npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-improper-sanitization/index.js ADDED Viewed

@@ -0,0 +1,411 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noImproperSanitization = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noImproperSanitization = (0, eslint_devkit_1.createRule)({
+    name: 'no-improper-sanitization',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects improper sanitization of user input',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            improperSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Improper Sanitization',
+                cwe: 'CWE-116',
+                description: 'User input sanitization is insufficient or incorrect',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+            }),
+            insufficientXssProtection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insufficient XSS Protection',
+                cwe: 'CWE-79',
+                description: 'XSS protection is incomplete or missing',
+                severity: 'HIGH',
+                fix: 'Use comprehensive XSS prevention or trusted sanitization library',
+                documentationLink: 'https://owasp.org/www-community/attacks/xss/',
+            }),
+            incompleteHtmlEscaping: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Incomplete HTML Escaping',
+                cwe: 'CWE-116',
+                description: 'HTML escaping misses dangerous characters',
+                severity: 'MEDIUM',
+                fix: 'Escape all HTML special characters: & < > " \'',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+            }),
+            unsafeReplaceSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Replace Sanitization',
+                cwe: 'CWE-116',
+                description: 'Simple replace() calls are insufficient for sanitization',
+                severity: 'MEDIUM',
+                fix: 'Use comprehensive sanitization libraries',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+            }),
+            missingContextEncoding: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Context Encoding',
+                cwe: 'CWE-116',
+                description: 'Output encoding missing for specific context',
+                severity: 'MEDIUM',
+                fix: 'Encode output according to usage context (HTML, URL, SQL, etc.)',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+            }),
+            dangerousSanitizerUsage: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous Sanitizer Usage',
+                cwe: 'CWE-94',
+                description: 'Custom sanitizer may be incomplete or bypassable',
+                severity: 'LOW',
+                fix: 'Use well-tested sanitization libraries',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/94.html',
+            }),
+            sqlInjectionSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'SQL Injection Sanitization',
+                cwe: 'CWE-89',
+                description: 'SQL input sanitization is insufficient',
+                severity: 'HIGH',
+                fix: 'Use parameterized queries instead of sanitization',
+                documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
+            }),
+            commandInjectionSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Command Injection Sanitization',
+                cwe: 'CWE-78',
+                description: 'Command input sanitization is insufficient',
+                severity: 'CRITICAL',
+                fix: 'Avoid shell commands with user input, use safe APIs',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            useProperSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Proper Sanitization',
+                description: 'Use proper sanitization methods for each context',
+                severity: 'LOW',
+                fix: 'HTML: DOMPurify, URL: encodeURIComponent, SQL: parameterized queries',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
+            }),
+            validateSanitization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Sanitization',
+                description: 'Validate that sanitization is effective',
+                severity: 'LOW',
+                fix: 'Test sanitization with malicious inputs',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/116.html',
+            }),
+            implementContextAware: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Context Aware Sanitization',
+                description: 'Use different sanitization for different contexts',
+                severity: 'LOW',
+                fix: 'HTML context: escape <>&"\' , URL context: encodeURIComponent',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+            }),
+            strategyDefenseInDepth: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Defense in Depth Strategy',
+                description: 'Implement multiple layers of input validation',
+                severity: 'LOW',
+                fix: 'Validate input, sanitize output, use CSP, implement rate limiting',
+                documentationLink: 'https://owasp.org/www-community/controls/Defense_in_depth',
+            }),
+            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Input Validation Strategy',
+                description: 'Validate input at multiple layers',
+                severity: 'LOW',
+                fix: 'Client-side, server-side, and database-level validation',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
+            }),
+            strategyOutputEncoding: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Output Encoding Strategy',
+                description: 'Encode output according to context',
+                severity: 'LOW',
+                fix: 'Use appropriate encoding for HTML, JavaScript, CSS, URL contexts',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    safeSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'],
+                    },
+                    dangerousChars: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'],
+                    },
+                    contexts: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['html', 'url', 'sql', 'command', 'javascript', 'css'],
+                    },
+                    trustedLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['DOMPurify', 'he', 'validator', 'express-validator'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as sanitizers',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            safeSanitizers: ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'],
+            dangerousChars: ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'],
+            contexts: ['html', 'url', 'sql', 'command', 'javascript', 'css'],
+            trustedLibraries: ['DOMPurify', 'he', 'validator', 'express-validator'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { safeSanitizers = ['DOMPurify.sanitize', 'he.encode', 'encodeURIComponent', 'encodeURI', 'escape'], dangerousChars = ['<', '>', '"', "'", '&', '`', '$', '{', '}', '|', ';', '(', ')'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if sanitization is safe
+         */
+        const isSafeSanitizer = (callText) => {
+            return safeSanitizers.some(sanitizer => callText.includes(sanitizer));
+        };
+        /**
+         * Check if replace sanitization is incomplete
+         */
+        const isIncompleteReplaceSanitization = (callExpression) => {
+            const callText = sourceCode.getText(callExpression);
+            // Check for incomplete HTML escaping (any quote style)
+            const escapesOnlyTags = /replace\(\s*\/[<>]/.test(callText);
+            if (escapesOnlyTags) {
+                // If only escaping < or > but not other dangerous chars, it's incomplete
+                const hasQuoteEscaping = /&quot;|&#x27;|&#039;/.test(callText);
+                const hasAmpersandEscaping = /&amp;/.test(callText);
+                return !(hasQuoteEscaping && hasAmpersandEscaping);
+            }
+            return false;
+        };
+        /**
+         * Check if output context suggests needed encoding
+         */
+        const needsContextEncoding = (outputNode) => {
+            let current = outputNode;
+            // Look for context clues in surrounding code
+            while (current) {
