eslint-plugin-secure-coding 2.3.2 → 2.3.3

Files changed (361)
  1. package/README.md +1 -0
  2. package/package.json +3 -10
  3. package/src/index.ts +605 -0
  4. package/src/rules/__tests__/integration-demo.test.ts +290 -0
  5. package/src/rules/__tests__/integration-llm.test.ts +89 -0
  6. package/src/rules/database-injection/database-injection.test.ts +456 -0
  7. package/src/rules/database-injection/index.ts +488 -0
  8. package/src/rules/detect-child-process/detect-child-process.test.ts +207 -0
  9. package/src/rules/detect-child-process/index.ts +634 -0
  10. package/src/rules/detect-eval-with-expression/detect-eval-with-expression.test.ts +416 -0
  11. package/src/rules/detect-eval-with-expression/index.ts +463 -0
  12. package/src/rules/detect-mixed-content/detect-mixed-content.test.ts +28 -0
  13. package/src/rules/detect-mixed-content/index.ts +52 -0
  14. package/src/rules/detect-non-literal-fs-filename/detect-non-literal-fs-filename.test.ts +269 -0
  15. package/src/rules/detect-non-literal-fs-filename/index.ts +551 -0
  16. package/src/rules/detect-non-literal-regexp/detect-non-literal-regexp.test.ts +189 -0
  17. package/src/rules/detect-non-literal-regexp/index.ts +490 -0
  18. package/src/rules/detect-object-injection/detect-object-injection.test.ts +440 -0
  19. package/src/rules/detect-object-injection/index.ts +674 -0
  20. package/src/rules/detect-suspicious-dependencies/detect-suspicious-dependencies.test.ts +32 -0
  21. package/src/rules/detect-suspicious-dependencies/index.ts +84 -0
  22. package/src/rules/detect-weak-password-validation/detect-weak-password-validation.test.ts +31 -0
  23. package/src/rules/detect-weak-password-validation/index.ts +68 -0
  24. package/src/rules/no-allow-arbitrary-loads/index.ts +54 -0
  25. package/src/rules/no-allow-arbitrary-loads/no-allow-arbitrary-loads.test.ts +28 -0
  26. package/src/rules/no-arbitrary-file-access/index.ts +238 -0
  27. package/src/rules/no-arbitrary-file-access/no-arbitrary-file-access.test.ts +119 -0
  28. package/src/rules/no-buffer-overread/index.ts +724 -0
  29. package/src/rules/no-buffer-overread/no-buffer-overread.test.ts +313 -0
  30. package/src/rules/no-clickjacking/index.ts +481 -0
  31. package/src/rules/no-clickjacking/no-clickjacking.test.ts +253 -0
  32. package/src/rules/no-client-side-auth-logic/index.ts +81 -0
  33. package/src/rules/no-client-side-auth-logic/no-client-side-auth-logic.test.ts +33 -0
  34. package/src/rules/no-credentials-in-query-params/index.ts +69 -0
  35. package/src/rules/no-credentials-in-query-params/no-credentials-in-query-params.test.ts +33 -0
  36. package/src/rules/no-credentials-in-storage-api/index.ts +64 -0
  37. package/src/rules/no-credentials-in-storage-api/no-credentials-in-storage-api.test.ts +31 -0
  38. package/src/rules/no-data-in-temp-storage/index.ts +75 -0
  39. package/src/rules/no-data-in-temp-storage/no-data-in-temp-storage.test.ts +33 -0
  40. package/src/rules/no-debug-code-in-production/index.ts +59 -0
  41. package/src/rules/no-debug-code-in-production/no-debug-code-in-production.test.ts +26 -0
  42. package/src/rules/no-directive-injection/index.ts +551 -0
  43. package/src/rules/no-directive-injection/no-directive-injection.test.ts +305 -0
  44. package/src/rules/no-disabled-certificate-validation/index.ts +72 -0
  45. package/src/rules/no-disabled-certificate-validation/no-disabled-certificate-validation.test.ts +33 -0
  46. package/src/rules/no-document-cookie/index.ts +113 -0
  47. package/src/rules/no-document-cookie/no-document-cookie.test.ts +382 -0
  48. package/src/rules/no-dynamic-dependency-loading/index.ts +60 -0
  49. package/src/rules/no-dynamic-dependency-loading/no-dynamic-dependency-loading.test.ts +27 -0
  50. package/src/rules/no-electron-security-issues/index.ts +504 -0
  51. package/src/rules/no-electron-security-issues/no-electron-security-issues.test.ts +324 -0
  52. package/src/rules/no-exposed-debug-endpoints/index.ts +73 -0
  53. package/src/rules/no-exposed-debug-endpoints/no-exposed-debug-endpoints.test.ts +40 -0
  54. package/src/rules/no-exposed-sensitive-data/index.ts +428 -0
  55. package/src/rules/no-exposed-sensitive-data/no-exposed-sensitive-data.test.ts +75 -0
  56. package/src/rules/no-format-string-injection/index.ts +801 -0
  57. package/src/rules/no-format-string-injection/no-format-string-injection.test.ts +437 -0
  58. package/src/rules/no-graphql-injection/index.ts +508 -0
  59. package/src/rules/no-graphql-injection/no-graphql-injection.test.ts +371 -0
  60. package/src/rules/no-hardcoded-credentials/index.ts +478 -0
  61. package/src/rules/no-hardcoded-credentials/no-hardcoded-credentials.test.ts +639 -0
  62. package/src/rules/no-hardcoded-session-tokens/index.ts +69 -0
  63. package/src/rules/no-hardcoded-session-tokens/no-hardcoded-session-tokens.test.ts +42 -0
  64. package/src/rules/no-http-urls/index.ts +131 -0
  65. package/src/rules/no-http-urls/no-http-urls.test.ts +60 -0
  66. package/src/rules/no-improper-sanitization/index.ts +502 -0
  67. package/src/rules/no-improper-sanitization/no-improper-sanitization.test.ts +156 -0
  68. package/src/rules/no-improper-type-validation/index.ts +572 -0
  69. package/src/rules/no-improper-type-validation/no-improper-type-validation.test.ts +372 -0
  70. package/src/rules/no-insecure-comparison/index.ts +232 -0
  71. package/src/rules/no-insecure-comparison/no-insecure-comparison.test.ts +218 -0
  72. package/src/rules/no-insecure-cookie-settings/index.ts +391 -0
  73. package/src/rules/no-insecure-cookie-settings/no-insecure-cookie-settings.test.ts +409 -0
