eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/detect-object-injection/index.js

@@ -1,560 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectObjectInjection = void 0;
-/**
- * ESLint Rule: detect-object-injection
- * Detects variable[key] as a left- or right-hand assignment operand (prototype pollution)
- * LLM-optimized with comprehensive object injection prevention guidance
- *
- * Type-Aware Enhancement:
- * This rule uses TypeScript type information when available to reduce false positives.
- * If a property key is constrained to a union of string literals (e.g., 'name' | 'email'),
- * the access is considered safe because the values are statically known at compile time.
- *
- * @see https://portswigger.net/web-security/prototype-pollution
- * @see https://cwe.mitre.org/data/definitions/915.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-const OBJECT_INJECTION_PATTERNS = [
-    {
-        pattern: '__proto__',
-        dangerous: true,
-        vulnerability: 'prototype-pollution',
-        safeAlternative: 'Object.create(null) or Map',
-        example: {
-            bad: 'obj[userInput] = value; // if userInput is "__proto__"',
-            good: 'const map = new Map(); map.set(userInput, value);'
-        },
-        effort: '15-20 minutes',
-        riskLevel: 'critical'
-    },
-    {
-        pattern: 'prototype',
-        dangerous: true,
-        vulnerability: 'prototype-pollution',
-        safeAlternative: 'Avoid prototype manipulation',
-        example: {
-            bad: 'obj[userInput] = value; // if userInput is "prototype"',
-            good: 'if (!obj.hasOwnProperty(userInput)) obj[userInput] = value;'
-        },
-        effort: '10-15 minutes',
-        riskLevel: 'high'
-    },
-    {
-        pattern: 'constructor',
-        dangerous: true,
-        vulnerability: 'method-injection',
-        safeAlternative: 'Validate property names against whitelist',
-        example: {
-            bad: 'obj[userInput] = value; // if userInput is "constructor"',
-            good: 'const ALLOWED_KEYS = [\'name\', \'age\', \'email\']; if (ALLOWED_KEYS.includes(userInput)) obj[userInput] = value;'
-        },
-        effort: '10-15 minutes',
-        riskLevel: 'medium'
-    }
-];
-exports.detectObjectInjection = (0, eslint_devkit_3.createRule)({
-    name: 'detect-object-injection',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects variable[key] as a left- or right-hand assignment operand',
-        },
-        messages: {
-            // 🎯 Token optimization: 37% reduction (54→34 tokens) - removes verbose current/fix/doc labels
-            objectInjection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.WARNING,
-                issueName: 'Object injection',
-                cwe: 'CWE-915',
-                description: 'Object injection/Prototype pollution (incl. model/tool outputs)',
-                severity: '{{riskLevel}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://portswigger.net/web-security/prototype-pollution',
-            }),
-            useMapInstead: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Map',
-                description: 'Use Map instead of plain objects',
-                severity: 'LOW',
-                fix: 'const map = new Map(); map.set(key, value);',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map',
-            }),
-            useHasOwnProperty: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use hasOwnProperty',
-                description: 'Check hasOwnProperty to avoid prototype properties',
-                severity: 'LOW',
-                fix: 'if (obj.hasOwnProperty(key)) { obj[key] = value; }',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty',
-            }),
-            whitelistKeys: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Whitelist Keys',
-                description: 'Whitelist allowed property names',
-                severity: 'LOW',
-                fix: 'const ALLOWED = ["name", "email"]; if (ALLOWED.includes(key)) obj[key] = value; // reject model/tool-supplied unknown keys',
-                documentationLink: 'https://portswigger.net/web-security/prototype-pollution',
-            }),
-            useObjectCreate: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Object.create(null)',
-                description: 'Create clean objects without prototypes',
-                severity: 'LOW',
-                fix: 'const obj = Object.create(null);',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create',
-            }),
-            freezePrototypes: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Freeze Prototypes',
-                description: 'Freeze Object.prototype to prevent pollution',
-                severity: 'LOW',
-                fix: 'Object.freeze(Object.prototype);',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze',
-            }),
-            strategyValidate: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Validate Input',
-                description: 'Add input validation before property access',
-                severity: 'LOW',
-                fix: 'Validate key against allowed values before access',
-                documentationLink: 'https://portswigger.net/web-security/prototype-pollution',
-            }),
-            strategyWhitelist: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Whitelist Properties',
