eslint-plugin-secure-coding 1.0.0

package/src/rules/security/no-weak-password-recovery.js

@@ -0,0 +1,401 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noWeakPasswordRecovery = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noWeakPasswordRecovery = (0, eslint_devkit_1.createRule)({
+    name: 'no-weak-password-recovery',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects weak password recovery mechanisms',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            weakPasswordRecovery: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Weak Password Recovery',
+                cwe: 'CWE-640',
+                description: 'Password recovery mechanism has security weaknesses',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            missingRateLimit: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Rate Limit',
+                cwe: 'CWE-640',
+                description: 'Password recovery attempts not rate limited',
+                severity: 'HIGH',
+                fix: 'Implement rate limiting on recovery requests',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            predictableRecoveryToken: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Predictable Recovery Token',
+                cwe: 'CWE-640',
+                description: 'Recovery token can be predicted or guessed',
+                severity: 'CRITICAL',
+                fix: 'Use cryptographically secure random tokens',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            unlimitedRecoveryAttempts: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Recovery Attempts',
+                cwe: 'CWE-640',
+                description: 'No limit on password recovery attempts',
+                severity: 'MEDIUM',
+                fix: 'Limit recovery attempts per time period',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            insufficientTokenEntropy: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insufficient Token Entropy',
+                cwe: 'CWE-640',
+                description: 'Recovery token has insufficient randomness',
+                severity: 'HIGH',
+                fix: 'Use at least 128-bit entropy for tokens',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            missingTokenExpiration: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Token Expiration',
+                cwe: 'CWE-640',
+                description: 'Recovery tokens never expire',
+                severity: 'HIGH',
+                fix: 'Implement token expiration (15-60 minutes)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            recoveryLoggingSensitiveData: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Recovery Logging Sensitive Data',
+                cwe: 'CWE-640',
+                description: 'Logging sensitive data during password recovery',
+                severity: 'MEDIUM',
+                fix: 'Never log passwords, tokens, or sensitive recovery data',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            weakRecoveryVerification: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Weak Recovery Verification',
+                cwe: 'CWE-640',
+                description: 'Recovery request verification is insufficient',
+                severity: 'HIGH',
+                fix: 'Require strong verification (email + SMS, security questions)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            tokenReuseVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Token Reuse Vulnerability',
+                cwe: 'CWE-640',
+                description: 'Recovery tokens can be reused',
+                severity: 'HIGH',
+                fix: 'Mark tokens as used after successful recovery',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            implementRateLimiting: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Rate Limiting',
+                description: 'Add rate limiting to recovery endpoints',
+                severity: 'LOW',
+                fix: 'Limit recovery attempts to 5 per hour per IP/user',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            useCryptographicallySecureTokens: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Cryptographically Secure Tokens',
+                description: 'Generate tokens with crypto.randomBytes()',
+                severity: 'LOW',
+                fix: 'const token = crypto.randomBytes(32).toString("hex");',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptorandombytessize-callback',
+            }),
+            implementTokenExpiration: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Token Expiration',
+                description: 'Set reasonable token expiration times',
+                severity: 'LOW',
+                fix: 'Expire tokens after 15-60 minutes',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            secureRecoveryFlow: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Secure Recovery Flow',
+                description: 'Implement secure password recovery flow',
+                severity: 'LOW',
+                fix: 'Verify identity, send secure link, require current password',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html',
+            }),
+            strategyMultiFactor: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Multi-Factor Strategy',
+                description: 'Require multiple verification factors',
+                severity: 'LOW',
+                fix: 'Email + SMS verification for password recovery',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            strategyOutOfBandVerification: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Out-of-Band Verification Strategy',