  74. package/src/rules/no-insecure-jwt/index.ts +467 -0
  75. package/src/rules/no-insecure-jwt/no-insecure-jwt.test.ts +259 -0
  76. package/src/rules/no-insecure-redirects/index.ts +267 -0
  77. package/src/rules/no-insecure-redirects/no-insecure-redirects.test.ts +108 -0
  78. package/src/rules/no-insecure-websocket/index.ts +72 -0
  79. package/src/rules/no-insecure-websocket/no-insecure-websocket.test.ts +42 -0
  80. package/src/rules/no-insufficient-postmessage-validation/index.ts +497 -0
  81. package/src/rules/no-insufficient-postmessage-validation/no-insufficient-postmessage-validation.test.ts +360 -0
  82. package/src/rules/no-insufficient-random/index.ts +288 -0
  83. package/src/rules/no-insufficient-random/no-insufficient-random.test.ts +246 -0
  84. package/src/rules/no-ldap-injection/index.ts +547 -0
  85. package/src/rules/no-ldap-injection/no-ldap-injection.test.ts +317 -0
  86. package/src/rules/no-missing-authentication/index.ts +408 -0
  87. package/src/rules/no-missing-authentication/no-missing-authentication.test.ts +350 -0
  88. package/src/rules/no-missing-cors-check/index.ts +453 -0
  89. package/src/rules/no-missing-cors-check/no-missing-cors-check.test.ts +392 -0
  90. package/src/rules/no-missing-csrf-protection/index.ts +229 -0
  91. package/src/rules/no-missing-csrf-protection/no-missing-csrf-protection.test.ts +222 -0
  92. package/src/rules/no-missing-security-headers/index.ts +266 -0
  93. package/src/rules/no-missing-security-headers/no-missing-security-headers.test.ts +98 -0
  94. package/src/rules/no-password-in-url/index.ts +64 -0
  95. package/src/rules/no-password-in-url/no-password-in-url.test.ts +27 -0
  96. package/src/rules/no-permissive-cors/index.ts +78 -0
  97. package/src/rules/no-permissive-cors/no-permissive-cors.test.ts +28 -0
  98. package/src/rules/no-pii-in-logs/index.ts +83 -0
  99. package/src/rules/no-pii-in-logs/no-pii-in-logs.test.ts +26 -0
  100. package/src/rules/no-postmessage-origin-wildcard/index.ts +67 -0
  101. package/src/rules/no-postmessage-origin-wildcard/no-postmessage-origin-wildcard.test.ts +27 -0
  102. package/src/rules/no-privilege-escalation/index.ts +403 -0
  103. package/src/rules/no-privilege-escalation/no-privilege-escalation.test.ts +306 -0
  104. package/src/rules/no-redos-vulnerable-regex/index.ts +379 -0
  105. package/src/rules/no-redos-vulnerable-regex/no-redos-vulnerable-regex.test.ts +83 -0
  106. package/src/rules/no-sensitive-data-exposure/index.ts +294 -0
  107. package/src/rules/no-sensitive-data-exposure/no-sensitive-data-exposure.test.ts +262 -0
  108. package/src/rules/no-sensitive-data-in-analytics/index.ts +73 -0
  109. package/src/rules/no-sensitive-data-in-analytics/no-sensitive-data-in-analytics.test.ts +42 -0
  110. package/src/rules/no-sensitive-data-in-cache/index.ts +59 -0
  111. package/src/rules/no-sensitive-data-in-cache/no-sensitive-data-in-cache.test.ts +32 -0
  112. package/src/rules/no-sql-injection/index.ts +424 -0
  113. package/src/rules/no-sql-injection/no-sql-injection.test.ts +303 -0
  114. package/src/rules/no-timing-attack/index.ts +552 -0
  115. package/src/rules/no-timing-attack/no-timing-attack.test.ts +348 -0
  116. package/src/rules/no-toctou-vulnerability/index.ts +250 -0
  117. package/src/rules/no-toctou-vulnerability/no-toctou-vulnerability.test.ts +60 -0
  118. package/src/rules/no-tracking-without-consent/index.ts +78 -0
  119. package/src/rules/no-tracking-without-consent/no-tracking-without-consent.test.ts +34 -0
  120. package/src/rules/no-unchecked-loop-condition/index.ts +781 -0
  121. package/src/rules/no-unchecked-loop-condition/no-unchecked-loop-condition.test.ts +459 -0
  122. package/src/rules/no-unencrypted-local-storage/index.ts +73 -0
  123. package/src/rules/no-unencrypted-local-storage/no-unencrypted-local-storage.test.ts +41 -0
  124. package/src/rules/no-unencrypted-transmission/index.ts +296 -0
  125. package/src/rules/no-unencrypted-transmission/no-unencrypted-transmission.test.ts +287 -0
  126. package/src/rules/no-unescaped-url-parameter/index.ts +424 -0
  127. package/src/rules/no-unescaped-url-parameter/no-unescaped-url-parameter.test.ts +263 -0
  128. package/src/rules/no-unlimited-resource-allocation/index.ts +767 -0
  129. package/src/rules/no-unlimited-resource-allocation/no-unlimited-resource-allocation.test.ts +544 -0
  130. package/src/rules/no-unsafe-deserialization/index.ts +593 -0
  131. package/src/rules/no-unsafe-deserialization/no-unsafe-deserialization.test.ts +310 -0
  132. package/src/rules/no-unsafe-dynamic-require/index.ts +125 -0
  133. package/src/rules/no-unsafe-dynamic-require/no-unsafe-dynamic-require.test.ts +151 -0
  134. package/src/rules/no-unsafe-regex-construction/index.ts +370 -0
  135. package/src/rules/no-unsafe-regex-construction/no-unsafe-regex-construction.test.ts +181 -0
  136. package/src/rules/no-unsanitized-html/index.ts +400 -0
  137. package/src/rules/no-unsanitized-html/no-unsanitized-html.test.ts +488 -0
  138. package/src/rules/no-unvalidated-deeplinks/index.ts +73 -0
  139. package/src/rules/no-unvalidated-deeplinks/no-unvalidated-deeplinks.test.ts +29 -0
  140. package/src/rules/no-unvalidated-user-input/index.ts +498 -0
  141. package/src/rules/no-unvalidated-user-input/no-unvalidated-user-input.test.ts +463 -0
  142. package/src/rules/no-verbose-error-messages/index.ts +83 -0
  143. package/src/rules/no-verbose-error-messages/no-verbose-error-messages.test.ts +34 -0
  144. package/src/rules/no-weak-crypto/index.ts +447 -0
