eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-unencrypted-transmission.d.ts

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Allow unencrypted transmission in test files. Default: false */
+    allowInTests?: boolean;
+    /** Insecure protocol patterns. Default: ['http://', 'ws://', 'ftp://', 'tcp://', 'mongodb://', 'redis://', 'mysql://'] */
+    insecureProtocols?: string[];
+    /** Secure protocol alternatives mapping. Default: { 'http://': 'https://', 'ws://': 'wss://', ... } */
+    secureAlternatives?: Record<string, string>;
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noUnencryptedTransmission: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-unencrypted-transmission.js

@@ -0,0 +1,237 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnencryptedTransmission = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Default insecure protocol patterns
+ */
+const DEFAULT_INSECURE_PROTOCOLS = [
+    'http://',
+    'ws://',
+    'ftp://',
+    'tcp://',
+    'mongodb://',
+    'redis://',
+    'mysql://',
+];
+/**
+ * Secure protocol alternatives
+ */
+const SECURE_ALTERNATIVES = {
+    'http://': 'https://',
+    'ws://': 'wss://',
+    'ftp://': 'ftps://',
+    'tcp://': 'tls://',
+    'mongodb://': 'mongodb+srv://',
+    'redis://': 'rediss://',
+    'mysql://': 'mysqls://',
+};
+/**
+ * Check if a string contains insecure protocol
+ */
+function containsInsecureProtocol(value, insecureProtocols, secureAlternatives) {
+    const lowerValue = value.toLowerCase();
+    for (const protocol of insecureProtocols) {
+        const lowerProtocol = protocol.toLowerCase();
+        // Check if the protocol appears in the value (as a URL scheme)
+        if (lowerValue.includes(lowerProtocol)) {
+            // Check if it's not already using the secure version
+            const secureAlternative = secureAlternatives[lowerProtocol];
+            if (secureAlternative) {
+                // Only report if secure version is not present
+                if (!lowerValue.includes(secureAlternative.toLowerCase())) {
+                    return { isInsecure: true, protocol };
+                }
+            }
+            else {
+                // No secure alternative defined, so it's insecure
+                return { isInsecure: true, protocol };
+            }
+        }
+    }
+    return { isInsecure: false, protocol: '' };
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+/* c8 ignore start -- ignore-pattern matching is defensive */
+function matchesIgnorePattern(text, patterns) {
+    return patterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+/* c8 ignore stop */
+exports.noUnencryptedTransmission = (0, eslint_devkit_2.createRule)({
+    name: 'no-unencrypted-transmission',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)',
+        },
+        hasSuggestions: true,
+        messages: {
+            unencryptedTransmission: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unencrypted Transmission',
+                cwe: 'CWE-319',
+                description: 'Unencrypted transmission detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+            }),
+            useHttps: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use HTTPS',
+                description: 'Use secure protocol',
+                severity: 'LOW',
+                fix: 'Replace http:// with https://',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow unencrypted transmission in test files',
+                    },
+                    insecureProtocols: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Insecure protocol patterns to detect',
+                    },
+                    secureAlternatives: {
+                        type: 'object',
+                        additionalProperties: { type: 'string' },
+                        default: {},
+                        description: 'Mapping of insecure protocols to their secure alternatives',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            insecureProtocols: [],
+            secureAlternatives: {},
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, insecureProtocols, secureAlternatives, ignorePatterns = [], } = options;
+        const protocolsToCheck = insecureProtocols && insecureProtocols.length > 0
+            ? insecureProtocols
+            : DEFAULT_INSECURE_PROTOCOLS;
+        // Merge user-provided secure alternatives with defaults
+        const secureAlternativesToUse = secureAlternatives && Object.keys(secureAlternatives).length > 0
+            ? { ...SECURE_ALTERNATIVES, ...secureAlternatives }
+            : SECURE_ALTERNATIVES;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkLiteral(node) {
+            if (typeof node.value !== 'string') {
+                return;
+            }
+            const value = node.value;
