eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-timing-attack.js

@@ -0,0 +1,358 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noTimingAttack = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noTimingAttack = (0, eslint_devkit_1.createRule)({
+    name: 'no-timing-attack',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects timing attack vulnerabilities in authentication code',
+        },
+        fixable: 'code',
+        messages: {
+            timingAttack: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Timing Attack Vulnerability',
+                cwe: 'CWE-208',
+                description: 'Timing attack possible - execution time reveals secret information',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
+            }),
+            insecureStringComparison: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insecure String Comparison',
+                cwe: 'CWE-208',
+                description: 'String comparison may leak timing information',
+                severity: 'HIGH',
+                fix: 'Use crypto.timingSafeEqual() for comparing secrets',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
+            }),
+            earlyReturnLeakage: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Early Return Timing Leak',
+                cwe: 'CWE-208',
+                description: 'Early return may leak information through timing',
+                severity: 'MEDIUM',
+                fix: 'Process all inputs consistently to avoid timing differences',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
+            }),
+            useTimingSafeEqual: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Timing Safe Equal',
+                description: 'Use crypto.timingSafeEqual for constant-time comparison',
+                severity: 'LOW',
+                fix: 'crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
+            }),
+            useConstantTimeComparison: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Constant Time Comparison',
+                description: 'Implement constant-time comparison algorithm',
+                severity: 'LOW',
+                fix: 'Compare all bytes regardless of content',
+                documentationLink: 'https://en.wikipedia.org/wiki/Timing_attack',
+            }),
+            avoidEarlyReturns: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Avoid Early Returns',
+                description: 'Avoid early returns in security-sensitive code',
+                severity: 'LOW',
+                fix: 'Process all inputs before making decisions',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
+            }),
+            strategyTimingSafe: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Timing Safe Strategy',
+                description: 'Use built-in timing-safe comparison functions',
+                severity: 'LOW',
+                fix: 'Use crypto.timingSafeEqual or equivalent library functions',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
+            }),
+            strategyConstantTime: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Constant Time Strategy',
+                description: 'Implement custom constant-time comparison',
+                severity: 'LOW',
+                fix: 'Compare all characters/bytes with consistent timing',
+                documentationLink: 'https://en.wikipedia.org/wiki/Timing_attack',
+            }),
+            strategyConsistentTiming: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Consistent Timing Strategy',
+                description: 'Ensure consistent execution time for all inputs',
+                severity: 'LOW',
+                fix: 'Pad inputs or use fixed-time operations',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    authFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'],
+                    },
+                    sensitiveVariables: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['password', 'token', 'secret', 'key', 'credentials', 'auth'],
+                    },
+                    allowEarlyReturns: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow early returns outside security-sensitive contexts'
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as timing-safe',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as timing-safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            authFunctions: ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'],
+            sensitiveVariables: ['password', 'token', 'secret', 'key', 'credentials', 'auth'],
+            allowEarlyReturns: false,
+            trustedSanitizers: ['sanitize'],
+            trustedAnnotations: ['@timing-safe'],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { authFunctions = ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'], sensitiveVariables = ['password', 'token', 'secret', 'key', 'credentials', 'auth'], allowEarlyReturns = false, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        // Track variables that contain sensitive data
+        const sensitiveVars = new Set();
+        /**
+         * Check if a variable name indicates sensitive/auth data
+         */
+        const isSensitiveVariable = (varName) => {
+            return sensitiveVariables.some(sensitive => varName.toLowerCase().includes(sensitive.toLowerCase()));
+        };
+        /**
+         * Check if we're in an authentication/security context
+         */
+        const isInAuthContext = (node) => {
