npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-timing-attack/no-timing-attack.test.ts ADDED Viewed

@@ -0,0 +1,348 @@
+/**
+ * Comprehensive tests for no-timing-attack rule
+ * Security: CWE-208 (Timing Attack)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noTimingAttack } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-timing-attack', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - secure timing practices', noTimingAttack, {
+      valid: [
+        // Timing-safe comparisons
+        {
+          code: 'crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));',
+        },
+        // Non-sensitive comparisons
+        {
+          code: 'if (user.name === "admin") return true;',
+        },
+        // Safe early returns in non-auth contexts
+        {
+          code: `
+            function validateEmail(email) {
+              if (!email) return false;
+              return email.includes('@');
+            }
+          `,
+        },
+        // Non-auth function with includes() check - should NOT be flagged
+        {
+          code: `
+            const VALID_KEYS = ['name', 'email', 'age'];
+            function getField(obj, key) {
+              if (VALID_KEYS.includes(key)) {
+                return obj[key];
+              }
+            }
+          `,
+        },
+        // Non-auth function with hasOwnProperty check - should NOT be flagged
+        {
+          code: `
+            function safeGet(obj, key) {
+              if (Object.prototype.hasOwnProperty.call(obj, key)) {
+                return obj[key];
+              }
+            }
+          `,
+        },
+        // Timing-safe libraries
+        {
+          code: 'const bcrypt = require("bcrypt"); bcrypt.compare(password, hash);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Insecure Comparisons', () => {
+    ruleTester.run('invalid - insecure string comparisons', noTimingAttack, {
+      valid: [],
+      invalid: [
+        {
+          code: 'if (userInput === storedPassword) authenticate();',
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+        {
+          code: 'if (token == storedToken) return true;',
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+        {
+          code: 'const isValid = providedSecret === actualSecret;',
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+        {
+          code: `
+            if (providedSecret === actualSecret) {
+              return true;
+            }
+          `,
+          options: [{ allowEarlyReturns: true }],
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Early Return Leakage', () => {
+    ruleTester.run('invalid - early returns in auth functions', noTimingAttack, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            function authenticate(password) {
+              if (!password) return false;
+              return checkPassword(password);
+            }
+          `,
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+        {
+          code: `
+            function verifyToken(token) {
+              if (!token) return false;
+              return validateToken(token);
+            }
+          `,
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+        {
+          code: `
+            function login(credentials) {
+              if (!credentials.password) return false;
+              return authenticateUser(credentials);
+            }
+          `,
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Timing Attacks', () => {
+    ruleTester.run('invalid - timing-sensitive operations', noTimingAttack, {
+      valid: [],
+      invalid: [
+        {
+          code: 'someObject.equals(userInput, storedSecret);',
+          errors: [
+            {
+              messageId: 'timingAttack',
+            },
+          ],
+        },
+        {
+          code: 'password.compare(inputPassword);',
+          errors: [
+            {
+              messageId: 'timingAttack',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noTimingAttack, {
+      valid: [
+        // Safe annotations
+        {
+          code: `
+            /** @timing-safe */
+            if (userInput === storedPassword) authenticate();
+          `,
+        },
+        // Sanitized inputs
+        {
+          code: `
+            const cleanInput = sanitize(userInput);
+            if (cleanInput === storedPassword) authenticate();
+          `,
+        },
+        // Non-sensitive data
+        {
+          code: `
+            const user = { name: 'john' };
+            if (user.name === 'admin') return true;
+          `,
+        },
+        // Early returns allowed in config
+        {
+          code: `
+            function authenticate(password) {
+              if (!password) return false;
+              return checkPassword(password);
+            }
+          `,
+          options: [{ allowEarlyReturns: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - custom auth functions', noTimingAttack, {
+      valid: [
+        // No valid cases - configured auth functions still get checked
+      ],
+      invalid: [
+        {
+          code: `
+            function myAuth(password) {
+              if (!password) return false;
+              return true;
+            }
+          `,
+          options: [{ authFunctions: ['myAuth'] }],
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+        {
+          code: `
+            function myAuth(password) {
+              if (!password) return false;
+              return true;
+            }
+          `,
+          options: [{ authFunctions: ['differentAuth'] }],
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('config - custom sensitive variables', noTimingAttack, {
+      valid: [
+        // Valid cases would be comparisons that don't involve sensitive data
+        {
+          code: 'if (normalVar === otherVar) return true;',
+          options: [{ sensitiveVariables: ['customToken'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'if (mySecret === otherSecret) return true;',
+          options: [{ sensitiveVariables: ['mySecret'] }],
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+        {
+          code: 'if (customToken === storedToken) return true;',
+          options: [{ sensitiveVariables: ['customToken'] }],
+          errors: [
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Complex Authentication Scenarios', () => {
+    ruleTester.run('complex - authentication functions', noTimingAttack, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            function login(username, password) {
+              const user = findUser(username);
+              if (!user) return false; // Timing leak!
