npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-debug-code-in-production/index.js ADDED Viewed

@@ -0,0 +1,51 @@
+"use strict";
+/**
+ * @fileoverview Detect debug code in production
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/489.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDebugCodeInProduction = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noDebugCodeInProduction = (0, eslint_devkit_1.createRule)({
+    name: 'no-debug-code-in-production',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detect debug code in production',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M7'],
+            cweIds: ["CWE-489"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-489',
+                description: 'Detect debug code in production detected - DEBUG, __DEV__, console',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        return {
+            Identifier(node) {
+                if (['DEBUG', '__DEV__'].includes(node.name)) {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+            CallExpression(node) {
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.name === 'console' &&
+                    node.callee.property.name === 'log') {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+        };
+    },
+});

package/src/rules/no-directive-injection/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Trusted directive/component names */
+    trustedDirectives?: string[];
+    /** Variables that contain user input */
+    userInputVariables?: string[];
+    /** Frameworks to check for */
+    frameworks?: string[];
+    /** Allow dynamic directives in specific contexts */
+    allowDynamicInComponents?: boolean;
+}
+export declare const noDirectiveInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-directive-injection/index.js ADDED Viewed

@@ -0,0 +1,457 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDirectiveInjection = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noDirectiveInjection = (0, eslint_devkit_1.createRule)({
+    name: 'no-directive-injection',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects directive injection vulnerabilities in templates',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            directiveInjection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Directive Injection',
+                cwe: 'CWE-96',
+                description: 'User input injected into directive or template',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            unsafeDirectiveName: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Directive Name',
+                cwe: 'CWE-96',
+                description: 'Directive name controlled by user input',
+                severity: 'CRITICAL',
+                fix: 'Use hardcoded directive names or validate against whitelist',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            dynamicDirectiveCreation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dynamic Directive Creation',
+                cwe: 'CWE-96',
+                description: 'Dynamic creation of directives from user input',
+                severity: 'HIGH',
+                fix: 'Validate directive names against trusted list',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            templateInjection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Template Injection',
+                cwe: 'CWE-96',
+                description: 'User input injected into template content',
+                severity: 'HIGH',
+                fix: 'Sanitize template input or use safe rendering',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            unsafeComponentBinding: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Component Binding',
+                cwe: 'CWE-96',
+                description: 'Dynamic component binding with user input',
+                severity: 'HIGH',
+                fix: 'Use component whitelist or validate component names',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            userControlledTemplate: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'User Controlled Template',
+                cwe: 'CWE-96',
+                description: 'Template content controlled by user input',
+                severity: 'CRITICAL',
+                fix: 'Sanitize template input before compilation',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            dangerousInnerHTML: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous innerHTML',
+                cwe: 'CWE-96',
+                description: 'innerHTML set with user-controlled content',
+                severity: 'HIGH',
+                fix: 'Use textContent or sanitize HTML content',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML',
+            }),
+            untrustedDirectiveSource: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Untrusted Directive Source',
+                cwe: 'CWE-96',
+                description: 'Directive loaded from untrusted source',
+                severity: 'MEDIUM',
+                fix: 'Load directives from trusted, verified sources',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            useTrustedDirectives: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Trusted Directives',
+                description: 'Use only trusted, verified directives',
+                severity: 'LOW',
+                fix: 'Maintain whitelist of allowed directives',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            sanitizeTemplateInput: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Sanitize Template Input',
+                description: 'Sanitize user input before template processing',
+                severity: 'LOW',
+                fix: 'Use DOMPurify or equivalent sanitization',
+                documentationLink: 'https://github.com/cure53/DOMPurify',
+            }),
+            validateDirectiveNames: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Directive Names',
+                description: 'Validate directive names against whitelist',
+                severity: 'LOW',
+                fix: 'Check directive names before dynamic creation',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/96.html',
+            }),
+            strategyTemplateSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Template Sanitization Strategy',
+                description: 'Implement template input sanitization',
+                severity: 'LOW',
+                fix: 'Sanitize all user input before template processing',
+                documentationLink: 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet',
+            }),
+            strategyContentSecurity: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Content Security Strategy',
+                description: 'Use CSP to restrict directive execution',
+                severity: 'LOW',
+                fix: 'Implement strict CSP with script-src restrictions',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
+            }),
+            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Input Validation Strategy',
+                description: 'Validate all template inputs',
+                severity: 'LOW',
+                fix: 'Use schema validation for template inputs',
+                documentationLink: 'https://joi.dev/',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    trustedDirectives: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['ngIf', 'ngFor', 'ngClass', 'v-if', 'v-for', 'v-bind', 'v-on'],
+                    },
+                    userInputVariables: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
+                    },
+                    frameworks: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['angular', 'vue', 'react', 'svelte'],
+                    },
+                    allowDynamicInComponents: {
+                        type: 'boolean',
+                        default: false,
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as template sanitizers',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            trustedDirectives: ['ngIf', 'ngFor', 'ngClass', 'v-if', 'v-for', 'v-bind', 'v-on'],
+            userInputVariables: ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'],
+            frameworks: ['angular', 'vue', 'react', 'svelte'],
+            allowDynamicInComponents: false,
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { userInputVariables = ['req', 'request', 'body', 'query', 'params', 'input', 'data', 'userInput'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if a variable contains user input
+         */
+        const isUserInput = (varName) => {
+            return userInputVariables.some(input => varName.includes(input)) ||
+                varName.startsWith('user');
+        };
+        return {
+            // Check JSX attributes for directive injection
+            JSXAttribute(node) {
+                const attrName = node.name;
+                const attrValue = node.value;
