npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-electron-security-issues/index.js ADDED Viewed

@@ -0,0 +1,423 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noElectronSecurityIssues = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noElectronSecurityIssues = (0, eslint_devkit_1.createRule)({
+    name: 'no-electron-security-issues',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects Electron security vulnerabilities and insecure configurations',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            electronSecurityIssue: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Electron Security Issue',
+                cwe: 'CWE-16',
+                description: 'Electron security vulnerability detected',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security',
+            }),
+            nodeIntegrationEnabled: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Node Integration Enabled',
+                cwe: 'CWE-16',
+                description: 'nodeIntegration enabled allows Node.js access in renderer',
+                severity: 'CRITICAL',
+                fix: 'Set nodeIntegration: false and use secure preload scripts',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content',
+            }),
+            contextIsolationDisabled: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Context Isolation Disabled',
+                cwe: 'CWE-16',
+                description: 'contextIsolation disabled removes security boundary',
+                severity: 'CRITICAL',
+                fix: 'Enable contextIsolation and use preload scripts',
+                documentationLink: 'https://electronjs.org/docs/tutorial/context-isolation',
+            }),
+            webSecurityDisabled: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Web Security Disabled',
+                cwe: 'CWE-16',
+                description: 'webSecurity disabled removes CORS and security protections',
+                severity: 'HIGH',
+                fix: 'Keep webSecurity enabled',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#6-define-a-content-security-policy',
+            }),
+            insecureContentEnabled: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insecure Content Enabled',
+                cwe: 'CWE-16',
+                description: 'allowRunningInsecureContent allows mixed content',
+                severity: 'MEDIUM',
+                fix: 'Set allowRunningInsecureContent: false',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity',
+            }),
+            unsafePreloadScript: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Preload Script',
+                cwe: 'CWE-16',
+                description: 'Preload script may expose sensitive APIs',
+                severity: 'HIGH',
+                fix: 'Use minimal, secure preload scripts',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
+            }),
+            directNodeAccess: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Direct Node Access',
+                cwe: 'CWE-16',
+                description: 'Direct access to Node.js APIs in renderer process',
+                severity: 'HIGH',
+                fix: 'Access Node.js APIs only through secure IPC channels',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
+            }),
+            insecureIpcPattern: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insecure IPC Pattern',
+                cwe: 'CWE-16',
+                description: 'IPC communication lacks proper validation',
+                severity: 'MEDIUM',
+                fix: 'Validate IPC messages and restrict channels',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#7-do-not-use-the-ipc-transport-for-sensitive-data',
+            }),
+            missingSandbox: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Sandbox',
+                cwe: 'CWE-16',
+                description: 'BrowserWindow not sandboxed',
+                severity: 'MEDIUM',
+                fix: 'Enable sandbox for untrusted content',
+                documentationLink: 'https://electronjs.org/docs/tutorial/sandbox',
+            }),
+            enableSecurityFeatures: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Enable Security Features',
+                description: 'Enable Electron security features',
+                severity: 'LOW',
+                fix: 'Set contextIsolation: true, nodeIntegration: false',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security',
+            }),
+            useContextIsolation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Context Isolation',
+                description: 'Use context isolation for security',
+                severity: 'LOW',
+                fix: 'Enable contextIsolation in BrowserWindow options',
+                documentationLink: 'https://electronjs.org/docs/tutorial/context-isolation',
+            }),
+            securePreloadScripts: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Secure Preload Scripts',
+                description: 'Use secure preload scripts',
+                severity: 'LOW',
+                fix: 'Limit APIs exposed in preload scripts',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content',
+            }),
+            strategySecureDefaults: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Secure Defaults Strategy',
+                description: 'Use secure defaults for Electron applications',
+                severity: 'LOW',
+                fix: 'Start with secure configuration and relax only when necessary',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security',
+            }),
+            strategyProcessSeparation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Process Separation Strategy',
+                description: 'Separate main and renderer processes properly',
+                severity: 'LOW',
+                fix: 'Keep Node.js APIs in main process, use IPC for communication',
