eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-data-in-temp-storage/index.js

@@ -1,64 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent sensitive data in temp directories
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDataInTempStorage = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDataInTempStorage = (0, eslint_devkit_1.createRule)({
-    name: 'no-data-in-temp-storage',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent sensitive data in temp directories',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Temp Storage Data',
-                cwe: 'CWE-312',
-                description: 'Sensitive data written to temp directory - not secure',
-                severity: 'HIGH',
-                fix: 'Use secure storage location or encrypt data before writing',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/312.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const tempPaths = ['/tmp', '/var/tmp', 'temp/', '/temp'];
-        return {
-            CallExpression(node) {
-                // Detect fs.writeFileSync or fs.writeFile with temp path
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.type === 'Identifier' &&
-                    node.callee.object.name === 'fs' &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['writeFileSync', 'writeFile'].includes(node.callee.property.name)) {
-                    const pathArg = node.arguments[0];
-                    if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
-                        if (tempPaths.some(tp => pathArg.value.includes(tp))) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Detect temp path literals
-                if (typeof node.value === 'string') {
-                    if (tempPaths.some(tp => node.value.includes(tp))) {
-                        // Only flag if parent is assignment or variable declaration
-                        const parent = node.parent;
-                        if (parent?.type === 'VariableDeclarator' || parent?.type === 'AssignmentExpression') {
-                            report(node);
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-debug-code-in-production/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Detect debug code in production
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/489.html
- */
-export interface Options {
-}
-export declare const noDebugCodeInProduction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-debug-code-in-production/index.js

@@ -1,51 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect debug code in production
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/489.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDebugCodeInProduction = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDebugCodeInProduction = (0, eslint_devkit_1.createRule)({
-    name: 'no-debug-code-in-production',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect debug code in production',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M7'],
-            cweIds: ["CWE-489"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-489',
-                description: 'Detect debug code in production detected - DEBUG, __DEV__, console',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            Identifier(node) {
-                if (['DEBUG', '__DEV__'].includes(node.name)) {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-            CallExpression(node) {
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.name === 'console' &&
-                    node.callee.property.name === 'log') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-directive-injection/index.d.ts

@@ -1,12 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Trusted directive/component names */
-    trustedDirectives?: string[];
-    /** Variables that contain user input */
-    userInputVariables?: string[];
-    /** Frameworks to check for */
-    frameworks?: string[];
-    /** Allow dynamic directives in specific contexts */
-    allowDynamicInComponents?: boolean;
-}
-export declare const noDirectiveInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-directive-injection/index.js

@@ -1,457 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDirectiveInjection = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-exports.noDirectiveInjection = (0, eslint_devkit_1.createRule)({
-    name: 'no-directive-injection',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects directive injection vulnerabilities in templates',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            directiveInjection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Directive Injection',
-                cwe: 'CWE-96',
-                description: 'User input injected into directive or template',
-                severity: '{{severity}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            unsafeDirectiveName: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe Directive Name',
-                cwe: 'CWE-96',
-                description: 'Directive name controlled by user input',
-                severity: 'CRITICAL',
-                fix: 'Use hardcoded directive names or validate against whitelist',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            dynamicDirectiveCreation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Dynamic Directive Creation',
-                cwe: 'CWE-96',
-                description: 'Dynamic creation of directives from user input',
-                severity: 'HIGH',
-                fix: 'Validate directive names against trusted list',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            templateInjection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Template Injection',
-                cwe: 'CWE-96',
-                description: 'User input injected into template content',
-                severity: 'HIGH',
-                fix: 'Sanitize template input or use safe rendering',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            unsafeComponentBinding: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe Component Binding',
-                cwe: 'CWE-96',
-                description: 'Dynamic component binding with user input',
-                severity: 'HIGH',
-                fix: 'Use component whitelist or validate component names',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            userControlledTemplate: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'User Controlled Template',
-                cwe: 'CWE-96',
-                description: 'Template content controlled by user input',
-                severity: 'CRITICAL',
