eslint-plugin-secure-coding 1.0.0

package/src/rules/security/detect-child-process.js

@@ -0,0 +1,460 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectChildProcess = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const COMMAND_PATTERNS = [
+    {
+        method: 'exec',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['execFile', 'spawn'],
+        example: {
+            bad: 'exec(`git clone ${repoUrl}`)',
+            good: [
+                'execFile(\'git\', [\'clone\', repoUrl], {shell: false})',
+                'spawn(\'git\', [\'clone\', repoUrl], {shell: false})'
+            ]
+        },
+        effort: '15-25 minutes'
+    },
+    {
+        method: 'execSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['execFileSync', 'spawnSync'],
+        example: {
+            bad: 'execSync(`npm install ${packageName}`)',
+            good: [
+                'execFileSync(\'npm\', [\'install\', packageName], {shell: false})',
+                'spawnSync(\'npm\', [\'install\', packageName], {shell: false})'
+            ]
+        },
+        effort: '15-25 minutes'
+    },
+    {
+        method: 'spawn',
+        dangerous: false,
+        vulnerability: 'argument-injection',
+        safeAlternatives: ['spawn with validation'],
+        example: {
+            bad: 'spawn(\'bash\', [\'-c\', userCommand])',
+            good: [
+                'spawn(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '20-30 minutes'
+    },
+    {
+        method: 'execFile',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawn'],
+        example: {
+            bad: 'execFile(userCommand, userArgs, callback)',
+            good: [
+                'spawn(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'execFileSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawnSync'],
+        example: {
+            bad: 'execFileSync(userCommand, userArgs)',
+            good: [
+                'spawnSync(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'spawnSync',
+        dangerous: false,
+        vulnerability: 'argument-injection',
+        safeAlternatives: ['spawnSync with validation'],
+        example: {
+            bad: 'spawnSync(\'bash\', [\'-c\', userCommand])',
+            good: [
+                'spawnSync(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '15-20 minutes'
+    },
+    {
+        method: 'fork',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawn'],
+        example: {
+            bad: 'fork(userScript)',
+            good: [
+                'spawn(\'node\', [validatedScript], {shell: false})',
+                '// Validate script path first'
+            ]
+        },
+        effort: '15-20 minutes'
+    },
+    {
+        method: 'forkSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawnSync'],
+        example: {
+            bad: 'forkSync(userScript)',
+            good: [
+                'spawnSync(\'node\', [validatedScript], {shell: false, stdio: \'inherit\'})',
+                '// Validate script path first'
+            ]
+        },
+        effort: '15-20 minutes'
+    }
+];
+exports.detectChildProcess = (0, eslint_devkit_2.createRule)({
+    name: 'detect-child-process',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects child_process usage that may allow command injection',
+        },
+        messages: {
+            // 🎯 Token optimization: 44% reduction (55→31 tokens) - removes ❌/✅/📚 labels
+            childProcessCommandInjection: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.WARNING,
+                issueName: 'Command injection',
+                cwe: 'CWE-78',
+                description: 'Command injection detected',
+                severity: 'CRITICAL',
+                fix: 'Use execFile/spawn with {shell: false} and array args',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            useExecFile: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use execFile',
+                description: 'Use execFile() with argument array',
+                severity: 'LOW',
+                fix: 'execFile(cmd, [arg1, arg2], { shell: false })',
+                documentationLink: 'https://nodejs.org/api/child_process.html#child_processexecfilefile-args-options-callback',
+            }),
+            useSpawn: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use spawn',
+                description: 'Use spawn() with separate arguments',
