npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/detect-suspicious-dependencies/detect-suspicious-dependencies.test.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * @fileoverview Tests for detect-suspicious-dependencies
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { detectSuspiciousDependencies } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('detect-suspicious-dependencies', detectSuspiciousDependencies, {
+  valid: [
+    // Valid popular package names
+    { code: "import React from 'react'" },
+    { code: "import _ from 'lodash'" },
+    { code: "import express from 'express'" },
+    // Local imports
+    { code: "import foo from './foo'" },
+    // Scoped packages
+    { code: "import pkg from '@scope/package'" },
+  ],
+  invalid: [
+    // Typosquatting-like names (within 2 Levenshtein distance of popular packages)
+    { code: "import r from 'reakt'", errors: [{ messageId: 'violationDetected' }] },
+    { code: "import l from 'lodas'", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/detect-suspicious-dependencies/index.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * @fileoverview Detect potential typosquatting in dependencies
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/506.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const detectSuspiciousDependencies = createRule<RuleOptions, MessageIds>({
+  name: 'detect-suspicious-dependencies',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detect typosquatting in package names',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Suspicious Dependency',
+        cwe: 'CWE-506',
+        description: 'Suspicious package name detected - possible typosquatting',
+        severity: 'HIGH',
+        fix: 'Verify package authenticity on npm registry',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/506.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    const popularPackages = ['react', 'lodash', 'express', 'axios', 'webpack'];
+    function levenshtein(a: string, b: string): number {
+      const matrix = [];
+      for (let i = 0; i <= b.length; i++) {
+        matrix[i] = [i];
+      }
+      for (let j = 0; j <= a.length; j++) {
+        matrix[0][j] = j;
+      }
+      for (let i = 1; i <= b.length; i++) {
+        for (let j = 1; j <= a.length; j++) {
+          if (b.charAt(i - 1) === a.charAt(j - 1)) {
+            matrix[i][j] = matrix[i - 1][j - 1];
+          } else {
+            matrix[i][j] = Math.min(
+              matrix[i - 1][j - 1] + 1,
+              matrix[i][j - 1] + 1,
+              matrix[i - 1][j] + 1
+            );
+          }
+        }
+      }
+      return matrix[b.length][a.length];
+    }
+    return {
+      ImportDeclaration(node: TSESTree.ImportDeclaration) {
+        const source = node.source.value;
+        if (typeof source === 'string' && !source.startsWith('.') && !source.startsWith('@')) {
+          for (const popular of popularPackages) {
+            const distance = levenshtein(source, popular);
+            if (distance > 0 && distance <= 2) {
+              context.report({
+                node,
+                messageId: 'violationDetected',
+                data: { name: source, similar: popular },
+              });
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/detect-weak-password-validation/detect-weak-password-validation.test.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * @fileoverview Tests for detect-weak-password-validation
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { detectWeakPasswordValidation } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('detect-weak-password-validation', detectWeakPasswordValidation, {
+  valid: [
+    // Strong password requirements
+    { code: "if (password.length >= 12) { valid() }" },
+    { code: "if (pwd.length >= 8) { valid() }" },
+    // Non-password length checks
+    { code: "if (name.length >= 2) { valid() }" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Weak password requirements
+    { code: "if (password.length >= 4) { accept() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (pwd.length >= 6) { proceed() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (pass.length > 3) { ok() }", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/detect-weak-password-validation/index.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * @fileoverview Identify weak password requirements
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const detectWeakPasswordValidation = createRule<RuleOptions, MessageIds>({
+  name: 'detect-weak-password-validation',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Identify weak password requirements',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Weak Password Validation',
+        cwe: 'CWE-521',
+        description: 'Password length requirement is too weak (less than 8 characters)',
+        severity: 'CRITICAL',
+        fix: 'Require at least 12 characters with complexity requirements',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    return {
+      BinaryExpression(node: TSESTree.BinaryExpression) {
