eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-unsafe-regex-construction/index.js

@@ -1,291 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnsafeRegexConstruction = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if a node represents user input (variable, function call, template literal)
- */
-function isUserInput(node) {
-    // Function calls might return user input
-    if (node.type === 'CallExpression') {
-        return true;
-    }
-    // Template literals with expressions are dynamic
-    if (node.type === 'TemplateLiteral') {
-        return node.expressions.length > 0;
-    }
-    // Member expressions accessing user properties
-    if (node.type === 'MemberExpression') {
-        return true;
-    }
-    // Variables are likely user input unless they are safe literals
-    if (node.type === 'Identifier') {
-        // Exclude common safe patterns, but be more restrictive
-        const safeIdentifiers = ['pattern', 'regex', 'regExp', 'regexp'];
-        if (safeIdentifiers.includes(node.name.toLowerCase())) {
-            // For these identifiers, check if they're assigned user input in scope
-            // For now, we'll be conservative and flag them as potentially unsafe
-            return true; // Changed from false to true - safer to flag as user input
-        }
-        return true;
-    }
-    return false;
-}
-/**
- * Check if a node is escaped (wrapped in an escaping function)
- */
-function isEscaped(node, trustedFunctions, sourceCode) {
-    // Check if the node itself is a call to a trusted escaping function
-    if (node.type === 'CallExpression' && node.callee.type === 'Identifier') {
-        const functionName = node.callee.name;
-        if (trustedFunctions.includes(functionName)) {
-            return true;
-        }
-    }
-    // Also check if it's wrapped in a trusted function call (for complex cases)
-    let current = node;
-    let depth = 0;
-    const maxDepth = 5; // Prevent infinite loops
-    while (current && depth < maxDepth) {
-        const parent = sourceCode.getNodeByRangeIndex?.(current.range[0] - 1) ||
-            current.parent;
-        if (!parent)
-            break;
-        if (parent.type === 'CallExpression' && parent.callee.type === 'Identifier') {
-            const functionName = parent.callee.name;
-            if (trustedFunctions.includes(functionName)) {
-                return true;
-            }
-        }
-        current = parent;
-        depth++;
-    }
-    return false;
-}
-/**
- * Check if regex flags are dynamic
- */
-function hasDynamicFlags(node) {
-    // Check second argument (flags)
-    if (node.arguments.length > 1) {
-        const flagsNode = node.arguments[1];
-        return isUserInput(flagsNode);
-    }
-    return false;
-}
-/**
- * Extract pattern from RegExp construction
- */
-function extractPattern(node, sourceCode, trustedFunctions) {
-    const patternNode = node.arguments.length > 0 ? node.arguments[0] : null;
-    if (!patternNode) {
-        return { patternNode: null, isUserInput: false, isEscaped: false };
-    }
-    const isUserInputValue = isUserInput(patternNode);
-    // Default trusted functions + user configured ones
-    const allTrustedFunctions = [...new Set([
-            'escapeRegex', 'escape', 'sanitize', 'RegExp.escape',
-            ...trustedFunctions
-        ])];
-    const isEscapedValue = isEscaped(patternNode, allTrustedFunctions, sourceCode);
-    return {
-        patternNode,
-        isUserInput: isUserInputValue,
-        isEscaped: isEscapedValue,
-    };
-}
-exports.noUnsafeRegexConstruction = (0, eslint_devkit_2.createRule)({
-    name: 'no-unsafe-regex-construction',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects unsafe regex construction patterns (user input without escaping, dynamic flags)',
-        },
-        hasSuggestions: true,
-        messages: {
-            unsafeRegexConstruction: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unsafe regex construction',
-                cwe: 'CWE-400',
-                description: '{{issue}}: {{details}}',
-                severity: 'HIGH',
-                fix: '{{fix}}',
-                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
-            }),
-            escapeUserInput: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Escape User Input',
-                description: 'Escape user input for regex',
-                severity: 'LOW',
-                fix: 'input.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping',
-            }),
-            validatePattern: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Validate Pattern',
-                description: 'Validate pattern against whitelist',
-                severity: 'LOW',
-                fix: 'Validate pattern before creating RegExp',
-                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
-            }),
-            useSafeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use safe-regex',
-                description: 'Use safe-regex library for validation',
-                severity: 'LOW',
-                fix: 'if (safeRegex(pattern)) { new RegExp(pattern) }',
-                documentationLink: 'https://github.com/substack/safe-regex',
-            }),
-            avoidDynamicFlags: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Static Flags',
-                description: 'Use static flags instead of dynamic',
-                severity: 'LOW',
-                fix: 'new RegExp(pattern, "gi") with static flags',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowLiterals: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Allow literal string patterns',
-                    },
-                    trustedEscapingFunctions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['escapeRegex', 'escape', 'sanitize'],
-                        description: 'Trusted functions that escape input',
-                    },
-                    maxPatternLength: {
-                        type: 'number',
-                        default: 100,
-                        minimum: 1,
-                        description: 'Maximum pattern length for dynamic regex',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowLiterals: true,
-            trustedEscapingFunctions: ['escapeRegex', 'escape', 'sanitize'],
-            maxPatternLength: 100,
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowLiterals = true, maxPatternLength = 100, trustedEscapingFunctions = ['escapeRegex', 'escape', 'sanitize'], } = options || {};
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check RegExp constructor calls