+                // Check for dangerouslySetInnerHTML
+                if (attrName.type === 'JSXIdentifier' && attrName.name === 'dangerouslySetInnerHTML') {
+                    if (attrValue && attrValue.type === 'JSXExpressionContainer') {
+                        const expression = attrValue.expression;
+                        // Check if the expression contains user input
+                        const expressionText = sourceCode.getText(expression);
+                        if (userInputVariables.some(input => expressionText.includes(input))) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: attrValue,
+                                messageId: 'dangerousInnerHTML',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for dynamic directive names (Angular/Vue style)
+                // Check for dynamic directive names (Angular/Vue style)
+                const isNamespaceDirective = ((attrName.type === 'JSXNamespacedName' && (attrName.namespace.name === 'v' || attrName.namespace.name === 'ng')) ||
+                    (attrName.type === 'JSXIdentifier' && (attrName.name.startsWith('ng:') || attrName.name.startsWith('v:'))));
+                if (isNamespaceDirective && attrValue) {
+                    if (attrValue.type === 'JSXExpressionContainer') {
+                        const expression = attrValue.expression;
+                        // Check if directive value comes from user input
+                        if (expression.type === 'Identifier' && isUserInput(expression.name)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: attrValue,
+                                messageId: 'directiveInjection',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                    severity: 'HIGH',
+                                    safeAlternative: 'Use hardcoded directive values or validate user input',
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for dynamic component binding (React/Angular)
+                if (attrName.type === 'JSXIdentifier') {
+                    const attrNameStr = attrName.name;
+                    // Check for is="" (dynamic component in Vue/Angular)
+                    if (attrNameStr === 'is' && attrValue) {
+                        if (attrValue.type === 'JSXExpressionContainer') {
+                            const expression = attrValue.expression;
+                            if (expression.type === 'Identifier' && isUserInput(expression.name)) {
+                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                /* c8 ignore stop */
+                                context.report({
+                                    node: attrValue,
+                                    messageId: 'unsafeComponentBinding',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            },
+            // Check for innerHTML assignments
+            AssignmentExpression(node) {
+                const left = node.left;
+                const right = node.right;
+                // Check for element.innerHTML = userInput
+                if (left.type === 'MemberExpression' &&
+                    left.property.type === 'Identifier' &&
+                    left.property.name === 'innerHTML') {
+                    // Check if right side contains user input
+                    const rightText = sourceCode.getText(right);
+                    if (userInputVariables.some(input => rightText.includes(input))) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node: right,
+                            messageId: 'dangerousInnerHTML',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check for template compilation with user input
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for template compilation functions
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier') {
+                    const methodName = callee.property.name;
+                    const objectName = callee.object.type === 'Identifier' ? callee.object.name : '';
+                    // Template compilation functions
+                    if (['compile', 'template', '$compile', '$interpolate'].includes(methodName) ||
+                        (objectName === 'Handlebars' && methodName === 'compile') ||
+                        (objectName === '_' && methodName === 'template') ||
+                        (objectName === 'ejs' && methodName === 'render') ||
+                        (objectName === 'pug' && methodName === 'render') ||
+                        (objectName === 'mustache' && methodName === 'render')) {
+                        const args = node.arguments;
+                        if (args.length > 0) {
+                            const templateArg = args[0];
+                            // Check if template comes from user input
+                            if (templateArg.type === 'Identifier' && isUserInput(templateArg.name)) {
+                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                /* c8 ignore stop */
+                                context.report({
+                                    node: templateArg,
+                                    messageId: 'userControlledTemplate',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                    // Check for Vue.js v-html directive
+                    if (objectName === 'Vue' && methodName === 'directive') {
+                        const args = node.arguments;
+                        if (args.length >= 2) {
+                            const directiveName = args[0];
+                            if (directiveName.type === 'Identifier' && isUserInput(directiveName.name)) {
+                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                /* c8 ignore stop */
+                                context.report({
+                                    node: directiveName,
+                                    messageId: 'unsafeDirectiveName',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+                // Check for Angular directive creation
+                if (callee.type === 'Identifier' && callee.name === 'directive') {
+                    const args = node.arguments;
+                    if (args.length >= 2) {
+                        const directiveName = args[0];
+                        if (directiveName.type === 'Identifier' && isUserInput(directiveName.name)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: directiveName,
+                                messageId: 'dynamicDirectiveCreation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check template literals for injection
+            TemplateLiteral(node) {
+                // Check if template literal is used dangerously
+                let current = node;
+                let isInDangerousContext = false;
+                while (current && !isInDangerousContext) {
+                    if (current.type === 'JSXExpressionContainer') {
+                        // Check if we are inside dangerouslySetInnerHTML attribute
+                        if (current.parent?.type === 'JSXAttribute' &&
+                            current.parent.name.type === 'JSXIdentifier' &&
+                            current.parent.name.name === 'dangerouslySetInnerHTML') {
+                            isInDangerousContext = true;
+                            break;
+                        }
+                    }
+                    else if (current.type === 'AssignmentExpression') {
+                        // Check for innerHTML assignment
+                        const left = current.left;
+                        if (left.type === 'MemberExpression' &&
+                            left.property.type === 'Identifier' &&
+                            left.property.name === 'innerHTML') {
+                            isInDangerousContext = true;
+                            break;
+                        }
+                    }
+                    current = current.parent;
+                }
+                if (isInDangerousContext) {
+                    // Check if template contains user input
+                    const hasUserInput = node.expressions.some((expr) => (expr.type === 'Identifier' && isUserInput(expr.name)) ||
+                        (expr.type === 'MemberExpression' &&
+                            expr.object.type === 'Identifier' &&
+                            isUserInput(expr.object.name)));
+                    if (hasUserInput) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'templateInjection',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                                severity: 'HIGH',
+                                safeAlternative: 'Sanitize template input before insertion',
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-disabled-certificate-validation/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Prevent disabled SSL/TLS certificate validation
+ */
+export interface Options {
+}
+export declare const noDisabledCertificateValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-disabled-certificate-validation/index.js ADDED Viewed

