npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,56 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [4.0.0] - 2025-12-31
+### ⚠️ BREAKING CHANGES
+Removed 12 rules that now have dedicated, specialized plugins with enhanced functionality.
+#### Removed Rules (use dedicated plugins instead)
+| Removed Rule                             | Replacement Plugin               | Replacement Rule(s)                                 |
+| ---------------------------------------- | -------------------------------- | --------------------------------------------------- |
+| `no-sql-injection`                       | `eslint-plugin-pg`               | `pg/no-unsafe-query`                                |
+| `database-injection`                     | `eslint-plugin-pg`               | `pg/no-unsafe-query`                                |
+| `no-insecure-jwt`                        | `eslint-plugin-jwt`              | 13 dedicated JWT rules                              |
+| `no-weak-crypto`                         | `eslint-plugin-crypto`           | `crypto/no-weak-hash-algorithm`                     |
+| `no-timing-attack`                       | `eslint-plugin-crypto`           | `crypto/no-timing-unsafe-compare`                   |
+| `no-insufficient-random`                 | `eslint-plugin-crypto`           | `crypto/no-math-random-crypto`                      |
+| `no-document-cookie`                     | `eslint-plugin-browser-security` | `browser-security/no-sensitive-cookie-js`           |
+| `no-unsanitized-html`                    | `eslint-plugin-browser-security` | `browser-security/no-innerhtml`                     |
+| `no-postmessage-origin-wildcard`         | `eslint-plugin-browser-security` | `browser-security/no-postmessage-wildcard-origin`   |
+| `no-insecure-cookie-settings`            | `eslint-plugin-browser-security` | `browser-security/require-cookie-secure-attrs`      |
+| `no-insufficient-postmessage-validation` | `eslint-plugin-browser-security` | `browser-security/require-postmessage-origin-check` |
+| `no-unencrypted-local-storage`           | `eslint-plugin-browser-security` | `browser-security/no-sensitive-localstorage`        |
+| `no-credentials-in-storage-api`          | `eslint-plugin-browser-security` | `browser-security/no-sensitive-localstorage`        |
+### Migration Guide
+Install the specialized plugins for the functionality you need:
+```bash
+# For PostgreSQL/SQL security
+npm install --save-dev eslint-plugin-pg
+# For JWT security
+npm install --save-dev eslint-plugin-jwt
+# For cryptography security
+npm install --save-dev eslint-plugin-crypto
+# For browser/client-side security
+npm install --save-dev eslint-plugin-browser-security
+```
+### Why This Change?
+Specialized plugins provide:
+- **More rules**: 13 JWT rules vs 1, 24 crypto rules vs 3
+- **Better detection**: Domain-specific AST patterns
+- **Focused maintenance**: Faster updates for each security domain
 ## [3.0.2] - 2025-12-20
 ### Performance
@@ -18,7 +68,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [3.0.1] - 2025-12-20
-### Fixed
+### Fixed444
 - **detect-object-injection**: Reduced false positives by detecting validation patterns:
   - `includes()` checks in enclosing if-blocks

package/README.md CHANGED Viewed

@@ -18,7 +18,7 @@
 ## 💡 What you get
-- **Feature-based coverage:** 89 rules grouped by attack surface (injection, crypto, auth, cookies, headers, mobile security, resource limits, platform specifics).
+- **Feature-based coverage:** 75 rules grouped by attack surface (injection, crypto, auth, cookies, headers, mobile security, resource limits, platform specifics).
 - **LLM-optimized & MCP-ready:** Structured 2-line messages with CWE + OWASP + CVSS + concrete fixes so humans _and_ AI auto-fixers stay aligned.
 - **Standards aligned:** OWASP Top 10 Web + Mobile, CWE tagging, CVSS scoring in every finding for compliance mapping.
 - **Tiered presets:** `recommended`, `strict`, `owasp-top-10` for fast policy rollout.
@@ -283,7 +283,7 @@ npx eslint .
