npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-zip-slip/no-zip-slip.test.ts ADDED Viewed

@@ -0,0 +1,305 @@
+/**
+ * Comprehensive tests for no-zip-slip rule
+ * Security: CWE-22 (Path Traversal/Zip Slip)
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { describe, it, afterAll } from 'vitest';
+import parser from '@typescript-eslint/parser';
+import { noZipSlip } from './index';
+// Configure RuleTester for Vitest
+RuleTester.afterAll = afterAll;
+RuleTester.it = it;
+RuleTester.itOnly = it.only;
+RuleTester.describe = describe;
+// Use Flat Config format (ESLint 9+)
+const ruleTester = new RuleTester({
+  languageOptions: {
+    parser,
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+describe('no-zip-slip', () => {
+  describe('Valid Code', () => {
+    ruleTester.run('valid - safe archive operations', noZipSlip, {
+      valid: [
+        // Safe archive extraction with validation
+        {
+          code: 'const safeExtract = require("safe-archive-extract"); safeExtract(file, dest);',
+        },
+        // Validated paths
+        {
+          code: 'const safePath = validatePath(entry.name); fs.writeFileSync(path.join(dest, safePath), data);',
+        },
+        // Safe libraries
+        {
+          code: 'const yauzl = require("yauzl"); yauzl.open(zipFile, callback);',
+        },
+        // Non-archive operations
+        {
+          code: 'const data = fs.readFileSync(filePath);',
+        },
+        // Safe file paths
+        {
+          code: 'const filePath = "safe-file.txt";',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Invalid Code - Unsafe Archive Extraction', () => {
+    ruleTester.run('invalid - unsafe archive extraction', noZipSlip, {
+      valid: [],
+      invalid: [
+        {
+          code: 'archive.unzip(dest);',
+          errors: [
+            {
+              messageId: 'unsafeArchiveExtraction',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Path Traversal', () => {
+    ruleTester.run('invalid - path traversal in archives', noZipSlip, {
+      valid: [],
+      invalid: [
+        {
+          code: 'const maliciousPath = "../../../etc/passwd";',
+          errors: [
+            {
+              messageId: 'pathTraversalInArchive',
+            },
+          ],
+        },
+        {
+          code: 'const zipEntry = "../config.json";',
+          errors: [
+            {
+              messageId: 'pathTraversalInArchive',
+            },
+          ],
+        },
+        {
+          code: 'const entry = "subdir/../../../root/.ssh/id_rsa";',
+          errors: [
+            {
+              messageId: 'pathTraversalInArchive',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Unvalidated Archive Paths', () => {
+    ruleTester.run('invalid - unvalidated archive entry usage', noZipSlip, {
+      valid: [],
+      invalid: [
+        {
+          code: 'fs.writeFileSync(path.join(dest, entry.name), data);',
+          errors: [
+            {
+              messageId: 'unvalidatedArchivePath',
+            },
+          ],
+        },
+        {
+          code: 'const filePath = path.resolve(destDir, entry.path);',
+          errors: [
+            {
+              messageId: 'unvalidatedArchivePath',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Invalid Code - Dangerous Destinations', () => {
+    ruleTester.run('invalid - dangerous extraction destinations', noZipSlip, {
+      valid: [],
+      invalid: [
+        {
+          code: 'unzip(zipFile, "/root/backups");',
+          errors: [
+            {
+              messageId: 'dangerousArchiveDestination',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Valid Code - False Positives Reduced', () => {
+    ruleTester.run('valid - false positives reduced', noZipSlip, {
+      valid: [
+        // Safe annotations
+        {
+          code: `
+            /** @safe */