+                description: 'Use out-of-band verification channels',
+                severity: 'LOW',
+                fix: 'Send recovery codes via SMS or authenticator app',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html',
+            }),
+            strategyTimeBoundTokens: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Time-Bound Tokens Strategy',
+                description: 'Use time-bound recovery tokens',
+                severity: 'LOW',
+                fix: 'Tokens expire quickly and can only be used once',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    minTokenEntropy: {
+                        type: 'number',
+                        minimum: 64,
+                        default: 128,
+                    },
+                    maxTokenLifetimeHours: {
+                        type: 'number',
+                        minimum: 0.25,
+                        default: 1,
+                    },
+                    recoveryKeywords: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['reset', 'password', 'recovery', 'forgot', 'token', 'resetToken'],
+                    },
+                    secureTokenFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as secure',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            minTokenEntropy: 128,
+            maxTokenLifetimeHours: 1,
+            recoveryKeywords: ['reset', 'password', 'recovery', 'forgot', 'token', 'resetToken'],
+            secureTokenFunctions: ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { recoveryKeywords = ['reset', 'password', 'recovery', 'forgot', 'token', 'resetToken'], secureTokenFunctions = ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'], trustedSanitizers = [], trustedAnnotations = ['secure-recovery', 'rate-limited'], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if code is related to password recovery
+         */
+        const isRecoveryRelated = (text) => {
+            const lowerText = text.toLowerCase();
+            return recoveryKeywords.some(keyword => lowerText.includes(keyword));
+        };
+        /**
+         * Check if token generation is cryptographically secure
+         */
+        const isSecureTokenGeneration = (callExpression) => {
+            const callText = sourceCode.getText(callExpression);
+            return secureTokenFunctions.some(func => callText.includes(func));
+        };
+        /**
+         * Check if token has expiration
+         */
+        const hasTokenExpiration = (functionNode) => {
+            const functionText = sourceCode.getText(functionNode).toLowerCase();
+            return functionText.includes('expire') ||
+                functionText.includes('ttl') ||
+                functionText.includes('timeout') ||
+                functionText.includes('lifetime');
+        };
+        return {
+            // Check variable declarations for recovery tokens
+            VariableDeclarator(node) {
+                if (!node.init || node.id.type !== 'Identifier') {
+                    return;
+                }
+                const varName = node.id.name.toLowerCase();
+                // Check if variable is recovery-related
+                if (recoveryKeywords.some(keyword => varName.includes(keyword))) {
+                    const initText = sourceCode.getText(node.init);
+                    // Check for weak token generation
+                    if (node.init.type === 'CallExpression') {
+                        if (!isSecureTokenGeneration(node.init)) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context) || (node.parent && safetyChecker.isSafe(node.parent, context))) {
+                                return;
+                            }
+                            context.report({
+                                node: node.init,
+                                messageId: 'predictableRecoveryToken',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                    else if (node.init.type === 'BinaryExpression') {
+                        // Check for predictable patterns
+                        const weakPatterns = ['Date.now()', 'Math.random()', 'timestamp', 'new Date()'];
+                        if (weakPatterns.some(pattern => initText.includes(pattern))) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context) || (node.parent && safetyChecker.isSafe(node.parent, context))) {
+                                return;
+                            }
+                            context.report({
+                                node: node.init,
+                                messageId: 'insufficientTokenEntropy',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check function declarations for recovery logic
+            FunctionDeclaration(node) {
+                if (!node.id) {
+                    return;
+                }
+                const functionName = node.id.name.toLowerCase();
+                const functionText = sourceCode.getText(node).toLowerCase();
+                // Check if function is recovery-related
+                if (isRecoveryRelated(functionName) || isRecoveryRelated(functionText)) {
+                    // Check for token expiration
+                    if (!hasTokenExpiration(node)) {
+                        // FALSE POSITIVE REDUCTION
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        context.report({
+                            node: node.id,
+                            messageId: 'missingTokenExpiration',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                    // Check for rate limiting (very basic check)
+                    if (!functionText.includes('limit') && !functionText.includes('rate')) {
+                        // FALSE POSITIVE REDUCTION
