npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-unsafe-deserialization/no-unsafe-deserialization.test.ts ADDED Viewed

@@ -0,0 +1,310 @@
+/**
+ * Comprehensive tests for no-unsafe-deserialization rule
+ * Security: CWE-502 (Unsafe Deserialization)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noUnsafeDeserialization } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-unsafe-deserialization', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - safe deserialization', noUnsafeDeserialization, {
+      valid: [
+        // Safe JSON parsing
+        {
+          code: 'const data = JSON.parse(input);',
+        },
+        // Safe YAML parsing
+        {
+          code: 'const yaml = require("js-yaml"); const data = yaml.safeLoad(input);',
+        },
+        // Safe libraries
+        {
+          code: 'const data = safeJsonParse(input);',
+        },
+        // Non-deserialization operations
+        {
+          code: 'const result = calculate(input);',
+        },
+        // Validated input
+        {
+          code: 'const cleanData = validateInput(req.body); const obj = JSON.parse(cleanData);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Dangerous eval() Usage', () => {
+    ruleTester.run('invalid - dangerous eval usage', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+      ],
+    });
+  });
+  describe('Invalid Code - Dangerous Function Constructor', () => {
+    ruleTester.run('invalid - dangerous Function constructor', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const func = new Function(req.body.input);',
+          errors: [{ messageId: 'dangerousFunctionConstructor' }],
+        },
+        {
+          code: 'const func = Function("a", "b", req.query.code);',
+          errors: [{ messageId: 'dangerousFunctionConstructor' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Unsafe YAML Parsing', () => {
+    ruleTester.run('invalid - unsafe YAML parsing', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const yaml = require("yaml"); const obj = yaml.parse(userInput);',
+          errors: [{ messageId: 'unsafeDeserialization' }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Dangerous Libraries', () => {
+    ruleTester.run('invalid - dangerous deserialization libraries', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const serialize = require("node-serialize"); serialize.unserialize(userInput);',
+          errors: [
+            { messageId: 'unsafeDeserialization' },
+          ],
+        },
+        // Test custom alias to verify VariableDeclaration tracking works where CallExpression might fail
+        // (If unserialize is strictly standard name)
+        {
+          code: 'const myLib = require("node-serialize"); myLib.unserialize(userInput);',
+          errors: [
+            { messageId: 'unsafeDeserialization' },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Advanced Data Flow Coverage', () => {
+    ruleTester.run('coverage - tracking untrusted sources', noUnsafeDeserialization, {
+      valid: [
+        // Validated variable
+        {
+          code: `
+            const input = req.body;
+            const safe = validateInput(input);
+            const obj = JSON.parse(safe);
+          `,
+          options: [{ validationFunctions: ['validateInput'] }],
+        },
+      ],
+      invalid: [
+        // fs.readFileSync source
+        {
+          code: `
+            const fs = require('fs');
+            const data = fs.readFileSync('data.json');
+            // data is marked untrusted by VariableDeclaration visitor
+            eval(data);
+          `,
+          errors: [{
+            messageId: 'dangerousEvalUsage',
+            suggestions: [{
+              messageId: 'useSafeDeserializer',
+              output: `
+            const fs = require('fs');
+            const data = fs.readFileSync('data.json');
+            // data is marked untrusted by VariableDeclaration visitor
+            JSON.parse(data);
+          `
+            }]
+          }],
+        },
+        // Function parameter untrusted
+        {
+          code: `
+            function process(input) {
+              eval(input);
+            }
+          `,
+          errors: [{
+            messageId: 'dangerousEvalUsage',
+            suggestions: [{
+              messageId: 'useSafeDeserializer',
+              output: `
+            function process(input) {
+              JSON.parse(input);
+            }
+          `
+            }]
+          }],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Untrusted Input', () => {
+    ruleTester.run('invalid - untrusted deserialization input', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const yaml = require("js-yaml"); const obj = yaml.safeLoad(req.query.data);',
+          errors: [
+            {
+              messageId: 'untrustedDeserializationInput',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noUnsafeDeserialization, {
+      valid: [
+        // Safe annotations
+        {
+          code: `
+            /** @safe */
+            function test() {
+              const obj = eval(userInput);