-                fix: 'Sanitize template input before compilation',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            dangerousInnerHTML: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Dangerous innerHTML',
-                cwe: 'CWE-96',
-                description: 'innerHTML set with user-controlled content',
-                severity: 'HIGH',
-                fix: 'Use textContent or sanitize HTML content',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML',
-            }),
-            untrustedDirectiveSource: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Untrusted Directive Source',
-                cwe: 'CWE-96',
-                description: 'Directive loaded from untrusted source',
-                severity: 'MEDIUM',
-                fix: 'Load directives from trusted, verified sources',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            useTrustedDirectives: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Trusted Directives',
-                description: 'Use only trusted, verified directives',
-                severity: 'LOW',
-                fix: 'Maintain whitelist of allowed directives',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            sanitizeTemplateInput: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Sanitize Template Input',
-                description: 'Sanitize user input before template processing',
-                severity: 'LOW',
-                fix: 'Use DOMPurify or equivalent sanitization',
-                documentationLink: 'https://github.com/cure53/DOMPurify',
-            }),
-            validateDirectiveNames: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Validate Directive Names',
-                description: 'Validate directive names against whitelist',
-                severity: 'LOW',
-                fix: 'Check directive names before dynamic creation',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
-            }),
-            strategyTemplateSanitization: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Template Sanitization Strategy',
-                description: 'Implement template input sanitization',
-                severity: 'LOW',
-                fix: 'Sanitize all user input before template processing',
-                documentationLink: 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet',
-            }),
-            strategyContentSecurity: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Content Security Strategy',
-                description: 'Use CSP to restrict directive execution',
-                severity: 'LOW',
-                fix: 'Implement strict CSP with script-src restrictions',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
-            }),
-            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Input Validation Strategy',
-                description: 'Validate all template inputs',
-                severity: 'LOW',
-                fix: 'Use schema validation for template inputs',
-                documentationLink: 'https://joi.dev/',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    trustedDirectives: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['ngIf', 'ngFor', 'ngClass', 'v-if', 'v-for', 'v-bind', 'v-on'],
-                    },
-                    userInputVariables: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
-                    },
-                    frameworks: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['angular', 'vue', 'react', 'svelte'],
-                    },
-                    allowDynamicInComponents: {
-                        type: 'boolean',
-                        default: false,
-                    },
-                    trustedSanitizers: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional function names to consider as template sanitizers',
-                    },
-                    trustedAnnotations: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional JSDoc annotations to consider as safe markers',
-                    },
-                    strictMode: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Disable all false positive detection (strict mode)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            trustedDirectives: ['ngIf', 'ngFor', 'ngClass', 'v-if', 'v-for', 'v-bind', 'v-on'],
-            userInputVariables: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
-            frameworks: ['angular', 'vue', 'react', 'svelte'],
-            allowDynamicInComponents: false,
-            trustedSanitizers: [],
-            trustedAnnotations: [],
-            strictMode: false,
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { userInputVariables = ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
-        const sourceCode = context.sourceCode || context.sourceCode;
-        const filename = context.filename || context.getFilename();
-        // Create safety checker for false positive detection
-        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
-            trustedSanitizers,
-            trustedAnnotations,
-            trustedOrmPatterns: [],
-            strictMode,
-        });
-        /**
-         * Check if a variable contains user input
-         */
-        const isUserInput = (varName) => {
-            return userInputVariables.some(input => varName.includes(input)) ||
-                varName.startsWith('user');
-        };
-        return {
-            // Check JSX attributes for directive injection
-            JSXAttribute(node) {
-                const attrName = node.name;
-                const attrValue = node.value;
-                // Check for dangerouslySetInnerHTML
-                if (attrName.type === 'JSXIdentifier' && attrName.name === 'dangerouslySetInnerHTML') {
-                    if (attrValue && attrValue.type === 'JSXExpressionContainer') {
-                        const expression = attrValue.expression;
-                        // Check if the expression contains user input
-                        const expressionText = sourceCode.getText(expression);
-                        if (userInputVariables.some(input => expressionText.includes(input))) {
-                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                            if (safetyChecker.isSafe(node, context)) {
-                                return;
-                            }
-                            /* c8 ignore stop */
-                            context.report({
-                                node: attrValue,
-                                messageId: 'dangerousInnerHTML',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                            });