  145. package/src/rules/no-weak-crypto/no-weak-crypto.test.ts +297 -0
  146. package/src/rules/no-weak-password-recovery/index.ts +509 -0
  147. package/src/rules/no-weak-password-recovery/no-weak-password-recovery.test.ts +184 -0
  148. package/src/rules/no-xpath-injection/index.ts +596 -0
  149. package/src/rules/no-xpath-injection/no-xpath-injection.test.ts +405 -0
  150. package/src/rules/no-xxe-injection/index.ts +342 -0
  151. package/src/rules/no-xxe-injection/no-xxe-injection.test.ts +122 -0
  152. package/src/rules/no-zip-slip/index.ts +526 -0
  153. package/src/rules/no-zip-slip/no-zip-slip.test.ts +305 -0
  154. package/src/rules/require-backend-authorization/index.ts +71 -0
  155. package/src/rules/require-backend-authorization/require-backend-authorization.test.ts +31 -0
  156. package/src/rules/require-code-minification/index.ts +54 -0
  157. package/src/rules/require-code-minification/require-code-minification.test.ts +30 -0
  158. package/src/rules/require-csp-headers/index.ts +74 -0
  159. package/src/rules/require-csp-headers/require-csp-headers.test.ts +34 -0
  160. package/src/rules/require-data-minimization/index.ts +65 -0
  161. package/src/rules/require-data-minimization/require-data-minimization.test.ts +31 -0
  162. package/src/rules/require-dependency-integrity/index.ts +78 -0
  163. package/src/rules/require-dependency-integrity/require-dependency-integrity.test.ts +44 -0
  164. package/src/rules/require-https-only/index.ts +75 -0
  165. package/src/rules/require-https-only/require-https-only.test.ts +26 -0
  166. package/src/rules/require-mime-type-validation/index.ts +77 -0
  167. package/src/rules/require-mime-type-validation/require-mime-type-validation.test.ts +32 -0
  168. package/src/rules/require-network-timeout/index.ts +58 -0
  169. package/src/rules/require-network-timeout/require-network-timeout.test.ts +26 -0
  170. package/src/rules/require-package-lock/index.ts +75 -0
  171. package/src/rules/require-package-lock/require-package-lock.test.ts +27 -0
  172. package/src/rules/require-secure-credential-storage/index.ts +60 -0
  173. package/src/rules/require-secure-credential-storage/require-secure-credential-storage.test.ts +26 -0
  174. package/src/rules/require-secure-defaults/index.ts +54 -0
  175. package/src/rules/require-secure-defaults/require-secure-defaults.test.ts +26 -0
  176. package/src/rules/require-secure-deletion/index.ts +52 -0
  177. package/src/rules/require-secure-deletion/require-secure-deletion.test.ts +29 -0
  178. package/src/rules/require-storage-encryption/index.ts +60 -0
  179. package/src/rules/require-storage-encryption/require-storage-encryption.test.ts +26 -0
  180. package/src/rules/require-url-validation/index.ts +85 -0
  181. package/src/rules/require-url-validation/require-url-validation.test.ts +32 -0
  182. package/src/types/{index.d.ts → index.ts} +157 -53
  183. package/src/index.d.ts +0 -32
  184. package/src/index.js +0 -465
  185. package/src/rules/database-injection/index.d.ts +0 -13
  186. package/src/rules/database-injection/index.js +0 -406
  187. package/src/rules/detect-child-process/index.d.ts +0 -11
  188. package/src/rules/detect-child-process/index.js +0 -529
  189. package/src/rules/detect-eval-with-expression/index.d.ts +0 -9
  190. package/src/rules/detect-eval-with-expression/index.js +0 -392
  191. package/src/rules/detect-mixed-content/index.d.ts +0 -8
  192. package/src/rules/detect-mixed-content/index.js +0 -44
  193. package/src/rules/detect-non-literal-fs-filename/index.d.ts +0 -7
  194. package/src/rules/detect-non-literal-fs-filename/index.js +0 -454
  195. package/src/rules/detect-non-literal-regexp/index.d.ts +0 -9
  196. package/src/rules/detect-non-literal-regexp/index.js +0 -403
  197. package/src/rules/detect-object-injection/index.d.ts +0 -11
  198. package/src/rules/detect-object-injection/index.js +0 -560
  199. package/src/rules/detect-suspicious-dependencies/index.d.ts +0 -8
  200. package/src/rules/detect-suspicious-dependencies/index.js +0 -71
  201. package/src/rules/detect-weak-password-validation/index.d.ts +0 -6
  202. package/src/rules/detect-weak-password-validation/index.js +0 -58
  203. package/src/rules/no-allow-arbitrary-loads/index.d.ts +0 -8
  204. package/src/rules/no-allow-arbitrary-loads/index.js +0 -47
  205. package/src/rules/no-arbitrary-file-access/index.d.ts +0 -13
  206. package/src/rules/no-arbitrary-file-access/index.js +0 -195
  207. package/src/rules/no-buffer-overread/index.d.ts +0 -29
  208. package/src/rules/no-buffer-overread/index.js +0 -606
  209. package/src/rules/no-clickjacking/index.d.ts +0 -10
  210. package/src/rules/no-clickjacking/index.js +0 -396
  211. package/src/rules/no-client-side-auth-logic/index.d.ts +0 -6
  212. package/src/rules/no-client-side-auth-logic/index.js +0 -69
  213. package/src/rules/no-credentials-in-query-params/index.d.ts +0 -8
  214. package/src/rules/no-credentials-in-query-params/index.js +0 -57
  215. package/src/rules/no-credentials-in-storage-api/index.d.ts +0 -6
  216. package/src/rules/no-credentials-in-storage-api/index.js +0 -54
  217. package/src/rules/no-data-in-temp-storage/index.d.ts +0 -6
  218. package/src/rules/no-data-in-temp-storage/index.js +0 -64
  219. package/src/rules/no-debug-code-in-production/index.d.ts +0 -8
  220. package/src/rules/no-debug-code-in-production/index.js +0 -51
  221. package/src/rules/no-directive-injection/index.d.ts +0 -12
  222. package/src/rules/no-directive-injection/index.js +0 -457
