eslint-plugin-secure-coding 2.3.3 → 2.4.0

package/src/rules/no-hardcoded-credentials/index.js

@@ -0,0 +1,376 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHardcodedCredentials = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Common credential patterns
+ */
+const CREDENTIAL_PATTERNS = {
+    // API Keys (typically 32+ character alphanumeric strings)
+    apiKey: /^(?:[A-Za-z0-9_-]{32,}|sk_[A-Za-z0-9_-]{32,}|pk_[A-Za-z0-9_-]{32,}|AKIA[0-9A-Z]{16})$/,
+    // JWT Tokens (three base64 parts separated by dots)
+    jwtToken: /^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,
+    // OAuth tokens
+    oauthToken: /^(?:ghp_|gho_|ghu_|ghs_|ghr_)[A-Za-z0-9]{36,}$/,
+    // AWS Access Keys
+    awsAccessKey: /^AKIA[0-9A-Z]{16}$/,
+    // Database connection strings with credentials
+    databaseString: /^(?:mysql|postgres|mongodb|redis):\/\/[^:]+:[^@]+@/,
+    // Generic password patterns (common weak passwords) - no length requirement
+    commonPassword: /^(?:password|admin|123456|qwerty|letmein|welcome|monkey|1234567890|12345678|password123|root|test|guest)$/i,
+    // Secret keys (base64-like or hex strings)
+    secretKey: /^(?:[A-Za-z0-9+/]{32,}={0,2}|[A-Fa-f0-9]{32,})$/,
+};
+// Note: CREDENTIAL_VARIABLE_NAMES is reserved for future use when we want to
+// check variable names in addition to values
+// @coverage-note: Not currently used, reserved for future enhancement
+/**
+ * Check if a string literal looks like a hardcoded credential
+ */
+function looksLikeCredential(value, options, ignorePatterns) {
+    // Check ignore patterns first
+    if (ignorePatterns.some(pattern => pattern.test(value))) {
+        return { isCredential: false, type: '' };
+    }
+    // Check custom patterns first (highest priority)
+    for (const customPattern of options.customPatterns) {
+        try {
+            const regex = new RegExp(customPattern.pattern);
+            if (regex.test(value)) {
+                return { isCredential: true, type: customPattern.type };
+            }
+            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        }
+        catch (error) {
+            // Invalid regex pattern, skip it
+            continue;
+        }
+    }
+    // Check passwords (common weak passwords) - no length requirement, check first
+    if (options.detectPasswords) {
+        if (CREDENTIAL_PATTERNS.commonPassword.test(value)) {
+            return { isCredential: true, type: 'Common password' };
+        }
+    }
+    // Check database connection strings - no length requirement
+    if (options.detectDatabaseStrings) {
+        if (CREDENTIAL_PATTERNS.databaseString.test(value)) {
+            return { isCredential: true, type: 'Database connection string' };
+        }
+    }
+    // Check minimum length for other patterns
+    if (value.length < options.minLength) {
+        return { isCredential: false, type: '' };
+    }
+    // Check tokens first (more specific patterns)
+    if (options.detectTokens) {
+        if (CREDENTIAL_PATTERNS.jwtToken.test(value)) {
+            return { isCredential: true, type: 'JWT token' };
+        }
+        if (CREDENTIAL_PATTERNS.oauthToken.test(value)) {
+            return { isCredential: true, type: 'OAuth token' };
+        }
+    }
+    // Check secret keys first (before generic API key patterns)
+    if (value.length >= 32 && CREDENTIAL_PATTERNS.secretKey.test(value)) {
+        return { isCredential: true, type: 'Secret key' };
+    }
+    // Check API keys
+    if (options.detectApiKeys) {
+        if (CREDENTIAL_PATTERNS.awsAccessKey.test(value)) {
+            return { isCredential: true, type: 'AWS access key' };
+        }
+        // Generic API key pattern (long alphanumeric strings)
+        if (/^[A-Za-z0-9_-]{32,}$/.test(value)) {
+            return { isCredential: true, type: 'API key' };
+        }
+    }
+    return { isCredential: false, type: '' };
+}
+// Note: isCredentialVariableName is reserved for future use when we want to
+// check variable names in addition to values
+// @coverage-note: Not currently used, reserved for future enhancement
+exports.noHardcodedCredentials = (0, eslint_devkit_2.createRule)({
+    name: 'no-hardcoded-credentials',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects hardcoded passwords, API keys, tokens, and other sensitive credentials',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            useEnvironmentVariable: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Hard-coded Credential',
+                cwe: 'CWE-798',
+                description: 'Hard-coded {{credentialType}} detected',
+                severity: 'CRITICAL',
+                fix: 'Use environment variable: process.env.{{envVarName}} or secret management service',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            useSecretManager: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Use Secret Manager',
+                cwe: 'CWE-798',
+                description: 'Use secure secret management service',
+                severity: 'HIGH',
+                fix: 'Use AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or similar',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            strategyEnv: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Environment Variable Strategy',
+                description: 'Move credentials to environment variables',
+                severity: 'MEDIUM',
+                fix: 'Store credentials in environment variables (process.env)',
+                documentationLink: 'https://12factor.net/config',
