eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-unsafe-dynamic-require.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeDynamicRequire = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noUnsafeDynamicRequire = (0, eslint_devkit_2.createRule)({
+    name: 'no-unsafe-dynamic-require',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent unsafe dynamic require() calls that could enable code injection',
+        },
+        fixable: 'code',
+        hasSuggestions: false,
+        messages: {
+            unsafeDynamicRequire: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Dynamic require()',
+                cwe: 'CWE-95',
+                description: 'Dynamic require() detected',
+                severity: 'CRITICAL',
+                fix: 'Use allowlist: const ALLOWED = ["mod1", "mod2"]; if (!ALLOWED.includes(name)) throw Error("Not allowed")',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowDynamicImport: {
+                        type: 'boolean',
+                        default: false,
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowDynamicImport: false,
+        },
+    ],
+    create(context) {
+        /**
+         * Track variables that reference require
+         * Maps variable name to the node where it was assigned
+         */
+        const requireVariables = new Set();
+        /**
+         * Check if a node is a reference to require
+         */
+        const isRequireReference = (node) => {
+            if (node.type === 'Identifier' && node.name === 'require') {
+                return true;
+            }
+            if (node.type === 'Identifier' && requireVariables.has(node.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if argument is dynamic (not a literal)
+         */
+        const isDynamicArgument = (arg) => {
+            if (arg.type === 'Literal')
+                return false;
+            if (arg.type === 'TemplateLiteral' && arg.expressions.length === 0)
+                return false;
+            return true;
+        };
+        return {
+            VariableDeclarator(node) {
+                // Track when require is assigned to a variable
+                if (node.id.type === 'Identifier' && node.init) {
+                    if (node.init.type === 'Identifier' && node.init.name === 'require') {
+                        requireVariables.add(node.id.name);
+                    }
+                }
+            },
+            CallExpression(node) {
+                // Check for require() calls (direct or via variable)
+                if (node.callee.type !== 'Identifier') {
+                    return;
+                }
+                // Check if callee is require or a variable that references require
+                if (!isRequireReference(node.callee)) {
+                    return;
+                }
+                // Must have at least one argument
+                if (node.arguments.length === 0)
+                    return;
+                const firstArg = node.arguments[0];
+                if (firstArg.type === 'SpreadElement')
+                    return;
+                // Check if dynamic
+                if (!isDynamicArgument(firstArg))
+                    return;
+                context.report({
+                    node,
+                    messageId: 'unsafeDynamicRequire',
+                });
+            },
+        };
+    },
+});
+//# sourceMappingURL=no-unsafe-dynamic-require.js.map

package/src/rules/security/no-unsafe-dynamic-require.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-unsafe-dynamic-require.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-unsafe-dynamic-require.ts"],"names":[],"mappings":";;;AAKA,4DAA0E;AAC1E,4DAAsD;AAWzC,QAAA,sBAAsB,GAAG,IAAA,0BAAU,EAA0B;IACxE,IAAI,EAAE,2BAA2B;IACjC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,yEAAyE;SACvF;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK;QACrB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,4BAA4B;gBACzC,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,0GAA0G;gBAC/G,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,kBAAkB,EAAE;wBAClB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;qBACf;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,kBAAkB,EAAE,KAAK;SAC1B;KACF;IACD,MAAM,CAAC,OAAsD;QAG3D;;;WAGG;QACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE3C;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,IAAmB,EAAW,EAAE;YAC1D,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC1D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,iBAAiB,GAAG,CAAC,GAAiD,EAAW,EAAE;YACvF,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC;YACzC,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,IAAI,GAAG,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,OAAO