eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-hardcoded-credentials/index.js

@@ -1,376 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noHardcodedCredentials = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Common credential patterns
- */
-const CREDENTIAL_PATTERNS = {
-    // API Keys (typically 32+ character alphanumeric strings)
-    apiKey: /^(?:[A-Za-z0-9_-]{32,}|sk_[A-Za-z0-9_-]{32,}|pk_[A-Za-z0-9_-]{32,}|AKIA[0-9A-Z]{16})$/,
-    // JWT Tokens (three base64 parts separated by dots)
-    jwtToken: /^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,
-    // OAuth tokens
-    oauthToken: /^(?:ghp_|gho_|ghu_|ghs_|ghr_)[A-Za-z0-9]{36,}$/,
-    // AWS Access Keys
-    awsAccessKey: /^AKIA[0-9A-Z]{16}$/,
-    // Database connection strings with credentials
-    databaseString: /^(?:mysql|postgres|mongodb|redis):\/\/[^:]+:[^@]+@/,
-    // Generic password patterns (common weak passwords) - no length requirement
-    commonPassword: /^(?:password|admin|123456|qwerty|letmein|welcome|monkey|1234567890|12345678|password123|root|test|guest)$/i,
-    // Secret keys (base64-like or hex strings)
-    secretKey: /^(?:[A-Za-z0-9+/]{32,}={0,2}|[A-Fa-f0-9]{32,})$/,
-};
-// Note: CREDENTIAL_VARIABLE_NAMES is reserved for future use when we want to
-// check variable names in addition to values
-// @coverage-note: Not currently used, reserved for future enhancement
-/**
- * Check if a string literal looks like a hardcoded credential
- */
-function looksLikeCredential(value, options, ignorePatterns) {
-    // Check ignore patterns first
-    if (ignorePatterns.some(pattern => pattern.test(value))) {
-        return { isCredential: false, type: '' };
-    }
-    // Check custom patterns first (highest priority)
-    for (const customPattern of options.customPatterns) {
-        try {
-            const regex = new RegExp(customPattern.pattern);
-            if (regex.test(value)) {
-                return { isCredential: true, type: customPattern.type };
-            }
-            // eslint-disable-next-line @typescript-eslint/no-unused-vars
-        }
-        catch (error) {
-            // Invalid regex pattern, skip it
-            continue;
-        }
-    }
-    // Check passwords (common weak passwords) - no length requirement, check first
-    if (options.detectPasswords) {
-        if (CREDENTIAL_PATTERNS.commonPassword.test(value)) {
-            return { isCredential: true, type: 'Common password' };
-        }
-    }
-    // Check database connection strings - no length requirement
-    if (options.detectDatabaseStrings) {
-        if (CREDENTIAL_PATTERNS.databaseString.test(value)) {
-            return { isCredential: true, type: 'Database connection string' };
-        }
-    }
-    // Check minimum length for other patterns
-    if (value.length < options.minLength) {
-        return { isCredential: false, type: '' };
-    }
-    // Check tokens first (more specific patterns)
-    if (options.detectTokens) {
-        if (CREDENTIAL_PATTERNS.jwtToken.test(value)) {
-            return { isCredential: true, type: 'JWT token' };
-        }
-        if (CREDENTIAL_PATTERNS.oauthToken.test(value)) {
-            return { isCredential: true, type: 'OAuth token' };
-        }
-    }
-    // Check secret keys first (before generic API key patterns)
-    if (value.length >= 32 && CREDENTIAL_PATTERNS.secretKey.test(value)) {
-        return { isCredential: true, type: 'Secret key' };
-    }
-    // Check API keys
-    if (options.detectApiKeys) {
-        if (CREDENTIAL_PATTERNS.awsAccessKey.test(value)) {
-            return { isCredential: true, type: 'AWS access key' };
-        }
-        // Generic API key pattern (long alphanumeric strings)
-        if (/^[A-Za-z0-9_-]{32,}$/.test(value)) {
-            return { isCredential: true, type: 'API key' };
-        }
-    }
-    return { isCredential: false, type: '' };
-}
-// Note: isCredentialVariableName is reserved for future use when we want to
-// check variable names in addition to values
-// @coverage-note: Not currently used, reserved for future enhancement
-exports.noHardcodedCredentials = (0, eslint_devkit_2.createRule)({
-    name: 'no-hardcoded-credentials',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects hardcoded passwords, API keys, tokens, and other sensitive credentials',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            useEnvironmentVariable: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Hard-coded Credential',
-                cwe: 'CWE-798',
-                description: 'Hard-coded {{credentialType}} detected',
-                severity: 'CRITICAL',
-                fix: 'Use environment variable: process.env.{{envVarName}} or secret management service',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
-            }),
-            useSecretManager: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Use Secret Manager',
-                cwe: 'CWE-798',
-                description: 'Use secure secret management service',
-                severity: 'HIGH',
-                fix: 'Use AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or similar',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
-            }),
-            strategyEnv: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
-                issueName: 'Environment Variable Strategy',
-                description: 'Move credentials to environment variables',
-                severity: 'MEDIUM',
-                fix: 'Store credentials in environment variables (process.env)',
-                documentationLink: 'https://12factor.net/config',
-            }),