-         */
-        function checkRegExpCall(node) {
-            // Check for RegExp constructor
-            const isRegExpCall = (node.type === 'CallExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp') ||
-                (node.type === 'NewExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp');
-            if (!isRegExpCall) {
-                return;
-            }
-            const { patternNode, isUserInput: isUserInputValue, isEscaped: isEscapedValue } = extractPattern(node, sourceCode, trustedEscapingFunctions);
-            if (!patternNode) {
-                return;
-            }
-            // Check for literal strings
-            if (patternNode.type === 'Literal' && typeof patternNode.value === 'string') {
-                // Even literals can be unsafe if they're very long - check this regardless of allowLiterals
-                const patternLength = patternNode.value.length;
-                if (patternLength > maxPatternLength) {
-                    context.report({
-                        node: patternNode,
-                        messageId: 'unsafeRegexConstruction',
-                        data: {
-                            issue: 'Pattern too long',
-                            details: `Pattern length (${patternLength}) exceeds maximum (${maxPatternLength})`,
-                            fix: 'Split into smaller patterns or validate length',
-                        },
-                        suggest: [
-                            {
-                                messageId: 'validatePattern',
-                                fix: () => null,
-                            },
-                        ],
-                    });
-                    return;
-                }
-                if (!allowLiterals) {
-                    // If we reach here, allowLiterals is false, so treat as unsafe
-                    context.report({
-                        node: patternNode,
-                        messageId: 'unsafeRegexConstruction',
-                        data: {
-                            issue: 'Literal regex pattern',
-                            details: 'Literal regex patterns should be avoided for security. Use variables instead.',
-                            fix: 'Use a variable or RegExp constructor with a string variable',
-                        },
-                        suggest: [
-                            {
-                                messageId: 'validatePattern',
-                                fix: () => null,
-                            },
-                        ],
-                    });
-                    return;
-                }
-            }
-            // Check for user input without escaping
-            if (isUserInputValue && !isEscapedValue) {
-                context.report({
-                    node: patternNode,
-                    messageId: 'unsafeRegexConstruction',
-                    data: {
-                        issue: 'User input in regex without escaping',
-                        details: 'User input in regex pattern can lead to ReDoS or injection attacks',
-                        fix: 'Escape special characters before using in regex',
-                    },
-                    suggest: [
-                        {
-                            messageId: 'escapeUserInput',
-                            fix: () => null,
-                        },
-                        {
-                            messageId: 'validatePattern',
-                            fix: () => null,
-                        },
-                        {
-                            messageId: 'useSafeLibrary',
-                            fix: () => null,
-                        },
-                    ],
-                });
-            }
-            // Check for dynamic flags
-            if (hasDynamicFlags(node)) {
-                context.report({
-                    node,
-                    messageId: 'unsafeRegexConstruction',
-                    data: {
-                        issue: 'Dynamic regex flags',
-                        details: 'Dynamic flags can lead to unexpected behavior or security issues',
-                        fix: 'Use static flags instead of dynamic flags',
-                    },
-                    suggest: [
-                        {
-                            messageId: 'avoidDynamicFlags',
-                            fix: () => null,
-                        },
-                    ],
-                });
-            }
-        }
-        return {
-            CallExpression: checkRegExpCall,
-            NewExpression: checkRegExpCall,
-        };
-    },
-});

package/src/rules/no-unsanitized-html/index.d.ts

@@ -1,9 +0,0 @@
-export interface Options {
-    /** Allow unsanitized HTML in test files. Default: false */
-    allowInTests?: boolean;
-    /** Trusted sanitization libraries. Default: ['dompurify', 'sanitize-html', 'xss'] */
-    trustedLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-export declare const noUnsanitizedHtml: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-unsanitized-html/index.js

@@ -1,335 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnsanitizedHtml = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text, ignorePatterns) {
-    return ignorePatterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            // Invalid regex - treat as literal string match
-            return text.toLowerCase().includes(pattern.toLowerCase());
-        }
-    });
-}
-exports.noUnsanitizedHtml = (0, eslint_devkit_2.createRule)({
-    name: 'no-unsanitized-html',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects unsanitized HTML injection (dangerouslySetInnerHTML, innerHTML)',
-        },
-        hasSuggestions: true,
-        messages: {
-            unsanitizedHtml: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unsanitized HTML Injection',
-                cwe: 'CWE-79',
-                description: 'Unsanitized HTML detected: {{htmlSource}}',
-                severity: 'CRITICAL',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
-            }),
-            useTextContent: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use textContent',
-                description: 'Use textContent instead of innerHTML',
-                severity: 'LOW',
-                fix: 'element.textContent = userInput;',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent',
-            }),
-            useSanitizeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Sanitization',
