npm - eslint-plugin-secure-coding - Versions diffs - 2.3.2 → 2.3.3 - Mend

eslint-plugin-secure-coding 2.3.2 → 2.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (361) hide show

package/src/rules/no-document-cookie/index.d.ts DELETED Viewed

@@ -1,5 +0,0 @@
-export interface Options {
-    /** Allow reading document.cookie for parsing */
-    allowReading?: boolean;
-}
-export declare const noDocumentCookie: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-document-cookie/index.js DELETED Viewed

@@ -1,89 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDocumentCookie = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-exports.noDocumentCookie = (0, eslint_devkit_1.createRule)({
-    name: 'no-document-cookie',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent direct usage of document.cookie - use Cookie Store API or cookie libraries instead',
-        },
-        hasSuggestions: false,
-        messages: {
-            noDocumentCookie: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.WARNING,
-                issueName: 'Document Cookie',
-                description: 'Avoid direct document.cookie usage',
-                severity: 'MEDIUM',
-                fix: 'Use Cookie Store API or cookie library instead',
-                documentationLink: 'https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/no-document-cookie.md',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowReading: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [{ allowReading: true }],
-    create(context) {
-        const [options] = context.options;
-        const { allowReading = true } = options || {};
-        function isDocumentCookieAccess(node) {
-            // Check if this is accessing document.cookie
-            return (node.object.type === 'Identifier' &&
-                node.object.name === 'document' &&
-                ((node.property.type === 'Identifier' && node.property.name === 'cookie') ||
-                    (node.computed && node.property.type === 'Literal' && node.property.value === 'cookie')));
-        }
-        function isAssignmentToCookie(node) {
-            // Check if this is an assignment to document.cookie
-            const parent = node.parent;
-            // Check direct assignment
-            if (parent?.type === 'AssignmentExpression' && parent.left === node) {
-                return true;
-            }
-            // Check compound assignment (+=, -=, etc.)
-            if (parent?.type === 'AssignmentExpression' &&
-                parent.operator &&
-                parent.operator.includes('=') &&
-                parent.left === node) {
-                return true;
-            }
-            // Variable declarator (const/let/var x = document.cookie) - this is reading, not assigning
-            if (parent?.type === 'VariableDeclarator' && parent.init === node) {
-                return false;
-            }
-            return false;
-        }
-        return {
-            MemberExpression(node) {
-                if (isDocumentCookieAccess(node)) {
-                    const isAssigning = isAssignmentToCookie(node);
-                    // If allowReading is true, only flag assignments
-                    // If allowReading is false, flag everything
-                    if (allowReading && !isAssigning) {
-                        return; // Allow reading when option is enabled
-                    }
-                    // Flag document.cookie usage
-                    context.report({
-                        node,
-                        messageId: 'noDocumentCookie',
-                        data: {
-                            operation: isAssigning ? 'assignment to' : 'reading from',
-                        },
-                    });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-dynamic-dependency-loading/index.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent dynamic dependency injection
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/494.html
- */
-export interface Options {
-}
-export declare const noDynamicDependencyLoading: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-dynamic-dependency-loading/index.js DELETED Viewed

@@ -1,51 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent dynamic dependency injection
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/494.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDynamicDependencyLoading = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDynamicDependencyLoading = (0, eslint_devkit_1.createRule)({
-    name: 'no-dynamic-dependency-loading',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent runtime dependency injection with dynamic paths',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M2'],
-            cweIds: ['CWE-494'],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-1104',
-                description: 'Dynamic import/require detected - use static imports for security',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/1104.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            CallExpression(node) {
-                // Dynamic require
-                if (node.callee.name === 'require' && node.arguments[0]?.type !== 'Literal') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-            ImportExpression(node) {
-                // Dynamic import()
-                if (node.source.type !== 'Literal') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-electron-security-issues/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Allow insecure settings in development */
-    allowInDev?: boolean;
-    /** Safe preload script patterns */
-    safePreloadPatterns?: string[];
-    /** Allowed IPC channels */
-    allowedIpcChannels?: string[];
-}
-export declare const noElectronSecurityIssues: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-electron-security-issues/index.js DELETED Viewed