+            const AdmZip = require("adm-zip");
+            const zip = new AdmZip(file);
+            zip.extractAllTo(dest);
+          `,
+        },
+        // Validated paths
+        {
+          code: `
+            const safeName = validatePath(entry.name);
+            fs.writeFileSync(path.join(dest, safeName), data);
+          `,
+        },
+        // Sanitized paths
+        {
+          code: `
+            const cleanPath = sanitizePath(file.name);
+            const outputPath = path.join(destDir, cleanPath);
+            fs.writeFileSync(outputPath, content);
+          `,
+        },
+        // Safe destinations
+        {
+          code: 'zip.extractAllTo("./uploads/extracted");',
+        },
+        // Internal operations
+        {
+          code: 'const configPath = "./config/backup.zip";',
+        },
+      ],
+      invalid: [],
+    });
+  });
+  describe('Configuration Options', () => {
+    ruleTester.run('config - custom archive functions', noZipSlip, {
+      valid: [
+        {
+          code: 'myExtractor.extract(zipFile, dest);',
+          options: [{ archiveFunctions: ['myExtractor.extract'] }],
+        },
+      ],
+      invalid: [],
+    });
+    ruleTester.run('config - custom safe libraries', noZipSlip, {
+      valid: [
+        {
+          code: 'mySafeLib.extract(file, dest);',
+          options: [{ safeLibraries: ['mySafeLib'] }],
+        },
+      ],
+      invalid: [
+        {
+          code: 'unsafeLib.extract(file, dest);',
+          options: [{ safeLibraries: ['mySafeLib'] }],
+          errors: [
+            {
+              messageId: 'unsafeArchiveExtraction',
+            },
+          ],
+        },
+      ],
+    });
+  });
+  describe('Complex Zip Slip Attack Scenarios', () => {
+    ruleTester.run('complex - real-world zip slip patterns', noZipSlip, {
+      valid: [],
+      invalid: [
+        {
+          code: `
+            function extractZip(zipFile, destDir) {
+              // DANGEROUS: Manual extraction without path validation
+              const zip = new AdmZip(zipFile);
+              zip.getEntries().forEach(entry => {
+                const filePath = path.join(destDir, entry.entryName); // No validation!
+                if (!entry.isDirectory) {
+                  fs.writeFileSync(filePath, zip.readFile(entry));
+                }
+              });
+            }
+          `,
+          errors: [
+            {
+              messageId: 'unvalidatedArchivePath',
+            },
+          ],
+        },
+        {
+          code: `
+            // Zip slip with directory traversal
+            const maliciousZip = Buffer.from([
+              // ZIP file with entry named "../../../etc/passwd"
+            ]);
+            const zip = new AdmZip(maliciousZip);
+            zip.extractAllTo('/tmp/extracted'); // This could overwrite /etc/passwd
+          `,
+          errors: [
+            {
+              messageId: 'unsafeArchiveExtraction',
+            },
+            {
+              messageId: 'dangerousArchiveDestination',
+            },
+          ],
+        },
+        {
+          code: `
+            const yauzl = require('yauzl');
+            function extractWithYauzl(zipPath, extractTo) {
+              yauzl.open(zipPath, { lazyEntries: true }, (err, zipfile) => {
+                zipfile.readEntry();
+                zipfile.on('entry', (entry) => {
+                  // DANGEROUS: No path validation
+                  const outputPath = path.join(extractTo, entry.fileName);
+                  if (entry.fileName.endsWith('/')) {
+                    fs.mkdirSync(outputPath);
+                  } else {
+                    zipfile.openReadStream(entry, (err, readStream) => {
+                      const writeStream = fs.createWriteStream(outputPath); // Could write anywhere!
