npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-sensitive-data-in-cache/index.ts ADDED Viewed

@@ -0,0 +1,59 @@
+/**
+ * @fileoverview Prevent caching sensitive data without encryption
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/524.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const noSensitiveDataInCache = createRule<RuleOptions, MessageIds>({
+  name: 'no-sensitive-data-in-cache',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent caching sensitive data without encryption',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M9'],
+      cweIds: ["CWE-524"],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'violation Detected',
+        cwe: 'CWE-200',
+        description: 'Prevent caching sensitive data without encryption detected - Sensitive data in cache',
+        severity: 'HIGH',
+        fix: 'Review and apply secure practices',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.property.type === 'Identifier' &&
+            ['set', 'put', 'store'].includes(node.callee.property.name)) {
+          const keyArg = node.arguments[0];
+          if (keyArg && keyArg.type === 'Literal') {
+            const key = keyArg.value.toString().toLowerCase();
+            if (['password', 'token', 'credit', 'ssn'].some(k => key.includes(k))) {
+              context.report({ node, messageId: 'violationDetected' });
+            }
+          }
+        }
+      },
+    };
+  },
+});

package/src/rules/no-sensitive-data-in-cache/no-sensitive-data-in-cache.test.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * @fileoverview Tests for no-sensitive-data-in-cache
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { noSensitiveDataInCache } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('no-sensitive-data-in-cache', noSensitiveDataInCache, {
+  valid: [
+    // Non-sensitive cache operations
+    { code: "cache.set('theme', 'dark')" },
+    { code: "cache.put('language', 'en')" },
+    { code: "storage.store('settings', config)" },
+    // Non-cache calls
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Caching sensitive data
+    { code: "cache.set('password', pwd)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "cache.put('token', authToken)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "cache.store('creditCard', card)", errors: [{ messageId: 'violationDetected' }] },
+    { code: "cache.set('ssn', socialSecurity)", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/no-sql-injection/index.ts ADDED Viewed

@@ -0,0 +1,424 @@
+/**
+ * ESLint Rule: no-sql-injection
+ * Detects SQL injection vulnerabilities with LLM-optimized context
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Sanitized inputs (escape(), sanitize(), validator.escape(), etc.)
+ * - Safe JSDoc annotations (@safe, @validated, @sanitized)
+ * - ORM method calls (Prisma, TypeORM, Sequelize, Knex)
+ * - Parameterized query patterns
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import {
+  createSafetyChecker,
+  isSanitizedInput,
+  hasSafeAnnotation,
+  isOrmMethodCall,
+  type SecurityRuleOptions,
+} from '@interlace/eslint-devkit';
+type MessageIds = 'sqlInjection' | 'useParameterized' | 'useORM' | 'strategyParameterize' | 'strategyORM' | 'strategySanitize';
+export interface Options extends SecurityRuleOptions {
+  /** Allow dynamic table names in queries. Default: false (stricter) */
+  allowDynamicTableNames?: boolean;
+  /** Functions considered safe for building queries */
+  trustedFunctions?: string[];
+  /** Strategy for fixing SQL injection: 'parameterize', 'orm', 'sanitize', or 'auto' */
+  strategy?: 'parameterize' | 'orm' | 'sanitize' | 'auto';
+}
+type RuleOptions = [Options?];
+export const noSqlInjection = createRule<RuleOptions, MessageIds>({
+  name: 'no-sql-injection',
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Prevent SQL injection vulnerabilities with educational context',
+    },
+    fixable: 'code',
+    hasSuggestions: true,
+    messages: {
+      // Enterprise-grade message with auto-enriched OWASP 2025, CVSS, and compliance data
+      sqlInjection: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'SQL Injection',
+        cwe: 'CWE-89', // Auto-enriches: A05:2025, CVSS:9.8, [SOC2,PCI-DSS,HIPAA,ISO27001]
+        description: 'SQL Injection detected',
+        severity: 'CRITICAL',
+        fix: 'Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId])',
+        documentationLink: 'https://owasp.org/Top10/2025/A05_2025-Injection/',
+      }),
+      useParameterized: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Parameterized Query',
+        description: 'Use parameterized query',
+        severity: 'LOW',
+        fix: 'db.query("SELECT * FROM users WHERE id = ?", [userId])',
+        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+      }),
+      useORM: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use ORM',
+        description: 'Use ORM/Query Builder',
+        severity: 'LOW',
+        fix: 'db.user.findWhere({ id: userId })',
+        documentationLink: 'https://www.prisma.io/docs',
+      }),
+      strategyParameterize: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'Parameterize Strategy',
+        description: 'Use parameterized queries',
+        severity: 'LOW',
+        fix: 'Use ? or :name placeholders',
+        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+      }),
+      strategyORM: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'ORM Strategy',
+        description: 'Migrate to ORM for automatic protection',
+        severity: 'LOW',