+              if (user.password === password) {
+                return true;
+              }
+              return false;
+            }
+          `,
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+            {
+              messageId: 'insecureStringComparison',
+            },
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+          ],
+        },
+        {
+          code: `
+            function verifyToken(token) {
+              if (!token || token.length < 10) return false; // Timing leak!
+              const storedToken = getStoredToken();
+              return token === storedToken; // Insecure comparison
+            }
+          `,
+          errors: [
+            {
+              messageId: 'earlyReturnLeakage',
+            },
+            {
+              messageId: 'insecureStringComparison',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-toctou-vulnerability/index.ts ADDED Viewed

@@ -0,0 +1,250 @@
+/**
+ * ESLint Rule: no-toctou-vulnerability
+ * Detects Time-of-Check-Time-of-Use vulnerabilities
+ * CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
+ *
+ * @see https://cwe.mitre.org/data/definitions/367.html
+ * @see https://owasp.org/www-community/vulnerabilities/TOCTOU_Race_Condition
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds =
+  | 'toctouVulnerability'
+  | 'useAtomicOperations'
+  | 'useFsPromises'
+  | 'addProperLocking';
+export interface Options {
+  /** Ignore in test files. Default: true */
+  ignoreInTests?: boolean;
+  /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
+  fsMethods?: string[];
+}
+type RuleOptions = [Options?];
+export const noToctouVulnerability = createRule<RuleOptions, MessageIds>({
+  name: 'no-toctou-vulnerability',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
+    },
+    hasSuggestions: true,
+    messages: {
+      toctouVulnerability: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'TOCTOU vulnerability',
+        cwe: 'CWE-367',
+        description: 'Time-of-check Time-of-use race condition detected',
+        severity: 'HIGH',
+        fix: 'Use atomic operations or fs.promises for file operations',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
+      }),
+      useAtomicOperations: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use Atomic Operations',
+        description: 'Use atomic file operations',
+        severity: 'LOW',
+        fix: 'fs.promises.access() then fs.promises.readFile()',
+        documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
+      }),
+      useFsPromises: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use fs.promises',
+        description: 'Use fs.promises API',
+        severity: 'LOW',
+        fix: 'await fs.promises.readFile() instead of sync operations',
+        documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
+      }),
+      addProperLocking: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Add File Locking',
+        description: 'Add proper locking mechanism',
+        severity: 'LOW',
+        fix: 'Use proper-lockfile or similar for concurrent access',
+        documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          ignoreInTests: {
+            type: 'boolean',
+            default: true,
+          },
+          fsMethods: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      ignoreInTests: true,
+      fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>, [options = {}]) {
+    const {
+ignoreInTests = true
+}: Options = options || {};
+    const filename = context.getFilename();
+    const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    if (isTestFile) {
+      return {};
+    }
+    const sourceCode = context.sourceCode || context.sourceCode;
+    /**
+     * Check for TOCTOU patterns
+     */
+    function checkCallExpression(node: TSESTree.CallExpression) {
+      // 1. Identify the file operation (Use)
+      let useMethodName = '';
+      if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
+        const objectName = node.callee.object.type === 'Identifier' ? node.callee.object.name : '';
+        if (objectName === 'fs' || objectName === 'fsPromises') {
+           useMethodName = node.callee.property.name;
+        }
+      } else if (node.callee.type === 'Identifier') {
+        useMethodName = node.callee.name;
+      }
+      const riskyUseMethods = ['readFileSync', 'writeFileSync', 'readFile', 'writeFile', 'openSync', 'open', 'unlinkSync', 'unlink'];
+      if (!riskyUseMethods.includes(useMethodName)) {
+        return;
+      }
+      const useArg = node.arguments[0];
+      if (!useArg) return;
+      // 2. Walk up to find the condition (Check)
+      let current: TSESTree.Node | undefined = node.parent;
+      while (current) {
+        if (current.type === 'IfStatement') {
+          // Extract the condition node
+          let condition = current.test;
+          // Handle negated condition: if (!exists(path)) { create(path) } -> also TOCTOU but different logic?
+          // Actually TOCTOU is usually Check(exists) -> Use(read).
+          // If (!exists) -> create is Check -> Use.
