npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/detect-child-process/index.js ADDED Viewed

@@ -0,0 +1,529 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectChildProcess = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const COMMAND_PATTERNS = [
+    {
+        method: 'exec',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['execFile', 'spawn'],
+        example: {
+            bad: 'exec(`git clone ${repoUrl}`)',
+            good: [
+                'execFile(\'git\', [\'clone\', repoUrl], {shell: false})',
+                'spawn(\'git\', [\'clone\', repoUrl], {shell: false})'
+            ]
+        },
+        effort: '15-25 minutes'
+    },
+    {
+        method: 'execSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['execFileSync', 'spawnSync'],
+        example: {
+            bad: 'execSync(`npm install ${packageName}`)',
+            good: [
+                'execFileSync(\'npm\', [\'install\', packageName], {shell: false})',
+                'spawnSync(\'npm\', [\'install\', packageName], {shell: false})'
+            ]
+        },
+        effort: '15-25 minutes'
+    },
+    {
+        method: 'spawn',
+        dangerous: false,
+        vulnerability: 'argument-injection',
+        safeAlternatives: ['spawn with validation'],
+        example: {
+            bad: 'spawn(\'bash\', [\'-c\', userCommand])',
+            good: [
+                'spawn(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '20-30 minutes'
+    },
+    {
+        method: 'execFile',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawn'],
+        example: {
+            bad: 'execFile(userCommand, userArgs, callback)',
+            good: [
+                'spawn(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'execFileSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawnSync'],
+        example: {
+            bad: 'execFileSync(userCommand, userArgs)',
+            good: [
+                'spawnSync(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '10-15 minutes'
+    },
+    {
+        method: 'spawnSync',
+        dangerous: false,
+        vulnerability: 'argument-injection',
+        safeAlternatives: ['spawnSync with validation'],
+        example: {
+            bad: 'spawnSync(\'bash\', [\'-c\', userCommand])',
+            good: [
+                'spawnSync(validatedCommand, validatedArgs, {shell: false})',
+                '// Validate command and args first'
+            ]
+        },
+        effort: '15-20 minutes'
+    },
+    {
+        method: 'fork',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawn'],
+        example: {
+            bad: 'fork(userScript)',
+            good: [
+                'spawn(\'node\', [validatedScript], {shell: false})',
+                '// Validate script path first'
+            ]
+        },
+        effort: '15-20 minutes'
+    },
+    {
+        method: 'forkSync',
+        dangerous: true,
+        vulnerability: 'command-injection',
+        safeAlternatives: ['spawnSync'],
+        example: {
+            bad: 'forkSync(userScript)',
+            good: [
+                'spawnSync(\'node\', [validatedScript], {shell: false, stdio: \'inherit\'})',
+                '// Validate script path first'
+            ]
+        },
+        effort: '15-20 minutes'
+    }
+];
+exports.detectChildProcess = (0, eslint_devkit_2.createRule)({
+    name: 'detect-child-process',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects child_process usage that may allow command injection',
+        },
+        messages: {
+            // 🎯 Token optimization: 44% reduction (55→31 tokens) - removes ❌/✅/📚 labels
+            childProcessCommandInjection: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.WARNING,
+                issueName: 'Command injection',
+                cwe: 'CWE-78',
+                description: 'Command injection detected',
+                severity: 'CRITICAL',
+                fix: 'Use execFile/spawn with {shell: false} and array args',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            useExecFile: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use execFile',
+                description: 'Use execFile() with argument array',
+                severity: 'LOW',
+                fix: 'execFile(cmd, [arg1, arg2], { shell: false })',
+                documentationLink: 'https://nodejs.org/api/child_process.html#child_processexecfilefile-args-options-callback',
+            }),
+            useSpawn: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use spawn',
+                description: 'Use spawn() with separate arguments',
+                severity: 'LOW',
+                fix: 'spawn(cmd, [arg1, arg2], { shell: false })',
+                documentationLink: 'https://nodejs.org/api/child_process.html#child_processspawncommand-args-options',
+            }),
+            useSaferLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Safer Library',
+                description: 'Consider safer command execution libraries',
+                severity: 'LOW',
+                fix: 'Use execa, zx, or cross-spawn instead',
+                documentationLink: 'https://github.com/sindresorhus/execa',
+            }),
+            validateInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Input',
+                description: 'Add input validation and sanitization',
+                severity: 'LOW',
+                fix: 'Validate user input before passing to command',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            useShellFalse: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Disable Shell',
+                description: 'Use shell: false option',
+                severity: 'LOW',
+                fix: '{ shell: false } to prevent shell interpretation',
+                documentationLink: 'https://nodejs.org/api/child_process.html#spawning-bat-and-cmd-files-on-windows',
+            }),
+            strategyValidate: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Validate Strategy',
+                description: 'Comprehensive input validation',
+                severity: 'LOW',
+                fix: 'Add allowlist validation before command execution',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            strategySanitize: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Sanitize Strategy',
+                description: 'Sanitize and escape command arguments',