 ## 📚 Documentation
-- **[Rules Reference](./docs/RULES.md)** - Complete list of all 89 rules with configuration options
+- **[Rules Reference](./docs/RULES.md)** - Complete list of all 75 rules with configuration options
 ---

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-secure-coding",
-  "version": "2.3.3",
+  "version": "2.4.0",
   "description": "Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.",
   "type": "commonjs",
   "main": "./src/index.js",

package/src/index.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * eslint-plugin-secure-coding
+ *
+ * A comprehensive security-focused ESLint plugin with 48+ rules
+ * for detecting and preventing security vulnerabilities in JavaScript/TypeScript code.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - OWASP Top 10 coverage
+ * - Auto-fix capabilities where safe
+ * - Structured context for AI assistants
+ *
+ * @see https://github.com/ofri-peretz/eslint#readme
+ */
+import { TSESLint } from '@interlace/eslint-devkit';
+/**
+ * Collection of all security ESLint rules
+ */
+export declare const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>>;
+/**
+ * ESLint Plugin object
+ */
+export declare const plugin: TSESLint.FlatConfig.Plugin;
+export declare const configs: Record<string, TSESLint.FlatConfig.Config>;
+/**
+ * Default export for ESLint plugin
+ */
+export default plugin;
+/**
+ * Re-export all types from the types barrel
+ */
+export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, AllSecurityRulesOptions, } from './types/index';

package/src/index.js ADDED Viewed

@@ -0,0 +1,416 @@
+"use strict";
+/**
+ * eslint-plugin-secure-coding
+ *
+ * A comprehensive security-focused ESLint plugin with 48+ rules
+ * for detecting and preventing security vulnerabilities in JavaScript/TypeScript code.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - OWASP Top 10 coverage
+ * - Auto-fix capabilities where safe
+ * - Structured context for AI assistants
+ *
+ * @see https://github.com/ofri-peretz/eslint#readme
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configs = exports.plugin = exports.rules = void 0;
+// Security rules - Injection
+const detect_eval_with_expression_1 = require("./rules/detect-eval-with-expression");
+const detect_child_process_1 = require("./rules/detect-child-process");
+const no_unsafe_dynamic_require_1 = require("./rules/no-unsafe-dynamic-require");
+const no_graphql_injection_1 = require("./rules/no-graphql-injection");
+const no_xxe_injection_1 = require("./rules/no-xxe-injection");
+const no_xpath_injection_1 = require("./rules/no-xpath-injection");
+const no_ldap_injection_1 = require("./rules/no-ldap-injection");
+const no_directive_injection_1 = require("./rules/no-directive-injection");
+const no_format_string_injection_1 = require("./rules/no-format-string-injection");
+// Security rules - Path & File
+const detect_non_literal_fs_filename_1 = require("./rules/detect-non-literal-fs-filename");
+const no_zip_slip_1 = require("./rules/no-zip-slip");
+const no_toctou_vulnerability_1 = require("./rules/no-toctou-vulnerability");
+// Security rules - Regex
+const detect_non_literal_regexp_1 = require("./rules/detect-non-literal-regexp");
+const no_redos_vulnerable_regex_1 = require("./rules/no-redos-vulnerable-regex");
+const no_unsafe_regex_construction_1 = require("./rules/no-unsafe-regex-construction");
+// Security rules - Object & Prototype
+const detect_object_injection_1 = require("./rules/detect-object-injection");
+const no_unsafe_deserialization_1 = require("./rules/no-unsafe-deserialization");
+// Security rules - Credentials & Crypto
+const no_hardcoded_credentials_1 = require("./rules/no-hardcoded-credentials");
+const no_insecure_comparison_1 = require("./rules/no-insecure-comparison");
