npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-missing-csrf-protection/no-missing-csrf-protection.test.ts ADDED Viewed

@@ -0,0 +1,222 @@
+/**
+ * Comprehensive tests for no-missing-csrf-protection rule
+ * CWE-352: Cross-Site Request Forgery (CSRF)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noMissingCsrfProtection } from './index';
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-missing-csrf-protection', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - CSRF protection present', noMissingCsrfProtection, {
+      valid: [
+        // CSRF middleware in route chain
+        {
+          code: 'app.post("/api/users", csrf(), handler);',
+        },
+        {
+          code: 'router.put("/api/users/:id", csrf(), handler);',
+        },
+        {
+          code: 'app.delete("/api/users/:id", csrf(), handler);',
+        },
+        // CSRF middleware globally
+        {
+          code: 'app.use(csrf());',
+        },
+        {
+          code: 'app.get("/api/users", handler);', // GET doesn't require CSRF
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'app.post("/test", handler);',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Missing CSRF', () => {
+    ruleTester.run('invalid - POST without CSRF', noMissingCsrfProtection, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.post("/api/users", handler);',
+          errors: [
+            {
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: 'POST route handler missing CSRF protection',
+                safeAlternative: 'Add CSRF middleware: app.post("/path", csrf(), handler) or use app.use(csrf()) globally',
+              },
+              suggestions: [
+                {
+                  messageId: 'addCsrfValidation',
+                  output: 'app.post("/api/users", csrf(), handler);',
+                },
+              ],
+            },
+          ],
+        },
+        {
+          code: 'router.post("/api/users", (req, res) => {});',
+          errors: [
+            {
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: 'POST route handler missing CSRF protection',
+                safeAlternative: 'Add CSRF middleware: app.post("/path", csrf(), handler) or use app.use(csrf()) globally',
+              },
+              suggestions: [
+                {
+                  messageId: 'addCsrfValidation',
+                  output: 'router.post("/api/users", csrf(), (req, res) => {});',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('invalid - PUT without CSRF', noMissingCsrfProtection, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.put("/api/users/:id", handler);',
+          errors: [
+            {
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: 'PUT route handler missing CSRF protection',
+                safeAlternative: 'Add CSRF middleware: app.put("/path", csrf(), handler) or use app.use(csrf()) globally',
+              },
+              suggestions: [
+                {
+                  messageId: 'addCsrfValidation',
+                  output: 'app.put("/api/users/:id", csrf(), handler);',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('invalid - DELETE without CSRF', noMissingCsrfProtection, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.delete("/api/users/:id", handler);',
+          errors: [
+            {
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: 'DELETE route handler missing CSRF protection',
+                safeAlternative: 'Add CSRF middleware: app.delete("/path", csrf(), handler) or use app.use(csrf()) globally',
+              },
+              suggestions: [
+                {
+                  messageId: 'addCsrfValidation',
+                  output: 'app.delete("/api/users/:id", csrf(), handler);',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('invalid - PATCH without CSRF', noMissingCsrfProtection, {
+      valid: [],
+      invalid: [
+        {
+          code: 'app.patch("/api/users/:id", handler);',
+          errors: [
+            {
+              messageId: 'missingCsrfProtection',
+              data: {
+                issue: 'PATCH route handler missing CSRF protection',
+                safeAlternative: 'Add CSRF middleware: app.patch("/path", csrf(), handler) or use app.use(csrf()) globally',
+              },
+              suggestions: [
+                {
+                  messageId: 'addCsrfValidation',
+                  output: 'app.patch("/api/users/:id", csrf(), handler);',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - ignorePatterns', noMissingCsrfProtection, {
