npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-insecure-comparison/no-insecure-comparison.test.ts ADDED Viewed

@@ -0,0 +1,218 @@
+/**
+ * Comprehensive tests for no-insecure-comparison rule
+ * CWE-697: Incorrect Comparison
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noInsecureComparison } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-insecure-comparison', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - strict equality operators', noInsecureComparison, {
+      valid: [
+        {
+          code: 'if (x === y) {}',
+        },
+        {
+          code: 'if (x !== y) {}',
+        },
+        {
+          code: 'const result = a === b ? 1 : 0;',
+        },
+        {
+          code: 'if (value !== null && value !== undefined) {}',
+        },
+        {
+          code: 'if (user.id === userId) {}',
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'if (x == y) {}',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+        // Ignored patterns
+        {
+          code: 'if (x == y) {}',
+          options: [{ ignorePatterns: ['x == y'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Loose Equality', () => {
+    ruleTester.run('invalid - loose equality operator', noInsecureComparison, {
+      valid: [],
+      invalid: [
+        {
+          code: 'if (x == y) {}',
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (x === y) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (x === y) {}',
+        },
+        {
+          code: 'if (user.id == userId) {}',
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (user.id === userId) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (user.id === userId) {}',
+        },
+        {
+          code: 'const result = a == b ? 1 : 0;',
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'const result = a === b ? 1 : 0;',
+                },
+              ],
+            },
+          ],
+          output: 'const result = a === b ? 1 : 0;',
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Loose Inequality', () => {
+    ruleTester.run('invalid - loose inequality operator', noInsecureComparison, {
+      valid: [],
+      invalid: [
+        {
+          code: 'if (x != y) {}',
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (x !== y) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (x !== y) {}',
+        },
+        {
+          code: 'if (value != null) {}',
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (value !== null) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (value !== null) {}',
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - allowInTests', noInsecureComparison, {
+      valid: [
+        {
+          code: 'if (x == y) {}',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'if (x == y) {}',
+          filename: 'server.ts',
+          options: [{ allowInTests: true }],
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (x === y) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (x === y) {}',
+        },
+      ],
+    });
+    ruleTester.run('options - ignorePatterns', noInsecureComparison, {
+      valid: [
+        {
+          code: 'if (x == y) {}',
+          options: [{ ignorePatterns: ['x == y'] }],
+        },
+        {
+          code: 'if (a != b) {}',
+          options: [{ ignorePatterns: ['a != b'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'if (x == y) {}',
+          options: [{ ignorePatterns: ['other'] }],
+          errors: [
+            {
+              messageId: 'insecureComparison',
+              suggestions: [
+                {
+                  messageId: 'useStrictEquality',
+                  output: 'if (x === y) {}',
+                },
+              ],
+            },
+          ],
+          output: 'if (x === y) {}',
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-insecure-cookie-settings/index.ts ADDED Viewed

@@ -0,0 +1,391 @@
+/**
+ * ESLint Rule: no-insecure-cookie-settings
+ * Detects insecure cookie configurations (missing httpOnly, secure, sameSite flags)
+ * CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+ *
+ * @see https://cwe.mitre.org/data/definitions/614.html
+ * @see https://owasp.org/www-community/HttpOnly
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons, createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureCookieSettings' | 'addSecureFlags';
+export interface Options {
+  /** Allow insecure cookies in test files. Default: false */
+  allowInTests?: boolean;
+  /** Cookie library patterns to recognize. Default: ['cookie', 'js-cookie', 'universal-cookie'] */
+  cookieLibraries?: string[];
+  /** Additional safe patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Check if a node is inside a cookie configuration
+ */
+function isInsideCookieConfig(
+  node: TSESTree.Node,
+  sourceCode: TSESLint.SourceCode
+): boolean {
+  let current: TSESTree.Node | null = node;
+  // Traverse up the parent chain
+  while (current && 'parent' in current && current.parent) {
+    current = current.parent as TSESTree.Node;
+    // Check for cookie-related method calls
+    if (current.type === 'CallExpression') {
+      const callExpr = current as TSESTree.CallExpression;
+      // Check for res.cookie() calls
+      if (callExpr.callee.type === 'MemberExpression') {
+        const memberExpr = callExpr.callee;
+        if (memberExpr.property.type === 'Identifier' && memberExpr.property.name === 'cookie') {