+                severity: 'LOW',
+                fix: 'spawn(cmd, [arg1, arg2], { shell: false })',
+                documentationLink: 'https://nodejs.org/api/child_process.html#child_processspawncommand-args-options',
+            }),
+            useSaferLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Safer Library',
+                description: 'Consider safer command execution libraries',
+                severity: 'LOW',
+                fix: 'Use execa, zx, or cross-spawn instead',
+                documentationLink: 'https://github.com/sindresorhus/execa',
+            }),
+            validateInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Input',
+                description: 'Add input validation and sanitization',
+                severity: 'LOW',
+                fix: 'Validate user input before passing to command',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            useShellFalse: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Disable Shell',
+                description: 'Use shell: false option',
+                severity: 'LOW',
+                fix: '{ shell: false } to prevent shell interpretation',
+                documentationLink: 'https://nodejs.org/api/child_process.html#spawning-bat-and-cmd-files-on-windows',
+            }),
+            strategyValidate: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Validate Strategy',
+                description: 'Comprehensive input validation',
+                severity: 'LOW',
+                fix: 'Add allowlist validation before command execution',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            strategySanitize: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Sanitize Strategy',
+                description: 'Sanitize and escape command arguments',
+                severity: 'LOW',
+                fix: 'Escape special characters in command arguments',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            strategyRestrict: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Restrict Strategy',
+                description: 'Restrict to predefined safe commands',
+                severity: 'LOW',
+                fix: 'Define allowlist of permitted commands',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiteralStrings: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow exec() with literal strings'
+                    },
+                    allowLiteralSpawn: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow spawn() with literal arguments'
+                    },
+                    additionalMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional child_process methods to check'
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['validate', 'sanitize', 'restrict', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing command injection (auto = smart detection)'
+                    }
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiteralStrings: false,
+            allowLiteralSpawn: false,
+            additionalMethods: [],
+            strategy: 'auto'
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowLiteralStrings = false, allowLiteralSpawn = false, additionalMethods = [], } = options || {};
+        /**
+         * Child process methods that can be dangerous
+         */
+        const dangerousMethods = [
+            'exec',
+            'execSync',
+            'execFile',
+            'execFileSync',
+            'spawn',
+            'spawnSync',
+            'fork',
+            'forkSync',
+            ...additionalMethods
+        ];
+        /**
+         * Check if a node contains string interpolation or concatenation
+         */
+        const containsDynamicStrings = (node) => {
+            if (node.type === 'TemplateLiteral') {
+                return node.expressions.length > 0;
+            }
+            if (node.type === 'BinaryExpression' && node.operator === '+') {
+                return true;
+            }
+            // Check for variable references
+            if (node.type === 'Identifier') {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if arguments contain only literals (safe)
+         */
+        const hasOnlyLiteralArgs = (args) => {
+            return args.every(arg => arg.type === 'Literal' ||
+                (arg.type === 'ArrayExpression' &&
+                    arg.elements.every((el) => el?.type === 'Literal')));