+      valid: [
+        // Valid ignorePattern - pattern must match the call text
+        {
+          code: 'app.post("/api/internal", handler);',
+          options: [{ ignorePatterns: ['api/internal'] }],
+        },
+        // Invalid regex pattern fallback to string includes - the text must contain the pattern
+        {
+          code: 'app.post("/api/internal", handler);',
+          options: [{ ignorePatterns: ['internal'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - custom CSRF patterns', noMissingCsrfProtection, {
+      valid: [
+        {
+          code: 'app.post("/api/users", customCsrf(), handler);',
+          options: [{ csrfMiddlewarePatterns: ['customCsrf'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - custom protected methods', noMissingCsrfProtection, {
+      valid: [
+        {
+          code: 'app.options("/api/users", handler);', // OPTIONS not protected by default
+        },
+      ],
+      invalid: [
+        {
+          code: 'app.options("/api/users", handler);',
+          options: [{ protectedMethods: ['options'] }],
+          errors: [{
+            messageId: 'missingCsrfProtection',
+            suggestions: [{ messageId: 'addCsrfValidation', output: 'app.options("/api/users", csrf(), handler);' }],
+          }],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-missing-security-headers/index.ts ADDED Viewed

@@ -0,0 +1,266 @@
+/**
+ * ESLint Rule: no-missing-security-headers
+ * Detects missing security headers in HTTP responses
+ * CWE-693: Protection Mechanism Failure
+ *
+ * @see https://cwe.mitre.org/data/definitions/693.html
+ * @see https://owasp.org/www-project-secure-headers/
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'missingSecurityHeader'
+  | 'addSecurityHeaders'
+  | 'useMiddleware'
+  | 'setHeader';
+export interface Options {
+  /** Required security headers. Default: ['Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options'] */
+  requiredHeaders?: string[];
+  /** Ignore in test files. Default: true */
+  ignoreInTests?: boolean;
+}
+type RuleOptions = [Options?];
+const DEFAULT_REQUIRED_HEADERS = [
+  'Content-Security-Policy',
+  'X-Frame-Options',
+  'X-Content-Type-Options',
+];
+/**
+ * Extract header name from setHeader call
+ */
+function extractHeaderName(node: TSESTree.CallExpression): string | null {
+  if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
+    return String(node.arguments[0].value);
+  }
+  return null;
+}
+/**
+ * Check if all security headers are set in the current scope
+ */
+function checkFunctionForSecurityHeaders(
+  node: TSESTree.CallExpression,
+  requiredHeaders: string[],
+  context: TSESLint.RuleContext<MessageIds, RuleOptions>
+): string[] {
+  const setHeaders = new Set<string>();
+  // Find the function that contains this setHeader call
+  let current: TSESTree.Node | null = node;
+  let scopeNode: TSESTree.Node | null = null;
+  while (current) {
+    if (current.type === 'FunctionDeclaration' ||
+        current.type === 'FunctionExpression' ||
+        current.type === 'ArrowFunctionExpression') {
+      scopeNode = current;
+      break;
+    }
+    current = (current as TSESTree.Node & { parent?: TSESTree.Node }).parent ?? null;
+  }
+  // If no function found, use the program scope (for test cases)
+  if (!scopeNode) {
+    scopeNode = context.sourceCode.ast;
+  }
+  // Collect all setHeader calls in this scope
+  function collectHeaders(node: TSESTree.Node): void {
+    if (node.type === 'CallExpression' &&
+        node.callee.type === 'MemberExpression' &&
+        node.callee.property.type === 'Identifier' &&
+        ['setHeader', 'header', 'set'].includes(node.callee.property.name)) {
+      const headerName = extractHeaderName(node);
+      if (headerName) {
+        setHeaders.add(headerName);
+      }
+    }
+    // Recursively check children - only traverse standard AST properties
+    if (node.type === 'Program' && node.body) {
+      node.body.forEach(collectHeaders);
+    } else if ((node.type === 'FunctionDeclaration' ||
+                node.type === 'FunctionExpression' ||
+                node.type === 'ArrowFunctionExpression') && node.body) {
+      collectHeaders(node.body);
+    } else if (node.type === 'BlockStatement' && node.body) {
+      node.body.forEach(collectHeaders);
+    } else if (node.type === 'ExpressionStatement' && node.expression) {
+      collectHeaders(node.expression);
+    }
+  }
+  if (scopeNode) {
+    collectHeaders(scopeNode);
+  }
+  // Return missing headers
