npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-privilege-escalation/index.ts ADDED Viewed

@@ -0,0 +1,403 @@
+/**
+ * ESLint Rule: no-privilege-escalation
+ * Detects potential privilege escalation vulnerabilities
+ * CWE-269: Improper Privilege Management
+ *
+ * @see https://cwe.mitre.org/data/definitions/269.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Access_Control
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'privilegeEscalation' | 'addRoleCheck';
+export interface Options {
+  /** Allow privilege escalation patterns in test files. Default: false */
+  allowInTests?: boolean;
+  /** Test file pattern regex string. Default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$' */
+  testFilePattern?: string;
+  /** Role check patterns to recognize. Default: ['hasRole', 'checkRole', 'isAdmin', 'isAuthorized'] */
+  roleCheckPatterns?: string[];
+  /** User input patterns that should be validated. Default: ['req.body', 'req.query', 'req.params'] */
+  userInputPatterns?: string[];
+  /** Additional patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Common role check patterns
+ */
+const DEFAULT_ROLE_CHECK_PATTERNS = [
+  'hasRole',
+  'checkRole',
+  'isAdmin',
+  'isAuthorized',
+  'hasPermission',
+  'checkPermission',
+  'verifyRole',
+  'requireRole',
+];
+/**
+ * Common user input patterns
+ */
+const DEFAULT_USER_INPUT_PATTERNS = [
+  /\breq\.(body|query|params)\b/,
+  /\brequest\.(body|query|params)\b/,
+  /\buserInput\b/,
+  /\binput\b/,
+];
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text: string, patterns: string[]): boolean {
+  return patterns.some(pattern => {
+    try {
+      const regex = new RegExp(pattern, 'i');
+      return regex.test(text);
+    } catch {
+      // Invalid regex - treat as literal string match
+      return text.toLowerCase().includes(pattern.toLowerCase());
+    }
+  });
+}
+/**
+ * Check if a node contains user input patterns
+ */
+function containsUserInput(
+  node: TSESTree.Node,
+  sourceCode: TSESLint.SourceCode,
+  userInputPatterns: RegExp[]
+): boolean {
+  const text = sourceCode.getText(node);
+  return userInputPatterns.some(pattern => pattern.test(text));
+}
+/**
+ * Check if a node is inside a role check call
+ */
+function isInsideRoleCheck(
+  node: TSESTree.Node,
+  sourceCode: TSESLint.SourceCode,
+  roleCheckPatterns: string[]
+): boolean {
+  let current: TSESTree.Node | null = node;
+  while (current) {
+    // Check if current is inside an IfStatement with role check in condition
+    if (current.parent && current.parent.type === 'IfStatement') {
+      const ifStmt = current.parent as TSESTree.IfStatement;
+      const conditionText = sourceCode.getText(ifStmt.test);
+      // Check if condition contains role check patterns (text-based check catches all patterns)
+      if (roleCheckPatterns.some(pattern =>
+        conditionText.toLowerCase().includes(pattern.toLowerCase())
+      )) {
+        return true;
+      }
+    }
+    // Check if current is inside a ConditionalExpression (ternary) with role check
+    if (current.parent && current.parent.type === 'ConditionalExpression') {
+      const condExpr = current.parent as TSESTree.ConditionalExpression;
+      const testText = sourceCode.getText(condExpr.test);
+      // Check if test contains role check patterns (text-based check catches all patterns)
+      if (roleCheckPatterns.some(pattern =>
+        testText.toLowerCase().includes(pattern.toLowerCase())
+      )) {
+        return true;
+      }
+    }
+    // Check if current is inside a CallExpression with role check
+    if (current.parent && current.parent.type === 'CallExpression') {
+      const callExpr = current.parent as TSESTree.CallExpression;
+      const callee = callExpr.callee;
+      if (callee.type === 'Identifier') {
+        const calleeName = callee.name.toLowerCase();
+        if (roleCheckPatterns.some(pattern => calleeName.includes(pattern.toLowerCase()))) {
+          return true;
+        }
+      }
+      if (callee.type === 'MemberExpression' && callee.property.type === 'Identifier') {
+        const propertyName = callee.property.name.toLowerCase();
+        if (roleCheckPatterns.some(pattern => propertyName.includes(pattern.toLowerCase()))) {
+          return true;
+        }
+      }
+    }
+    // Traverse up the AST
+    if ('parent' in current && current.parent) {
+      current = current.parent as TSESTree.Node;
+    } else {
+      break;
+    }
+  }
+  return false;
+}
+export const noPrivilegeEscalation = createRule<RuleOptions, MessageIds>({
+  name: 'no-privilege-escalation',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects potential privilege escalation vulnerabilities',
+    },
+    hasSuggestions: true,
+    messages: {
