npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-insecure-jwt/no-insecure-jwt.test.ts ADDED Viewed

@@ -0,0 +1,259 @@
+/**
+ * Comprehensive tests for no-insecure-jwt rule
+ * Security: CWE-347 (JWT Security Vulnerabilities)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noInsecureJwt } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-insecure-jwt', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - secure JWT operations', noInsecureJwt, {
+      valid: [
+        // Secure JWT verification
+        {
+          code: 'jwt.verify(token, publicKey, { algorithms: ["RS256"] });',
+        },
+        {
+          code: 'jwt.verify(token, secret, { algorithms: ["HS256"] });',
+        },
+        // Using jose library
+        {
+          code: 'const payload = await jwtVerify(token, publicKey);',
+        },
+        // Strong secrets
+        {
+          code: 'jwt.sign(payload, crypto.randomBytes(32).toString("hex"));',
+        },
+        // Literal JWT strings (not flagged as they might be test data)
+        {
+          code: '// eslint-disable-next-line\nconst testToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";',
+        },
+        // Non-JWT libraries
+        {
+          code: 'const token = crypto.randomBytes(32);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Algorithm Confusion', () => {
+    ruleTester.run('invalid - algorithm confusion attacks', noInsecureJwt, {
+      valid: [],
+      invalid: [
+        // String literal algorithm spec triggers detection
+        {
+          code: 'jwt.verify(token, "secret", { alg: "none" });',
+          errors: [
+            {
+              messageId: 'insecureJwtAlgorithm',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Missing Signature Verification', () => {
+    ruleTester.run('invalid - missing signature verification', noInsecureJwt, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const payload = jwt.decode(token);',
+          errors: [
+            {
+              messageId: 'jwtWithoutValidation',
+            },
+            {
+              messageId: 'missingSignatureVerification',
+            },
+          ],
+        },
+        {
+          code: 'const decoded = jwt.decode(token, { complete: true });',
+          errors: [
+            {
+              messageId: 'jwtWithoutValidation',
+            },
+            {
+              messageId: 'missingSignatureVerification',
+            },
+          ],
+        },
+        {
+          code: 'const user = jwt.decode(authToken);',
+          errors: [
+            {
+              messageId: 'jwtWithoutValidation',
+            },
+            {
+              messageId: 'missingSignatureVerification',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Weak Secrets', () => {
+    ruleTester.run('invalid - weak JWT secrets with weak algorithms', noInsecureJwt, {
+      valid: [
+        // Weak secrets without algorithm spec are not flagged
+        {
+          code: 'jwt.sign(payload, "weak");',
+        },
+        // Strong secret with weak algorithm is OK
+        {
+          code: 'jwt.sign(payload, "ThisIsAVeryLongSecretThatIsDefinitelyLongerThan32Characters", { algorithms: ["HS256"] });',
+        },
+      ],
+      invalid: [
+        // Weak algorithm (HS256) with weak (short) secret - triggers weakJwtSecret
+        {
+          code: 'jwt.verify(token, "weak", { alg: "HS256" });',
+          errors: [{ messageId: 'weakJwtSecret' }],
+        },
+        // Weak algorithm with short secret
+        {
+          code: 'jwt.sign(payload, "short", { algorithm: "HS384" });',
+          errors: [{ messageId: 'weakJwtSecret' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - JWT Without Validation', () => {
+    ruleTester.run('invalid - JWT used without validation', noInsecureJwt, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const payload = jwt.decode(token); const userId = payload.userId;',
+          errors: [
+            {
+              messageId: 'jwtWithoutValidation',
+            },
+            {
+              messageId: 'missingSignatureVerification',
+            },
+          ],
+        },
+        {
+          code: 'const decoded = jwt.decode(authToken); if (decoded.exp < Date.now()) { /* use decoded */ }',
+          errors: [
+            {
+              messageId: 'jwtWithoutValidation',
+            },
+            {
