eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-timing-attack/index.js

@@ -1,447 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noTimingAttack = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-exports.noTimingAttack = (0, eslint_devkit_1.createRule)({
-    name: 'no-timing-attack',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-crypto/no-timing-unsafe-compare'],
-        docs: {
-            description: 'Detects timing attack vulnerabilities in authentication code',
-        },
-        fixable: 'code',
-        messages: {
-            timingAttack: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Timing Attack Vulnerability',
-                cwe: 'CWE-208',
-                description: 'Timing attack possible - execution time reveals secret information',
-                severity: '{{severity}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
-            }),
-            insecureStringComparison: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Insecure String Comparison',
-                cwe: 'CWE-208',
-                description: 'String comparison may leak timing information',
-                severity: 'HIGH',
-                fix: 'Use crypto.timingSafeEqual() for comparing secrets',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
-            }),
-            earlyReturnLeakage: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Early Return Timing Leak',
-                cwe: 'CWE-208',
-                description: 'Early return may leak information through timing',
-                severity: 'MEDIUM',
-                fix: 'Process all inputs consistently to avoid timing differences',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
-            }),
-            useTimingSafeEqual: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Timing Safe Equal',
-                description: 'Use crypto.timingSafeEqual for constant-time comparison',
-                severity: 'LOW',
-                fix: 'crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
-            }),
-            useConstantTimeComparison: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Constant Time Comparison',
-                description: 'Implement constant-time comparison algorithm',
-                severity: 'LOW',
-                fix: 'Compare all bytes regardless of content',
-                documentationLink: 'https://en.wikipedia.org/wiki/Timing_attack',
-            }),
-            avoidEarlyReturns: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Avoid Early Returns',
-                description: 'Avoid early returns in security-sensitive code',
-                severity: 'LOW',
-                fix: 'Process all inputs before making decisions',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
-            }),
-            strategyTimingSafe: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Timing Safe Strategy',
-                description: 'Use built-in timing-safe comparison functions',
-                severity: 'LOW',
-                fix: 'Use crypto.timingSafeEqual or equivalent library functions',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequal',
-            }),
-            strategyConstantTime: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Constant Time Strategy',
-                description: 'Implement custom constant-time comparison',
-                severity: 'LOW',
-                fix: 'Compare all characters/bytes with consistent timing',
-                documentationLink: 'https://en.wikipedia.org/wiki/Timing_attack',
-            }),
-            strategyConsistentTiming: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Consistent Timing Strategy',
-                description: 'Ensure consistent execution time for all inputs',
-                severity: 'LOW',
-                fix: 'Pad inputs or use fixed-time operations',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/208.html',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    authFunctions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'],
-                    },
-                    sensitiveVariables: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['password', 'token', 'secret', 'key', 'credentials', 'auth'],
-                    },
-                    allowEarlyReturns: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow early returns outside security-sensitive contexts'
-                    },
-                    trustedSanitizers: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional function names to consider as timing-safe',
-                    },
-                    trustedAnnotations: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional JSDoc annotations to consider as timing-safe markers',
-                    },
-                    strictMode: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Disable all false positive detection (strict mode)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            authFunctions: ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'],
-            sensitiveVariables: ['password', 'token', 'secret', 'key', 'credentials', 'auth'],
-            allowEarlyReturns: false,
-            trustedSanitizers: ['sanitize'],