+        fix: 'Use Prisma, TypeORM, or Sequelize',
+        documentationLink: 'https://www.prisma.io/docs',
+      }),
+      strategySanitize: formatLLMMessage({
+        icon: MessageIcons.STRATEGY,
+        issueName: 'Sanitize Strategy',
+        description: 'Add input sanitization (last resort)',
+        severity: 'LOW',
+        fix: 'Sanitize input as last resort',
+        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowDynamicTableNames: {
+            type: 'boolean',
+            default: false,
+          },
+          trustedFunctions: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+          },
+          strategy: {
+            type: 'string',
+            enum: ['parameterize', 'orm', 'sanitize', 'auto'],
+            default: 'auto',
+            description: 'Strategy for fixing SQL injection (auto = smart detection)'
+          },
+          // Security utilities options for false positive reduction
+          trustedSanitizers: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional function names to consider as sanitizers',
+          },
+          trustedAnnotations: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional JSDoc annotations to consider as safe markers (e.g., @safe)',
+          },
+          trustedOrmPatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional ORM patterns to consider safe',
+          },
+          strictMode: {
+            type: 'boolean',
+            default: false,
+            description: 'Disable all false positive detection (strict mode)',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowDynamicTableNames: false,
+      trustedFunctions: [],
+      strategy: 'auto',
+      trustedSanitizers: [],
+      trustedAnnotations: [],
+      trustedOrmPatterns: [],
+      strictMode: false,
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
+    const opts = context.options[0] || {};
+    const {
+      allowDynamicTableNames = false,
+      trustedSanitizers = [],
+      trustedAnnotations = [],
+      trustedOrmPatterns = [],
+      strictMode = false,
+    } = opts;
+    const sourceCode = context.sourceCode || context.sourceCode;
+    const filename = context.filename || context.getFilename();
+    // Create safety checker for false positive detection
+    const safetyChecker = createSafetyChecker({
+      trustedSanitizers,
+      trustedAnnotations,
+      trustedOrmPatterns,
+      strictMode,
+    });
+    /**
+     * Check if a node contains SQL keywords
+     */
+    const containsSQLKeywords = (node: TSESTree.Node): boolean => {
+      // Use getText for all node types - it works correctly for template literals
+      const text = sourceCode.getText(node).toLowerCase();
+      const sqlKeywords = [
+        'select',
+        'insert',
+        'update',
+        'delete',
+        'drop',
+        'create',
+        'alter',
+        'exec',
+        'execute',
+      ];
+      return sqlKeywords.some((keyword) => text.includes(keyword));
+    };
+    /**
+     * Check if string interpolation contains user input
+     */
+    const containsUnsafeInterpolation = (
+      node: TSESTree.TemplateLiteral | TSESTree.BinaryExpression
+    ): boolean => {
+      if (node.type === 'TemplateLiteral') {
+        // Template literal with expressions is potentially unsafe
+        return node.expressions.length > 0;
+      }
+      if (node.type === 'BinaryExpression' && node.operator === '+') {
+        // String concatenation with variables is unsafe
+        return (
+          node.left.type !== 'Literal' || node.right.type !== 'Literal'
+        );
+      }
+      return false;
+    };
+    /**
+     * Check if template literal only has dynamic table name (if option allows it)
+     */
+    const isOnlyDynamicTableName = (node: TSESTree.TemplateLiteral): boolean => {
+      if (!allowDynamicTableNames) {
+        return false;
+      }
+      // Must have exactly one expression (the table name)
+      if (node.expressions.length !== 1) {
+        return false;
+      }
+      // Check if the pattern is just "SELECT * FROM ${tableName}" (no WHERE clause)
+      // sourceCode.getText(node) returns the template literal with backticks
+      const text = sourceCode.getText(node).toLowerCase();
+      // Pattern: `SELECT * FROM ${tableName}` - must match the full template literal
+      // The text will be like: `select * from ${tablename}`
+      const tableNameOnlyPattern = /^`select\s+\*\s+from\s+\$\{[^}]+\}`$/;
+      // Also check if it has WHERE or other clauses (still unsafe)
+      const hasWhereOrOtherClauses = /where|order\s+by|group\s+by|having|limit|offset/i.test(text);
+      return !hasWhereOrOtherClauses && tableNameOnlyPattern.test(text);
+    };
+    /**
+     * Check if all interpolated expressions in a template literal are safe
+     */
+    /* c8 ignore start -- safetyChecker.isSafe and sanitization checks require JSDoc annotations not testable via RuleTester */
+    const areAllExpressionsSafe = (node: TSESTree.TemplateLiteral): boolean => {
+      return node.expressions.every((expr: TSESTree.Expression) => {
+        // Check if the expression is sanitized or has safe annotation
+        if (safetyChecker.isSafe(expr, context)) {
+          return true;
+        }
+        // Check if expression is from a sanitization call directly
+        if (isSanitizedInput(expr, context, trustedSanitizers)) {
+          return true;
+        }
+        return false;
+      });
+    };
+    /* c8 ignore stop */
+    /**
+     * Find the parent statement (VariableDeclaration, ExpressionStatement, etc.)