+            }
+          `,
+        },
+        // Validated inputs
+        {
+          code: `
+            const cleanInput = validateInput(req.body);
+            const data = JSON.parse(cleanInput);
+          `,
+        },
+        // Sanitized inputs
+        {
+          code: `
+            const safeData = sanitizeInput(req.body.data);
+            const yaml = require("js-yaml");
+            const obj = yaml.safeLoad(safeData);
+          `,
+          options: [{ validationFunctions: ['sanitizeInput'] }],
+        },
+        // Internal/trusted data
+        {
+          code: 'const config = JSON.parse(fs.readFileSync("config.json", "utf8"));',
+        },
+        // Safe eval usage (though still generally discouraged)
+        {
+          code: `
+            const safeCode = "console.log('hello')";
+            eval(safeCode);
+          `,
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - custom dangerous functions', noUnsafeDeserialization, {
+      valid: [
+        {
+          code: 'const data = customDeserialize(value);',
+          options: [{ dangerousFunctions: ['customDeserialize'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'const data = customDeserialize(req.body);',
+          options: [{ dangerousFunctions: ['customDeserialize'] }],
+          errors: [
+            {
+              messageId: 'unsafeDeserialization',
+            },
+          ],
+        },
+      ],
+    });
+    ruleTester.run('config - custom validation functions', noUnsafeDeserialization, {
+      valid: [
+        {
+          code: 'const clean = myValidator(req.body); const data = JSON.parse(clean);',
+          options: [{ validationFunctions: ['myValidator'] }],
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Complex Deserialization Attack Scenarios', () => {
+    ruleTester.run('complex - real-world deserialization patterns', noUnsafeDeserialization, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            // Node-serialize vulnerability
+            const serialize = require('node-serialize');
+            const app = express();
+            app.post('/deserialize', (req, res) => {
+              // DANGEROUS: Unserializing user input
+              const userData = req.body.data;
+              const obj = serialize.unserialize(userData);
+              res.json(obj);
+            });
+          `,
+          errors: [
+            {
+              messageId: 'unsafeDeserialization',
+            },
+            {
+              messageId: 'unsafeDeserialization',
+            },
+          ],
+        },
+        {
+          code: `
+            // YAML code execution vulnerability
+            const yaml = require('js-yaml');
+            function parseYamlConfig(yamlString) {
+              // DANGEROUS: Using unsafe YAML load
+              return yaml.load(yamlString);
+            }
+          `,
+          errors: [
+            {
+              messageId: 'unsafeDeserialization',
+            },
+            {
+              messageId: 'unsafeYamlParsing',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/no-unsafe-dynamic-require/index.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * ESLint Rule: no-unsafe-dynamic-require
+ * Detects dynamic require() calls that could lead to code injection
+ */
+import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
+import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import { createRule } from '@interlace/eslint-devkit';
+type MessageIds = 'unsafeDynamicRequire';
+export interface Options {
+  /** Allow dynamic import() expressions. Default: false (stricter) */
+  allowDynamicImport?: boolean;
+}
+type RuleOptions = [Options?];
+export const noUnsafeDynamicRequire = createRule<RuleOptions, MessageIds>({
+  name: 'no-unsafe-dynamic-require',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Prevent unsafe dynamic require() calls that could enable code injection',
+    },
+    fixable: 'code',
+    hasSuggestions: false,
+    messages: {
+      unsafeDynamicRequire: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Dynamic require()',
+        cwe: 'CWE-95',
+        description: 'Dynamic require() detected',
+        severity: 'CRITICAL',
+        fix: 'Use allowlist: const ALLOWED = ["mod1", "mod2"]; if (!ALLOWED.includes(name)) throw Error("Not allowed")',
+        documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+      }),
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          allowDynamicImport: {
+            type: 'boolean',
+            default: false,
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  defaultOptions: [
+    {
+      allowDynamicImport: false,
+    },
+  ],
+  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
+    /**
+     * Track variables that reference require
+     * Maps variable name to the node where it was assigned
+     */
+    const requireVariables = new Set<string>();
+    /**
+     * Check if a node is a reference to require
+     */
+    const isRequireReference = (node: TSESTree.Node): boolean => {
+      if (node.type === 'Identifier' && node.name === 'require') {