+        // Detect weak length requirements like password.length >= 4
+        if (['>=', '>', '==', '==='].includes(node.operator)) {
+          // Check if left side is .length
+          if (node.left.type === 'MemberExpression' &&
+              node.left.property.type === 'Identifier' &&
+              node.left.property.name === 'length') {
+            // Check if comparing to a weak number
+            if (node.right.type === 'Literal' &&
+                typeof node.right.value === 'number' &&
+                node.right.value < 8) {
+              // Check if variable name suggests password
+              if (node.left.object.type === 'Identifier') {
+                const varName = node.left.object.name.toLowerCase();
+                if (varName.includes('password') || varName.includes('pwd') || varName.includes('pass')) {
+                  report(node);
+                }
+              }
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-allow-arbitrary-loads/index.ts ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * @fileoverview Prevent configuration allowing insecure loads
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/749.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noAllowArbitraryLoads = createRule<RuleOptions, MessageIds>({
+  name: 'no-allow-arbitrary-loads',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent configuration allowing insecure loads',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M5'],
+      cweIds: ["CWE-749"],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'violation Detected',
+        cwe: 'CWE-295',
+        description: 'Prevent configuration allowing insecure loads detected - allowArbitraryLoads: true',
+        severity: 'HIGH',
+        fix: 'Review and apply secure practices',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      Property(node: TSESTree.Property) {
+        if (node.key.type === 'Identifier' &&
+            node.key.name === 'allowArbitraryLoads' &&
+            node.value.type === 'Literal' &&
+            node.value.value === true) {
+          context.report({ node, messageId: 'violationDetected' });
+        }
+      },
+    };
+  },
+});

package/src/rules/no-allow-arbitrary-loads/no-allow-arbitrary-loads.test.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * @fileoverview Tests for no-allow-arbitrary-loads
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noAllowArbitraryLoads } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-allow-arbitrary-loads', noAllowArbitraryLoads, {
+  valid: [
+    // Secure configuration
+    { code: "const config = { allowArbitraryLoads: false }" },
+    { code: "const settings = { secureMode: true }" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Insecure configuration
+    { code: "const config = { allowArbitraryLoads: true }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "module.exports = { NSAppTransportSecurity: { allowArbitraryLoads: true } }", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-arbitrary-file-access/index.ts ADDED Viewed

@@ -0,0 +1,238 @@
+/**
+ * @fileoverview Prevent file access from user input
+ *
+ * False Positive Reduction:
+ * This rule detects safe patterns including:
+ * - path.basename() sanitization
+ * - path.join() with validated base directories
+ * - startsWith() validation guards
+ * - Early-return throw patterns
+ */
+import { AST_NODE_TYPES, createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noArbitraryFileAccess = createRule<RuleOptions, MessageIds>({
+  name: 'no-arbitrary-file-access',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent file access from user input',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Arbitrary File Access',
+        cwe: 'CWE-22',
+        description: 'File path from user input - path traversal vulnerability',
+        severity: 'HIGH',
+        fix: 'Validate and sanitize file paths, use allowlists',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    const sourceCode = context.sourceCode;
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const fsReadMethods = ['readFile', 'readFileSync', 'readdir', 'readdirSync', 'stat', 'statSync'];
+    const fsWriteMethods = ['writeFile', 'writeFileSync', 'appendFile', 'appendFileSync'];
+    const userInputSources = ['req', 'request', 'params', 'query', 'body'];
+    // Track variables that have been sanitized with path.basename()
+    const sanitizedVariables = new Set<string>();
+    // Track variables that have been validated with startsWith() guards
+    const validatedVariables = new Set<string>();
+    /**
+     * Check if a variable is assigned from path.basename() or path.join() with basename
+     */
+    function checkVariableDeclaration(node: TSESTree.VariableDeclarator) {
+      if (node.id.type !== 'Identifier' || !node.init) {
+        return;
+      }
+      const varName = node.id.name;
+      const init = node.init;
+      // Check for path.basename() assignment
+      if (init.type === 'CallExpression' &&
+          init.callee.type === 'MemberExpression' &&
+          init.callee.object.type === 'Identifier' &&