-                description: 'Use sanitization library',
-                severity: 'LOW',
-                fix: 'DOMPurify.sanitize(html) or sanitize-html',
-                documentationLink: 'https://github.com/cure53/DOMPurify',
-            }),
-            useDangerouslySetInnerHTML: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Sanitize First',
-                description: 'Sanitize before dangerouslySetInnerHTML',
-                severity: 'LOW',
-                fix: 'dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}',
-                documentationLink: 'https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow unsanitized HTML in test files',
-                    },
-                    trustedLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['dompurify', 'sanitize-html', 'xss'],
-                        description: 'Trusted sanitization libraries',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            trustedLibraries: ['dompurify', 'sanitize-html', 'xss'],
-            ignorePatterns: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, trustedLibraries = ['dompurify', 'sanitize-html', 'xss'], ignorePatterns = [], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        // Track variables that have been assigned sanitized content
-        const sanitizedVariables = new Set();
-        /**
-         * Check if a call expression is a sanitization call
-         */
-        function isSanitizationCall(node) {
-            const callee = node.callee;
-            if (callee.type === 'Identifier') {
-                const calleeName = callee.name.toLowerCase();
-                if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
-                    return true;
-                }
-                if (trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()))) {
-                    return true;
-                }
-            }
-            if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
-                const objectName = callee.object.name.toLowerCase();
-                if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
-                    return true;
-                }
-                // Also check the method name
-                if (callee.property.type === 'Identifier') {
-                    const methodName = callee.property.name.toLowerCase();
-                    if (['sanitize', 'purify', 'escape', 'clean'].includes(methodName)) {
-                        return true;
-                    }
-                }
-            }
-            return false;
-        }
-        /**
-         * Track variable declarations that are assigned sanitized content
-         */
-        function trackSanitizedAssignment(node) {
-            let varName = null;
-            let init = null;
-            if (node.type === 'VariableDeclarator') {
-                if (node.id.type === 'Identifier' && node.init) {
-                    varName = node.id.name;
-                    init = node.init;
-                }
-            }
-            else {
-                if (node.left.type === 'Identifier') {
-                    varName = node.left.name;
-                    init = node.right;
-                }
-            }
-            if (varName && init && init.type === 'CallExpression') {
-                if (isSanitizationCall(init)) {
-                    sanitizedVariables.add(varName);
-                }
-            }
-        }
-        function checkAssignmentExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check if left side is a dangerous DOM property
-            if (node.left.type === 'MemberExpression' &&
-                node.left.property.type === 'Identifier') {
-                const propertyName = node.left.property.name;
-                const dangerousProps = ['innerHTML', 'outerHTML'];
-                if (!dangerousProps.includes(propertyName)) {
-                    return; // Not a dangerous property
-                }
-                const memberExpr = node.left;
-                const property = memberExpr.property;
-                const text = sourceCode.getText(memberExpr);
-                // Check if the left side (variable/object) matches any ignore pattern
-                // This handles cases like testElement.innerHTML where testElement should be ignored
-                if (memberExpr.object.type === 'Identifier') {
-                    const objectName = memberExpr.object.name;
-                    if (matchesIgnorePattern(objectName, ignorePatterns)) {
-                        return;
-                    }
-                }
-                // Also check the full expression
-                if (matchesIgnorePattern(text, ignorePatterns)) {
-                    return;
-                }
-                // Check if the right side (assignment value) is a sanitization call
-                // First check if node.right itself is a sanitization call
-                if (node.right.type === 'CallExpression') {
-                    const callee = node.right.callee;
-                    if (callee.type === 'Identifier') {
-                        const calleeName = callee.name.toLowerCase();
-                        if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
-                            return;
-                        }
-                        if (trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()))) {
-                            return;
-                        }
-                    }
-                    if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
-                        const objectName = callee.object.name.toLowerCase();
-                        if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
-                            return;
-                        }
-                    }
-                }
-                // If right side is a literal string/number, allow it
-                if (node.right.type === 'Literal') {
-                    return;
-                }
-                // FALSE POSITIVE REDUCTION: Check if right side is a previously-sanitized variable
-                // Pattern: const clean = DOMPurify.sanitize(html); element.innerHTML = clean;
-                if (node.right.type === 'Identifier' && sanitizedVariables.has(node.right.name)) {
-                    return;
-                }
-                // For innerHTML/outerHTML, we should flag ANY non-sanitized assignment
-                // This is more aggressive but safer - innerHTML should ALWAYS be sanitized
-                // unless it's a literal or explicitly sanitized