-            strategyConfig: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
-                issueName: 'Configuration File Strategy',
-                description: 'Store credentials in encrypted configuration files',
-                severity: 'MEDIUM',
-                fix: 'Use encrypted configuration files with proper access controls',
-                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Configuration_Management_Cheat_Sheet.html',
-            }),
-            strategyVault: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Secret Vault Strategy',
-                cwe: 'CWE-798',
-                description: 'Use dedicated secret management system',
-                severity: 'HIGH',
-                fix: 'Implement HashiCorp Vault, AWS Secrets Manager, or similar secret vault',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
-            }),
-            strategyAuto: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
-                issueName: 'Context-Aware Strategy',
-                description: 'Apply context-aware credential management',
-                severity: 'MEDIUM',
-                fix: 'Choose strategy based on deployment environment and security requirements',
-                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Secrets_Management_Cheat_Sheet.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Regex patterns to ignore',
-                    },
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow credentials in test files',
-                    },
-                    minLength: {
-                        type: 'number',
-                        default: 8,
-                        description: 'Minimum length for credential detection',
-                    },
-                    detectApiKeys: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Detect API keys',
-                    },
-                    detectPasswords: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Detect passwords',
-                    },
-                    detectTokens: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Detect tokens',
-                    },
-                    detectDatabaseStrings: {
-                        type: 'boolean',
-                        default: true,
-                        description: 'Detect database connection strings',
-                    },
-                    customPatterns: {
-                        type: 'array',
-                        items: {
-                            type: 'object',
-                            properties: {
-                                type: {
-                                    type: 'string',
-                                    description: 'The type of credential (e.g., "API key", "token")',
-                                },
-                                pattern: {
-                                    type: 'string',
-                                    description: 'Regex pattern to match',
-                                },
-                            },
-                            required: ['type', 'pattern'],
-                            additionalProperties: false,
-                        },
-                        default: [],
-                        description: 'Custom credential patterns to detect',
-                    },
-                    strategy: {
-                        type: 'string',
-                        enum: ['env', 'config', 'vault', 'auto'],
-                        default: 'auto',
-                        description: 'Strategy for fixing hardcoded credentials (auto = smart detection)'
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignorePatterns: [],
-            allowInTests: false,
-            minLength: 8,
-            detectApiKeys: true,
-            detectPasswords: true,
-            detectTokens: true,
-            detectDatabaseStrings: true,
-            customPatterns: [],
-            strategy: 'auto',
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { ignorePatterns = [], allowInTests = false, minLength = 8, detectApiKeys = true, detectPasswords = true, detectTokens = true, detectDatabaseStrings = true, customPatterns = [], } = options || {};
-        const filename = context.filename || context.getFilename();
-        const isTestFile = allowInTests && (filename.includes('.test.') ||
-            filename.includes('.spec.') ||
-            filename.includes('__tests__') ||
-            filename.includes('/test/'));
-        // Compile ignore patterns to regex
-        const compiledIgnorePatterns = ignorePatterns.map((pattern) => new RegExp(pattern));
-        const detectionOptions = {
-            minLength,
-            detectApiKeys,
-            detectPasswords,
-            detectTokens,
-            detectDatabaseStrings,
-            customPatterns,
-        };
-        /**
-         * Check a string literal node
-         */
-        function checkStringLiteral(node, parent) {
-            if (typeof node.value !== 'string') {
-                return;
-            }
-            const value = node.value;
-            // Skip if in test files and allowed
-            if (isTestFile) {
-                return;
-            }
-            // Check if it looks like a credential
-            const { isCredential, type } = looksLikeCredential(value, detectionOptions, compiledIgnorePatterns);
-            if (!isCredential) {
-                return;
-            }
-            // Generate environment variable name suggestion
-            let envVarName = 'API_KEY';
-            if (parent && parent.type === 'Property' && parent.key.type === 'Identifier') {
-                const keyName = parent.key.name;