+            }),
+            strategyConfig: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Configuration File Strategy',
+                description: 'Store credentials in encrypted configuration files',
+                severity: 'MEDIUM',
+                fix: 'Use encrypted configuration files with proper access controls',
+                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Configuration_Management_Cheat_Sheet.html',
+            }),
+            strategyVault: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Secret Vault Strategy',
+                cwe: 'CWE-798',
+                description: 'Use dedicated secret management system',
+                severity: 'HIGH',
+                fix: 'Implement HashiCorp Vault, AWS Secrets Manager, or similar secret vault',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            }),
+            strategyAuto: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.DEVELOPMENT,
+                issueName: 'Context-Aware Strategy',
+                description: 'Apply context-aware credential management',
+                severity: 'MEDIUM',
+                fix: 'Choose strategy based on deployment environment and security requirements',
+                documentationLink: 'https://owasp.org/www-project-cheat-sheets/cheatsheets/Secrets_Management_Cheat_Sheet.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Regex patterns to ignore',
+                    },
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow credentials in test files',
+                    },
+                    minLength: {
+                        type: 'number',
+                        default: 8,
+                        description: 'Minimum length for credential detection',
+                    },
+                    detectApiKeys: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect API keys',
+                    },
+                    detectPasswords: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect passwords',
+                    },
+                    detectTokens: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect tokens',
+                    },
+                    detectDatabaseStrings: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Detect database connection strings',
+                    },
+                    customPatterns: {
+                        type: 'array',
+                        items: {
+                            type: 'object',
+                            properties: {
+                                type: {
+                                    type: 'string',
+                                    description: 'The type of credential (e.g., "API key", "token")',
+                                },
+                                pattern: {
+                                    type: 'string',
+                                    description: 'Regex pattern to match',
+                                },
+                            },
+                            required: ['type', 'pattern'],
+                            additionalProperties: false,
+                        },
+                        default: [],
+                        description: 'Custom credential patterns to detect',
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['env', 'config', 'vault', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing hardcoded credentials (auto = smart detection)'
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignorePatterns: [],
+            allowInTests: false,
+            minLength: 8,
+            detectApiKeys: true,
+            detectPasswords: true,
+            detectTokens: true,
+            detectDatabaseStrings: true,
+            customPatterns: [],
+            strategy: 'auto',
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { ignorePatterns = [], allowInTests = false, minLength = 8, detectApiKeys = true, detectPasswords = true, detectTokens = true, detectDatabaseStrings = true, customPatterns = [], } = options || {};
+        const filename = context.filename || context.getFilename();
+        const isTestFile = allowInTests && (filename.includes('.test.') ||
+            filename.includes('.spec.') ||
+            filename.includes('__tests__') ||
+            filename.includes('/test/'));
+        // Compile ignore patterns to regex
+        const compiledIgnorePatterns = ignorePatterns.map((pattern) => new RegExp(pattern));
+        const detectionOptions = {
+            minLength,
+            detectApiKeys,
+            detectPasswords,
+            detectTokens,
+            detectDatabaseStrings,
+            customPatterns,
+        };
+        /**
+         * Check a string literal node
+         */
+        function checkStringLiteral(node, parent) {
+            if (typeof node.value !== 'string') {
+                return;
+            }
+            const value = node.value;
+            // Skip if in test files and allowed
+            if (isTestFile) {
+                return;
+            }
+            // Check if it looks like a credential
+            const { isCredential, type } = looksLikeCredential(value, detectionOptions, compiledIgnorePatterns);
+            if (!isCredential) {
+                return;
+            }
+            // Generate environment variable name suggestion
+            let envVarName = 'API_KEY';
+            if (parent && parent.type === 'Property' && parent.key.type === 'Identifier') {
+                const keyName = parent.key.name;
