npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-improper-type-validation/no-improper-type-validation.test.ts ADDED Viewed

@@ -0,0 +1,372 @@
+/**
+ * Comprehensive tests for no-improper-type-validation rule
+ * Security: CWE-1287 (Improper Validation of Specified Type of Input)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noImproperTypeValidation } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-improper-type-validation', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - proper type validation', noImproperTypeValidation, {
+      valid: [
+        // Proper type checking with strict equality
+        {
+          code: 'if (value !== null && typeof value === "object") { /* process */ }',
+        },
+        {
+          code: 'if (Array.isArray(data)) { /* process array */ }',
+        },
+        // Non-user-input typeof checks are valid
+        {
+          code: 'if (typeof value === "string" && value.length > 0) { /* process */ }',
+        },
+        // Safe type guards
+        {
+          code: 'if (Number.isNaN(Number(value))) { /* handle NaN */ }',
+        },
+        {
+          code: 'if (Object.prototype.toString.call(value) === "[object Array]") { /* process */ }',
+        },
+        // Strict equality for types
+        {
+          code: 'if (value !== null && value !== undefined) { /* process */ }',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Unsafe typeof Checks', () => {
+    ruleTester.run('invalid - unsafe typeof usage', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // typeof === "object" on user input variable
+        {
+          code: 'if (typeof userInput === "object") { processData(userInput); }',
+          errors: [
+            {
+              messageId: 'unsafeTypeofCheck',
+            },
+          ],
+        },
+        // typeof on data (user input variable)
+        {
+          code: 'const isObject = typeof data === "object";',
+          errors: [
+            {
+              messageId: 'unsafeTypeofCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Unsafe instanceof Usage', () => {
+    ruleTester.run('invalid - unsafe instanceof usage', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // instanceof on user input with allowInstanceofSameRealm: false
+        {
+          code: 'if (userInput instanceof Array) { processArray(userInput); }',
+          options: [{ allowInstanceofSameRealm: false }],
+          errors: [
+            {
+              messageId: 'unsafeInstanceofUsage',
+            },
+          ],
+        },
+        {
+          code: 'if (data instanceof Object) { handleObject(data); }',
+          options: [{ allowInstanceofSameRealm: false }],
+          errors: [
+            {
+              messageId: 'unsafeInstanceofUsage',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Loose Equality Type Checks', () => {
+    ruleTester.run('invalid - loose equality for types', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // Loose equality with null on user input variable - triggers both messages
+        // IfStatement reports missingNullCheck, BinaryExpression reports looseEqualityTypeCheck
+        {
+          code: 'if (input != null) { processInput(input); }',
+          errors: [
+            {
+              messageId: 'missingNullCheck',
+            },
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+        // Loose equality with null (always flagged due to null comparison)
+        {
+          code: 'if (userData == null) { return; }',
+          errors: [
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Missing Null Checks', () => {
+    ruleTester.run('invalid - missing null checks', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // userInput is a user input variable - reports missingNullCheck first (IfStatement),
+        // then looseEqualityTypeCheck (BinaryExpression)
+        {
+          code: 'if (userInput != null) { processData(userInput); }',
+          errors: [
+            {
+              messageId: 'missingNullCheck',
+            },
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+        // req.body involves user input variable - only reports looseEqualityTypeCheck
+        // because req.body as MemberExpression doesn't trigger missingNullCheck
+        {
+          code: 'if (req.body == null) { return; }',
+          errors: [
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Unreliable Constructor Checks', () => {
+    ruleTester.run('invalid - unreliable constructor checks', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const type = userInput.constructor.name;',
+          errors: [
+            {
+              messageId: 'unreliableConstructorCheck',
+            },
+          ],
+        },
+        {
+          code: 'if (data.constructor.name === "Array") { handleArray(data); }',
+          errors: [
+            {
+              messageId: 'unreliableConstructorCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Improper Type Validation', () => {
+    ruleTester.run('invalid - improper type validation patterns', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // typeof userInput === "object" - unsafe typeof check on user input
+        {
+          code: 'const type = typeof userInput === "object";',
+          errors: [
+            {
+              messageId: 'unsafeTypeofCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noImproperTypeValidation, {
+      valid: [
+        // Safe annotations
+        {
+          code: `
+            /** @validated */
+            if (typeof userInput === "object") {
+              processData(userInput);
+            }
+          `,
+        },
+        // TypeScript type guards (would be handled by TS compiler)