+// Security rules - Input Validation & XSS
+const no_unvalidated_user_input_1 = require("./rules/no-unvalidated-user-input");
+const no_unescaped_url_parameter_1 = require("./rules/no-unescaped-url-parameter");
+const no_improper_sanitization_1 = require("./rules/no-improper-sanitization");
+const no_improper_type_validation_1 = require("./rules/no-improper-type-validation");
+// Security rules - Authentication & Authorization
+const no_missing_authentication_1 = require("./rules/no-missing-authentication");
+const no_privilege_escalation_1 = require("./rules/no-privilege-escalation");
+const no_weak_password_recovery_1 = require("./rules/no-weak-password-recovery");
+// Security rules - Session & Cookies
+const no_missing_csrf_protection_1 = require("./rules/no-missing-csrf-protection");
+// Security rules - Network & Headers
+const no_missing_cors_check_1 = require("./rules/no-missing-cors-check");
+const no_missing_security_headers_1 = require("./rules/no-missing-security-headers");
+const no_insecure_redirects_1 = require("./rules/no-insecure-redirects");
+const no_unencrypted_transmission_1 = require("./rules/no-unencrypted-transmission");
+const no_clickjacking_1 = require("./rules/no-clickjacking");
+// Security rules - Data Exposure
+const no_exposed_sensitive_data_1 = require("./rules/no-exposed-sensitive-data");
+const no_sensitive_data_exposure_1 = require("./rules/no-sensitive-data-exposure");
+// Security rules - Buffer & Memory
+const no_buffer_overread_1 = require("./rules/no-buffer-overread");
+// Security rules - Resource & DoS
+const no_unlimited_resource_allocation_1 = require("./rules/no-unlimited-resource-allocation");
+const no_unchecked_loop_condition_1 = require("./rules/no-unchecked-loop-condition");
+// Security rules - Platform Specific
+const no_electron_security_issues_1 = require("./rules/no-electron-security-issues");
+// OWASP Mobile Top 10 2023/2024 - Mobile Security Rules (40 rules)
+// M1: Improper Credential Usage (3 rules)
+const no_credentials_in_query_params_1 = require("./rules/no-credentials-in-query-params");
+const require_secure_credential_storage_1 = require("./rules/require-secure-credential-storage");
+// M2: Inadequate Supply Chain Security (4 rules)
+const require_dependency_integrity_1 = require("./rules/require-dependency-integrity");
+const detect_suspicious_dependencies_1 = require("./rules/detect-suspicious-dependencies");
+const no_dynamic_dependency_loading_1 = require("./rules/no-dynamic-dependency-loading");
+const require_package_lock_1 = require("./rules/require-package-lock");
+// M3: Insecure Authentication/Authorization (5 rules)
+const no_client_side_auth_logic_1 = require("./rules/no-client-side-auth-logic");
+const require_backend_authorization_1 = require("./rules/require-backend-authorization");
+const no_hardcoded_session_tokens_1 = require("./rules/no-hardcoded-session-tokens");
+const detect_weak_password_validation_1 = require("./rules/detect-weak-password-validation");
+const no_password_in_url_1 = require("./rules/no-password-in-url");
+// M4: Insufficient Input/Output Validation (6 rules)
+const no_unvalidated_deeplinks_1 = require("./rules/no-unvalidated-deeplinks");
+const require_url_validation_1 = require("./rules/require-url-validation");
+const no_arbitrary_file_access_1 = require("./rules/no-arbitrary-file-access");
+const require_mime_type_validation_1 = require("./rules/require-mime-type-validation");
+const require_csp_headers_1 = require("./rules/require-csp-headers");
+// M5: Insecure Communication (7 rules)
+const no_http_urls_1 = require("./rules/no-http-urls");
+const no_disabled_certificate_validation_1 = require("./rules/no-disabled-certificate-validation");
+const require_https_only_1 = require("./rules/require-https-only");
