npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-improper-sanitization/index.ts ADDED Viewed

@@ -0,0 +1,502 @@
+/**
+ * ESLint Rule: no-improper-sanitization
+ * Detects improper sanitization of user input (CWE-94, CWE-79, CWE-116)
+ *
+ * Improper sanitization occurs when user input is not properly cleaned
+ * before use in sensitive contexts. This can lead to injection attacks,
+ * XSS, or other security vulnerabilities.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Known safe sanitization patterns
+ * - Trusted sanitization libraries
+ * - JSDoc annotations (@sanitized, @safe)
+ * - Context-aware validation
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import {
+  createSafetyChecker,
+  type SecurityRuleOptions,
+} from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'improperSanitization'
+  | 'insufficientXssProtection'
+  | 'incompleteHtmlEscaping'
+  | 'unsafeReplaceSanitization'
+  | 'missingContextEncoding'
+  | 'dangerousSanitizerUsage'
+  | 'sqlInjectionSanitization'
+  | 'commandInjectionSanitization'
+  | 'useProperSanitization'
+  | 'validateSanitization'
+  | 'implementContextAware'
+  | 'strategyDefenseInDepth'
+  | 'strategyInputValidation'
+  | 'strategyOutputEncoding';
+export interface Options extends SecurityRuleOptions {
+  /** Safe sanitization functions */
+  safeSanitizers?: string[];
+  /** Characters that should be escaped */
+  dangerousChars?: string[];
+  /** Contexts that require different encoding */
+  contexts?: string[];
+  /** Trusted sanitization libraries */
+  trustedLibraries?: string[];
+}
+type RuleOptions = [Options?];
+export const noImproperSanitization = createRule<RuleOptions, MessageIds>({
+  name: 'no-improper-sanitization',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects improper sanitization of user input',
+    },
+    fixable: 'code',
+    hasSuggestions: true,
+    messages: {
+      improperSanitization: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Improper Sanitization',
+        cwe: 'CWE-116',
+        description: 'User input sanitization is insufficient or incorrect',
+        severity: '{{severity}}',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+      }),
+      insufficientXssProtection: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Insufficient XSS Protection',
+        cwe: 'CWE-79',
+        description: 'XSS protection is incomplete or missing',
+        severity: 'HIGH',
+        fix: 'Use comprehensive XSS prevention or trusted sanitization library',
+        documentationLink: 'https://owasp.org/www-community/attacks/xss/',
+      }),
+      incompleteHtmlEscaping: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Incomplete HTML Escaping',
+        cwe: 'CWE-116',
+        description: 'HTML escaping misses dangerous characters',
+        severity: 'MEDIUM',
+        fix: 'Escape all HTML special characters: & < > " \'',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+      }),
+      unsafeReplaceSanitization: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Unsafe Replace Sanitization',
+        cwe: 'CWE-116',
+        description: 'Simple replace() calls are insufficient for sanitization',
+        severity: 'MEDIUM',
+        fix: 'Use comprehensive sanitization libraries',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+      }),
+      missingContextEncoding: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Missing Context Encoding',
+        cwe: 'CWE-116',
+        description: 'Output encoding missing for specific context',
+        severity: 'MEDIUM',
+        fix: 'Encode output according to usage context (HTML, URL, SQL, etc.)',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+      }),
+      dangerousSanitizerUsage: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Dangerous Sanitizer Usage',
+        cwe: 'CWE-94',
+        description: 'Custom sanitizer may be incomplete or bypassable',
+        severity: 'LOW',
+        fix: 'Use well-tested sanitization libraries',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/94.html',
+      }),
+      sqlInjectionSanitization: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'SQL Injection Sanitization',
+        cwe: 'CWE-89',
+        description: 'SQL input sanitization is insufficient',
+        severity: 'HIGH',
+        fix: 'Use parameterized queries instead of sanitization',
+        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+      }),
+      commandInjectionSanitization: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Command Injection Sanitization',
+        cwe: 'CWE-78',
+        description: 'Command input sanitization is insufficient',
+        severity: 'CRITICAL',
+        fix: 'Avoid shell commands with user input, use safe APIs',
+        documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+      }),
+      useProperSanitization: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Proper Sanitization',
+        description: 'Use proper sanitization methods for each context',
+        severity: 'LOW',
+        fix: 'HTML: DOMPurify, URL: encodeURIComponent, SQL: parameterized queries',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
+      }),
+      validateSanitization: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Validate Sanitization',
+        description: 'Validate that sanitization is effective',
+        severity: 'LOW',
+        fix: 'Test sanitization with malicious inputs',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+      }),
+      implementContextAware: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Implement Context Aware Sanitization',