-                        }
-                    }
-                }
-                // Check for dynamic directive names (Angular/Vue style)
-                // Check for dynamic directive names (Angular/Vue style)
-                const isNamespaceDirective = ((attrName.type === 'JSXNamespacedName' && (attrName.namespace.name === 'v' || attrName.namespace.name === 'ng')) ||
-                    (attrName.type === 'JSXIdentifier' && (attrName.name.startsWith('ng:') || attrName.name.startsWith('v:'))));
-                if (isNamespaceDirective && attrValue) {
-                    if (attrValue.type === 'JSXExpressionContainer') {
-                        const expression = attrValue.expression;
-                        // Check if directive value comes from user input
-                        if (expression.type === 'Identifier' && isUserInput(expression.name)) {
-                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                            if (safetyChecker.isSafe(node, context)) {
-                                return;
-                            }
-                            /* c8 ignore stop */
-                            context.report({
-                                node: attrValue,
-                                messageId: 'directiveInjection',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                    severity: 'HIGH',
-                                    safeAlternative: 'Use hardcoded directive values or validate user input',
-                                },
-                            });
-                        }
-                    }
-                }
-                // Check for dynamic component binding (React/Angular)
-                if (attrName.type === 'JSXIdentifier') {
-                    const attrNameStr = attrName.name;
-                    // Check for is="" (dynamic component in Vue/Angular)
-                    if (attrNameStr === 'is' && attrValue) {
-                        if (attrValue.type === 'JSXExpressionContainer') {
-                            const expression = attrValue.expression;
-                            if (expression.type === 'Identifier' && isUserInput(expression.name)) {
-                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                                if (safetyChecker.isSafe(node, context)) {
-                                    return;
-                                }
-                                /* c8 ignore stop */
-                                context.report({
-                                    node: attrValue,
-                                    messageId: 'unsafeComponentBinding',
-                                    data: {
-                                        filePath: filename,
-                                        line: String(node.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-            },
-            // Check for innerHTML assignments
-            AssignmentExpression(node) {
-                const left = node.left;
-                const right = node.right;
-                // Check for element.innerHTML = userInput
-                if (left.type === 'MemberExpression' &&
-                    left.property.type === 'Identifier' &&
-                    left.property.name === 'innerHTML') {
-                    // Check if right side contains user input
-                    const rightText = sourceCode.getText(right);
-                    if (userInputVariables.some(input => rightText.includes(input))) {
-                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                        if (safetyChecker.isSafe(node, context)) {
-                            return;
-                        }
-                        /* c8 ignore stop */
-                        context.report({
-                            node: right,
-                            messageId: 'dangerousInnerHTML',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                    }
-                }
-            },
-            // Check for template compilation with user input
-            CallExpression(node) {
-                const callee = node.callee;
-                // Check for template compilation functions
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier') {
-                    const methodName = callee.property.name;
-                    const objectName = callee.object.type === 'Identifier' ? callee.object.name : '';
-                    // Template compilation functions
-                    if (['compile', 'template', '$compile', '$interpolate'].includes(methodName) ||
-                        (objectName === 'Handlebars' && methodName === 'compile') ||
-                        (objectName === '_' && methodName === 'template') ||
-                        (objectName === 'ejs' && methodName === 'render') ||
-                        (objectName === 'pug' && methodName === 'render') ||
-                        (objectName === 'mustache' && methodName === 'render')) {
-                        const args = node.arguments;
-                        if (args.length > 0) {
-                            const templateArg = args[0];
-                            // Check if template comes from user input
-                            if (templateArg.type === 'Identifier' && isUserInput(templateArg.name)) {
-                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                                if (safetyChecker.isSafe(node, context)) {
-                                    return;
-                                }
-                                /* c8 ignore stop */
-                                context.report({
-                                    node: templateArg,
-                                    messageId: 'userControlledTemplate',
-                                    data: {
-                                        filePath: filename,
-                                        line: String(node.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                    // Check for Vue.js v-html directive
-                    if (objectName === 'Vue' && methodName === 'directive') {
-                        const args = node.arguments;
-                        if (args.length >= 2) {
-                            const directiveName = args[0];
-                            if (directiveName.type === 'Identifier' && isUserInput(directiveName.name)) {
-                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                                if (safetyChecker.isSafe(node, context)) {