+          init.callee.object.name === 'path' &&
+          init.callee.property.type === 'Identifier' &&
+          init.callee.property.name === 'basename') {
+        sanitizedVariables.add(varName);
+      }
+      // Check for path.join() with a sanitized variable or literal base
+      if (init.type === 'CallExpression' &&
+          init.callee.type === 'MemberExpression' &&
+          init.callee.object.type === 'Identifier' &&
+          init.callee.object.name === 'path' &&
+          init.callee.property.type === 'Identifier' &&
+          init.callee.property.name === 'join') {
+        // Check if any argument is a sanitized variable
+        const hasSanitizedArg = init.arguments.some((arg: TSESTree.CallExpressionArgument) =>
+          arg.type === 'Identifier' && sanitizedVariables.has(arg.name)
+        );
+        // Check if first arg is a safe base (literal or known safe variable)
+        const firstArg = init.arguments[0];
+        const hasSafeBase = firstArg && (
+          firstArg.type === 'Literal' ||
+          (firstArg.type === 'Identifier' && /^(SAFE|BASE|ROOT|UPLOAD|PUBLIC)/i.test(firstArg.name))
+        );
+        if (hasSanitizedArg && hasSafeBase) {
+          sanitizedVariables.add(varName);
+        }
+      }
+    }
+    /**
+     * Check if there's a startsWith() guard validation for this variable
+     * Looks for patterns like:
+     * if (!path.startsWith(baseDir)) { throw ... }
+     * if (!path.startsWith(baseDir)) { return ... }
+     */
+    function hasStartsWithGuard(node: TSESTree.Node, varName: string): boolean {
+      // Already validated
+      if (validatedVariables.has(varName)) {
+        return true;
+      }
+      // Walk up to find the containing block or function
+      let current: TSESTree.Node | undefined = node.parent;
+      while (current) {
+        // If we've reached a function body or block, search its statements
+        if (current.type === AST_NODE_TYPES.BlockStatement) {
+          const statements = current.body;
+          // Look for IF statements in this block that validate our variable
+          for (const stmt of statements) {
+            if (stmt.type === AST_NODE_TYPES.IfStatement) {
+              const testText = sourceCode.getText(stmt.test).toLowerCase();
+              // Check for startsWith() validation pattern with our variable
+              if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+                // Check if this is a guard clause (negated condition with throw/return)
+                const consequent = stmt.consequent;
+                // Handle block statement: if (...) { throw/return; }
+                if (consequent.type === AST_NODE_TYPES.BlockStatement && consequent.body.length > 0) {
+                  const firstStmt = consequent.body[0];
+                  if (firstStmt.type === AST_NODE_TYPES.ThrowStatement || firstStmt.type === AST_NODE_TYPES.ReturnStatement) {
+                    validatedVariables.add(varName);
+                    return true;
+                  }
+                }
+                // Handle direct statement: if (...) throw/return;
+                if (consequent.type === AST_NODE_TYPES.ThrowStatement || consequent.type === AST_NODE_TYPES.ReturnStatement) {
+                  validatedVariables.add(varName);
+                  return true;
+                }
+              }
+            }
+          }
+        }
+        // Also check if current IS an if statement (when node is inside the consequent)
+        if (current.type === AST_NODE_TYPES.IfStatement) {
+          const testText = sourceCode.getText(current.test).toLowerCase();
+          if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+            validatedVariables.add(varName);
+            return true;
+          }
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+    /**
+     * Check if a variable comes from a sanitized/validated source
+     */
+    function isVariableSafe(varName: string, node: TSESTree.Node): boolean {
+      // Already tracked as sanitized
+      if (sanitizedVariables.has(varName)) {
+        return true;
+      }
+      // Has startsWith guard validation
+      if (hasStartsWithGuard(node, varName)) {
+        return true;
+      }
+      // Check naming conventions that suggest safety
+      if (/^(safe|sanitized|validated|clean)/i.test(varName)) {
+        return true;
+      }
+      return false;
+    }
+    return {
+      // Track variable declarations for sanitization patterns
+      VariableDeclarator(node: TSESTree.VariableDeclarator) {
+        checkVariableDeclaration(node);
+      },
+      CallExpression(node: TSESTree.CallExpression) {
+        // Detect fs.* with user input
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.object.type === 'Identifier' &&
+            node.callee.object.name === 'fs' &&
+            node.callee.property.type === 'Identifier' &&
+            [...fsReadMethods, ...fsWriteMethods].includes(node.callee.property.name)) {
+          const pathArg = node.arguments[0];
+          // Skip if path is a literal (safe)