+  return requiredHeaders.filter(header => !setHeaders.has(header));
+}
+export const noMissingSecurityHeaders = createRule<RuleOptions, MessageIds>({
+  name: 'no-missing-security-headers',
+  meta: {
+    type: 'problem',
+    deprecated: true,
+    replacedBy: ['@see eslint-plugin-express-security/require-helmet'],
+    docs: {
+      description: 'Detects missing security headers in HTTP responses',
+    },
+    hasSuggestions: true,
+    messages: {
+      missingSecurityHeader: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Missing security headers',
+        cwe: 'CWE-693',
+        description: 'Missing security headers: {{headers}}',
+        severity: 'HIGH',
+        fix: 'Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options',
+        documentationLink: 'https://owasp.org/www-project-secure-headers/',
+      }),
+      addSecurityHeaders: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Add Security Headers',
+        description: 'Add security headers middleware',
+        severity: 'LOW',
+        fix: 'Add Content-Security-Policy, X-Frame-Options headers',
+        documentationLink: 'https://owasp.org/www-project-secure-headers/',
+      }),
+      useMiddleware: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Helmet',
+        description: 'Use helmet.js for security headers',
+        severity: 'LOW',
+        fix: 'app.use(helmet())',
+        documentationLink: 'https://helmetjs.github.io/',
+      }),
+      setHeader: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Set Headers',
+        description: 'Set security headers manually',
+        severity: 'LOW',
+        fix: 'res.setHeader("X-Frame-Options", "DENY")',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          requiredHeaders: {
+            type: 'array',
+            items: { type: 'string' },
+            default: DEFAULT_REQUIRED_HEADERS,
+          },
+          ignoreInTests: {
+            type: 'boolean',
+            default: true,
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      requiredHeaders: DEFAULT_REQUIRED_HEADERS,
+      ignoreInTests: true,
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>, [options = {}]) {
+    const {
+requiredHeaders = DEFAULT_REQUIRED_HEADERS,
+      ignoreInTests = true,
+}: Options = options || {};
+    const filename = context.getFilename();
+    const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    if (isTestFile) {
+      return {};
+    }
+    const reportedScopes = new Set<string>();
+    /**
+     * Get a unique key for the current scope
+     */
+    function getScopeKey(node: TSESTree.CallExpression): string {
+      // Find the function that contains this call
+      let current: TSESTree.Node | null = node;
+      while (current) {
+        if (current.type === 'FunctionDeclaration' ||
+            current.type === 'FunctionExpression' ||
+            current.type === 'ArrowFunctionExpression') {
+          return `${current.range?.[0]}-${current.range?.[1]}`;
+        }
+        current = (current as TSESTree.Node & { parent?: TSESTree.Node }).parent ?? null;
+      }
+      // If no function found, use program scope
+      return 'program';
+    }
+    /**
+     * Check for response header setting
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      // Check for res.setHeader, res.header, res.set
+      if (node.callee.type === 'MemberExpression' &&
+          node.callee.property.type === 'Identifier') {
+        const methodName = node.callee.property.name;
+        if (['setHeader', 'header', 'set'].includes(methodName)) {
+          const scopeKey = getScopeKey(node);
+          // Only check once per scope
+          if (reportedScopes.has(scopeKey)) {
+            return;
+          }
+          const missing = checkFunctionForSecurityHeaders(node, requiredHeaders, context);
+          if (missing.length > 0) {
+            reportedScopes.add(scopeKey);
+            context.report({
+              node,
+              messageId: 'missingSecurityHeader',
+              data: {
+                headers: missing.join(', '),
+              },
+              suggest: [
+                {
+                  messageId: 'addSecurityHeaders',
+                  fix: () => null,
+                },
+                {
+                  messageId: 'useMiddleware',
+                  fix: () => null,
+                },
+                {
+                  messageId: 'setHeader',
+                  fix: () => null,
+                },
+              ],
+            });