+const no_insecure_websocket_1 = require("./rules/no-insecure-websocket");
+const detect_mixed_content_1 = require("./rules/detect-mixed-content");
+const no_allow_arbitrary_loads_1 = require("./rules/no-allow-arbitrary-loads");
+const require_network_timeout_1 = require("./rules/require-network-timeout");
+// M6: Inadequate Privacy Controls (4 rules)
+const no_pii_in_logs_1 = require("./rules/no-pii-in-logs");
+const no_tracking_without_consent_1 = require("./rules/no-tracking-without-consent");
+const require_data_minimization_1 = require("./rules/require-data-minimization");
+const no_sensitive_data_in_analytics_1 = require("./rules/no-sensitive-data-in-analytics");
+// M7: Insufficient Binary Protections (2 rules)
+const no_debug_code_in_production_1 = require("./rules/no-debug-code-in-production");
+const require_code_minification_1 = require("./rules/require-code-minification");
+// M8: Security Misconfiguration (4 rules)
+const no_verbose_error_messages_1 = require("./rules/no-verbose-error-messages");
+const no_exposed_debug_endpoints_1 = require("./rules/no-exposed-debug-endpoints");
+const require_secure_defaults_1 = require("./rules/require-secure-defaults");
+const no_permissive_cors_1 = require("./rules/no-permissive-cors");
+// M9: Insecure Data Storage (5 rules)
+const no_sensitive_data_in_cache_1 = require("./rules/no-sensitive-data-in-cache");
+const require_storage_encryption_1 = require("./rules/require-storage-encryption");
+const no_data_in_temp_storage_1 = require("./rules/no-data-in-temp-storage");
+const require_secure_deletion_1 = require("./rules/require-secure-deletion");
+/**
+ * Collection of all security ESLint rules
+ */
+exports.rules = {
+    // Flat rule names (recommended usage)
+    'detect-eval-with-expression': detect_eval_with_expression_1.detectEvalWithExpression,
+    'detect-child-process': detect_child_process_1.detectChildProcess,
+    'no-unsafe-dynamic-require': no_unsafe_dynamic_require_1.noUnsafeDynamicRequire,
+    'no-graphql-injection': no_graphql_injection_1.noGraphqlInjection,
+    'no-xxe-injection': no_xxe_injection_1.noXxeInjection,
+    'no-xpath-injection': no_xpath_injection_1.noXpathInjection,
+    'no-ldap-injection': no_ldap_injection_1.noLdapInjection,
+    'no-directive-injection': no_directive_injection_1.noDirectiveInjection,
+    'no-format-string-injection': no_format_string_injection_1.noFormatStringInjection,
+    'detect-non-literal-fs-filename': detect_non_literal_fs_filename_1.detectNonLiteralFsFilename,
+    'no-zip-slip': no_zip_slip_1.noZipSlip,
+    'no-toctou-vulnerability': no_toctou_vulnerability_1.noToctouVulnerability,
+    'detect-non-literal-regexp': detect_non_literal_regexp_1.detectNonLiteralRegexp,
+    'no-redos-vulnerable-regex': no_redos_vulnerable_regex_1.noRedosVulnerableRegex,
+    'no-unsafe-regex-construction': no_unsafe_regex_construction_1.noUnsafeRegexConstruction,
+    'detect-object-injection': detect_object_injection_1.detectObjectInjection,
+    'no-unsafe-deserialization': no_unsafe_deserialization_1.noUnsafeDeserialization,
+    'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
+    'no-insecure-comparison': no_insecure_comparison_1.noInsecureComparison,
+    'no-unvalidated-user-input': no_unvalidated_user_input_1.noUnvalidatedUserInput,
+    'no-unescaped-url-parameter': no_unescaped_url_parameter_1.noUnescapedUrlParameter,
+    'no-improper-sanitization': no_improper_sanitization_1.noImproperSanitization,
+    'no-improper-type-validation': no_improper_type_validation_1.noImproperTypeValidation,
+    'no-missing-authentication': no_missing_authentication_1.noMissingAuthentication,
+    'no-privilege-escalation': no_privilege_escalation_1.noPrivilegeEscalation,
