eslint-plugin-secure-coding 1.0.0

package/src/rules/security/detect-non-literal-fs-filename.js

@@ -0,0 +1,322 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectNonLiteralFsFilename = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const FS_OPERATIONS = [
+    {
+        method: 'readFile',
+        dangerous: true,
+        vulnerability: 'file-access',
+        safePattern: 'path.resolve(SAFE_DIR, path.basename(userInput))',
+        example: {
+            bad: 'fs.readFile(userPath, callback)',
+            good: 'const safePath = path.join(SAFE_UPLOADS_DIR, path.basename(userPath)); fs.readFile(safePath, callback)'
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'writeFile',
+        dangerous: true,
+        vulnerability: 'file-access',
+        safePattern: 'path.resolve(SAFE_DIR, path.basename(userInput))',
+        example: {
+            bad: 'fs.writeFile(userPath, data, callback)',
+            good: 'const safePath = path.join(SAFE_WRITES_DIR, path.basename(userPath)); fs.writeFile(safePath, data, callback)'
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'stat',
+        dangerous: true,
+        vulnerability: 'path-traversal',
+        safePattern: 'path.resolve(baseDir, userInput) with validation',
+        example: {
+            bad: 'fs.stat(userPath, callback)',
+            good: 'const resolvedPath = path.resolve(SAFE_DIR, userPath);\nif (!resolvedPath.startsWith(SAFE_DIR)) return;\nfs.stat(resolvedPath, callback)'
+        },
+        effort: '15-20 minutes'
+    },
+    {
+        method: 'readdir',
+        dangerous: true,
+        vulnerability: 'directory-traversal',
+        safePattern: 'Validate directory is within allowed paths',
+        example: {
+            bad: 'fs.readdir(userDir, callback)',
+            good: 'const resolvedDir = path.resolve(ALLOWED_DIRS, userDir);\nif (!resolvedDir.startsWith(ALLOWED_DIRS)) return;\nfs.readdir(resolvedDir, callback)'
+        },
+        effort: '15-20 minutes'
+    }
+];
+exports.detectNonLiteralFsFilename = (0, eslint_devkit_2.createRule)({
+    name: 'detect-non-literal-fs-filename',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system',
+        },
+        messages: {
+            // 🎯 Token optimization: 39% reduction (49→30 tokens) - template variables still work
+            fsPathTraversal: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: '🔑',
+                issueName: 'Path traversal',
+                cwe: 'CWE-22',
+                description: 'Path traversal vulnerability',
+                severity: '{{riskLevel}}',
+                fix: '{{safePattern}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
+            }),
+            usePathResolve: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use path.resolve',
+                description: 'Use path.resolve() to normalize paths',
+                severity: 'LOW',
+                fix: 'path.resolve(SAFE_DIR, userInput)',
+                documentationLink: 'https://nodejs.org/api/path.html#pathresolvepaths',
+            }),
+            validatePath: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Path',
+                description: 'Validate resolved path starts with allowed base',
+                severity: 'LOW',
+                fix: 'if (!resolved.startsWith(SAFE_DIR)) throw new Error()',
+                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
+            }),
+            useBasename: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use path.basename',
+                description: 'Use path.basename() to strip directory components',
+                severity: 'LOW',
+                fix: 'path.basename(userInput)',
+                documentationLink: 'https://nodejs.org/api/path.html#pathbasenamepath-suffix',
+            }),
+            createSafeDir: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Define Safe Directory',
+                description: 'Define SAFE_DIR constant',
+                severity: 'LOW',
+                fix: 'const SAFE_DIR = path.resolve(__dirname, "uploads")',
+                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
+            }),
+            whitelistExtensions: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Whitelist Extensions',
+                description: 'Whitelist allowed file extensions',
+                severity: 'LOW',
+                fix: 'const ALLOWED_EXT = [".txt", ".pdf"]; if (!ALLOWED_EXT.includes(ext)) throw',
+                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiterals: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow literal string paths'
+                    },
+                    additionalMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional fs methods to check'
+                    },
+                    allowedExtensions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Allowed file extensions (e.g., [".txt", ".json"])'
+                    }
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiterals: false,