+                      readStream.pipe(writeStream);
+                    });
+                  }
+                  zipfile.readEntry();
+                });
+              });
+            }
+          `,
+          errors: [
+            {
+              messageId: 'unvalidatedArchivePath',
+            },
+          ],
+        },
+        {
+          code: `
+            // Windows zip slip
+            const entry = {
+              fileName: "..\\..\\..\\..\\..\\..\\Windows\\System32\\config\\SAM"
+            };
+            const safePath = path.join(extractDir, entry.fileName); // Still dangerous on Windows
+            fs.writeFileSync(safePath, data);
+          `,
+          errors: [
+            {
+              messageId: 'unvalidatedArchivePath',
+            },
+          ],
+        },
+      ],
+    });
+  });
+});

package/src/rules/require-backend-authorization/index.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * @fileoverview Require server-side authorization checks
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const requireBackendAuthorization = createRule<RuleOptions, MessageIds>({
+  name: 'require-backend-authorization',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Require server-side authorization checks',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Client-Side Authorization',
+        cwe: 'CWE-602',
+        description: 'Authorization logic in client code - easily bypassed',
+        severity: 'CRITICAL',
+        fix: 'Move authorization checks to server-side API endpoints',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/602.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    const authProperties = ['role', 'isAdmin', 'isAuthenticated', 'permissions', 'admin'];
+    return {
+      IfStatement(node: TSESTree.IfStatement) {
+        // Detect role-based access in client-side if statements
+        if (node.test.type === 'BinaryExpression') {
+          const checkMember = (expr: TSESTree.Expression) => {
+            if (expr.type === 'MemberExpression' &&
+                expr.property.type === 'Identifier' &&
+                authProperties.includes(expr.property.name)) {
+              return true;
+            }
+            return false;
+          };
+          if (checkMember(node.test.left as TSESTree.Expression) ||
+              checkMember(node.test.right as TSESTree.Expression)) {
+            report(node);
+          }
+        }
+        // Check for user.role or user.isAdmin access
+        if (node.test.type === 'MemberExpression' &&
+            node.test.property.type === 'Identifier' &&
+            authProperties.includes(node.test.property.name)) {
+          report(node);
+        }
+      },
+    };
+  },
+});

package/src/rules/require-backend-authorization/require-backend-authorization.test.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * @fileoverview Tests for require-backend-authorization
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { requireBackendAuthorization } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('require-backend-authorization', requireBackendAuthorization, {
+  valid: [
+    // Server-side checks
+    { code: "const response = await api.checkPermission(userId, resource)" },
+    { code: "if (isEnabled) { showFeature() }" },
+    // Non-auth checks
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Client-side role checks
+    { code: "if (user.role === 'admin') { showAdmin() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (user.isAdmin) { deleteUser() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (currentUser.permissions === 'write') { save() }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "if (account.admin === true) { proceed() }", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/require-code-minification/index.ts ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * @fileoverview Require minification configuration
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/656.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const requireCodeMinification = createRule<RuleOptions, MessageIds>({
+  name: 'require-code-minification',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Require minification configuration',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M7'],
+      cweIds: ["CWE-656"],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'violation Detected',
+        cwe: 'CWE-656',
+        description: 'Require minification configuration detected - Build config without minification',
+        severity: 'LOW',
+        fix: 'Review and apply secure practices',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/656.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      Property(node: TSESTree.Property) {
+        if (node.key.type === 'Identifier' &&
+            node.key.name === 'minimize' &&
+            node.value.type === 'Literal' &&
+            node.value.value === false) {
+          context.report({ node, messageId: 'violationDetected' });
+        }
+      },
+    };
+  },
+});

package/src/rules/require-code-minification/require-code-minification.test.ts ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * @fileoverview Tests for require-code-minification
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { requireCodeMinification } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('require-code-minification', requireCodeMinification, {
+  valid: [
+    // Minification enabled
+    { code: "const config = { minimize: true }" },
+    { code: "module.exports = { optimization: { minimize: true } }" },