-            trustedAnnotations: ['@timing-safe'],
-            strictMode: false,
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { authFunctions = ['authenticate', 'login', 'verifyPassword', 'checkToken', 'validateCredentials'], sensitiveVariables = ['password', 'token', 'secret', 'key', 'credentials', 'auth'], allowEarlyReturns = false, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
-        const sourceCode = context.sourceCode || context.sourceCode;
-        const filename = context.filename || context.getFilename();
-        // Create safety checker for false positive detection
-        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
-            trustedSanitizers,
-            trustedAnnotations,
-            trustedOrmPatterns: [],
-            strictMode,
-        });
-        // Pre-compute Set for O(1) lookups (performance optimization)
-        const sensitiveVarSet = new Set(sensitiveVariables.map(s => s.toLowerCase()));
-        const authFunctionSet = new Set(authFunctions.map(f => f.toLowerCase()));
-        // Track variables that contain sensitive data
-        const sensitiveVars = new Set();
-        /**
-         * Check if a variable name indicates sensitive/auth data
-         * Uses Set-based lookup for O(1) performance
-         */
-        const isSensitiveVariable = (varName) => {
-            const lowerName = varName.toLowerCase();
-            // Check if any sensitive keyword is a substring
-            for (const sensitive of sensitiveVarSet) {
-                if (lowerName.includes(sensitive))
-                    return true;
-            }
-            return false;
-        };
-        // Pre-compute auth patterns set for O(1) lookups
-        const authPatternSet = new Set(['auth', 'login', 'verify', 'token', 'password', 'credential', 'authenticate']);
-        /**
-         * Check if we're in an authentication/security context
-         * Uses Set-based lookups for O(1) performance
-         */
-        const isInAuthContext = (node) => {
-            // Check if we're inside an authentication function
-            let current = node;
-            /* c8 ignore start -- defensive auth context detection */
-            while (current) {
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.FunctionDeclaration || current.type === eslint_devkit_1.AST_NODE_TYPES.FunctionExpression || current.type === eslint_devkit_1.AST_NODE_TYPES.ArrowFunctionExpression) {
-                    const funcName = current.id?.name;
-                    if (funcName) {
-                        const lowerName = funcName.toLowerCase();
-                        // Check exact matches first (O(1) with Set)
-                        if (authFunctionSet.has(lowerName)) {
-                            return true;
-                        }
-                        // Check pattern matches for common auth function names
-                        for (const pattern of authPatternSet) {
-                            if (lowerName.includes(pattern))
-                                return true;
-                        }
-                    }
-                }
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                    const callee = current.callee;
-                    if (callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                        const lowerName = callee.name.toLowerCase();
-                        if (authFunctionSet.has(lowerName)) {
-                            return true;
-                        }
-                        // Check pattern matches
-                        for (const pattern of authPatternSet) {
-                            if (lowerName.includes(pattern))
-                                return true;
-                        }
-                    }
-                }
-                current = current.parent;
-            }
-            // NOTE: Removed sensitiveVars.size check - it was causing false positives
-            // by flagging every function when ANY sensitive variable exists in the file.
-            // Instead, we now check sensitive data involvement at the specific point of use.
-            return false;
-            /* c8 ignore stop */
-        };
-        /**
-         * Check if a comparison is timing-safe
-         */
-        const isTimingSafeComparison = (node) => {
-            // Check for crypto.timingSafeEqual calls
-            let current = node;
-            while (current) {
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                    const callee = current.callee;
-                    if (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                        callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                        callee.object.name === 'crypto' &&
-                        callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                        callee.property.name === 'timingSafeEqual') {
-                        return true;
-                    }
-                }
-                current = current.parent;
-            }
-            return false;
-        };
-        /**
-         * Check if we're inside a function that uses crypto.timingSafeEqual.
-         * Length checks before timingSafeEqual are necessary and safe.