+        return true;
+      }
+      if (node.type === 'Identifier' && requireVariables.has(node.name)) {
+        return true;
+      }
+      return false;
+    };
+    /**
+     * Check if argument is dynamic (not a literal)
+     */
+    const isDynamicArgument = (arg: TSESTree.Expression | TSESTree.SpreadElement): boolean => {
+      if (arg.type === 'Literal') return false;
+      if (arg.type === 'TemplateLiteral' && arg.expressions.length === 0) return false;
+      return true;
+    };
+    return {
+      VariableDeclarator(node: TSESTree.VariableDeclarator) {
+        // Track when require is assigned to a variable
+        if (node.id.type === 'Identifier' && node.init) {
+          if (node.init.type === 'Identifier' && node.init.name === 'require') {
+            requireVariables.add(node.id.name);
+          }
+        }
+      },
+      CallExpression(node: TSESTree.CallExpression) {
+        // Check for require() calls (direct or via variable)
+        if (node.callee.type !== 'Identifier') {
+          return;
+        }
+        // Check if callee is require or a variable that references require
+        if (!isRequireReference(node.callee)) {
+          return;
+        }
+        // Must have at least one argument
+        if (node.arguments.length === 0) return;
+        const firstArg = node.arguments[0];
+        if (firstArg.type === 'SpreadElement') return;
+        // Check if dynamic
+        if (!isDynamicArgument(firstArg)) return;
+        context.report({
+          node,
+          messageId: 'unsafeDynamicRequire',
+        });
+      },
+    };
+  },
+});

package/src/rules/no-unsafe-dynamic-require/no-unsafe-dynamic-require.test.ts ADDED Viewed

@@ -0,0 +1,151 @@
+/**
+ * Comprehensive tests for no-unsafe-dynamic-require rule
+ * Security: CWE-95 (Code Injection)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noUnsafeDynamicRequire } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-unsafe-dynamic-require', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - static require', noUnsafeDynamicRequire, {
+      valid: [
+        // Static require with string literal
+        {
+          code: 'const fs = require("fs");',
+        },
+        {
+          code: 'const path = require("path");',
+        },
+        {
+          code: 'const module = require("./local-module");',
+        },
+        // Template literal with no expressions
+        {
+          code: 'const fs = require(`fs`);',
+        },
+        {
+          code: 'const path = require(`./utils/path`);',
+        },
+        // Not a require call
+        {
+          code: 'const result = myFunction(moduleName);',
+        },
+        {
+          code: 'const obj = { require: () => {} }; obj.require(name);',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Dynamic Require', () => {
+    ruleTester.run('invalid - dynamic require calls', noUnsafeDynamicRequire, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const module = require(moduleName);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: 'const mod = require(userInput);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: 'require(`./modules/${moduleName}`);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: 'require(`./${dir}/${file}`);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: `
+            const moduleName = getUserInput();
+            const mod = require(moduleName);
+          `,
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: 'const mod = require(config.moduleName);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+      ],
+    });
+  });
+  describe('Suggestions', () => {
+    ruleTester.run('suggestions for fixes', noUnsafeDynamicRequire, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const mod = require(moduleName);',
+          errors: [
+            {
+              messageId: 'unsafeDynamicRequire',
+              // Note: Rule may not provide suggestions in all cases
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Edge Cases', () => {
+    ruleTester.run('edge cases', noUnsafeDynamicRequire, {
+      valid: [
+        // Empty require (should not trigger)
+        {
+          code: 'require();',
+        },
+        // Spread element (should not trigger)
+        {
+          code: 'require(...args);',
+        },
+      ],
+      invalid: [
+        {
+          code: '(require)(moduleName);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+        {
+          code: 'const req = require; req(moduleName);',
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+      ],
+    });
+  });
+  describe('Options - allowDynamicImport', () => {
+    ruleTester.run('allowDynamicImport option', noUnsafeDynamicRequire, {
+      valid: [
+        // Note: This option is for import(), not require()
+        // So require() should still be flagged even with this option
+      ],
+      invalid: [
+        {
+          code: 'const mod = require(moduleName);',
+          options: [{ allowDynamicImport: true }],
+          errors: [{ messageId: 'unsafeDynamicRequire' }],
+        },
+      ],
+    });
+  });
+});