eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-graphql-injection/index.js

@@ -1,411 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noGraphqlInjection = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-exports.noGraphqlInjection = (0, eslint_devkit_1.createRule)({
-    name: 'no-graphql-injection',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects GraphQL injection vulnerabilities and DoS attacks',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            graphqlInjection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'GraphQL Injection',
-                cwe: 'CWE-89',
-                description: 'GraphQL injection vulnerability detected',
-                severity: '{{severity}}',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://owasp.org/Top10/2025/A05_2025-Injection/',
-            }),
-            introspectionQuery: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Dangerous Introspection Query',
-                cwe: 'CWE-200',
-                description: 'Introspection query may leak schema information',
-                severity: 'HIGH',
-                fix: 'Disable introspection in production',
-                documentationLink: 'https://graphql.org/learn/introspection/',
-            }),
-            complexQueryDos: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Complex Query DoS Risk',
-                cwe: 'CWE-400',
-                description: 'Complex query may cause DoS',
-                severity: 'MEDIUM',
-                fix: 'Limit query depth and complexity',
-                documentationLink: 'https://graphql.org/learn/queries/',
-            }),
-            unsafeVariableInterpolation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe Variable Interpolation',
-                cwe: 'CWE-89',
-                description: 'Unsafe interpolation in GraphQL query',
-                severity: 'HIGH',
-                fix: 'Use GraphQL variables instead of string interpolation',
-                documentationLink: 'https://graphql.org/learn/queries/#variables',
-            }),
-            missingInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Missing Input Validation',
-                cwe: 'CWE-20',
-                description: 'GraphQL input not validated',
-                severity: 'MEDIUM',
-                fix: 'Validate all user inputs before GraphQL execution',
-                documentationLink: 'https://graphql.org/learn/validation/',
-            }),
-            useQueryBuilder: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Query Builder',
-                description: 'Use GraphQL query builders for safe construction',
-                severity: 'LOW',
-                fix: 'Use graphql-tag or similar libraries',
-                documentationLink: 'https://www.npmjs.com/package/graphql-tag',
-            }),
-            disableIntrospection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Disable Introspection',
-                description: 'Disable GraphQL introspection in production',
-                severity: 'LOW',
-                fix: 'Set introspection: false in GraphQL config',
-                documentationLink: 'https://www.apollographql.com/docs/apollo-server/security/introspection/',
-            }),
-            limitQueryDepth: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Limit Query Depth',
-                description: 'Limit maximum query depth',
-                severity: 'LOW',
-                fix: 'Use depth limiting plugins or custom validation',
-                documentationLink: 'https://www.npmjs.com/package/graphql-depth-limit',
-            }),
-            strategyQueryBuilder: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Query Builder Strategy',
-                description: 'Use typed query builders for compile-time safety',
-                severity: 'LOW',
-                fix: 'Use GraphQL code generation tools',
-                documentationLink: 'https://graphql-code-generator.com/',
-            }),
-            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Input Validation Strategy',
-                description: 'Validate all inputs at GraphQL resolver level',
-                severity: 'LOW',
-                fix: 'Implement custom scalars and input validation',
-                documentationLink: 'https://graphql.org/learn/schema/#scalar-types',
-            }),
-            strategyIntrospection: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Introspection Strategy',
-                description: 'Control introspection access based on environment',
-                severity: 'LOW',
-                fix: 'Enable introspection only for development/admin users',
-                documentationLink: 'https://www.apollographql.com/docs/apollo-server/security/introspection/',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowIntrospection: {
-                        type: 'boolean',
-                        default: false,
-                    },
-                    maxQueryDepth: {
-                        type: 'number',
-                        minimum: 1,
-                        default: 10,
-                    },
-                    trustedGraphqlLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['graphql', 'apollo-server', 'graphql-tools', 'graphql-tag'],
-                    },
-                    validationFunctions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['validate', 'sanitize', 'isValid', 'assertValid'],
-                    },
-                    trustedSanitizers: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional function names to consider as GraphQL sanitizers',
-                    },
-                    trustedAnnotations: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional JSDoc annotations to consider as safe markers',