+      privilegeEscalation: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Privilege Escalation',
+        cwe: 'CWE-269',
+        description: 'Potential privilege escalation: {{issue}} - user input used without role validation',
+        severity: 'HIGH',
+        fix: 'Add role check before using user input: if (!hasRole(user, requiredRole)) throw new Error("Unauthorized");',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/269.html',
+      }),
+      addRoleCheck: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Add Role Check',
+        description: 'Add role check before privilege operations',
+        severity: 'LOW',
+        fix: 'if (!hasRole(user, requiredRole)) throw new Error("Unauthorized")',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/269.html',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow privilege escalation patterns in test files',
+          },
+          testFilePattern: {
+            type: 'string',
+            default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$',
+            description: 'Test file pattern regex string',
+          },
+          roleCheckPatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: DEFAULT_ROLE_CHECK_PATTERNS,
+            description: 'Role check patterns to recognize',
+          },
+          userInputPatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional user input patterns to check (regex strings)',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      testFilePattern: '\\.(test|spec)\\.(ts|tsx|js|jsx)$',
+      roleCheckPatterns: DEFAULT_ROLE_CHECK_PATTERNS,
+      userInputPatterns: [],
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      testFilePattern = '\\.(test|spec)\\.(ts|tsx|js|jsx)$',
+      roleCheckPatterns = DEFAULT_ROLE_CHECK_PATTERNS,
+      userInputPatterns: additionalUserInputPatterns = [],
+      ignorePatterns = [],
+    } = options as Options;
+    const filename = context.getFilename();
+    const testFileRegex = new RegExp(testFilePattern);
+    const isTestFile = allowInTests && testFileRegex.test(filename);
+    const sourceCode = context.sourceCode || context.sourceCode;
+    // Combine default and additional user input patterns
+    const userInputPatterns = [
+      ...DEFAULT_USER_INPUT_PATTERNS,
+      ...additionalUserInputPatterns.map(pattern => new RegExp(pattern, 'i')),
+    ];
+    /**
+     * Check AssignmentExpression for privilege escalation
+     */
+    function checkAssignmentExpression(node: TSESTree.AssignmentExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check for role assignment from user input
+      // Pattern: user.role = req.body.role
+      if (node.left.type === 'MemberExpression' &&
+          node.left.property.type === 'Identifier') {
+        const propertyName = node.left.property.name.toLowerCase();
+        // Check if it's a role/permission related property
+        if (['role', 'permission', 'privilege', 'access', 'level'].includes(propertyName)) {
+          const text = sourceCode.getText(node);
+          // Check if it matches any ignore pattern
+          if (matchesIgnorePattern(text, ignorePatterns)) {
+            return;
+          }
+          // Check if right side contains user input
+          if (containsUserInput(node.right, sourceCode, userInputPatterns)) {
+            // Check if it's inside a role check
+            if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+              context.report({
+                node: node,
+                messageId: 'privilegeEscalation',
+                data: {
+                  issue: `Role assignment from user input: ${sourceCode.getText(node.left)} = ${sourceCode.getText(node.right)}`,
+                },
+                suggest: [
+                  {
+                    messageId: 'addRoleCheck',
+                    fix: () => null,
+                  },
+                ],
+              });
+            }
+          }
+        }
+      }
+    }
+    /**
+     * Check CallExpression for privilege operations with user input
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check for privilege-related function calls with user input
+      const callee = node.callee;
+      let isPrivilegeOperation = false;
+      let operationName = '';
+      if (callee.type === 'Identifier') {
+        const calleeName = callee.name.toLowerCase();
+        if (['setrole', 'grant', 'revoke', 'elevate', 'promote'].some(op =>
+          calleeName.includes(op)
+        )) {
+          isPrivilegeOperation = true;
+          operationName = callee.name;
+        }
+      }
+      if (callee.type === 'MemberExpression' && callee.property.type === 'Identifier') {
+        const propertyName = callee.property.name.toLowerCase();