-                description: 'Whitelist allowed property names only',
-                severity: 'LOW',
-                fix: 'Define allowed keys and validate against them',
-                documentationLink: 'https://portswigger.net/web-security/prototype-pollution',
-            }),
-            strategyFreeze: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Freeze Prototypes',
-                description: 'Freeze prototypes to prevent pollution',
-                severity: 'LOW',
-                fix: 'Object.freeze(Object.prototype) at app startup',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowLiterals: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow bracket notation with literal strings'
-                    },
-                    additionalMethods: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional object methods to check for injection'
-                    },
-                    dangerousProperties: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['__proto__', 'prototype', 'constructor'],
-                        description: 'Properties to consider dangerous'
-                    },
-                    strategy: {
-                        type: 'string',
-                        enum: ['validate', 'whitelist', 'freeze', 'auto'],
-                        default: 'auto',
-                        description: 'Strategy for fixing object injection (auto = smart detection)'
-                    }
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowLiterals: false,
-            additionalMethods: [],
-            dangerousProperties: ['__proto__', 'prototype', 'constructor'],
-            strategy: 'auto'
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { allowLiterals = false, dangerousProperties = ['__proto__', 'prototype', 'constructor'], } = options || {};
-        // Track MemberExpressions that are part of AssignmentExpressions to avoid double-reporting
-        const handledMemberExpressions = new WeakSet();
-        // Check if TypeScript parser services are available for type-aware checking
-        const hasTypeInfo = (0, eslint_devkit_2.hasParserServices)(context);
-        const parserServices = hasTypeInfo ? (0, eslint_devkit_2.getParserServices)(context) : null;
-        /**
-         * Check if a node is a literal string (potentially safe)
-         */
-        const isLiteralString = (node) => {
-            return node.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof node.value === 'string';
-        };
-        /**
-         * Check if a property is part of a typed union (safe access)
-         *
-         * Type-Aware Enhancement:
-         * When TypeScript parser services are available, we can check if a variable
-         * is typed as a union of string literals (e.g., 'name' | 'email').
-         * Such accesses are safe because the values are statically constrained.
-         *
-         * @example
-         * // This is now detected as SAFE (no false positive):
-         * const key: 'name' | 'email' = getKey();
-         * obj[key] = value;
-         *
-         * // This is still detected as DANGEROUS:
-         * const key: string = getUserInput();
-         * obj[key] = value;
-         */
-        const isTypedUnionAccess = (propertyNode) => {
-            // Check if property is a literal string (typed access like obj['name'])
-            if (isLiteralString(propertyNode)) {
-                return true; // Literal strings are safe - they're typed at compile time
-            }
-            // Type-aware check: If we have TypeScript type information, check if the
-            // property key is constrained to a union of safe string literals
-            /* c8 ignore start -- TypeScript parser services often unavailable in RuleTester */
-            if (parserServices && propertyNode.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                try {
-                    const type = (0, eslint_devkit_2.getTypeOfNode)(propertyNode, parserServices);
-                    // Check if the type is a union of safe string literals
-                    // (excludes '__proto__', 'prototype', 'constructor')
-                    if ((0, eslint_devkit_2.isUnionOfSafeStringLiterals)(type, dangerousProperties)) {
-                        return true; // Safe - statically constrained to safe values
-                    }
-                    // Also check for single string literal type (e.g., const key: 'name' = ...)
-                    const literalValues = (0, eslint_devkit_2.getStringLiteralValues)(type);
-                    if (literalValues && literalValues.length === 1) {
-                        // Single literal - safe if not dangerous
-                        if (!dangerousProperties.includes(literalValues[0])) {
-                            return true;
-                        }
-                    }
-                }
-                catch {
-                    // If type checking fails, fall back to treating as potentially dangerous
-                    // This can happen with malformed AST or missing type information
-                }
-            }
-            /* c8 ignore stop */
-            // Without type information, treat all identifiers as potentially dangerous
-            return false;
-        };
-        /**
-         * Check if the property key has been validated before use.