+        description: 'Use different sanitization for different contexts',
+        severity: 'LOW',
+        fix: 'HTML context: escape <>&"\' , URL context: encodeURIComponent',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+      }),
+      strategyDefenseInDepth: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'Defense in Depth Strategy',
+        description: 'Implement multiple layers of input validation',
+        severity: 'LOW',
+        fix: 'Validate input, sanitize output, use CSP, implement rate limiting',
+        documentationLink: 'https://owasp.org/www-community/controls/Defense_in_depth',
+      }),
+      strategyInputValidation: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'Input Validation Strategy',
+        description: 'Validate input at multiple layers',
+        severity: 'LOW',
+        fix: 'Client-side, server-side, and database-level validation',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
+      }),
+      strategyOutputEncoding: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'Output Encoding Strategy',
+        description: 'Encode output according to context',
+        severity: 'LOW',
+        fix: 'Use appropriate encoding for HTML, JavaScript, CSS, URL contexts',
+        documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+      })
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          safeSanitizers: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'],
+          },
+          dangerousChars: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'],
+          },
+          contexts: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['html', 'url', 'sql', 'command', 'javascript', 'css'],
+          },
+          trustedLibraries: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['DOMPurify', 'he', 'validator', 'express-validator'],
+          },
+          trustedSanitizers: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional function names to consider as sanitizers',
+          },
+          trustedAnnotations: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional JSDoc annotations to consider as safe markers',
+          },
+          strictMode: {
+            type: 'boolean',
+            default: false,
+            description: 'Disable all false positive detection (strict mode)',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      safeSanitizers: ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'],
+      dangerousChars: ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'],
+      contexts: ['html', 'url', 'sql', 'command', 'javascript', 'css'],
+      trustedLibraries: ['DOMPurify', 'he', 'validator', 'express-validator'],
+      trustedSanitizers: [],
+      trustedAnnotations: [],
+      strictMode: false,
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
+    const options = context.options[0] || {};
+    const {
+      safeSanitizers = ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'],
+      dangerousChars = ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'],
+      trustedSanitizers = [],
+      trustedAnnotations = [],
+      strictMode = false,
+    }: Options = options;
+    const sourceCode = context.sourceCode || context.sourceCode;
+    const filename = context.filename || context.getFilename();
+    // Create safety checker for false positive detection
+    const safetyChecker = createSafetyChecker({
+      trustedSanitizers,
+      trustedAnnotations,
+      trustedOrmPatterns: [],
+      strictMode,
+    });
+    /**
+     * Check if sanitization is safe
+     */
+    const isSafeSanitizer = (callText: string): boolean => {
+      return safeSanitizers.some(sanitizer => callText.includes(sanitizer));
+    };
+    /**
+     * Check if replace sanitization is incomplete
+     */
+    const isIncompleteReplaceSanitization = (callExpression: TSESTree.CallExpression): boolean => {
+      const callText = sourceCode.getText(callExpression);
+      // Check for incomplete HTML escaping (any quote style)
+      const escapesOnlyTags = /replace\(\s*\/[<>]/.test(callText);
+      if (escapesOnlyTags) {
+        // If only escaping < or > but not other dangerous chars, it's incomplete
+        const hasQuoteEscaping = /&quot;|&#x27;|&#039;/.test(callText);
+        const hasAmpersandEscaping = /&amp;/.test(callText);
+        return !(hasQuoteEscaping && hasAmpersandEscaping);
+      }
+      return false;
+    };
+    /**
+     * Check if output context suggests needed encoding
+     */
+    const needsContextEncoding = (outputNode: TSESTree.Node): string | null => {
+      let current: TSESTree.Node | undefined = outputNode;
+      // Look for context clues in surrounding code
+      while (current) {
+        const text = sourceCode.getText(current).toLowerCase();
+        if (text.includes('innerhtml') || text.includes('outerhtml')) {
+          return 'html';
+        }
+        if (text.includes('href') || text.includes('src') || text.includes('url')) {
+          return 'url';
+        }
+        if (text.includes('sql') || text.includes('query') || text.includes('execute')) {
+          return 'sql';
+        }
+        if (text.includes('exec') || text.includes('spawn') || text.includes('command')) {
+          return 'command';
+        }
+        current = current.parent as TSESTree.Node;
+      }
+      return null;
+    };
+    return {
+      // Check call expressions for sanitization issues
+      CallExpression(node: TSESTree.CallExpression) {
+        const callee = node.callee;
+        // Check for replace() sanitization
+        if (callee.type === 'MemberExpression' &&
+            callee.property.type === 'Identifier' &&