+              messageId: 'missingSignatureVerification',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noInsecureJwt, {
+      valid: [
+        // Safe annotations suppress warnings
+        {
+          code: `
+            /** @verified */
+            const payload = jwt.decode(token);
+          `,
+        },
+        {
+          code: `
+            // @safe
+            const decoded = jwt.decode(authToken);
+          `,
+        },
+        // Strong secrets (no algorithm spec, so not flagged)
+        {
+          code: 'jwt.sign(payload, crypto.randomBytes(32).toString("hex"));',
+        },
+        {
+          code: 'jwt.sign(payload, "ThisIsAVeryLongSecretThatIsDefinitelyLongerThan32Characters");',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Unsafe JWT Parsing', () => {
+    ruleTester.run('invalid - unsafe JWT string usage', noInsecureJwt, {
+      valid: [
+        // Hardcoded JWT but verified (inline)
+        {
+          code: `
+            jwt.verify("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ", secret);
+          `,
+        },
+        // Not a JWT (not 3 parts)
+        {
+          code: 'const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9";',
+        },
+      ],
+      invalid: [
+        // Hardcoded JWT used without verification context
+        {
+          code: 'const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"; console.log(token);',
+          errors: [{ messageId: 'unsafeJwtParsing' }],
+        },
+      ],
+    });
+  });
+  describe('Configuration Options', () => {
+    // Note: allowedInsecureAlgorithms option not fully implemented in rule
+    ruleTester.run('config - custom min secret length', noInsecureJwt, {
+      valid: [
+        // Secret length not checked without algorithm spec
+        {
+          code: 'jwt.sign(payload, "ThisIs16Chars");',
+          options: [{ minSecretLength: 16 }],
+        },
+        // Short secret without algorithm spec is valid
+        {
+          code: 'jwt.sign(payload, "short");',
+          options: [{ minSecretLength: 16 }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('config - custom trusted libraries', noInsecureJwt, {
+      valid: [
+        // Custom trusted library
+        {
+          code: 'myJwt.verify(token, secret);',
+          options: [{ trustedJwtLibraries: ['myJwt'] }],
+        },
+        // Unknown library isn't flagged (rule only checks trusted libraries)
+        {
+          code: 'unknownJwt.verify(token, secret);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+});

package/src/rules/no-insecure-redirects/index.ts ADDED Viewed

@@ -0,0 +1,267 @@
+/**
+ * ESLint Rule: no-insecure-redirects
+ * Detects open redirect vulnerabilities
+ * CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
+ *
+ * @see https://cwe.mitre.org/data/definitions/601.html
+ * @see https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'insecureRedirect'
+  | 'whitelistDomains'
+  | 'validateRedirect'
+  | 'useRelativeUrl';
+export interface Options {
+  /** Ignore in test files. Default: true */
+  ignoreInTests?: boolean;
+  /** Allowed redirect domains. Default: [] */
+  allowedDomains?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Check if redirect URL is validated
+ */
+function isRedirectValidated(
+  node: TSESTree.CallExpression,
+  sourceCode: TSESLint.SourceCode
+): boolean {
+  const callText = sourceCode.getText(node);
+  // Check if URL is from user input (req.query, req.body, req.params)
+  const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
+  if (!userInputPattern.test(callText)) {
+    // Not from user input, assume safe
+    return true;
+  }
+  // Look for validation patterns in the surrounding code
+  // This is a simplified static analysis - in practice, would need data flow analysis
+  const program = sourceCode.ast;
+  const nodeStart = node.loc?.start;
+  const nodeEnd = node.loc?.end;
+  /* c8 ignore start -- Guard clause: loc is always present in RuleTester */
+  if (!nodeStart || !nodeEnd || !program) {
+    return false;
+  }
+  /* c8 ignore stop */
+  // Check for validation function calls before this redirect
+  const validationPatterns = [
+    /\b(validateUrl|validateRedirect|isValidUrl|isSafeUrl)\s*\(/,
+    /\b(whitelist|allowedDomains|permittedUrls)\s*\./,
+    /\b(url\.hostname|url\.host)\s*===/,
+    /\ballowedDomains\.includes\s*\(/,