;YACL,kBAAkB,CAAC,IAAiC;gBAClD,+CAA+C;gBAC/C,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC/C,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;wBACpE,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;oBACrC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,cAAc,CAAC,IAA6B;gBAC1C,qDAAqD;gBACrD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBACtC,OAAO;gBACT,CAAC;gBAED,mEAAmE;gBACnE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBACrC,OAAO;gBACT,CAAC;gBAED,kCAAkC;gBAClC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,QAAQ,CAAC,IAAI,KAAK,eAAe;oBAAE,OAAO;gBAE9C,mBAAmB;gBACnB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;oBAAE,OAAO;gBAEzC,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,sBAAsB;iBAClC,CAAC,CAAC;YACL,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-unsafe-regex-construction.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow literal string patterns. Default: false */
+    allowLiterals?: boolean;
+    /** Trusted functions that escape input. Default: ['escapeRegex', 'escape', 'sanitize'] */
+    trustedEscapingFunctions?: string[];
+    /** Maximum pattern length for dynamic regex. Default: 100 */
+    maxPatternLength?: number;
+}
+export declare const noUnsafeRegexConstruction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/security/no-unsafe-regex-construction.js

@@ -0,0 +1,292 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeRegexConstruction = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if a node represents user input (variable, function call, template literal)
+ */
+function isUserInput(node) {
+    // Function calls might return user input
+    if (node.type === 'CallExpression') {
+        return true;
+    }
+    // Template literals with expressions are dynamic
+    if (node.type === 'TemplateLiteral') {
+        return node.expressions.length > 0;
+    }
+    // Member expressions accessing user properties
+    if (node.type === 'MemberExpression') {
+        return true;
+    }
+    // Variables are likely user input unless they are safe literals
+    if (node.type === 'Identifier') {
+        // Exclude common safe patterns, but be more restrictive
+        const safeIdentifiers = ['pattern', 'regex', 'regExp', 'regexp'];
+        if (safeIdentifiers.includes(node.name.toLowerCase())) {
+            // For these identifiers, check if they're assigned user input in scope
+            // For now, we'll be conservative and flag them as potentially unsafe
+            return true; // Changed from false to true - safer to flag as user input
+        }
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if a node is escaped (wrapped in an escaping function)
+ */
+function isEscaped(node, trustedFunctions, sourceCode) {
+    // Check if the node itself is a call to a trusted escaping function
+    if (node.type === 'CallExpression' && node.callee.type === 'Identifier') {
+        const functionName = node.callee.name;
+        if (trustedFunctions.includes(functionName)) {
+            return true;
+        }
+    }
+    // Also check if it's wrapped in a trusted function call (for complex cases)
+    let current = node;
+    let depth = 0;
+    const maxDepth = 5; // Prevent infinite loops
+    while (current && depth < maxDepth) {
+        const parent = sourceCode.getNodeByRangeIndex?.(current.range[0] - 1) ||
+            current.parent;
+        if (!parent)
+            break;
+        if (parent.type === 'CallExpression' && parent.callee.type === 'Identifier') {
+            const functionName = parent.callee.name;
+            if (trustedFunctions.includes(functionName)) {
+                return true;
+            }
+        }
+        current = parent;
+        depth++;
+    }
+    return false;
+}
+/**
+ * Check if regex flags are dynamic
+ */
+function hasDynamicFlags(node) {
+    // Check second argument (flags)
+    if (node.arguments.length > 1) {
+        const flagsNode = node.arguments[1];
+        return isUserInput(flagsNode);
+    }
+    return false;
+}
+/**
+ * Extract pattern from RegExp construction
+ */
+function extractPattern(node, sourceCode, trustedFunctions) {
+    const patternNode = node.arguments.length > 0 ? node.arguments[0] : null;
+    if (!patternNode) {
+        return { patternNode: null, isUserInput: false, isEscaped: false };
+    }
+    const isUserInputValue = isUserInput(patternNode);
+    // Default trusted functions + user configured ones
+    const allTrustedFunctions = [...new Set([
+            'escapeRegex', 'escape', 'sanitize', 'RegExp.escape',
+            ...trustedFunctions
+        ])];
+    const isEscapedValue = isEscaped(patternNode, allTrustedFunctions, sourceCode);
+    return {
+        patternNode,
+        isUserInput: isUserInputValue,