+            callee.property.name === 'replace') {
+          if (isIncompleteReplaceSanitization(node)) {
+            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+            if (safetyChecker.isSafe(node, context)) {
+              return;
+            }
+            /* c8 ignore stop */
+            context.report({
+              node,
+              messageId: 'incompleteHtmlEscaping',
+              data: {
+                filePath: filename,
+                line: String(node.loc?.start.line ?? 0),
+              },
+            });
+          }
+        }
+        // Check for custom sanitizer functions
+        if (callee.type === 'Identifier') {
+          const functionName = callee.name;
+          // Check if it's a known dangerous sanitizer pattern
+          if (functionName.toLowerCase().includes('sanitize') ||
+              functionName.toLowerCase().includes('escape') ||
+              functionName.toLowerCase().includes('clean')) {
+            // If it's not in our safe list, flag it
+            if (!safeSanitizers.some(safe => functionName.includes(safe))) {
+              // Check if arguments contain user input
+              const args = node.arguments;
+              let hasUserInput = false;
+              for (const arg of args) {
+                const argText = sourceCode.getText(arg).toLowerCase();
+                if (argText.includes('req.') || argText.includes('body') ||
+                    argText.includes('query') || argText.includes('params') ||
+                    argText.includes('input') || argText.includes('data')) {
+                  hasUserInput = true;
+                  break;
+                }
+              }
+              if (hasUserInput) {
+                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                if (safetyChecker.isSafe(node, context)) {
+                  return;
+                }
+                /* c8 ignore stop */
+                context.report({
+                  node,
+                  messageId: 'dangerousSanitizerUsage',
+                  data: {
+                    filePath: filename,
+                    line: String(node.loc?.start.line ?? 0),
+                  },
+                });
+              }
+            }
+          }
+        }
+      },
+      // Check assignments that might need sanitization
+      AssignmentExpression(node: TSESTree.AssignmentExpression) {
+        const left = node.left;
+        const right = node.right;
+        // Check for assignments to potentially dangerous properties
+        if (left.type === 'MemberExpression' &&
+            left.property.type === 'Identifier') {
+          const propertyName = left.property.name.toLowerCase();
+          if (['innerhtml', 'outerhtml', 'innertext', 'textcontent'].includes(propertyName)) {
+            const encodingContext = needsContextEncoding(node);
+            if (encodingContext === 'html' && propertyName === 'innerhtml') {
+              // Check if right side is properly sanitized
+              const rightText = sourceCode.getText(right);
+              if (!isSafeSanitizer(rightText)) {
+                // Check if right side contains user input
+                const hasUserInput = rightText.includes('req.') ||
+                                   rightText.includes('body') ||
+                                   rightText.includes('query') ||
+                                   rightText.includes('input');
+                if (hasUserInput) {
+                  /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                  if (safetyChecker.isSafe(node, context)) {
+                    return;
+                  }
+                  /* c8 ignore stop */
+                  context.report({
+                    node: right,
+                    messageId: 'insufficientXssProtection',
+                    data: {
+                      filePath: filename,
+                      line: String(node.loc?.start.line ?? 0),
+                    },
+                  });
+                }
+              }
+            }
+          }
+        }
+      },
+      // Check string literals that might contain dangerous characters
+      Literal(node: TSESTree.Literal) {
+        if (typeof node.value !== 'string') {
+          return;
+        }
+        const text = node.value;
+        // Check if this string is used in a dangerous context
+        let current: TSESTree.Node | undefined = node;
+        let isInDangerousContext = false;
+        while (current && !isInDangerousContext) {
+          if (current.type === 'AssignmentExpression') {
+            const left = current.left;
+            if (left.type === 'MemberExpression' &&
+                left.property.type === 'Identifier' &&
+                ['innerHTML', 'outerHTML'].includes(left.property.name)) {
+              isInDangerousContext = true;
+              break;
+            }
+          } else if (current.type === 'CallExpression') {
+            const callee = current.callee;
+            if (callee.type === 'MemberExpression' &&
+                callee.property.type === 'Identifier' &&
+                ['write', 'send', 'json'].includes(callee.property.name)) {
+              // Could be response output
+              isInDangerousContext = true;
+              break;
+            }
+          }
+          current = current.parent as TSESTree.Node;
+        }
+        if (isInDangerousContext) {
+          // Check if string contains dangerous characters without proper escaping
+          const hasDangerousChars = dangerousChars.some(char => text.includes(char));
