npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-clickjacking/no-clickjacking.test.ts ADDED Viewed

@@ -0,0 +1,253 @@
+/**
+ * Comprehensive tests for no-clickjacking rule
+ * Security: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noClickjacking } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+) with JSX support
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-clickjacking', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - protected against clickjacking', noClickjacking, {
+      valid: [
+        // Trusted iframe sources (starts with /)
+        {
+          code: '<iframe src="/local-content.html"></iframe>',
+        },
+        // Proper CSP (would be set server-side) - no UI elements
+        {
+          code: '// CSP: frame-ancestors \'self\'; const x = 1;',
+        },
+        // Code without UI elements doesn't require frame-busting
+        {
+          code: 'const data = { name: "test" };',
+        },
+        // Frame-busting detection (marks hasFrameBusting=true)
+        {
+          code: 'if (top != self) { console.log("framed"); }',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Missing Frame Busting', () => {
+    // Note: missingFrameBusting now only triggers on entry point files (index/app/page.tsx/jsx)
+    // These tests use the default test filename which is not an entry point
+    ruleTester.run('valid - non-entry-point files skip frame-busting check', noClickjacking, {
+      valid: [
+        // Code with button (UI element) but no frame-busting - now valid since not entry point
+        {
+          code: 'const x = 1; function handleClick() {} button;',
+        },
+        // Code with onClick handler but no frame-busting - now valid since not entry point
+        {
+          code: 'element.onClick = handler;',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Unsafe iframe Usage', () => {
+    ruleTester.run('invalid - unsafe iframe sources', noClickjacking, {
+      valid: [],
+      invalid: [
+        // External HTTP source is untrusted
+        // missingFrameBusting only triggers for UI elements (button|input|form|a|div)
+        {
+          code: '<iframe src="http://external-site.com"></iframe>',
+          errors: [
+            {
+              messageId: 'unsafeIframeUsage',
+            },
+          ],
+        },
+        // HTTPS untrusted source
+        {
+          code: '<iframe src="https://untrusted.com/widget"></iframe>',
+          errors: [
+            {
+              messageId: 'unsafeIframeUsage',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Frame Manipulation', () => {
+    ruleTester.run('invalid - dangerous frame manipulation', noClickjacking, {
+      valid: [],
+      invalid: [
+        // Direct assignment to top.location
+        // missingFrameBusting only triggers for UI elements
+        {
+          code: 'top.location = "http://evil.com";',
+          errors: [
+            {
+              messageId: 'frameManipulation',
+            },
+          ],
+        },
+        // Assignment to window.location
+        {
+          code: 'window.location = "http://evil.com";',
+          errors: [
+            {
+              messageId: 'frameManipulation',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Transparent Overlays', () => {
+    ruleTester.run('invalid - transparent elements that could hide attacks', noClickjacking, {
+      valid: [],
+      invalid: [
+        // Literal must include 'style=' or 'css' to trigger
+        // missingFrameBusting only triggers for UI elements
+        {
+          code: 'const css = "style=opacity: 0; position: absolute; top: 0; left: 0;";',
+          errors: [
+            {
+              messageId: 'transparentFrameOverlay',
+            },
+          ],
+        },
+        // cssText with visibility hidden
+        {
+          code: 'element.cssText = "css visibility: hidden; z-index: -1;";',
+          errors: [
+            {
+              messageId: 'transparentFrameOverlay',
+            },
+          ],
+        },
+        // Template literal with 'style' keyword
+        {
+          code: 'const style = `style opacity: 0; position: absolute; top: 0; left: 0;`;',
+          errors: [
+            {
+              messageId: 'transparentFrameOverlay',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noClickjacking, {
+      valid: [
+        // Trusted sources (starts with /)
+        {
+          code: '<iframe src="/local-content.html"></iframe>',
+        },
+        // Safe frame-busting comparison (doesn't assign)
+        {
+          code: 'if (top !== self) { console.log("framed"); }',
+        },
+        // String without 'style=' or 'css' doesn't trigger overlay check
+        {
+          code: 'const loadingStyle = "opacity: 0; transition: opacity 0.3s;";',
