eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-insecure-cookie-settings/index.d.ts

@@ -1,9 +0,0 @@
-export interface Options {
-    /** Allow insecure cookies in test files. Default: false */
-    allowInTests?: boolean;
-    /** Cookie library patterns to recognize. Default: ['cookie', 'js-cookie', 'universal-cookie'] */
-    cookieLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-export declare const noInsecureCookieSettings: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-insecure-cookie-settings/index.js

@@ -1,306 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureCookieSettings = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-/**
- * Check if a node is inside a cookie configuration
- */
-function isInsideCookieConfig(node, sourceCode) {
-    let current = node;
-    // Traverse up the parent chain
-    while (current && 'parent' in current && current.parent) {
-        current = current.parent;
-        // Check for cookie-related method calls
-        if (current.type === 'CallExpression') {
-            const callExpr = current;
-            // Check for res.cookie() calls
-            if (callExpr.callee.type === 'MemberExpression') {
-                const memberExpr = callExpr.callee;
-                if (memberExpr.property.type === 'Identifier' && memberExpr.property.name === 'cookie') {
-                    // Check if the node is an argument of this call
-                    if (callExpr.arguments.some((arg) => arg === node || (arg.type === 'ObjectExpression' && sourceCode.getText(arg).includes(sourceCode.getText(node))))) {
-                        return true;
-                    }
-                }
-            }
-            // Check for other cookie-related calls using text matching
-            const callText = sourceCode.getText(current);
-            if (/\b(cookie|cookies|setCookie|res\.cookie|document\.cookie)\b/i.test(callText)) {
-                const callee = callExpr.callee;
-                // Specific check for cookies.set / cookie.set
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier' &&
-                    callee.property.name === 'set') {
-                    return true;
-                }
-                // Check if node is part of this call
-                const nodeText = sourceCode.getText(node);
-                if (callText.includes(nodeText)) {
-                    return true;
-                }
-            }
-        }
-    }
-    return false;
-}
-/**
- * Check if an object expression has secure cookie settings
- */
-function hasSecureCookieSettings(node, sourceCode) {
-    const text = sourceCode.getText(node);
-    // Check for httpOnly flag (case-insensitive)
-    const hasHttpOnly = /\bhttpOnly\s*:\s*(true|'true'|"true")/i.test(text);
-    // Check for secure flag (case-insensitive)
-    const hasSecure = /\bsecure\s*:\s*(true|'true'|"true")/i.test(text);
-    // Check for sameSite flag (should be 'strict', 'lax', or 'none')
-    const hasSameSite = /\bsameSite\s*:\s*['"](strict|lax|none)['"]/i.test(text);
-    return { hasHttpOnly, hasSecure, hasSameSite };
-}
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text, ignorePatterns) {
-    return ignorePatterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            return false;
-        }
-    });
-}
-exports.noInsecureCookieSettings = (0, eslint_devkit_1.createRule)({
-    name: 'no-insecure-cookie-settings',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-express-security/no-insecure-cookie-options'],
-        docs: {
-            description: 'Detects insecure cookie configurations (missing httpOnly, secure, sameSite flags)',
-        },
-        hasSuggestions: true,
-        messages: {
-            insecureCookieSettings: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure Cookie Configuration',
-                cwe: 'CWE-614',
-                description: 'Insecure cookie settings detected: {{issue}}',
-                severity: 'HIGH',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/614.html',
-            }),
-            addSecureFlags: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Add Secure Flags',
-                description: 'Set secure cookie flags',
-                severity: 'LOW',
-                fix: '{ httpOnly: true, secure: true, sameSite: "strict" }',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow insecure cookies in test files',
-                    },
-                    cookieLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Cookie library patterns to recognize',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            cookieLibraries: [],
-            ignorePatterns: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, ignorePatterns = [], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        function checkObjectExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check if this ObjectExpression is the third argument of a cookie call
-            // First, check if parent is directly a CallExpression
-            if (node.parent && node.parent.type === 'CallExpression') {
-                const parentCall = node.parent;
-                const callee = parentCall.callee;
-                // Check if it's a cookie call
-                if (callee.type === 'MemberExpression' &&
-                    callee.property.type === 'Identifier' &&
-                    callee.property.name === 'cookie') {
-                    // Check if this node is the third argument (index 2)
-                    // Use both reference check and range check for reliability
-                    const thirdArg = parentCall.arguments.length >= 3 ? parentCall.arguments[2] : null;
-                    const isThirdArg = thirdArg && (thirdArg === node ||
-                        (thirdArg.type === 'ObjectExpression' &&
-                            thirdArg.range[0] === node.range[0] &&
-                            thirdArg.range[1] === node.range[1]));
-                    if (isThirdArg) {
-                        // Check if the parent call is ignored
-                        const callText = sourceCode.getText(parentCall);
-                        if (matchesIgnorePattern(callText, ignorePatterns)) {
-                            return;
-                        }
-                    }
-                }
-            }
-            // If not handled above, check if it's inside a cookie config using helper
-            if (!isInsideCookieConfig(node, sourceCode)) {
-                return;
-            }
-            // If it's inside a cookie config, check it
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            const { hasHttpOnly, hasSecure, hasSameSite } = hasSecureCookieSettings(node, sourceCode);
