id: userId })',
+                documentationLink: 'https://www.prisma.io/docs',
+            }),
+            strategyParameterize: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Parameterize Strategy',
+                description: 'Use parameterized queries',
+                severity: 'LOW',
+                fix: 'Use ? or :name placeholders',
+                documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+            }),
+            strategyORM: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'ORM Strategy',
+                description: 'Migrate to ORM for automatic protection',
+                severity: 'LOW',
+                fix: 'Use Prisma, TypeORM, or Sequelize',
+                documentationLink: 'https://www.prisma.io/docs',
+            }),
+            strategySanitize: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Sanitize Strategy',
+                description: 'Add input sanitization (last resort)',
+                severity: 'LOW',
+                fix: 'Sanitize input as last resort',
+                documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowDynamicTableNames: {
+                        type: 'boolean',
+                        default: false,
+                    },
+                    trustedFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['parameterize', 'orm', 'sanitize', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing SQL injection (auto = smart detection)'
+                    },
+                    // Security utilities options for false positive reduction
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as sanitizers',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers (e.g., @safe)',
+                    },
+                    trustedOrmPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional ORM patterns to consider safe',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowDynamicTableNames: false,
+            trustedFunctions: [],
+            strategy: 'auto',
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            trustedOrmPatterns: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const opts = context.options[0] || {};
+        const { allowDynamicTableNames = false, trustedSanitizers = [], trustedAnnotations = [], trustedOrmPatterns = [], strictMode = false, } = opts;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns,
+            strictMode,
+        });
+        /**
+         * Check if a node contains SQL keywords
+         */
+        const containsSQLKeywords = (node) => {
+            // Use getText for all node types - it works correctly for template literals
+            const text = sourceCode.getText(node).toLowerCase();
+            const sqlKeywords = [
+                'select',
+                'insert',
+                'update',
+                'delete',
+                'drop',
+                'create',
+                'alter',
+                'exec',
+                'execute',
+            ];
+            return sqlKeywords.some((keyword) => text.includes(keyword));
+        };
+        /**
+         * Check if string interpolation contains user input
+         */
+        const containsUnsafeInterpolation = (node) => {
+            if (node.type === 'TemplateLiteral') {
+                // Template literal with expressions is potentially unsafe
+                return node.expressions.length > 0;
+            }
+            if (node.type === 'BinaryExpression' && node.operator === '+') {
+                // String concatenation with variables is unsafe
+                return (node.left.type !== 'Literal' || node.right.type !== 'Literal');
+            }
+            return false;
+        };
+        /**
+         * Check if template literal only has dynamic table name (if option allows it)
+         */
+        const isOnlyDynamicTableName = (node) => {
+            if (!allowDynamicTableNames) {
+                return false;
+            }
+            // Must have exactly one expression (the table name)
+            if (node.expressions.length !== 1) {
+                return false;
+            }
+            // Check if the pattern is just "SELECT * FROM ${tableName}" (no WHERE clause)
+            // sourceCode.getText(node) returns the template literal with backticks
+            const text = sourceCode.getText(node).toLowerCase();
+            // Pattern: `SELECT * FROM ${tableName}` - must match the full template literal
+            // The text will be like: `select * from ${tablename}`
+            const tableNameOnlyPattern = /^`select\s+\*\s+from\s+\$\{[^}]+\}`$/;
+            // Also check if it has WHERE or other clauses (still unsafe)
+            const hasWhereOrOtherClauses = /where|order\s+by|group\s+by|having|limit|offset/i.test(text);
+            return !hasWhereOrOtherClauses && tableNameOnlyPattern.test(text);
+        };
+        /**
+         * Check if all interpolated expressions in a template literal are safe
+         */
+        const areAllExpressionsSafe = (node) => {
+            return node.expressions.every((expr) => {
+                // Check if the expression is sanitized or has safe annotation
+                if (safetyChecker.isSafe(expr, context)) {
+                    return true;
+                }
+                // Check if expression is from a sanitization call directly
+                if ((0, eslint_devkit_3.isSanitizedInput)(expr, context, trustedSanitizers)) {
+                    return true;
+                }
+                return false;
+            });
+        };
+        /**
+         * Find the parent statement (VariableDeclaration, ExpressionStatement, etc.)
