npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-directive-injection/no-directive-injection.test.ts ADDED Viewed

@@ -0,0 +1,305 @@
+/**
+ * Comprehensive tests for no-directive-injection rule
+ * Security: CWE-96 (Improper Neutralization of Directives in Statically Saved Code)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noDirectiveInjection } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+) with JSX support
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-directive-injection', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - safe directive usage', noDirectiveInjection, {
+      valid: [
+        // Safe innerHTML with text content (not innerHTML)
+        {
+          code: 'element.textContent = userInput;',
+        },
+        // Trusted directive names (string literal, not user input)
+        {
+          code: 'Vue.directive("my-directive", { /* safe */ });',
+        },
+        // Static HTML (no user input variables)
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: "static content" }} />',
+        },
+        // innerHTML with non-user input
+        {
+          code: 'element.innerHTML = staticContent;',
+        },
+        // Handlebars compile with non-user input
+        {
+          code: 'const compiled = Handlebars.compile(staticTemplate);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - dangerouslySetInnerHTML', () => {
+    ruleTester.run('invalid - dangerous innerHTML usage', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // userInput is a recognized user input variable
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: userInput }} />',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+          ],
+        },
+        // req.body.content contains 'body' which is a user input variable
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: req.body.content }} />',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Template Injection', () => {
+    ruleTester.run('invalid - template injection in JSX', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // Template literal with userInput in dangerouslySetInnerHTML
+        // Only triggers dangerousInnerHTML (JSX context doesn't trigger templateInjection via TemplateLiteral visitor)
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: `Hello ${userInput}!` }} />',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+            {
+              messageId: 'templateInjection',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - innerHTML Assignments', () => {
+    ruleTester.run('invalid - unsafe innerHTML assignments', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        {
+          code: 'element.innerHTML = userInput;',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+          ],
+        },
+        {
+          code: 'document.getElementById("content").innerHTML = req.body.html;',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Dynamic Component Binding', () => {
+    ruleTester.run('invalid - unsafe component binding', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // JSX is={userInput} - userInput is in user input variables
+        // Rule only detects Identifiers (not MemberExpressions like req.query.x)
+        {
+          code: '<div is={userInput}></div>',
+          errors: [
+            {
+              messageId: 'unsafeComponentBinding',
+            },
+          ],
+        },
+        // data is in user input variables
+        {
+          code: '<div is={data}></div>',
+          errors: [
+            {
+              messageId: 'unsafeComponentBinding',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Template Compilation', () => {
+    ruleTester.run('invalid - unsafe template compilation', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // Handlebars.compile with userInput variable
+        {
+          code: 'const compiled = Handlebars.compile(userInput);',
+          errors: [
+            {
+              messageId: 'userControlledTemplate',
+            },
+          ],
+        },
+        // _.template with variable containing "input"
+        {
+          code: 'const template = _.template(userInput);',
+          errors: [
+            {
+              messageId: 'userControlledTemplate',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Dynamic Directive Creation', () => {
+    ruleTester.run('invalid - dynamic directive creation', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // Vue.directive with userInput as directive name
+        {
+          code: 'Vue.directive(userInput, directiveDefinition);',
+          errors: [
+            {
+              messageId: 'unsafeDirectiveName',
+            },
+          ],
+        },
+        // directive() with userInput as directive name
+        {
+          code: 'directive(userInput, function() { /* ... */ });',
+          errors: [
+            {
+              messageId: 'dynamicDirectiveCreation',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noDirectiveInjection, {
+      valid: [
+        // safeHtml is not a user input variable, so it's valid
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: safeHtml }} />',
+        },
+        // safeTemplate doesn't contain user input variable names
+        {
+          code: 'const compiled = Handlebars.compile(safeTemplate);',
+        },
+        // Trusted directive names (string literal)
+        {
+          code: 'Vue.directive("my-safe-directive", definition);',
+        },
+        // Static HTML string doesn't trigger
+        {
+          code: 'element.innerHTML = "<strong>Safe</strong>";',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - user input variables', noDirectiveInjection, {
+      valid: [
+        // customVar is not in default user input variables
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: customVar }} />',
+        },
+      ],
+      invalid: [
+        // requestData contains 'request' which is in user input variables
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: requestData }} />',
+          errors: [
+            {
+              messageId: 'dangerousInnerHTML',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Complex Directive Injection Scenarios', () => {
+    ruleTester.run('complex - real-world directive injection attacks', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // innerHTML assignment with template literal containing user input
+        {
+          code: 'element.innerHTML = `<div>${userInput}</div>`;',
+          errors: [
+            { messageId: 'dangerousInnerHTML' },
+            { messageId: 'templateInjection' },
+          ],
+        },
+        // Dangerous template literal inside dangerouslySetInnerHTML (Now properly detected by fix)
+        {
+          code: '<div dangerouslySetInnerHTML={{ __html: `Hello ${userInput}!` }} />',
+          errors: [
+            { messageId: 'dangerousInnerHTML' },
+            { messageId: 'templateInjection' },
+          ],
+        },
+        // Multiple dangerous patterns
+        {
+          code: `
+            element.innerHTML = req.body.html;
+            const tpl = Handlebars.compile(userInput);