-         *
-         * Pattern:
-         * function safeCompare(a, b) {
-         *   if (a.length !== b.length) return false;  // <-- This is SAFE
-         *   return crypto.timingSafeEqual(a, b);
-         * }
-         */
-        const isInTimingSafeEqualContext = (node) => {
-            // Find enclosing function
-            let funcNode = node;
-            while (funcNode) {
-                if (funcNode.type === eslint_devkit_1.AST_NODE_TYPES.FunctionDeclaration ||
-                    funcNode.type === eslint_devkit_1.AST_NODE_TYPES.FunctionExpression ||
-                    funcNode.type === eslint_devkit_1.AST_NODE_TYPES.ArrowFunctionExpression) {
-                    break;
-                }
-                funcNode = funcNode.parent;
-            }
-            if (!funcNode) {
-                return false;
-            }
-            // Check if the function body contains crypto.timingSafeEqual
-            const funcText = sourceCode.getText(funcNode);
-            if (funcText.includes('timingSafeEqual')) {
-                return true;
-            }
-            // Also check for common timing-safe comparison library patterns
-            const timingSafePatterns = [
-                'scmp', // secure-compare
-                'safe-compare',
-                'constant-time',
-                'constantTimeCompare',
-            ];
-            if (timingSafePatterns.some(pattern => funcText.includes(pattern))) {
-                return true;
-            }
-            return false;
-        };
-        /**
-         * Check if a comparison involves only non-sensitive data like length checks
-         */
-        const isLengthOrNumericComparison = (node) => {
-            const leftText = sourceCode.getText(node.left);
-            const rightText = sourceCode.getText(node.right);
-            // Check for .length comparisons
-            if (leftText.includes('.length') || rightText.includes('.length')) {
-                return true;
-            }
-            // Check for numeric literal comparisons
-            if (node.left.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof node.left.value === 'number') {
-                return true;
-            }
-            if (node.right.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof node.right.value === 'number') {
-                return true;
-            }
-            return false;
-        };
-        /**
-         * Check if early return is in a security-sensitive context
-         */
-        const isEarlyReturnInAuthContext = (node) => {
-            // If early returns are explicitly allowed, don't flag them
-            if (allowEarlyReturns) {
-                /* c8 ignore next */
-                return false;
-            }
-            return isInAuthContext(node);
-        };
-        return {
-            // Track sensitive variable declarations
-            VariableDeclarator(node) {
-                if (node.id.type === 'Identifier' && isSensitiveVariable(node.id.name)) {
-                    sensitiveVars.add(node.id.name);
-                }
-                // Also check if the variable is assigned sensitive data
-                if (node.init && node.id.type === 'Identifier') {
-                    const initText = sourceCode.getText(node.init).toLowerCase();
-                    if (sensitiveVariables.some(sensitive => initText.includes(sensitive))) {
-                        sensitiveVars.add(node.id.name);
-                    }
-                }
-            },
-            // Check binary expressions for insecure comparisons
-            BinaryExpression(node) {
-                if (node.operator !== '===' && node.operator !== '==' &&
-                    node.operator !== '!==' && node.operator !== '!=') {
-                    return;
-                }
-                // Skip if already using timing-safe comparison
-                if (isTimingSafeComparison(node)) {
-                    return;
-                }
-                // FALSE POSITIVE REDUCTION: Skip length/numeric comparisons in timing-safe contexts
-                // Pattern: if (a.length !== b.length) return false; before crypto.timingSafeEqual
-                if (isInTimingSafeEqualContext(node) && isLengthOrNumericComparison(node)) {
-                    return;
-                }
-                // FALSE POSITIVE REDUCTION: Skip if annotated as safe
-                if (safetyChecker.isSafe(node, context)) {
-                    return;
-                }
-                // Check if either side involves sensitive data
-                const leftText = sourceCode.getText(node.left).toLowerCase();
-                const rightText = sourceCode.getText(node.right).toLowerCase();
-                const involvesSensitiveData = [leftText, rightText].some(text => sensitiveVariables.some(sensitive => text.toLowerCase().includes(sensitive.toLowerCase())));
-                if (!involvesSensitiveData && !isInAuthContext(node)) {
-                    return;
-                }
-                context.report({
-                    node,
-                    messageId: 'insecureStringComparison',
-                    data: {
-                        filePath: filename,
-                        line: String(node.loc?.start.line ?? 0),
-                    },
-                });
-            },
-            // Check for early returns that could leak timing information
-            ReturnStatement(node) {
-                // FALSE POSITIVE REDUCTION: Skip if annotated as safe
-                if (safetyChecker.isSafe(node, context)) {
-                    return;
-                }
-                // FALSE POSITIVE REDUCTION: Skip if inside a function using timingSafeEqual
-                // Length check early returns are necessary and safe before timingSafeEqual
-                if (isInTimingSafeEqualContext(node)) {
-                    return;
-                }
-                if (!isEarlyReturnInAuthContext(node)) {
-                    return;
-                }
-                // Look for conditional returns (if/else returns)
-                let current = node;
-                let isConditionalReturn = false;
-                while (current && !isConditionalReturn) {
-                    if (current.type === 'IfStatement') {
-                        isConditionalReturn = true;
-                        break;
-                    }
-                    current = current.parent;
-                }
-                if (!isConditionalReturn) {
-                    return;
-                }