+                documentationLink: 'https://electronjs.org/docs/tutorial/application-architecture',
+            }),
+            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Input Validation Strategy',
+                description: 'Validate all inputs in Electron applications',
+                severity: 'LOW',
+                fix: 'Validate IPC messages and user inputs',
+                documentationLink: 'https://electronjs.org/docs/tutorial/security#7-do-not-use-the-ipc-transport-for-sensitive-data',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInDev: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow insecure settings in development'
+                    },
+                    safePreloadPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['contextBridge', 'ipcRenderer'],
+                    },
+                    allowedIpcChannels: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as safe',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInDev: false,
+            safePreloadPatterns: ['contextBridge', 'ipcRenderer'],
+            allowedIpcChannels: [],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowedIpcChannels = [], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if this is an Electron BrowserWindow creation
+         */
+        const isBrowserWindowCreation = (node) => {
+            return node.callee.type === 'Identifier' &&
+                node.callee.name === 'BrowserWindow';
+        };
+        /**
+         * Check if BrowserWindow options contain insecure settings
+         */
+        const checkBrowserWindowOptions = (optionsNode) => {
+            for (const prop of optionsNode.properties) {
+                if (prop.type === 'Property' &&
+                    prop.key.type === 'Identifier') {
+                    const key = prop.key.name;
+                    const value = prop.value;
+                    // Check for insecure boolean options
+                    if (['nodeIntegration', 'contextIsolation', 'webSecurity', 'allowRunningInsecureContent', 'sandbox'].includes(key)) {
+                        if (value.type === 'Literal') {
+                            const isInsecure = ((key === 'nodeIntegration' && value.value === true) ||
+                                (key === 'contextIsolation' && value.value === false) ||
+                                (key === 'webSecurity' && value.value === false) ||
+                                (key === 'allowRunningInsecureContent' && value.value === true) ||
+                                (key === 'sandbox' && value.value === false));
+                            if (isInsecure) {
+                                // FALSE POSITIVE REDUCTION
+                                if (safetyChecker.isSafe(prop, context)) {
+                                    continue;
+                                }
+                                const messageId = (key === 'nodeIntegration' ? 'nodeIntegrationEnabled' :
+                                    key === 'contextIsolation' ? 'contextIsolationDisabled' :
+                                        key === 'webSecurity' ? 'webSecurityDisabled' :
+                                            key === 'allowRunningInsecureContent' ? 'insecureContentEnabled' :
+                                                'missingSandbox');
+                                context.report({
+                                    node: prop,
+                                    messageId,
+                                    data: {
+                                        filePath: filename,
+                                        line: String(prop.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+        };
+        /**
+         * Check if this is an IPC call
+         */
+        const isIpcCall = (node) => {
+            const callee = node.callee;
+            if (callee.type === 'MemberExpression' &&
+                callee.object.type === 'Identifier' &&
+                ['ipcMain', 'ipcRenderer'].includes(callee.object.name) &&
+                callee.property.type === 'Identifier') {
+                return ['send', 'invoke', 'handle', 'on', 'once'].includes(callee.property.name);
+            }
+            return false;
+        };
+        /**
+         * Check for unsafe IPC patterns
+         */
+        const checkIpcCall = (node) => {
+            const args = node.arguments;
+            if (args.length === 0) {
+                return;
+            }
+            // Check channel name (first argument)
+            const channelArg = args[0];
+            if (channelArg.type === 'Literal' && typeof channelArg.value === 'string') {
+                const channel = channelArg.value;
+                // Check if channel is allowed
+                if (allowedIpcChannels.length > 0 && !allowedIpcChannels.includes(channel)) {
+                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                    if (safetyChecker.isSafe(node, context)) {
+                        return;
+                    }
+                    /* c8 ignore stop */
+                    context.report({
+                        node: channelArg,
+                        messageId: 'insecureIpcPattern',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                }
+            }
+        };
+        /**
+         * Check for direct Node.js API access in renderer-like files
+         */
+        const isRendererFile = () => {
+            const fileName = filename.toLowerCase();
+            return fileName.includes('renderer') ||
+                fileName.includes('preload') ||
+                fileName.includes('ui') ||
+                fileName.includes('view');
+        };
+        /**
+         * Check for Node.js API usage
+         */
+        const isNodeApiCall = (node) => {
+            const callee = node.callee;
+            // Check for require('fs'), require('child_process'), etc.