+            // Check if we're inside an authentication function
+            let current = node;
+            /* c8 ignore start -- defensive auth context detection */
+            while (current) {
+                if (current.type === 'FunctionDeclaration' || current.type === 'FunctionExpression' || current.type === 'ArrowFunctionExpression') {
+                    const funcName = current.id?.name;
+                    if (funcName) {
+                        // Check exact matches first
+                        if (authFunctions.includes(funcName)) {
+                            return true;
+                        }
+                        // Check pattern matches for common auth function names
+                        const authPatterns = ['auth', 'login', 'verify', 'token', 'password', 'credential', 'authenticate'];
+                        if (authPatterns.some(pattern => funcName.toLowerCase().includes(pattern))) {
+                            return true;
+                        }
+                    }
+                }
+                if (current.type === 'CallExpression') {
+                    const callee = current.callee;
+                    if (callee.type === 'Identifier') {
+                        if (authFunctions.includes(callee.name)) {
+                            return true;
+                        }
+                        // Check pattern matches
+                        const authPatterns = ['auth', 'login', 'verify', 'token', 'password', 'credential', 'authenticate'];
+                        if (authPatterns.some(pattern => callee.name.toLowerCase().includes(pattern))) {
+                            return true;
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+            // Check if we're dealing with sensitive variables
+            return sensitiveVars.size > 0;
+            /* c8 ignore stop */
+        };
+        /**
+         * Check if a comparison is timing-safe
+         */
+        const isTimingSafeComparison = (node) => {
+            // Check for crypto.timingSafeEqual calls
+            let current = node;
+            while (current) {
+                if (current.type === 'CallExpression') {
+                    const callee = current.callee;
+                    if (callee.type === 'MemberExpression' &&
+                        callee.object.type === 'Identifier' &&
+                        callee.object.name === 'crypto' &&
+                        callee.property.type === 'Identifier' &&
+                        callee.property.name === 'timingSafeEqual') {
+                        return true;
+                    }
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check if early return is in a security-sensitive context
+         */
+        const isEarlyReturnInAuthContext = (node) => {
+            // If early returns are explicitly allowed, don't flag them
+            if (allowEarlyReturns) {
+                /* c8 ignore next */
+                return false;
+            }
+            return isInAuthContext(node);
+        };
+        return {
+            // Track sensitive variable declarations
+            VariableDeclarator(node) {
+                if (node.id.type === 'Identifier' && isSensitiveVariable(node.id.name)) {
+                    sensitiveVars.add(node.id.name);
+                }
+                // Also check if the variable is assigned sensitive data
+                if (node.init && node.id.type === 'Identifier') {
+                    const initText = sourceCode.getText(node.init).toLowerCase();
+                    if (sensitiveVariables.some(sensitive => initText.includes(sensitive))) {
+                        sensitiveVars.add(node.id.name);
+                    }
+                }
+            },
+            // Check binary expressions for insecure comparisons
+            BinaryExpression(node) {
+                if (node.operator !== '===' && node.operator !== '==') {
+                    return;
+                }
+                // Skip if already using timing-safe comparison
+                if (isTimingSafeComparison(node)) {
+                    return;
+                }
+                // FALSE POSITIVE REDUCTION: Skip if annotated as safe
+                if (safetyChecker.isSafe(node, context)) {
+                    return;
+                }
+                // Check if either side involves sensitive data
+                const leftText = sourceCode.getText(node.left).toLowerCase();
+                const rightText = sourceCode.getText(node.right).toLowerCase();
+                const involvesSensitiveData = [leftText, rightText].some(text => sensitiveVariables.some(sensitive => text.toLowerCase().includes(sensitive.toLowerCase())));
+                if (!involvesSensitiveData && !isInAuthContext(node)) {
+                    return;
+                }
+                context.report({
+                    node,
+                    messageId: 'insecureStringComparison',
+                    data: {
+                        filePath: filename,
+                        line: String(node.loc?.start.line ?? 0),
+                    },
+                });
+            },
+            // Check for early returns that could leak timing information
+            ReturnStatement(node) {
+                // FALSE POSITIVE REDUCTION: Skip if annotated as safe
+                if (safetyChecker.isSafe(node, context)) {
+                    return;
+                }
+                if (!isEarlyReturnInAuthContext(node)) {