@@ -1,423 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noElectronSecurityIssues = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-exports.noElectronSecurityIssues = (0, eslint_devkit_1.createRule)({
-    name: 'no-electron-security-issues',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects Electron security vulnerabilities and insecure configurations',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            electronSecurityIssue: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Electron Security Issue',
-                cwe: 'CWE-16',
-                description: 'Electron security vulnerability detected',
-                severity: '{{severity}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security',
-            }),
-            nodeIntegrationEnabled: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Node Integration Enabled',
-                cwe: 'CWE-16',
-                description: 'nodeIntegration enabled allows Node.js access in renderer',
-                severity: 'CRITICAL',
-                fix: 'Set nodeIntegration: false and use secure preload scripts',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content',
-            }),
-            contextIsolationDisabled: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Context Isolation Disabled',
-                cwe: 'CWE-16',
-                description: 'contextIsolation disabled removes security boundary',
-                severity: 'CRITICAL',
-                fix: 'Enable contextIsolation and use preload scripts',
-                documentationLink: 'https://electronjs.org/docs/tutorial/context-isolation',
-            }),
-            webSecurityDisabled: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Web Security Disabled',
-                cwe: 'CWE-16',
-                description: 'webSecurity disabled removes CORS and security protections',
-                severity: 'HIGH',
-                fix: 'Keep webSecurity enabled',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#6-define-a-content-security-policy',
-            }),
-            insecureContentEnabled: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Insecure Content Enabled',
-                cwe: 'CWE-16',
-                description: 'allowRunningInsecureContent allows mixed content',
-                severity: 'MEDIUM',
-                fix: 'Set allowRunningInsecureContent: false',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity',
-            }),
-            unsafePreloadScript: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe Preload Script',
-                cwe: 'CWE-16',
-                description: 'Preload script may expose sensitive APIs',
-                severity: 'HIGH',
-                fix: 'Use minimal, secure preload scripts',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
-            }),
-            directNodeAccess: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Direct Node Access',
-                cwe: 'CWE-16',
-                description: 'Direct access to Node.js APIs in renderer process',
-                severity: 'HIGH',
-                fix: 'Access Node.js APIs only through secure IPC channels',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
-            }),
-            insecureIpcPattern: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Insecure IPC Pattern',
-                cwe: 'CWE-16',
-                description: 'IPC communication lacks proper validation',
-                severity: 'MEDIUM',
-                fix: 'Validate IPC messages and restrict channels',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#7-do-not-use-the-ipc-transport-for-sensitive-data',
-            }),
-            missingSandbox: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Missing Sandbox',
-                cwe: 'CWE-16',
-                description: 'BrowserWindow not sandboxed',
-                severity: 'MEDIUM',
-                fix: 'Enable sandbox for untrusted content',
-                documentationLink: 'https://electronjs.org/docs/tutorial/sandbox',
-            }),
-            enableSecurityFeatures: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Enable Security Features',
-                description: 'Enable Electron security features',
-                severity: 'LOW',
-                fix: 'Set contextIsolation: true, nodeIntegration: false',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security',
-            }),
-            useContextIsolation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Context Isolation',
-                description: 'Use context isolation for security',
-                severity: 'LOW',
-                fix: 'Enable contextIsolation in BrowserWindow options',
-                documentationLink: 'https://electronjs.org/docs/tutorial/context-isolation',
-            }),
-            securePreloadScripts: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Secure Preload Scripts',
-                description: 'Use secure preload scripts',
-                severity: 'LOW',
-                fix: 'Limit APIs exposed in preload scripts',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
-            }),
-            strategySecureDefaults: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Secure Defaults Strategy',
-                description: 'Use secure defaults for Electron applications',
-                severity: 'LOW',
-                fix: 'Start with secure configuration and relax only when necessary',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security',
-            }),
-            strategyProcessSeparation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Process Separation Strategy',
-                description: 'Separate main and renderer processes properly',
-                severity: 'LOW',
-                fix: 'Keep Node.js APIs in main process, use IPC for communication',
-                documentationLink: 'https://electronjs.org/docs/tutorial/application-architecture',
-            }),
-            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Input Validation Strategy',
-                description: 'Validate all inputs in Electron applications',
-                severity: 'LOW',
-                fix: 'Validate IPC messages and user inputs',
-                documentationLink: 'https://electronjs.org/docs/tutorial/security#7-do-not-use-the-ipc-transport-for-sensitive-data',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInDev: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow insecure settings in development'
-                    },
-                    safePreloadPatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['contextBridge', 'ipcRenderer'],
-                    },
-                    allowedIpcChannels: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                    },
-                    trustedSanitizers: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional function names to consider as safe',
-                    },
-                    trustedAnnotations: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional JSDoc annotations to consider as safe markers',
-                    },
-                    strictMode: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Disable all false positive detection (strict mode)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInDev: false,
-            safePreloadPatterns: ['contextBridge', 'ipcRenderer'],
-            allowedIpcChannels: [],
-            trustedSanitizers: [],
-            trustedAnnotations: [],
-            strictMode: false,
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { allowedIpcChannels = [], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
-        const filename = context.filename || context.getFilename();
-        // Create safety checker for false positive detection
-        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
-            trustedSanitizers,
-            trustedAnnotations,
-            trustedOrmPatterns: [],
-            strictMode,
-        });
-        /**
-         * Check if this is an Electron BrowserWindow creation
-         */
-        const isBrowserWindowCreation = (node) => {
-            return node.callee.type === 'Identifier' &&
-                node.callee.name === 'BrowserWindow';
-        };
-        /**
-         * Check if BrowserWindow options contain insecure settings
-         */
-        const checkBrowserWindowOptions = (optionsNode) => {
-            for (const prop of optionsNode.properties) {
-                if (prop.type === 'Property' &&