  223. package/src/rules/no-disabled-certificate-validation/index.d.ts +0 -6
  224. package/src/rules/no-disabled-certificate-validation/index.js +0 -61
  225. package/src/rules/no-document-cookie/index.d.ts +0 -5
  226. package/src/rules/no-document-cookie/index.js +0 -89
  227. package/src/rules/no-dynamic-dependency-loading/index.d.ts +0 -8
  228. package/src/rules/no-dynamic-dependency-loading/index.js +0 -51
  229. package/src/rules/no-electron-security-issues/index.d.ts +0 -10
  230. package/src/rules/no-electron-security-issues/index.js +0 -423
  231. package/src/rules/no-exposed-debug-endpoints/index.d.ts +0 -6
  232. package/src/rules/no-exposed-debug-endpoints/index.js +0 -62
  233. package/src/rules/no-exposed-sensitive-data/index.d.ts +0 -11
  234. package/src/rules/no-exposed-sensitive-data/index.js +0 -340
  235. package/src/rules/no-format-string-injection/index.d.ts +0 -17
  236. package/src/rules/no-format-string-injection/index.js +0 -660
  237. package/src/rules/no-graphql-injection/index.d.ts +0 -12
  238. package/src/rules/no-graphql-injection/index.js +0 -411
  239. package/src/rules/no-hardcoded-credentials/index.d.ts +0 -26
  240. package/src/rules/no-hardcoded-credentials/index.js +0 -376
  241. package/src/rules/no-hardcoded-session-tokens/index.d.ts +0 -6
  242. package/src/rules/no-hardcoded-session-tokens/index.js +0 -59
  243. package/src/rules/no-http-urls/index.d.ts +0 -12
  244. package/src/rules/no-http-urls/index.js +0 -114
  245. package/src/rules/no-improper-sanitization/index.d.ts +0 -12
  246. package/src/rules/no-improper-sanitization/index.js +0 -411
  247. package/src/rules/no-improper-type-validation/index.d.ts +0 -10
  248. package/src/rules/no-improper-type-validation/index.js +0 -475
  249. package/src/rules/no-insecure-comparison/index.d.ts +0 -7
  250. package/src/rules/no-insecure-comparison/index.js +0 -193
  251. package/src/rules/no-insecure-cookie-settings/index.d.ts +0 -9
  252. package/src/rules/no-insecure-cookie-settings/index.js +0 -306
  253. package/src/rules/no-insecure-jwt/index.d.ts +0 -10
  254. package/src/rules/no-insecure-jwt/index.js +0 -380
  255. package/src/rules/no-insecure-redirects/index.d.ts +0 -7
  256. package/src/rules/no-insecure-redirects/index.js +0 -216
  257. package/src/rules/no-insecure-websocket/index.d.ts +0 -6
  258. package/src/rules/no-insecure-websocket/index.js +0 -61
  259. package/src/rules/no-insufficient-postmessage-validation/index.d.ts +0 -14
  260. package/src/rules/no-insufficient-postmessage-validation/index.js +0 -392
  261. package/src/rules/no-insufficient-random/index.d.ts +0 -9
  262. package/src/rules/no-insufficient-random/index.js +0 -208
  263. package/src/rules/no-ldap-injection/index.d.ts +0 -10
  264. package/src/rules/no-ldap-injection/index.js +0 -455
  265. package/src/rules/no-missing-authentication/index.d.ts +0 -13
  266. package/src/rules/no-missing-authentication/index.js +0 -333
  267. package/src/rules/no-missing-cors-check/index.d.ts +0 -9
  268. package/src/rules/no-missing-cors-check/index.js +0 -399
  269. package/src/rules/no-missing-csrf-protection/index.d.ts +0 -11
  270. package/src/rules/no-missing-csrf-protection/index.js +0 -180
  271. package/src/rules/no-missing-security-headers/index.d.ts +0 -7
  272. package/src/rules/no-missing-security-headers/index.js +0 -218
  273. package/src/rules/no-password-in-url/index.d.ts +0 -8
  274. package/src/rules/no-password-in-url/index.js +0 -54
  275. package/src/rules/no-permissive-cors/index.d.ts +0 -8
  276. package/src/rules/no-permissive-cors/index.js +0 -65
  277. package/src/rules/no-pii-in-logs/index.d.ts +0 -8
  278. package/src/rules/no-pii-in-logs/index.js +0 -70
  279. package/src/rules/no-postmessage-origin-wildcard/index.d.ts +0 -8
  280. package/src/rules/no-postmessage-origin-wildcard/index.js +0 -56
  281. package/src/rules/no-privilege-escalation/index.d.ts +0 -13
  282. package/src/rules/no-privilege-escalation/index.js +0 -321
  283. package/src/rules/no-redos-vulnerable-regex/index.d.ts +0 -7
  284. package/src/rules/no-redos-vulnerable-regex/index.js +0 -306
  285. package/src/rules/no-sensitive-data-exposure/index.d.ts +0 -11
  286. package/src/rules/no-sensitive-data-exposure/index.js +0 -250
  287. package/src/rules/no-sensitive-data-in-analytics/index.d.ts +0 -8
  288. package/src/rules/no-sensitive-data-in-analytics/index.js +0 -62
  289. package/src/rules/no-sensitive-data-in-cache/index.d.ts +0 -8
  290. package/src/rules/no-sensitive-data-in-cache/index.js +0 -52
  291. package/src/rules/no-sql-injection/index.d.ts +0 -10
  292. package/src/rules/no-sql-injection/index.js +0 -335
  293. package/src/rules/no-timing-attack/index.d.ts +0 -10
  294. package/src/rules/no-timing-attack/index.js +0 -447
  295. package/src/rules/no-toctou-vulnerability/index.d.ts +0 -7
  296. package/src/rules/no-toctou-vulnerability/index.js +0 -208
  297. package/src/rules/no-tracking-without-consent/index.d.ts +0 -6
  298. package/src/rules/no-tracking-without-consent/index.js +0 -67
  299. package/src/rules/no-unchecked-loop-condition/index.d.ts +0 -12
  300. package/src/rules/no-unchecked-loop-condition/index.js +0 -646
  301. package/src/rules/no-unencrypted-local-storage/index.d.ts +0 -8
  302. package/src/rules/no-unencrypted-local-storage/index.js +0 -61
  303. package/src/rules/no-unencrypted-transmission/index.d.ts +0 -11
  304. package/src/rules/no-unencrypted-transmission/index.js +0 -236
  305. package/src/rules/no-unescaped-url-parameter/index.d.ts +0 -9
  306. package/src/rules/no-unescaped-url-parameter/index.js +0 -355