+        },
+        // Disabled frame-busting requirement
+        {
+          code: '<button onClick={handleClick}>Click me</button>',
+          options: [{ requireFrameBusting: false }],
+        },
+        // Code without UI elements
+        {
+          code: 'const data = 123;',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - trusted sources', noClickjacking, {
+      valid: [
+        // Trusted source configured - no unsafeIframeUsage
+        // iframe alone doesn't trigger missingFrameBusting
+        {
+          code: '<iframe src="https://trusted.com"></iframe>',
+          options: [{ trustedSources: ['https://trusted.com'] }],
+        },
+      ],
+      invalid: [
+        // Untrusted source - only unsafeIframeUsage (no UI elements for missingFrameBusting)
+        {
+          code: '<iframe src="https://untrusted.com"></iframe>',
+          options: [{ trustedSources: ['https://trusted.com'] }],
+          errors: [
+            {
+              messageId: 'unsafeIframeUsage',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('config - disable frame-busting requirement', noClickjacking, {
+      valid: [
+        // With requireFrameBusting=false, UI elements don't trigger missingFrameBusting
+        {
+          code: '<form><input type="text" /><button>Submit</button></form>',
+          options: [{ requireFrameBusting: false }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Complex Clickjacking Scenarios', () => {
+    ruleTester.run('complex - real-world clickjacking attack patterns', noClickjacking, {
+      valid: [],
+      invalid: [
+        // Untrusted iframe source - only unsafeIframeUsage (iframe doesn't count as UI element)
+        {
+          code: '<iframe src="https://untrusted-social-widget.com/like" width="200" height="50" />',
+          errors: [
+            {
+              messageId: 'unsafeIframeUsage',
+            },
+          ],
+        },
+        // Frame manipulation attempt - only frameManipulation
+        {
+          code: 'window.location = "https://evil.com";',
+          errors: [
+            {
+              messageId: 'frameManipulation',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-client-side-auth-logic/index.ts ADDED Viewed

@@ -0,0 +1,81 @@
+/**
+ * @fileoverview Prevent authentication logic in client code
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noClientSideAuthLogic = createRule<RuleOptions, MessageIds>({
+  name: 'no-client-side-auth-logic',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent authentication logic in client code',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Client-Side Auth Logic',
+        cwe: 'CWE-602',
+        description: 'Authentication logic in client code - easily bypassed',
+        severity: 'CRITICAL',
+        fix: 'Move authentication checks to the server',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/602.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const authKeywords = ['admin', 'authenticated', 'authorized', 'isAdmin', 'isAuthenticated', 'role'];
+    return {
+      IfStatement(node: TSESTree.IfStatement) {
+        // Detect role/auth checks from localStorage
+        if (node.test.type === 'CallExpression' &&
+            node.test.callee.type === 'MemberExpression' &&
+            node.test.callee.object.type === 'Identifier' &&
+            node.test.callee.object.name === 'localStorage' &&
+            node.test.callee.property.type === 'Identifier' &&
+            node.test.callee.property.name === 'getItem') {
+          const keyArg = node.test.arguments[0];
+          if (keyArg && keyArg.type === 'Literal') {
+            const key = String(keyArg.value).toLowerCase();
+            if (authKeywords.some(kw => key.includes(kw))) {
+              report(node);
+            }
+          }
+        }
+        // Detect password comparison
+        if (node.test.type === 'BinaryExpression') {
+          const checkMember = (expr: TSESTree.Expression) => {
+            if (expr.type === 'MemberExpression' &&
+                expr.property.type === 'Identifier' &&
+                ['password', 'secret', 'token'].includes(expr.property.name)) {
+              return true;
+            }
+            return false;
+          };
+          if (checkMember(node.test.left as TSESTree.Expression) ||
+              checkMember(node.test.right as TSESTree.Expression)) {
+            report(node);
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-client-side-auth-logic/no-client-side-auth-logic.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview Tests for no-client-side-auth-logic
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noClientSideAuthLogic } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-client-side-auth-logic', noClientSideAuthLogic, {