-            const issues = [];
-            if (!hasHttpOnly) {
-                issues.push('missing httpOnly flag');
-            }
-            if (!hasSecure) {
-                issues.push('missing secure flag');
-            }
-            if (!hasSameSite) {
-                issues.push('missing sameSite flag');
-            }
-            if (issues.length > 0) {
-                const issueDescription = issues.join(', ');
-                const safeAlternative = 'Set httpOnly: true, secure: true, sameSite: "strict"';
-                context.report({
-                    node,
-                    messageId: 'insecureCookieSettings',
-                    data: {
-                        issue: issueDescription,
-                        safeAlternative,
-                    },
-                    suggest: [
-                        {
-                            messageId: 'addSecureFlags',
-                            fix(fixer) {
-                                // Find the last property in the object
-                                const properties = node.properties;
-                                if (properties.length === 0) {
-                                    // Empty object - add all flags
-                                    return fixer.replaceText(node, '{ httpOnly: true, secure: true, sameSite: "strict" }');
-                                }
-                                const lastProperty = properties[properties.length - 1];
-                                const lastPropertyText = sourceCode.getText(lastProperty);
-                                const needsComma = !lastPropertyText.trim().endsWith(',');
-                                const insertPosition = lastProperty.range[1];
-                                const missingFlags = [];
-                                if (!hasHttpOnly)
-                                    missingFlags.push('httpOnly: true');
-                                if (!hasSecure)
-                                    missingFlags.push('secure: true');
-                                if (!hasSameSite)
-                                    missingFlags.push('sameSite: "strict"');
-                                const prefix = needsComma ? ',' : '';
-                                const insertion = prefix + '\n  ' + missingFlags.join(',\n  ');
-                                return fixer.insertTextAfterRange([insertPosition, insertPosition], insertion);
-                            },
-                        },
-                    ],
-                });
-            }
-        }
-        function checkCallExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            const callee = node.callee;
-            const callText = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(callText, ignorePatterns)) {
-                return;
-            }
-            // Check for res.cookie() calls or cookies.set() calls
-            const isResCookie = callee.type === 'MemberExpression' &&
-                callee.property.type === 'Identifier' &&
-                callee.property.name === 'cookie';
-            const isUniversalCookie = callee.type === 'MemberExpression' &&
-                callee.property.type === 'Identifier' &&
-                callee.property.name === 'set' &&
-                callee.object.type === 'Identifier' &&
-                (callee.object.name === 'cookies' || callee.object.name === 'cookie');
-            if (isResCookie || isUniversalCookie) {
-                // Check if third argument (options) is provided
-                if (node.arguments.length < 3) {
-                    context.report({
-                        node,
-                        messageId: 'insecureCookieSettings',
-                        data: {
-                            issue: 'missing cookie options with httpOnly, secure, and sameSite flags',
-                            safeAlternative: 'Add options object: res.cookie(name, value, { httpOnly: true, secure: true, sameSite: "strict" })',
-                        },
-                        suggest: [
-                            {
-                                messageId: 'addSecureFlags',
-                                fix(fixer) {
-                                    // Add options as third argument
-                                    const lastArg = node.arguments[node.arguments.length - 1];
-                                    const insertPosition = lastArg.range[1];
-                                    return fixer.insertTextAfterRange([insertPosition, insertPosition], `, { httpOnly: true, secure: true, sameSite: "strict" }`);
-                                },
-                            },
-                        ],
-                    });
-                    return;
-                }
-            }
-        }
-        function checkAssignmentExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check for document.cookie assignments
-            if (node.left.type === 'MemberExpression' &&
-                node.left.object.type === 'Identifier' &&
-                node.left.object.name === 'document' &&
-                node.left.property.type === 'Identifier' &&
-                node.left.property.name === 'cookie') {
-                const text = sourceCode.getText(node);
-                // Check if it matches any ignore pattern
-                if (matchesIgnorePattern(text, ignorePatterns)) {
-                    return;
-                }
-                context.report({
-                    node,
-                    messageId: 'insecureCookieSettings',
-                    data: {
-                        issue: 'using document.cookie directly (cannot set httpOnly flag)',
-                        safeAlternative: 'Use server-side cookie setting with httpOnly: true, secure: true, sameSite: "strict"',
-                    },
-                });
-            }
-        }
-        return {
-            ObjectExpression: checkObjectExpression,
-            CallExpression: checkCallExpression,
-            AssignmentExpression: checkAssignmentExpression,
-        };
-    },
-});

package/src/rules/no-insecure-jwt/index.d.ts

@@ -1,10 +0,0 @@
-import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
-export interface Options extends SecurityRuleOptions {
-    /** Allow specific insecure algorithms for legacy compatibility. Default: [] (strict) */
-    allowedInsecureAlgorithms?: string[];
-    /** Minimum key length for HMAC secrets. Default: 32 (256 bits) */
-    minSecretLength?: number;
-    /** JWT libraries to consider safe. Default: jsonwebtoken, jose, jwt */
-    trustedJwtLibraries?: string[];
-}
-export declare const noInsecureJwt: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;