  307. package/src/rules/no-unlimited-resource-allocation/index.d.ts +0 -12
  308. package/src/rules/no-unlimited-resource-allocation/index.js +0 -643
  309. package/src/rules/no-unsafe-deserialization/index.d.ts +0 -10
  310. package/src/rules/no-unsafe-deserialization/index.js +0 -491
  311. package/src/rules/no-unsafe-dynamic-require/index.d.ts +0 -5
  312. package/src/rules/no-unsafe-dynamic-require/index.js +0 -106
  313. package/src/rules/no-unsafe-regex-construction/index.d.ts +0 -9
  314. package/src/rules/no-unsafe-regex-construction/index.js +0 -291
  315. package/src/rules/no-unsanitized-html/index.d.ts +0 -9
  316. package/src/rules/no-unsanitized-html/index.js +0 -335
  317. package/src/rules/no-unvalidated-deeplinks/index.d.ts +0 -6
  318. package/src/rules/no-unvalidated-deeplinks/index.js +0 -62
  319. package/src/rules/no-unvalidated-user-input/index.d.ts +0 -9
  320. package/src/rules/no-unvalidated-user-input/index.js +0 -420
  321. package/src/rules/no-verbose-error-messages/index.d.ts +0 -8
  322. package/src/rules/no-verbose-error-messages/index.js +0 -68
  323. package/src/rules/no-weak-crypto/index.d.ts +0 -11
  324. package/src/rules/no-weak-crypto/index.js +0 -351
  325. package/src/rules/no-weak-password-recovery/index.d.ts +0 -12
  326. package/src/rules/no-weak-password-recovery/index.js +0 -424
  327. package/src/rules/no-xpath-injection/index.d.ts +0 -10
  328. package/src/rules/no-xpath-injection/index.js +0 -487
  329. package/src/rules/no-xxe-injection/index.d.ts +0 -7
  330. package/src/rules/no-xxe-injection/index.js +0 -266
  331. package/src/rules/no-zip-slip/index.d.ts +0 -9
  332. package/src/rules/no-zip-slip/index.js +0 -445
  333. package/src/rules/require-backend-authorization/index.d.ts +0 -6
  334. package/src/rules/require-backend-authorization/index.js +0 -60
  335. package/src/rules/require-code-minification/index.d.ts +0 -8
  336. package/src/rules/require-code-minification/index.js +0 -47
  337. package/src/rules/require-csp-headers/index.d.ts +0 -6
  338. package/src/rules/require-csp-headers/index.js +0 -64
  339. package/src/rules/require-data-minimization/index.d.ts +0 -8
  340. package/src/rules/require-data-minimization/index.js +0 -53
  341. package/src/rules/require-dependency-integrity/index.d.ts +0 -6
  342. package/src/rules/require-dependency-integrity/index.js +0 -64
  343. package/src/rules/require-https-only/index.d.ts +0 -8
  344. package/src/rules/require-https-only/index.js +0 -62
  345. package/src/rules/require-mime-type-validation/index.d.ts +0 -6
  346. package/src/rules/require-mime-type-validation/index.js +0 -66
  347. package/src/rules/require-network-timeout/index.d.ts +0 -8
  348. package/src/rules/require-network-timeout/index.js +0 -50
  349. package/src/rules/require-package-lock/index.d.ts +0 -8
  350. package/src/rules/require-package-lock/index.js +0 -63
  351. package/src/rules/require-secure-credential-storage/index.d.ts +0 -8
  352. package/src/rules/require-secure-credential-storage/index.js +0 -50
  353. package/src/rules/require-secure-defaults/index.d.ts +0 -8
  354. package/src/rules/require-secure-defaults/index.js +0 -47
  355. package/src/rules/require-secure-deletion/index.d.ts +0 -8
  356. package/src/rules/require-secure-deletion/index.js +0 -44
  357. package/src/rules/require-storage-encryption/index.d.ts +0 -8
  358. package/src/rules/require-storage-encryption/index.js +0 -50
  359. package/src/rules/require-url-validation/index.d.ts +0 -6
  360. package/src/rules/require-url-validation/index.js +0 -72
  361. package/src/types/index.js +0 -17
@@ -0,0 +1,639 @@
1
+ /**
2
+ * Comprehensive tests for no-hardcoded-credentials rule
3
+ * CWE-798: Use of Hard-coded Credentials
4
+ */
5
+ import { RuleTester } from '@typescript-eslint/rule-tester';
6
+ import { describe, it, afterAll } from 'vitest';
7
+ import parser from '@typescript-eslint/parser';
8
+ import { noHardcodedCredentials } from './index';
9
+
10
+ // Configure RuleTester for Vitest
11
+ RuleTester.afterAll = afterAll;
12
+ RuleTester.it = it;
13
+ RuleTester.itOnly = it.only;
14
+ RuleTester.describe = describe;
15
+
16
+ // Use Flat Config format (ESLint 9+)
17
+ const ruleTester = new RuleTester({
18
+ languageOptions: {
19
+ parser,
20
+ ecmaVersion: 2022,
21
+ sourceType: 'module',
22
+ parserOptions: {
23
+ ecmaFeatures: {
24
+ jsx: true,
25
+ },
26
+ },
27
+ },
28
+ });
29
+
30
+ describe('no-hardcoded-credentials', () => {
31
+ describe('Valid Code', () => {
32
+ ruleTester.run('valid - no hardcoded credentials', noHardcodedCredentials, {
33
+ valid: [
34
+ // Environment variables
35
+ {
36
+ code: 'const apiKey = process.env.API_KEY;',
37
+ },
38
+ {
39
+ code: 'const password = process.env.DATABASE_PASSWORD;',
40
+ },
41
+ {
42
+ code: 'const config = { apiKey: process.env.API_KEY };',
43
+ },
44
+ // Short strings (below minLength)
45
+ {
46
+ code: 'const key = "short";',
47
+ },
48
+ {
49
+ code: 'const pass = "1234567";', // 7 chars, below default minLength of 8
50
+ },
51
+ // Non-credential strings
52
+ {
53
+ code: 'const message = "Hello, world!";',
54
+ },
55
+ {
56
+ code: 'const url = "https://example.com/api";',
57
+ },
58
+ // Ignored patterns
59
+ {
60
+ code: 'const testKey = "test-api-key-12345";',
61
+ options: [{ ignorePatterns: ['^test-'] }],
62
+ },
63
+ // Test files (when allowInTests is true)
64
+ {
65
+ code: 'const apiKey = "sk_test_FAKE_TEST_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890";',
66
+ filename: 'test.spec.ts',