+                const text = sourceCode.getText(current).toLowerCase();
+                if (text.includes('innerhtml') || text.includes('outerhtml')) {
+                    return 'html';
+                }
+                if (text.includes('href') || text.includes('src') || text.includes('url')) {
+                    return 'url';
+                }
+                if (text.includes('sql') || text.includes('query') || text.includes('execute')) {
+                    return 'sql';
+                }
+                if (text.includes('exec') || text.includes('spawn') || text.includes('command')) {
+                    return 'command';
+                }
+                current = current.parent;
+            }
+            return null;
+        };
+        return {
+            // Check call expressions for sanitization issues
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for replace() sanitization
+                if (callee.type === 'MemberExpression' &&
+                    callee.property.type === 'Identifier' &&
+                    callee.property.name === 'replace') {
+                    if (isIncompleteReplaceSanitization(node)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'incompleteHtmlEscaping',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+                // Check for custom sanitizer functions
+                if (callee.type === 'Identifier') {
+                    const functionName = callee.name;
+                    // Check if it's a known dangerous sanitizer pattern
+                    if (functionName.toLowerCase().includes('sanitize') ||
+                        functionName.toLowerCase().includes('escape') ||
+                        functionName.toLowerCase().includes('clean')) {
+                        // If it's not in our safe list, flag it
+                        if (!safeSanitizers.some(safe => functionName.includes(safe))) {
+                            // Check if arguments contain user input
+                            const args = node.arguments;
+                            let hasUserInput = false;
+                            for (const arg of args) {
+                                const argText = sourceCode.getText(arg).toLowerCase();
+                                if (argText.includes('req.') || argText.includes('body') ||
+                                    argText.includes('query') || argText.includes('params') ||
+                                    argText.includes('input') || argText.includes('data')) {
+                                    hasUserInput = true;
+                                    break;
+                                }
+                            }
+                            if (hasUserInput) {
+                                /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                if (safetyChecker.isSafe(node, context)) {
+                                    return;
+                                }
+                                /* c8 ignore stop */
+                                context.report({
+                                    node,
+                                    messageId: 'dangerousSanitizerUsage',
+                                    data: {
+                                        filePath: filename,
+                                        line: String(node.loc?.start.line ?? 0),
+                                    },
+                                });
+                            }
+                        }
+                    }
+                }
+            },
+            // Check assignments that might need sanitization
+            AssignmentExpression(node) {
+                const left = node.left;
+                const right = node.right;
+                // Check for assignments to potentially dangerous properties
+                if (left.type === 'MemberExpression' &&
+                    left.property.type === 'Identifier') {
+                    const propertyName = left.property.name.toLowerCase();
+                    if (['innerhtml', 'outerhtml', 'innertext', 'textcontent'].includes(propertyName)) {
+                        const encodingContext = needsContextEncoding(node);
+                        if (encodingContext === 'html' && propertyName === 'innerhtml') {
+                            // Check if right side is properly sanitized
+                            const rightText = sourceCode.getText(right);
+                            if (!isSafeSanitizer(rightText)) {
+                                // Check if right side contains user input
+                                const hasUserInput = rightText.includes('req.') ||
+                                    rightText.includes('body') ||
+                                    rightText.includes('query') ||
+                                    rightText.includes('input');
+                                if (hasUserInput) {
+                                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                                    if (safetyChecker.isSafe(node, context)) {
+                                        return;
+                                    }
+                                    /* c8 ignore stop */
+                                    context.report({
+                                        node: right,
+                                        messageId: 'insufficientXssProtection',
+                                        data: {
+                                            filePath: filename,
+                                            line: String(node.loc?.start.line ?? 0),
+                                        },
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            // Check string literals that might contain dangerous characters
+            Literal(node) {
+                if (typeof node.value !== 'string') {
+                    return;
+                }
+                const text = node.value;
+                // Check if this string is used in a dangerous context
+                let current = node;
+                let isInDangerousContext = false;
+                while (current && !isInDangerousContext) {
+                    if (current.type === 'AssignmentExpression') {
+                        const left = current.left;
+                        if (left.type === 'MemberExpression' &&
+                            left.property.type === 'Identifier' &&
+                            ['innerHTML', 'outerHTML'].includes(left.property.name)) {
+                            isInDangerousContext = true;
+                            break;
+                        }
+                    }
+                    else if (current.type === 'CallExpression') {
+                        const callee = current.callee;
+                        if (callee.type === 'MemberExpression' &&
+                            callee.property.type === 'Identifier' &&
+                            ['write', 'send', 'json'].includes(callee.property.name)) {
+                            // Could be response output
+                            isInDangerousContext = true;
+                            break;
+                        }
+                    }
+                    current = current.parent;
+                }
+                if (isInDangerousContext) {
+                    // Check if string contains dangerous characters without proper escaping
+                    const hasDangerousChars = dangerousChars.some(char => text.includes(char));
+                    const hasEscaping = text.includes('&lt;') || text.includes('&gt;') ||
+                        text.includes('&quot;') || text.includes('&#x27;') ||
+                        text.includes('&amp;');
+                    if (hasDangerousChars && !hasEscaping) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'unsafeReplaceSanitization',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-improper-type-validation/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Variables that contain user input and should be validated */
+    userInputVariables?: string[];
+    /** Safe type checking functions */
+    safeTypeCheckFunctions?: string[];
+    /** Whether to allow instanceof in same-realm contexts */
+    allowInstanceofSameRealm?: boolean;
+}
+export declare const noImproperTypeValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;