+            additionalMethods: []
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowLiterals = false, additionalMethods = [] } = options || {};
+        /**
+         * File system methods that can be dangerous with user input
+         */
+        const dangerousMethods = [
+            'readFile', 'readFileSync',
+            'writeFile', 'writeFileSync',
+            'appendFile', 'appendFileSync',
+            'stat', 'statSync',
+            'lstat', 'lstatSync',
+            'readdir', 'readdirSync',
+            'unlink', 'unlinkSync',
+            'mkdir', 'mkdirSync',
+            'rmdir', 'rmdirSync',
+            'access', 'accessSync',
+            'createReadStream', 'createWriteStream',
+            ...additionalMethods
+        ];
+        /**
+         * Check if a node is a literal string (safe)
+         */
+        const isLiteralString = (node) => {
+            return node.type === 'Literal' && typeof node.value === 'string';
+        };
+        /**
+         * Check if path has dangerous patterns like ../ or ..\
+         */
+        const hasTraversalPatterns = (pathStr) => {
+            return /\.\.[/\\]/.test(pathStr) || /^\.\.[/\\]/.test(pathStr);
+        };
+        /**
+         * Extract path argument from fs call
+         */
+        const extractPathArgument = (node) => {
+            const method = node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier'
+                ? node.callee.property.name
+                : 'unknown';
+            const operation = FS_OPERATIONS.find(op => op.method === method) || null;
+            // First argument is usually the path
+            const pathNode = node.arguments.length > 0 ? node.arguments[0] : null;
+            const sourceCode = context.sourceCode || context.sourceCode;
+            const path = pathNode ? sourceCode.getText(pathNode) : '';
+            return { path, pathNode, method, operation };
+        };
+        /**
+         * Determine if the path argument is potentially dangerous
+         */
+        const isDangerousPath = (pathNode, pathStr) => {
+            // Allow literals if configured
+            if (allowLiterals && pathNode && isLiteralString(pathNode)) {
+                return false;
+            }
+            // Check for obvious traversal patterns in literals
+            if (pathNode && isLiteralString(pathNode) && hasTraversalPatterns(pathStr)) {
+                return true;
+            }
+            // Any non-literal is dangerous
+            return !pathNode || !isLiteralString(pathNode);
+        };
+        /**
+         * Generate refactoring steps based on the operation
+         */
+        const generateRefactoringSteps = (operation) => {
+            switch (operation.method) {
+                case 'readFile':
+                case 'writeFile':
+                    return [
+                        '   1. Define a SAFE_DIR constant for allowed operations',
+                        '   2. Use path.basename() to strip directory components',
+                        '   3. Combine with SAFE_DIR: path.join(SAFE_DIR, path.basename(userPath))',
+                        '   4. Optionally validate file extensions',
+                        '   5. Add error handling for invalid paths'
+                    ].join('\n');
+                case 'stat':
+                    return [
+                        '   1. Use path.resolve() to normalize the path',
+                        '   2. Check if resolved path starts with allowed base directory',
+                        '   3. Reject requests that escape the allowed directory',
+                        '   4. Use path.relative() for additional validation',
+                        '   5. Log security events for monitoring'
+                    ].join('\n');
+                case 'readdir':
+                    return [
+                        '   1. Resolve the directory path: path.resolve(ALLOWED_DIRS, userDir)',
+                        '   2. Validate resolved path starts with ALLOWED_DIRS',
+                        '   3. Check directory exists and is readable',
+                        '   4. Consider whitelisting allowed directories',
+                        '   5. Add rate limiting to prevent enumeration attacks'
+                    ].join('\n');
+                default:
+                    return [
+                        '   1. Identify the specific file operation needed',
+                        '   2. Define safe base directories for operations',
+                        '   3. Use path.resolve() and validate containment',
+                        '   4. Sanitize user input (basename, extension validation)',
+                        '   5. Add comprehensive error handling'
+                    ].join('\n');
+            }
+        };
+        /**
+         * Determine risk level based on the operation and path
+         */
+        const determineRiskLevel = (operation, pathStr) => {
