npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-missing-security-headers/index.js DELETED Viewed

@@ -1,218 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noMissingSecurityHeaders = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const DEFAULT_REQUIRED_HEADERS = [
-    'Content-Security-Policy',
-    'X-Frame-Options',
-    'X-Content-Type-Options',
-];
-/**
- * Extract header name from setHeader call
- */
-function extractHeaderName(node) {
-    if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
-        return String(node.arguments[0].value);
-    }
-    return null;
-}
-/**
- * Check if all security headers are set in the current scope
- */
-function checkFunctionForSecurityHeaders(node, requiredHeaders, context) {
-    const setHeaders = new Set();
-    // Find the function that contains this setHeader call
-    let current = node;
-    let scopeNode = null;
-    while (current) {
-        if (current.type === 'FunctionDeclaration' ||
-            current.type === 'FunctionExpression' ||
-            current.type === 'ArrowFunctionExpression') {
-            scopeNode = current;
-            break;
-        }
-        current = current.parent ?? null;
-    }
-    // If no function found, use the program scope (for test cases)
-    if (!scopeNode) {
-        scopeNode = context.sourceCode.ast;
-    }
-    // Collect all setHeader calls in this scope
-    function collectHeaders(node) {
-        if (node.type === 'CallExpression' &&
-            node.callee.type === 'MemberExpression' &&
-            node.callee.property.type === 'Identifier' &&
-            ['setHeader', 'header', 'set'].includes(node.callee.property.name)) {
-            const headerName = extractHeaderName(node);
-            if (headerName) {
-                setHeaders.add(headerName);
-            }
-        }
-        // Recursively check children - only traverse standard AST properties
-        if (node.type === 'Program' && node.body) {
-            node.body.forEach(collectHeaders);
-        }
-        else if ((node.type === 'FunctionDeclaration' ||
-            node.type === 'FunctionExpression' ||
-            node.type === 'ArrowFunctionExpression') && node.body) {
-            collectHeaders(node.body);
-        }
-        else if (node.type === 'BlockStatement' && node.body) {
-            node.body.forEach(collectHeaders);
-        }
-        else if (node.type === 'ExpressionStatement' && node.expression) {
-            collectHeaders(node.expression);
-        }
-    }
-    if (scopeNode) {
-        collectHeaders(scopeNode);
-    }
-    // Return missing headers
-    return requiredHeaders.filter(header => !setHeaders.has(header));
-}
-exports.noMissingSecurityHeaders = (0, eslint_devkit_2.createRule)({
-    name: 'no-missing-security-headers',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-express-security/require-helmet'],
-        docs: {
-            description: 'Detects missing security headers in HTTP responses',
-        },
-        hasSuggestions: true,
-        messages: {
-            missingSecurityHeader: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Missing security headers',
-                cwe: 'CWE-693',
-                description: 'Missing security headers: {{headers}}',
-                severity: 'HIGH',
-                fix: 'Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options',
-                documentationLink: 'https://owasp.org/www-project-secure-headers/',
-            }),
-            addSecurityHeaders: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Add Security Headers',
-                description: 'Add security headers middleware',
-                severity: 'LOW',
-                fix: 'Add Content-Security-Policy, X-Frame-Options headers',
-                documentationLink: 'https://owasp.org/www-project-secure-headers/',
-            }),
-            useMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Helmet',
-                description: 'Use helmet.js for security headers',
-                severity: 'LOW',
-                fix: 'app.use(helmet())',
-                documentationLink: 'https://helmetjs.github.io/',
-            }),
-            setHeader: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Set Headers',
-                description: 'Set security headers manually',
-                severity: 'LOW',
-                fix: 'res.setHeader("X-Frame-Options", "DENY")',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    requiredHeaders: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: DEFAULT_REQUIRED_HEADERS,
-                    },
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            requiredHeaders: DEFAULT_REQUIRED_HEADERS,
-            ignoreInTests: true,
-        },
-    ],
-    create(context, [options = {}]) {
-        const { requiredHeaders = DEFAULT_REQUIRED_HEADERS, ignoreInTests = true, } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const reportedScopes = new Set();
-        /**
-         * Get a unique key for the current scope
-         */
-        function getScopeKey(node) {
-            // Find the function that contains this call
-            let current = node;
-            while (current) {
-                if (current.type === 'FunctionDeclaration' ||
-                    current.type === 'FunctionExpression' ||
-                    current.type === 'ArrowFunctionExpression') {
-                    return `${current.range?.[0]}-${current.range?.[1]}`;
-                }
-                current = current.parent ?? null;
-            }
-            // If no function found, use program scope
-            return 'program';
-        }
-        /**
-         * Check for response header setting
-         */
-        function checkCallExpression(node) {
-            // Check for res.setHeader, res.header, res.set
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property.type === 'Identifier') {
-                const methodName = node.callee.property.name;
-                if (['setHeader', 'header', 'set'].includes(methodName)) {
-                    const scopeKey = getScopeKey(node);
-                    // Only check once per scope
-                    if (reportedScopes.has(scopeKey)) {
-                        return;
-                    }
-                    const missing = checkFunctionForSecurityHeaders(node, requiredHeaders, context);
-                    if (missing.length > 0) {
-                        reportedScopes.add(scopeKey);
-                        context.report({
-                            node,
-                            messageId: 'missingSecurityHeader',
-                            data: {
-                                headers: missing.join(', '),
-                            },
-                            suggest: [
-                                {
-                                    messageId: 'addSecurityHeaders',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'useMiddleware',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'setHeader',
-                                    fix: () => null,
-                                },
-                            ],
-                        });
-                    }
-                    else {
-                        // Mark as checked even if no error
-                        reportedScopes.add(scopeKey);
-                    }
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});

package/src/rules/no-password-in-url/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent passwords in URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/598.html
- */
-export interface Options {
-}
-export declare const noPasswordInUrl: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-password-in-url/index.js DELETED Viewed