+         */
+        const findParentStatement = (node) => {
+            let current = node;
+            while (current?.parent) {
+                if (current.parent.type === 'VariableDeclaration' ||
+                    current.parent.type === 'ExpressionStatement' ||
+                    current.parent.type === 'ReturnStatement') {
+                    return current.parent;
+                }
+                current = current.parent;
+            }
+            return null;
+        };
+        /**
+         * Check if the parent call is using an ORM or parameterized query
+         */
+        const isInSafeContext = (node) => {
+            // Check if parent is an ORM call
+            let current = node;
+            while (current) {
+                if (current.type === 'CallExpression') {
+                    if ((0, eslint_devkit_3.isOrmMethodCall)(current, context, trustedOrmPatterns)) {
+                        return true;
+                    }
+                }
+                current = current.parent;
+            }
+            // Check for safe annotation on containing function
+            if ((0, eslint_devkit_3.hasSafeAnnotation)(node, context, trustedAnnotations)) {
+                return true;
+            }
+            return false;
+        };
+        return {
+            // Check template literals
+            TemplateLiteral(node) {
+                if (!containsSQLKeywords(node) ||
+                    !containsUnsafeInterpolation(node)) {
+                    return;
+                }
+                // Allow dynamic table names if option is set and it's only a table name
+                if (isOnlyDynamicTableName(node)) {
+                    return;
+                }
+                // FALSE POSITIVE REDUCTION:
+                // Skip if all interpolated expressions are sanitized
+                if (areAllExpressionsSafe(node)) {
+                    return;
+                }
+                // Skip if in a safe context (ORM call, @safe annotation)
+                if (isInSafeContext(node)) {
+                    return;
+                }
+                const queryText = sourceCode.getText(node);
+                // Find the parent statement to understand context
+                const parentStatement = findParentStatement(node);
+                const isInVariableDeclaration = parentStatement?.type === 'VariableDeclaration';
+                context.report({
+                    node,
+                    messageId: 'sqlInjection',
+                    data: {
+                        filePath: filename,
+                        line: String(node.loc?.start.line ?? 0),
+                    },
+                    suggest: [
+                        {
+                            messageId: 'useParameterized',
+                            fix: (fixer) => {
+                                // Generate parameterized version
+                                const params = [];
+                                let paramIndex = 1;
+                                const parameterized = queryText.replace(/\$\{([^}]+)\}/g, (_, expr) => {
+                                    params.push(expr);
+                                    return `$${paramIndex++}`;
+                                });
+                                // If assigned to a variable, wrap in db.query() call
+                                // This produces valid JavaScript syntax
+                                if (isInVariableDeclaration && parentStatement) {
+                                    return fixer.replaceText(parentStatement, `${sourceCode.getText(parentStatement).split('=')[0].trim()} = db.query(${parameterized}, [${params.join(', ')}])`);
+                                }
+                                // For standalone template literals, wrap in db.query()
+                                return fixer.replaceText(node, `db.query(${parameterized}, [${params.join(', ')}])`);
+                            },
+                        },
+                    ],
+                });
+            },
+            // Check binary expressions (string concatenation)
+            BinaryExpression(node) {
+                if (node.operator !== '+')
+                    return;
+                if (!containsSQLKeywords(node))
+                    return;
+                if (!containsUnsafeInterpolation(node))
+                    return;
+                // FALSE POSITIVE REDUCTION:
