npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-insufficient-postmessage-validation/no-insufficient-postmessage-validation.test.ts ADDED Viewed

@@ -0,0 +1,360 @@
+/**
+ * Comprehensive tests for no-insufficient-postmessage-validation rule
+ * Security: CWE-20 (Improper Input Validation)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noInsufficientPostmessageValidation } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-insufficient-postmessage-validation', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - secure postMessage usage', noInsufficientPostmessageValidation, {
+      valid: [
+        // Secure postMessage with specific origins
+        {
+          code: 'window.postMessage(data, "https://trusted-app.com");',
+        },
+        {
+          code: 'parent.postMessage(result, "https://parent-domain.com");',
+        },
+        // Message handlers with origin validation
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              if (event.origin === 'https://trusted.com') {
+                processData(event.data);
+              }
+            });
+          `,
+        },
+        // Origin whitelist validation
+        {
+          code: `
+            const allowedOrigins = ['https://app1.com', 'https://app2.com'];
+            window.addEventListener('message', (event) => {
+              if (allowedOrigins.includes(event.origin)) {
+                handleMessage(event.data);
+              }
+            });
+          `,
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Wildcard Origins', () => {
+    ruleTester.run('invalid - wildcard postMessage origins', noInsufficientPostmessageValidation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'window.postMessage(data, "*");',
+          errors: [
+            {
+              messageId: 'wildcardOrigin',
+            },
+          ],
+        },
+        {
+          code: 'parent.postMessage(result, "*");',
+          errors: [
+            {
+              messageId: 'wildcardOrigin',
+            },
+          ],
+        },
+        {
+          code: 'iframe.contentWindow.postMessage(data, "*");',
+          errors: [
+            {
+              messageId: 'wildcardOrigin',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Missing Origin Checks', () => {
+    ruleTester.run('invalid - message handlers without origin validation', noInsufficientPostmessageValidation, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            window.addEventListener('message', function(event) {
+              processData(event.data);
+            });
+          `,
+          errors: [
+            {
+              messageId: 'missingOriginCheck',
+            },
+          ],
+        },
+        {
+          code: `
+            window.onmessage = (event) => {
+              handleMessage(event.data);
+            };
+          `,
+          errors: [
+            {
+              messageId: 'missingOriginCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noInsufficientPostmessageValidation, {
+      valid: [
+        // Validated message handlers with safe annotation
+        {
+          code: `
+            /** @safe-message */
+            window.addEventListener('message', (event) => {
+              processData(event.data);
+            });
+          `,
+        },
+        // Development wildcard allowance
+        {
+          code: 'window.postMessage(data, "*");',
+          options: [{ allowWildcardInDev: true }],
+        },
+        // Explicitly allowed origins including wildcard
+        {
+          code: 'window.postMessage(data, "*");',
+          options: [{ allowedOrigins: ['*'] }],
+        },
+        // Safe origin validation patterns in handler
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              if (event.origin && event.origin.endsWith('.trusted.com')) {
+                processData(event.data);
+              }
+            });
+          `,
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - allowed origins', noInsufficientPostmessageValidation, {
+      valid: [
+        // Specific origin is always allowed (rule only flags wildcard)
+        {
+          code: 'window.postMessage(data, "https://allowed.com");',
+        },
+        // Non-allowed specific origin is still valid (rule focuses on wildcard)
+        {
+          code: 'window.postMessage(data, "https://not-allowed.com");',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('config - development wildcard', noInsufficientPostmessageValidation, {
+      valid: [
+        {
+          code: 'window.postMessage(data, "*");',
+          options: [{ allowWildcardInDev: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Deep Validation Mode', () => {
+    ruleTester.run('deepValidation - origin checks in AST', noInsufficientPostmessageValidation, {
+      valid: [
+        // Deep validation detects event.origin comparison on left side
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              if (event.origin === 'https://trusted.com') {
+                processData(event.data);
+              }
+            });
+          `,
+          options: [{ deepValidation: true }],
+        },
+        // Deep validation detects includes() on allowedOrigins array
+        {
+          code: `
+            const allowedOrigins = ['https://app1.com'];
+            window.addEventListener('message', (event) => {
+              if (allowedOrigins.includes(event.origin)) {
+                handleMessage(event.data);
+              }
+            });
+          `,
+          options: [{ deepValidation: true }],
+        },
+        // Deep validation detects origin check on right side of comparison
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              if ('https://trusted.com' === event.origin) {
+                processData(event.data);
+              }
+            });