-                envVarName = keyName
-                    .replace(/([a-z])([A-Z])/g, '$1_$2')
-                    .toUpperCase()
-                    .replace(/[^A-Z0-9_]/g, '_');
-            }
-            else if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
-                const varName = parent.id.name;
-                envVarName = varName
-                    .replace(/([a-z])([A-Z])/g, '$1_$2')
-                    .toUpperCase()
-                    .replace(/[^A-Z0-9_]/g, '_');
-            }
-            context.report({
-                node,
-                messageId: 'useEnvironmentVariable',
-                data: {
-                    credentialType: type,
-                    envVarName,
-                },
-                suggest: [
-                    {
-                        messageId: 'useEnvironmentVariable',
-                        data: { envVarName, credentialType: type },
-                        fix: (fixer) => {
-                            return fixer.replaceText(node, `process.env.${envVarName} || '${value}'`);
-                        },
-                    },
-                    {
-                        messageId: 'useSecretManager',
-                        data: { credentialType: type },
-                        fix: (fixer) => {
-                            return fixer.replaceText(node, `await getSecret('${envVarName.toLowerCase()}')`);
-                        },
-                    },
-                ],
-            });
-        }
-        return {
-            Literal(node) {
-                checkStringLiteral(node, node.parent);
-            },
-            TemplateLiteral(node) {
-                // Check template literal parts for credentials
-                // Only check if there are no interpolations (static template literal)
-                if (node.expressions.length === 0) {
-                    const fullText = node.quasis.map((q) => q.value.raw).join('');
-                    const { isCredential, type } = looksLikeCredential(fullText, detectionOptions, compiledIgnorePatterns);
-                    if (isCredential && !isTestFile) {
-                        context.report({
-                            node,
-                            messageId: 'useEnvironmentVariable',
-                            data: {
-                                credentialType: type,
-                                envVarName: 'API_KEY',
-                            },
-                            suggest: [
-                                {
-                                    messageId: 'useEnvironmentVariable',
-                                    data: { envVarName: 'API_KEY', credentialType: type },
-                                    fix: (fixer) => {
-                                        return fixer.replaceText(node, `process.env.API_KEY || \`${fullText}\``);
-                                    },
-                                },
-                                {
-                                    messageId: 'useSecretManager',
-                                    data: { credentialType: type },
-                                    fix: (fixer) => {
-                                        return fixer.replaceText(node, `await getSecret('api_key')`);
-                                    },
-                                },
-                            ],
-                        });
-                    }
-                }
-                else {
-                    // For template literals with interpolations, check each quasi part
-                    for (const quasi of node.quasis) {
-                        if (quasi.value.raw) {
-                            const { isCredential, type } = looksLikeCredential(quasi.value.raw, detectionOptions, compiledIgnorePatterns);
-                            if (isCredential && !isTestFile) {
-                                // Note: Template literals with interpolations are complex to fix automatically
-                                // So we report the error without suggestions
-                                context.report({
-                                    node: quasi,
-                                    messageId: 'useEnvironmentVariable',
-                                    data: {
-                                        credentialType: type,
-                                        envVarName: 'API_KEY',
-                                    },
-                                });
-                            }
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-hardcoded-session-tokens/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Detect hardcoded session/JWT tokens
- */
-export interface Options {
-}
-export declare const noHardcodedSessionTokens: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-hardcoded-session-tokens/index.js

@@ -1,59 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect hardcoded session/JWT tokens
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noHardcodedSessionTokens = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noHardcodedSessionTokens = (0, eslint_devkit_1.createRule)({
-    name: 'no-hardcoded-session-tokens',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect hardcoded session/JWT tokens',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Hardcoded Token',
-                cwe: 'CWE-798',
-                description: 'Hardcoded session or JWT token detected - credentials at risk',
-                severity: 'CRITICAL',
-                fix: 'Use environment variables or secure credential management',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            Literal(node) {