+     */
+    const findParentStatement = (node: TSESTree.Node): TSESTree.Node | null => {
+      let current: TSESTree.Node | undefined = node;
+      while (current?.parent) {
+        if (
+          current.parent.type === 'VariableDeclaration' ||
+          current.parent.type === 'ExpressionStatement' ||
+          current.parent.type === 'ReturnStatement'
+        ) {
+          return current.parent;
+        }
+        current = current.parent;
+      }
+      return null;
+    };
+    /**
+     * Check if the parent call is using an ORM or parameterized query
+     */
+    /* c8 ignore start -- isOrmMethodCall and hasSafeAnnotation require context patterns not testable via RuleTester */
+    const isInSafeContext = (node: TSESTree.Node): boolean => {
+      // Check if parent is an ORM call
+      let current: TSESTree.Node | undefined = node;
+      while (current) {
+        if (current.type === 'CallExpression') {
+          if (isOrmMethodCall(current, context, trustedOrmPatterns)) {
+            return true;
+          }
+        }
+        current = current.parent as TSESTree.Node | undefined;
+      }
+      // Check for safe annotation on containing function
+      if (hasSafeAnnotation(node, context, trustedAnnotations)) {
+        return true;
+      }
+      return false;
+    };
+    /* c8 ignore stop */
+    return {
+      // Check template literals
+      TemplateLiteral(node: TSESTree.TemplateLiteral) {
+        if (
+          !containsSQLKeywords(node) ||
+          !containsUnsafeInterpolation(node)
+        ) {
+          return;
+        }
+        // Allow dynamic table names if option is set and it's only a table name
+        if (isOnlyDynamicTableName(node)) {
+          return;
+        }
+        // FALSE POSITIVE REDUCTION:
+        // Skip if all interpolated expressions are sanitized
+        if (areAllExpressionsSafe(node)) {
+          return;
+        }
+        // Skip if in a safe context (ORM call, @safe annotation)
+        if (isInSafeContext(node)) {
+          return;
+        }
+        const queryText = sourceCode.getText(node);
+        // Find the parent statement to understand context
+        const parentStatement = findParentStatement(node);
+        const isInVariableDeclaration = parentStatement?.type === 'VariableDeclaration';
+        context.report({
+          node,
+          messageId: 'sqlInjection',
+          data: {
+            filePath: filename,
+            line: String(node.loc?.start.line ?? 0),
+          },
+          suggest: [
+            {
+              messageId: 'useParameterized',
+              fix: (fixer: TSESLint.RuleFixer) => {
+                // Generate parameterized version
+                const params: string[] = [];
+                let paramIndex = 1;
+                const parameterized = queryText.replace(
+                  /\$\{([^}]+)\}/g,
+                  (_: string, expr: string) => {
+                    params.push(expr);
+                    return `$${paramIndex++}`;
+                  }
+                );
+                // If assigned to a variable, wrap in db.query() call
+                // This produces valid JavaScript syntax
+                if (isInVariableDeclaration && parentStatement) {
+                  return fixer.replaceText(
+                    parentStatement,
+                    `${sourceCode.getText(parentStatement).split('=')[0].trim()} = db.query(${parameterized}, [${params.join(', ')}])`
+                  );
+                }
+                // For standalone template literals, wrap in db.query()
+                return fixer.replaceText(
+                  node,
+                  `db.query(${parameterized}, [${params.join(', ')}])`
+                );
+              },
+            },
+          ],
+        });
+      },
+      // Check binary expressions (string concatenation)
+      BinaryExpression(node: TSESTree.BinaryExpression) {
+        if (node.operator !== '+') return;
+        if (!containsSQLKeywords(node)) return;
+        if (!containsUnsafeInterpolation(node)) return;
+        // FALSE POSITIVE REDUCTION:
+        // Check if in a safe context (ORM call, @safe annotation)
+        if (isInSafeContext(node)) {
+          return;
+        }
+        // Check if concatenated values are sanitized
+        const checkSide = (side: TSESTree.Node): boolean => {
+          if (side.type === 'Literal') return true;
+          return safetyChecker.isSafe(side, context);
+        };
+        if (checkSide(node.left) && checkSide(node.right)) {
+          return;
+        }
+        context.report({
+          node,
+          messageId: 'sqlInjection',
+          data: {
+            filePath: filename,
+            line: String(node.loc?.start.line ?? 0),
+          },
+        });
+      },
+    };
+  },
+});