+        isEscaped: isEscapedValue,
+    };
+}
+exports.noUnsafeRegexConstruction = (0, eslint_devkit_2.createRule)({
+    name: 'no-unsafe-regex-construction',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unsafe regex construction patterns (user input without escaping, dynamic flags)',
+        },
+        hasSuggestions: true,
+        messages: {
+            unsafeRegexConstruction: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe regex construction',
+                cwe: 'CWE-400',
+                description: '{{issue}}: {{details}}',
+                severity: 'HIGH',
+                fix: '{{fix}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            escapeUserInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Escape User Input',
+                description: 'Escape user input for regex',
+                severity: 'LOW',
+                fix: 'input.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping',
+            }),
+            validatePattern: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Pattern',
+                description: 'Validate pattern against whitelist',
+                severity: 'LOW',
+                fix: 'Validate pattern before creating RegExp',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useSafeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use safe-regex',
+                description: 'Use safe-regex library for validation',
+                severity: 'LOW',
+                fix: 'if (safeRegex(pattern)) { new RegExp(pattern) }',
+                documentationLink: 'https://github.com/substack/safe-regex',
+            }),
+            avoidDynamicFlags: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Static Flags',
+                description: 'Use static flags instead of dynamic',
+                severity: 'LOW',
+                fix: 'new RegExp(pattern, "gi") with static flags',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiterals: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Allow literal string patterns',
+                    },
+                    trustedEscapingFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['escapeRegex', 'escape', 'sanitize'],
+                        description: 'Trusted functions that escape input',
+                    },
+                    maxPatternLength: {
+                        type: 'number',
+                        default: 100,
+                        minimum: 1,
+                        description: 'Maximum pattern length for dynamic regex',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiterals: true,
+            trustedEscapingFunctions: ['escapeRegex', 'escape', 'sanitize'],
+            maxPatternLength: 100,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowLiterals = true, maxPatternLength = 100, trustedEscapingFunctions = ['escapeRegex', 'escape', 'sanitize'], } = options || {};
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check RegExp constructor calls
+         */
+        function checkRegExpCall(node) {
+            // Check for RegExp constructor
+            const isRegExpCall = (node.type === 'CallExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp') ||
+                (node.type === 'NewExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp');
+            if (!isRegExpCall) {
+                return;
+            }
+            const { patternNode, isUserInput: isUserInputValue, isEscaped: isEscapedValue } = extractPattern(node, sourceCode, trustedEscapingFunctions);
+            if (!patternNode) {
+                return;
+            }
+            // Check for literal strings
+            if (patternNode.type === 'Literal' && typeof patternNode.value === 'string') {
+                // Even literals can be unsafe if they're very long - check this regardless of allowLiterals
+                const patternLength = patternNode.value.length;
+                if (patternLength > maxPatternLength) {
+                    context.report({
+                        node: patternNode,
+                        messageId: 'unsafeRegexConstruction',
+                        data: {
+                            issue: 'Pattern too long',
+                            details: `Pattern length (${patternLength}) exceeds maximum (${maxPatternLength})`,
+                            fix: 'Split into smaller patterns or validate length',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'validatePattern',
+                                fix: () => null,
+                            },
+                        ],
+                    });
+                    return;
+                }
+                if (!allowLiterals) {
+                    // If we reach here, allowLiterals is false, so treat as unsafe