+                envVarName = keyName
+                    .replace(/([a-z])([A-Z])/g, '$1_$2')
+                    .toUpperCase()
+                    .replace(/[^A-Z0-9_]/g, '_');
+            }
+            else if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                const varName = parent.id.name;
+                envVarName = varName
+                    .replace(/([a-z])([A-Z])/g, '$1_$2')
+                    .toUpperCase()
+                    .replace(/[^A-Z0-9_]/g, '_');
+            }
+            context.report({
+                node,
+                messageId: 'useEnvironmentVariable',
+                data: {
+                    credentialType: type,
+                    envVarName,
+                },
+                suggest: [
+                    {
+                        messageId: 'useEnvironmentVariable',
+                        data: { envVarName, credentialType: type },
+                        fix: (fixer) => {
+                            return fixer.replaceText(node, `process.env.${envVarName} || '${value}'`);
+                        },
+                    },
+                    {
+                        messageId: 'useSecretManager',
+                        data: { credentialType: type },
+                        fix: (fixer) => {
+                            return fixer.replaceText(node, `await getSecret('${envVarName.toLowerCase()}')`);
+                        },
+                    },
+                ],
+            });
+        }
+        return {
+            Literal(node) {
+                checkStringLiteral(node, node.parent);
+            },
+            TemplateLiteral(node) {
+                // Check template literal parts for credentials
+                // Only check if there are no interpolations (static template literal)
+                if (node.expressions.length === 0) {
+                    const fullText = node.quasis.map((q) => q.value.raw).join('');
+                    const { isCredential, type } = looksLikeCredential(fullText, detectionOptions, compiledIgnorePatterns);
+                    if (isCredential && !isTestFile) {
+                        context.report({
+                            node,
+                            messageId: 'useEnvironmentVariable',
+                            data: {
+                                credentialType: type,
+                                envVarName: 'API_KEY',
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useEnvironmentVariable',
+                                    data: { envVarName: 'API_KEY', credentialType: type },
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(node, `process.env.API_KEY || \`${fullText}\``);
+                                    },
+                                },
+                                {
+                                    messageId: 'useSecretManager',
+                                    data: { credentialType: type },
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(node, `await getSecret('api_key')`);
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+                else {
+                    // For template literals with interpolations, check each quasi part
+                    for (const quasi of node.quasis) {
+                        if (quasi.value.raw) {
+                            const { isCredential, type } = looksLikeCredential(quasi.value.raw, detectionOptions, compiledIgnorePatterns);
+                            if (isCredential && !isTestFile) {
+                                // Note: Template literals with interpolations are complex to fix automatically
+                                // So we report the error without suggestions
+                                context.report({
+                                    node: quasi,
+                                    messageId: 'useEnvironmentVariable',
+                                    data: {
+                                        credentialType: type,
+                                        envVarName: 'API_KEY',
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-hardcoded-session-tokens/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Detect hardcoded session/JWT tokens
+ */
+export interface Options {
+}
+export declare const noHardcodedSessionTokens: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-hardcoded-session-tokens/index.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * @fileoverview Detect hardcoded session/JWT tokens
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHardcodedSessionTokens = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noHardcodedSessionTokens = (0, eslint_devkit_1.createRule)({
+    name: 'no-hardcoded-session-tokens',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detect hardcoded session/JWT tokens',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Hardcoded Token',
+                cwe: 'CWE-798',
+                description: 'Hardcoded session or JWT token detected - credentials at risk',
+                severity: 'CRITICAL',
+                fix: 'Use environment variables or secure credential management',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        return {
+            Literal(node) {
+                if (typeof node.value !== 'string')
+                    return;
+                // Detect JWT tokens (start with eyJ and contain 2 dots)
+                if (node.value.startsWith('eyJ') && node.value.length > 50 &&
+                    (node.value.match(/\./g) || []).length >= 2) {
