npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-weak-crypto/index.js DELETED Viewed

@@ -1,351 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noWeakCrypto = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const WEAK_CRYPTO_PATTERNS = [
-    {
-        pattern: /\bmd5\b/i,
-        name: 'MD5',
-        category: 'hash',
-        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
-        example: {
-            bad: 'crypto.createHash("md5").update(data)',
-            good: 'crypto.createHash("sha256").update(data)'
-        },
-        effort: '5 minutes'
-    },
-    {
-        pattern: /\bsha1\b/i,
-        name: 'SHA-1',
-        category: 'hash',
-        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
-        example: {
-            bad: 'crypto.createHash("sha1").update(data)',
-            good: 'crypto.createHash("sha256").update(data)'
-        },
-        effort: '5 minutes'
-    },
-    {
-        pattern: /\bdes\b/i,
-        name: 'DES',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("des", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    },
-    {
-        pattern: /\b3des\b|\btripledes\b/i,
-        name: '3DES',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("des-ede3", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    },
-    {
-        pattern: /\brc4\b/i,
-        name: 'RC4',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("rc4", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    }
-];
-/**
- * Check if a string contains a weak crypto algorithm
- */
-function containsWeakCrypto(value, additionalPatterns) {
-    // Check standard patterns
-    for (const pattern of WEAK_CRYPTO_PATTERNS) {
-        if (pattern.pattern.test(value)) {
-            return pattern;
-        }
-    }
-    // Check additional patterns
-    for (const additionalPattern of additionalPatterns) {
-        const regex = new RegExp(`\\b${additionalPattern}\\b`, 'i');
-        if (regex.test(value)) {
-            return {
-                pattern: regex,
-                name: additionalPattern,
-                category: 'hash',
-                alternatives: ['SHA-256', 'SHA-512'],
-                example: {
-                    bad: `crypto.createHash("${additionalPattern}").update(data)`,
-                    good: 'crypto.createHash("sha256").update(data)'
-                },
-                effort: '10 minutes'
-            };
-        }
-    }
-    return null;
-}
-/**
- * Generate refactoring suggestions based on the weak crypto pattern
- */
-function generateRefactoringSteps(pattern, context) {
-    const suggestions = [];
-    if (pattern.category === 'hash') {
-        suggestions.push({
-            messageId: 'useSha256',
-            fix: `Use SHA-256: crypto.createHash("sha256").update(${context})`
-        });
-    }
-    else if (pattern.category === 'encryption') {
-        suggestions.push({
-            messageId: 'useAes256',
-            fix: `Use AES-256-GCM: crypto.createCipheriv("aes-256-gcm", key, iv)`
-        });
-    }
-    if (pattern.category === 'password') {
-        suggestions.push({
-            messageId: 'useBcrypt',
-            fix: 'Use bcrypt: bcrypt.hash(password, 10)'
-        });
-        suggestions.push({
-            messageId: 'useScrypt',
-            fix: 'Use scrypt: crypto.scrypt(password, salt, 64)'
-        });
-        suggestions.push({
-            messageId: 'useArgon2',
-            fix: 'Use Argon2: argon2.hash(password)'
-        });
-    }
-    return suggestions;
-}
-exports.noWeakCrypto = (0, eslint_devkit_2.createRule)({
-    name: 'no-weak-crypto',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-crypto for 24 crypto security rules'],
-        docs: {
-            description: 'Detects use of weak cryptography algorithms (MD5, SHA1, DES)',
-        },
-        hasSuggestions: true,
-        messages: {
-            weakCrypto: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Weak cryptography',
-                cwe: 'CWE-327',
-                description: 'Use of weak cryptography algorithm: {{algorithm}}',
-                severity: 'CRITICAL',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            useSha256: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use SHA-256',
-                description: 'Use SHA-256 for hashing',
-                severity: 'LOW',
-                fix: 'crypto.createHash("sha256").update(data)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatehashmethod-options',
-            }),
-            useBcrypt: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use bcrypt',
-                description: 'Use bcrypt for password hashing',
-                severity: 'LOW',
-                fix: 'bcrypt.hash(password, 10)',
-                documentationLink: 'https://github.com/kelektiv/node.bcrypt.js',
-            }),
-            useScrypt: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use scrypt',
-                description: 'Use scrypt for password hashing',
-                severity: 'LOW',
-                fix: 'crypto.scrypt(password, salt, 64)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback',
-            }),
-            useArgon2: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Argon2',
-                description: 'Use Argon2 for password hashing',
-                severity: 'LOW',
-                fix: 'argon2.hash(password)',
-                documentationLink: 'https://github.com/ranisalt/node-argon2',
-            }),
-            useAes256: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use AES-256-GCM',
-                description: 'Use AES-256-GCM for encryption',
-                severity: 'LOW',
-                fix: 'Use crypto.createCipheriv("aes-256-gcm", key, iv)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
-            }),
-            strategyAuto: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Auto-fix Strategy',
-                description: 'Automatically suggest the best replacement',
-                severity: 'LOW',
-                fix: 'Apply automatic fix suggestion',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyUpgrade: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Upgrade Strategy',
-                description: 'Upgrade to a stronger algorithm',
-                severity: 'LOW',
-                fix: 'Replace weak algorithm with stronger alternative',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyMigrate: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Migration Strategy',
-                description: 'Plan migration to stronger cryptography',
-                severity: 'LOW',
-                fix: 'Create migration plan for cryptographic upgrade',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyPolicy: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Policy Strategy',