+                    context.report({
+                        node: patternNode,
+                        messageId: 'unsafeRegexConstruction',
+                        data: {
+                            issue: 'Literal regex pattern',
+                            details: 'Literal regex patterns should be avoided for security. Use variables instead.',
+                            fix: 'Use a variable or RegExp constructor with a string variable',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'validatePattern',
+                                fix: () => null,
+                            },
+                        ],
+                    });
+                    return;
+                }
+            }
+            // Check for user input without escaping
+            if (isUserInputValue && !isEscapedValue) {
+                context.report({
+                    node: patternNode,
+                    messageId: 'unsafeRegexConstruction',
+                    data: {
+                        issue: 'User input in regex without escaping',
+                        details: 'User input in regex pattern can lead to ReDoS or injection attacks',
+                        fix: 'Escape special characters before using in regex',
+                    },
+                    suggest: [
+                        {
+                            messageId: 'escapeUserInput',
+                            fix: () => null,
+                        },
+                        {
+                            messageId: 'validatePattern',
+                            fix: () => null,
+                        },
+                        {
+                            messageId: 'useSafeLibrary',
+                            fix: () => null,
+                        },
+                    ],
+                });
+            }
+            // Check for dynamic flags
+            if (hasDynamicFlags(node)) {
+                context.report({
+                    node,
+                    messageId: 'unsafeRegexConstruction',
+                    data: {
+                        issue: 'Dynamic regex flags',
+                        details: 'Dynamic flags can lead to unexpected behavior or security issues',
+                        fix: 'Use static flags instead of dynamic flags',
+                    },
+                    suggest: [
+                        {
+                            messageId: 'avoidDynamicFlags',
+                            fix: () => null,
+                        },
+                    ],
+                });
+            }
+        }
+        return {
+            CallExpression: checkRegExpCall,
+            NewExpression: checkRegExpCall,
+        };
+    },
+});
+//# sourceMappingURL=no-unsafe-regex-construction.js.map

package/src/rules/security/no-unsafe-regex-construction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-unsafe-regex-construction.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-unsafe-regex-construction.ts"],"names":[],"mappings":";;;AAWA,4DAA0E;AAC1E,4DAAsD;AAsBtD;;GAEG;AACH,SAAS,WAAW,CAAC,IAAmB;IACtC,yCAAyC;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iDAAiD;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;IACrC,CAAC;IAED,+CAA+C;IAC/C,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gEAAgE;IAChE,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,wDAAwD;QACxD,MAAM,eAAe,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjE,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACtD,uEAAuE;YACvE,qEAAqE;YACrE,OAAO,IAAI,CAAC,CAAC,2DAA2D;QAC1E,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAChB,IAAmB,EACnB,gBAA0B,EAC1B,UAA+B;IAE/B,oEAAoE;IACpE,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACxE,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QACtC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,IAAI,OAAO,GAAyB,IAAI,CAAC;IACzC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,yBAAyB;IAE7C,OAAO,OAAO,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,UAAU,CAAC,mBAAmB,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACrD,OAAyB,CAAC,MAAM,CAAC;QAEjD,IAAI,CAAC,MAAM;YAAE,MAAM;QAEnB,IAAI,MAAM,CAAC,IAAI,KAAK,gBAAgB,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACxC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,GAAG,MAAuB,CAAC;QAClC,KAAK,EAAE,CAAC;IACV,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAsD;IAC7E,gCAAgC;IAChC,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,IAAsD,EACtD,UAA+B,EAC/B,gBAA0B;IAE1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IAClD,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YACtC,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,eAAe;YACpD,GAAG,gBAAgB;SACpB,CAAC,CAAC,CAAC;IAEJ,MAAM,cAAc,GAAG,SAAS,CAC9B,WAAW,EACX,mBAAmB,EACnB,UAAU,CACX,CAAC;IAEF,OAAO;QACL,WAAW;QACX,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,cAAc;KAC1B,CAAC;AACJ,CAAC;AAEY,QAAA,yBAAyB,GAAG,IAAA,0BAAU,EAA0B;IAC3E,IAAI,EAAE,8BAA8B;IACpC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,yFAAyF;SACvG;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,wBAAwB;gBACrC,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,SAAS;gBACd,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,eAAe,EAAE,IAAA,gCAAgB,EAAC;gBAChC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,6BAA6B;gBAC1C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mDAAmD;gBACxD,iBAAiB,EAAE,4FAA4F;aAChH,CAAC;YACF,eAAe,EAAE,IAAA,gCAAgB,EAAC;gBAChC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,oCAAoC;gBACjD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,gBAAgB;gBAC3B,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,iDAAiD;gBACtD,iBAAiB,EAAE,wCAAwC;aAC5D,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,qCAAqC;gBAClD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,6CAA6C;gBAClD,iBAAiB,EAAE,yFAAyF;aAC7G,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;wBACb,WAAW,EAAE,+BAA+B;qBAC7C;oBACD,wBAAwB,EAAE;wBACxB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,UAAU,CAAC;wBAC9C,WAAW,EAAE,qCAAqC;qBACnD;oBACD,gBAAgB,EAAE;wBAChB,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,GAAG;wBACZ,OAAO,EAAE,CAAC;wBACV,WAAW,EAAE,0CAA0C;qBACxD;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,IAAI;YACnB,wBAAwB,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,UAAU,CAAC;YAC/D,gBAAgB,EAAE,GAAG;SACtB;KACF;IACD,MAAM,CAAC,OAAsD,EAAE,CAAC,OAAO,GAAG,EAAE,CAAC;QAC3E,MAAM,EACJ,aAAa,GAAG,IAAI,EACpB,gBAAgB,GAAG,GAAG,EACtB,wBAAwB,GAAG,CAAC,aAAa,EAAE,QAAQ,EAAE,UAAU,CAAC,GACjE,GAAY,OAAO,IAAI,EAAE,CAAC;QAE3B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAE5D;;WAEG;QACH,SAAS,eAAe,CAAC,IAAsD;YAC7E,+BAA+B;YAC/B,MAAM,YAAY,GAChB,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC;gBACtG,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YAExG,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;YACT,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,cAAc,CAC9F,IAAI,EACJ,UAAU,EACV,wBAAwB,CACzB,CAAC;YAEF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO;YACT,CAAC;YAED,4BAA4B;YAC5B,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,WAAW,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC5E,4FAA4F;gBAC5F,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC;gBAC/C,IAAI,aAAa,GAAG,gBAAgB,EAAE,CAAC;oBACrC,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,WAAW;wBACjB,SAAS,EAAE,yBAAyB;wBACpC,IAAI,EAAE;4BACJ,KAAK,EAAE,kBAAkB;4BACzB,OAAO,EAAE,mBAAmB,aAAa,sBAAsB,gBAAgB,GAAG;4BAClF,GAAG,EAAE,gDAAgD;yBACtD;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,iBAAiB;gCAC5B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6BAChB;yBACF;qBACF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,+DAA+D;oBAC/D,OAAO,CAAC,MAAM,CAAC;wBACb,IAAI,EAAE,WAAW;wBACjB,SAAS,EAAE,yBAAyB;wBACpC,IAAI,EAAE;4BACJ,KAAK,EAAE,uBAAuB;4BAC9B,OAAO,EAAE,+EAA+E;4BACxF,GAAG,EAAE,6DAA6D;yBACnE;wBACD,OAAO,EAAE;4BACP;gCACE,SAAS,EAAE,iBAAiB;gCAC5B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;6BAChB;yBACF;qBACF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;YACH,CAAC;YAED,wCAAwC;YACxC,IAAI,gBAAgB,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxC,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI,EAAE,WAAW;oBACjB,SAAS,EAAE,yBAAyB;oBACpC,IAAI,EAAE;wBACJ,KAAK,EAAE,sCAAsC;wBAC7C,OAAO,EAAE,oEAAoE;wBAC7E,GAAG,EAAE,iDAAiD;qBACvD;oBACD,OAAO,EAAE;wBACP;4BACE,SAAS,EAAE,iBAAiB;4BAC5B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;yBAChB;wBACD;4BACE,SAAS,EAAE,iBAAiB;4BAC5B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;yBAChB;wBACD;4BACE,SAAS,EAAE,gBAAgB;4BAC3B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;yBAChB;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;YAED,0BAA0B;YAC1B,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,MAAM,CAAC;oBACb,IAAI;oBACJ,SAAS,EAAE,yBAAyB;oBACpC,IAAI,EAAE;wBACJ,KAAK,EAAE,qBAAqB;wBAC5B,OAAO,EAAE,kEAAkE;wBAC3E,GAAG,EAAE,2CAA2C;qBACjD;oBACD,OAAO,EAAE;wBACP;4BACE,SAAS,EAAE,mBAAmB;4BAC9B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;yBAChB;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,cAAc,EAAE,eAAe;YAC/B,aAAa,EAAE,eAAe;SAC/B,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-unsanitized-html.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow unsanitized HTML in test files. Default: false */
+    allowInTests?: boolean;
+    /** Trusted sanitization libraries. Default: ['dompurify', 'sanitize-html', 'xss'] */
+    trustedLibraries?: string[];
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noUnsanitizedHtml: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;