+    'no-weak-password-recovery': no_weak_password_recovery_1.noWeakPasswordRecovery,
+    'no-missing-csrf-protection': no_missing_csrf_protection_1.noMissingCsrfProtection,
+    'no-missing-cors-check': no_missing_cors_check_1.noMissingCorsCheck,
+    'no-missing-security-headers': no_missing_security_headers_1.noMissingSecurityHeaders,
+    'no-insecure-redirects': no_insecure_redirects_1.noInsecureRedirects,
+    'no-unencrypted-transmission': no_unencrypted_transmission_1.noUnencryptedTransmission,
+    'no-clickjacking': no_clickjacking_1.noClickjacking,
+    'no-exposed-sensitive-data': no_exposed_sensitive_data_1.noExposedSensitiveData,
+    'no-sensitive-data-exposure': no_sensitive_data_exposure_1.noSensitiveDataExposure,
+    'no-buffer-overread': no_buffer_overread_1.noBufferOverread,
+    'no-unlimited-resource-allocation': no_unlimited_resource_allocation_1.noUnlimitedResourceAllocation,
+    'no-unchecked-loop-condition': no_unchecked_loop_condition_1.noUncheckedLoopCondition,
+    'no-electron-security-issues': no_electron_security_issues_1.noElectronSecurityIssues,
+    // OWASP Mobile Top 10 2023/2024 rules (40 rules)
+    // M1: Improper Credential Usage (3 rules)
+    'no-credentials-in-query-params': no_credentials_in_query_params_1.noCredentialsInQueryParams,
+    'require-secure-credential-storage': require_secure_credential_storage_1.requireSecureCredentialStorage,
+    // M2: Inadequate Supply Chain Security (4 rules)
+    'require-dependency-integrity': require_dependency_integrity_1.requireDependencyIntegrity,
+    'detect-suspicious-dependencies': detect_suspicious_dependencies_1.detectSuspiciousDependencies,
+    'no-dynamic-dependency-loading': no_dynamic_dependency_loading_1.noDynamicDependencyLoading,
+    'require-package-lock': require_package_lock_1.requirePackageLock,
+    // M3: Insecure Authentication/Authorization (5 rules)
+    'no-client-side-auth-logic': no_client_side_auth_logic_1.noClientSideAuthLogic,
+    'require-backend-authorization': require_backend_authorization_1.requireBackendAuthorization,
+    'no-hardcoded-session-tokens': no_hardcoded_session_tokens_1.noHardcodedSessionTokens,
+    'detect-weak-password-validation': detect_weak_password_validation_1.detectWeakPasswordValidation,
+    'no-password-in-url': no_password_in_url_1.noPasswordInUrl,
+    // M4: Insufficient Input/Output Validation (6 rules)
+    'no-unvalidated-deeplinks': no_unvalidated_deeplinks_1.noUnvalidatedDeeplinks,
+    'require-url-validation': require_url_validation_1.requireUrlValidation,
+    'no-arbitrary-file-access': no_arbitrary_file_access_1.noArbitraryFileAccess,
+    'require-mime-type-validation': require_mime_type_validation_1.requireMimeTypeValidation,
+    'require-csp-headers': require_csp_headers_1.requireCspHeaders,
+    // M5: Insecure Communication (7 rules)
+    'no-http-urls': no_http_urls_1.noHttpUrls,
+    'no-disabled-certificate-validation': no_disabled_certificate_validation_1.noDisabledCertificateValidation,
+    'require-https-only': require_https_only_1.requireHttpsOnly,
+    'no-insecure-websocket': no_insecure_websocket_1.noInsecureWebsocket,
+    'detect-mixed-content': detect_mixed_content_1.detectMixedContent,
+    'no-allow-arbitrary-loads': no_allow_arbitrary_loads_1.noAllowArbitraryLoads,
+    'require-network-timeout': require_network_timeout_1.requireNetworkTimeout,
+    // M6: Inadequate Privacy Controls (4 rules)
+    'no-pii-in-logs': no_pii_in_logs_1.noPiiInLogs,
+    'no-tracking-without-consent': no_tracking_without_consent_1.noTrackingWithoutConsent,
+    'require-data-minimization': require_data_minimization_1.requireDataMinimization,
+    'no-sensitive-data-in-analytics': no_sensitive_data_in_analytics_1.noSensitiveDataInAnalytics,