+        };
+        /**
+         * Extract command and arguments for analysis
+         */
+        const extractCommandInfo = (node) => {
+            const method = node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier'
+                ? node.callee.property.name
+                : 'unknown';
+            const sourceCode = context.sourceCode || context.sourceCode;
+            const args = node.arguments.map((arg) => sourceCode.getText(arg)).join(', ');
+            const pattern = COMMAND_PATTERNS.find(p => p.method === method) || null;
+            // Check if arguments contain dynamic content
+            const isDynamic = node.arguments.some((arg) => containsDynamicStrings(arg));
+            return { method, args, pattern, isDynamic };
+        };
+        /**
+         * Generate refactoring steps based on the pattern
+         */
+        const generateRefactoringSteps = (pattern) => {
+            switch (pattern.method) {
+                case 'exec':
+                case 'execSync':
+                    return [
+                        '   1. Replace exec() with execFile() or spawn()',
+                        '   2. Split command and arguments into separate array elements',
+                        '   3. Use {shell: false} option to prevent shell interpretation',
+                        '   4. Validate and sanitize all user inputs',
+                        '   5. Consider using execa library for better security'
+                    ].join('\n');
+                case 'spawn':
+                    return [
+                        '   1. Ensure first argument is a safe, validated command path',
+                        '   2. Pass arguments as separate array elements',
+                        '   3. Use {shell: false} to prevent shell injection',
+                        '   4. Validate command exists and is executable',
+                        '   5. Consider using cross-spawn for cross-platform safety'
+                    ].join('\n');
+                case 'execFile':
+                    return [
+                        '   1. Replace execFile() with spawn() for better security',
+                        '   2. Validate command path before execution',
+                        '   3. Ensure arguments are properly sanitized',
+                        '   4. Use {shell: false} option',
+                        '   5. Consider using execa library'
+                    ].join('\n');
+                case 'execFileSync':
+                    return [
+                        '   1. Replace execFileSync() with spawnSync() for better security',
+                        '   2. Validate command path before execution',
+                        '   3. Ensure arguments are properly sanitized',
+                        '   4. Use {shell: false} option',
+                        '   5. Consider using execa library'
+                    ].join('\n');
+                case 'spawnSync':
+                    return [
+                        '   1. Ensure first argument is a safe, validated command path',
+                        '   2. Pass arguments as separate array elements',
+                        '   3. Use {shell: false} to prevent shell injection',
+                        '   4. Validate command exists and is executable',
+                        '   5. Handle synchronous execution properly'
+                    ].join('\n');
+                case 'fork':
+                    return [
+                        '   1. Replace fork() with spawn() for Node.js scripts',
+                        '   2. Validate script path exists and is readable',
+                        '   3. Use spawn(\'node\', [scriptPath], options) instead',
+                        '   4. Add proper error handling',
+                        '   5. Consider using child_process.execFile() for simple scripts'
+                    ].join('\n');
+                case 'forkSync':
+                    return [
+                        '   1. Replace forkSync() with spawnSync() for Node.js scripts',
+                        '   2. Validate script path exists and is readable',
+                        '   3. Use spawnSync(\'node\', [scriptPath], options) instead',
+                        '   4. Add proper error handling and synchronous waiting',
+                        '   5. Consider using child_process.execFileSync() for simple scripts'