+          `,
+          errors: [
+            { messageId: 'dangerousInnerHTML' },
+            { messageId: 'userControlledTemplate' },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('invalid - namespaced attributes', noDirectiveInjection, {
+      valid: [],
+      invalid: [
+        // v:bind with user input
+        {
+          code: '<div v:bind={userInput}></div>',
+          errors: [{ messageId: 'directiveInjection' }],
+        },
+        // ng:model with user input
+        {
+          code: '<input ng:model={userInput} />',
+          errors: [{ messageId: 'directiveInjection' }],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-disabled-certificate-validation/index.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * @fileoverview Prevent disabled SSL/TLS certificate validation
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noDisabledCertificateValidation = createRule<RuleOptions, MessageIds>({
+  name: 'no-disabled-certificate-validation',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent disabled SSL/TLS certificate validation',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Disabled Certificate Validation',
+        cwe: 'CWE-295',
+        description: 'SSL/TLS certificate validation is disabled - man-in-the-middle attack possible',
+        severity: 'CRITICAL',
+        fix: 'Remove rejectUnauthorized: false or verify: false, fix certificate issues properly',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const dangerousProperties = ['rejectUnauthorized', 'strictSSL', 'verify'];
+    return {
+      Property(node: TSESTree.Property) {
+        // Check for dangerous SSL options set to false
+        if (node.key.type === 'Identifier' &&
+            dangerousProperties.includes(node.key.name) &&
+            node.value.type === 'Literal' &&
+            node.value.value === false) {
+          report(node);
+        }
+      },
+      AssignmentExpression(node: TSESTree.AssignmentExpression) {
+        // Check for NODE_TLS_REJECT_UNAUTHORIZED = '0'
+        if (node.left.type === 'MemberExpression' &&
+            node.left.object.type === 'MemberExpression' &&
+            node.left.object.object.type === 'Identifier' &&
+            node.left.object.object.name === 'process' &&
+            node.left.object.property.type === 'Identifier' &&
+            node.left.object.property.name === 'env' &&
+            node.left.property.type === 'Identifier' &&
+            node.left.property.name === 'NODE_TLS_REJECT_UNAUTHORIZED') {
+          if (node.right.type === 'Literal' && node.right.value === '0') {
+            report(node);
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-disabled-certificate-validation/no-disabled-certificate-validation.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview Tests for no-disabled-certificate-validation
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noDisabledCertificateValidation } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-disabled-certificate-validation', noDisabledCertificateValidation, {
+  valid: [
+    // Proper SSL configuration
+    { code: "const options = { rejectUnauthorized: true }" },
+    { code: "const config = { strictSSL: true }" },
+    { code: "const settings = { verify: true }" },
+    // Non-SSL code
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Disabled certificate validation
+    { code: "const options = { rejectUnauthorized: false }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "https.request({ strictSSL: false })", errors: [{ messageId: 'violationDetected' }] },
+    { code: "const config = { verify: false }", errors: [{ messageId: 'violationDetected' }] },
+    // Environment variable disable
+    { code: "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-document-cookie/index.ts ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * ESLint Rule: no-document-cookie
+ * Prevent direct usage of document.cookie
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+type MessageIds = 'noDocumentCookie';
+export interface Options {
+  /** Allow reading document.cookie for parsing */
+  allowReading?: boolean;
+}
+type RuleOptions = [Options?];
+export const noDocumentCookie = createRule<RuleOptions, MessageIds>({
+  name: 'no-document-cookie',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent direct usage of document.cookie - use Cookie Store API or cookie libraries instead',
+    },
+    hasSuggestions: false,
+    messages: {
+      noDocumentCookie: formatLLMMessage({
+        icon: MessageIcons.WARNING,
+        issueName: 'Document Cookie',
+        description: 'Avoid direct document.cookie usage',
+        severity: 'MEDIUM',
+        fix: 'Use Cookie Store API or cookie library instead',
+        documentationLink: 'https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/no-document-cookie.md',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowReading: {
+            type: 'boolean',
+            default: true,
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [{ allowReading: true }],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
+    const [options] = context.options;
+    const { allowReading = true } = options || {};
+    function isDocumentCookieAccess(node: TSESTree.MemberExpression): boolean {
+      // Check if this is accessing document.cookie
+      return (
+        node.object.type === 'Identifier' &&
+        node.object.name === 'document' &&
+        ((node.property.type === 'Identifier' && node.property.name === 'cookie') ||
+         (node.computed && node.property.type === 'Literal' && node.property.value === 'cookie'))
+      );
+    }
+    function isAssignmentToCookie(node: TSESTree.MemberExpression): boolean {
+      // Check if this is an assignment to document.cookie
+      const parent = node.parent;
+      // Check direct assignment
+      if (parent?.type === 'AssignmentExpression' && parent.left === node) {
+        return true;
+      }
+      // Check compound assignment (+=, -=, etc.)
+      if (parent?.type === 'AssignmentExpression' &&
+          parent.operator &&
+          parent.operator.includes('=') &&
+          parent.left === node) {
+        return true;
+      }
+      // Variable declarator (const/let/var x = document.cookie) - this is reading, not assigning
+      if (parent?.type === 'VariableDeclarator' && parent.init === node) {
+        return false;
+      }
+      return false;
+    }
+    return {
+      MemberExpression(node: TSESTree.MemberExpression) {
+        if (isDocumentCookieAccess(node)) {
+          const isAssigning = isAssignmentToCookie(node);
+          // If allowReading is true, only flag assignments
+          // If allowReading is false, flag everything
+          if (allowReading && !isAssigning) {
+            return; // Allow reading when option is enabled
+          }
+          // Flag document.cookie usage
+          context.report({
+            node,
+            messageId: 'noDocumentCookie',
+            data: {
+              operation: isAssigning ? 'assignment to' : 'reading from',
+            },
+          });
+        }
+      },
+    };
+  },
+});