npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-missing-cors-check/no-missing-cors-check.test.ts ADDED Viewed

@@ -0,0 +1,392 @@
+/**
+ * Comprehensive tests for no-missing-cors-check rule
+ * CWE-346: Origin Validation Error
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noMissingCorsCheck } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-missing-cors-check', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - proper CORS validation', noMissingCorsCheck, {
+      valid: [
+        // CORS with origin validation
+        {
+          code: `
+            app.use(cors({
+              origin: (origin, callback) => {
+                if (allowedOrigins.includes(origin)) {
+                  callback(null, true);
+                } else {
+                  callback(new Error('Not allowed'));
+                }
+              }
+            }));
+          `,
+        },
+        // CORS with allowed origins array
+        {
+          code: 'app.use(cors({ origin: allowedOrigins }));',
+        },
+        // CORS with trusted library
+        {
+          code: 'app.use(cors({ origin: "https://example.com" }));',
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'app.use(cors({ origin: "*" }));',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+        // Ignored patterns
+        {
+          code: 'app.use(cors({ origin: safeOrigin }));',
+          options: [{ ignorePatterns: ['safeOrigin'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Wildcard Origin', () => {
+    ruleTester.run('invalid - wildcard CORS origin', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.use(cors({ origin: "*" }));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+              // Note: Suggestions are provided by the rule but not recognized by test framework
+              // because fix returns null (suggestions are not auto-fixable)
+            },
+          ],
+        },
+        {
+          code: 'app.use(cors({ origin: "*", credentials: true }));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - CORS Headers', () => {
+    ruleTester.run('invalid - wildcard CORS header', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'res.setHeader("Access-Control-Allow-Origin", "*");',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+        {
+          code: 'res.header("Access-Control-Allow-Origin", "*");',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - allowInTests', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors({ origin: "*" }));',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'app.use(cors({ origin: "*" }));',
+          filename: 'server.ts',
+          options: [{ allowInTests: true }],
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - ignorePatterns with invalid regex', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors({ origin: testOrigin }));',
+          options: [{ ignorePatterns: ['['] }], // Invalid regex should be caught
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - trustedLibraries', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(myCors({ origin: "*" }));',
+          options: [{ trustedLibraries: ['myCors'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Edge Cases', () => {
+    ruleTester.run('edge cases - non-wildcard literal', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors({ origin: "https://example.com" }));',
+        },
+        {
+          code: 'app.use(cors({ origin: 123 }));',
+        },
+        {
+          code: 'app.use(cors({ origin: true }));',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - non-CORS context', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'const config = { origin: "*" };',
+        },
+        {
+          code: 'const data = { allowedOrigins: "*" };',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - CORS config object validation', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors({ origin: allowedOrigins, credentials: true }));',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - setHeader with non-wildcard', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'res.setHeader("Access-Control-Allow-Origin", origin);',
+        },
+        {
+          code: 'res.setHeader("Content-Type", "*");',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - header with non-Access-Control', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'res.setHeader("Content-Type", "*");',
+        },
+        {
+          code: 'res.header("Content-Type", "*");',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - callExpression without use method', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.get("/api", handler);',
+        },
+        {
+          code: 'router.post("/users", controller);',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - literal in CORS context via property', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.use(cors({ origin: "*", allowedOrigins: ["https://example.com"] }));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - literal in isActualCorsContext', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const config = { origin: "*" }; app.use(cors(config));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - literal with ignorePatterns', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors({ origin: "*" }));',
+          options: [{ ignorePatterns: ['\\*'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - literal in CORS context via first while loop', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'cors({ origin: "*" });',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - property in CORS call (allowedOrigins)', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.use(cors({ allowedOrigins: "*" }));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - memberExpression with ignorePatterns', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'safeRes.setHeader("Access-Control-Allow-Origin", "*");',
+          options: [{ ignorePatterns: ['safeRes'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - variable declaration found in scope', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            const corsConfig = { origin: "*" };
+            app.use(cors(corsConfig));
+          `,
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - isActualCorsContext path (direct cors call)', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: 'enable(cors({ origin: "*" }));',
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - variable in Program scope (line 427)', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            const myConfig = { origin: "*" };
+            app.use(cors(myConfig));
+          `,
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - variable not found, traverse to root (line 432)', noMissingCorsCheck, {
+      valid: [
+        {