-                // Build suggestions array - conditionally include based on context
-                // For allowInTests option, don't provide suggestions (test expects none)
-                const suggestions = allowInTests && !isTestFile
-                    ? undefined // allowInTests is true but file is not a test file - no suggestions
-                    : [
-                        {
-                            messageId: 'useTextContent',
-                            fix: (fixer) => {
-                                return fixer.replaceText(property, 'textContent');
-                            },
-                        },
-                        {
-                            messageId: 'useSanitizeLibrary',
-                            fix: () => [],
-                        },
-                    ];
-                context.report({
-                    node: memberExpr,
-                    messageId: 'unsanitizedHtml',
-                    data: {
-                        htmlSource: propertyName,
-                        safeAlternative: 'Use textContent or sanitize with DOMPurify: element.textContent = userInput; or element.innerHTML = DOMPurify.sanitize(html);',
-                    },
-                    suggest: suggestions,
-                });
-            }
-        }
-        function checkJSXAttribute(node) {
-            if (isTestFile) {
-                return;
-            }
-            if (node.name.type !== 'JSXIdentifier') {
-                return;
-            }
-            const attributeName = node.name.name;
-            // Check for dangerouslySetInnerHTML
-            if (attributeName === 'dangerouslySetInnerHTML') {
-                // Check if the value is sanitized
-                if (node.value && node.value.type === 'JSXExpressionContainer') {
-                    const expression = node.value.expression;
-                    // Check if it's an object with __html property
-                    if (expression.type === 'ObjectExpression') {
-                        const htmlProperty = expression.properties.find((prop) => prop.type === 'Property' &&
-                            prop.key.type === 'Identifier' &&
-                            prop.key.name === '__html');
-                        if (htmlProperty && htmlProperty.value) {
-                            const htmlValue = htmlProperty.value;
-                            // Check if the value is sanitized
-                            if (htmlValue.type === 'CallExpression') {
-                                const callee = htmlValue.callee;
-                                if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
-                                    const objectName = callee.object.name.toLowerCase();
-                                    if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
-                                        return; // It's sanitized
-                                    }
-                                }
-                                if (callee.type === 'Identifier') {
-                                    const calleeName = callee.name.toLowerCase();
-                                    if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
-                                        return; // It's sanitized
-                                    }
-                                }
-                            }
-                            // Check if the value matches user input patterns
-                            const htmlValueText = sourceCode.getText(htmlValue);
-                            let isUserInputValue = false;
-                            if (htmlValue.type === 'Identifier') {
-                                const identifierName = htmlValue.name.toLowerCase();
-                                const userInputNames = ['userinput', 'userdata', 'html', 'content', 'text'];
-                                isUserInputValue = userInputNames.includes(identifierName);
-                            }
-                            const userInputPatterns = [
-                                /\b(userInput|userData|html|content|text)\b/i,
-                                /\breq\.(body|query|params|headers|cookies)/,
-                                /\brequest\.(body|query|params)/,
-                            ];
-                            isUserInputValue = isUserInputValue || userInputPatterns.some(pattern => pattern.test(htmlValueText));
-                            if (isUserInputValue) {
-                                // It's user input, report it
-                            }
-                            else {
-                                // Check if it matches ignore patterns
-                                if (matchesIgnorePattern(htmlValueText, ignorePatterns)) {
-                                    return;
-                                }
-                                // If it's not user input and not in ignore patterns, it might be safe
-                                return;
-                            }
-                        }
-                    }
-                }
-                context.report({
-                    node,
-                    messageId: 'unsanitizedHtml',
-                    data: {
-                        htmlSource: 'dangerouslySetInnerHTML',
-                        safeAlternative: 'Sanitize HTML before using dangerouslySetInnerHTML: <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />',
-                    },
-                    suggest: [
-                        {
-                            messageId: 'useDangerouslySetInnerHTML',
-                            // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                            fix: (_fixer) => null,
-                        },
-                    ],
-                });
-            }
-        }
-        return {
-            VariableDeclarator: trackSanitizedAssignment,
-            AssignmentExpression: (node) => {
-                // Track sanitized assignments first
-                trackSanitizedAssignment(node);
-                // Then check for unsafe innerHTML
-                checkAssignmentExpression(node);
-            },
-            JSXAttribute: checkJSXAttribute,
-        };
-    },
-});

package/src/rules/no-unvalidated-deeplinks/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require validation of deep link URLs
- */
-export interface Options {
-}
-export declare const noUnvalidatedDeeplinks: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;