67
+ options: [{ allowInTests: true }],
68
+ },
69
+ {
70
+ code: 'const password = "test-password-123";',
71
+ filename: '__tests__/config.test.ts',
72
+ options: [{ allowInTests: true }],
73
+ },
74
+ ],
75
+ invalid: [],
76
+ });
77
+ });
78
+
79
+ describe('Invalid Code - API Keys', () => {
80
+ ruleTester.run('invalid - API keys', noHardcodedCredentials, {
81
+ valid: [],
82
+ invalid: [
83
+ {
84
+ code: 'const apiKey = "sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890";',
85
+ errors: [
86
+ {
87
+ messageId: 'useEnvironmentVariable',
88
+ suggestions: [
89
+ {
90
+ messageId: 'useEnvironmentVariable',
91
+ data: { envVarName: 'API_KEY', credentialType: 'API key' },
92
+ output: 'const apiKey = process.env.API_KEY || \'sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890\';',
93
+ },
94
+ {
95
+ messageId: 'useSecretManager',
96
+ data: { credentialType: 'API key' },
97
+ output: 'const apiKey = await getSecret(\'api_key\');',
98
+ },
99
+ ],
100
+ },
101
+ ],
102
+ },
103
+ {
104
+ code: 'const key = "AKIAIOSFODNN7EXAMPLE";',
105
+ errors: [
106
+ {
107
+ messageId: 'useEnvironmentVariable',
108
+ suggestions: [
109
+ {
110
+ messageId: 'useEnvironmentVariable',
111
+ data: { envVarName: 'KEY', credentialType: 'AWS access key' },
112
+ output: 'const key = process.env.KEY || \'AKIAIOSFODNN7EXAMPLE\';',
113
+ },
114
+ {
115
+ messageId: 'useSecretManager',
116
+ data: { credentialType: 'AWS access key' },
117
+ output: 'const key = await getSecret(\'key\');',
118
+ },
119
+ ],
120
+ },
121
+ ],
122
+ },
123
+ {
124
+ code: 'const awsKey = "AKIA1234567890ABCDEF";',
125
+ errors: [
126
+ {
127
+ messageId: 'useEnvironmentVariable',
128
+ suggestions: [
129
+ {
130
+ messageId: 'useEnvironmentVariable',
131
+ data: { envVarName: 'AWS_KEY', credentialType: 'AWS access key' },
132
+ output: 'const awsKey = process.env.AWS_KEY || \'AKIA1234567890ABCDEF\';',
133
+ },
134
+ {
135
+ messageId: 'useSecretManager',
136
+ data: { credentialType: 'AWS access key' },
137
+ output: 'const awsKey = await getSecret(\'aws_key\');',
138
+ },
139
+ ],
140
+ },
141
+ ],
142
+ },
143
+ {
144
+ code: 'const config = { apiKey: "sk_test_FAKE_TEST_KEY_FOR_TESTING_PURPOSES_ONLY_ABCDEF" };',
145
+ errors: [
146
+ {
147
+ messageId: 'useEnvironmentVariable',
148
+ suggestions: [
149
+ {
150
+ messageId: 'useEnvironmentVariable',
151
+ data: { envVarName: 'API_KEY', credentialType: 'API key' },
152
+ output: 'const config = { apiKey: process.env.API_KEY || \'sk_test_FAKE_TEST_KEY_FOR_TESTING_PURPOSES_ONLY_ABCDEF\' };',
153
+ },
154
+ {
155
+ messageId: 'useSecretManager',
156
+ data: { credentialType: 'API key' },
157
+ output: 'const config = { apiKey: await getSecret(\'api_key\') };',
158
+ },
159
+ ],
160
+ },
161
+ ],
162
+ },
163
+ ],
164
+ });
165
+ });
166
+
167
+ describe('Invalid Code - Tokens', () => {
168
+ ruleTester.run('invalid - tokens', noHardcodedCredentials, {
169
+ valid: [],
170
+ invalid: [
171
+ {
172
+ code: 'const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";',
173
+ errors: [
174
+ {
175
+ messageId: 'useEnvironmentVariable',
176
+ suggestions: [
177
+ {
178
+ messageId: 'useEnvironmentVariable',
179
+ data: { envVarName: 'TOKEN', credentialType: 'JWT token' },
180
+ output: 'const token = process.env.TOKEN || \'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c\';',
181
+ },
182
+ {
183
+ messageId: 'useSecretManager',
184
+ data: { credentialType: 'JWT token' },
185
+ output: 'const token = await getSecret(\'token\');',
186
+ },
187
+ ],
188
+ },
189
+ ],
190
+ },
191
+ {
192
+ code: 'const authToken = "ghp_1234567890123456789012345678901234567890";',
193
+ errors: [
194
+ {
195
+ messageId: 'useEnvironmentVariable',
196
+ suggestions: [
197
+ {
198
+ messageId: 'useEnvironmentVariable',
199
+ data: { envVarName: 'AUTH_TOKEN', credentialType: 'OAuth token' },
200
+ output: 'const authToken = process.env.AUTH_TOKEN || \'ghp_1234567890123456789012345678901234567890\';',
201
+ },
202
+ {
203
+ messageId: 'useSecretManager',
204
+ data: { credentialType: 'OAuth token' },
205
+ output: 'const authToken = await getSecret(\'auth_token\');',
206
+ },
207
+ ],
208
+ },
209
+ ],
210
+ },
211
+ {
212
+ code: 'const token = "gho_1234567890123456789012345678901234567890";',
213
+ errors: [
214
+ {
215
+ messageId: 'useEnvironmentVariable',
216
+ suggestions: [
217
+ {
218
+ messageId: 'useEnvironmentVariable',
219
+ data: { envVarName: 'TOKEN', credentialType: 'OAuth token' },
220
+ output: 'const token = process.env.TOKEN || \'gho_1234567890123456789012345678901234567890\';',
221
+ },
222
+ {
223
+ messageId: 'useSecretManager',
224
+ data: { credentialType: 'OAuth token' },
225
+ output: 'const token = await getSecret(\'token\');',
226
+ },
227
+ ],
228
+ },
229
+ ],
230
+ },
231
+ {
232
+ code: 'const token = "ghu_1234567890123456789012345678901234567890";',
233
+ errors: [
234
+ {
235
+ messageId: 'useEnvironmentVariable',
236
+ suggestions: [
237
+ {
238
+ messageId: 'useEnvironmentVariable',
239
+ data: { envVarName: 'TOKEN', credentialType: 'OAuth token' },
240
+ output: 'const token = process.env.TOKEN || \'ghu_1234567890123456789012345678901234567890\';',
241
+ },
242
+ {
243
+ messageId: 'useSecretManager',
244
+ data: { credentialType: 'OAuth token' },
245
+ output: 'const token = await getSecret(\'token\');',
246
+ },
247
+ ],
248
+ },
249
+ ],
250
+ },
251
+ {
252
+ code: 'const token = "ghs_1234567890123456789012345678901234567890";',
253
+ errors: [
254
+ {
255
+ messageId: 'useEnvironmentVariable',
256