+    // M7: Insufficient Binary Protections (2 rules)
+    'no-debug-code-in-production': no_debug_code_in_production_1.noDebugCodeInProduction,
+    'require-code-minification': require_code_minification_1.requireCodeMinification,
+    // M8: Security Misconfiguration (4 rules)
+    'no-verbose-error-messages': no_verbose_error_messages_1.noVerboseErrorMessages,
+    'no-exposed-debug-endpoints': no_exposed_debug_endpoints_1.noExposedDebugEndpoints,
+    'require-secure-defaults': require_secure_defaults_1.requireSecureDefaults,
+    'no-permissive-cors': no_permissive_cors_1.noPermissiveCors,
+    // M9: Insecure Data Storage (5 rules)
+    'no-sensitive-data-in-cache': no_sensitive_data_in_cache_1.noSensitiveDataInCache,
+    'require-storage-encryption': require_storage_encryption_1.requireStorageEncryption,
+    'no-data-in-temp-storage': no_data_in_temp_storage_1.noDataInTempStorage,
+    'require-secure-deletion': require_secure_deletion_1.requireSecureDeletion,
+};
+/**
+ * ESLint Plugin object
+ */
+exports.plugin = {
+    meta: {
+        name: 'eslint-plugin-secure-coding',
+        version: '1.0.0',
+    },
+    rules: exports.rules,
+};
+/**
+ * Preset configurations for security rules
+ */
+const recommendedRules = {
+    // Critical - Injection vulnerabilities (OWASP A03)
+    'secure-coding/detect-eval-with-expression': 'error',
+    'secure-coding/detect-child-process': 'error',
+    'secure-coding/no-unsafe-dynamic-require': 'error',
+    'secure-coding/no-graphql-injection': 'error',
+    'secure-coding/no-xxe-injection': 'error',
+    'secure-coding/no-xpath-injection': 'error',
+    'secure-coding/no-ldap-injection': 'error',
+    'secure-coding/no-directive-injection': 'error',
+    'secure-coding/no-format-string-injection': 'error',
+    // Critical - Path traversal & file operations
+    'secure-coding/detect-non-literal-fs-filename': 'error',
+    'secure-coding/no-zip-slip': 'error',
+    'secure-coding/no-toctou-vulnerability': 'error',
+    // Critical - Deserialization
+    'secure-coding/no-unsafe-deserialization': 'error',
+    // High - Regex vulnerabilities
+    'secure-coding/detect-non-literal-regexp': 'warn',
+    'secure-coding/no-redos-vulnerable-regex': 'error',
+    'secure-coding/no-unsafe-regex-construction': 'warn',
+    // High - Prototype pollution
+    'secure-coding/detect-object-injection': 'warn',
+    // Critical - Cryptography (OWASP A02)
+    'secure-coding/no-hardcoded-credentials': 'error',
+    'secure-coding/no-insecure-comparison': 'warn',
+    // Critical - XSS vulnerabilities (OWASP A03)
+    'secure-coding/no-unvalidated-user-input': 'warn',
+    'secure-coding/no-unescaped-url-parameter': 'warn',
+    'secure-coding/no-improper-sanitization': 'error',
+    'secure-coding/no-improper-type-validation': 'warn',
+    // High - Authentication & Authorization (OWASP A01, A07)
+    'secure-coding/no-missing-authentication': 'warn',
+    'secure-coding/no-privilege-escalation': 'warn',
+    'secure-coding/no-weak-password-recovery': 'error',
+    // High - Session & Cookies
+    'secure-coding/no-missing-csrf-protection': 'warn',
+    // High - Network & Headers (OWASP A05)
+    'secure-coding/no-missing-cors-check': 'warn',
+    'secure-coding/no-missing-security-headers': 'warn',
+    'secure-coding/no-insecure-redirects': 'warn',
+    'secure-coding/no-unencrypted-transmission': 'warn',
+    'secure-coding/no-clickjacking': 'error',
+    // High - Data Exposure (OWASP A01)
+    'secure-coding/no-exposed-sensitive-data': 'error',
+    'secure-coding/no-sensitive-data-exposure': 'warn',
+    // Medium - Buffer & Memory
+    'secure-coding/no-buffer-overread': 'error',
+    // Medium - Resource & DoS
+    'secure-coding/no-unlimited-resource-allocation': 'error',