-                // Check if this return involves sensitive data
-                const returnText = sourceCode.getText(node).toLowerCase();
-                const involvesSensitiveData = sensitiveVariables.some(sensitive => returnText.includes(sensitive));
-                if (!involvesSensitiveData && !isInAuthContext(node)) {
-                    return;
-                }
-                context.report({
-                    node,
-                    messageId: 'earlyReturnLeakage',
-                    data: {
-                        filePath: filename,
-                        line: String(node.loc?.start.line ?? 0),
-                    },
-                });
-            },
-            // Check function calls for timing-sensitive operations
-            CallExpression(node) {
-                const callee = node.callee;
-                // Check for insecure comparison functions
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier' &&
-                    ['equals', 'compare', 'matches'].includes(callee.property.name)) {
-                    // Skip known timing-safe libraries
-                    const objectName = callee.object.type === 'Identifier' ? callee.object.name : null;
-                    if (objectName) {
-                        // Known timing-safe comparison libraries
-                        const timingSafeLibraries = ['bcrypt', 'crypto'];
-                        if (timingSafeLibraries.includes(objectName) && callee.property.name === 'compare') {
-                            return; // bcrypt.compare and crypto.compare are timing-safe
-                        }
-                    }
-                    // Check if arguments involve sensitive data
-                    const argsText = node.arguments
-                        .map((arg) => sourceCode.getText(arg).toLowerCase())
-                        .join(' ');
-                    const involvesSensitiveData = sensitiveVariables.some(sensitive => argsText.includes(sensitive));
-                    if (involvesSensitiveData || isInAuthContext(node)) {
-                        // FALSE POSITIVE REDUCTION: Skip if annotated as safe
-                        if (safetyChecker.isSafe(node, context)) {
-                            return;
-                        }
-                        context.report({
-                            node,
-                            messageId: 'timingAttack',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                                severity: 'HIGH',
-                                safeAlternative: 'Use constant-time comparison functions',
-                            },
-                        });
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/no-toctou-vulnerability/index.d.ts

@@ -1,7 +0,0 @@
-export interface Options {
-    /** Ignore in test files. Default: true */
-    ignoreInTests?: boolean;
-    /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
-    fsMethods?: string[];
-}
-export declare const noToctouVulnerability: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-toctou-vulnerability/index.js

@@ -1,208 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noToctouVulnerability = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-exports.noToctouVulnerability = (0, eslint_devkit_2.createRule)({
-    name: 'no-toctou-vulnerability',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
-        },
-        hasSuggestions: true,
-        messages: {
-            toctouVulnerability: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'TOCTOU vulnerability',
-                cwe: 'CWE-367',
-                description: 'Time-of-check Time-of-use race condition detected',
-                severity: 'HIGH',
-                fix: 'Use atomic operations or fs.promises for file operations',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
-            }),
-            useAtomicOperations: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Atomic Operations',
-                description: 'Use atomic file operations',
-                severity: 'LOW',
-                fix: 'fs.promises.access() then fs.promises.readFile()',
-                documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
-            }),
-            useFsPromises: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use fs.promises',
-                description: 'Use fs.promises API',
-                severity: 'LOW',
-                fix: 'await fs.promises.readFile() instead of sync operations',
-                documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
-            }),
-            addProperLocking: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Add File Locking',
-                description: 'Add proper locking mechanism',
-                severity: 'LOW',
-                fix: 'Use proper-lockfile or similar for concurrent access',
-                documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                    fsMethods: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignoreInTests: true,
-            fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { ignoreInTests = true } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check for TOCTOU patterns
-         */
-        function checkCallExpression(node) {
-            // 1. Identify the file operation (Use)
-            let useMethodName = '';
-            if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
-                const objectName = node.callee.object.type === 'Identifier' ? node.callee.object.name : '';
-                if (objectName === 'fs' || objectName === 'fsPromises') {
-                    useMethodName = node.callee.property.name;
-                }
-            }
-            else if (node.callee.type === 'Identifier') {
-                useMethodName = node.callee.name;
-            }
-            const riskyUseMethods = ['readFileSync', 'writeFileSync', 'readFile', 'writeFile', 'openSync', 'open', 'unlinkSync', 'unlink'];
-            if (!riskyUseMethods.includes(useMethodName)) {
-                return;
-            }
-            const useArg = node.arguments[0];
-            if (!useArg)
-                return;
-            // 2. Walk up to find the condition (Check)
-            let current = node.parent;
-            while (current) {
-                if (current.type === 'IfStatement') {
-                    // Extract the condition node
-                    let condition = current.test;
-                    // Handle negated condition: if (!exists(path)) { create(path) } -> also TOCTOU but different logic? 