@@ -1,54 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent passwords in URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/598.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPasswordInUrl = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPasswordInUrl = (0, eslint_devkit_1.createRule)({
-    name: 'no-password-in-url',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent passwords in URLs',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M3'],
-            cweIds: ["CWE-598"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-521',
-                description: 'Prevent passwords in URLs detected - this is a security risk',
-                severity: 'CRITICAL',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            Literal(node) {
-                // Check for http://user:password@host patterns
-                if (node.type === 'Literal' && typeof node.value === 'string') {
-                    const urlPattern = /https?:\/\/[^:]+:[^@]+@/;
-                    if (urlPattern.test(node.value)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-permissive-cors/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent overly permissive CORS configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-export interface Options {
-}
-export declare const noPermissiveCors: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-permissive-cors/index.js DELETED Viewed

@@ -1,65 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent overly permissive CORS configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPermissiveCors = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
-    name: 'no-permissive-cors',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
-        docs: {
-            description: 'Prevent overly permissive CORS configuration',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M8'],
-            cweIds: ["CWE-942"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-942',
-                description: 'Prevent overly permissive CORS configuration detected - this is a security risk',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/942.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            CallExpression(node) {
-                // Check for Access-Control-Allow-Origin: *
-                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    node.callee.property?.name === 'setHeader' &&
-                    node.arguments[0]?.value === 'Access-Control-Allow-Origin' &&
-                    node.arguments[1]?.value === '*') {
-                    report(node);
-                }
-                // Check cors({ origin: '*' })
-                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    node.callee.name === 'cors' &&
-                    node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
-                    const originProp = node.arguments[0].properties.find(p => p.key?.name === 'origin');
-                    if (originProp?.value.type === 'Literal' && originProp.value.value === '*') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-pii-in-logs/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/532.html
- */
-export interface Options {
-}
-export declare const noPiiInLogs: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-pii-in-logs/index.js DELETED Viewed

@@ -1,70 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/532.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPiiInLogs = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
-    name: 'no-pii-in-logs',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent PII (email, SSN, credit cards) in console logs',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M6'],
-            cweIds: ["CWE-532"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-359',
-                description: 'Prevent PII (email, SSN, credit cards) in console logs detected - this is a security risk',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            CallExpression(node) {
-                // Check console.log/error/warn calls
-                if (node.type === 'CallExpression' &&
-                    node.callee.type === 'MemberExpression' &&
-                    node.callee.object.name === 'console' &&
-                    ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
-                    // Check arguments for PII-related property access
-                    for (const arg of node.arguments) {
-                        if (arg.type === 'MemberExpression') {
-                            const propName = arg.property.name?.toLowerCase();
-                            const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
-                            if (piiProps.some(p => propName?.includes(p))) {
-                                report(node);
-                            }
-                        }
-                        // Check string literals mentioning PII
-                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                            const text = arg.value.toLowerCase();
-                            if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
-                                report(node);
-                            }
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-postmessage-origin-wildcard/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent wildcard origins in postMessage
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-export interface Options {
-}
-export declare const noPostmessageOriginWildcard: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-postmessage-origin-wildcard/index.js DELETED Viewed

@@ -1,56 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent wildcard origins in postMessage
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPostmessageOriginWildcard = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPostmessageOriginWildcard = (0, eslint_devkit_1.createRule)({
-    name: 'no-postmessage-origin-wildcard',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent wildcard origins in postMessage',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M4'],
-            cweIds: ["CWE-942"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-346',
-                description: 'Prevent wildcard origins in postMessage detected - this is a security risk',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/346.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            CallExpression(node) {
-                // Check postMessage calls
-                if (node.type === 'CallExpression' &&
-                    node.callee.type === 'MemberExpression' &&
-                    node.callee.property.name === 'postMessage') {
-                    const originArg = node.arguments[1];
-                    if (originArg && originArg.type === 'Literal' && originArg.value === '*') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-privilege-escalation/index.d.ts DELETED Viewed

@@ -1,13 +0,0 @@
-export interface Options {
-    /** Allow privilege escalation patterns in test files. Default: false */
-    allowInTests?: boolean;
-    /** Test file pattern regex string. Default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$' */
-    testFilePattern?: string;
-    /** Role check patterns to recognize. Default: ['hasRole', 'checkRole', 'isAdmin', 'isAuthorized'] */
-    roleCheckPatterns?: string[];
-    /** User input patterns that should be validated. Default: ['req.body', 'req.query', 'req.params'] */
-    userInputPatterns?: string[];
-    /** Additional patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-export declare const noPrivilegeEscalation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;