+ suggestions: [
257
+ {
258
+ messageId: 'useEnvironmentVariable',
259
+ data: { envVarName: 'TOKEN', credentialType: 'OAuth token' },
260
+ output: 'const token = process.env.TOKEN || \'ghs_1234567890123456789012345678901234567890\';',
261
+ },
262
+ {
263
+ messageId: 'useSecretManager',
264
+ data: { credentialType: 'OAuth token' },
265
+ output: 'const token = await getSecret(\'token\');',
266
+ },
267
+ ],
268
+ },
269
+ ],
270
+ },
271
+ {
272
+ code: 'const token = "ghr_1234567890123456789012345678901234567890";',
273
+ errors: [
274
+ {
275
+ messageId: 'useEnvironmentVariable',
276
+ suggestions: [
277
+ {
278
+ messageId: 'useEnvironmentVariable',
279
+ data: { envVarName: 'TOKEN', credentialType: 'OAuth token' },
280
+ output: 'const token = process.env.TOKEN || \'ghr_1234567890123456789012345678901234567890\';',
281
+ },
282
+ {
283
+ messageId: 'useSecretManager',
284
+ data: { credentialType: 'OAuth token' },
285
+ output: 'const token = await getSecret(\'token\');',
286
+ },
287
+ ],
288
+ },
289
+ ],
290
+ },
291
+ ],
292
+ });
293
+ });
294
+
295
+ describe('Invalid Code - Passwords', () => {
296
+ ruleTester.run('invalid - passwords', noHardcodedCredentials, {
297
+ valid: [],
298
+ invalid: [
299
+ {
300
+ code: 'const password = "password123";',
301
+ errors: [
302
+ {
303
+ messageId: 'useEnvironmentVariable',
304
+ suggestions: [
305
+ {
306
+ messageId: 'useEnvironmentVariable',
307
+ data: { envVarName: 'PASSWORD', credentialType: 'Common password' },
308
+ output: 'const password = process.env.PASSWORD || \'password123\';',
309
+ },
310
+ {
311
+ messageId: 'useSecretManager',
312
+ data: { credentialType: 'Common password' },
313
+ output: 'const password = await getSecret(\'password\');',
314
+ },
315
+ ],
316
+ },
317
+ ],
318
+ },
319
+ {
320
+ code: 'const pwd = "admin";',
321
+ errors: [
322
+ {
323
+ messageId: 'useEnvironmentVariable',
324
+ suggestions: [
325
+ {
326
+ messageId: 'useEnvironmentVariable',
327
+ data: { envVarName: 'PWD', credentialType: 'Common password' },
328
+ output: 'const pwd = process.env.PWD || \'admin\';',
329
+ },
330
+ {
331
+ messageId: 'useSecretManager',
332
+ data: { credentialType: 'Common password' },
333
+ output: 'const pwd = await getSecret(\'pwd\');',
334
+ },
335
+ ],
336
+ },
337
+ ],
338
+ },
339
+ {
340
+ code: 'const pass = "123456";',
341
+ errors: [
342
+ {
343
+ messageId: 'useEnvironmentVariable',
344
+ suggestions: [
345
+ {
346
+ messageId: 'useEnvironmentVariable',
347
+ data: { envVarName: 'PASS', credentialType: 'Common password' },
348
+ output: 'const pass = process.env.PASS || \'123456\';',
349
+ },
350
+ {
351
+ messageId: 'useSecretManager',
352
+ data: { credentialType: 'Common password' },
353
+ output: 'const pass = await getSecret(\'pass\');',
354
+ },
355
+ ],
356
+ },
357
+ ],
358
+ },
359
+ ],
360
+ });
361
+ });
362
+
363
+ describe('Invalid Code - Database Connection Strings', () => {
364
+ ruleTester.run('invalid - database strings', noHardcodedCredentials, {
365
+ valid: [],
366
+ invalid: [
367
+ {
368
+ code: 'const dbUrl = "mysql://user:password@localhost:3306/dbname";',
369
+ errors: [
370
+ {
371
+ messageId: 'useEnvironmentVariable',
372
+ suggestions: [
373
+ {
374
+ messageId: 'useEnvironmentVariable',
375
+ data: { envVarName: 'DB_URL', credentialType: 'Database connection string' },
376
+ output: 'const dbUrl = process.env.DB_URL || \'mysql://user:password@localhost:3306/dbname\';',
377
+ },
378
+ {
379
+ messageId: 'useSecretManager',
380
+ data: { credentialType: 'Database connection string' },
381
+ output: 'const dbUrl = await getSecret(\'db_url\');',
382
+ },
383
+ ],
384
+ },
385
+ ],
386
+ },
387
+ {
388
+ code: 'const mongoUri = "mongodb://admin:secret123@localhost:27017/mydb";',
389
+ errors: [
390
+ {
391
+ messageId: 'useEnvironmentVariable',
392
+ suggestions: [
393
+ {
394
+ messageId: 'useEnvironmentVariable',
395
+ data: { envVarName: 'MONGO_URI', credentialType: 'Database connection string' },
396
+ output: 'const mongoUri = process.env.MONGO_URI || \'mongodb://admin:secret123@localhost:27017/mydb\';',
397
+ },
398
+ {
399
+ messageId: 'useSecretManager',
400
+ data: { credentialType: 'Database connection string' },
401
+ output: 'const mongoUri = await getSecret(\'mongo_uri\');',
402
+ },
403
+ ],
404
+ },
405
+ ],
406
+ },
407
+ {
408
+ code: 'const connString = "postgres://user:pass@localhost:5432/db";',
409
+ errors: [
410
+ {
411
+ messageId: 'useEnvironmentVariable',
412
+ suggestions: [
413
+ {
414
+ messageId: 'useEnvironmentVariable',
415
+ data: { envVarName: 'CONN_STRING', credentialType: 'Database connection string' },
416
+ output: 'const connString = process.env.CONN_STRING || \'postgres://user:pass@localhost:5432/db\';',
417
+ },
418
+ {
419
+ messageId: 'useSecretManager',
420
+ data: { credentialType: 'Database connection string' },
421
+ output: 'const connString = await getSecret(\'conn_string\');',
422
+ },
423
+ ],
424
+ },
425
+ ],
426
+ },
427
+ ],
428
+ });
429
+ });
430
+
431
+ describe('Invalid Code - Secret Keys', () => {
432
+ ruleTester.run('invalid - secret keys', noHardcodedCredentials, {
433
+ valid: [],
434
+ invalid: [
435
+ {
436
+ code: 'const secret = "dGhpcyBpcyBhIHNlY3JldCBrZXkgdGhhdCBpcyB2ZXJ5IGxvbmc=";',
437
+ errors: [
438
+ {
439
+ messageId: 'useEnvironmentVariable',
440
+ suggestions: [
441
+ {
442
+ messageId: 'useEnvironmentVariable',
443
+ data: { envVarName: 'SECRET', credentialType: 'Secret key' },
444
+ output: 'const secret = process.env.SECRET || \'dGhpcyBpcyBhIHNlY3JldCBrZXkgdGhhdCBpcyB2ZXJ5IGxvbmc=\';',