+                    return;
+                }
+                // Look for conditional returns (if/else returns)
+                let current = node;
+                let isConditionalReturn = false;
+                while (current && !isConditionalReturn) {
+                    if (current.type === 'IfStatement') {
+                        isConditionalReturn = true;
+                        break;
+                    }
+                    current = current.parent;
+                }
+                if (!isConditionalReturn) {
+                    return;
+                }
+                // Check if this return involves sensitive data
+                const returnText = sourceCode.getText(node).toLowerCase();
+                const involvesSensitiveData = sensitiveVariables.some(sensitive => returnText.includes(sensitive));
+                if (!involvesSensitiveData && !isInAuthContext(node)) {
+                    return;
+                }
+                context.report({
+                    node,
+                    messageId: 'earlyReturnLeakage',
+                    data: {
+                        filePath: filename,
+                        line: String(node.loc?.start.line ?? 0),
+                    },
+                });
+            },
+            // Check function calls for timing-sensitive operations
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for insecure comparison functions
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    ['equals', 'compare', 'matches'].includes(callee.property.name)) {
+                    // Skip known timing-safe libraries
+                    const objectName = callee.object.type === 'Identifier' ? callee.object.name : null;
+                    if (objectName) {
+                        // Known timing-safe comparison libraries
+                        const timingSafeLibraries = ['bcrypt', 'crypto'];
+                        if (timingSafeLibraries.includes(objectName) && callee.property.name === 'compare') {
+                            return; // bcrypt.compare and crypto.compare are timing-safe
+                        }
+                    }
+                    // Check if arguments involve sensitive data
+                    const argsText = node.arguments
+                        .map((arg) => sourceCode.getText(arg).toLowerCase())
+                        .join(' ');
+                    const involvesSensitiveData = sensitiveVariables.some(sensitive => argsText.includes(sensitive));
+                    if (involvesSensitiveData || isInAuthContext(node)) {
+                        // FALSE POSITIVE REDUCTION: Skip if annotated as safe
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        context.report({
+                            node,
+                            messageId: 'timingAttack',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                                severity: 'HIGH',
+                                safeAlternative: 'Use constant-time comparison functions',
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});
+//# sourceMappingURL=no-timing-attack.js.map

package/src/rules/security/no-timing-attack.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-timing-attack.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-timing-attack.ts"],"names":[],"mappings":";;;AAiBA,4DAAsD;AACtD,4DAA0E;AAC1E,4DAGkC;AA0BrB,QAAA,cAAc,GAAG,IAAA,0BAAU,EAA0B;IAChE,IAAI,EAAE,kBAAkB;IACxB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,8DAA8D;SAC5E;QACD,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE;YACR,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,6BAA6B;gBACxC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,oEAAoE;gBACjF,QAAQ,EAAE,cAAc;gBACxB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,oDAAoD;gBACzD,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,kDAAkD;gBAC/D,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,6DAA6D;gBAClE,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,yDAAyD;gBACtE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,wDAAwD;gBAC7D,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,yBAAyB,EAAE,IAAA,gCAAgB,EAAC;gBAC1C,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,0BAA0B;gBACrC,WAAW,EAAE,8CAA8C;gBAC3D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,6CAA6C;aACjE,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,gDAAgD;gBAC7D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,sBAAsB;gBACjC,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4DAA4D;gBACjE,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,6CAA6C;aACjE,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,WAAW,EAAE,iDAAiD;gBAC9D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,qBAAqB,CAAC;qBAC1F;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC;qBACvE;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,yDAAyD;qBACvE;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,sDAAsD;qBACpE;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,iEAAiE;qBAC/E;oBACD,UAAU,EAAE;wBACV,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,oDAAoD;qBAClE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,CAAC,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,qBAAqB,CAAC;YAC/F,kBAAkB,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC;YACjF,iBAAiB,EAAE,KAAK;YACxB,iBAAiB,EAAE,CAAC,UAAU,CAAC;YAC/B,kBAAkB,EAAE,CAAC,cAAc,CAAC;YACpC,UAAU,EAAE,KAAK;SAClB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,aAAa,GAAG,CAAC,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