+        if (['setrole', 'grant', 'revoke', 'elevate', 'promote', 'updaterole'].some(op =>
+          propertyName.includes(op)
+        )) {
+          isPrivilegeOperation = true;
+          operationName = propertyName;
+        }
+      }
+      if (isPrivilegeOperation) {
+        const text = sourceCode.getText(node);
+        // Check if it matches any ignore pattern
+        if (matchesIgnorePattern(text, ignorePatterns)) {
+          return;
+        }
+        // Check if any argument contains user input
+        for (const arg of node.arguments) {
+          if (containsUserInput(arg, sourceCode, userInputPatterns)) {
+            // Check if it's inside a role check
+            if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+              context.report({
+                node: node,
+                messageId: 'privilegeEscalation',
+                data: {
+                  issue: `Privilege operation (${operationName}) with user input without role validation`,
+                },
+                suggest: [
+                  {
+                    messageId: 'addRoleCheck',
+                    fix: () => null,
+                  },
+                ],
+              });
+              return; // Report once per call
+            }
+          }
+        }
+      }
+    }
+    /**
+     * Check ObjectExpression for role assignment in objects (e.g. arguments)
+     */
+    function checkObjectExpression(node: TSESTree.ObjectExpression) {
+      if (isTestFile) return;
+      for (const prop of node.properties) {
+        if (prop.type === 'Property' && prop.key.type === 'Identifier') {
+          const keyName = prop.key.name.toLowerCase();
+          if (['role', 'permission', 'privilege', 'access', 'level'].includes(keyName)) {
+            const text = sourceCode.getText(prop);
+            if (matchesIgnorePattern(text, ignorePatterns)) continue;
+            if (containsUserInput(prop.value, sourceCode, userInputPatterns)) {
+              if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+                context.report({
+                  node: prop,
+                  messageId: 'privilegeEscalation',
+                  data: {
+                    issue: `Role assignment in object from user input: ${sourceCode.getText(prop)}`,
+                  },
+                  suggest: [
+                    {
+                      messageId: 'addRoleCheck',
+                      fix: () => null, // No auto-fix for logic
+                    },
+                  ],
+                });
+              }
+            }
+          }
+        }
+      }
+    }
+    return {
+      AssignmentExpression: checkAssignmentExpression,
+      CallExpression: checkCallExpression,
+      ObjectExpression: checkObjectExpression,
+    };
+  },
+});

package/src/rules/no-privilege-escalation/no-privilege-escalation.test.ts ADDED Viewed

@@ -0,0 +1,306 @@
+/**
+ * Comprehensive tests for no-privilege-escalation rule
+ * CWE-269: Improper Privilege Management
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noPrivilegeEscalation } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-privilege-escalation', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - role checks and safe assignments', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'if (hasRole(user, "admin")) { user.role = req.body.role; }',
+        },
+        {
+          code: 'if (checkRole(user, requiredRole)) { grant(user, permission); }',
+        },
+        {
+          code: 'const role = "admin"; user.role = role;',
+        },
+        {
+          code: 'user.role = getDefaultRole();',
+        },
+        {
+          code: 'if (isAuthorized(user)) { setRole(user, req.body.role); }',
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'user.role = req.body.role;',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+        // Ignored patterns
+        {
+          code: 'user.role = req.body.role;',
+          options: [{ ignorePatterns: ['user.role'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Privilege Escalation', () => {
+    ruleTester.run('invalid - role assignment from user input', noPrivilegeEscalation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'user.role = req.body.role;',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+        {
+          code: 'user.permission = req.query.permission;',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+        {
+          code: 'user.privilege = request.body.privilege;',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Privilege Operations', () => {
+    ruleTester.run('invalid - privilege operations with user input', noPrivilegeEscalation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'grant(user, req.body.permission);',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+        {