+            if (hasTraversalPatterns(pathStr)) {
+                return 'CRITICAL';
+            }
+            if (operation.dangerous) {
+                return 'HIGH';
+            }
+            return 'MEDIUM';
+        };
+        /**
+         * Check fs method calls for path traversal vulnerabilities
+         */
+        const checkFsCall = (node) => {
+            // Check if it's an fs method call
+            if (node.callee.type !== 'MemberExpression' ||
+                node.callee.object.type !== 'Identifier' ||
+                node.callee.object.name !== 'fs' ||
+                node.callee.property.type !== 'Identifier') {
+                return;
+            }
+            const methodName = node.callee.property.name;
+            // Skip if not a dangerous method
+            if (!dangerousMethods.includes(methodName)) {
+                return;
+            }
+            const { path, pathNode, method, operation } = extractPathArgument(node);
+            // Check if the path argument is dangerous
+            if (!isDangerousPath(pathNode, path)) {
+                return;
+            }
+            const riskLevel = determineRiskLevel(operation || FS_OPERATIONS[0], path);
+            const steps = operation ? generateRefactoringSteps(operation) : 'Review file system access patterns';
+            const safePattern = operation?.safePattern || 'Use path.resolve() with validation';
+            context.report({
+                node,
+                messageId: 'fsPathTraversal',
+                data: {
+                    method,
+                    path,
+                    riskLevel,
+                    vulnerability: operation?.vulnerability || 'path traversal',
+                    safePattern,
+                    steps,
+                    effort: operation?.effort || '15-20 minutes'
+                },
+                suggest: [
+                    {
+                        messageId: 'usePathResolve',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'validatePath',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useBasename',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'createSafeDir',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'whitelistExtensions',
+                        fix: () => null
+                    }
+                ]
+            });
+        };
+        return {
+            CallExpression: checkFsCall
+        };
+    },
+});
+//# sourceMappingURL=detect-non-literal-fs-filename.js.map

package/src/rules/security/detect-non-literal-fs-filename.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect-non-literal-fs-filename.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/detect-non-literal-fs-filename.ts"],"names":[],"mappings":";;;AASA,4DAA0E;AAC1E,4DAAsD;AAgCtD,MAAM,aAAa,GAAkB;IACnC;QACE,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,aAAa;QAC5B,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE;YACP,GAAG,EAAE,iCAAiC;YACtC,IAAI,EAAE,wGAAwG;SAC/G;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,WAAW;QACnB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,aAAa;QAC5B,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE;YACP,GAAG,EAAE,wCAAwC;YAC7C,IAAI,EAAE,8GAA8G;SACrH;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,MAAM;QACd,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,gBAAgB;QAC/B,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE;YACP,GAAG,EAAE,6BAA6B;YAClC,IAAI,EAAE,0IAA0I;SACjJ;QACD,MAAM,EAAE,eAAe;KACxB;IACD;QACE,MAAM,EAAE,SAAS;QACjB,SAAS,EAAE,IAAI;QACf,aAAa,EAAE,qBAAqB;QACpC,WAAW,EAAE,4CAA4C;QACzD,OAAO,EAAE;YACP,GAAG,EAAE,+BAA+B;YACpC,IAAI,EAAE,iJAAiJ;SACxJ;QACD,MAAM,EAAE,eAAe;KACxB;CACF,CAAC;AAEW,QAAA,0BAA0B,GAAG,IAAA,0BAAU,EAA0B;IAC5E,IAAI,EAAE,gCAAgC;IACtC,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,oHAAoH;SAClI;QACD,QAAQ,EAAE;YACR,sFAAsF;YACtF,eAAe,EAAE,IAAA,gCAAgB,EAAC;gBAChC,IAAI,EAAE,IAAI;gBACV,SAAS,EAAE,gBAAgB;gBAC3B,GAAG,EAAE,QAAQ;gBACb,WAAW,EAAE,8BAA8B;gBAC3C,QAAQ,EAAE,eAAe;gBACzB,GAAG,EAAE,iBAAiB;gBACtB,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;YACF,cAAc,EAAE,IAAA,gCAAgB,EAAC;gBAC/B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,WAAW,EAAE,uCAAuC;gBACpD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,mCAAmC;gBACxC,iBAAiB,EAAE,mDAAmD;aACvE,CAAC;YACF,YAAY,EAAE,IAAA,gCAAgB,EAAC;gBAC7B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,eAAe;gBAC1B,WAAW,EAAE,iDAAiD;gBAC9D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;YACF,WAAW,EAAE,IAAA,gCAAgB,EAAC;gBAC5B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,WAAW,EAAE,mDAAmD;gBAChE,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,0BAA0B;gBAC/B,iBAAiB,EAAE,0DAA0D;aAC9E,CAAC;YACF,aAAa,EAAE,IAAA,gCAAgB,EAAC;gBAC9B,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,uBAAuB;gBAClC,WAAW,EAAE,0BAA0B;gBACvC,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,qDAAqD;gBAC1D,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,sBAAsB;gBACjC,WAAW,EAAE,mCAAmC;gBAChD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