+          `,
+          options: [{ deepValidation: true }],
+        },
+      ],
+      invalid: [
+        // Deep validation still catches missing origin checks
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              processData(event.data);
+            });
+          `,
+          options: [{ deepValidation: true }],
+          errors: [{ messageId: 'missingOriginCheck' }],
+        },
+      ],
+    });
+  });
+  describe('Allowed Origins Configuration', () => {
+    ruleTester.run('allowedOrigins - specific origin validation', noInsufficientPostmessageValidation, {
+      valid: [
+        // Origin in allowedOrigins list
+        {
+          code: 'window.postMessage(data, "https://allowed.com");',
+          options: [{ allowedOrigins: ['https://allowed.com'] }],
+        },
+      ],
+      invalid: [
+        // Origin NOT in allowedOrigins list triggers useSpecificOrigins
+        {
+          code: 'window.postMessage(data, "https://not-allowed.com");',
+          options: [{ allowedOrigins: ['https://only-this.com'] }],
+          errors: [{ messageId: 'useSpecificOrigins' }],
+        },
+      ],
+    });
+  });
+  describe('Complex PostMessage Scenarios', () => {
+    ruleTester.run('complex - real-world postMessage patterns', noInsufficientPostmessageValidation, {
+      valid: [],
+      invalid: [
+        // Cross-origin iframe communication vulnerability
+        {
+          code: `
+            function sendToIframe(data) {
+              const iframe = document.getElementById('external-iframe');
+              iframe.contentWindow.postMessage(data, '*');
+            }
+          `,
+          errors: [
+            {
+              messageId: 'wildcardOrigin',
+            },
+          ],
+        },
+        // Message handler without origin validation
+        {
+          code: `
+            window.addEventListener('message', (event) => {
+              if (event.data.type === 'update') {
+                updateUserData(event.data.payload);
+              }
+            });
+          `,
+          errors: [
+            {
+              messageId: 'missingOriginCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('onmessage Assignment Patterns', () => {
+    ruleTester.run('onmessage - assignment edge cases', noInsufficientPostmessageValidation, {
+      valid: [
+        // onmessage with origin validation
+        {
+          code: `
+            window.onmessage = (event) => {
+              if (event.origin === 'https://trusted.com') {
+                handleMessage(event.data);
+              }
+            };
+          `,
+        },
+        // onmessage with safe annotation
+        {
+          code: `
+            /** @safe-message */
+            window.onmessage = (event) => {
+              handleMessage(event.data);
+            };
+          `,
+        },
+      ],
+      invalid: [
+        // FunctionExpression without origin validation
+        {
+          code: `
+            window.onmessage = function(event) {
+              handleMessage(event.data);
+            };
+          `,
+          errors: [{ messageId: 'missingOriginCheck' }],
+        },
+      ],
+    });
+  });
+  describe('Edge Cases and Boundary Conditions', () => {
+    ruleTester.run('edge cases - various patterns', noInsufficientPostmessageValidation, {
+      valid: [
+        // Non-message event type (should not be flagged)
+        {
+          code: `
+            window.addEventListener('click', (event) => {
+              handleClick(event);
+            });
+          `,
+        },
+        // postMessage with only one argument (no origin)
+        {
+          code: 'window.postMessage(data);',
+        },
+        // postMessage with non-literal origin
+        {
+          code: 'window.postMessage(data, targetOrigin);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+});

package/src/rules/no-insufficient-random/index.ts ADDED Viewed

@@ -0,0 +1,288 @@
+/**
+ * ESLint Rule: no-insufficient-random
+ * Detects weak random number generation (Math.random(), weak PRNG)
+ * CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+ *
+ * @see https://cwe.mitre.org/data/definitions/338.html
+ * @see https://owasp.org/www-community/vulnerabilities/Weak_Random_Number_Generation
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'insufficientRandom'
+  | 'useCryptoRandomValues'
+  | 'useSecureRandom';
+export interface Options {
+  /** Allow Math.random() in test files. Default: false */
+  allowInTests?: boolean;
+  /** Additional weak PRNG patterns to detect. Default: [] */
+  additionalWeakPatterns?: string[];
+  /** Trusted random libraries. Default: ['crypto'] */
+  trustedLibraries?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Weak random number generation patterns
+ */
+interface WeakRandomPattern {
+  /** Pattern to match */
+  pattern: RegExp;
+  /** Pattern name for display */
+  name: string;
+  /** Category of weakness */
+  category: 'math' | 'library' | 'custom';
+  /** Safe alternatives */
+  alternatives: string[];
+  /** Example fix */
+  example: {
+    bad: string;
+    good: string;
+  };
+  /** Effort to fix */
+  effort: string;
+}
+const WEAK_RANDOM_PATTERNS: WeakRandomPattern[] = [
+  {
+    pattern: /\bMath\.random\b/i,
+    name: 'Math.random()',
+    category: 'math',
+    alternatives: ['crypto.getRandomValues()', 'crypto.randomBytes()'],
+    example: {
+      bad: 'const random = Math.random();',
+      good: 'const random = crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1);'
+    },
+    effort: '5 minutes'
+  },
+  {
+    pattern: /\brandom\(\)/i,
+    name: 'random()',
+    category: 'library',
+    alternatives: ['crypto.getRandomValues()'],
+    example: {
+      bad: 'const random = random();',
+      good: 'const random = crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1);'
