npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-unescaped-url-parameter/index.ts ADDED Viewed

@@ -0,0 +1,424 @@
+/**
+ * ESLint Rule: no-unescaped-url-parameter
+ * Detects unescaped URL parameters
+ * CWE-79: Cross-site Scripting (XSS)
+ *
+ * @see https://cwe.mitre.org/data/definitions/79.html
+ * @see https://owasp.org/www-community/attacks/xss/
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'unescapedUrlParameter' | 'useEncodeURIComponent' | 'useURLSearchParams';
+export interface Options {
+  /** Allow unescaped URL parameters in test files. Default: false */
+  allowInTests?: boolean;
+  /** Trusted URL construction libraries. Default: ['url', 'querystring'] */
+  trustedLibraries?: string[];
+  /** Additional safe patterns to ignore. Default: [] */
+  ignorePatterns?: string[];
+}
+type RuleOptions = [Options?];
+/**
+ * Check if a node is inside a URL encoding function call
+ */
+function isInsideEncodingCall(
+  node: TSESTree.Node,
+  sourceCode: TSESLint.SourceCode,
+  trustedLibraries: string[]
+): boolean {
+  let current: TSESTree.Node | null = node;
+  while (current) {
+    if (current.type === 'CallExpression') {
+      const callee = current.callee;
+      // Check for encodeURIComponent, encodeURI
+      if (callee.type === 'Identifier') {
+        const calleeName = callee.name;
+        if (['encodeURIComponent', 'encodeURI', 'escape'].includes(calleeName)) {
+          return true;
+        }
+      }
+      // Check if it's a trusted library call
+      if (callee.type === 'MemberExpression') {
+        const object = callee.object;
+        if (object.type === 'Identifier') {
+          const objectName = object.name.toLowerCase();
+          if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
+            return true;
+          }
+        }
+      }
+    }
+    // Traverse up the AST
+    if ('parent' in current && current.parent) {
+      current = current.parent as TSESTree.Node;
+    } else {
+      break;
+    }
+  }
+  return false;
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text: string, ignorePatterns: string[]): boolean {
+  return ignorePatterns.some(pattern => {
+    try {
+      const regex = new RegExp(pattern, 'i');
+      return regex.test(text);
+    } catch {
+      return false;
+    }
+  });
+}
+/**
+ * Check if a node is a URL construction pattern
+ */
+function isUrlConstruction(node: TSESTree.Node, sourceCode: TSESLint.SourceCode): boolean {
+  let text = sourceCode.getText(node);
+  // For template literals, combine raw strings to improve pattern detection
+  if (node.type === 'TemplateLiteral') {
+    text = node.quasis.map(q => q.value.raw).join('');
+  }
+  // Check for URL construction patterns
+  const urlPatterns = [
+    /\bhttps?:\/\//,  // HTTP/HTTPS URLs
+    /\bnew\s+URL\s*\(/,
+    /\burl\s*[=:]\s*/,  // url = or url:
+    /\burl\s*\+/,  // url +
+    /\bwindow\.location/,
+    /\blocation\.href/,
+    /\bwindow\.open\s*\(/,
+    /\?[^=]+=/,  // Query parameters
+  ];
+  return urlPatterns.some(pattern => pattern.test(text));
+}
+export const noUnescapedUrlParameter = createRule<RuleOptions, MessageIds>({
+  name: 'no-unescaped-url-parameter',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Detects unescaped URL parameters',
+    },
+    hasSuggestions: true,
+    messages: {
+      unescapedUrlParameter: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Unescaped URL Parameter',
+        cwe: 'CWE-79',
+        description: 'Unescaped URL parameter detected: {{parameter}}',
+        severity: 'HIGH',
+        fix: '{{safeAlternative}}',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
+      }),
+      useEncodeURIComponent: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use encodeURIComponent',
+        description: 'Use encodeURIComponent for URL params',
+        severity: 'LOW',
+        fix: '`https://example.com?q=${encodeURIComponent(param)}`',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent',
+      }),
+      useURLSearchParams: formatLLMMessage({
+        icon: MessageIcons.INFO,
+        issueName: 'Use URLSearchParams',
+        description: 'Use URLSearchParams for safe URL construction',
+        severity: 'LOW',
+        fix: 'new URLSearchParams({ q: param }).toString()',
+        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowInTests: {
+            type: 'boolean',
+            default: false,
+            description: 'Allow unescaped URL parameters in test files',
+          },
+          trustedLibraries: {
+            type: 'array',
+            items: { type: 'string' },
+            default: ['url', 'querystring'],
+            description: 'Trusted URL construction libraries',
+          },
+          ignorePatterns: {
+            type: 'array',
+            items: { type: 'string' },
+            default: [],
