npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-hardcoded-session-tokens/index.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * @fileoverview Detect hardcoded session/JWT tokens
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noHardcodedSessionTokens = createRule<RuleOptions, MessageIds>({
+  name: 'no-hardcoded-session-tokens',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detect hardcoded session/JWT tokens',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Hardcoded Token',
+        cwe: 'CWE-798',
+        description: 'Hardcoded session or JWT token detected - credentials at risk',
+        severity: 'CRITICAL',
+        fix: 'Use environment variables or secure credential management',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    return {
+      Literal(node: TSESTree.Literal) {
+        if (typeof node.value !== 'string') return;
+        // Detect JWT tokens (start with eyJ and contain 2 dots)
+        if (node.value.startsWith('eyJ') && node.value.length > 50 &&
+            (node.value.match(/\./g) || []).length >= 2) {
+          report(node);
+        }
+        // Detect Bearer tokens
+        if (node.value.startsWith('Bearer ') && node.value.length > 20) {
+          report(node);
+        }
+        // Detect session_id patterns
+        const parent = node.parent;
+        if (parent?.type === 'VariableDeclarator' &&
+            parent.id.type === 'Identifier') {
+          const varName = parent.id.name.toLowerCase();
+          if ((varName.includes('session') || varName.includes('token')) &&
+              node.value.length >= 16 && /^[a-zA-Z0-9]+$/.test(node.value)) {
+            report(node);
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-hardcoded-session-tokens/no-hardcoded-session-tokens.test.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * @fileoverview Tests for no-hardcoded-session-tokens
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noHardcodedSessionTokens } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-hardcoded-session-tokens', noHardcodedSessionTokens, {
+  valid: [
+    // Environment variables
+    { code: "const token = process.env.JWT_TOKEN" },
+    { code: "const session = getSession()" },
+    // Short strings (not tokens)
+    { code: "const id = 'abc'" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // JWT tokens
+    {
+      code: "const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.Rq8IjqGXVV'",
+      errors: [{ messageId: 'violationDetected' }]
+    },
+    // Bearer tokens
+    {
+      code: "const auth = 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'",
+      errors: [{ messageId: 'violationDetected' }]
+    },
+    // Session tokens in variables
+    {
+      code: "const sessionToken = 'abc123def456ghi789'",
+      errors: [{ messageId: 'violationDetected' }]
+    },
+  ],
+});

package/src/rules/no-http-urls/index.ts ADDED Viewed

@@ -0,0 +1,131 @@
+/**
+ * @fileoverview Disallow hardcoded HTTP URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/319.html
+ */
+import { TSESTree, createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureHttp' | 'insecureHttpWithException';
+export interface Options {
+  /** List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1) */
+  allowedHosts?: string[];
+  /** List of ports allowed for HTTP (e.g., 3000, 8080 for development) */
+  allowedPorts?: number[];
+}
+type RuleOptions = [Options?];
+export const noHttpUrls = createRule<RuleOptions, MessageIds>({
+  name: 'no-http-urls',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Disallow hardcoded HTTP URLs (require HTTPS)',
+    },
+    messages: {
+      insecureHttp: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Insecure HTTP URL',
+        cwe: 'CWE-319',
+        owasp: 'A02:2021',
+        cvss: 7.5,
+        description: 'Hardcoded HTTP URL detected: "{{url}}"',
+        severity: 'HIGH',
+        compliance: ['SOC2', 'PCI-DSS', 'HIPAA'],
+        fix: 'Use HTTPS instead: const url = "https://..."',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+      }),
+      insecureHttpWithException: formatLLMMessage({
+        icon: MessageIcons.WARNING,
+        issueName: 'Insecure HTTP URL',
+        cwe: 'CWE-319',
+        owasp: 'A02:2021',
+        cvss: 5.3,
+        description: 'HTTP URL detected: "{{url}}"',
+        severity: 'MEDIUM',
+        fix: 'Use HTTPS or add to allowedHosts config',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowedHosts: {
+            type: 'array',
+            items: { type: 'string' },
+            description: 'List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1)',
+          },
+          allowedPorts: {
+            type: 'array',
+            items: { type: 'number' },
+            description: 'List of ports allowed for HTTP (e.g., 3000, 8080 for development)',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowedHosts: ['localhost', '127.0.0.1'],
+      allowedPorts: [],
+    },
+  ],
+  create(context) {
+    const [options = {}] = context.options;
+    const allowedHosts = options.allowedHosts ?? ['localhost', '127.0.0.1'];
+    const allowedPorts = options.allowedPorts ?? [];
+    function isAllowedException(url: string): boolean {
+      try {
+        const parsedUrl = new URL(url);
+        // Check if host is in allowed list
+        if (allowedHosts.includes(parsedUrl.hostname)) {
+          return true;
+        }
+        // Check if port is in allowed list
+        if (parsedUrl.port && allowedPorts.includes(parseInt(parsedUrl.port, 10))) {
+          return true;
+        }
+        return false;
+      } catch {
+        // If URL parsing fails, treat as pattern match
+        return allowedHosts.some(host => url.includes(host));
+      }
+    }
+    function checkStringValue(node: TSESTree.Node, value: string): void {
+      const httpPattern = /^http:\/\//i;
+      if (httpPattern.test(value) && !isAllowedException(value)) {
+        context.report({
+          node,
+          messageId: allowedHosts.length > 0 || allowedPorts.length > 0
+            ? 'insecureHttpWithException'
+            : 'insecureHttp',
+          data: { url: value },
+        });
+      }
+    }
+    return {
+      Literal(node) {
+        if (typeof node.value === 'string') {
+          checkStringValue(node, node.value);
+        }
+      },
+      TemplateElement(node) {
+        if (node.value.cooked) {
+          checkStringValue(node, node.value.cooked);
+        }
+      },
+    };
+  },
+});

package/src/rules/no-http-urls/no-http-urls.test.ts ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * @fileoverview Tests for no-http-urls
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noHttpUrls } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-http-urls', noHttpUrls, {
+  valid: [
+    // HTTPS URLs
+    { code: "const apiUrl = 'https://api.example.com/data'" },
+    { code: "fetch('https://secure.example.com/api')" },
+    // Allowed localhost
+    { code: "const devUrl = 'http://localhost:3000'" },
+    { code: "const localApi = 'http://127.0.0.1:8080/api'" },
+    // Allowed hosts via options
+    {
+      code: "const devUrl = 'http://dev.local/api'",
+      options: [{ allowedHosts: ['dev.local'] }]
+    },
+    // Allowed ports via options
+    {
+      code: "const devUrl = 'http://0.0.0.0:5000/api'",
+      options: [{ allowedHosts: ['0.0.0.0'], allowedPorts: [5000] }]
+    },
+    // Non-URL strings
+    { code: "const protocol = 'http'" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Insecure http URLs
+    {
+      code: "const apiUrl = 'http://api.example.com/data'",
+      errors: [{ messageId: 'insecureHttpWithException' }]
+    },
+    {
+      code: "fetch('http://insecure.example.com/api')",
+      errors: [{ messageId: 'insecureHttpWithException' }]
+    },
+    // Template literals
+    {
+      code: "const url = `http://external.com/api/${path}`",
+      errors: [{ messageId: 'insecureHttpWithException' }]
+    },
+    // Without allowed hosts (uses insecureHttp message)
+    {
+      code: "const url = 'http://prod.example.com/api'",
+      options: [{ allowedHosts: [] }],
+      errors: [{ messageId: 'insecureHttp' }]
+    },
+  ],
+});