-                    prop.key.type === 'Identifier') {
-                    const key = prop.key.name;
-                    const value = prop.value;
-                    // Check for insecure boolean options
-                    if (['nodeIntegration', 'contextIsolation', 'webSecurity', 'allowRunningInsecureContent', 'sandbox'].includes(key)) {
-                        if (value.type === 'Literal') {
-                            const isInsecure = ((key === 'nodeIntegration' && value.value === true) ||
-                                (key === 'contextIsolation' && value.value === false) ||
-                                (key === 'webSecurity' && value.value === false) ||
-                                (key === 'allowRunningInsecureContent' && value.value === true) ||
-                                (key === 'sandbox' && value.value === false));
-                            if (isInsecure) {
-                                // FALSE POSITIVE REDUCTION
-                                if (safetyChecker.isSafe(prop, context)) {
-                                    continue;
-                                }
-                                const messageId = (key === 'nodeIntegration' ? 'nodeIntegrationEnabled' :
-                                    key === 'contextIsolation' ? 'contextIsolationDisabled' :
-                                        key === 'webSecurity' ? 'webSecurityDisabled' :
-                                            key === 'allowRunningInsecureContent' ? 'insecureContentEnabled' :
-                                                'missingSandbox');
-                                context.report({
-                                    node: prop,
-                                    messageId,
-                                    data: {
-                                        filePath: filename,
-                                        line: String(prop.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-            }
-        };
-        /**
-         * Check if this is an IPC call
-         */
-        const isIpcCall = (node) => {
-            const callee = node.callee;
-            if (callee.type === 'MemberExpression' &&
-                callee.object.type === 'Identifier' &&
-                ['ipcMain', 'ipcRenderer'].includes(callee.object.name) &&
-                callee.property.type === 'Identifier') {
-                return ['send', 'invoke', 'handle', 'on', 'once'].includes(callee.property.name);
-            }
-            return false;
-        };
-        /**
-         * Check for unsafe IPC patterns
-         */
-        const checkIpcCall = (node) => {
-            const args = node.arguments;
-            if (args.length === 0) {
-                return;
-            }
-            // Check channel name (first argument)
-            const channelArg = args[0];
-            if (channelArg.type === 'Literal' && typeof channelArg.value === 'string') {
-                const channel = channelArg.value;
-                // Check if channel is allowed
-                if (allowedIpcChannels.length > 0 && !allowedIpcChannels.includes(channel)) {
-                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                    if (safetyChecker.isSafe(node, context)) {
-                        return;
-                    }
-                    /* c8 ignore stop */
-                    context.report({
-                        node: channelArg,
-                        messageId: 'insecureIpcPattern',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                }
-            }
-        };
-        /**
-         * Check for direct Node.js API access in renderer-like files
-         */
-        const isRendererFile = () => {
-            const fileName = filename.toLowerCase();
-            return fileName.includes('renderer') ||
-                fileName.includes('preload') ||
-                fileName.includes('ui') ||
-                fileName.includes('view');
-        };
-        /**
-         * Check for Node.js API usage
-         */
-        const isNodeApiCall = (node) => {
-            const callee = node.callee;
-            // Check for require('fs'), require('child_process'), etc.
-            if (callee.type === 'Identifier' && callee.name === 'require') {
-                const arg = node.arguments[0];
-                if (arg?.type === 'Literal' && typeof arg.value === 'string') {
-                    const moduleName = arg.value;
-                    return ['fs', 'child_process', 'os', 'path', 'crypto', 'http', 'https'].includes(moduleName);
-                }
-            }
-            // Check for global Node.js objects
-            if (callee.type === 'MemberExpression' &&
-                callee.object.type === 'Identifier' &&
-                ['process', 'global', '__dirname', '__filename'].includes(callee.object.name)) {
-                return true;
-            }
-            return false;
-        };
-        return {
-            // Check BrowserWindow creation
-            NewExpression(node) {
-                try {
-                    if (isBrowserWindowCreation(node)) {
-                        const args = node.arguments;
-                        if (args.length > 0 && args[0]?.type === 'ObjectExpression') {
-                            checkBrowserWindowOptions(args[0]);
-                        }
-                    }
-                }
-                catch {
-                    return;
-                }
-            },
-            // Check IPC calls
-            CallExpression(node) {
-                try {
-                    if (isIpcCall(node)) {
-                        checkIpcCall(node);
-                    }
-                    // Check for Node.js API usage in renderer files
-                    if (isRendererFile() && isNodeApiCall(node)) {
-                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                        if (safetyChecker.isSafe(node, context)) {
-                            return;
-                        }
-                        /* c8 ignore stop */
-                        context.report({
-                            node,
-                            messageId: 'directNodeAccess',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                    }
-                }
-                catch {
-                    // Skip problematic nodes to avoid rule crashes
-                    return;
-                }
-            },
-            // Check for preload script issues
-            AssignmentExpression(node) {
-                try {
-                    // Look for preload script assignments
-                    if (node.left.type === 'MemberExpression' &&
-                        node.left.property.type === 'Identifier' &&
-                        node.left.property.name === 'preload') {
-                        if (node.right.type === 'Literal' && typeof node.right.value === 'string') {
-                            const preloadPath = node.right.value;
-                            // Check for potentially unsafe preload patterns
-                            if (preloadPath.includes('node_modules') ||
-                                preloadPath.includes('http') ||
-                                preloadPath.includes('remote')) {
-                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                                if (safetyChecker.isSafe(node, context)) {
-                                    return;
-                                }
-                                /* c8 ignore stop */
-                                context.report({
-                                    node: node.right,
-                                    messageId: 'unsafePreloadScript',
-                                    data: {
-                                        filePath: filename,
-                                        line: String(node.loc?.start.line ?? 0),
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-                catch {
-                    return;
-                }
-            },
-            // Check for insecure webPreferences patterns
-            Property(node) {
-                try {
-                    if (node.key.type === 'Identifier' && node.key.name === 'webPreferences') {
-                        if (node.value.type === 'ObjectExpression') {
-                            checkBrowserWindowOptions(node.value);
-                        }
-                    }
-                }
-                catch {
-                    return;
-                }
-            }
-        };
-    },
-});