+                    ].join('\n');
+                default:
+                    return [
+                        '   1. Identify the specific command execution need',
+                        '   2. Choose appropriate child_process method',
+                        '   3. Use argument arrays instead of string interpolation',
+                        '   4. Add comprehensive input validation',
+                        '   5. Test with malicious inputs'
+                    ].join('\n');
+            }
+        };
+        /**
+         * Determine risk level based on the call pattern
+         */
+        const determineRiskLevel = (pattern, isDynamic) => {
+            if (pattern?.dangerous && isDynamic) {
+                return 'critical';
+            }
+            if (pattern?.dangerous || isDynamic) {
+                return 'high';
+            }
+            return 'medium';
+        };
+        /**
+         * Check child_process calls for security issues
+         */
+        const checkChildProcessCall = (node) => {
+            // Check if it's a child_process method call
+            if (node.callee.type !== 'MemberExpression' ||
+                node.callee.object.type !== 'Identifier' ||
+                node.callee.object.name !== 'child_process' ||
+                node.callee.property.type !== 'Identifier') {
+                return;
+            }
+            const methodName = node.callee.property.name;
+            // Skip if not a dangerous method
+            if (!dangerousMethods.includes(methodName)) {
+                return;
+            }
+            const { method, args, pattern, isDynamic } = extractCommandInfo(node);
+            // Allow literal strings if configured
+            if (allowLiteralStrings && method === 'exec' && !isDynamic) {
+                return;
+            }
+            // Allow literal spawn if configured
+            if (allowLiteralSpawn && method === 'spawn' && hasOnlyLiteralArgs(node.arguments)) {
+                return;
+            }
+            // Report the security issue
+            const riskLevel = determineRiskLevel(pattern, isDynamic);
+            const steps = pattern ? generateRefactoringSteps(pattern) : 'Review and secure command execution';
+            const alternatives = pattern?.safeAlternatives.join(', ') || 'execFile, spawn with validation';
+            context.report({
+                node,
+                messageId: 'childProcessCommandInjection',
+                data: {
+                    method,
+                    args,
+                    riskLevel,
+                    vulnerability: pattern?.vulnerability || 'command injection',
+                    alternatives,
+                    steps,
+                    effort: pattern?.effort || '15-30 minutes'
+                },
+                suggest: [
+                    {
+                        messageId: 'useExecFile',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useSpawn',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useSaferLibrary',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'validateInput',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useShellFalse',
+                        fix: () => null
+                    }
+                ]
+            });
+        };
+        /**
+         * Check require/import statements for child_process
+         */
+        const checkChildProcessImport = () => {
+            // This could be extended to warn about child_process imports in general
+            // For now, we focus on the actual dangerous calls
+        };
+        return {
+            CallExpression: checkChildProcessCall,
+            ImportDeclaration: checkChildProcessImport
+        };
+    },
+});
+//# sourceMappingURL=detect-child-process.js.map