,qBAAqB,CAAC,EAChG,kBAAkB,GAAG,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,EAClF,iBAAiB,GAAG,KAAK,EACzB,iBAAiB,GAAG,EAAE,EACtB,kBAAkB,GAAG,EAAE,EACvB,UAAU,GAAG,KAAK,GACnB,GAAY,OAAO,CAAC;QAErB,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAA,mCAAmB,EAAC;YACxC,iBAAiB;YACjB,kBAAkB;YAClB,kBAAkB,EAAE,EAAE;YACtB,UAAU;SACX,CAAC,CAAC;QAEH,8CAA8C;QAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;QAExC;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,OAAe,EAAW,EAAE;YACvD,OAAO,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CACzC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CACxD,CAAC;QACJ,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,IAAmB,EAAW,EAAE;YACvD,mDAAmD;YACnD,IAAI,OAAO,GAA8B,IAAI,CAAC;YAC9C,yDAAyD;YACzD,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,IAAI,OAAO,CAAC,IAAI,KAAK,oBAAoB,IAAI,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;oBAClI,MAAM,QAAQ,GAAI,OAAsC,CAAC,EAAE,EAAE,IAAI,CAAC;oBAClE,IAAI,QAAQ,EAAE,CAAC;wBACb,4BAA4B;wBAC5B,IAAI,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;4BACrC,OAAO,IAAI,CAAC;wBACd,CAAC;wBACD,uDAAuD;wBACvD,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;wBACpG,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;4BAC3E,OAAO,IAAI,CAAC;wBACd,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;oBAC9B,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBACjC,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;4BACxC,OAAO,IAAI,CAAC;wBACd,CAAC;wBACD,wBAAwB;wBACxB,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;wBACpG,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;4BAC9E,OAAO,IAAI,CAAC;wBACd,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;YAC5C,CAAC;YAED,kDAAkD;YAClD,OAAO,aAAa,CAAC,IAAI,GAAG,CAAC,CAAC;YAC9B,oBAAoB;QACtB,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,sBAAsB,GAAG,CAAC,IAA+B,EAAW,EAAE;YAC1E,yCAAyC;YACzC,IAAI,OAAO,GAA8B,IAAI,CAAC;YAC9C,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;oBAC9B,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;wBAClC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;wBACnC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ;wBAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,iBAAiB,EAC1C,CAAC;wBACD,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;YAC5C,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,0BAA0B,GAAG,CAAC,IAA8B,EAAW,EAAE;YAC7E,2DAA2D;YAC3D,IAAI,iBAAiB,EAAE,CAAC;gBACtB,oBAAoB;gBACpB,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC,CAAC;QAEF,OAAO;YACL,wCAAwC;YACxC,kBAAkB,CAAC,IAAiC;gBAClD,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvE,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;gBAED,wDAAwD;gBACxD,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;oBAC7D,IAAI,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;wBACvE,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,oDAAoD;YACpD,gBAAgB,CAAC,IAA+B;gBAC9C,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;oBACtD,OAAO;gBACT,CAAC;gBAED,+CAA+C;gBAC/C,IAAI,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,OAAO;gBACT,CAAC;gBAED,sDAAsD;gBACtD,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACxC,OAAO;gBACT,CAAC;gBAED,+CAA+C;gBAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC7D,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;gBAE/D,MAAM,qBAAqB,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9D,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAC3F,CAAC;gBAEF,IAAI,CAAC,qBAAqB,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,0BAA0B;oBACrC,IAAI,EAAE;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;YAED,6DAA6D;YAC7D,eAAe,CAAC,IAA8B;gBAC5C,sDAAsD;gBACtD,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACxC,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtC,OAAO;gBACT,CAAC;gBAED,iDAAiD;gBACjD,IAAI,OAAO,GAA8B,IAAI,CAAC;gBAC9C,IAAI,mBAAmB,GAAG,KAAK,CAAC;gBAEhC,OAAO,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBACvC,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;wBACnC,mBAAmB,GAAG,IAAI,CAAC;wBAC3B,MAAM;oBACR,CAAC;oBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;gBAC5C,CAAC;gBAED,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBACzB,OAAO;gBACT,CAAC;gBAED,+CAA+C;gBAC/C,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC1D,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAChE,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAC/B,CAAC;gBAEF,IAAI,CAAC,qBAAqB,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,oBAAoB;oBAC/B,IAAI,EAAE;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;YAED,uDAAuD;YACvD,cAAc,CAAC,IAA6B;gBAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;gBAE3B,0CAA0C;gBAC1C,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC/D,CAAC;oBACD,mCAAmC;oBACnC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;oBACnF,IAAI,UAAU,EAAE,CAAC;wBACf,yCAAyC;wBACzC,MAAM,mBAAmB,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;wBACjD,IAAI,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;4BACnF,OAAO,CAAC,oDAAoD;wBAC9D,CAAC;oBACH,CAAC;oBAED,4CAA4C;oBAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS;yBAC5B,GAAG,CAAC,CAAC,GAAoC,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;yBACpF,IAAI,CAAC,GAAG,CAAC,CAAC;oBACb,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAChE,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAC7B,CAAC;oBAEJ,IAAI,qBAAqB,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;wBACnD,sDAAsD;wBACtD,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAEC,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,cAAc;4BACzB,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;gCACvC,QAAQ,EAAE,MAAM;gCAChB,eAAe,EAAE,wCAAwC;6BAC1D;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-toctou-vulnerability.d.ts