-         *
-         * Detects patterns like:
-         * - if (ARRAY.includes(key)) { obj[key] = value; }
-         * - if (Object.prototype.hasOwnProperty.call(obj, key)) { return obj[key]; }
-         * - if (Object.hasOwn(obj, key)) { return obj[key]; }
-         *
-         * @param propertyNode - The property node (key in obj[key])
-         * @param node - The current node being checked
-         * @returns true if the key has been validated, false otherwise
-         */
-        const hasPrecedingValidation = (propertyNode, node) => {
-            // Only check for identifier keys (obj[key] where key is a variable)
-            if (propertyNode.type !== eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                return false;
-            }
-            const keyName = propertyNode.name;
-            // AST-based validation detection (faster than getText + regex)
-            const isIncludesCall = (testNode) => {
-                // Pattern: ARRAY.includes(keyName)
-                if (testNode.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    testNode.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    testNode.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    testNode.callee.property.name === 'includes' &&
-                    testNode.arguments.length > 0 &&
-                    testNode.arguments[0].type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    testNode.arguments[0].name === keyName) {
-                    return true;
-                }
-                // Handle negation: !ARRAY.includes(key)
-                if (testNode.type === eslint_devkit_1.AST_NODE_TYPES.UnaryExpression &&
-                    testNode.operator === '!' &&
-                    testNode.argument.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                    return isIncludesCall(testNode.argument);
-                }
-                return false;
-            };
-            const isHasOwnPropertyCall = (testNode) => {
-                // Pattern: Object.prototype.hasOwnProperty.call(obj, key) OR obj.hasOwnProperty(key) OR Object.hasOwn(obj, key)
-                if (testNode.type !== eslint_devkit_1.AST_NODE_TYPES.CallExpression)
-                    return false;
-                const callee = testNode.callee;
-                const args = testNode.arguments;
-                // Object.prototype.hasOwnProperty.call(obj, key)
-                if (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    callee.property.name === 'call' &&
-                    args.length >= 2 &&
-                    args[1].type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    args[1].name === keyName) {
-                    return true;
-                }
-                // obj.hasOwnProperty(key) OR Object.hasOwn(obj, key)
-                if (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    (callee.property.name === 'hasOwnProperty' || callee.property.name === 'hasOwn')) {
-                    const keyArg = callee.property.name === 'hasOwn' ? args[1] : args[0];
-                    if (keyArg?.type === eslint_devkit_1.AST_NODE_TYPES.Identifier && keyArg.name === keyName) {
-                        return true;
-                    }
-                }
-                return false;
-            };
-            const isInOperator = (testNode) => {
-                // Pattern: key in obj
-                return testNode.type === eslint_devkit_1.AST_NODE_TYPES.BinaryExpression &&
-                    testNode.operator === 'in' &&
-                    testNode.left.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    testNode.left.name === keyName;
-            };
-            const hasValidation = (testNode) => {
-                return isIncludesCall(testNode) || isHasOwnPropertyCall(testNode) || isInOperator(testNode);
-            };
-            const hasEarlyExit = (consequent) => {
-                // Check if block contains throw or return
-                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement) {
-                    return consequent.body.some(stmt => stmt.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement ||
-                        stmt.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement);
-                }
-                return consequent.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement ||
-                    consequent.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement;
-            };
-            // Walk up to find enclosing IfStatement with validation
-            let current = node.parent;
-            let foundFunctionBody = false;
-            while (current && !foundFunctionBody) {
-                // Check if we're inside an if-block with validation in the condition
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
-                    if (hasValidation(current.test)) {
-                        return true;
-                    }
-                }
-                // Check for function body - look for preceding sibling if-statements with early exit
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement && current.parent && (current.parent.type === eslint_devkit_1.AST_NODE_TYPES.FunctionDeclaration ||
-                    current.parent.type === eslint_devkit_1.AST_NODE_TYPES.FunctionExpression ||
-                    current.parent.type === eslint_devkit_1.AST_NODE_TYPES.ArrowFunctionExpression)) {
-                    foundFunctionBody = true;
-                    const blockBody = current.body;
-                    const nodeIndex = blockBody.findIndex((stmt) => {
-                        let check = node;
-                        while (check) {
-                            if (check === stmt)
-                                return true;
-                            check = check.parent;
-                        }
-                        return false;
-                    });
-                    // Look at preceding statements for validation patterns with early exit