+        {
+          code: `
+            function isString(value: any): value is string {
+              return typeof value === "string";
+            }
+          `,
+        },
+        // Safe type checking functions
+        {
+          code: `
+            if (validateType(userInput, "object")) {
+              processData(userInput);
+            }
+          `,
+        },
+        // Proper null checks
+        {
+          code: `
+            if (userInput !== null && userInput !== undefined) {
+              processData(userInput);
+            }
+          `,
+        },
+        // Safe instanceof within same realm
+        {
+          code: `
+            const arr = [1, 2, 3];
+            if (arr instanceof Array) {
+              processArray(arr);
+            }
+          `,
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - custom user input variables', noImproperTypeValidation, {
+      valid: [
+        // otherInput is NOT in userInputVariables, so it's not flagged
+        {
+          code: 'if (typeof otherInput === "object") { /* process */ }',
+          options: [{ userInputVariables: ['customInput'] }],
+        },
+      ],
+      invalid: [
+        // customInput IS in userInputVariables, so it's flagged
+        {
+          code: 'if (typeof customInput === "object") { /* process */ }',
+          options: [{ userInputVariables: ['customInput'] }],
+          errors: [
+            {
+              messageId: 'unsafeTypeofCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('config - disable instanceof checks', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'if (data instanceof Array) { /* process */ }',
+          options: [{ allowInstanceofSameRealm: false }],
+          errors: [
+            {
+              messageId: 'unsafeInstanceofUsage',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Complex Type Validation Scenarios', () => {
+    ruleTester.run('complex - real-world type validation patterns', noImproperTypeValidation, {
+      valid: [],
+      invalid: [
+        // typeof userInput === "object" triggers unsafeTypeofCheck
+        {
+          code: `
+            function processUserData(userInput) {
+              // DANGEROUS: typeof check misses null
+              if (typeof userInput === "object") {
+                // null would pass this check!
+                Object.keys(userInput).forEach(key => {
+                  processField(key, userInput[key]);
+                });
+              }
+            }
+          `,
+          errors: [
+            {
+              messageId: 'unsafeTypeofCheck',
+            },
+          ],
+        },
+        // credentials != null triggers looseEqualityTypeCheck (null comparison)
+        {
+          code: `
+            // Authentication bypass through type confusion
+            function authenticate(credentials) {
+              // DANGEROUS: loose equality allows type confusion
+              if (credentials != null) {
+                if (credentials.username == "admin") { // == allows string/number confusion
+                  return { role: "admin" };
+                }
+              }
+              return { role: "user" };
+            }
+          `,
+          errors: [
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+        // input != null triggers missingNullCheck (IfStatement) first,
+        // then looseEqualityTypeCheck (BinaryExpression)
+        {
+          code: `
+            // Incomplete type validation
+            function validateAndProcess(input) {
+              // DANGEROUS: only checks != null, misses undefined
+              if (input != null) {
+                if (typeof input === "string") {
+                  processString(input);
+                } else if (Array.isArray(input)) {
+                  processArray(input);
+                }
+                // undefined would pass != null check but cause issues
+              }
+            }
+          `,
+          errors: [
+            {
+              messageId: 'missingNullCheck',
+            },
+            {
+              messageId: 'looseEqualityTypeCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-insecure-comparison/index.ts ADDED Viewed

@@ -0,0 +1,232 @@
+/**
+ * ESLint Rule: no-insecure-comparison
+ * Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities
+ * CWE-697: Incorrect Comparison
+ *
+ * @see https://cwe.mitre.org/data/definitions/697.html
+ * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureComparison' | 'useStrictEquality' | 'timingUnsafeComparison';
+export interface Options {
+  /** Allow insecure comparison in test files. Default: false */
+  allowInTests?: boolean;
+  /** Additional patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+export const noInsecureComparison = createRule<RuleOptions, MessageIds>({
+  name: 'no-insecure-comparison',
+  meta: {
+    type: 'problem',
+    deprecated: true,
+    replacedBy: ['@see eslint-plugin-crypto/no-timing-unsafe-compare'],
+    docs: {
+      description: 'Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities',
+    },
+    fixable: 'code',
+    hasSuggestions: true,
+    messages: {
+      insecureComparison: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Insecure Comparison',
+        cwe: 'CWE-697',
+        description: 'Insecure comparison operator ({{operator}}) detected - can lead to type coercion vulnerabilities',
+        severity: 'HIGH',
+        fix: 'Use strict equality ({{strictOperator}}) instead: {{example}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/697.html',
+      }),
+      useStrictEquality: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Strict Equality',