+    /\bstartsWith\s*\(\s*['"]/,
+    /\bendsWith\s*\(\s*['"]/,
+    /\bindexOf\s*\(\s*['"]/,
+    /\bmatch\s*\(\s*\//,
+  ];
+  // Look for validation in the same function scope
+  let current: TSESTree.Node | null = node;
+  let depth = 0;
+  const maxDepth = 20;
+  while (current && depth < maxDepth) {
+    // Check siblings before this node
+    const parent: TSESTree.Node | undefined = (current as TSESTree.Node & { parent?: TSESTree.Node }).parent;
+    if (!parent) break;
+    if (parent.type === 'BlockStatement') {
+      const body = parent.body;
+      const currentIndex = body.indexOf(current as TSESTree.Statement);
+      // Check previous statements in the same block
+      for (let i = currentIndex - 1; i >= 0 && i >= currentIndex - 5; i--) {
+        const stmt = body[i];
+        const stmtText = sourceCode.getText(stmt);
+        if (validationPatterns.some(pattern => pattern.test(stmtText))) {
+          return true; // Found validation
+        }
+      }
+    }
+    current = parent;
+    depth++;
+  }
+  // No validation found
+  return false;
+}
+export const noInsecureRedirects = createRule<RuleOptions, MessageIds>({
+  name: 'no-insecure-redirects',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects open redirect vulnerabilities',
+    },
+    hasSuggestions: true,
+    messages: {
+      insecureRedirect: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Open redirect',
+        cwe: 'CWE-601',
+        description: 'Unvalidated redirect detected - user-controlled URL',
+        severity: 'HIGH',
+        fix: 'Whitelist allowed domains or validate redirect target',
+        documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+      }),
+      whitelistDomains: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Whitelist Domains',
+        description: 'Whitelist allowed redirect domains',
+        severity: 'LOW',
+        fix: 'if (allowedDomains.includes(url.hostname)) redirect(url)',
+        documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+      }),
+      validateRedirect: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Validate Redirect',
+        description: 'Validate redirect URL before use',
+        severity: 'LOW',
+        fix: 'validateRedirectUrl(userInput) before redirect',
+        documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+      }),
+      useRelativeUrl: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Relative URL',
+        description: 'Use relative URLs for internal redirects',
+        severity: 'LOW',
+        fix: 'redirect("/internal/path") instead of absolute URLs',
+        documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          ignoreInTests: {
+            type: 'boolean',
+            default: true,
+          },
+          allowedDomains: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      ignoreInTests: true,
+      allowedDomains: [],
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>, [options = {}]) {
+    const {
+ignoreInTests = true
+}: Options = options || {};
+    const filename = context.getFilename();
+    const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    if (isTestFile) {
+      return {};
+    }
+    const sourceCode = context.sourceCode || context.sourceCode;
+    /**
+     * Check redirect calls and assignments
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      // Check for res.redirect, window.location, etc.
+      if (node.callee.type === 'MemberExpression' &&
+          node.callee.property.type === 'Identifier') {
+        const methodName = node.callee.property.name;
+        if (['redirect', 'replace', 'assign'].includes(methodName)) {
+          // Check if redirect URL is validated
+          if (!isRedirectValidated(node, sourceCode)) {
+            context.report({
+              node,
+              messageId: 'insecureRedirect',
+              suggest: [
+                {
+                  messageId: 'whitelistDomains',
+                  fix: () => null,
+                },
+                {
+                  messageId: 'validateRedirect',
+                  fix: () => null,
+                },
+                {
+                  messageId: 'useRelativeUrl',
+                  fix: () => null,
+                },
+              ],
+            });
+          }
+        }
+      }
+    }
+    /**
+     * Check assignment expressions like window.location.href = ...