-                    },
-                    strictMode: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Disable all false positive detection (strict mode)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowIntrospection: false,
-            maxQueryDepth: 10,
-            trustedGraphqlLibraries: ['graphql', 'apollo-server', 'graphql-tools', 'graphql-tag'],
-            validationFunctions: ['validate', 'sanitize', 'isValid', 'assertValid'],
-            trustedSanitizers: [],
-            trustedAnnotations: [],
-            strictMode: false,
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { allowIntrospection = false, maxQueryDepth = 10, trustedGraphqlLibraries = ['graphql', 'apollo-server', 'graphql-tools', 'graphql-tag'], validationFunctions = ['validate', 'sanitize', 'isValid', 'assertValid'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
-        const sourceCode = context.sourceCode || context.sourceCode;
-        const filename = context.filename || context.getFilename();
-        // Create safety checker for false positive detection
-        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
-            trustedSanitizers,
-            trustedAnnotations,
-            trustedOrmPatterns: [],
-            strictMode,
-        });
-        /**
-         * Check if this is a GraphQL-related operation
-         */
-        const isGraphqlRelated = (node) => {
-            const callee = node.callee;
-            // Check for GraphQL library calls
-            if (callee.type === 'Identifier') {
-                return trustedGraphqlLibraries.some(lib => callee.name.toLowerCase().includes(lib.toLowerCase()));
-            }
-            // Check for member expressions like graphql.parse, apollo.executeQuery
-            if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
-                const objectName = callee.object.name;
-                return trustedGraphqlLibraries.some(lib => objectName.toLowerCase().includes(lib.toLowerCase()));
-            }
-            return false;
-        };
-        /**
-         * Check if string contains GraphQL query patterns
-         */
-        const containsGraphqlQuery = (text) => {
-            const lowerText = text.toLowerCase();
-            return /\b(query|mutation|subscription|fragment)\b/.test(lowerText) ||
-                /{\s*\w+/.test(lowerText) || // GraphQL selection sets
-                /\btype\b|\binterface\b|\benum\b|\bscalar\b/.test(lowerText); // Schema definitions
-        };
-        /**
-         * Check if string contains dangerous introspection
-         */
-        const containsIntrospection = (text) => {
-            return /__schema|__type/i.test(text);
-        };
-        /**
-         * Calculate query depth (rough estimate)
-         */
-        const calculateQueryDepth = (queryText) => {
-            let depth = 0;
-            let braceCount = 0;
-            for (const char of queryText) {
-                if (char === '{') {
-                    braceCount++;
-                    depth = Math.max(depth, braceCount);
-                }
-                else if (char === '}') {
-                    braceCount--;
-                }
-            }
-            return depth;
-        };
-        /**
-         * Check if string contains unsafe interpolation
-         */
-        const containsUnsafeInterpolation = (text) => {
-            // Check for template literal interpolation
-            return /\$\{[^}]+\}/.test(text) ||
-                // Check for string concatenation patterns
-                /\w+\s*\+\s*[^+]+\s*\+\s*\w+/.test(text);
-        };
-        /**
-         * Check if input is validated before use
-         */
-        const isInputValidated = (inputNode) => {
-            // Check if input comes from a validation function
-            let current = inputNode;
-            // Walk up the AST to find validation calls
-            while (current) {
-                if (current.type === 'CallExpression' &&
-                    current.callee.type === 'Identifier' &&
-                    validationFunctions.includes(current.callee.name)) {
-                    return true;
-                }
-                current = current.parent;
-            }
-            return false;
-        };
-        return {
-            // Check template literals for GraphQL queries
-            TemplateLiteral(node) {
-                const queryText = sourceCode.getText(node);
-                if (!containsGraphqlQuery(queryText)) {
-                    return;
-                }
-                // Check for introspection queries
-                if (!allowIntrospection && containsIntrospection(queryText)) {
-                    // FALSE POSITIVE REDUCTION: Skip if annotated as safe
-                    if (safetyChecker.isSafe(node, context)) {
-                        return;
-                    }
-                    context.report({
-                        node,
-                        messageId: 'introspectionQuery',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                    return;
-                }
-                // Check for unsafe interpolation
-                if (containsUnsafeInterpolation(queryText)) {
-                    // FALSE POSITIVE REDUCTION: Skip if all expressions are validated
-                    const allExpressionsSafe = node.expressions.every((expr) => isInputValidated(expr) || safetyChecker.isSafe(expr, context));
-                    if (!allExpressionsSafe) {
-                        context.report({
-                            node,
-                            messageId: 'unsafeVariableInterpolation',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                            suggest: [
-                                {
