npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-sensitive-data-exposure/index.ts ADDED Viewed

@@ -0,0 +1,294 @@
+/**
+ * ESLint Rule: no-sensitive-data-exposure
+ * Detects PII/credentials in logs, responses, or error messages
+ * Priority 5: Security with Data Flow Analysis
+ * CWE-532: Information Exposure Through Log Files
+ *
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'sensitiveDataExposure'
+  | 'redactData'
+  | 'useMasking'
+  | 'removeFromLogs';
+export interface Options {
+  /** Sensitive data patterns. Default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card'] */
+  sensitivePatterns?: string[];
+  /** Check console.log statements. Default: true */
+  checkConsoleLog?: boolean;
+  /** Check error messages. Default: true */
+  checkErrorMessages?: boolean;
+  /** Check API responses. Default: true */
+  checkApiResponses?: boolean;
+}
+type RuleOptions = [Options?];
+/**
+ * Check if string contains sensitive data patterns
+ */
+function containsSensitiveData(
+  text: string,
+  patterns: string[]
+): boolean {
+  const lowerText = text.toLowerCase();
+  return patterns.some(pattern => lowerText.includes(pattern.toLowerCase()));
+}
+export const noSensitiveDataExposure = createRule<RuleOptions, MessageIds>({
+  name: 'no-sensitive-data-exposure',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects PII/credentials in logs, responses, or error messages',
+    },
+    hasSuggestions: true,
+    messages: {
+      sensitiveDataExposure: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Sensitive data exposure',
+        cwe: 'CWE-532',
+        description: 'Sensitive data detected in {{context}}: {{dataType}}',
+        severity: 'HIGH',
+        fix: 'Redact or mask sensitive data before logging/exposing',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+      }),
+      redactData: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Redact Data',
+        description: 'Redact sensitive data before logging',
+        severity: 'LOW',
+        fix: 'Redact sensitive fields before logging',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+      }),
+      useMasking: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Masking',
+        description: 'Use data masking function',
+        severity: 'LOW',
+        fix: 'maskSensitive(data)',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+      }),
+      removeFromLogs: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Remove From Logs',
+        description: 'Remove sensitive data from logs and errors',
+        severity: 'LOW',
+        fix: 'Filter sensitive data before logging',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          sensitivePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+            description: 'Sensitive data patterns',
+          },
+          checkConsoleLog: {
+            type: 'boolean',
+            default: true,
+            description: 'Check console.log statements',
+          },
+          checkErrorMessages: {
+            type: 'boolean',
+            default: true,
+            description: 'Check error messages',
+          },
+          checkApiResponses: {
+            type: 'boolean',
+            default: true,
+            description: 'Check API responses',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      sensitivePatterns: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+      checkConsoleLog: true,
+      checkErrorMessages: true,
+      checkApiResponses: true,
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>, [options = {}]) {
+    const {
+sensitivePatterns = ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+      checkConsoleLog = true,
+      checkErrorMessages = true,
+}: Options = options || {};
+    /**
+     * Check CallExpression for logging calls with sensitive data
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      // Check if it's a logging call (console.*, logger.*)
+      const isLoggingCall = (() => {
+        if (node.callee.type === 'MemberExpression') {
+          const object = node.callee.object;
+          const property = node.callee.property;
+          if (property.type === 'Identifier') {
+            const methodName = property.name.toLowerCase();
+            if (['log', 'info', 'warn', 'error', 'debug', 'trace'].includes(methodName)) {
+              // Check if it's console.* or logger.*
+              if (object.type === 'Identifier') {
+                const objName = object.name.toLowerCase();
+                if (objName === 'console' || objName === 'logger') {
+                  return true;
+                }
+              }
+            }
+          }
+        } else if (node.callee.type === 'Identifier') {
+          // Check for logger.info() pattern
+          const calleeName = node.callee.name.toLowerCase();
+          if (calleeName.includes('log') || calleeName.includes('logger')) {
+            return true;
+          }
+        }
+        return false;
+      })();
+      if (isLoggingCall && checkConsoleLog) {
+        // Check if any argument contains sensitive data
+        for (const arg of node.arguments) {