+     */
+    function checkAssignmentExpression(node: TSESTree.AssignmentExpression) {
+      // Check for window.location.href assignments
+      if (node.left.type === 'MemberExpression' &&
+          node.left.object.type === 'MemberExpression' &&
+          node.left.object.object.type === 'Identifier' &&
+          node.left.object.object.name === 'window' &&
+          node.left.object.property.type === 'Identifier' &&
+          node.left.object.property.name === 'location' &&
+          node.left.property.type === 'Identifier' &&
+          ['href', 'replace', 'assign'].includes(node.left.property.name)) {
+        // Check if assignment value comes from user input
+        const rightText = sourceCode.getText(node.right);
+        const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
+        if (userInputPattern.test(rightText)) {
+          context.report({
+            node,
+            messageId: 'insecureRedirect',
+            suggest: [
+              {
+                messageId: 'whitelistDomains',
+                fix: () => null,
+              },
+              {
+                messageId: 'validateRedirect',
+                fix: () => null,
+              },
+              {
+                messageId: 'useRelativeUrl',
+                fix: () => null,
+              },
+            ],
+          });
+        }
+      }
+    }
+    return {
+      CallExpression: checkCallExpression,
+      AssignmentExpression: checkAssignmentExpression,
+    };
+  },
+});

package/src/rules/no-insecure-redirects/no-insecure-redirects.test.ts ADDED Viewed

@@ -0,0 +1,108 @@
+/**
+ * Comprehensive tests for no-insecure-redirects rule
+ * Security: CWE-601 - Detects open redirect vulnerabilities
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noInsecureRedirects } from './index';
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-insecure-redirects', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - validated redirects', noInsecureRedirects, {
+      valid: [
+        // Relative redirects
+        { code: 'res.redirect("/dashboard");' },
+        { code: 'res.redirect("../home");' },
+        // Test files (if ignoreInTests is true)
+        {
+          code: 'res.redirect(req.query.url);',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: true }],
+        },
+        // Validated with validateUrl
+        {
+          code: `
+            const url = req.query.url;
+            validateUrl(url);
+            res.redirect(url);
+          `,
+        },
+        // Validated with isValidUrl
+        {
+          code: `
+            const redirect = req.query.redirect;
+            if (isValidUrl(redirect)) {
+              res.redirect(redirect);
+            }
+          `,
+        },
+        // Validated with allowedDomains check
+        {
+          code: `
+            const target = req.body.target;
+            if (allowedDomains.includes(target)) {
+              res.redirect(target);
+            }
+          `,
+        },
+        // Validated with startsWith check
+        {
+          code: `
+            const url = req.params.url;
+            url.startsWith('https://');
+            res.redirect(url);
+          `,
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Insecure Redirects', () => {
+    ruleTester.run('invalid - unvalidated redirects', noInsecureRedirects, {
+      valid: [],
+      invalid: [
+        { code: 'res.redirect(req.query.url);', errors: [{ messageId: 'insecureRedirect' }] },
+        { code: 'res.redirect(req.body.redirectUrl);', errors: [{ messageId: 'insecureRedirect' }] },
+        { code: 'window.location.href = req.params.url;', errors: [{ messageId: 'insecureRedirect' }] },
+        // Using location.replace
+        { code: 'location.replace(req.query.url);', errors: [{ messageId: 'insecureRedirect' }] },
+        { code: 'location.assign(req.body.next);', errors: [{ messageId: 'insecureRedirect' }] },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - ignoreInTests', noInsecureRedirects, {
+      valid: [
+        {
+          code: 'res.redirect(req.query.url);',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'res.redirect(req.query.url);',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: false }],
+          errors: [{ messageId: 'insecureRedirect' }],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-insecure-websocket/index.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * @fileoverview Require secure WebSocket connections (wss://)
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noInsecureWebsocket = createRule<RuleOptions, MessageIds>({
+  name: 'no-insecure-websocket',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Require secure WebSocket connections (wss://)',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Insecure WebSocket',
+        cwe: 'CWE-319',
+        description: 'Insecure WebSocket connection (ws://) - data transmitted in clear text',
+        severity: 'HIGH',
+        fix: 'Use wss:// instead of ws:// for secure WebSocket connections',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    return {
+      NewExpression(node: TSESTree.NewExpression) {
+        // Check for new WebSocket('ws://...')
+        if (node.callee.type === 'Identifier' && node.callee.name === 'WebSocket') {
+          const urlArg = node.arguments[0];
+          // Check literal string
+          if (urlArg && urlArg.type === 'Literal' &&
+              typeof urlArg.value === 'string' &&
+              urlArg.value.startsWith('ws://')) {
+            report(node);
+          }
+          // Check template literal
+          if (urlArg && urlArg.type === 'TemplateLiteral') {
+            const text = context.sourceCode.getText(urlArg);
+            if (text.includes('ws://')) {
+              report(node);
+            }
+          }
+        }
+      },
+      Literal(node: TSESTree.Literal) {
+        // Check for ws:// URLs in string literals
+        if (typeof node.value === 'string' && node.value.startsWith('ws://')) {
+          report(node);
+        }
+      },
+    };
+  },
+});