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+    /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
+    fsMethods?: string[];
+}
+export declare const noToctouVulnerability: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-toctou-vulnerability.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noToctouVulnerability = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noToctouVulnerability = (0, eslint_devkit_2.createRule)({
+    name: 'no-toctou-vulnerability',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
+        },
+        hasSuggestions: true,
+        messages: {
+            toctouVulnerability: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'TOCTOU vulnerability',
+                cwe: 'CWE-367',
+                description: 'Time-of-check Time-of-use race condition detected',
+                severity: 'HIGH',
+                fix: 'Use atomic operations or fs.promises for file operations',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
+            }),
+            useAtomicOperations: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Atomic Operations',
+                description: 'Use atomic file operations',
+                severity: 'LOW',
+                fix: 'fs.promises.access() then fs.promises.readFile()',
+                documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
+            }),
+            useFsPromises: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use fs.promises',
+                description: 'Use fs.promises API',
+                severity: 'LOW',
+                fix: 'await fs.promises.readFile() instead of sync operations',
+                documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
+            }),
+            addProperLocking: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add File Locking',
+                description: 'Add proper locking mechanism',
+                severity: 'LOW',
+                fix: 'Use proper-lockfile or similar for concurrent access',
+                documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    fsMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignoreInTests: true,
+            fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { ignoreInTests = true } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check for TOCTOU patterns
+         */
+        function checkCallExpression(node) {
+            const nodeText = sourceCode.getText(node);
+            // Only flag file operations (not checks) that are part of check-then-use patterns
+            if (!/\b(fs\.readFileSync|fs\.writeFileSync|fs\.openSync|fs\.unlinkSync)\s*\(/.test(nodeText)) {
+                return; // Not a file operation we care about
+            }
+            // Check if this operation is inside an if statement that contains a file check
+            let current = node.parent;
+            while (current) {
+                if (current.type === 'IfStatement') {
+                    // Check if the test (condition) contains a file check
+                    const test = current.test;
+                    if (test.type === 'CallExpression') {
+                        const testText = sourceCode.getText(test);
+                        if (/\b(fs\.existsSync|fs\.statSync|fs\.accessSync)\s*\(/.test(testText)) {
+                            // Check if the file paths match
+                            const testCall = test;
+                            const currentCall = node;
+                            if (testCall.arguments.length > 0 && currentCall.arguments.length > 0) {
+                                const testArg = testCall.arguments[0];
+                                const currentArg = currentCall.arguments[0];
+                                if (testArg.type === 'Literal' && currentArg.type === 'Literal' &&
+                                    testArg.value === currentArg.value) {
+                                    context.report({
+                                        node,
+                                        messageId: 'toctouVulnerability',
+                                        suggest: [
+                                            {
+                                                messageId: 'useAtomicOperations',
+                                                fix: () => null,
+                                            },
+                                            {
+                                                messageId: 'useFsPromises',
+                                                fix: () => null,
+                                            },
+                                            {
+                                                messageId: 'addProperLocking',
+                                                fix: () => null,
+                                            },
+                                        ],
+                                    });
+                                    return; // Found a match, stop searching
+                                }
+                            }
+                        }
+                    }
+                    // Also check for stat-then-use patterns
+                    if (test.type === 'CallExpression' || test.type === 'MemberExpression') {