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        context.report({
+                            node: node.id,
+                            messageId: 'missingRateLimit',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check call expressions for logging sensitive data
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for console.log, logger calls
+                if ((callee.type === 'MemberExpression' &&
+                    callee.object.type === 'Identifier' &&
+                    (callee.object.name === 'console' || callee.object.name === 'logger') &&
+                    callee.property.type === 'Identifier' &&
+                    ['log', 'info', 'warn', 'error'].includes(callee.property.name)) ||
+                    (callee.type === 'Identifier' && callee.name === 'logger')) {
+                    const args = node.arguments;
+                    for (const arg of args) {
+                        // Ignore literal strings (labels, messages) - focusing on sensitive variables
+                        if (arg.type === 'Literal') {
+                            continue;
+                        }
+                        const argText = sourceCode.getText(arg).toLowerCase();
+                        // Check if logging recovery-related sensitive data
+                        if (isRecoveryRelated(argText) &&
+                            (argText.includes('token') || argText.includes('password') ||
+                                argText.includes('reset') || argText.includes('code'))) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context)) {
+                                continue;
+                            }
+                            context.report({
+                                node: arg,
+                                messageId: 'recoveryLoggingSensitiveData',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check for weak recovery verification
+            IfStatement(node) {
+                const test = node.test;
+                const testText = sourceCode.getText(test).toLowerCase();
+                // Check if this is a recovery-related condition
+                if (isRecoveryRelated(testText)) {
+                    // Look for weak verification (just checking email exists)
+                    if (testText.includes('email') && !testText.includes('verify') &&
+                        !testText.includes('token') && !testText.includes('code') &&
+                        !testText.includes('otp') && !testText.includes('sms')) {
+                        // FALSE POSITIVE REDUCTION
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        context.report({
+                            node: test,
+                            messageId: 'weakRecoveryVerification',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});
+//# sourceMappingURL=no-weak-password-recovery.js.map

package/src/rules/security/no-weak-password-recovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-weak-password-recovery.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-weak-password-recovery.ts"],"names":[],"mappings":";;;AAgBA,4DAAsD;AACtD,4DAA0E;AAC1E,4DAGkC;AAoCrB,QAAA,sBAAsB,GAAG,IAAA,0BAAU,EAA0B;IACxE,IAAI,EAAE,2BAA2B;IACjC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,2CAA2C;SACzD;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,wBAAwB;gBACnC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,qDAAqD;gBAClE,QAAQ,EAAE,cAAc;gBACxB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,oBAAoB;gBAC/B,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,6CAA6C;gBAC1D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,4DAA4D;aAChF,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,yBAAyB,EAAE,IAAA,gCAAgB,EAAC;gBAC1C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,6BAA6B;gBACxC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,wCAAwC;gBACrD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,sBAAsB,EAAE,IAAA,gCAAgB,EAAC;gBACvC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,0BAA0B;gBACrC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,8BAA8B;gBAC3C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,4BAA4B,EAAE,IAAA,gCAAgB,EAAC;gBAC7C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,iCAAiC;gBAC5C,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,iDAAiD;gBAC9D,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,yDAAyD;gBAC9D,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,+DAA+D;gBACpE,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,GAAG,EAAE,SAAS;gBACd,WAAW,EAAE,+BAA+B;gBAC5C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mDAAmD;gBACxD,iBAAiB,EAAE,4DAA4D;aAChF,CAAC;YACF,gCAAgC,EAAE,IAAA,gCAAgB,EAAC;gBACjD,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qCAAqC;gBAChD,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,mEAAmE;aACvF,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,4BAA4B;gBACvC,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mCAAmC;gBACxC,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;YACF,kBAAkB,EAAE,IAAA,gCAAgB,EAAC;gBACnC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,sBAAsB;gBACjC,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,6DAA6D;gBAClE,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,gDAAgD;gBACrD,iBAAiB,EAAE,4DAA4D;aAChF,CAAC;YACF,6BAA6B,EAAE,IAAA,gCAAgB,EAAC;gBAC9C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mCAAmC;gBAC9C,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,WAAW,EAAE,gCAAgC;gBAC7C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,iDAAiD;gBACtD,iBAAiB,EAAE,iDAAiD;aACrE,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,eAAe,EAAE;wBACf,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,EAAE;wBACX,OAAO,EAAE,GAAG;qBACb;oBACD,qBAAqB,EAAE;wBACrB,IAAI,EAAE