+            const text = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(text, ignorePatterns)) {
+                return;
+            }
+            // Skip test files (allow localhost in test files)
+            if (isTestFile) {
+                // Only allow localhost URLs in test files
+                if (text.includes('localhost')) {
+                    return;
+                }
+                // For other URLs in test files, still check them
+            }
+            const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+            if (isInsecure) {
+                // Allow localhost URLs in test files
+                if (isTestFile && text.includes('localhost')) {
+                    return;
+                }
+                const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+                const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+                context.report({
+                    node,
+                    messageId: 'unencryptedTransmission',
+                    data: {
+                        issue: `using insecure protocol ${protocol}`,
+                        safeAlternative,
+                    },
+                    suggest: [
+                        {
+                            messageId: 'useHttps',
+                            data: {
+                                protocol,
+                                secureProtocol,
+                            },
+                            fix(fixer) {
+                                if (secureProtocol && secureProtocol !== 'secure protocol') {
+                                    // Replace the insecure protocol with secure one
+                                    const newValue = value.replace(new RegExp(protocol.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi'), secureProtocol);
+                                    return fixer.replaceText(node, JSON.stringify(newValue));
+                                }
+                                return null;
+                            },
+                        },
+                    ],
+                });
+            }
+        }
+        function checkTemplateLiteral(node) {
+            if (isTestFile) {
+                return;
+            }
+            const text = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(text, ignorePatterns)) {
+                return;
+            }
+            // Check each quasis (static parts) and expressions
+            for (const quasi of node.quasis) {
+                const value = quasi.value.raw;
+                const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+                if (isInsecure) {
+                    const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+                    const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+                    context.report({
+                        node: quasi,
+                        messageId: 'unencryptedTransmission',
+                        data: {
+                            issue: `using insecure protocol ${protocol} in template literal`,
+                            safeAlternative,
+                        },
+                        // Don't provide auto-fix for template literals (too risky - might break interpolation)
+                    });
+                }
+            }
+        }
+        return {
+            Literal: checkLiteral,
+            TemplateLiteral: checkTemplateLiteral,
+        };
+    },
+});
+//# sourceMappingURL=no-unencrypted-transmission.js.map

package/src/rules/security/no-unencrypted-transmission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-unencrypted-transmission.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-unencrypted-transmission.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAoBtD;;GAEG;AACH,MAAM,0BAA0B,GAAG;IACjC,SAAS;IACT,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,YAAY;IACZ,UAAU;IACV,UAAU;CACX,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAA2B;IAClD,SAAS,EAAE,UAAU;IACrB,OAAO,EAAE,QAAQ;IACjB,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,QAAQ;IAClB,YAAY,EAAE,gBAAgB;IAC9B,UAAU,EAAE,WAAW;IACvB,UAAU,EAAE,WAAW;CACxB,CAAC;AAEF;;GAEG;AACH,SAAS,wBAAwB,CAC/B,KAAa,EACb,iBAA2B,EAC3B,kBAA0C;IAE1C,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAEvC,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QACzC,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC7C,+DAA+D;QAC/D,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACvC,qDAAqD;YACrD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;YAC5D,IAAI,iBAAiB,EAAE,CAAC;gBACtB,+CAA+C;gBAC/C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC1D,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;gBACxC,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,6DAA6D;AAC7D,SAAS,oBAAoB,CAAC,IAAY,EAAE,QAAkB;IAC5D,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AACD,oBAAoB;AAEP,QAAA,yBAAyB,GAAG,IAAA,0BAAU,EAA0B;IAC3E,IAAI,EAAE,6BAA6B;IACnC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,6EAA6E;SAC3F;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,8CAA8C;gBAC3D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,QAAQ,EAAE,IAAA,gCAAgB,EAAC;gBACzB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,WAAW;gBACtB,WAAW,EAAE,qBAAqB;gBAClC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+BAA+B;gBACpC,iBAAiB,EAAE,gFAAgF;aACpG,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,8CAA8C;qBAC5D;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,sCAAsC;qBACpD;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,QAAQ;wBACd,oBAAoB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACxC,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,4DAA4D;qBAC1E;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,oCAAoC;qBAClD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;YACnB,iBAAiB,EAAE,EAAE;YACrB,kBAAkB,EAAE,EAAE;YACtB,cAAc,EAAE,EAAE;SACnB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,YAAY,GAAG,KAAK,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,GAAG,EAAE,GACpB,GAAG,OAAkB,CAAC;QAEvB,MAAM,gBAAgB,GAAG,iBAAiB,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC;YACxE,CAAC,CAAC,iBAAiB;YACnB,CAAC,CAAC,0BAA0B,CAAC;QAE/B,wDAAwD;QACxD,MAAM,uBAAuB,GAAG,kBAAkB,IAAI,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,CAAC;YAC9F,CAAC,CAAC,EAAE,GAAG,mBAAmB,EAAE,GAAG,kBAAkB,EAAE;YACnD,CAAC,CAAC,mBAAmB,CAAC;QAExB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D,SAAS,YAAY,CAAC,IAAsB;YAC1C,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnC,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YACzB,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEtC,yCAAyC;YACzC,IAAI,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,kDAAkD;YAClD,IAAI,UAAU,EAAE,CAAC;gBACf,0CAA0C;gBAC1C,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/B,OAAO;gBACT,CAAC;gBACD,iDAAiD;YACnD,CAAC;YAED,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,wBAAwB,CAAC,KAAK,EAAE,gBAAgB,EAAE,uBAAuB,CAAC,CAAC;YAE5G,IAAI,UAAU,EAAE,CAAC;gBACf,qCAAqC;gBACrC,IAAI,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC7C,OAAO;gBACT,CAAC;gBAED,MAAM,cAAc,GAAG,uBAAuB,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,iBAAiB,CAAC;gBAC5F,MAAM,eAAe,GAAG,OAAO,cAAc,eAAe,QAAQ,EAAE,CAAC;gBAEvE,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,yBAAyB;oBACpC,IAAI,EAAE;wBACJ,KAAK,EAAE,2BAA2B,QAAQ,EAAE;wBAC5C,eAAe;qBAChB;oBACD,OAAO,EAAE;wBACL;4BACE,SAAS,EAAE,UAAU;4BACrB,IAAI,EAAE;gCACJ,QAAQ;gCACR,cAAc;6BACf;4BACD,GAAG,CAAC,KAAyB;gCAC3B,IAAI,cAAc,IAAI,cAAc,KAAK,iBAAiB,EAAE,CAAC;oCAC3D,gDAAgD;oCAChD,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,EAAE,cAAc,CAAC,CAAC;oCAClH,OAAO,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;gCAC3D,CAAC;gCACD,OAAO,IAAI,CAAC;4BACd,CAAC;yBACJ;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,SAAS,oBAAoB,CAAC,IAA8B;YAC1D,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEtC,yCAAyC;YACzC,IAAI,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,mDAAmD;YACnD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC;gBAC9B,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,wBAAwB,CAAC,KAAK,EAAE,gBAAgB,EAAE,uBAAuB,CAAC,CAAC;gBAE5G,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,cAAc,GAAG,uBAAuB,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,iBAAiB,CAAC;oBAC5F,MAAM,eAAe,GAAG,OAAO,cAAc,eAAe,QAAQ,EAAE,CAAC;oBAEvE,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,KAAK;wBACX,SAAS,EAAE,yBAAyB;wBACpC,IAAI,EAAE;4BACJ,KAAK,EAAE,2BAA2B,QAAQ,sBAAsB;4BAChE,eAAe;yBAChB;wBACD,uFAAuF;qBACxF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,YAAY;YACrB,eAAe,EAAE,oBAAoB;SACtC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-unescaped-url-parameter.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow unescaped URL parameters in test files. Default: false */
+    allowInTests?: boolean;
+    /** Trusted URL construction libraries. Default: ['url', 'querystring'] */
+    trustedLibraries?: string[];
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noUnescapedUrlParameter: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-unescaped-url-parameter.js

@@ -0,0 +1,266 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnescapedUrlParameter = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if a node is inside a URL encoding function call
+ */
+function isInsideEncodingCall(node, sourceCode, trustedLibraries) {
+    let current = node;
+    while (current) {
+        if (current.type === 'CallExpression') {
+            const callee = current.callee;
+            // Check for encodeURIComponent, encodeURI
+            if (callee.type === 'Identifier') {
+                const calleeName = callee.name;
+                if (['encodeURIComponent', 'encodeURI', 'escape'].includes(calleeName)) {
+                    return true;