+          // Check if the node is an argument of this call
+          if (callExpr.arguments.some((arg: TSESTree.Node) => arg === node || (arg.type === 'ObjectExpression' && sourceCode.getText(arg).includes(sourceCode.getText(node))))) {
+            return true;
+          }
+        }
+      }
+      // Check for other cookie-related calls using text matching
+      const callText = sourceCode.getText(current);
+      if (/\b(cookie|cookies|setCookie|res\.cookie|document\.cookie)\b/i.test(callText)) {
+        const callee = callExpr.callee;
+        // Specific check for cookies.set / cookie.set
+         if (callee.type === 'MemberExpression' &&
+            callee.property.type === 'Identifier' &&
+            callee.property.name === 'set') {
+             return true;
+         }
+        // Check if node is part of this call
+        const nodeText = sourceCode.getText(node);
+        if (callText.includes(nodeText)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+/**
+ * Check if an object expression has secure cookie settings
+ */
+function hasSecureCookieSettings(
+  node: TSESTree.ObjectExpression,
+  sourceCode: TSESLint.SourceCode
+): { hasHttpOnly: boolean; hasSecure: boolean; hasSameSite: boolean } {
+  const text = sourceCode.getText(node);
+  // Check for httpOnly flag (case-insensitive)
+  const hasHttpOnly = /\bhttpOnly\s*:\s*(true|'true'|"true")/i.test(text);
+  // Check for secure flag (case-insensitive)
+  const hasSecure = /\bsecure\s*:\s*(true|'true'|"true")/i.test(text);
+  // Check for sameSite flag (should be 'strict', 'lax', or 'none')
+  const hasSameSite = /\bsameSite\s*:\s*['"](strict|lax|none)['"]/i.test(text);
+  return { hasHttpOnly, hasSecure, hasSameSite };
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text: string, ignorePatterns: string[]): boolean {
+  return ignorePatterns.some(pattern => {
+    try {
+      const regex = new RegExp(pattern, 'i');
+      return regex.test(text);
+    } catch {
+      return false;
+    }
+  });
+}
+export const noInsecureCookieSettings = createRule<RuleOptions, MessageIds>({
+  name: 'no-insecure-cookie-settings',
+  meta: {
+    type: 'problem',
+    deprecated: true,
+    replacedBy: ['@see eslint-plugin-express-security/no-insecure-cookie-options'],
+    docs: {
+      description: 'Detects insecure cookie configurations (missing httpOnly, secure, sameSite flags)',
+    },
+    hasSuggestions: true,
+    messages: {
+      insecureCookieSettings: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Insecure Cookie Configuration',
+        cwe: 'CWE-614',
+        description: 'Insecure cookie settings detected: {{issue}}',
+        severity: 'HIGH',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/614.html',
+      }),
+      addSecureFlags: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Add Secure Flags',
+        description: 'Set secure cookie flags',
+        severity: 'LOW',
+        fix: '{ httpOnly: true, secure: true, sameSite: "strict" }',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow insecure cookies in test files',
+          },
+          cookieLibraries: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Cookie library patterns to recognize',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional safe patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      cookieLibraries: [],
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      ignorePatterns = [],
+    } = options as Options;
+    const filename = context.getFilename();
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    const sourceCode = context.sourceCode || context.sourceCode;
+    function checkObjectExpression(node: TSESTree.ObjectExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check if this ObjectExpression is the third argument of a cookie call
+      // First, check if parent is directly a CallExpression
+      if (node.parent && node.parent.type === 'CallExpression') {
+        const parentCall = node.parent as TSESTree.CallExpression;
+        const callee = parentCall.callee;
+        // Check if it's a cookie call
+        if (
+          callee.type === 'MemberExpression' &&
+          callee.property.type === 'Identifier' &&
+          callee.property.name === 'cookie'
+        ) {
+          // Check if this node is the third argument (index 2)
+          // Use both reference check and range check for reliability
+          const thirdArg = parentCall.arguments.length >= 3 ? parentCall.arguments[2] : null;
+          const isThirdArg = thirdArg && (
+            thirdArg === node ||
+            (thirdArg.type === 'ObjectExpression' &&
+             thirdArg.range[0] === node.range[0] &&
+             thirdArg.range[1] === node.range[1])
+          );
+          if (isThirdArg) {
+            // Check if the parent call is ignored
+            const callText = sourceCode.getText(parentCall);
+            if (matchesIgnorePattern(callText, ignorePatterns)) {
+              return;
+            }
+          }
+        }
+      }
+      // If not handled above, check if it's inside a cookie config using helper
+      if (!isInsideCookieConfig(node, sourceCode)) {
+        return;
+      }
+      // If it's inside a cookie config, check it
+      const text = sourceCode.getText(node);
+      // Check if it matches any ignore pattern