+          if (arg.type === 'Literal' && typeof arg.value === 'string') {
+            const text = arg.value;
+            if (containsSensitiveData(text, sensitivePatterns)) {
+              context.report({
+                node: arg,
+                messageId: 'sensitiveDataExposure',
+                data: {
+                  context: 'logs',
+                  dataType: 'password',
+                },
+                suggest: [
+                  { messageId: 'redactData', fix: () => null },
+                  { messageId: 'useMasking', fix: () => null },
+                  { messageId: 'removeFromLogs', fix: () => null },
+                ],
+              });
+              return; // Only report once per call
+            }
+          } else if (arg.type === 'Identifier' && arg.name) {
+            const name = arg.name.toLowerCase();
+            if (containsSensitiveData(name, sensitivePatterns)) {
+              context.report({
+                node: arg,
+                messageId: 'sensitiveDataExposure',
+                data: {
+                  context: 'logs',
+                  dataType: 'password',
+                },
+                suggest: [
+                  { messageId: 'redactData', fix: () => null },
+                  { messageId: 'useMasking', fix: () => null },
+                  { messageId: 'removeFromLogs', fix: () => null },
+                ],
+              });
+              return; // Only report once per call
+            }
+          }
+        }
+      }
+    }
+    /**
+     * Check NewExpression for Error with sensitive data
+     */
+    function checkNewExpression(node: TSESTree.NewExpression) {
+      if (!checkErrorMessages) {
+        return;
+      }
+      if (node.callee && node.callee.type === 'Identifier' && node.callee.name === 'Error') {
+        // Check all arguments for sensitive data (report only once per error)
+        for (const arg of node.arguments) {
+          if (arg.type === 'Literal' && typeof arg.value === 'string') {
+            const text = arg.value;
+            if (containsSensitiveData(text, sensitivePatterns)) {
+              context.report({
+                node: arg,
+                messageId: 'sensitiveDataExposure',
+                data: {
+                  context: 'error messages',
+                  dataType: 'password',
+                },
+                suggest: [
+                  { messageId: 'redactData', fix: () => null },
+                  { messageId: 'useMasking', fix: () => null },
+                  { messageId: 'removeFromLogs', fix: () => null },
+                ],
+              });
+              return; // Only report once per error
+            }
+          } else if (arg.type === 'BinaryExpression' && arg.operator === '+') {
+            // Check left side if it's a literal
+            if (arg.left && arg.left.type === 'Literal' && typeof arg.left.value === 'string') {
+              const leftText = arg.left.value;
+              if (containsSensitiveData(leftText, sensitivePatterns)) {
+                context.report({
+                  node: arg.left,
+                  messageId: 'sensitiveDataExposure',
+                  data: {
+                    context: 'error messages',
+                    dataType: 'password',
+                  },
+                  suggest: [
+                    { messageId: 'redactData', fix: () => null },
+                    { messageId: 'useMasking', fix: () => null },
+                    { messageId: 'removeFromLogs', fix: () => null },
+                  ],
+                });
+                return; // Only report once per error
+              }
+            }
+            // Check right side if it's an identifier
+            if (arg.right && arg.right.type === 'Identifier' && arg.right.name) {
+              const rightName = arg.right.name.toLowerCase();
+              if (containsSensitiveData(rightName, sensitivePatterns)) {
+                context.report({
+                  node: arg.right,
+                  messageId: 'sensitiveDataExposure',
+                  data: {
+                    context: 'error messages',
+                    dataType: 'password',
+                  },
+                  suggest: [
+                    { messageId: 'redactData', fix: () => null },
+                    { messageId: 'useMasking', fix: () => null },
+                    { messageId: 'removeFromLogs', fix: () => null },
+                  ],
+                });
+                return; // Only report once per error
+              }
+            }
+          }
+        }
+      }
+    }
+    return {
+      CallExpression: checkCallExpression,
+      NewExpression: checkNewExpression,
+    };
+  },
+});

package/src/rules/no-sensitive-data-exposure/no-sensitive-data-exposure.test.ts ADDED Viewed

@@ -0,0 +1,262 @@
+/**
+ * Comprehensive tests for no-sensitive-data-exposure rule
+ * Security: Detects PII/credentials in logs, responses, or error messages
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noSensitiveDataExposure } from './index';