+                }
+            }
+            // Check if it's a trusted library call
+            if (callee.type === 'MemberExpression') {
+                const object = callee.object;
+                if (object.type === 'Identifier') {
+                    const objectName = object.name.toLowerCase();
+                    if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
+                        return true;
+                    }
+                }
+            }
+        }
+        // Traverse up the AST
+        if ('parent' in current && current.parent) {
+            current = current.parent;
+        }
+        else {
+            break;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, ignorePatterns) {
+    return ignorePatterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+/**
+ * Check if a node is a URL construction pattern
+ */
+function isUrlConstruction(node, sourceCode) {
+    const text = sourceCode.getText(node);
+    // Check for URL construction patterns
+    const urlPatterns = [
+        /\bhttps?:\/\//, // HTTP/HTTPS URLs
+        /\bnew\s+URL\s*\(/,
+        /\burl\s*[=:]\s*/, // url = or url:
+        /\burl\s*\+/, // url +
+        /\bwindow\.location/,
+        /\blocation\.href/,
+        /\bwindow\.open\s*\(/,
+        /\?[^=]+=/, // Query parameters
+    ];
+    return urlPatterns.some(pattern => pattern.test(text));
+}
+exports.noUnescapedUrlParameter = (0, eslint_devkit_2.createRule)({
+    name: 'no-unescaped-url-parameter',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unescaped URL parameters',
+        },
+        hasSuggestions: true,
+        messages: {
+            unescapedUrlParameter: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unescaped URL Parameter',
+                cwe: 'CWE-79',
+                description: 'Unescaped URL parameter detected: {{parameter}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
+            }),
+            useEncodeURIComponent: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use encodeURIComponent',
+                description: 'Use encodeURIComponent for URL params',
+                severity: 'LOW',
+                fix: '`https://example.com?q=${encodeURIComponent(param)}`',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent',
+            }),
+            useURLSearchParams: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use URLSearchParams',
+                description: 'Use URLSearchParams for safe URL construction',
+                severity: 'LOW',
+                fix: 'new URLSearchParams({ q: param }).toString()',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow unescaped URL parameters in test files',
+                    },
+                    trustedLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['url', 'querystring'],
+                        description: 'Trusted URL construction libraries',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            trustedLibraries: ['url', 'querystring'],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, trustedLibraries = ['url', 'querystring'], ignorePatterns = [], } = options;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkTemplateLiteral(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check if this is a URL construction
+            if (!isUrlConstruction(node, sourceCode)) {
+                return;
+            }
+            // Check each expression in the template
+            for (const expression of node.expressions) {
+                const text = sourceCode.getText(expression);
+                // Check if it matches any ignore pattern
+                if (matchesIgnorePattern(text, ignorePatterns)) {
+                    continue;
+                }
+                // Check if it's already encoded
+                if (isInsideEncodingCall(expression, sourceCode, trustedLibraries)) {
+                    continue;
+                }
+                // Check if it's a user input pattern
+                const userInputPatterns = [
+                    /\breq\.(query|params|body|headers|cookies)/,
+                    /\brequest\.(query|params|body)/,
+                    /\buserInput\b/i,
+                    /\binput\b/i,
+                    /\bsearchParams\b/,
+                    /\bparam\b/i, // Generic param variable
+                ];
+                // Check both the expression text and the full template literal
+                // This catches nested patterns like req.query.id
+                const fullText = sourceCode.getText(node);
+                const exprText = sourceCode.getText(expression);
+                const isUserInput = userInputPatterns.some(pattern => pattern.test(text)) ||
+                    userInputPatterns.some(pattern => pattern.test(fullText)) ||
+                    userInputPatterns.some(pattern => pattern.test(exprText)) ||