+          const hasEscaping = text.includes('&lt;') || text.includes('&gt;') ||
+                            text.includes('&quot;') || text.includes('&#x27;') ||
+                            text.includes('&amp;');
+          if (hasDangerousChars && !hasEscaping) {
+            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+            if (safetyChecker.isSafe(node, context)) {
+              return;
+            }
+            /* c8 ignore stop */
+            context.report({
+              node,
+              messageId: 'unsafeReplaceSanitization',
+              data: {
+                filePath: filename,
+                line: String(node.loc?.start.line ?? 0),
+              },
+            });
+          }
+        }
+      }
+    };
+  },
+});

package/src/rules/no-improper-sanitization/no-improper-sanitization.test.ts ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * Tests for no-improper-sanitization rule
+ * Security: CWE-116 (Improper Encoding or Escaping of Output)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noImproperSanitization } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-improper-sanitization', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - proper sanitization', noImproperSanitization, {
+      valid: [
+        // Safe sanitization with trusted libraries
+        'element.innerHTML = DOMPurify.sanitize(userInput);',
+        'const safe = he.encode(userInput);',
+        'const encoded = encodeURIComponent(userInput);',
+        // textContent is safe (doesn't interpret HTML)
+        'element.textContent = userInput;',
+        // Direct assignment without user input indicators isn't flagged
+        'element.innerHTML = userInput;',
+        // String concatenation without dangerous context
+        'const html = "<div>" + req.body.content + "</div>";',
+        // Safe annotation
+        `
+          /** @safe */
+          myCustomSanitize(req.body.data);
+        `,
+        // Proper HTML entity escaping
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Incomplete HTML Escaping', () => {
+    ruleTester.run('invalid - incomplete HTML escaping', noImproperSanitization, {
+      valid: [],
+      invalid: [
+        // Incomplete escaping - only escapes < but not other dangerous chars
+        {
+          code: 'element.innerHTML = userInput.replace(/</g, "&lt;");',
+          errors: [
+            {
+              messageId: 'incompleteHtmlEscaping',
+            },
+          ],
+        },
+        // Incomplete escaping - only escapes > but not other dangerous chars
+        {
+          code: 'const safe = data.replace(/>/g, "&gt;");',
+          errors: [
+            {
+              messageId: 'incompleteHtmlEscaping',
+            },
+          ],
+        },
+        // Chained replacement flagged individually (Known Limitation)
+        {
+          code: 'element.innerHTML = userInput.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/&/g, "&amp;");',
+          errors: [
+            { messageId: 'incompleteHtmlEscaping' },
+            { messageId: 'incompleteHtmlEscaping' },
+            { messageId: 'incompleteHtmlEscaping' },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Custom Sanitizer Functions', () => {
+    ruleTester.run('invalid - custom sanitizer with user input', noImproperSanitization, {
+      valid: [],
+      invalid: [
+        // Custom sanitize function with user input
+        {
+          code: 'const clean = mySanitize(req.body.content);',
+          errors: [{ messageId: 'dangerousSanitizerUsage' }],
+        },
+        // Custom escape function with user data
+        {
+          code: 'const safe = myEscape(req.query.data);',
+          errors: [{ messageId: 'dangerousSanitizerUsage' }],
+        },
+        // Custom clean function with user input
+        {
+          code: 'const result = myClean(req.params.id);',
+          errors: [{ messageId: 'dangerousSanitizerUsage' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - innerHTML Without Sanitization', () => {
+    ruleTester.run('invalid - innerHTML with user input', noImproperSanitization, {
+      valid: [],
+      invalid: [
+        // innerHTML with unsanitized user input
+        {
+          code: 'element.innerHTML = req.body.content;',
+          errors: [{ messageId: 'insufficientXssProtection' }],
+        },
+        // innerHTML with query parameter
+        {
+          code: 'div.innerHTML = req.query.html;',
+          errors: [{ messageId: 'insufficientXssProtection' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - String Literals in Dangerous Contexts', () => {
+    ruleTester.run('invalid - unescaped strings in dangerous contexts', noImproperSanitization, {
+      valid: [],
+      invalid: [
+        // String with dangerous chars in innerHTML context
+        {
+          code: 'element.innerHTML = "<script>alert(1)</script>";',
+          errors: [{ messageId: 'unsafeReplaceSanitization' }],
+        },
+        // String with dangerous chars in response send
+        {
+          code: 'res.send("<img src=x onerror=alert(1)>");',
+          errors: [{ messageId: 'unsafeReplaceSanitization' }],
+        },
+      ],
+    });
+  });
+  describe('Context Encoding Detection', () => {
+    ruleTester.run('context - URL and SQL context detection', noImproperSanitization, {
+      valid: [
+        // Proper URL encoding
+        'const url = "https://example.com?q=" + encodeURIComponent(userInput);',
+        // Parameterized query (not direct)
+        'db.query("SELECT * FROM users WHERE id = ?", [userId]);',
+      ],
+      invalid: [],
+    });
+  });
+});