npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-unencrypted-transmission/index.ts ADDED Viewed

@@ -0,0 +1,296 @@
+/**
+ * ESLint Rule: no-unencrypted-transmission
+ * Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)
+ * CWE-319: Cleartext Transmission of Sensitive Information
+ *
+ * @see https://cwe.mitre.org/data/definitions/319.html
+ * @see https://owasp.org/www-community/vulnerabilities/Insecure_Transport
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'unencryptedTransmission' | 'useHttps';
+export interface Options {
+  /** Allow unencrypted transmission in test files. Default: false */
+  allowInTests?: boolean;
+  /** Insecure protocol patterns. Default: ['http://', 'ws://', 'ftp://', 'tcp://', 'mongodb://', 'redis://', 'mysql://'] */
+  insecureProtocols?: string[];
+  /** Secure protocol alternatives mapping. Default: { 'http://': 'https://', 'ws://': 'wss://', ... } */
+  secureAlternatives?: Record<string, string>;
+  /** Additional safe patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Default insecure protocol patterns
+ */
+const DEFAULT_INSECURE_PROTOCOLS = [
+  'http://',
+  'ws://',
+  'ftp://',
+  'tcp://',
+  'mongodb://',
+  'redis://',
+  'mysql://',
+];
+/**
+ * Secure protocol alternatives
+ */
+const SECURE_ALTERNATIVES: Record<string, string> = {
+  'http://': 'https://',
+  'ws://': 'wss://',
+  'ftp://': 'ftps://',
+  'tcp://': 'tls://',
+  'mongodb://': 'mongodb+srv://',
+  'redis://': 'rediss://',
+  'mysql://': 'mysqls://',
+};
+/**
+ * Check if a string contains insecure protocol
+ */
+function containsInsecureProtocol(
+  value: string,
+  insecureProtocols: string[],
+  secureAlternatives: Record<string, string>
+): { isInsecure: boolean; protocol: string } {
+  const lowerValue = value.toLowerCase();
+  for (const protocol of insecureProtocols) {
+    const lowerProtocol = protocol.toLowerCase();
+    // Check if the protocol appears in the value (as a URL scheme)
+    if (lowerValue.includes(lowerProtocol)) {
+      // Check if it's not already using the secure version
+      const secureAlternative = secureAlternatives[lowerProtocol];
+      if (secureAlternative) {
+        // Only report if secure version is not present
+        if (!lowerValue.includes(secureAlternative.toLowerCase())) {
+          return { isInsecure: true, protocol };
+        }
+      } else {
+        // No secure alternative defined, so it's insecure
+        return { isInsecure: true, protocol };
+      }
+    }
+  }
+  return { isInsecure: false, protocol: '' };
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+/* c8 ignore start -- ignore-pattern matching is defensive */
+function matchesIgnorePattern(text: string, patterns: string[]): boolean {
+  return patterns.some(pattern => {
+    try {
+      const regex = new RegExp(pattern, 'i');
+      return regex.test(text);
+    } catch {
+      return false;
+    }
+  });
+}
+/* c8 ignore stop */
+export const noUnencryptedTransmission = createRule<RuleOptions, MessageIds>({
+  name: 'no-unencrypted-transmission',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)',
+    },
+    hasSuggestions: true,
+    messages: {
+      unencryptedTransmission: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Unencrypted Transmission',
+        cwe: 'CWE-319',
+        description: 'Unencrypted transmission detected: {{issue}}',
+        severity: 'HIGH',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+      }),
+      useHttps: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use HTTPS',
+        description: 'Use secure protocol',
+        severity: 'LOW',
+        fix: 'Replace http:// with https://',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow unencrypted transmission in test files',
+          },
+          insecureProtocols: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Insecure protocol patterns to detect',
+          },
+          secureAlternatives: {
+            type: 'object',
+            additionalProperties: { type: 'string' },
+            default: {},
+            description: 'Mapping of insecure protocols to their secure alternatives',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional safe patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      insecureProtocols: [],
+      secureAlternatives: {},
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      insecureProtocols,
+      secureAlternatives,
+      ignorePatterns = [],
+    } = options as Options;
+    const protocolsToCheck = insecureProtocols && insecureProtocols.length > 0
+      ? insecureProtocols
+      : DEFAULT_INSECURE_PROTOCOLS;
+    // Merge user-provided secure alternatives with defaults
+    const secureAlternativesToUse = secureAlternatives && Object.keys(secureAlternatives).length > 0
+      ? { ...SECURE_ALTERNATIVES, ...secureAlternatives }
+      : SECURE_ALTERNATIVES;
+    const filename = context.getFilename();
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    const sourceCode = context.sourceCode || context.sourceCode;
+    function checkLiteral(node: TSESTree.Literal) {
+      if (typeof node.value !== 'string') {
+        return;
+      }
+      const value = node.value;
+      const text = sourceCode.getText(node);
+      // Check if it matches any ignore pattern
+      if (matchesIgnorePattern(text, ignorePatterns)) {
+        return;
+      }
+      // Skip test files (allow localhost in test files)
+      if (isTestFile) {
+        // Only allow localhost URLs in test files
+        if (text.includes('localhost')) {
+          return;
+        }
+        // For other URLs in test files, still check them
+      }
+      const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+      if (isInsecure) {
+        // Allow localhost URLs in test files
+        if (isTestFile && text.includes('localhost')) {
+          return;
+        }
+        const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+        const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+        context.report({
+          node,
+          messageId: 'unencryptedTransmission',
+          data: {
+            issue: `using insecure protocol ${protocol}`,
+            safeAlternative,
+          },
+          suggest: [
+              {
+                messageId: 'useHttps',
+                data: {
+                  protocol,
+                  secureProtocol,
+                },
+                fix(fixer: TSESLint.RuleFixer) {
+                  if (secureProtocol && secureProtocol !== 'secure protocol') {
+                    // Replace the insecure protocol with secure one
+                    const newValue = value.replace(new RegExp(protocol.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi'), secureProtocol);
+                    return fixer.replaceText(node, JSON.stringify(newValue));
+                  }
+                  return null;
+                },
+            },
+          ],
+        });
+      }
+    }
+    function checkTemplateLiteral(node: TSESTree.TemplateLiteral) {
+      if (isTestFile) {
+        return;
+      }
+      const text = sourceCode.getText(node);
+      // Check if it matches any ignore pattern
+      if (matchesIgnorePattern(text, ignorePatterns)) {
+        return;
+      }
+      // Check each quasis (static parts) and expressions
+      for (const quasi of node.quasis) {
+        const value = quasi.value.raw;
+        const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+        if (isInsecure) {
+          const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+          const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+          context.report({
+            node: quasi,
+            messageId: 'unencryptedTransmission',
+            data: {
+              issue: `using insecure protocol ${protocol} in template literal`,
+              safeAlternative,
+            },
+            // Don't provide auto-fix for template literals (too risky - might break interpolation)
+          });
+        }
+      }
+    }
+    return {
+      Literal: checkLiteral,
+      TemplateLiteral: checkTemplateLiteral,
+    };
+  },
+});