@@ -0,0 +1,61 @@
+"use strict";
+/**
+ * @fileoverview Prevent disabled SSL/TLS certificate validation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDisabledCertificateValidation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noDisabledCertificateValidation = (0, eslint_devkit_1.createRule)({
+    name: 'no-disabled-certificate-validation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent disabled SSL/TLS certificate validation',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Disabled Certificate Validation',
+                cwe: 'CWE-295',
+                description: 'SSL/TLS certificate validation is disabled - man-in-the-middle attack possible',
+                severity: 'CRITICAL',
+                fix: 'Remove rejectUnauthorized: false or verify: false, fix certificate issues properly',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const dangerousProperties = ['rejectUnauthorized', 'strictSSL', 'verify'];
+        return {
+            Property(node) {
+                // Check for dangerous SSL options set to false
+                if (node.key.type === 'Identifier' &&
+                    dangerousProperties.includes(node.key.name) &&
+                    node.value.type === 'Literal' &&
+                    node.value.value === false) {
+                    report(node);
+                }
+            },
+            AssignmentExpression(node) {
+                // Check for NODE_TLS_REJECT_UNAUTHORIZED = '0'
+                if (node.left.type === 'MemberExpression' &&
+                    node.left.object.type === 'MemberExpression' &&
+                    node.left.object.object.type === 'Identifier' &&
+                    node.left.object.object.name === 'process' &&
+                    node.left.object.property.type === 'Identifier' &&
+                    node.left.object.property.name === 'env' &&
+                    node.left.property.type === 'Identifier' &&
+                    node.left.property.name === 'NODE_TLS_REJECT_UNAUTHORIZED') {
+                    if (node.right.type === 'Literal' && node.right.value === '0') {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-dynamic-dependency-loading/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent dynamic dependency injection
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/494.html
+ */
+export interface Options {
+}
+export declare const noDynamicDependencyLoading: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-dynamic-dependency-loading/index.js ADDED Viewed

@@ -0,0 +1,51 @@
+"use strict";
+/**
+ * @fileoverview Prevent dynamic dependency injection
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/494.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDynamicDependencyLoading = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noDynamicDependencyLoading = (0, eslint_devkit_1.createRule)({
+    name: 'no-dynamic-dependency-loading',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent runtime dependency injection with dynamic paths',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M2'],
+            cweIds: ['CWE-494'],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-1104',
+                description: 'Dynamic import/require detected - use static imports for security',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/1104.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        return {
+            CallExpression(node) {
+                // Dynamic require
+                if (node.callee.name === 'require' && node.arguments[0]?.type !== 'Literal') {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+            ImportExpression(node) {
+                // Dynamic import()
+                if (node.source.type !== 'Literal') {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+        };
+    },
+});

package/src/rules/no-electron-security-issues/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Allow insecure settings in development */
+    allowInDev?: boolean;
+    /** Safe preload script patterns */
+    safePreloadPatterns?: string[];
+    /** Allowed IPC channels */
+    allowedIpcChannels?: string[];
+}
+export declare const noElectronSecurityIssues: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;