445
+ },
446
+ {
447
+ messageId: 'useSecretManager',
448
+ data: { credentialType: 'Secret key' },
449
+ output: 'const secret = await getSecret(\'secret\');',
450
+ },
451
+ ],
452
+ },
453
+ ],
454
+ },
455
+ {
456
+ code: 'const key = "abcdef1234567890abcdef1234567890abcdef12";',
457
+ errors: [
458
+ {
459
+ messageId: 'useEnvironmentVariable',
460
+ suggestions: [
461
+ {
462
+ messageId: 'useEnvironmentVariable',
463
+ data: { envVarName: 'KEY', credentialType: 'Secret key' },
464
+ output: 'const key = process.env.KEY || \'abcdef1234567890abcdef1234567890abcdef12\';',
465
+ },
466
+ {
467
+ messageId: 'useSecretManager',
468
+ data: { credentialType: 'Secret key' },
469
+ output: 'const key = await getSecret(\'key\');',
470
+ },
471
+ ],
472
+ },
473
+ ],
474
+ },
475
+ ],
476
+ });
477
+ });
478
+
479
+ describe('Template Literals', () => {
480
+ ruleTester.run('template literals', noHardcodedCredentials, {
481
+ valid: [],
482
+ invalid: [
483
+ {
484
+ code: 'const query = `sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456`;',
485
+ errors: [
486
+ {
487
+ messageId: 'useEnvironmentVariable',
488
+ suggestions: [
489
+ {
490
+ messageId: 'useEnvironmentVariable',
491
+ data: { envVarName: 'API_KEY', credentialType: 'API key' },
492
+ output: 'const query = process.env.API_KEY || `sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456`;',
493
+ },
494
+ {
495
+ messageId: 'useSecretManager',
496
+ data: { credentialType: 'API key' },
497
+ output: 'const query = await getSecret(\'api_key\');',
498
+ },
499
+ ],
500
+ },
501
+ ],
502
+ },
503
+ {
504
+ code: 'const query = `sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456${someVar}`;',
505
+ errors: [
506
+ {
507
+ messageId: 'useEnvironmentVariable',
508
+ // Template literals with interpolations don't have suggestions
509
+ },
510
+ ],
511
+ },
512
+ ],
513
+ });
514
+ });
515
+
516
+ describe('Options', () => {
517
+ ruleTester.run('options testing', noHardcodedCredentials, {
518
+ valid: [
519
+ // Ignore patterns
520
+ {
521
+ code: 'const key = "test-api-key-12345678901234567890";',
522
+ options: [{ ignorePatterns: ['^test-'] }],
523
+ },
524
+ // Custom minLength
525
+ {
526
+ code: 'const key = "short123";',
527
+ options: [{ minLength: 10 }],
528
+ },
529
+ // Disable API key detection
530
+ {
531
+ code: 'const key = "sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890";',
532
+ options: [{ detectApiKeys: false }],
533
+ },
534
+ // Disable password detection
535
+ {
536
+ code: 'const password = "password123";',
537
+ options: [{ detectPasswords: false }],
538
+ },
539
+ // Disable token detection
540
+ {
541
+ code: 'const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";',
542
+ options: [{ detectTokens: false }],
543
+ },
544
+ // Disable database string detection
545
+ {
546
+ code: 'const dbUrl = "mysql://user:password@localhost:3306/dbname";',
547
+ options: [{ detectDatabaseStrings: false }],
548
+ },
549
+ ],
550
+ invalid: [
551
+ // Test file but allowInTests is false
552
+ {
553
+ code: 'const apiKey = "sk_test_FAKE_TEST_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890";',
554
+ filename: 'test.spec.ts',
555
+ options: [{ allowInTests: false }],
556
+ errors: [
557
+ {
558
+ messageId: 'useEnvironmentVariable',
559
+ suggestions: [
560
+ {
561
+ messageId: 'useEnvironmentVariable',
562
+ data: { envVarName: 'API_KEY', credentialType: 'API key' },
563
+ output: 'const apiKey = process.env.API_KEY || \'sk_test_FAKE_TEST_KEY_FOR_TESTING_PURPOSES_ONLY_1234567890\';',
564
+ },
565
+ {
566
+ messageId: 'useSecretManager',
567
+ data: { credentialType: 'API key' },
568
+ output: 'const apiKey = await getSecret(\'api_key\');',
569
+ },
570
+ ],
571
+ },
572
+ ],
573
+ },
574
+ ],
575
+ });
576
+ });
577
+
578
+ describe('Edge Cases', () => {
579
+ ruleTester.run('edge cases', noHardcodedCredentials, {
580
+ valid: [
581
+ // Non-string literals
582
+ {
583
+ code: 'const num = 12345;',
584
+ },
585
+ {
586
+ code: 'const bool = true;',
587
+ },
588
+ {
589
+ code: 'const obj = { key: "value" };',
590
+ },
591
+ ],
592
+ invalid: [
593
+ // Variable in object property
594
+ {
595
+ code: 'const config = { apiKey: "sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456" };',
596
+ errors: [
597
+ {
598
+ messageId: 'useEnvironmentVariable',
599
+ suggestions: [
600
+ {
601
+ messageId: 'useEnvironmentVariable',
602
+ data: { envVarName: 'API_KEY', credentialType: 'API key' },
603
+ output: 'const config = { apiKey: process.env.API_KEY || \'sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456\' };',
604
+ },
605
+ {
606
+ messageId: 'useSecretManager',
607
+ data: { credentialType: 'API key' },
608
+ output: 'const config = { apiKey: await getSecret(\'api_key\') };',
609
+ },
610
+ ],
611
+ },
612
+ ],
613
+ },
614
+ // Variable declaration
615
+ {
616
+ code: 'const myApiKey = "sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456";',
617
+ errors: [
618
+ {
619
+ messageId: 'useEnvironmentVariable',
620
+ suggestions: [
621
+ {
622
+ messageId: 'useEnvironmentVariable',
623
+ data: { envVarName: 'MY_API_KEY', credentialType: 'API key' },
624
+ output: 'const myApiKey = process.env.MY_API_KEY || \'sk_live_FAKE_LIVE_KEY_FOR_TESTING_PURPOSES_ONLY_123456\';',
625
+ },
626
+ {
627
+ messageId: 'useSecretManager',
628
+ data: { credentialType: 'API key' },
629
+ output: 'const myApiKey = await getSecret(\'my_api_key\');',
630
+ },
631
+ ],
632
+ },
633
+ ],
634
+ },
635
+ ],
636
+ });
637
+ });
638
+ });
639
+