package/src/rules/no-unencrypted-transmission/no-unencrypted-transmission.test.ts ADDED Viewed

@@ -0,0 +1,287 @@
+/**
+ * Comprehensive tests for no-unencrypted-transmission rule
+ * CWE-319: Cleartext Transmission of Sensitive Information
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noUnencryptedTransmission } from './index';
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-unencrypted-transmission', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - secure protocols', noUnencryptedTransmission, {
+      valid: [
+        // HTTPS
+        {
+          code: 'const url = "https://api.example.com";',
+        },
+        {
+          code: 'fetch("https://api.example.com/data");',
+        },
+        // WSS
+        {
+          code: 'const ws = new WebSocket("wss://example.com");',
+        },
+        // Secure database connections
+        {
+          code: 'const db = "mongodb+srv://user:pass@cluster.mongodb.net";',
+        },
+        {
+          code: 'const redis = "rediss://localhost:6379";',
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'const url = "http://localhost:3000";',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - HTTP', () => {
+    ruleTester.run('invalid - HTTP protocol', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = "http://api.example.com";',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol http://',
+                safeAlternative: 'Use https:// instead of http://',
+              },
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  data: {
+                    protocol: 'http://',
+                    secureProtocol: 'https://',
+                  },
+                  output: 'const url = "https://api.example.com";',
+                },
+              ],
+            },
+          ],
+        },
+        {
+          code: 'fetch("http://api.example.com/data");',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol http://',
+                safeAlternative: 'Use https:// instead of http://',
+              },
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  data: {
+                    protocol: 'http://',
+                    secureProtocol: 'https://',
+                  },
+                  output: 'fetch("https://api.example.com/data");',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - WebSocket', () => {
+    ruleTester.run('invalid - WS protocol', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const ws = new WebSocket("ws://example.com");',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol ws://',
+                safeAlternative: 'Use wss:// instead of ws://',
+              },
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  data: {
+                    protocol: 'ws://',
+                    secureProtocol: 'wss://',
+                  },
+                  output: 'const ws = new WebSocket("wss://example.com");',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Database Connections', () => {
+    ruleTester.run('invalid - unencrypted database', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const db = "mongodb://user:pass@localhost:27017";',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol mongodb://',
+                safeAlternative: 'Use mongodb+srv:// instead of mongodb://',
+              },
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  data: {
+                    protocol: 'mongodb://',
+                    secureProtocol: 'mongodb+srv://',
+                  },
+                  output: 'const db = "mongodb+srv://user:pass@localhost:27017";',
+                },
+              ],
+            },
+          ],
+        },
+        {
+          code: 'const redis = "redis://localhost:6379";',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol redis://',
+                safeAlternative: 'Use rediss:// instead of redis://',
+              },
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  data: {
+                    protocol: 'redis://',
+                    secureProtocol: 'rediss://',
+                  },
+                  output: 'const redis = "rediss://localhost:6379";',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Template Literals', () => {
+    ruleTester.run('invalid - insecure protocol in template', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = `http://${host}/api`;',
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              data: {
+                issue: 'using insecure protocol http:// in template literal',
+                safeAlternative: 'Use https:// instead of http://',
+              },
+              suggestions: undefined,
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Options Coverage', () => {
+    ruleTester.run('options - allowInTests still blocks non-localhost', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = "http://staging.example.com";',
+          filename: 'example.spec.ts',
+          options: [{ allowInTests: true }],
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  output: 'const url = "https://staging.example.com";',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - ignorePatterns skip insecure literal', noUnencryptedTransmission, {
+      valid: [
+        {
+          code: 'const url = "http://internal.example.com";',
+          options: [{ ignorePatterns: ['internal'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - custom insecure protocols', noUnencryptedTransmission, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const smtp = "smtp://mail.example.com";',
+          options: [
+            {
+              insecureProtocols: ['smtp://'],
+              secureAlternatives: { 'smtp://': 'smtps://' },
+            },
+          ],
+          errors: [
+            {
+              messageId: 'unencryptedTransmission',
+              suggestions: [
+                {
+                  messageId: 'useHttps',
+                  output: 'const smtp = "smtps://mail.example.com";',
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - template literal in test file skipped', noUnencryptedTransmission, {
+      valid: [
+        {
+          code: 'const url = `http://${host}/api`;',
+          filename: 'transport.test.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+});