npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-sensitive-data-exposure/index.js DELETED Viewed

@@ -1,250 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataExposure = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if string contains sensitive data patterns
- */
-function containsSensitiveData(text, patterns) {
-    const lowerText = text.toLowerCase();
-    return patterns.some(pattern => lowerText.includes(pattern.toLowerCase()));
-}
-exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
-    name: 'no-sensitive-data-exposure',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects PII/credentials in logs, responses, or error messages',
-        },
-        hasSuggestions: true,
-        messages: {
-            sensitiveDataExposure: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Sensitive data exposure',
-                cwe: 'CWE-532',
-                description: 'Sensitive data detected in {{context}}: {{dataType}}',
-                severity: 'HIGH',
-                fix: 'Redact or mask sensitive data before logging/exposing',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
-            }),
-            redactData: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Redact Data',
-                description: 'Redact sensitive data before logging',
-                severity: 'LOW',
-                fix: 'Redact sensitive fields before logging',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
-            }),
-            useMasking: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Masking',
-                description: 'Use data masking function',
-                severity: 'LOW',
-                fix: 'maskSensitive(data)',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
-            }),
-            removeFromLogs: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Remove From Logs',
-                description: 'Remove sensitive data from logs and errors',
-                severity: 'LOW',
-                fix: 'Filter sensitive data before logging',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    sensitivePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
-                        description: 'Sensitive data patterns',
-                    },
-                    checkConsoleLog: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Check console.log statements',
-                    },
-                    checkErrorMessages: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Check error messages',
-                    },
-                    checkApiResponses: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Check API responses',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            sensitivePatterns: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
-            checkConsoleLog: true,
-            checkErrorMessages: true,
-            checkApiResponses: true,
-        },
-    ],
-    create(context, [options = {}]) {
-        const { sensitivePatterns = ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'], checkConsoleLog = true, checkErrorMessages = true, } = options || {};
-        /**
-         * Check CallExpression for logging calls with sensitive data
-         */
-        function checkCallExpression(node) {
-            // Check if it's a logging call (console.*, logger.*)
-            const isLoggingCall = (() => {
-                if (node.callee.type === 'MemberExpression') {
-                    const object = node.callee.object;
-                    const property = node.callee.property;
-                    if (property.type === 'Identifier') {
-                        const methodName = property.name.toLowerCase();
-                        if (['log', 'info', 'warn', 'error', 'debug', 'trace'].includes(methodName)) {
-                            // Check if it's console.* or logger.*
-                            if (object.type === 'Identifier') {
-                                const objName = object.name.toLowerCase();
-                                if (objName === 'console' || objName === 'logger') {
-                                    return true;
-                                }
-                            }
-                        }
-                    }
-                }
-                else if (node.callee.type === 'Identifier') {
-                    // Check for logger.info() pattern
-                    const calleeName = node.callee.name.toLowerCase();
-                    if (calleeName.includes('log') || calleeName.includes('logger')) {
-                        return true;
-                    }
-                }
-                return false;
-            })();
-            if (isLoggingCall && checkConsoleLog) {
-                // Check if any argument contains sensitive data
-                for (const arg of node.arguments) {
-                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                        const text = arg.value;
-                        if (containsSensitiveData(text, sensitivePatterns)) {
-                            context.report({
-                                node: arg,
-                                messageId: 'sensitiveDataExposure',
-                                data: {
-                                    context: 'logs',
-                                    dataType: 'password',
-                                },
-                                suggest: [
-                                    { messageId: 'redactData', fix: () => null },
-                                    { messageId: 'useMasking', fix: () => null },
-                                    { messageId: 'removeFromLogs', fix: () => null },
-                                ],
-                            });
-                            return; // Only report once per call
-                        }
-                    }
-                    else if (arg.type === 'Identifier' && arg.name) {
-                        const name = arg.name.toLowerCase();
-                        if (containsSensitiveData(name, sensitivePatterns)) {
-                            context.report({
-                                node: arg,
-                                messageId: 'sensitiveDataExposure',
-                                data: {
-                                    context: 'logs',
-                                    dataType: 'password',
-                                },
-                                suggest: [
-                                    { messageId: 'redactData', fix: () => null },
-                                    { messageId: 'useMasking', fix: () => null },
-                                    { messageId: 'removeFromLogs', fix: () => null },
-                                ],
-                            });
-                            return; // Only report once per call
-                        }
-                    }
-                }
-            }
-        }
-        /**
-         * Check NewExpression for Error with sensitive data
-         */
-        function checkNewExpression(node) {
-            if (!checkErrorMessages) {
-                return;
-            }
-            if (node.callee && node.callee.type === 'Identifier' && node.callee.name === 'Error') {
-                // Check all arguments for sensitive data (report only once per error)
-                for (const arg of node.arguments) {
-                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                        const text = arg.value;
-                        if (containsSensitiveData(text, sensitivePatterns)) {
-                            context.report({
-                                node: arg,
-                                messageId: 'sensitiveDataExposure',
-                                data: {
-                                    context: 'error messages',
-                                    dataType: 'password',
-                                },
-                                suggest: [
-                                    { messageId: 'redactData', fix: () => null },
-                                    { messageId: 'useMasking', fix: () => null },
-                                    { messageId: 'removeFromLogs', fix: () => null },
-                                ],
-                            });
-                            return; // Only report once per error
-                        }
-                    }
-                    else if (arg.type === 'BinaryExpression' && arg.operator === '+') {
-                        // Check left side if it's a literal
-                        if (arg.left && arg.left.type === 'Literal' && typeof arg.left.value === 'string') {
-                            const leftText = arg.left.value;
-                            if (containsSensitiveData(leftText, sensitivePatterns)) {
-                                context.report({
-                                    node: arg.left,
-                                    messageId: 'sensitiveDataExposure',
-                                    data: {
-                                        context: 'error messages',
-                                        dataType: 'password',
-                                    },
-                                    suggest: [
-                                        { messageId: 'redactData', fix: () => null },
-                                        { messageId: 'useMasking', fix: () => null },
-                                        { messageId: 'removeFromLogs', fix: () => null },
-                                    ],
-                                });
-                                return; // Only report once per error
-                            }
-                        }
-                        // Check right side if it's an identifier
-                        if (arg.right && arg.right.type === 'Identifier' && arg.right.name) {
-                            const rightName = arg.right.name.toLowerCase();
-                            if (containsSensitiveData(rightName, sensitivePatterns)) {
-                                context.report({
-                                    node: arg.right,
-                                    messageId: 'sensitiveDataExposure',
-                                    data: {
-                                        context: 'error messages',
-                                        dataType: 'password',
-                                    },
-                                    suggest: [
-                                        { messageId: 'redactData', fix: () => null },
-                                        { messageId: 'useMasking', fix: () => null },
-                                        { messageId: 'removeFromLogs', fix: () => null },
-                                    ],
-                                });
-                                return; // Only report once per error
-                            }
-                        }
-                    }
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-            NewExpression: checkNewExpression,
-        };
-    },
-});