+        description: 'Use strict equality operator',
+        severity: 'LOW',
+        fix: 'Replace == with === and != with !==',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Strict_equality',
+      }),
+      timingUnsafeComparison: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Timing Attack Risk',
+        cwe: 'CWE-208',
+        description: 'Secret comparison with {{operator}} can leak timing information',
+        severity: 'HIGH',
+        fix: 'Use crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))',
+        documentationLink: 'https://nodejs.org/api/crypto.html#cryptotimingsafeequala-b',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow insecure comparison in test files',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      ignorePatterns = [],
+    } = options as Options;
+    const filename = context.getFilename();
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    const sourceCode = context.sourceCode || context.sourceCode;
+    /**
+     * Check if a string matches any ignore pattern
+     */
+    function matchesIgnorePattern(text: string, patterns: string[]): boolean {
+      return patterns.some(pattern => {
+        try {
+          const regex = new RegExp(pattern, 'i');
+          return regex.test(text);
+        } catch {
+          // Invalid regex - treat as literal string match
+          return text.toLowerCase().includes(pattern.toLowerCase());
+        }
+      });
+    }
+    /**
+     * Check BinaryExpression for insecure comparison operators
+     */
+    function checkBinaryExpression(node: TSESTree.BinaryExpression) {
+      if (isTestFile) {
+        return;
+      }
+      const secretKeywords = ['secret', 'token', 'password', 'apikey', 'api_key', 'signature', 'auth', 'key', 'hash', 'digest', 'mac'];
+      const isSecurityContext = ((): boolean => {
+         let current: TSESTree.Node | undefined = node;
+         while (current) {
+             if ((current.type === 'FunctionDeclaration' ||
+                  current.type === 'FunctionExpression' ||
+                  current.type === 'ArrowFunctionExpression') &&
+                  'id' in current && current.id?.name) {
+                 if (/security|auth|crypto|hash|token|secret|insecure|verify|validate/i.test(current.id.name)) {
+                     return true;
+                 }
+             }
+             if (current.type === 'MethodDefinition' && current.key.type === 'Identifier') {
+                  if (/security|auth|crypto|hash|token|secret|insecure|verify|validate/i.test(current.key.name)) {
+                     return true;
+                 }
+             }
+             current = current.parent;
+         }
+         return false;
+      })();
+      const isPotentialSecret = (expr: TSESTree.Expression): boolean => {
+        const text = sourceCode.getText(expr).toLowerCase();
+        if (secretKeywords.some(keyword => text.includes(keyword))) return true;
+        // In security contexts, treat generic terms as potential secrets
+        if (isSecurityContext) {
+            const contextKeywords = ['provided', 'expected', 'actual', 'input', 'value', 'data'];
+            return contextKeywords.some(keyword => text.includes(keyword));
+        }
+        return false;
+      };
+      // Timing-safe comparison for secrets even with strict equality
+      if ((node.operator === '===' || node.operator === '!==') &&
+          (isPotentialSecret(node.left) || isPotentialSecret(node.right))) {
+        const leftText = sourceCode.getText(node.left);
+        const rightText = sourceCode.getText(node.right);
+        // ... rest of logic uses example ...
+        const example = `crypto.timingSafeEqual(Buffer.from(${leftText}), Buffer.from(${rightText}))`;
+        context.report({
+          node,
+          messageId: 'timingUnsafeComparison',
+          data: {
+            operator: node.operator,
+            strictOperator: node.operator,
+            example: example,
+          },
+          suggest: [
+            {
+              messageId: 'useStrictEquality', // This messageId usage might be wrong for timing safe output, but kept for now or reused?
+               // Wait, previous code used useStrictEquality as suggest?
+               // Ah, the previous code had a fix/suggest structure.
+              fix: (fixer: TSESLint.RuleFixer) => fixer.replaceText(node, example),
+            },
+          ],
+        });
+        return;
+      }
+      // Check for insecure comparison operators
+      if (node.operator === '==' || node.operator === '!=') {
+        const text = sourceCode.getText(node);
+        // Check if it matches any ignore pattern
+        if (matchesIgnorePattern(text, ignorePatterns)) {
+          return;
+        }
+        const strictOperator = node.operator === '==' ? '===' : '!==';
+        const leftText = sourceCode.getText(node.left);
+        const rightText = sourceCode.getText(node.right);
+        const example = `${leftText} ${strictOperator} ${rightText}`;
+        context.report({
+          node: node,
+          messageId: 'insecureComparison',
+          data: {
+            operator: node.operator,
+            strictOperator,
+            example,
+          },
+          fix: (fixer: TSESLint.RuleFixer) => {
+            return fixer.replaceText(node, example);
+          },
+          suggest: [
+            {
+              messageId: 'useStrictEquality',
+              fix: (fixer: TSESLint.RuleFixer) => {
+                return fixer.replaceText(node, example);
+              },
+            },
+          ],
+        });
+      }
+    }
+    return {
+      BinaryExpression: checkBinaryExpression,
+    };
+  },
+});