+          if (pathArg && pathArg.type === 'Literal') {
+            return;
+          }
+          // Check if path is a variable
+          if (pathArg && pathArg.type === 'Identifier') {
+            const varName = pathArg.name;
+            // Skip if variable is sanitized or validated
+            if (isVariableSafe(varName, node)) {
+              return;
+            }
+            report(node);
+            return;
+          }
+          // Flag if path is from a member expression (user input sources)
+          if (pathArg?.type === 'MemberExpression' &&
+              pathArg.object.type === 'Identifier') {
+            const objName = pathArg.object.name.toLowerCase();
+            if (userInputSources.includes(objName)) {
+              report(node);
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-arbitrary-file-access/no-arbitrary-file-access.test.ts ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * @fileoverview Tests for no-arbitrary-file-access
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noArbitraryFileAccess } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-arbitrary-file-access', noArbitraryFileAccess, {
+  valid: [
+    // Static file paths
+    { code: "fs.readFileSync('./config.json')" },
+    { code: "fs.writeFile('/app/data/log.txt', data, cb)" },
+    { code: "fs.readdir('/safe/path')" },
+    { code: "fs.stat('/known/file.txt')" },
+    // Non-fs code
+    { code: "const x = 1" },
+    { code: "other.readFile(path)" },
+    // ============================================
+    // FALSE POSITIVE PREVENTION TESTS
+    // ============================================
+    // FP-1: path.basename() sanitization
+    {
+      code: `
+        const safeName = path.basename(userFilename);
+        fs.readFileSync(safeName);
+      `,
+    },
+    // FP-2: path.basename() + path.join() with safe base
+    {
+      code: `
+        const safeName = path.basename(userFilename);
+        const safePath = path.join(SAFE_DIR, safeName);
+        fs.readFileSync(safePath);
+      `,
+    },
+    // FP-3: startsWith() validation guard with throw
+    {
+      code: `
+        function readFile(userPath) {
+          const filePath = path.join('/uploads', userPath);
+          if (!filePath.startsWith('/uploads')) {
+            throw new Error('Invalid path');
+          }
+          return fs.readFileSync(filePath);
+        }
+      `,
+    },
+    // FP-4: startsWith() validation guard with return
+    {
+      code: `
+        function readFile(userPath) {
+          const filePath = path.join(baseDir, userPath);
+          if (!filePath.startsWith(baseDir)) {
+            return null;
+          }
+          return fs.readFileSync(filePath);
+        }
+      `,
+    },
+    // FP-5: Variables with safe naming conventions
+    { code: "fs.readFileSync(safePath)" },
+    { code: "fs.readFileSync(sanitizedPath)" },
+    { code: "fs.readFileSync(validatedFilename)" },
+    { code: "fs.readFileSync(cleanPath)" },
+    // FP-6: Combined pattern (real-world safe pattern from safe-patterns.js)
+    {
+      code: `
+        const SAFE_DIR = path.resolve(__dirname, 'uploads');
+        function safeReadFile(userFilename) {
+          const safeName = path.basename(userFilename);
+          const safePath = path.join(SAFE_DIR, safeName);
+          if (!safePath.startsWith(SAFE_DIR)) {
+            throw new Error('Invalid path');
+          }
+          return fs.readFileSync(safePath);
+        }
+      `,
+    },
+  ],
+  invalid: [
+    // Variable file paths - all fs read methods
+    { code: "fs.readFileSync(filePath)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.readFile(userFile, cb)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.readdir(userDir)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.readdirSync(scanPath)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.stat(targetPath)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.statSync(checkPath)", errors: [{ messageId: 'violationDetected' }] },
+    // Variable file paths - all fs write methods
+    { code: "fs.writeFile(outputPath, data, cb)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.writeFileSync(destPath, content)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.appendFile(logPath, text, cb)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.appendFileSync(filePath, data)", errors: [{ messageId: 'violationDetected' }] },
+    // User input from req object
+    { code: "fs.readFile(req.file, cb)", errors: [{ messageId: 'violationDetected' }] },
+    // User input from request object
+    { code: "fs.readFile(request.path, cb)", errors: [{ messageId: 'violationDetected' }] },
+    // User input from params object
+    { code: "fs.readFileSync(params.filename)", errors: [{ messageId: 'violationDetected' }] },
+    // User input from query object
+    { code: "fs.readFile(query.file, cb)", errors: [{ messageId: 'violationDetected' }] },
+    // User input from body object
+    { code: "fs.writeFile(body.path, data, cb)", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});