package/src/rules/no-exposed-debug-endpoints/index.d.ts DELETED Viewed

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Detect debug endpoints without auth
- */
-export interface Options {
-}
-export declare const noExposedDebugEndpoints: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-exposed-debug-endpoints/index.js DELETED Viewed

@@ -1,62 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect debug endpoints without auth
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noExposedDebugEndpoints = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noExposedDebugEndpoints = (0, eslint_devkit_1.createRule)({
-    name: 'no-exposed-debug-endpoints',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect debug endpoints without auth',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Exposed Debug Endpoint',
-                cwe: 'CWE-489',
-                description: 'Debug endpoint exposed without authentication',
-                severity: 'HIGH',
-                fix: 'Remove debug endpoints from production or add authentication',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const debugPaths = ['/debug', '/__debug__', '/admin', '/_admin', '/test', '/health'];
-        return {
-            CallExpression(node) {
-                // Detect app.get('/debug', handler)
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.type === 'Identifier' &&
-                    ['app', 'router', 'express'].includes(node.callee.object.name) &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['get', 'post', 'use'].includes(node.callee.property.name)) {
-                    const pathArg = node.arguments[0];
-                    if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
-                        const path = pathArg.value.toLowerCase();
-                        if (debugPaths.some(dp => path.includes(dp))) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Flag debug path strings in general
-                if (typeof node.value === 'string') {
-                    const path = node.value.toLowerCase();
-                    if (debugPaths.some(dp => path === dp)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});