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-sensitive-data-exposure', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - no sensitive data', noSensitiveDataExposure, {
+      valid: [
+        // Regular log messages
+        {
+          code: `console.log('User logged in');`,
+        },
+        {
+          code: `console.log('Hello world');`,
+        },
+        // Logger methods without sensitive data
+        {
+          code: `logger.info('Request received');`,
+        },
+        {
+          code: `logger.error('Operation failed');`,
+        },
+        {
+          code: `logger.debug('Processing started');`,
+        },
+        // Errors without sensitive data
+        {
+          code: `throw new Error('Operation failed');`,
+        },
+        {
+          code: `new Error('Invalid input');`,
+        },
+        // Variables with sensitive names not in logs
+        {
+          code: `const password = process.env.PASSWORD;`,
+        },
+        // Non-logging function calls with sensitive data (not flagged)
+        {
+          code: `processData('password value');`,
+        },
+        {
+          code: `fetch('https://api.example.com?token=abc');`,
+        },
+        // Member expression that's not console/logger
+        {
+          code: `validator.check('password field');`,
+        },
+        // Custom patterns - not matching
+        {
+          code: `console.log('Password:', password);`,
+          options: [{ sensitivePatterns: ['secret'] }],
+        },
+        // Disabled checks
+        {
+          code: `console.log('password is:', pwd);`,
+          options: [{ checkConsoleLog: false }],
+        },
+        {
+          code: `throw new Error('password error');`,
+          options: [{ checkErrorMessages: false }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Console Log', () => {
+    ruleTester.run('invalid - console.log with sensitive data', noSensitiveDataExposure, {
+      valid: [],
+      invalid: [
+        // String literal with password
+        {
+          code: `console.log('password: 123456');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with token
+        {
+          code: `console.log('API token: abc123');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with key
+        {
+          code: `console.log('secret key value');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with SSN
+        {
+          code: `console.log('SSN: 123-45-6789');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with credit
+        {
+          code: `console.log('credit card number');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // Identifier with password in name
+        {
+          code: `console.log(userPassword);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // Identifier with token in name
+        {
+          code: `console.log(apiToken);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // Identifier with key in name
+        {
+          code: `console.log(secretKey);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Logger Methods', () => {
+    ruleTester.run('invalid - logger with sensitive data', noSensitiveDataExposure, {
+      valid: [],
+      invalid: [
+        // logger.info
+        {
+          code: `logger.info('password exposed');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // logger.warn
+        {
+          code: `logger.warn('api_key: xyz');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // logger.error
+        {
+          code: `logger.error('token invalid');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // logger.debug with identifier
+        {
+          code: `logger.debug(password);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // console.warn
+        {
+          code: `console.warn('secret exposed');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // console.error
+        {
+          code: `console.error('apikey error');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // console.debug
+        {
+          code: `console.debug(apiKey);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // console.trace
+        {
+          code: `console.trace('token trace');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Identifier-based Logging', () => {
+    ruleTester.run('invalid - log() function with sensitive data', noSensitiveDataExposure, {
+      valid: [],
+      invalid: [
+        // Direct log() function call
+        {
+          code: `log('password: 123');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // customLogger() function
+        {
+          code: `customLogger('token exposed');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Error Messages', () => {
+    ruleTester.run('invalid - Error with sensitive data', noSensitiveDataExposure, {
+      valid: [],
+      invalid: [
+        // String literal with password
+        {
+          code: `throw new Error('password is invalid');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with token
+        {
+          code: `new Error('token expired');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // String literal with secret