package/src/rules/no-sensitive-data-in-analytics/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent PII sent to analytics
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/359.html
- */
-export interface Options {
-}
-export declare const noSensitiveDataInAnalytics: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-sensitive-data-in-analytics/index.js DELETED Viewed

@@ -1,62 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent PII sent to analytics
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/359.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInAnalytics = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
-    name: 'no-sensitive-data-in-analytics',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent PII being sent to analytics services',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M6'],
-            cweIds: ['CWE-359'],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Sensitive Data in Analytics',
-                cwe: 'CWE-359',
-                description: 'Sensitive field sent to analytics - this is a privacy violation',
-                severity: 'HIGH',
-                fix: 'Remove PII from analytics tracking data',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        const sensitiveFields = ['email', 'ssn', 'creditcard', 'password', 'phone', 'address'];
-        function report(node, field) {
-            context.report({ node, messageId: 'violationDetected', data: { field } });
-        }
-        return {
-            CallExpression(node) {
-                // analytics.track() with sensitive data
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.name === 'analytics' &&
-                    node.callee.property.name === 'track') {
-                    const dataArg = node.arguments[1];
-                    if (dataArg?.type === 'ObjectExpression') {
-                        dataArg.properties.forEach(prop => {
-                            if (prop.type === 'Property') {
-                                const key = prop.key.name?.toLowerCase();
-                                const matchedField = sensitiveFields.find(f => key?.includes(f));
-                                if (matchedField) {
-                                    report(prop, matchedField);
-                                }
-                            }
-                        });
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-sensitive-data-in-cache/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent caching sensitive data without encryption
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/524.html
- */
-export interface Options {
-}
-export declare const noSensitiveDataInCache: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-sensitive-data-in-cache/index.js DELETED Viewed

@@ -1,52 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent caching sensitive data without encryption
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/524.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInCache = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noSensitiveDataInCache = (0, eslint_devkit_1.createRule)({
-    name: 'no-sensitive-data-in-cache',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent caching sensitive data without encryption',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M9'],
-            cweIds: ["CWE-524"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-200',
-                description: 'Prevent caching sensitive data without encryption detected - Sensitive data in cache',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            CallExpression(node) {
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['set', 'put', 'store'].includes(node.callee.property.name)) {
-                    const keyArg = node.arguments[0];
-                    if (keyArg && keyArg.type === 'Literal') {
-                        const key = keyArg.value.toString().toLowerCase();
-                        if (['password', 'token', 'credit', 'ssn'].some(k => key.includes(k))) {
-                            context.report({ node, messageId: 'violationDetected' });
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-sql-injection/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Allow dynamic table names in queries. Default: false (stricter) */
-    allowDynamicTableNames?: boolean;
-    /** Functions considered safe for building queries */
-    trustedFunctions?: string[];
-    /** Strategy for fixing SQL injection: 'parameterize', 'orm', 'sanitize', or 'auto' */
-    strategy?: 'parameterize' | 'orm' | 'sanitize' | 'auto';
-}
-export declare const noSqlInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;