+    'secure-coding/no-unchecked-loop-condition': 'error',
+    // Medium - Platform specific
+    'secure-coding/no-electron-security-issues': 'error',
+    // Mobile & General Security (OWASP Mobile)
+    'secure-coding/no-credentials-in-query-params': 'error',
+    'secure-coding/no-http-urls': 'error',
+    'secure-coding/require-https-only': 'error',
+    'secure-coding/no-pii-in-logs': 'warn',
+    'secure-coding/no-verbose-error-messages': 'warn',
+    'secure-coding/no-hardcoded-session-tokens': 'error',
+    'secure-coding/detect-mixed-content': 'error',
+    'secure-coding/no-unvalidated-deeplinks': 'error',
+    'secure-coding/no-insecure-websocket': 'error',
+    'secure-coding/detect-suspicious-dependencies': 'warn',
+};
+exports.configs = {
+    /**
+     * Recommended security configuration
+     *
+     * Enables all security rules with sensible severity levels:
+     * - Critical injection vulnerabilities as errors
+     * - Important security issues as warnings
+     */
+    recommended: {
+        plugins: {
+            'secure-coding': exports.plugin,
+        },
+        rules: recommendedRules,
+    },
+    /**
+     * Strict security configuration
+     *
+     * All security rules set to 'error' for maximum protection
+     */
+    strict: {
+        plugins: {
+            'secure-coding': exports.plugin,
+        },
+        rules: Object.fromEntries(Object.keys(exports.rules).map(ruleName => [`secure-coding/${ruleName}`, 'error'])),
+    },
+    /**
+     * OWASP Top 10 focused configuration
+     *
+     * Rules mapped to OWASP Top 10 2021 categories
+     */
+    'owasp-top-10': {
+        plugins: {
+            'secure-coding': exports.plugin,
+        },
+        rules: {
+            // A01:2021 – Broken Access Control
+            'secure-coding/no-missing-authentication': 'error',
+            'secure-coding/no-privilege-escalation': 'error',
+            'secure-coding/no-exposed-sensitive-data': 'error',
+            'secure-coding/no-insecure-redirects': 'error',
+            // A02:2021 – Cryptographic Failures
+            'secure-coding/no-hardcoded-credentials': 'error',
+            'secure-coding/no-unencrypted-transmission': 'error',
+            'secure-coding/no-sensitive-data-exposure': 'error',
+            // A03:2021 – Injection
+            'secure-coding/detect-eval-with-expression': 'error',
+            'secure-coding/detect-child-process': 'error',
+            'secure-coding/no-graphql-injection': 'error',
+            'secure-coding/no-xxe-injection': 'error',
+            'secure-coding/no-xpath-injection': 'error',
+            'secure-coding/no-ldap-injection': 'error',
+            'secure-coding/no-unescaped-url-parameter': 'error',
+            // A04:2021 – Insecure Design
+            'secure-coding/no-weak-password-recovery': 'error',
+            'secure-coding/no-improper-type-validation': 'error',
+            // A05:2021 – Security Misconfiguration
+            'secure-coding/no-missing-security-headers': 'error',
+            'secure-coding/no-missing-cors-check': 'error',
+            'secure-coding/no-clickjacking': 'error',
+            'secure-coding/no-electron-security-issues': 'error',
+            // A07:2021 – Identification and Authentication Failures
+            'secure-coding/no-insecure-comparison': 'error',
+            'secure-coding/no-missing-csrf-protection': 'error',
+            // A08:2021 – Software and Data Integrity Failures
+            'secure-coding/no-unsafe-deserialization': 'error',
+            'secure-coding/no-unsafe-dynamic-require': 'error',
+        },
+    },
+    /**
+     * OWASP Mobile Top 10 focused configuration
+     *
+     * Rules mapped to OWASP Mobile Top 10 2024 categories
+     */