,QAAQ;wBACd,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE,CAAC;qBACX;oBACD,gBAAgB,EAAE;wBAChB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC;qBAC5E;oBACD,oBAAoB,EAAE;wBACpB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,aAAa,EAAE,qBAAqB,CAAC;qBAC3F;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,iDAAiD;qBAC/D;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,0DAA0D;qBACxE;oBACD,UAAU,EAAE;wBACV,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,oDAAoD;qBAClE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,eAAe,EAAE,GAAG;YACpB,qBAAqB,EAAE,CAAC;YACxB,gBAAgB,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC;YACpF,oBAAoB,EAAE,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,aAAa,EAAE,qBAAqB,CAAC;YACvG,iBAAiB,EAAE,EAAE;YACrB,kBAAkB,EAAE,EAAE;YACtB,UAAU,EAAE,KAAK;SAClB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,gBAAgB,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC,EACrF,oBAAoB,GAAG,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,aAAa,EAAE,qBAAqB,CAAC,EACxG,iBAAiB,GAAG,EAAE,EACtB,kBAAkB,GAAG,CAAC,iBAAiB,EAAE,cAAc,CAAC,EACxD,UAAU,GAAG,KAAK,GACnB,GAAY,OAAO,CAAC;QAErB,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAA,mCAAmB,EAAC;YACxC,iBAAiB;YACjB,kBAAkB;YAClB,kBAAkB,EAAE,EAAE;YACtB,UAAU;SACX,CAAC,CAAC;QAEH;;WAEG;QACH,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAAW,EAAE;YAClD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACvE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,uBAAuB,GAAG,CAAC,cAAuC,EAAW,EAAE;YACnF,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YACpD,OAAO,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,YAA2G,EAAW,EAAE;YAClJ,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;YACpE,OAAO,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC/B,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC5B,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAChC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC3C,CAAC,CAAC;QAEF,OAAO;YACL,kDAAkD;YAClD,kBAAkB,CAAC,IAAiC;gBAClD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAChD,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAE3C,wCAAwC;gBACxC,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBAChE,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAE/C,kCAAkC;oBAClC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;wBACxC,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BACxC,2BAA2B;4BAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;gCACvG,OAAO;4BACT,CAAC;4BAED,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,SAAS,EAAE,0BAA0B;gCACrC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBACjD,iCAAiC;wBACjC,MAAM,YAAY,GAAG,CAAC,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;wBAChF,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;4BAC7D,2BAA2B;4BAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;gCACvG,OAAO;4BACT,CAAC;4BAED,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,SAAS,EAAE,0BAA0B;gCACrC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iDAAiD;YACjD,mBAAmB,CAAC,IAAkC;gBACpD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;oBACb,OAAO;gBACT,CAAC;gBAED,MAAM,YAAY,GAAG,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChD,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAE5D,wCAAwC;gBACxC,IAAI,iBAAiB,CAAC,YAAY,CAAC,IAAI,iBAAiB,CAAC,YAAY,CAAC,EAAE,CAAC;oBACvE,6BAA6B;oBAC7B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,IAAI,CAAC,EAAE;4BACb,SAAS,EAAE,wBAAwB;4BACnC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;oBAED,6CAA6C;oBAC7C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;wBACtE,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,IAAI,CAAC,EAAE;4BACb,SAAS,EAAE,kBAAkB;4BAC7B,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,oDAAoD;YACpD,cAAc,CAAC,IAA6B;gBAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;gBAE3B,sCAAsC;gBACtC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACnC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC;oBACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACjE,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;oBAE/D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC5B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;wBACtB,8EAA8E;wBAC9E,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;4BAC3B,SAAS;wBACX,CAAC;wBACF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;wBAEtD,mDAAmD;wBACnD,IAAI,iBAAiB,CAAC,OAAO,CAAC;4BAC1B,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gCACzD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;4BAC5D,2BAA2B;4BAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gCACxC,SAAS;4BACX,CAAC;4BAED,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI,EAAE,GAAG;gCACT,SAAS,EAAE,8BAA8B;gCACzC,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,WAAW,CAAC,IAA0B;gBACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;gBACvB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAExD,gDAAgD;gBAChD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChC,0DAA0D;oBAC1D,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;wBAC1D,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACzD,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;wBAE3D,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,IAAI;4BACV,SAAS,EAAE,0BAA0B;4BACrC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/no-xpath-injection.d.ts

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** XPath-related function names to check */
+    xpathFunctions?: string[];
+    /** Functions that safely construct XPath queries */
+    safeXpathConstructors?: string[];
+    /** Functions that validate/sanitize XPath input */
+    xpathValidationFunctions?: string[];
+}
+export declare const noXpathInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;