+    },
+    effort: '5 minutes'
+  }
+];
+/**
+ * Check if a string contains a weak random pattern
+ */
+function containsWeakRandom(
+  value: string,
+  additionalPatterns: string[]
+): WeakRandomPattern | null {
+  // Check standard patterns
+  for (const pattern of WEAK_RANDOM_PATTERNS) {
+    if (pattern.pattern.test(value)) {
+      return pattern;
+    }
+  }
+  // Check additional patterns
+  for (const additionalPattern of additionalPatterns) {
+    const regex = new RegExp(`\\b${additionalPattern}\\b`, 'i');
+    if (regex.test(value)) {
+      return {
+        pattern: regex,
+        name: additionalPattern,
+        category: 'custom',
+        alternatives: ['crypto.getRandomValues()'],
+        example: {
+          bad: `${additionalPattern}()`,
+          good: 'crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1)'
+        },
+        effort: '10 minutes'
+      };
+    }
+  }
+  return null;
+}
+/**
+ * Check if a MemberExpression is Math.random()
+ */
+function isMathRandom(node: TSESTree.MemberExpression): boolean {
+  return (
+    node.object.type === 'Identifier' &&
+    node.object.name === 'Math' &&
+    node.property.type === 'Identifier' &&
+    node.property.name === 'random'
+  );
+}
+/**
+ * Generate refactoring suggestions
+ */
+function generateSuggestions(
+  pattern: WeakRandomPattern
+): { messageId: MessageIds; fix: string }[] {
+  const suggestions: { messageId: MessageIds; fix: string }[] = [];
+  if (pattern.category === 'math') {
+    suggestions.push({
+      messageId: 'useCryptoRandomValues',
+      fix: 'Use crypto.getRandomValues(): const random = crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1);'
+    });
+  } else {
+    suggestions.push({
+      messageId: 'useSecureRandom',
+      fix: 'Use crypto.getRandomValues() or crypto.randomBytes() for secure random number generation'
+    });
+  }
+  return suggestions;
+}
+export const noInsufficientRandom = createRule<RuleOptions, MessageIds>({
+  name: 'no-insufficient-random',
+  meta: {
+    type: 'problem',
+    deprecated: true,
+    replacedBy: ['@see eslint-plugin-crypto/no-math-random-crypto'],
+    docs: {
+      description: 'Detects weak random number generation (Math.random(), weak PRNG)',
+    },
+    hasSuggestions: true,
+    messages: {
+      insufficientRandom: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Weak random number generation',
+        cwe: 'CWE-338',
+        description: 'Use of weak pseudo-random number generator: {{pattern}}',
+        severity: 'HIGH',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/338.html',
+      }),
+      useCryptoRandomValues: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Crypto Random',
+        description: 'Use crypto.getRandomValues()',
+        severity: 'LOW',
+        fix: 'crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1)',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues',
+      }),
+      useSecureRandom: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Secure Random',
+        description: 'Use crypto for secure random generation',
+        severity: 'LOW',
+        fix: 'crypto.randomBytes() or crypto.getRandomValues()',
+        documentationLink: 'https://nodejs.org/api/crypto.html#cryptorandombytessize-callback',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow Math.random() in test files',
+          },
+          additionalWeakPatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional weak PRNG patterns to detect',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      additionalWeakPatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      additionalWeakPatterns = [],
+    } = options as Options;
+    const filename = context.getFilename();
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    /**
+     * Check if a call expression uses weak random generation
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check for Math.random() calls
+      if (node.callee.type === 'MemberExpression' && isMathRandom(node.callee)) {
+        const pattern = containsWeakRandom('Math.random()', additionalWeakPatterns);
+        if (pattern) {
+          const safeAlternative = pattern.alternatives[0];
+          const suggestions = generateSuggestions(pattern);
+          context.report({
+            node: node.callee,
+            messageId: 'insufficientRandom',
+            data: {
+              pattern: pattern.name,
+              safeAlternative: `Use ${safeAlternative}: ${pattern.example.good}`,
+            },
+            suggest: suggestions.map(step => ({
+              messageId: step.messageId,
+              fix: (fixer: TSESLint.RuleFixer) => {
+                // Replace Math.random() with crypto.getRandomValues()
+                return fixer.replaceText(
+                  node,
+                  'crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1)'
+                );
+              },
+            })),
+          });
+        }
+        return;
+      }
+      // Check for standalone random() function calls (if configured)
+      if (node.callee.type === 'Identifier' && additionalWeakPatterns.length > 0) {
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const callText = sourceCode.getText(node);
+        const pattern = containsWeakRandom(callText, additionalWeakPatterns);
+        if (pattern) {
+          const safeAlternative = pattern.alternatives[0];
+          context.report({
+            node: node.callee,
+            messageId: 'insufficientRandom',
+            data: {
+              pattern: pattern.name,
+              safeAlternative: `Use ${safeAlternative}: ${pattern.example.good}`,
+            },
+            // Custom patterns cannot be safely auto-fixed - error message provides guidance
+          });
+        }
+      }
+    }
+    return {
+      CallExpression: checkCallExpression,
+    };
+  },
+});