+          } else {
+            // Mark as checked even if no error
+            reportedScopes.add(scopeKey);
+          }
+        }
+      }
+    }
+    return {
+      CallExpression: checkCallExpression,
+    };
+  },
+});

package/src/rules/no-missing-security-headers/no-missing-security-headers.test.ts ADDED Viewed

@@ -0,0 +1,98 @@
+/**
+ * Comprehensive tests for no-missing-security-headers rule
+ * Security: CWE-693 - Detects missing security headers in HTTP responses
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noMissingSecurityHeaders } from './index';
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-missing-security-headers', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - security headers set', noMissingSecurityHeaders, {
+      valid: [
+        // All required headers
+        {
+          code: `
+            res.setHeader('Content-Security-Policy', 'default-src self');
+            res.setHeader('X-Frame-Options', 'DENY');
+            res.setHeader('X-Content-Type-Options', 'nosniff');
+          `,
+        },
+        // Test files (if ignoreInTests is true)
+        {
+          code: 'res.setHeader("X-Custom", "value");',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Missing Security Headers', () => {
+    ruleTester.run('invalid - missing headers', noMissingSecurityHeaders, {
+      valid: [],
+      invalid: [
+        {
+          code: 'res.setHeader("X-Custom", "value");',
+          errors: [{ messageId: 'missingSecurityHeader' }],
+        },
+        {
+          code: 'res.setHeader("Content-Security-Policy", "default-src self");',
+          errors: [{ messageId: 'missingSecurityHeader' }], // Missing other headers
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - ignoreInTests', noMissingSecurityHeaders, {
+      valid: [
+        {
+          code: 'res.setHeader("X-Custom", "value");',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'res.setHeader("X-Custom", "value");',
+          filename: 'test.spec.ts',
+          options: [{ ignoreInTests: false }],
+          errors: [{ messageId: 'missingSecurityHeader' }],
+        },
+      ],
+    });
+    ruleTester.run('options - requiredHeaders', noMissingSecurityHeaders, {
+      valid: [
+        {
+          code: 'res.setHeader("Custom-Header", "value");',
+          options: [{ requiredHeaders: ['Custom-Header'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'res.setHeader("Other-Header", "value");',
+          options: [{ requiredHeaders: ['Custom-Header'] }],
+          errors: [{ messageId: 'missingSecurityHeader' }],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-password-in-url/index.ts ADDED Viewed

@@ -0,0 +1,64 @@
+/**
+ * @fileoverview Prevent passwords in URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noPasswordInUrl = createRule<RuleOptions, MessageIds>({
+  name: 'no-password-in-url',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent passwords in URLs',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M3'],
+      cweIds: ["CWE-598"],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'violation Detected',
+        cwe: 'CWE-521',
+        description: 'Prevent passwords in URLs detected - this is a security risk',
+        severity: 'CRITICAL',
+        fix: 'Review and apply secure practices',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({
+        node,
+        messageId: 'violationDetected',
+      });
+    }
+    return {
+      Literal(node: TSESTree.Literal) {
+      // Check for http://user:password@host patterns
+      if (node.type === 'Literal' && typeof node.value === 'string') {
+        const urlPattern = /https?:\/\/[^:]+:[^@]+@/;
+        if (urlPattern.test(node.value)) {
+          report(node);
+        }
+      }
+      },
+};
+  },
+});

package/src/rules/no-password-in-url/no-password-in-url.test.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * @fileoverview Tests for no-password-in-url
+ *
+ * Coverage: Comprehensive test suite with valid and invalid cases
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noPasswordInUrl } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-password-in-url', noPasswordInUrl, {
+  valid: [
+    { code: "const url = 'https://example.com/api'" },
+    { code: "fetch('https://api.example.com')" }
+  ],
+  invalid: [
+    { code: "const url = 'https://user:password@example.com'", errors: [{ messageId: 'violationDetected' }] },
+    { code: "fetch('https://admin:secret123@api.com')", errors: [{ messageId: 'violationDetected' }] }
+  ],
+});