+          code: 'setRole(user, req.query.role);',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+        {
+          code: 'userService.elevate(user, req.body.level);',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+        // MemberExpression callee with updateRole keyword
+        {
+          code: 'authService.updateRole(user, req.body.role);',
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - allowInTests', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'user.role = req.body.role;',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'user.role = req.body.role;',
+          filename: 'server.ts',
+          options: [{ allowInTests: true }],
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - roleCheckPatterns', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'if (myCustomCheck(user)) { user.role = req.body.role; }',
+          options: [{ roleCheckPatterns: ['myCustomCheck', 'hasRole', 'checkRole', 'isAdmin', 'isAuthorized', 'hasPermission', 'checkPermission', 'verifyRole', 'requireRole'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - userInputPatterns', noPrivilegeEscalation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'user.role = customInput.role;',
+          options: [{ userInputPatterns: ['customInput'] }],
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - ignorePatterns', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'user.role = req.body.role;',
+          options: [{ ignorePatterns: ['user.role'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'user.permission = req.body.permission;',
+          options: [{ ignorePatterns: ['user.role'] }],
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('coverage - invalid regex in ignorePatterns', noPrivilegeEscalation, {
+      valid: [],
+      invalid: [
+        {
+          code: 'user.role = req.body.role;',
+          options: [{ ignorePatterns: ['['] }], // Invalid regex - should not match
+          errors: [
+            {
+              messageId: 'privilegeEscalation',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('coverage - MemberExpression if condition', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'if (userService.hasRole(user)) { user.role = req.body.role; }',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('coverage - ConditionalExpression role check', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'const result = hasRole(user) ? user.role = req.body.role : null;',
+        },
+        {
+          code: 'const result = checkRole(user) ? user.role = req.body.role : null;',
+        },
+        // Cover line 142-151: ConditionalExpression with CallExpression test (Identifier callee)
+        {
+          code: 'const result = isAdmin() ? (user.role = req.body.role) : null;',
+        },
+        // Cover MemberExpression callee in ternary
+        {
+          code: 'const result = user.hasPermission() ? (user.role = req.body.role) : null;',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('coverage - privilege operations ignorePatterns', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'grant(user, req.body.permission);',
+          options: [{ ignorePatterns: ['grant'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('coverage - test file early return', noPrivilegeEscalation, {
+      valid: [
+        {
+          code: 'grant(user, req.body.permission);',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [],
+    });
+    // Cover lines 157-170: CallExpression parent with role check patterns
+    ruleTester.run('coverage - CallExpression parent with role check', noPrivilegeEscalation, {
+      valid: [
+        // Role assignment inside hasRole() call - covered by parent check (line 160-165)
+        {
+          code: 'checkRole(user, user.role = req.body.role);',
+        },
+        // Role assignment inside member expression role check (line 167-172)
+        {
+          code: 'userService.verifyRole(user, user.role = req.body.role);',
+        },
+        // Nested role check calls
+        {
+          code: 'requireRole(admin, user.permission = req.body.permission);',
+        },
+      ],
+      invalid: [],
+    });
+    // Cover edge cases for MemberExpression callee
+    ruleTester.run('coverage - MemberExpression callee variations', noPrivilegeEscalation, {
+      valid: [
+        // MemberExpression with role check property in IfStatement
+        {
+          code: 'if (auth.isAuthorized(user)) { user.access = req.body.access; }',
+        },
+        // MemberExpression with checkPermission
+        {
+          code: 'if (service.checkPermission(user)) { user.level = req.body.level; }',
+        },
+      ],
+      invalid: [],
+    });
+  });
+});