package/src/rules/security/detect-child-process.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect-child-process.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/detect-child-process.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAyCtD,MAAM,gBAAgB,GAAqB;IACzC;QACE,MAAM,EAAE,MAAM;QACd,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,UAAU,EAAE,OAAO,CAAC;QACvC,OAAO,EAAE;YACP,GAAG,EAAE,8BAA8B;YACnC,IAAI,EAAE;gBACJ,yDAAyD;gBACzD,sDAAsD;aACvD;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,cAAc,EAAE,WAAW,CAAC;QAC/C,OAAO,EAAE;YACP,GAAG,EAAE,wCAAwC;YAC7C,IAAI,EAAE;gBACJ,mEAAmE;gBACnE,gEAAgE;aACjE;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,OAAO;QACf,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,oBAAoB;QACnC,gBAAgB,EAAE,CAAC,uBAAuB,CAAC;QAC3C,OAAO,EAAE;YACP,GAAG,EAAE,wCAAwC;YAC7C,IAAI,EAAE;gBACJ,wDAAwD;gBACxD,oCAAoC;aACrC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,OAAO,CAAC;QAC3B,OAAO,EAAE;YACP,GAAG,EAAE,2CAA2C;YAChD,IAAI,EAAE;gBACJ,wDAAwD;gBACxD,oCAAoC;aACrC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,cAAc;QACtB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,WAAW,CAAC;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,qCAAqC;YAC1C,IAAI,EAAE;gBACJ,4DAA4D;gBAC5D,oCAAoC;aACrC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,WAAW;QACnB,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,oBAAoB;QACnC,gBAAgB,EAAE,CAAC,2BAA2B,CAAC;QAC/C,OAAO,EAAE;YACP,GAAG,EAAE,4CAA4C;YACjD,IAAI,EAAE;gBACJ,4DAA4D;gBAC5D,oCAAoC;aACrC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,MAAM;QACd,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,OAAO,CAAC;QAC3B,OAAO,EAAE;YACP,GAAG,EAAE,kBAAkB;YACvB,IAAI,EAAE;gBACJ,oDAAoD;gBACpD,+BAA+B;aAChC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,mBAAmB;QAClC,gBAAgB,EAAE,CAAC,WAAW,CAAC;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,sBAAsB;YAC3B,IAAI,EAAE;gBACJ,4EAA4E;gBAC5E,+BAA+B;aAChC;SACF;QACD,MAAM,EAAE,eAAe;KACxB;CACF,CAAC;AAEW,QAAA,kBAAkB,GAAG,IAAA,0BAAU,EAA0B;IACpE,IAAI,EAAE,sBAAsB;IAC5B,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,8DAA8D;SAC5E;QACD,QAAQ,EAAE;YACR,8EAA8E;YAC9E,4BAA4B,EAAE,IAAA,gCAAgB,EAAC;gBAC7C,IAAI,EAAE,4BAAY,CAAC,OAAO;gBAC1B,SAAS,EAAE,mBAAmB;gBAC9B,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,4BAA4B;gBACzC,QAAQ,EAAE,UAAU;gBACpB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;YACF,WAAW,EAAE,IAAA,gCAAgB,EAAC;gBAC5B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,cAAc;gBACzB,WAAW,EAAE,oCAAoC;gBACjD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,2FAA2F;aAC/G,CAAC;YACF,QAAQ,EAAE,IAAA,gCAAgB,EAAC;gBACzB,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,WAAW;gBACtB,WAAW,EAAE,qCAAqC;gBAClD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,kFAAkF;aACtG,CAAC;YACF,eAAe,EAAE,IAAA,gCAAgB,EAAC;gBAChC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,4CAA4C;gBACzD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,uCAAuC;gBAC5C,iBAAiB,EAAE,uCAAuC;aAC3D,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,gBAAgB;gBAC3B,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,+CAA+C;gBACpD,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,eAAe;gBAC1B,WAAW,EAAE,yBAAyB;gBACtC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,kDAAkD;gBACvD,iBAAiB,EAAE,iFAAiF;aACrG,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,gCAAgC;gBAC7C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mDAAmD;gBACxD,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,gDAAgD;gBACrD,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,sCAAsC;gBACnD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,wCAAwC;gBAC7C,iBAAiB,EAAE,2DAA2D;aAC/E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,mBAAmB,EAAE;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,mCAAmC;qBACjD;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,sCAAsC;qBACpD;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,2CAA2C;qBACzD;oBACD,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC;wBAClD,OAAO,EAAE,MAAM;wBACf,WAAW,EAAE,gEAAgE;qBAC9E;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,mBAAmB,EAAE,KAAK;YAC1B,iBAAiB,EAAE,KAAK;YACxB,iBAAiB,EAAE,EAAE;YACrB,QAAQ,EAAE,MAAM;SACjB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,mBAAmB,GAAG,KAAK,EAC3B,iBAAiB,GAAG,KAAK,EACzB,iBAAiB,GAAG,EAAE,GACvB,GAAY,OAAO,IAAI,EAAE,CAAC;QAE3B;;WAEG;QACH,MAAM,gBAAgB,GAAG;YACvB,MAAM;YACN,UAAU;YACV,UAAU;YACV,cAAc;YACd,OAAO;YACP,WAAW;YACX,MAAM;YACN,UAAU;YACV,GAAG,iBAAiB;SACrB,CAAC;QAEF;;WAEG;QACH,MAAM,sBAAsB,GAAG,CAAC,IAAmB,EAAW,EAAE;YAC9D,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBACpC,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBAC9D,OAAO,IAAI,CAAC;YACd,CAAC;YAED,gCAAgC;YAChC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,IAAqB,EAAW,EAAE;YAC5D,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CACtB,GAAG,CAAC,IAAI,KAAK,SAAS;gBACtB,CAAC,GAAG,CAAC,IAAI,KAAK,iBAAiB;oBAC9B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAwB,EAAE,EAAE,CAAC,EAAE,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAC3E,CAAC;QACJ,