+    // Non-minification config
+    { code: "const x = 1" },
+    { code: "const config = { debug: false }" },
+  ],
+  invalid: [
+    // Minification disabled
+    { code: "const config = { minimize: false }", errors: [{ messageId: 'violationDetected' }] },
+    { code: "module.exports = { optimization: { minimize: false } }", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/require-csp-headers/index.ts ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * @fileoverview Require Content Security Policy
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const requireCspHeaders = createRule<RuleOptions, MessageIds>({
+  name: 'require-csp-headers',
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Require Content Security Policy headers',
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'Missing CSP',
+        cwe: 'CWE-1021',
+        description: 'HTML response without Content-Security-Policy header',
+        severity: 'MEDIUM',
+        fix: 'Use helmet.contentSecurityPolicy() or set CSP header manually',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/1021.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        // Detect res.send(html) with HTML content without CSP
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.property.type === 'Identifier' &&
+            node.callee.property.name === 'send') {
+          const arg = node.arguments[0];
+          // Check if sending HTML string
+          if (arg && arg.type === 'TemplateLiteral') {
+            const quasi = arg.quasis[0]?.value?.raw || '';
+            if (quasi.includes('<html') || quasi.includes('<!DOCTYPE')) {
+              report(node);
+            }
+          }
+          if (arg && arg.type === 'Literal' && typeof arg.value === 'string') {
+            if (arg.value.includes('<html') || arg.value.includes('<!DOCTYPE')) {
+              report(node);
+            }
+          }
+        }
+        // Detect res.render() without CSP middleware
+        if (node.callee.type === 'MemberExpression' &&
+            node.callee.property.type === 'Identifier' &&
+            node.callee.property.name === 'render') {
+          // This is a heuristic - flag render calls as a reminder
+          // In real projects, you'd check for helmet middleware
+          report(node);
+        }
+      },
+    };
+  },
+});

package/src/rules/require-csp-headers/require-csp-headers.test.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * @fileoverview Tests for require-csp-headers
+ */
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { requireCspHeaders } from './index';
+const ruleTester = new RuleTester({
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+ruleTester.run('require-csp-headers', requireCspHeaders, {
+  valid: [
+    // JSON responses don't need CSP
+    { code: "res.send({ data: 'json' })" },
+    { code: "res.json({ status: 'ok' })" },
+    // Non-HTML strings
+    { code: "res.send('Hello World')" },
+    { code: "const x = 1" },
+  ],
+  invalid: [
+    // Sending HTML without CSP
+    { code: "res.send('<html><body>Hello</body></html>')", errors: [{ messageId: 'violationDetected' }] },
+    { code: "res.send('<!DOCTYPE html><html></html>')", errors: [{ messageId: 'violationDetected' }] },
+    { code: "res.send(`<html>${content}</html>`)", errors: [{ messageId: 'violationDetected' }] },
+    // Render calls need CSP
+    { code: "res.render('index')", errors: [{ messageId: 'violationDetected' }] },
+    { code: "res.render('template', { data })", errors: [{ messageId: 'violationDetected' }] },
+  ],
+});

package/src/rules/require-data-minimization/index.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * @fileoverview Identify excessive data collection
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/213.html
+ */
+import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
+import type { TSESTree } from '@interlace/eslint-devkit';
+type MessageIds = 'violationDetected';
+// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
+export interface Options {}
+type RuleOptions = [Options?];
+export const requireDataMinimization = createRule<RuleOptions, MessageIds>({
+  name: 'require-data-minimization',
+  meta: {
+    type: 'suggestion',
+    docs: {
+      description: 'Identify excessive data collection patterns',
+      category: 'Security',
+      recommended: true,
+      owaspMobile: ['M6'],
+      cweIds: ['CWE-213'],
+    },
+    messages: {
+      violationDetected: formatLLMMessage({
+        icon: MessageIcons.SECURITY,
+        issueName: 'violation Detected',
+        cwe: 'CWE-213',
+        description: 'Excessive data collection detected - only collect data that is necessary',
+        severity: 'MEDIUM',
+        fix: 'Review and apply secure practices',
+        documentationLink: 'https://cwe.mitre.org/data/definitions/213.html',
+      })
+    },
+    schema: [],
+  },
+  defaultOptions: [],
+  create(context) {
+    function report(node: TSESTree.Node) {
+      context.report({ node, messageId: 'violationDetected' });
+    }
+    return {
+      ObjectExpression(node: TSESTree.ObjectExpression) {
+        // Flag objects with >10 properties being collected
+        if (node.properties.length > 10) {
+          // Check if this looks like user data collection
+          const hasUserData = node.properties.some(p =>
+            p.type === 'Property' &&
+            ['email', 'name', 'phone', 'address'].includes(p.key.name)
+          );
+          if (hasUserData) {
+            report(node);
+          }
+        }
+      },
+    };
+  },
+});