+          // But strict TOCTOU is checking state then acting.
+          // If checking for negation
+          if (condition.type === 'UnaryExpression' && condition.operator === '!') {
+             condition = condition.argument;
+          }
+          if (condition.type === 'CallExpression') {
+             // Check if it's a file check method
+             let checkMethodName = '';
+             if (condition.callee.type === 'MemberExpression' && condition.callee.property.type === 'Identifier') {
+                checkMethodName = condition.callee.property.name;
+             } else if (condition.callee.type === 'Identifier') {
+                checkMethodName = condition.callee.name;
+             }
+             const checkMethods = ['existsSync', 'statSync', 'accessSync', 'exists', 'stat', 'access'];
+             if (checkMethods.includes(checkMethodName)) {
+                // Compare arguments
+                const checkArg = condition.arguments[0];
+                if (checkArg) {
+                    // Method 1: Identifier match (same variable)
+                    if (checkArg.type === 'Identifier' && useArg.type === 'Identifier' && checkArg.name === useArg.name) {
+                        reportToctou(node);
+                        return;
+                    }
+                    // Method 2: Text match (fallback)
+                    const checkArgText = sourceCode.getText(checkArg).replace(/\s/g, '');
+                    const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                    if (checkArgText === useArgText) {
+                        reportToctou(node);
+                        return;
+                    }
+                }
+             }
+             // Handle stats.isFile() / stats.isDirectory() pattern
+             if (condition.callee.type === 'MemberExpression' &&
+                 condition.callee.property.type === 'Identifier' &&
+                 ['isFile', 'isDirectory'].includes(condition.callee.property.name) &&
+                 condition.callee.object.type === 'Identifier') {
+                 const statsVarName = condition.callee.object.name;
+                 let currentScope = sourceCode.getScope(condition);
+                 let variable = null;
+                 while (currentScope) {
+                     variable = currentScope.variables.find(v => v.name === statsVarName);
+                     if (variable) break;
+                     currentScope = currentScope.upper;
+                 }
+                 if (variable && variable.defs.length > 0) {
+                     const def = variable.defs[0];
+                     if (def.type === 'Variable' && def.node.init && def.node.init.type === 'CallExpression') {
+                         const init = def.node.init;
+                         if (init.callee.type === 'MemberExpression' &&
+                             init.callee.property.type === 'Identifier' &&
+                             ['statSync', 'lstatSync', 'stat', 'lstat'].includes(init.callee.property.name)) {
+                                 const statArg = init.arguments[0];
+                                 if (statArg) {
+                                     const checkArgText = sourceCode.getText(statArg).replace(/\s/g, '');
+                                     const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                                     if (checkArgText === useArgText) {
+                                         reportToctou(node);
+                                         return;
+                                     }
+                                 }
+                         }
+                     }
+                 }
+             }
+          }
+        }
+        current = current.parent as TSESTree.Node;
+      }
+    }
+    function reportToctou(node: TSESTree.Node) {
+       context.report({
+        node,
+        messageId: 'toctouVulnerability',
+        suggest: [
+          {
+            messageId: 'useAtomicOperations',
+            fix: () => null,
+          },
+          {
+            messageId: 'useFsPromises',
+            fix: () => null,
+          },
+          {
+            messageId: 'addProperLocking',
+            fix: () => null,
+          },
+        ],
+      });
+    }
+    return {
+      CallExpression: checkCallExpression,
+    };
+  },
+});

package/src/rules/no-toctou-vulnerability/no-toctou-vulnerability.test.ts ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * Tests for no-toctou-vulnerability rule
+ * Security: CWE-367 (Time-of-Check Time-of-Use)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noToctouVulnerability } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-toctou-vulnerability', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - safe file operations', noToctouVulnerability, {
+      valid: [
+        'const data = fs.readFileSync("file.txt");',
+        'fs.writeFileSync("output.txt", buffer);',
+        'const stats = fs.statSync("file.txt");',
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - TOCTOU Vulnerabilities', () => {
+    ruleTester.run('invalid - check-then-use patterns', noToctouVulnerability, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            if (fs.existsSync("file.txt")) {
+              const data = fs.readFileSync("file.txt");
+            }
+          `,
+          errors: [{ messageId: 'toctouVulnerability' }],
+        },
+        {
+          code: `
+            const stats = fs.statSync("file.txt");
+            if (stats.isFile()) {
+              fs.unlinkSync("file.txt");
+            }
+          `,
+          errors: [{ messageId: 'toctouVulnerability' }],
+        },
+      ],
+    });
+  });
+});