,6EAA6E;gBAClF,iBAAiB,EAAE,wDAAwD;aAC5E,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,aAAa,EAAE;wBACb,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,4BAA4B;qBAC1C;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,gCAAgC;qBAC9C;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,mDAAmD;qBACjE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,aAAa,EAAE,KAAK;YACpB,iBAAiB,EAAE,EAAE;SACtB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACV,aAAa,GAAG,KAAK,EACf,iBAAiB,GAAG,EAAE,EAE3B,GAAY,OAAO,IAAI,EAAE,CAAC;QAEvB;;WAEG;QACH,MAAM,gBAAgB,GAAG;YACvB,UAAU,EAAE,cAAc;YAC1B,WAAW,EAAE,eAAe;YAC5B,YAAY,EAAE,gBAAgB;YAC9B,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,WAAW;YACpB,SAAS,EAAE,aAAa;YACxB,QAAQ,EAAE,YAAY;YACtB,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,WAAW;YACpB,QAAQ,EAAE,YAAY;YACtB,kBAAkB,EAAE,mBAAmB;YACvC,GAAG,iBAAiB;SACrB,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,IAAmB,EAAW,EAAE;YACvD,OAAO,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC;QACnE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,oBAAoB,GAAG,CAAC,OAAe,EAAW,EAAE;YACxD,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,mBAAmB,GAAG,CAAC,IAA6B,EAKxD,EAAE;YACF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACxC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;gBACxC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI;gBAC3B,CAAC,CAAC,SAAS,CAAC;YAE5B,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC;YAEzE,qCAAqC;YACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACtE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;YAC5D,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAE1D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;QAC/C,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,QAA8B,EAAE,OAAe,EAAW,EAAE;YACnF,+BAA+B;YAC/B,IAAI,aAAa,IAAI,QAAQ,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,mDAAmD;YACnD,IAAI,QAAQ,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3E,OAAO,IAAI,CAAC;YACd,CAAC;YAED,+BAA+B;YAC/B,OAAO,CAAC,QAAQ,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACjD,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,wBAAwB,GAAG,CAAC,SAAsB,EAAU,EAAE;YAClE,QAAQ,SAAS,CAAC,MAAM,EAAE,CAAC;gBACzB,KAAK,UAAU,CAAC;gBAChB,KAAK,WAAW;oBACd,OAAO;wBACL,yDAAyD;wBACzD,yDAAyD;wBACzD,2EAA2E;wBAC3E,2CAA2C;wBAC3C,4CAA4C;qBAC7C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,MAAM;oBACT,OAAO;wBACL,gDAAgD;wBAChD,iEAAiE;wBACjE,yDAAyD;wBACzD,qDAAqD;wBACrD,0CAA0C;qBAC3C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf,KAAK,SAAS;oBACZ,OAAO;wBACL,uEAAuE;wBACvE,uDAAuD;wBACvD,8CAA8C;wBAC9C,iDAAiD;wBACjD,wDAAwD;qBACzD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEf;oBACE,OAAO;wBACL,mDAAmD;wBACnD,mDAAmD;wBACnD,mDAAmD;wBACnD,4DAA4D;wBAC5D,wCAAwC;qBACzC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,SAAsB,EAAE,OAAe,EAAU,EAAE;YAC7E,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,UAAU,CAAC;YACpB,CAAC;YAED,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;gBACxB,OAAO,MAAM,CAAC;YAChB,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,WAAW,GAAG,CAAC,IAA6B,EAAE,EAAE;YACpD,kCAAkC;YAClC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;gBACxC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,IAAI;gBAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YAE7C,iCAAiC;YACjC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3C,OAAO;YACT,CAAC;YAED,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAExE,0CAA0C;YAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO;YACT,CAAC;YAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,SAAS,IAAI,aAAa,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,wBAAwB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,oCAAoC,CAAC;YACrG,MAAM,WAAW,GAAG,SAAS,EAAE,WAAW,IAAI,oCAAoC,CAAC;YAEnF,OAAO,CAAC,MAAM,CAAC;gBACb,IAAI;gBACJ,SAAS,EAAE,iBAAiB;gBAC5B,IAAI,EAAE;oBACJ,MAAM;oBACN,IAAI;oBACJ,SAAS;oBACT,aAAa,EAAE,SAAS,EAAE,aAAa,IAAI,gBAAgB;oBAC3D,WAAW;oBACX,KAAK;oBACL,MAAM,EAAE,SAAS,EAAE,MAAM,IAAI,eAAe;iBAC7C;gBACD,OAAO,EAAE;oBACP;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,cAAc;wBACzB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,aAAa;wBACxB,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,eAAe;wBAC1B,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;oBACD;wBACE,SAAS,EAAE,qBAAqB;wBAChC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI;qBAChB;iBACF;aACF,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,OAAO;YACL,cAAc,EAAE,WAAW;SAC5B,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/src/rules/security/detect-non-literal-regexp.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow literal string regex patterns. Default: false (stricter) */
+    allowLiterals?: boolean;
+    /** Additional RegExp creation patterns to check */
+    additionalPatterns?: string[];
+    /** Maximum allowed pattern length for dynamic regex */
+    maxPatternLength?: number;
+}
+export declare const detectNonLiteralRegexp: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;