+                    // Also check for nested member expressions like req.query.id
+                    (expression.type === 'MemberExpression' &&
+                        userInputPatterns.some(pattern => {
+                            // Check the full expression including nested properties
+                            return pattern.test(exprText);
+                        }));
+                if (isUserInput) {
+                    context.report({
+                        node: expression,
+                        messageId: 'unescapedUrlParameter',
+                        data: {
+                            parameter: text,
+                            safeAlternative: `Use encodeURIComponent() or URLSearchParams: const url = \`https://example.com?q=\${encodeURIComponent(${text})}\`;`,
+                        },
+                        suggest: [
+                            {
+                                messageId: 'useEncodeURIComponent',
+                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                fix: (_fixer) => null,
+                            },
+                            {
+                                messageId: 'useURLSearchParams',
+                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                fix: (_fixer) => null,
+                            },
+                        ],
+                    });
+                }
+            }
+        }
+        function checkBinaryExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for string concatenation in URL construction
+            if (node.operator === '+') {
+                if (!isUrlConstruction(node, sourceCode)) {
+                    return;
+                }
+                // Check right side (usually the parameter)
+                if (node.right.type !== 'Literal') {
+                    const rightText = sourceCode.getText(node.right);
+                    // Check if it matches any ignore pattern
+                    if (matchesIgnorePattern(rightText, ignorePatterns)) {
+                        return;
+                    }
+                    // Check if it's already encoded
+                    if (isInsideEncodingCall(node.right, sourceCode, trustedLibraries)) {
+                        return;
+                    }
+                    // Check if it's a user input pattern
+                    const userInputPatterns = [
+                        /\breq\.(query|params|body)/,
+                        /\brequest\.(query|params|body)/,
+                        /\buserInput\b/,
+                        /\binput\b/,
+                    ];
+                    const isUserInput = userInputPatterns.some(pattern => pattern.test(rightText));
+                    if (isUserInput) {
+                        context.report({
+                            node: node.right,
+                            messageId: 'unescapedUrlParameter',
+                            data: {
+                                parameter: rightText,
+                                safeAlternative: `Use encodeURIComponent(): ${sourceCode.getText(node.left)} + encodeURIComponent(${rightText})`,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useEncodeURIComponent',
+                                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                    fix: (_fixer) => null,
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            TemplateLiteral: checkTemplateLiteral,
+            BinaryExpression: checkBinaryExpression,
+        };
+    },
+});
+//# sourceMappingURL=no-unescaped-url-parameter.js.map

package/src/rules/security/no-unescaped-url-parameter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-unescaped-url-parameter.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-unescaped-url-parameter.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAiBtD;;GAEG;AACH,SAAS,oBAAoB,CAC3B,IAAmB,EACnB,UAA+B,EAC/B,gBAA0B;IAE1B,IAAI,OAAO,GAAyB,IAAI,CAAC;IAEzC,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAE9B,0CAA0C;YAC1C,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACjC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;gBAC/B,IAAI,CAAC,oBAAoB,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBACvE,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBACvC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC7B,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBACjC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC7C,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;wBACzE,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,IAAI,QAAQ,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YAC1C,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAY,EAAE,cAAwB;IAClE,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAmB,EAAE,UAA+B;IAC7E,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtC,sCAAsC;IACtC,MAAM,WAAW,GAAG;QAClB,eAAe,EAAG,kBAAkB;QACpC,kBAAkB;QAClB,iBAAiB,EAAG,gBAAgB;QACpC,YAAY,EAAG,QAAQ;QACvB,oBAAoB;QACpB,kBAAkB;QAClB,qBAAqB;QACrB,UAAU,EAAG,mBAAmB;KACjC,CAAC;IAEF,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAEY,QAAA,uBAAuB,GAAG,IAAA,0BAAU,EAA0B;IACzE,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,kCAAkC;SAChD;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,iDAAiD;gBAC9D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,gDAAgD;aACpE,CAAC;YACF,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,wBAAwB;gBACnC,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,qGAAqG;aACzH,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,kEAAkE;aACtF,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,YAAY,EAAE;wBACZ,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,8CAA8C;qBAC5D;oBACD,gBAAgB,EAAE;wBAChB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,KAAK,EAAE,aAAa,CAAC;wBAC/B,WAAW,EAAE,oCAAoC;qBAClD;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,oCAAoC;qBAClD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,YAAY,EAAE,KAAK;YACnB,gBAAgB,EAAE,CAAC,KAAK,EAAE,aAAa,CAAC;YACxC,cAAc,EAAE,EAAE;SACnB;KACF;IACD,MAAM,CACJ,OAAsD,EACtD,CAAC,OAAO,GAAG,EAAE,CAAC;QAEd,MAAM,EACJ,YAAY,GAAG,KAAK,EACpB,gBAAgB,GAAG,CAAC,KAAK,EAAE,aAAa,CAAC,EACzC,cAAc,GAAG,EAAE,GACpB,GAAG,OAAkB,CAAC;QAEvB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,YAAY,IAAI,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D,SAAS,oBAAoB,CAAC,IAA8B;YAC1D,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,sCAAsC;YACtC,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;gBACzC,OAAO;YACT,CAAC;YAED,wCAAwC;YACxC,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAE5C,yCAAyC;gBACzC,IAAI,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;oBAC/C,SAAS;gBACX,CAAC;gBAED,gCAAgC;gBAChC,IAAI,oBAAoB,CAAC,UAAU,EAAE,UAAU,EAAE,gBAAgB,CAAC,EAAE,CAAC;oBACnE,SAAS;gBACX,CAAC;gBAED,qCAAqC;gBACrC,MAAM,iBAAiB,GAAG;oBACxB,4CAA4C;oBAC5C,gCAAgC;oBAChC,gBAAgB;oBAChB,YAAY;oBACZ,kBAAkB;oBAClB,YAAY,EAAE,yBAAyB;iBACxC,CAAC;gBAEF,+DAA+D;gBAC/D,iDAAiD;gBACjD,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC1C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAChD,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtD,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBACzD,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBACzD,6DAA6D;oBAC7D,CAAC,UAAU,CAAC,IAAI,KAAK,kBAAkB;wBACtC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;4BAC/B,wDAAwD;4BACxD,OAAO,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBAChC,CAAC,CAAC,CAAC,CAAC;gBAExB,IAAI,WAAW,EAAE,CAAC;oBAChB,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,UAAU;wBAChB,SAAS,EAAE,uBAAuB;wBAClC,IAAI,EAAE;4BACJ,SAAS,EAAE,IAAI;4BACf,eAAe,EAAE,0GAA0G,IAAI,OAAO;yBACvI;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,uBAAuB;gCAClC,6DAA6D;gCAC7D,GAAG,EAAE,CAAC,MAA0B,EAAE,EAAE,CAAC,IAAI;6BAC1C;4BACD;gCACE,SAAS,EAAE,oBAAoB;gCAC/B,6DAA6D;gCAC7D,GAAG,EAAE,CAAC,MAA0B,EAAE,EAAE,CAAC,IAAI;6BAC1C;yBACF;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,SAAS,qBAAqB,CAAC,IAA+B;YAC5D,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;YACT,CAAC;YAED,qDAAqD;YACrD,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;oBACzC,OAAO;gBACT,CAAC;gBAED,2CAA2C;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBAClC,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBAEjD,yCAAyC;oBACzC,IAAI,oBAAoB,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,CAAC;wBACpD,OAAO;oBACT,CAAC;oBAED,gCAAgC;oBAChC,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,EAAE,UAAU,EAAE,gBAAgB,CAAC,EAAE,CAAC;wBACnE,OAAO;oBACT,CAAC;oBAED,qCAAqC;oBACrC,MAAM,iBAAiB,GAAG;wBACxB,4BAA4B;wBAC5B,gCAAgC;wBAChC,eAAe;wBACf,WAAW;qBACZ,CAAC;oBAEF,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;oBAE/E,IAAI,WAAW,EAAE,CAAC;wBAChB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,IAAI,CAAC,KAAK;4BAChB,SAAS,EAAE,uBAAuB;4BAClC,IAAI,EAAE;gCACJ,SAAS,EAAE,SAAS;gCACpB,eAAe,EAAE,6BAA6B,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,SAAS,GAAG;6BACjH;4BACD,OAAO,EAAE;gCACP;oCACE,SAAS,EAAE,uBAAuB;oCAClC,6DAA6D;oCAC7D,GAAG,EAAE,CAAC,MAA0B,EAAE,EAAE,CAAC,IAAI;iCAC1C;6BACF;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,eAAe,EAAE,oBAAoB;YACrC,gBAAgB,EAAE,qBAAqB;SACxC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-unlimited-resource-allocation.d.ts

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Maximum allowed resource size for static analysis */
+    maxResourceSize?: number;
+    /** Variables that contain user input */
+    userInputVariables?: string[];
+    /** Safe resource allocation functions */
+    safeResourceFunctions?: string[];
+    /** Require resource validation */
+    requireResourceValidation?: boolean;
+}
+export declare const noUnlimitedResourceAllocation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;