+            description: 'Additional safe patterns to ignore',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowInTests: false,
+      trustedLibraries: ['url', 'querystring'],
+      ignorePatterns: [],
+    },
+  ],
+  create(
+    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
+    [options = {}]
+  ) {
+    const {
+      allowInTests = false,
+      trustedLibraries = ['url', 'querystring'],
+      ignorePatterns = [],
+    } = options as Options;
+    const filename = context.getFilename();
+    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+    const sourceCode = context.sourceCode || context.sourceCode;
+    function checkTemplateLiteral(node: TSESTree.TemplateLiteral) {
+      if (isTestFile) {
+        return;
+      }
+      // Check if this is a URL construction
+      if (!isUrlConstruction(node, sourceCode)) {
+        return;
+      }
+      // Check each expression in the template
+      for (const expression of node.expressions) {
+        const text = sourceCode.getText(expression);
+        // Check if it matches any ignore pattern
+        if (matchesIgnorePattern(text, ignorePatterns)) {
+          continue;
+        }
+        // Check if it's already encoded
+        if (isInsideEncodingCall(expression, sourceCode, trustedLibraries)) {
+          continue;
+        }
+        // Check if it's a user input pattern
+        const userInputPatterns = [
+          /\breq\.(query|params|body|headers|cookies)/,
+          /\brequest\.(query|params|body)/,
+          /\buserInput\b/i,
+          /\binput\b/i,
+          /\bsearchParams\b/,
+          /\bparam\b/i, // Generic param variable
+        ];
+        // Check both the expression text and the full template literal
+        // This catches nested patterns like req.query.id
+        const fullText = sourceCode.getText(node);
+        const exprText = sourceCode.getText(expression);
+        const isUserInput = userInputPatterns.some(pattern => pattern.test(text)) ||
+                           userInputPatterns.some(pattern => pattern.test(fullText)) ||
+                           userInputPatterns.some(pattern => pattern.test(exprText)) ||
+                           // Also check for nested member expressions like req.query.id
+                           (expression.type === 'MemberExpression' &&
+                            userInputPatterns.some(pattern => {
+                              // Check the full expression including nested properties
+                              return pattern.test(exprText);
+                            }));
+        if (isUserInput) {
+          context.report({
+            node: expression,
+            messageId: 'unescapedUrlParameter',
+            data: {
+              parameter: text,
+              safeAlternative: `Use encodeURIComponent() or URLSearchParams: const url = \`https://example.com?q=\${encodeURIComponent(${text})}\`;`,
+            },
+            suggest: [
+              {
+                messageId: 'useEncodeURIComponent',
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                fix: (_fixer: TSESLint.RuleFixer) => null,
+              },
+              {
+                messageId: 'useURLSearchParams',
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                fix: (_fixer: TSESLint.RuleFixer) => null,
+              },
+            ],
+          });
+        }
+      }
+    }
+    function checkBinaryExpression(node: TSESTree.BinaryExpression) {
+      if (isTestFile) {
+        return;
+      }
+      // Check for string concatenation in URL construction
+      if (node.operator === '+') {
+        if (!isUrlConstruction(node, sourceCode)) {
+          return;
+        }
+        // Check right side (usually the parameter)
+        if (node.right.type !== 'Literal') {
+          const rightText = sourceCode.getText(node.right);
+          // Check if it matches any ignore pattern
+          if (matchesIgnorePattern(rightText, ignorePatterns)) {
+            return;
+          }
+          // Check if it's already encoded
+          if (isInsideEncodingCall(node.right, sourceCode, trustedLibraries)) {
+            return;
+          }
+          // Check if it's a user input pattern
+          const userInputPatterns = [
+            /\breq\.(query|params|body)/,
+            /\brequest\.(query|params|body)/,
+            /\buserInput\b/,
+            /\binput\b/,
+          ];
+          const isUserInput = userInputPatterns.some(pattern => pattern.test(rightText));
+          if (isUserInput) {
+            context.report({
+              node: node.right,
+              messageId: 'unescapedUrlParameter',
+              data: {
+                parameter: rightText,
+                safeAlternative: `Use encodeURIComponent(): ${sourceCode.getText(node.left)} + encodeURIComponent(${rightText})`,