+                        const testText = sourceCode.getText(test);
+                        // Pattern: if (stats.isFile()) { ... fs.unlinkSync("file") ... }
+                        if (testText.includes('isFile') && nodeText.includes('fs.unlinkSync')) {
+                            context.report({
+                                node,
+                                messageId: 'toctouVulnerability',
+                                suggest: [
+                                    {
+                                        messageId: 'useAtomicOperations',
+                                        fix: () => null,
+                                    },
+                                    {
+                                        messageId: 'useFsPromises',
+                                        fix: () => null,
+                                    },
+                                    {
+                                        messageId: 'addProperLocking',
+                                        fix: () => null,
+                                    },
+                                ],
+                            });
+                            return; // Found a match, stop searching
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-toctou-vulnerability.js.map

package/src/rules/security/no-toctou-vulnerability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-toctou-vulnerability.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-toctou-vulnerability.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAkBzC,QAAA,qBAAqB,GAAG,IAAA,0BAAU,EAA0B;IACvE,IAAI,EAAE,yBAAyB;IAC/B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,mDAAmD;SACjE;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,sBAAsB;gBACjC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,mDAAmD;gBAChE,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,0DAA0D;gBAC/D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,4BAA4B;gBACzC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,WAAW,EAAE,qBAAqB;gBAClC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yDAAyD;gBAC9D,iBAAiB,EAAE,6CAA6C;aACjE,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,8BAA8B;gBAC3C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,oDAAoD;aACxE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;oBACD,SAAS,EAAE;wBACT,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,eAAe,CAAC;qBAC3D;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,IAAI;YACnB,SAAS,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,eAAe,CAAC;SAC7D;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACV,aAAa,GAAG,IAAI,EACnB,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,aAAa,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAErF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D;;WAEG;QACH,SAAS,mBAAmB,CAAC,IAA6B;YACxD,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE1C,kFAAkF;YAClF,IAAI,CAAC,yEAAyE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC9F,OAAO,CAAC,qCAAqC;YAC/C,CAAC;YAED,+EAA+E;YAC/E,IAAI,OAAO,GAA8B,IAAI,CAAC,MAAM,CAAC;YACrD,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;oBACnC,sDAAsD;oBACtD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;oBAC1B,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;wBACnC,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;wBAC1C,IAAI,qDAAqD,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;4BACzE,gCAAgC;4BAChC,MAAM,QAAQ,GAAG,IAAI,CAAC;4BACtB,MAAM,WAAW,GAAG,IAAI,CAAC;4BAEzB,IAAI,QAAQ,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCACtE,MAAM,OAAO,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gCACtC,MAAM,UAAU,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gCAE5C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS;oCAC3D,OAAO,CAAC,KAAK,KAAK,UAAU,CAAC,KAAK,EAAE,CAAC;oCACvC,OAAO,CAAC,MAAM,CAAC;wCACb,IAAI;wCACJ,SAAS,EAAE,qBAAqB;wCAChC,OAAO,EAAE;4CACP;gDACE,SAAS,EAAE,qBAAqB;gDAChC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6CAChB;4CACD;gDACE,SAAS,EAAE,eAAe;gDAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6CAChB;4CACD;gDACE,SAAS,EAAE,kBAAkB;gDAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6CAChB;yCACF;qCACF,CAAC,CAAC;oCACH,OAAO,CAAC,gCAAgC;gCAC1C,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;oBAED,wCAAwC;oBACxC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBACvE,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;wBAE1C,iEAAiE;wBACjE,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;4BACtE,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI;gCACJ,SAAS,EAAE,qBAAqB;gCAChC,OAAO,EAAE;oCACP;wCACE,SAAS,EAAE,qBAAqB;wCAChC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qCAChB;oCACD;wCACE,SAAS,EAAE,eAAe;wCAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qCAChB;oCACD;wCACE,SAAS,EAAE,kBAAkB;wCAC7B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qCAChB;iCACF;6BACF,CAAC,CAAC;4BACH,OAAO,CAAC,gCAAgC;wBAC1C,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,mBAAmB;SACpC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-unchecked-loop-condition.d.ts

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Maximum allowed loop iterations for static analysis */
+    maxStaticIterations?: number;
+    /** Variables that contain user input */
+    userInputVariables?: string[];
+    /** Allow while(true) loops with breaks */
+    allowWhileTrueWithBreak?: boolean;
+    /** Maximum recursion depth to allow */
+    maxRecursionDepth?: number;
+}
+export declare const noUncheckedLoopCondition: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;