+          code: 'app.use(cors(unknownVar));',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - variable in function scope', noMissingCorsCheck, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            function setupCors() {
+              const config = { origin: "*" };
+              app.use(cors(config));
+            }
+          `,
+          errors: [
+            {
+              messageId: 'missingCorsCheck',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-missing-csrf-protection/index.ts ADDED Viewed

@@ -0,0 +1,229 @@
+/**
+ * ESLint Rule: no-missing-csrf-protection
+ * Detects missing CSRF token validation in POST/PUT/DELETE requests
+ * CWE-352: Cross-Site Request Forgery (CSRF)
+ *
+ * @see https://cwe.mitre.org/data/definitions/352.html
+ * @see https://owasp.org/www-community/attacks/csrf
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { AST_NODE_TYPES, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'missingCsrfProtection' | 'addCsrfValidation';
+export interface Options {
+  /** Allow missing CSRF protection in test files. Default: false */
+  allowInTests?: boolean;
+  /** CSRF middleware patterns to recognize. Default: ['csrf', 'csurf', 'csrfProtection', 'verifyCsrfToken'] */
+  csrfMiddlewarePatterns?: string[];
+  /** HTTP methods that require CSRF protection. Default: ['post', 'put', 'delete', 'patch'] */
+  protectedMethods?: string[];
+  /** Additional safe patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Default CSRF middleware patterns
+ */
+const DEFAULT_CSRF_MIDDLEWARE_PATTERNS = [
+  'csrf',
+  'csurf',
+  'csrfProtection',
+  'verifyCsrfToken',
+  'csrfToken',
+  'validateCsrf',
+  'checkCsrf',
+  'csrfMiddleware',
+];
+/**
+ * Default HTTP methods that require CSRF protection
+ */
+const DEFAULT_PROTECTED_METHODS = ['post', 'put', 'delete', 'patch'];
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text: string, patterns: string[]): boolean {
+  return patterns.some(pattern => {
+    try {
+      const regex = new RegExp(pattern, 'i');
+      return regex.test(text);
+    } catch {
+      return text.toLowerCase().includes(pattern.toLowerCase());
+    }
+  });
+}
+export const noMissingCsrfProtection = createRule<RuleOptions, MessageIds>({
+  name: 'no-missing-csrf-protection',
+  meta: {
+    type: 'problem',
+    deprecated: true,
+    replacedBy: ['@see eslint-plugin-express-security/require-csrf-protection'],
+    docs: {
+      description: 'Detects missing CSRF token validation in POST/PUT/DELETE requests',
+    },
+    hasSuggestions: true,
+    messages: {
+      missingCsrfProtection: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Missing CSRF Protection',
+        cwe: 'CWE-352',
+        description: 'Missing CSRF protection detected: {{issue}}',
+        severity: 'HIGH',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/352.html',
+      }),
+      addCsrfValidation: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Add CSRF Validation',
+        description: 'Add CSRF middleware',
+        severity: 'LOW',
+        fix: 'app.use(csrf({ cookie: true }))',
+        documentationLink: 'https://github.com/expressjs/csurf',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow missing CSRF protection in test files',
+          },
+          csrfMiddlewarePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'CSRF middleware patterns to recognize',
+          },
+          protectedMethods: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'HTTP methods that require CSRF protection',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional safe patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      csrfMiddlewarePatterns: [],
+      protectedMethods: [],
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      csrfMiddlewarePatterns,
+      protectedMethods: customProtectedMethods,
+      ignorePatterns = [],
+    } = options as Options;
+    const csrfPatterns = csrfMiddlewarePatterns && csrfMiddlewarePatterns.length > 0
+      ? csrfMiddlewarePatterns
+      : DEFAULT_CSRF_MIDDLEWARE_PATTERNS;
+    const protectedMethods = customProtectedMethods && customProtectedMethods.length > 0
+      ? customProtectedMethods
+      : DEFAULT_PROTECTED_METHODS;
+    // Pre-compute Set for O(1) lookups (performance optimization)
+    const protectedMethodsSet = new Set(protectedMethods.map(m => m.toLowerCase()));
+    const filename = context.filename;
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    const sourceCode = context.sourceCode;
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      if (isTestFile) {
+        return;
+      }
+      const callee = node.callee;
+      const callText = sourceCode.getText(node);
+      // Check if it matches any ignore pattern
+      if (matchesIgnorePattern(callText, ignorePatterns)) {
+        return;
+      }
+      // Check for route handler methods (app.post, router.put, etc.)
+      if (callee.type === AST_NODE_TYPES.MemberExpression && callee.property.type === AST_NODE_TYPES.Identifier) {
+        const methodName = callee.property.name;
+        // Only check if it's a route handler that requires CSRF (O(1) Set lookup)
+        if (protectedMethodsSet.has(methodName.toLowerCase())) {
+          // Must have at least 2 arguments (path and handler)
+          if (node.arguments.length < 2) {
+            return;
+          }
+          // Check if CSRF middleware is in the route chain arguments
+          let hasCsrfInChain = false;
+          // Check if any argument (after the first path argument) is a CSRF middleware
+          // Skip the first argument (path) and check the rest
+          for (let i = 1; i < node.arguments.length; i++) {
+            const arg = node.arguments[i];
+            const argText = sourceCode.getText(arg);
+            if (csrfPatterns.some(pattern => argText.toLowerCase().includes(pattern.toLowerCase()))) {
+              hasCsrfInChain = true;
+              break;
+            }
+          }
+          if (!hasCsrfInChain) {
+            context.report({
+              node,
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: `${methodName.toUpperCase()} route handler missing CSRF protection`,
+                safeAlternative: `Add CSRF middleware: app.${methodName}("/path", csrf(), handler) or use app.use(csrf()) globally`,
+              },
+              suggest: [
+                {
+                  messageId: 'addCsrfValidation',
+                  fix(fixer: TSESLint.RuleFixer) {
+                    // Add CSRF middleware after the first argument (path)
+                    const firstArg = node.arguments[0];
+                    if (firstArg) {
+                      return fixer.insertTextAfter(firstArg, ', csrf()');
+                    }
+                    return null;
+                  },
+                },
+              ],
+            });
+          }
+        }
+      }
+    }
+    return {
+      CallExpression: checkCallExpression,
+    };
+  },
+});