+                    report(node);
+                }
+                // Detect Bearer tokens
+                if (node.value.startsWith('Bearer ') && node.value.length > 20) {
+                    report(node);
+                }
+                // Detect session_id patterns
+                const parent = node.parent;
+                if (parent?.type === 'VariableDeclarator' &&
+                    parent.id.type === 'Identifier') {
+                    const varName = parent.id.name.toLowerCase();
+                    if ((varName.includes('session') || varName.includes('token')) &&
+                        node.value.length >= 16 && /^[a-zA-Z0-9]+$/.test(node.value)) {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-http-urls/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Disallow hardcoded HTTP URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/319.html
+ */
+export interface Options {
+    /** List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1) */
+    allowedHosts?: string[];
+    /** List of ports allowed for HTTP (e.g., 3000, 8080 for development) */
+    allowedPorts?: number[];
+}
+export declare const noHttpUrls: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-http-urls/index.js

@@ -0,0 +1,114 @@
+"use strict";
+/**
+ * @fileoverview Disallow hardcoded HTTP URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/319.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noHttpUrls = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noHttpUrls = (0, eslint_devkit_1.createRule)({
+    name: 'no-http-urls',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow hardcoded HTTP URLs (require HTTPS)',
+        },
+        messages: {
+            insecureHttp: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Insecure HTTP URL',
+                cwe: 'CWE-319',
+                owasp: 'A02:2021',
+                cvss: 7.5,
+                description: 'Hardcoded HTTP URL detected: "{{url}}"',
+                severity: 'HIGH',
+                compliance: ['SOC2', 'PCI-DSS', 'HIPAA'],
+                fix: 'Use HTTPS instead: const url = "https://..."',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+            }),
+            insecureHttpWithException: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.WARNING,
+                issueName: 'Insecure HTTP URL',
+                cwe: 'CWE-319',
+                owasp: 'A02:2021',
+                cvss: 5.3,
+                description: 'HTTP URL detected: "{{url}}"',
+                severity: 'MEDIUM',
+                fix: 'Use HTTPS or add to allowedHosts config',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowedHosts: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        description: 'List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1)',
+                    },
+                    allowedPorts: {
+                        type: 'array',
+                        items: { type: 'number' },
+                        description: 'List of ports allowed for HTTP (e.g., 3000, 8080 for development)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowedHosts: ['localhost', '127.0.0.1'],
+            allowedPorts: [],
+        },
+    ],
+    create(context) {
+        const [options = {}] = context.options;
+        const allowedHosts = options.allowedHosts ?? ['localhost', '127.0.0.1'];
+        const allowedPorts = options.allowedPorts ?? [];
+        function isAllowedException(url) {
+            try {
+                const parsedUrl = new URL(url);
+                // Check if host is in allowed list
+                if (allowedHosts.includes(parsedUrl.hostname)) {
+                    return true;
+                }
+                // Check if port is in allowed list
+                if (parsedUrl.port && allowedPorts.includes(parseInt(parsedUrl.port, 10))) {
+                    return true;
+                }
+                return false;
+            }
+            catch {
+                // If URL parsing fails, treat as pattern match
+                return allowedHosts.some(host => url.includes(host));
+            }
+        }
+        function checkStringValue(node, value) {
+            const httpPattern = /^http:\/\//i;
+            if (httpPattern.test(value) && !isAllowedException(value)) {
+                context.report({
+                    node,
+                    messageId: allowedHosts.length > 0 || allowedPorts.length > 0
+                        ? 'insecureHttpWithException'
+                        : 'insecureHttp',
+                    data: { url: value },
+                });
+            }
+        }
+        return {
+            Literal(node) {
+                if (typeof node.value === 'string') {
+                    checkStringValue(node, node.value);
+                }
+            },
+            TemplateElement(node) {
+                if (node.value.cooked) {
+                    checkStringValue(node, node.value.cooked);
+                }
+            },
+        };
+    },
+});

package/src/rules/no-improper-sanitization/index.d.ts

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Safe sanitization functions */
+    safeSanitizers?: string[];
+    /** Characters that should be escaped */
+    dangerousChars?: string[];
+    /** Contexts that require different encoding */
+    contexts?: string[];
+    /** Trusted sanitization libraries */
+    trustedLibraries?: string[];
+}
+export declare const noImproperSanitization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;