+              },
+              suggest: [
+                {
+                  messageId: 'useEncodeURIComponent',
+                  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                  fix: (_fixer: TSESLint.RuleFixer) => null,
+                },
+              ],
+            });
+          }
+        }
+      }
+    }
+    function isUserControlled(node: TSESTree.Node, visited = new Set<string>()): boolean {
+      const text = sourceCode.getText(node);
+      const patterns = [
+        /\breq\.(query|params|body|headers|cookies)/,
+        /\brequest\.(query|params|body)/,
+        /\buserInput\b/i,
+        /\binput\b/i,
+        /\bsearchParams\b/,
+        /\bparam\b/i,
+        /\breturnUrl\b/i,
+        /\burl\b/i,
+        /\bredirect\b/i,
+        /\bnext\b/i,
+      ];
+      if (patterns.some(p => p.test(text))) return true;
+      // Trace identifiers
+      if (node.type === 'Identifier') {
+        if (visited.has(node.name)) return false;
+        visited.add(node.name);
+        const scope = sourceCode.getScope(node);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const variable = scope.variables.find((v: any) => v.name === node.name);
+        if (variable && variable.defs.length > 0) {
+          const def = variable.defs[0];
+          if (def.type === 'Variable' && def.node.init) {
+             const init = def.node.init;
+             // Check if init is constructed from other user inputs
+             if (isUserControlled(init, visited)) return true;
+             // Check if init is a TemplateLiteral containing user inputs in expressions
+             if (init.type === 'TemplateLiteral') {
+                 return init.expressions.some(expr => isUserControlled(expr, visited));
+             }
+             // Check if init is BinaryExpression (concatenation)
+             if (init.type === 'BinaryExpression') {
+                 return isUserControlled(init.left, visited) || isUserControlled(init.right, visited);
+             }
+          }
+        }
+      }
+      return false;
+    }
+    return {
+      TemplateLiteral: checkTemplateLiteral,
+      BinaryExpression: checkBinaryExpression,
+      AssignmentExpression(node: TSESTree.AssignmentExpression) {
+        if (isTestFile) return;
+        // Check for window.location = ... or window.location.href = ...
+        const left = node.left;
+        let isLocationAssignment = false;
+        if (left.type === 'MemberExpression') {
+             const objectName = left.object.type === 'Identifier' ? left.object.name :
+                              (left.object.type === 'MemberExpression' ? sourceCode.getText(left.object) : '');
+             const propName = left.property.type === 'Identifier' ? left.property.name : '';
+             if ((objectName === 'window' && propName === 'location') ||
+                 (propName === 'href' && objectName.includes('location'))) {
+                 isLocationAssignment = true;
+             }
+        } else if (left.type === 'Identifier' && left.name === 'location') {
+             // In browser location = ... is valid
+             isLocationAssignment = true;
+        }
+        if (isLocationAssignment) {
+            const right = node.right;
+            const rightText = sourceCode.getText(right);
+            // Skip TemplateLiteral and BinaryExpression as they are covered by their own visitors
+            if (right.type === 'TemplateLiteral' || right.type === 'BinaryExpression') {
+                return;
+            }
+            if (matchesIgnorePattern(rightText, ignorePatterns)) return;
+            if (isInsideEncodingCall(right, sourceCode, trustedLibraries)) return;
+             if (isUserControlled(right)) {
+                 context.report({
+                    node: right,
+                    messageId: 'unescapedUrlParameter',
+                    data: {
+                      parameter: rightText,
+                      safeAlternative: 'Validate and encode URL before redirecting',
+                    }
+                 });
+             }
+        }
+      }
+    };
+  },
+});

package/src/rules/no-unescaped-url-parameter/no-unescaped-url-parameter.test.ts ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * Comprehensive tests for no-unescaped-url-parameter rule
+ * CWE-79: Cross-site Scripting (XSS)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noUnescapedUrlParameter } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    parserOptions: {
+      ecmaFeatures: {
+        jsx: true,
+      },
+    },
+  },
+});
+describe('no-unescaped-url-parameter', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - escaped URL parameters', noUnescapedUrlParameter, {
+      valid: [
+        // Using encodeURIComponent
+        {
+          code: 'const url = `https://example.com?q=${encodeURIComponent(param)}`;',