-                    for (let i = 0; i < nodeIndex; i++) {
-                        const stmt = blockBody[i];
-                        if (stmt.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement &&
-                            hasValidation(stmt.test) &&
-                            hasEarlyExit(stmt.consequent)) {
-                            return true;
-                        }
-                    }
-                }
-                current = current.parent;
-            }
-            return false;
-        };
-        /**
-         * Check if property access is potentially dangerous
-         */
-        const isDangerousPropertyAccess = (propertyNode) => {
-            // SAFE: Numeric literals (array index access like items[0], items[1])
-            if (propertyNode.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof propertyNode.value === 'number') {
-                return false;
-            }
-            // Check if it's a literal string first
-            if (isLiteralString(propertyNode)) {
-                const propName = String(propertyNode.value);
-                // DANGEROUS: Literal strings that match dangerous properties (always flag these)
-                // Check this BEFORE checking typed union access
-                if (dangerousProperties.includes(propName)) {
-                    return true;
-                }
-                // SAFE: Typed union access (obj[typedKey] where typedKey is 'primary' | 'secondary')
-                // Only safe if it's NOT a dangerous property
-                if (isTypedUnionAccess(propertyNode)) {
-                    return false;
-                }
-                // SAFE: Literal strings that are NOT dangerous properties (if allowLiterals is true)
-                if (allowLiterals) {
-                    return false;
-                }
-                // If allowLiterals is false, non-dangerous literal strings are still considered safe
-                // (they're static and known at compile time)
-                return false;
-            }
-            // DANGEROUS: Any untyped/dynamic property access (e.g., obj[userInput])
-            return true;
-        };
-        /**
-         * Extract property access information
-         */
-        const extractPropertyAccess = (node) => {
-            const sourceCode = context.sourceCode || context.sourceCode;
-            let object;
-            let property;
-            let propertyNode;
-            let isAssignment = false;
-            if (node.type === eslint_devkit_1.AST_NODE_TYPES.AssignmentExpression && node.left.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression) {
-                // Assignment: obj[key] = value
-                object = sourceCode.getText(node.left.object);
-                property = sourceCode.getText(node.left.property);
-                propertyNode = node.left.property;
-                isAssignment = true;
-            }
-            else if (node.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression) {
-                // Access: obj[key]
-                object = sourceCode.getText(node.object);
-                property = sourceCode.getText(node.property);
-                propertyNode = node.property;
-                isAssignment = false;
-            }
-            else {
-                return { object: '', property: '', propertyNode: node, isAssignment: false, pattern: null };
-            }
-            // Check if property matches dangerous patterns
-            const pattern = OBJECT_INJECTION_PATTERNS.find(p => new RegExp(p.pattern, 'i').test(property) ||
-                dangerousProperties.includes(property.replace(/['"]/g, ''))) || null;
-            return { object, property, propertyNode, isAssignment, pattern };
-        };
-        /**
-         * Determine if this is a high-risk assignment
-         */
-        const isHighRiskAssignment = (node) => {
-            if (node.left.type !== 'MemberExpression') {
-                return false;
-            }
-            // Only check computed member access (bracket notation)
-            // Dot notation (obj.name) is safe
-            if (!node.left.computed) {
-                return false;
-            }
-            const { propertyNode } = extractPropertyAccess(node);
-            // Skip if the key has been validated (e.g., includes() or hasOwnProperty check)
-            if (hasPrecedingValidation(propertyNode, node)) {
-                return false;
-            }
-            // Check for dangerous property access in assignment
-            return isDangerousPropertyAccess(propertyNode);
-        };
-        /**
-         * Determine if this is a high-risk member access
-         */
-        const isHighRiskMemberAccess = (node) => {
-            // Only check computed member access (bracket notation)
-            if (!node.computed) {
-                return false;
-            }
-            const { propertyNode } = extractPropertyAccess(node);
-            // Skip if the key has been validated (e.g., includes() or hasOwnProperty check)
-            if (hasPrecedingValidation(propertyNode, node)) {
-                return false;
-            }
-            // Check for dangerous property access
-            return isDangerousPropertyAccess(propertyNode);
-        };
-        /**
-         * Determine risk level based on the pattern and context
-         */
-        const determineRiskLevel = (pattern, isAssignment) => {
-            if (pattern?.riskLevel === 'critical' || (pattern && isAssignment)) {
-                return 'CRITICAL';
-            }
-            if (pattern?.riskLevel === 'high' || isAssignment) {
-                return 'HIGH';
-            }
-            return 'MEDIUM';
-        };
-        /**
-         * Check assignment expressions for object injection
-         */
-        const checkAssignmentExpression = (node) => {
-            if (!isHighRiskAssignment(node)) {
-                return;
-            }
-            // Mark the MemberExpression as handled to avoid double-reporting