+      if (matchesIgnorePattern(text, ignorePatterns)) {
+        return;
+      }
+      const { hasHttpOnly, hasSecure, hasSameSite } = hasSecureCookieSettings(node, sourceCode);
+      const issues: string[] = [];
+      if (!hasHttpOnly) {
+        issues.push('missing httpOnly flag');
+      }
+      if (!hasSecure) {
+        issues.push('missing secure flag');
+      }
+      if (!hasSameSite) {
+        issues.push('missing sameSite flag');
+      }
+      if (issues.length > 0) {
+        const issueDescription = issues.join(', ');
+        const safeAlternative = 'Set httpOnly: true, secure: true, sameSite: "strict"';
+        context.report({
+          node,
+          messageId: 'insecureCookieSettings',
+          data: {
+            issue: issueDescription,
+            safeAlternative,
+          },
+          suggest: [
+            {
+              messageId: 'addSecureFlags',
+              fix(fixer: TSESLint.RuleFixer) {
+                // Find the last property in the object
+                const properties = node.properties;
+                if (properties.length === 0) {
+                  // Empty object - add all flags
+                  return fixer.replaceText(node, '{ httpOnly: true, secure: true, sameSite: "strict" }');
+                }
+                const lastProperty = properties[properties.length - 1];
+                const lastPropertyText = sourceCode.getText(lastProperty);
+                const needsComma = !lastPropertyText.trim().endsWith(',');
+                const insertPosition = lastProperty.range[1];
+                const missingFlags: string[] = [];
+                if (!hasHttpOnly) missingFlags.push('httpOnly: true');
+                if (!hasSecure) missingFlags.push('secure: true');
+                if (!hasSameSite) missingFlags.push('sameSite: "strict"');
+                const prefix = needsComma ? ',' : '';
+                const insertion = prefix + '\n  ' + missingFlags.join(',\n  ');
+                return fixer.insertTextAfterRange(
+                  [insertPosition, insertPosition],
+                  insertion
+                );
+              },
+            },
+          ],
+        });
+      }
+    }
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      if (isTestFile) {
+        return;
+      }
+      const callee = node.callee;
+      const callText = sourceCode.getText(node);
+      // Check if it matches any ignore pattern
+      if (matchesIgnorePattern(callText, ignorePatterns)) {
+        return;
+      }
+      // Check for res.cookie() calls or cookies.set() calls
+      const isResCookie =
+        callee.type === 'MemberExpression' &&
+        callee.property.type === 'Identifier' &&
+        callee.property.name === 'cookie';
+      const isUniversalCookie =
+        callee.type === 'MemberExpression' &&
+        callee.property.type === 'Identifier' &&
+        callee.property.name === 'set' &&
+        callee.object.type === 'Identifier' &&
+        (callee.object.name === 'cookies' || callee.object.name === 'cookie');
+      if (isResCookie || isUniversalCookie) {
+        // Check if third argument (options) is provided
+        if (node.arguments.length < 3) {
+          context.report({
+            node,
+            messageId: 'insecureCookieSettings',
+            data: {
+              issue: 'missing cookie options with httpOnly, secure, and sameSite flags',
+              safeAlternative: 'Add options object: res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "strict" })',
+            },
+            suggest: [
+              {
+                messageId: 'addSecureFlags',
+                fix(fixer: TSESLint.RuleFixer) {
+                  // Add options as third argument
+                  const lastArg = node.arguments[node.arguments.length - 1];
+                  const insertPosition = lastArg.range[1];
+                  return fixer.insertTextAfterRange(
+                    [insertPosition, insertPosition],
+                    `, { httpOnly: true, secure: true, sameSite: "strict" }`
+                  );
+                },
+              },
+            ],
+          });
+          return;
+        }
+      }
+    }
+    function checkAssignmentExpression(node: TSESTree.AssignmentExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check for document.cookie assignments
+      if (
+        node.left.type === 'MemberExpression' &&
+        node.left.object.type === 'Identifier' &&
+        node.left.object.name === 'document' &&
+        node.left.property.type === 'Identifier' &&
+        node.left.property.name === 'cookie'
+      ) {
+        const text = sourceCode.getText(node);
+        // Check if it matches any ignore pattern
+        if (matchesIgnorePattern(text, ignorePatterns)) {
+          return;
+        }
+        context.report({
+          node,
+          messageId: 'insecureCookieSettings',
+          data: {
+            issue: 'using document.cookie directly (cannot set httpOnly flag)',
+            safeAlternative: 'Use server-side cookie setting with httpOnly: true, secure: true, sameSite: "strict"',
+          },
+        });
+      }
+    }
+    return {
+      ObjectExpression: checkObjectExpression,
+      CallExpression: checkCallExpression,
+      AssignmentExpression: checkAssignmentExpression,
+    };
+  },
+});