+        },
+        {
+          code: 'const url = "https://example.com?q=" + encodeURIComponent(param);',
+        },
+        // Using URLSearchParams
+        {
+          code: 'const params = new URLSearchParams({ q: param }); const url = `https://example.com?${params}`;',
+        },
+        // Using encodeURI
+        {
+          code: 'const url = `https://example.com/${encodeURI(path)}`;',
+        },
+        // Test files (when allowInTests is true)
+        {
+          code: 'const url = `https://example.com?q=${param}`;',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+        // Ignored patterns
+        {
+          code: 'const url = `https://example.com?q=${safeParam}`;',
+          options: [{ ignorePatterns: ['safeParam'] }],
+        },
+        // Non-URL strings
+        {
+          code: 'const message = `Hello ${name}`;',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Template Literals', () => {
+    ruleTester.run('invalid - unescaped in template literal', noUnescapedUrlParameter, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = `https://example.com?q=${req.query.q}`;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+        {
+          code: 'const url = `https://example.com?search=${userInput}`;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+        {
+          code: 'const url = `https://example.com?id=${req.params.id}`;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - String Concatenation', () => {
+    ruleTester.run('invalid - unescaped in string concatenation', noUnescapedUrlParameter, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = "https://example.com?q=" + req.query.q;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+        {
+          code: 'const url = "https://example.com?search=" + userInput;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Options', () => {
+    ruleTester.run('options - allowInTests', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = `https://example.com?q=${param}`;',
+          filename: 'test.spec.ts',
+          options: [{ allowInTests: true }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'const url = `https://example.com?q=${param}`;',
+          filename: 'handler.ts',
+          options: [{ allowInTests: true }],
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('options - ignorePatterns with invalid regex', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = `https://example.com?q=${testParam}`;',
+          options: [{ ignorePatterns: ['['] }], // Invalid regex should be caught
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('options - trustedLibraries', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = `https://example.com?q=${myLib.encode(param)}`;',
+          options: [{ trustedLibraries: ['myLib'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Edge Cases', () => {
+    ruleTester.run('edge cases - non-URL template literals', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const message = `Hello ${name}`;',
+        },
+        {
+          code: 'const path = `/users/${id}`;',
+        },
+        {
+          code: 'const file = `./${filename}.txt`;',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - binary expression with literal', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = "https://example.com?q=" + "test";',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - already encoded in template', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = `https://example.com?q=${encodeURIComponent(req.query.q)}`;',
+        },
+        {
+          code: 'const url = `https://example.com?q=${encodeURI(path)}`;',
+        },
+        {
+          code: 'const url = `https://example.com?q=${escape(input)}`;',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - already encoded in binary', noUnescapedUrlParameter, {
+      valid: [
+        {
+          code: 'const url = "https://example.com?q=" + encodeURIComponent(req.query.q);',
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('edge cases - different URL patterns', noUnescapedUrlParameter, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = new URL(`https://example.com?q=${req.query.q}`);',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+        {
+          code: 'window.location.href = `https://example.com?q=${userInput}`;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+        {
+          code: 'window.open(`https://example.com?q=${input}`);',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('edge cases - searchParams pattern', noUnescapedUrlParameter, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const url = `https://example.com?q=${searchParams.get("id")}`;',
+          errors: [
+            {
+              messageId: 'unescapedUrlParameter',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});