-            if (node.left.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression) {
-                handledMemberExpressions.add(node.left);
-            }
-            const { object, property, isAssignment, pattern } = extractPropertyAccess(node);
-            const riskLevel = determineRiskLevel(pattern, isAssignment);
-            context.report({
-                node,
-                messageId: 'objectInjection',
-                data: {
-                    pattern: `${object}[${property}]`,
-                    riskLevel,
-                    vulnerability: pattern?.vulnerability || 'object injection',
-                    safeAlternative: pattern?.safeAlternative || 'Use Map or property whitelisting',
-                },
-                suggest: [
-                    {
-                        messageId: 'useMapInstead',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'useHasOwnProperty',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'whitelistKeys',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'useObjectCreate',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'freezePrototypes',
-                        fix: () => null
-                    }
-                ]
-            });
-        };
-        /**
-         * Check member expressions for object injection
-         */
-        const checkMemberExpression = (node) => {
-            if (!isHighRiskMemberAccess(node)) {
-                return;
-            }
-            // Skip if this MemberExpression was already handled as part of an AssignmentExpression
-            if (handledMemberExpressions.has(node)) {
-                return;
-            }
-            // Also check parent - if it's an AssignmentExpression and this node is the left side, skip
-            // (This handles cases where WeakSet check didn't work due to visitor order)
-            const parent = node.parent;
-            if (parent && parent.type === eslint_devkit_1.AST_NODE_TYPES.AssignmentExpression && parent.left === node) {
-                return;
-            }
-            const { object, property, isAssignment, pattern } = extractPropertyAccess(node);
-            const riskLevel = determineRiskLevel(pattern, isAssignment);
-            context.report({
-                node,
-                messageId: 'objectInjection',
-                data: {
-                    pattern: `${object}[${property}]`,
-                    riskLevel,
-                    vulnerability: pattern?.vulnerability || 'object injection',
-                    safeAlternative: pattern?.safeAlternative || 'Use Map or property whitelisting',
-                }
-            });
-        };
-        return {
-            AssignmentExpression: checkAssignmentExpression,
-            MemberExpression: checkMemberExpression
-        };
-    },
-});

package/src/rules/detect-suspicious-dependencies/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Detect potential typosquatting in dependencies
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/506.html
- */
-export interface Options {
-}
-export declare const detectSuspiciousDependencies: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/detect-suspicious-dependencies/index.js

@@ -1,71 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect potential typosquatting in dependencies
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/506.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectSuspiciousDependencies = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.detectSuspiciousDependencies = (0, eslint_devkit_1.createRule)({
-    name: 'detect-suspicious-dependencies',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect typosquatting in package names',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Suspicious Dependency',
-                cwe: 'CWE-506',
-                description: 'Suspicious package name detected - possible typosquatting',
-                severity: 'HIGH',
-                fix: 'Verify package authenticity on npm registry',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/506.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        const popularPackages = ['react', 'lodash', 'express', 'axios', 'webpack'];
-        function levenshtein(a, b) {
-            const matrix = [];
-            for (let i = 0; i <= b.length; i++) {
-                matrix[i] = [i];
-            }
-            for (let j = 0; j <= a.length; j++) {
-                matrix[0][j] = j;
-            }
-            for (let i = 1; i <= b.length; i++) {
-                for (let j = 1; j <= a.length; j++) {
-                    if (b.charAt(i - 1) === a.charAt(j - 1)) {
-                        matrix[i][j] = matrix[i - 1][j - 1];
-                    }
-                    else {
-                        matrix[i][j] = Math.min(matrix[i - 1][j - 1] + 1, matrix[i][j - 1] + 1, matrix[i - 1][j] + 1);
-                    }
-                }
-            }
-            return matrix[b.length][a.length];
-        }
-        return {
-            ImportDeclaration(node) {
-                const source = node.source.value;
-                if (typeof source === 'string' && !source.startsWith('.') && !source.startsWith('@')) {
-                    for (const popular of popularPackages) {
-                        const distance = levenshtein(source, popular);
-                        if (distance > 0 && distance <= 2) {
-                            context.report({
-                                node,
-                                messageId: 'violationDetected',
-                                data: { name: source, similar: popular },
-                            });
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/detect-weak-password-validation/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Identify weak password requirements
- */
-export interface Options {
-}
-export declare const detectWeakPasswordValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;