-                description: 'Apply organizational security policy',
-                severity: 'LOW',
-                fix: 'crypto.createCipheriv("aes-256-gcm", key, iv)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow weak crypto in test files',
-                    },
-                    additionalWeakAlgorithms: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional weak algorithms to detect',
-                    },
-                    trustedLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['crypto', 'crypto-js'],
-                        description: 'Trusted crypto libraries',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            additionalWeakAlgorithms: [],
-            trustedLibraries: ['crypto', 'crypto-js'],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, additionalWeakAlgorithms = [], trustedLibraries = ['crypto', 'crypto-js'], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        /**
-         * Check if a call expression uses weak crypto
-         */
-        function checkCallExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check for crypto.createHash, crypto.createCipher, etc.
-            if (node.callee.type === 'MemberExpression') {
-                // Check if it's a crypto method call (e.g., crypto.createHash, crypto.createCipher)
-                if (node.callee.object.type === 'Identifier' &&
-                    node.callee.property.type === 'Identifier') {
-                    const objectName = node.callee.object.name;
-                    const methodName = node.callee.property.name;
-                    // Check if it's a crypto method from a trusted library
-                    const isCryptoMethod = (methodName === 'createHash' ||
-                        methodName === 'createCipher' ||
-                        methodName === 'createCipheriv') &&
-                        (trustedLibraries.includes(objectName) || objectName === 'crypto');
-                    if (isCryptoMethod) {
-                        // Check arguments for weak algorithms
-                        for (const arg of node.arguments) {
-                            if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                                const weakPattern = containsWeakCrypto(arg.value, additionalWeakAlgorithms);
-                                if (weakPattern) {
-                                    const safeAlternative = weakPattern.alternatives[0];
-                                    const refactoringSteps = generateRefactoringSteps(weakPattern, 'data');
-                                    context.report({
-                                        node: arg,
-                                        messageId: 'weakCrypto',
-                                        data: {
-                                            algorithm: weakPattern.name,
-                                            safeAlternative: `Use ${safeAlternative}: ${weakPattern.example.good}`,
-                                        },
-                                        suggest: refactoringSteps.map(step => ({
-                                            messageId: step.messageId,
-                                            fix: (fixer) => {
-                                                // Replace the weak algorithm with a safe one
-                                                if (weakPattern.category === 'hash') {
-                                                    return fixer.replaceText(arg, `"sha256"`);
-                                                }
-                                                else if (weakPattern.category === 'encryption') {
-                                                    return fixer.replaceText(arg, `"aes-256-gcm"`);
-                                                }
-                                                return null;
-                                            },
-                                        })),
-                                    });
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            // Check for standalone crypto function calls (e.g., createHash, createCipher)
-            if (node.callee.type === 'Identifier') {
-                const calleeName = node.callee.name;
-                // Check for common crypto library patterns
-                if (calleeName === 'createHash' || calleeName === 'createCipher' || calleeName === 'createCipheriv') {
-                    for (const arg of node.arguments) {
-                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                            const weakPattern = containsWeakCrypto(arg.value, additionalWeakAlgorithms);
-                            if (weakPattern) {
-                                const safeAlternative = weakPattern.alternatives[0];
-                                context.report({
-                                    node: arg,
-                                    messageId: 'weakCrypto',
-                                    data: {
-                                        algorithm: weakPattern.name,
-                                        safeAlternative: `Use ${safeAlternative}: ${weakPattern.example.good}`,
-                                    },
-                                    suggest: [
-                                        {
-                                            messageId: weakPattern.category === 'hash' ? 'useSha256' : 'useAes256',
-                                            fix: (fixer) => {
-                                                if (weakPattern.category === 'hash') {
-                                                    return fixer.replaceText(arg, `"sha256"`);
-                                                }
-                                                else if (weakPattern.category === 'encryption') {
-                                                    return fixer.replaceText(arg, `"aes-256-gcm"`);
-                                                }
-                                                return null;
-                                            },
-                                        },
-                                    ],
-                                });
-                            }
-                        }
-                    }
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});

package/src/rules/no-weak-password-recovery/index.d.ts DELETED Viewed

@@ -1,12 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Minimum token entropy bits */
-    minTokenEntropy?: number;
-    /** Maximum token lifetime in hours */
-    maxTokenLifetimeHours?: number;
-    /** Recovery-related keywords */
-    recoveryKeywords?: string[];
-    /** Secure token generation functions */
-    secureTokenFunctions?: string[];
-}
-export declare const noWeakPasswordRecovery: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;