+  valid: [
+    // Server-side auth checks
+    { code: "if (await verifyToken(token)) { proceed() }" },
+    { code: "const isAuth = await authService.verify()" },
+    // Non-auth localStorage usage
+    { code: "if (localStorage.getItem('theme')) { setTheme() }" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Local storage auth checks
+    { code: "if (localStorage.getItem('isAdmin')) { showAdmin() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (localStorage.getItem('authenticated')) { proceed() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (localStorage.getItem('role')) { checkRole() }", errors: [{ messageId: 'violationDetected' }] },
+    // Password comparison
+    { code: "if (user.password === input) { login() }", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-credentials-in-query-params/index.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * @fileoverview Disallow credentials in URL query parameters
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noCredentialsInQueryParams = createRule<RuleOptions, MessageIds>({
+  name: 'no-credentials-in-query-params',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Disallow credentials in URL query parameters',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Credentials in Query Parameters',
+        cwe: 'CWE-798',
+        description: 'Credentials detected in URL query parameters - this is a security risk',
+        severity: 'CRITICAL',
+        fix: 'Use secure methods: POST body, headers (Authorization), or secure cookies',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    const sourceCode = context.sourceCode;
+    const sensitiveParams = ['password=', 'token=', 'apikey=', 'secret=', 'auth='];
+    function report(node: TSESTree.Node) {
+      context.report({
+        node,
+        messageId: 'violationDetected',
+      });
+    }
+    return {
+      Literal(node: TSESTree.Literal) {
+        if (typeof node.value === 'string') {
+          const url = node.value.toLowerCase();
+          if (sensitiveParams.some(param => url.includes('?' + param) || url.includes('&' + param))) {
+            report(node);
+          }
+        }
+      },
+      TemplateLiteral(node: TSESTree.TemplateLiteral) {
+        const text = sourceCode.getText(node).toLowerCase();
+        if (sensitiveParams.some(param => text.includes(param))) {
+          report(node);
+        }
+      },
+    };
+  },
+});

package/src/rules/no-credentials-in-query-params/no-credentials-in-query-params.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview Tests for no-credentials-in-query-params
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noCredentialsInQueryParams } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-credentials-in-query-params', noCredentialsInQueryParams, {
+  valid: [
+    // Safe URLs without credentials
+    { code: "const url = 'https://api.example.com/data'" },
+    { code: "const url = 'https://api.example.com?user=john'" },
+    { code: "fetch('https://api.example.com/users')" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // URLs with credentials in query params
+    { code: "const url = 'https://api.example.com?password=secret123'", errors: [{ messageId: 'violationDetected' }] },
+    { code: "const url = 'https://api.example.com?token=abc123'", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fetch('https://api.example.com?apikey=xyz789')", errors: [{ messageId: 'violationDetected' }] },
+    { code: "const url = 'https://api.com?user=john&password=xyz'", errors: [{ messageId: 'violationDetected' }] },
+    // Template literals with credentials
+    { code: "const url = `https://api.com?token=${token}`", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-credentials-in-storage-api/index.ts ADDED Viewed

@@ -0,0 +1,64 @@
+/**
+ * @fileoverview Disallow storing credentials in browser/mobile storage APIs
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noCredentialsInStorageApi = createRule<RuleOptions, MessageIds>({
+  name: 'no-credentials-in-storage-api',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Disallow storing credentials in browser/mobile storage APIs',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Credentials in Storage',
+        cwe: 'CWE-522',
+        description: 'Credentials stored in insecure browser/mobile storage',
+        severity: 'CRITICAL',
+        fix: 'Use secure storage like Keychain, SecureStore, or encrypted storage',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/522.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const sensitiveKeys = ['password', 'token', 'apikey', 'secret', 'credential', 'auth', 'key'];
+    const storageObjects = ['localStorage', 'sessionStorage', 'AsyncStorage'];