-                if (typeof node.value !== 'string')
-                    return;
-                // Detect JWT tokens (start with eyJ and contain 2 dots)
-                if (node.value.startsWith('eyJ') && node.value.length > 50 &&
-                    (node.value.match(/\./g) || []).length >= 2) {
-                    report(node);
-                }
-                // Detect Bearer tokens
-                if (node.value.startsWith('Bearer ') && node.value.length > 20) {
-                    report(node);
-                }
-                // Detect session_id patterns
-                const parent = node.parent;
-                if (parent?.type === 'VariableDeclarator' &&
-                    parent.id.type === 'Identifier') {
-                    const varName = parent.id.name.toLowerCase();
-                    if ((varName.includes('session') || varName.includes('token')) &&
-                        node.value.length >= 16 && /^[a-zA-Z0-9]+$/.test(node.value)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-http-urls/index.d.ts

@@ -1,12 +0,0 @@
-/**
- * @fileoverview Disallow hardcoded HTTP URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/319.html
- */
-export interface Options {
-    /** List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1) */
-    allowedHosts?: string[];
-    /** List of ports allowed for HTTP (e.g., 3000, 8080 for development) */
-    allowedPorts?: number[];
-}
-export declare const noHttpUrls: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-http-urls/index.js

@@ -1,114 +0,0 @@
-"use strict";
-/**
- * @fileoverview Disallow hardcoded HTTP URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/319.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noHttpUrls = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noHttpUrls = (0, eslint_devkit_1.createRule)({
-    name: 'no-http-urls',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Disallow hardcoded HTTP URLs (require HTTPS)',
-        },
-        messages: {
-            insecureHttp: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 7.5,
-                description: 'Hardcoded HTTP URL detected: "{{url}}"',
-                severity: 'HIGH',
-                compliance: ['SOC2', 'PCI-DSS', 'HIPAA'],
-                fix: 'Use HTTPS instead: const url = "https://..."',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-            insecureHttpWithException: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.WARNING,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 5.3,
-                description: 'HTTP URL detected: "{{url}}"',
-                severity: 'MEDIUM',
-                fix: 'Use HTTPS or add to allowedHosts config',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowedHosts: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        description: 'List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1)',
-                    },
-                    allowedPorts: {
-                        type: 'array',
-                        items: { type: 'number' },
-                        description: 'List of ports allowed for HTTP (e.g., 3000, 8080 for development)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowedHosts: ['localhost', '127.0.0.1'],
-            allowedPorts: [],
-        },
-    ],
-    create(context) {
-        const [options = {}] = context.options;
-        const allowedHosts = options.allowedHosts ?? ['localhost', '127.0.0.1'];
-        const allowedPorts = options.allowedPorts ?? [];
-        function isAllowedException(url) {
-            try {
-                const parsedUrl = new URL(url);
-                // Check if host is in allowed list
-                if (allowedHosts.includes(parsedUrl.hostname)) {
-                    return true;
-                }
-                // Check if port is in allowed list
-                if (parsedUrl.port && allowedPorts.includes(parseInt(parsedUrl.port, 10))) {
-                    return true;
-                }
-                return false;
-            }
-            catch {
-                // If URL parsing fails, treat as pattern match
-                return allowedHosts.some(host => url.includes(host));
-            }
-        }
-        function checkStringValue(node, value) {
-            const httpPattern = /^http:\/\//i;
-            if (httpPattern.test(value) && !isAllowedException(value)) {
-                context.report({
-                    node,
-                    messageId: allowedHosts.length > 0 || allowedPorts.length > 0
-                        ? 'insecureHttpWithException'
-                        : 'insecureHttp',
-                    data: { url: value },
-                });
-            }
-        }
-        return {
-            Literal(node) {
-                if (typeof node.value === 'string') {
-                    checkStringValue(node, node.value);
-                }
-            },
-            TemplateElement(node) {
-                if (node.value.cooked) {
-                    checkStringValue(node, node.value.cooked);
-                }
-            },
-        };
-    },
-});

package/src/rules/no-improper-sanitization/index.d.ts

@@ -1,12 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Safe sanitization functions */
-    safeSanitizers?: string[];
-    /** Characters that should be escaped */
-    dangerousChars?: string[];
-    /** Contexts that require different encoding */
-    contexts?: string[];
-    /** Trusted sanitization libraries */
-    trustedLibraries?: string[];
-}
-export declare const noImproperSanitization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;