+        {
+          code: `throw new Error('secret not found');`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // BinaryExpression with sensitive left side
+        {
+          code: `throw new Error('password: ' + value);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // BinaryExpression with sensitive right identifier
+        {
+          code: `throw new Error('Error: ' + userPassword);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // BinaryExpression with token identifier
+        {
+          code: `throw new Error('Invalid ' + apiToken);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // BinaryExpression with key identifier
+        {
+          code: `throw new Error('Missing ' + secretKey);`,
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+      ],
+    });
+  });
+  describe('Options - Custom Patterns', () => {
+    ruleTester.run('options - custom sensitive patterns', noSensitiveDataExposure, {
+      valid: [],
+      invalid: [
+        // Custom pattern: email
+        {
+          code: `console.log('user email: test@example.com');`,
+          options: [{ sensitivePatterns: ['email'] }],
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+        // Custom pattern: phone
+        {
+          code: `logger.info('phone number logged');`,
+          options: [{ sensitivePatterns: ['phone'] }],
+          errors: [{ messageId: 'sensitiveDataExposure' }],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-sensitive-data-in-analytics/index.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview Prevent PII sent to analytics
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/359.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noSensitiveDataInAnalytics = createRule<RuleOptions, MessageIds>({
+  name: 'no-sensitive-data-in-analytics',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent PII being sent to analytics services',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M6'],
+      cweIds: ['CWE-359'],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Sensitive Data in Analytics',
+        cwe: 'CWE-359',
+        description: 'Sensitive field sent to analytics - this is a privacy violation',
+        severity: 'HIGH',
+        fix: 'Remove PII from analytics tracking data',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    const sensitiveFields = ['email', 'ssn', 'creditcard', 'password', 'phone', 'address'];
+    function report(node: TSESTree.Node, field: string) {
+      context.report({ node, messageId: 'violationDetected', data: { field } });
+    }
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        // analytics.track() with sensitive data
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.object.name === 'analytics' &&
+            node.callee.property.name === 'track') {
+          const dataArg = node.arguments[1];
+          if (dataArg?.type === 'ObjectExpression') {
+            dataArg.properties.forEach(prop => {
+              if (prop.type === 'Property') {
+                const key = prop.key.name?.toLowerCase();
+                const matchedField = sensitiveFields.find(f => key?.includes(f));
+                if (matchedField) {
+                  report(prop, matchedField);
+                }
+              }
+            });
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-sensitive-data-in-analytics/no-sensitive-data-in-analytics.test.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * @fileoverview Tests for no-sensitive-data-in-analytics
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noSensitiveDataInAnalytics } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-sensitive-data-in-analytics', noSensitiveDataInAnalytics, {
+  valid: [
+    // Non-sensitive analytics
+    { code: "analytics.track('page_view', { page: '/home' })" },
+    { code: "analytics.track('click', { element: 'button', action: 'submit' })" },
+    { code: "gtag('event', 'click', { element: 'button' })" },
+    // Non-analytics code
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Email in analytics
+    { code: "analytics.track('signup', { email: user.email })", errors: [{ messageId: 'violationDetected' }] },
+    { code: "analytics.track('login', { userEmail: email })", errors: [{ messageId: 'violationDetected' }] },
+    // SSN
+    { code: "analytics.track('verify', { ssn: userSSN })", errors: [{ messageId: 'violationDetected' }] },
+    // Credit card
+    { code: "analytics.track('purchase', { creditcard: card })", errors: [{ messageId: 'violationDetected' }] },
+    // Password
+    { code: "analytics.track('auth', { password: pwd })", errors: [{ messageId: 'violationDetected' }] },
+    // Phone
+    { code: "analytics.track('contact', { phone: number })", errors: [{ messageId: 'violationDetected' }] },
+    // Address
+    { code: "analytics.track('order', { address: addr })", errors: [{ messageId: 'violationDetected' }] },
+    // Multiple sensitive fields
+    { code: "analytics.track('profile', { email: e, phone: p })", errors: [{ messageId: 'violationDetected' }, { messageId: 'violationDetected' }] },
+  ],
+});