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,IAA6B,EAKvD,EAAE;YACF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACxC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACxC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI;gBAC3B,CAAC,CAAC,SAAS,CAAC;YAE5B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;YAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAkB,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE5F,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC;YAExE,6CAA6C;YAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAkB,EAAE,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC;YAE3F,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QAC9C,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,wBAAwB,GAAG,CAAC,OAAuB,EAAU,EAAE;YACnE,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;gBACvB,KAAK,MAAM,CAAC;gBACZ,KAAK,UAAU;oBACb,OAAO;wBACL,iDAAiD;wBACjD,gEAAgE;wBAChE,iEAAiE;wBACjE,6CAA6C;wBAC7C,wDAAwD;qBACzD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,OAAO;oBACV,OAAO;wBACL,+DAA+D;wBAC/D,iDAAiD;wBACjD,qDAAqD;wBACrD,iDAAiD;wBACjD,4DAA4D;qBAC7D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,UAAU;oBACb,OAAO;wBACL,2DAA2D;wBAC3D,8CAA8C;wBAC9C,+CAA+C;wBAC/C,iCAAiC;wBACjC,oCAAoC;qBACrC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,cAAc;oBACjB,OAAO;wBACL,mEAAmE;wBACnE,8CAA8C;wBAC9C,+CAA+C;wBAC/C,iCAAiC;wBACjC,oCAAoC;qBACrC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,WAAW;oBACd,OAAO;wBACL,+DAA+D;wBAC/D,iDAAiD;wBACjD,qDAAqD;wBACrD,iDAAiD;wBACjD,6CAA6C;qBAC9C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,MAAM;oBACT,OAAO;wBACL,uDAAuD;wBACvD,mDAAmD;wBACnD,0DAA0D;wBAC1D,iCAAiC;wBACjC,kEAAkE;qBACnE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,UAAU;oBACb,OAAO;wBACL,+DAA+D;wBAC/D,mDAAmD;wBACnD,8DAA8D;wBAC9D,yDAAyD;wBACzD,sEAAsE;qBACvE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf;oBACE,OAAO;wBACL,oDAAoD;wBACpD,+CAA+C;wBAC/C,2DAA2D;wBAC3D,0CAA0C;wBAC1C,kCAAkC;qBACnC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,OAA8B,EAAE,SAAkB,EAAkC,EAAE;YAChH,IAAI,OAAO,EAAE,SAAS,IAAI,SAAS,EAAE,CAAC;gBACpC,OAAO,UAAU,CAAC;YACpB,CAAC;YACD,IAAI,OAAO,EAAE,SAAS,IAAI,SAAS,EAAE,CAAC;gBACpC,OAAO,MAAM,CAAC;YAChB,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,qBAAqB,GAAG,CAAC,IAA6B,EAAE,EAAE;YAC9D,4CAA4C;YAC5C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,eAAe;gBAC3C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YAE7C,iCAAiC;YACjC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3C,OAAO;YACT,CAAC;YAED,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YAEtE,sCAAsC;YACtC,IAAI,mBAAmB,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,oCAAoC;YACpC,IAAI,iBAAiB,IAAI,MAAM,KAAK,OAAO,IAAI,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClF,OAAO;YACT,CAAC;YAED,4BAA4B;YAC5B,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YACzD,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,qCAAqC,CAAC;YAClG,MAAM,YAAY,GAAG,OAAO,EAAE,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iCAAiC,CAAC;YAE/F,OAAO,CAAC,MAAM,CAAC;gBACb,IAAI;gBACJ,SAAS,EAAE,8BAA8B;gBACzC,IAAI,EAAE;oBACJ,MAAM;oBACN,IAAI;oBACJ,SAAS;oBACT,aAAa,EAAE,OAAO,EAAE,aAAa,IAAI,mBAAmB;oBAC5D,YAAY;oBACZ,KAAK;oBACL,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,eAAe;iBAC3C;gBACD,OAAO,EAAE;oBACP;wBACE,SAAS,EAAE,aAAa;wBACxB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,UAAU;wBACrB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,iBAAiB;wBAC5B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,eAAe;wBAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,eAAe;wBAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;iBACF;aACF,CAAC,CAAC;QACL,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,uBAAuB,GAAG,GAAG,EAAE;YACnC,wEAAwE;YACxE,kDAAkD;QACpD,CAAC,CAAC;QAEF,OAAO;YACL,cAAc,EAAE,qBAAqB;YACrC,iBAAiB,EAAE,uBAAuB;SAC3C,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/detect-eval-with-expression.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow eval with literal strings. Default: false (stricter) */
+    allowLiteralStrings?: boolean;
+    /** Additional functions to treat as eval-like */
+    additionalEvalFunctions?: string[];
+    /** Strategy for fixing eval usage: 'remove', 'refactor', 'validate', or 'auto' */
+    strategy?: 'remove' | 'refactor' | 'validate' | 'auto';
+}
+export declare const detectEvalWithExpression: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;