+                // Check if in a safe context (ORM call, @safe annotation)
+                if (isInSafeContext(node)) {
+                    return;
+                }
+                // Check if concatenated values are sanitized
+                const checkSide = (side) => {
+                    if (side.type === 'Literal')
+                        return true;
+                    return safetyChecker.isSafe(side, context);
+                };
+                if (checkSide(node.left) && checkSide(node.right)) {
+                    return;
+                }
+                context.report({
+                    node,
+                    messageId: 'sqlInjection',
+                    data: {
+                        filePath: filename,
+                        line: String(node.loc?.start.line ?? 0),
+                    },
+                });
+            },
+        };
+    },
+});
+//# sourceMappingURL=no-sql-injection.js.map

package/src/rules/security/no-sql-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-sql-injection.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-sql-injection.ts"],"names":[],"mappings":";;;AAYA,4DAAsD;AACtD,4DAA0E;AAC1E,4DAMkC;AAiBrB,QAAA,cAAc,GAAG,IAAA,0BAAU,EAA0B;IAChE,IAAI,EAAE,kBAAkB;IACxB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EACT,gEAAgE;SACnE;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,oFAAoF;YACpF,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,eAAe;gBAC1B,GAAG,EAAE,QAAQ,EAAE,mEAAmE;gBAClF,WAAW,EAAE,wBAAwB;gBACrC,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,iFAAiF;gBACtF,iBAAiB,EAAE,kDAAkD;aACtE,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,yBAAyB;gBACtC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,wDAAwD;gBAC7D,iBAAiB,EAAE,uDAAuD;aAC3E,CAAC;YACF,MAAM,EAAE,IAAA,gCAAgB,EAAC;gBACvB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,SAAS;gBACpB,WAAW,EAAE,uBAAuB;gBACpC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mCAAmC;gBACxC,iBAAiB,EAAE,4BAA4B;aAChD,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,2BAA2B;gBACxC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,6BAA6B;gBAClC,iBAAiB,EAAE,uDAAuD;aAC3E,CAAC;YACF,WAAW,EAAE,IAAA,gCAAgB,EAAC;gBAC5B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,cAAc;gBACzB,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mCAAmC;gBACxC,iBAAiB,EAAE,4BAA4B;aAChD,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+BAA+B;gBACpC,iBAAiB,EAAE,uDAAuD;aAC3E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,sBAAsB,EAAE;wBACtB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;qBACf;oBACD,gBAAgB,EAAE;wBAChB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;qBACZ;oBACD,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,cAAc,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC;wBACjD,OAAO,EAAE,MAAM;wBACf,WAAW,EAAE,4DAA4D;qBAC1E;oBACD,0DAA0D;oBAC1D,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,qDAAqD;qBACnE;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,wEAAwE;qBACtF;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,0CAA0C;qBACxD;oBACD,UAAU,EAAE;wBACV,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,oDAAoD;qBAClE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,sBAAsB,EAAE,KAAK;YAC7B,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,MAAM;YAChB,iBAAiB,EAAE,EAAE;YACrB,kBAAkB,EAAE,EAAE;YACtB,kBAAkB,EAAE,EAAE;YACtB,UAAU,EAAE,KAAK;SAClB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,EACJ,sBAAsB,GAAG,KAAK,EAC9B,iBAAiB,GAAG,EAAE,EACtB,kBAAkB,GAAG,EAAE,EACvB,kBAAkB,GAAG,EAAE,EACvB,UAAU,GAAG,KAAK,GACnB,GAAG,IAAI,CAAC;QAET,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAA,mCAAmB,EAAC;YACxC,iBAAiB;YACjB,kBAAkB;YAClB,kBAAkB;YAClB,UAAU;SACX,CAAC,CAAC;QAGH;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,IAAmB,EAAW,EAAE;YAC3D,4EAA4E;YAC5E,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAEpD,MAAM,WAAW,GAAG;gBAClB,QAAQ;gBACR,QAAQ;gBACR,QAAQ;gBACR,QAAQ;gBACR,MAAM;gBACN,QAAQ;gBACR,OAAO;gBACP,MAAM;gBACN,SAAS;aACV,CAAC;YACF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC/D,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,2BAA2B,GAAG,CAClC,IAA0D,EACjD,EAAE;YACX,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBACpC,0DAA0D;gBAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBAC9D,gDAAgD;gBAChD,OAAO,CACL,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,CAC9D,CAAC;YACJ,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,sBAAsB,GAAG,CAAC,IAA8B,EAAW,EAAE;YACzE,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;YAED,oDAAoD;YACpD,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClC,OAAO,KAAK,CAAC;YACf,CAAC;YAED,8EAA8E;YAC9E,uEAAuE;YACvE,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAEpD,+EAA+E;YAC/E,sDAAsD;YACtD,MAAM,oBAAoB,GAAG,sCAAsC,CAAC;YAEpE,6DAA6D;YAC7D,MAAM,sBAAsB,GAAG,kDAAkD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE7F,OAAO,CAAC,sBAAsB,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,qBAAqB,GAAG,CAAC,IAA8B,EAAW,EAAE;YACxE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,IAAyB,EAAE,EAAE;gBAC1D,8DAA8D;gBAC9D,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACxC,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,IAAA,gCAAgB,EAAC,IAAI,EAAE,OAAO,EAAE,iBAAiB,CAAC,EAAE,CAAC;oBACvD,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,IAAmB,EAAwB,EAAE;YACxE,IAAI,OAAO,GAA8B,IAAI,CAAC;YAC9C,OAAO,OAAO,EAAE,MAAM,EAAE,CAAC;gBACvB,IACE,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,qBAAqB;oBAC7C,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,qBAAqB;oBAC7C,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,iBAAiB,EACzC,CAAC;oBACD,OAAO,OAAO,CAAC,MAAM,CAAC;gBACxB,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC3B,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,IAAmB,EAAW,EAAE;YACvD,iCAAiC;YACjC,IAAI,OAAO,GAA8B,IAAI,CAAC;YAC9C,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACtC,IAAI,IAAA,+BAAe,EAAC,OAAO,EAAE,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC;wBAC1D,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAmC,CAAC;YACxD,CAAC;YAED,mDAAmD;YACnD,IAAI,IAAA,iCAAiB,EAAC,IAAI,EAAE,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC;gBACzD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF,OAAO;YACL,0BAA0B;YAC1B,eAAe,CAAC,IAA8B;gBAC5C,IACE,CAAC,mBAAmB,CAAC,IAAI,CAAC;oBAC1B,CAAC,2BAA2B,CAAC,IAAI,CAAC,EAClC,CAAC;oBACD,OAAO;gBACT,CAAC;gBAED,wEAAwE;gBACxE,IAAI,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,OAAO;gBACT,CAAC;gBAED,4BAA4B;gBAC5B,qDAAqD;gBACrD,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChC,OAAO;gBACT,CAAC;gBAED,yDAAyD;gBACzD,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1B,OAAO;gBACT,CAAC;gBAED,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE3C,kDAAkD;gBAClD,MAAM,eAAe,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;gBAClD,MAAM,uBAAuB,GAAG,eAAe,EAAE,IAAI,KAAK,qBAAqB,CAAC;gBAEhF,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,cAAc;oBACzB,IAAI,EAAE;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;qBACxC;oBACD,OAAO,EAAE;wBACP;4BACE,SAAS,EAAE,kBAAkB;4BAC7B,GAAG,EAAE,CAAC,KAAyB,EAAE,EAAE;gCACjC,iCAAiC;gCACjC,MAAM,MAAM,GAAa,EAAE,CAAC;gCAC5B,IAAI,UAAU,GAAG,CAAC,CAAC;gCAEnB,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CACrC,gBAAgB,EAChB,CAAC,CAAS,EAAE,IAAY,EAAE,EAAE;oCAC1B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oCAClB,OAAO,IAAI,UAAU,EAAE,EAAE,CAAC;gCAC5B,CAAC,CACF,CAAC;gCAEF,qDAAqD;gCACrD,wCAAwC;gCACxC,IAAI,uBAAuB,IAAI,eAAe,EAAE,CAAC;oCAC/C,OAAO,KAAK,CAAC,WAAW,CACtB,eAAe,EACf,GAAG,UAAU,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,eAAe,aAAa,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACnH,CAAC;gCACJ,CAAC;gCAED,uDAAuD;gCACvD,OAAO,KAAK,CAAC,WAAW,CACtB,IAAI,EACJ,YAAY,aAAa,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACrD,CAAC;4BACJ,CAAC;yBACF;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;YAED,kDAAkD;YAClD,gBAAgB,CAAC,IAA+B;gBAC9C,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG;oBAAE,OAAO;gBAElC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC;oBAAE,OAAO;gBACvC,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC;oBAAE,OAAO;gBAE/C,4BAA4B;gBAC5B,0DAA0D;gBAC1D,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1B,OAAO;gBACT,CAAC;gBAED,6CAA6C;gBAC7C,MAAM,SAAS,GAAG,CAAC,IAAmB,EAAW,EAAE;oBACjD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;wBAAE,OAAO,IAAI,CAAC;oBACzC,OAAO,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBAC7C,CAAC,CAAC;gBAEF,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAClD,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,cAAc;oBACzB,IAAI,EAAE;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-timing-attack.d.ts

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Functions that are considered authentication-related */
+    authFunctions?: string[];
+    /** Variables that contain sensitive/auth data */
+    sensitiveVariables?: string[];
+    /** Allow early returns in non-sensitive contexts */
+    allowEarlyReturns?: boolean;
+}
+export declare const noTimingAttack: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;