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        // Check localStorage.setItem/sessionStorage.setItem/AsyncStorage.setItem
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.object.type === 'Identifier' &&
+            storageObjects.includes(node.callee.object.name) &&
+            node.callee.property.type === 'Identifier' &&
+            node.callee.property.name === 'setItem') {
+          const keyArg = node.arguments[0];
+          if (keyArg && keyArg.type === 'Literal' && typeof keyArg.value === 'string') {
+            const key = keyArg.value.toLowerCase();
+            if (sensitiveKeys.some(k => key.includes(k))) {
+              report(node);
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-credentials-in-storage-api/no-credentials-in-storage-api.test.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * @fileoverview Tests for no-credentials-in-storage-api
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noCredentialsInStorageApi } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-credentials-in-storage-api', noCredentialsInStorageApi, {
+  valid: [
+    // Safe storage usage
+    { code: "localStorage.setItem('theme', 'dark')" },
+    { code: "sessionStorage.setItem('language', 'en')" },
+    { code: "AsyncStorage.setItem('settings', json)" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Storing credentials
+    { code: "localStorage.setItem('password', pwd)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "localStorage.setItem('authToken', token)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "sessionStorage.setItem('apiKey', key)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "AsyncStorage.setItem('secret', data)", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-data-in-temp-storage/index.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * @fileoverview Prevent sensitive data in temp directories
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noDataInTempStorage = createRule<RuleOptions, MessageIds>({
+  name: 'no-data-in-temp-storage',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent sensitive data in temp directories',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Temp Storage Data',
+        cwe: 'CWE-312',
+        description: 'Sensitive data written to temp directory - not secure',
+        severity: 'HIGH',
+        fix: 'Use secure storage location or encrypt data before writing',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/312.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const tempPaths = ['/tmp', '/var/tmp', 'temp/', '/temp'];
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        // Detect fs.writeFileSync or fs.writeFile with temp path
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.object.type === 'Identifier' &&
+            node.callee.object.name === 'fs' &&
+            node.callee.property.type === 'Identifier' &&
+            ['writeFileSync', 'writeFile'].includes(node.callee.property.name)) {
+          const pathArg = node.arguments[0];
+          if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
+            if (tempPaths.some(tp => pathArg.value.includes(tp))) {
+              report(node);
+            }
+          }
+        }
+      },
+      Literal(node: TSESTree.Literal) {
+        // Detect temp path literals
+        if (typeof node.value === 'string') {
+          if (tempPaths.some(tp => node.value.includes(tp))) {
+            // Only flag if parent is assignment or variable declaration
+            const parent = node.parent;
+            if (parent?.type === 'VariableDeclarator' || parent?.type === 'AssignmentExpression') {
+              report(node);
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-data-in-temp-storage/no-data-in-temp-storage.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview Tests for no-data-in-temp-storage
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noDataInTempStorage } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-data-in-temp-storage', noDataInTempStorage, {
+  valid: [
+    // Secure storage locations
+    { code: "fs.writeFileSync('/app/data/file.txt', data)" },
+    { code: "fs.writeFile('/secure/path/file.json', data, callback)" },
+    // Non-path literals
+    { code: "console.log('temp data')" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Temp path writes
+    { code: "fs.writeFileSync('/tmp/secrets.json', data)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fs.writeFile('/var/tmp/auth.txt', data, cb)", errors: [{ messageId: 'violationDetected' }] },
+    // Temp path variables
+    { code: "const path = '/tmp/sensitive.txt'", errors: [{ messageId: 'violationDetected' }] },
+    { code: "let file = '/var/tmp/data.json'", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});