-                    // Actually TOCTOU is usually Check(exists) -> Use(read).
-                    // If (!exists) -> create is Check -> Use.
-                    // But strict TOCTOU is checking state then acting.
-                    // If checking for negation
-                    if (condition.type === 'UnaryExpression' && condition.operator === '!') {
-                        condition = condition.argument;
-                    }
-                    if (condition.type === 'CallExpression') {
-                        // Check if it's a file check method
-                        let checkMethodName = '';
-                        if (condition.callee.type === 'MemberExpression' && condition.callee.property.type === 'Identifier') {
-                            checkMethodName = condition.callee.property.name;
-                        }
-                        else if (condition.callee.type === 'Identifier') {
-                            checkMethodName = condition.callee.name;
-                        }
-                        const checkMethods = ['existsSync', 'statSync', 'accessSync', 'exists', 'stat', 'access'];
-                        if (checkMethods.includes(checkMethodName)) {
-                            // Compare arguments
-                            const checkArg = condition.arguments[0];
-                            if (checkArg) {
-                                // Method 1: Identifier match (same variable)
-                                if (checkArg.type === 'Identifier' && useArg.type === 'Identifier' && checkArg.name === useArg.name) {
-                                    reportToctou(node);
-                                    return;
-                                }
-                                // Method 2: Text match (fallback)
-                                const checkArgText = sourceCode.getText(checkArg).replace(/\s/g, '');
-                                const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
-                                if (checkArgText === useArgText) {
-                                    reportToctou(node);
-                                    return;
-                                }
-                            }
-                        }
-                        // Handle stats.isFile() / stats.isDirectory() pattern
-                        if (condition.callee.type === 'MemberExpression' &&
-                            condition.callee.property.type === 'Identifier' &&
-                            ['isFile', 'isDirectory'].includes(condition.callee.property.name) &&
-                            condition.callee.object.type === 'Identifier') {
-                            const statsVarName = condition.callee.object.name;
-                            let currentScope = sourceCode.getScope(condition);
-                            let variable = null;
-                            while (currentScope) {
-                                variable = currentScope.variables.find(v => v.name === statsVarName);
-                                if (variable)
-                                    break;
-                                currentScope = currentScope.upper;
-                            }
-                            if (variable && variable.defs.length > 0) {
-                                const def = variable.defs[0];
-                                if (def.type === 'Variable' && def.node.init && def.node.init.type === 'CallExpression') {
-                                    const init = def.node.init;
-                                    if (init.callee.type === 'MemberExpression' &&
-                                        init.callee.property.type === 'Identifier' &&
-                                        ['statSync', 'lstatSync', 'stat', 'lstat'].includes(init.callee.property.name)) {
-                                        const statArg = init.arguments[0];
-                                        if (statArg) {
-                                            const checkArgText = sourceCode.getText(statArg).replace(/\s/g, '');
-                                            const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
-                                            if (checkArgText === useArgText) {
-                                                reportToctou(node);
-                                                return;
-                                            }
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-                current = current.parent;
-            }
-        }
-        function reportToctou(node) {
-            context.report({
-                node,
-                messageId: 'toctouVulnerability',
-                suggest: [
-                    {
-                        messageId: 'useAtomicOperations',
-                        fix: () => null,
-                    },
-                    {
-                        messageId: 'useFsPromises',
-                        fix: () => null,
-                    },
-                    {
-                        messageId: 'addProperLocking',
-                        fix: () => null,
-                    },
-                ],
-            });
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});

package/src/rules/no-tracking-without-consent/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require consent before tracking
- */
-export interface Options {
-}
-export declare const noTrackingWithoutConsent: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;