-                                    return;
-                                }
-                                /* c8 ignore stop */
-                                context.report({
-                                    node: directiveName,
-                                    messageId: 'unsafeDirectiveName',
-                                    data: {
-                                        filePath: filename,
-                                        line: String(node.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-                // Check for Angular directive creation
-                if (callee.type === 'Identifier' && callee.name === 'directive') {
-                    const args = node.arguments;
-                    if (args.length >= 2) {
-                        const directiveName = args[0];
-                        if (directiveName.type === 'Identifier' && isUserInput(directiveName.name)) {
-                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                            if (safetyChecker.isSafe(node, context)) {
-                                return;
-                            }
-                            /* c8 ignore stop */
-                            context.report({
-                                node: directiveName,
-                                messageId: 'dynamicDirectiveCreation',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                            });
-                        }
-                    }
-                }
-            },
-            // Check template literals for injection
-            TemplateLiteral(node) {
-                // Check if template literal is used dangerously
-                let current = node;
-                let isInDangerousContext = false;
-                while (current && !isInDangerousContext) {
-                    if (current.type === 'JSXExpressionContainer') {
-                        // Check if we are inside dangerouslySetInnerHTML attribute
-                        if (current.parent?.type === 'JSXAttribute' &&
-                            current.parent.name.type === 'JSXIdentifier' &&
-                            current.parent.name.name === 'dangerouslySetInnerHTML') {
-                            isInDangerousContext = true;
-                            break;
-                        }
-                    }
-                    else if (current.type === 'AssignmentExpression') {
-                        // Check for innerHTML assignment
-                        const left = current.left;
-                        if (left.type === 'MemberExpression' &&
-                            left.property.type === 'Identifier' &&
-                            left.property.name === 'innerHTML') {
-                            isInDangerousContext = true;
-                            break;
-                        }
-                    }
-                    current = current.parent;
-                }
-                if (isInDangerousContext) {
-                    // Check if template contains user input
-                    const hasUserInput = node.expressions.some((expr) => (expr.type === 'Identifier' && isUserInput(expr.name)) ||
-                        (expr.type === 'MemberExpression' &&
-                            expr.object.type === 'Identifier' &&
-                            isUserInput(expr.object.name)));
-                    if (hasUserInput) {
-                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                        if (safetyChecker.isSafe(node, context)) {
-                            return;
-                        }
-                        /* c8 ignore stop */
-                        context.report({
-                            node,
-                            messageId: 'templateInjection',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                                severity: 'HIGH',
-                                safeAlternative: 'Sanitize template input before insertion',
-                            },
-                        });
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/no-disabled-certificate-validation/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Prevent disabled SSL/TLS certificate validation
- */
-export interface Options {
-}
-export declare const noDisabledCertificateValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-disabled-certificate-validation/index.js

@@ -1,61 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent disabled SSL/TLS certificate validation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDisabledCertificateValidation = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDisabledCertificateValidation = (0, eslint_devkit_1.createRule)({
-    name: 'no-disabled-certificate-validation',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent disabled SSL/TLS certificate validation',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Disabled Certificate Validation',
-                cwe: 'CWE-295',
-                description: 'SSL/TLS certificate validation is disabled - man-in-the-middle attack possible',
-                severity: 'CRITICAL',
-                fix: 'Remove rejectUnauthorized: false or verify: false, fix certificate issues properly',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const dangerousProperties = ['rejectUnauthorized', 'strictSSL', 'verify'];
-        return {
-            Property(node) {
-                // Check for dangerous SSL options set to false
-                if (node.key.type === 'Identifier' &&
-                    dangerousProperties.includes(node.key.name) &&
-                    node.value.type === 'Literal' &&
-                    node.value.value === false) {
-                    report(node);
-                }
-            },
-            AssignmentExpression(node) {
-                // Check for NODE_TLS_REJECT_UNAUTHORIZED = '0'
-                if (node.left.type === 'MemberExpression' &&
-                    node.left.object.type === 'MemberExpression' &&
-                    node.left.object.object.type === 'Identifier' &&
-                    node.left.object.object.name === 'process' &&
-                    node.left.object.property.type === 'Identifier' &&
-                    node.left.object.property.name === 'env' &&
-                    node.left.property.type === 'Identifier' &&
-                    node.left.property.name === 'NODE_TLS_REJECT_UNAUTHORIZED') {
-                    if (node.right.type === 'Literal' && node.right.value === '0') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});