+    'owasp-mobile-top-10': {
+        plugins: {
+            'secure-coding': exports.plugin,
+        },
+        rules: {
+            // M1: Improper Credential Usage
+            'secure-coding/no-credentials-in-query-params': 'error',
+            'secure-coding/require-secure-credential-storage': 'error',
+            'secure-coding/no-hardcoded-credentials': 'error',
+            // M2: Inadequate Supply Chain Security
+            'secure-coding/require-dependency-integrity': 'error',
+            'secure-coding/detect-suspicious-dependencies': 'error',
+            'secure-coding/no-dynamic-dependency-loading': 'error',
+            'secure-coding/require-package-lock': 'error',
+            // M3: Insecure Authentication/Authorization
+            'secure-coding/no-client-side-auth-logic': 'error',
+            'secure-coding/require-backend-authorization': 'error',
+            'secure-coding/no-hardcoded-session-tokens': 'error',
+            'secure-coding/detect-weak-password-validation': 'error',
+            'secure-coding/no-password-in-url': 'error',
+            // M4: Insufficient Input/Output Validation
+            'secure-coding/no-unvalidated-deeplinks': 'error',
+            'secure-coding/require-url-validation': 'error',
+            'secure-coding/no-arbitrary-file-access': 'error',
+            'secure-coding/require-mime-type-validation': 'error',
+            'secure-coding/require-csp-headers': 'error',
+            // M5: Insecure Communication
+            'secure-coding/no-http-urls': 'error',
+            'secure-coding/no-disabled-certificate-validation': 'error',
+            'secure-coding/require-https-only': 'error',
+            'secure-coding/no-insecure-websocket': 'error',
+            'secure-coding/detect-mixed-content': 'error',
+            'secure-coding/no-allow-arbitrary-loads': 'error',
+            'secure-coding/require-network-timeout': 'error',
+            // M6: Inadequate Privacy Controls
+            'secure-coding/no-pii-in-logs': 'error',
+            'secure-coding/no-tracking-without-consent': 'error',
+            'secure-coding/require-data-minimization': 'error',
+            'secure-coding/no-sensitive-data-in-analytics': 'error',
+            // M7: Insufficient Binary Protections
+            'secure-coding/no-debug-code-in-production': 'error',
+            'secure-coding/require-code-minification': 'error',
+            // M8: Security Misconfiguration
+            'secure-coding/no-verbose-error-messages': 'error',
+            'secure-coding/no-exposed-debug-endpoints': 'error',
+            'secure-coding/require-secure-defaults': 'error',
+            'secure-coding/no-permissive-cors': 'error',
+            // M9: Insecure Data Storage
+            'secure-coding/no-sensitive-data-in-cache': 'error',
+            'secure-coding/require-storage-encryption': 'error',
+            'secure-coding/no-data-in-temp-storage': 'error',
+            'secure-coding/require-secure-deletion': 'error',
+        },
+    },
+};
+/**
+ * Default export for ESLint plugin
+ */
+exports.default = exports.plugin;

package/src/rules/detect-child-process/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Allow exec() with literal strings. Default: false (stricter) */
+    allowLiteralStrings?: boolean;
+    /** Allow spawn() with literal arguments. Default: false (stricter) */
+    allowLiteralSpawn?: boolean;
+    /** Additional child_process methods to check */
+    additionalMethods?: string[];
+    /** Strategy for fixing command injection: 'validate', 'sanitize', 'restrict', or 'auto' */
+    strategy?: 'validate' | 'sanitize' | 'restrict' | 'auto';
+}
+export declare const detectChildProcess: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;