-                                    messageId: 'useQueryBuilder',
-                                    fix: () => null // Complex to auto-fix
-                                },
-                            ],
-                        });
-                    }
-                }
-                // Check query depth for DoS protection
-                const depth = calculateQueryDepth(queryText);
-                if (depth > maxQueryDepth) {
-                    context.report({
-                        node,
-                        messageId: 'complexQueryDos',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                        suggest: [
-                            {
-                                messageId: 'limitQueryDepth',
-                                fix: () => null
-                            },
-                        ],
-                    });
-                }
-            },
-            // Check string literals for GraphQL queries
-            Literal(node) {
-                if (typeof node.value !== 'string') {
-                    return;
-                }
-                const queryText = node.value;
-                if (!containsGraphqlQuery(queryText)) {
-                    return;
-                }
-                // Check for introspection queries
-                if (!allowIntrospection && containsIntrospection(queryText)) {
-                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                    if (safetyChecker.isSafe(node, context)) {
-                        return;
-                    }
-                    /* c8 ignore stop */
-                    context.report({
-                        node,
-                        messageId: 'introspectionQuery',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                }
-                // Check query depth
-                const depth = calculateQueryDepth(queryText);
-                if (depth > maxQueryDepth) {
-                    context.report({
-                        node,
-                        messageId: 'complexQueryDos',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                }
-            },
-            // Check binary expressions (string concatenation)
-            BinaryExpression(node) {
-                if (node.operator !== '+') {
-                    return;
-                }
-                const fullText = sourceCode.getText(node);
-                if (!containsGraphqlQuery(fullText)) {
-                    return;
-                }
-                // String concatenation in GraphQL queries is dangerous
-                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                if (safetyChecker.isSafe(node, context)) {
-                    return;
-                }
-                /* c8 ignore stop */
-                context.report({
-                    node,
-                    messageId: 'graphqlInjection',
-                    data: {
-                        filePath: filename,
-                        line: String(node.loc?.start.line ?? 0),
-                        severity: 'HIGH',
-                        safeAlternative: 'Use GraphQL variables or query builders instead of string concatenation',
-                    },
-                });
-            },
-            // Check GraphQL execution calls
-            CallExpression(node) {
-                if (!isGraphqlRelated(node)) {
-                    return;
-                }
-                const callee = node.callee;
-                // Check for execute/query methods
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier' &&
-                    ['execute', 'executeQuery', 'query', 'mutate', 'subscribe'].includes(callee.property.name)) {
-                    // Check arguments for unvalidated inputs
-                    for (const arg of node.arguments) {
-                        if (arg.type === 'Identifier' && !isInputValidated(arg)) {
-                            // FALSE POSITIVE REDUCTION
-                            if (safetyChecker.isSafe(arg, context)) {
-                                continue;
-                            }
-                            context.report({
-                                node: arg,
-                                messageId: 'missingInputValidation',
-                                data: {
-                                    filePath: filename,
-                                    line: String(node.loc?.start.line ?? 0),
-                                },
-                            });
-                        }
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/no-hardcoded-credentials/index.d.ts

@@ -1,26 +0,0 @@
-export interface Options {
-    /** Patterns to ignore (regex strings). Default: [] */
-    ignorePatterns?: string[];
-    /** Allow credentials in test files. Default: false */
-    allowInTests?: boolean;
-    /** Minimum length for credential detection. Default: 8 */
-    minLength?: number;
-    /** Detect API keys. Default: true */
-    detectApiKeys?: boolean;
-    /** Detect passwords. Default: true */
-    detectPasswords?: boolean;
-    /** Detect tokens. Default: true */
-    detectTokens?: boolean;
-    /** Detect database connection strings. Default: true */
-    detectDatabaseStrings?: boolean;
-    /** Custom credential patterns. Default: [] */
-    customPatterns?: Array<{
-        /** The type of credential (e.g., 'API key', 'token', 'password') */
-        type: string;
-        /** Regex pattern to match */
-        pattern: string;
-    }>;
-    /** Strategy for fixing hardcoded credentials: 'env', 'config', 'vault', 'auto' */
-    strategy?: 'env' | 'config' | 'vault' | 'auto';
-}
-export declare const noHardcodedCredentials: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;