+            if (callee.type === 'Identifier' && callee.name === 'require') {
+                const arg = node.arguments[0];
+                if (arg?.type === 'Literal' && typeof arg.value === 'string') {
+                    const moduleName = arg.value;
+                    return ['fs', 'child_process', 'os', 'path', 'crypto', 'http', 'https'].includes(moduleName);
+                }
+            }
+            // Check for global Node.js objects
+            if (callee.type === 'MemberExpression' &&
+                callee.object.type === 'Identifier' &&
+                ['process', 'global', '__dirname', '__filename'].includes(callee.object.name)) {
+                return true;
+            }
+            return false;
+        };
+        return {
+            // Check BrowserWindow creation
+            NewExpression(node) {
+                try {
+                    if (isBrowserWindowCreation(node)) {
+                        const args = node.arguments;
+                        if (args.length > 0 && args[0]?.type === 'ObjectExpression') {
+                            checkBrowserWindowOptions(args[0]);
+                        }
+                    }
+                }
+                catch {
+                    return;
+                }
+            },
+            // Check IPC calls
+            CallExpression(node) {
+                try {
+                    if (isIpcCall(node)) {
+                        checkIpcCall(node);
+                    }
+                    // Check for Node.js API usage in renderer files
+                    if (isRendererFile() && isNodeApiCall(node)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'directNodeAccess',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+                catch {
+                    // Skip problematic nodes to avoid rule crashes
+                    return;
+                }
+            },
+            // Check for preload script issues
+            AssignmentExpression(node) {
+                try {
+                    // Look for preload script assignments
+                    if (node.left.type === 'MemberExpression' &&
+                        node.left.property.type === 'Identifier' &&
+                        node.left.property.name === 'preload') {
+                        if (node.right.type === 'Literal' && typeof node.right.value === 'string') {
+                            const preloadPath = node.right.value;
+                            // Check for potentially unsafe preload patterns
+                            if (preloadPath.includes('node_modules') ||
+                                preloadPath.includes('http') ||
+                                preloadPath.includes('remote')) {
+                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                /* c8 ignore stop */
+                                context.report({
+                                    node: node.right,
+                                    messageId: 'unsafePreloadScript',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+                catch {
+                    return;
+                }
+            },
+            // Check for insecure webPreferences patterns
+            Property(node) {
+                try {
+                    if (node.key.type === 'Identifier' && node.key.name === 'webPreferences') {
+                        if (node.value.type === 'ObjectExpression') {
+                            checkBrowserWindowOptions(node.value);
+                        }
+                    }
+                }
+                catch {
+                    return;
+                }
+            }
+        };
+    },
+});

package/src/rules/no-exposed-debug-endpoints/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Detect debug endpoints without auth
+ */
+export interface Options {
+}
+export declare const noExposedDebugEndpoints: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-exposed-debug-endpoints/index.js ADDED Viewed

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * @fileoverview Detect debug endpoints without auth
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noExposedDebugEndpoints = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noExposedDebugEndpoints = (0, eslint_devkit_1.createRule)({
+    name: 'no-exposed-debug-endpoints',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detect debug endpoints without auth',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Exposed Debug Endpoint',
+                cwe: 'CWE-489',
+                description: 'Debug endpoint exposed without authentication',
+                severity: 'HIGH',
+                fix: 'Remove debug endpoints from production or add authentication',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const debugPaths = ['/debug', '/__debug__', '/admin', '/_admin', '/test', '/health'];
+        return {
+            CallExpression(node) {
+                // Detect app.get('/debug', handler)
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    ['app', 'router', 'express'].includes(node.callee.object.name) &&
+                    node.callee.property.type === 'Identifier' &&
+                    ['get', 'post', 'use'].includes(node.callee.property.name)) {
+                    const pathArg = node.arguments[0];
+                    if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
+                        const path = pathArg.value.toLowerCase();
+                        if (debugPaths.some(dp => path.includes(dp))) {
+                            report(node);
+                        }
+                    }
+                }
+            },
+            Literal(node) {
+                // Flag debug path strings in general
+                if (typeof node.value === 'string') {
+                    const path = node.value.toLowerCase();
+                    if (debugPaths.some(dp => path === dp)) {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-exposed-sensitive-data/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Allow sensitive data in test files. Default: false */
+    allowInTests?: boolean;
+    /** Patterns to detect sensitive data. Default: ['ssn', 'social', 'credit', 'card', 'password', 'secret', 'token', 'apiKey'] */
+    sensitivePatterns?: string[];
+    /** Logging/output patterns to detect. Default: ['log', 'console', 'print', 'debug', 'error', 'warn', 'info', 'trace', 'response', 'res.', 'req.'] */
+    loggingPatterns?: string[];
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noExposedSensitiveData: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;