+                severity: 'LOW',
+                fix: 'Escape special characters in command arguments',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            }),
+            strategyRestrict: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.STRATEGY,
+                issueName: 'Restrict Strategy',
+                description: 'Restrict to predefined safe commands',
+                severity: 'LOW',
+                fix: 'Define allowlist of permitted commands',
+                documentationLink: 'https://owasp.org/www-community/attacks/Command_Injection',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiteralStrings: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow exec() with literal strings'
+                    },
+                    allowLiteralSpawn: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow spawn() with literal arguments'
+                    },
+                    additionalMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional child_process methods to check'
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['validate', 'sanitize', 'restrict', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing command injection (auto = smart detection)'
+                    }
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiteralStrings: false,
+            allowLiteralSpawn: false,
+            additionalMethods: [],
+            strategy: 'auto'
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowLiteralStrings = false, allowLiteralSpawn = false, additionalMethods = [], } = options || {};
+        /**
+         * Child process methods that can be dangerous (Set for O(1) lookup)
+         */
+        const dangerousMethodsSet = new Set([
+            'exec',
+            'execSync',
+            'execFile',
+            'execFileSync',
+            'spawn',
+            'spawnSync',
+            'fork',
+            'forkSync',
+            ...additionalMethods
+        ]);
+        /**
+         * Track imported child_process identifiers so we can flag calls like
+         * `exec()` or `cp.exec()` in addition to `child_process.exec()`.
+         */
+        const moduleAliases = new Set(['child_process']);
+        const importedMethods = new Set();
+        /**
+         * Check if a node contains string interpolation or concatenation
+         */
+        const containsDynamicStrings = (node) => {
+            if (node.type === 'TemplateLiteral') {
+                return node.expressions.length > 0;
+            }
+            if (node.type === 'BinaryExpression' && node.operator === '+') {
+                return true;
+            }
+            // Check for variable references
+            if (node.type === 'Identifier') {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if arguments contain only literals (safe)
+         */
+        const hasOnlyLiteralArgs = (args) => {
+            return args.every(arg => arg.type === 'Literal' ||
+                (arg.type === 'ArrayExpression' &&
+                    arg.elements.every((el) => el?.type === 'Literal')));
+        };
+        /**
+         * Extract command and arguments for analysis
+         */
+        const extractCommandInfo = (node) => {
+            let method = 'unknown';
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier') {
+                method = node.callee.property.name;
+            }
+            else if (node.callee.type === 'Identifier') {
+                method = node.callee.name;
+            }
+            const sourceCode = context.sourceCode || context.sourceCode;
+            const args = node.arguments.map((arg) => sourceCode.getText(arg)).join(', ');
+            const pattern = COMMAND_PATTERNS.find(p => p.method === method) || null;
+            // Check if arguments contain dynamic content
+            const isDynamic = node.arguments.some((arg) => containsDynamicStrings(arg));
+            return { method, args, pattern, isDynamic };
+        };
+        /**
+         * Generate refactoring steps based on the pattern
+         */
+        const generateRefactoringSteps = (pattern) => {
+            switch (pattern.method) {
+                case 'exec':
+                case 'execSync':
+                    return [
+                        '   1. Replace exec() with execFile() or spawn()',
+                        '   2. Split command and arguments into separate array elements',
+                        '   3. Use {shell: false} option to prevent shell interpretation',
+                        '   4. Validate and sanitize all user inputs',
+                        '   5. Consider using execa library for better security'
+                    ].join('\n');
+                case 'spawn':
+                    return [
+                        '   1. Ensure first argument is a safe, validated command path',
+                        '   2. Pass arguments as separate array elements',
+                        '   3. Use {shell: false} to prevent shell injection',
+                        '   4. Validate command exists and is executable',
+                        '   5. Consider using cross-spawn for cross-platform safety'
+                    ].join('\n');
+                case 'execFile':
+                    return [
+                        '   1. Replace execFile() with spawn() for better security',
+                        '   2. Validate command path before execution',
+                        '   3. Ensure arguments are properly sanitized',
+                        '   4. Use {shell: false} option',
+                        '   5. Consider using execa library'
+                    ].join('\n');
+                case 'execFileSync':
+                    return [
+                        '   1. Replace execFileSync() with spawnSync() for better security',
+                        '   2. Validate command path before execution',
+                        '   3. Ensure arguments are properly sanitized',
+                        '   4. Use {shell: false} option',
+                        '   5. Consider using execa library'
+                    ].join('\n');
+                case 'spawnSync':
+                    return [
+                        '   1. Ensure first argument is a safe, validated command path',
+                        '   2. Pass arguments as separate array elements',
+                        '   3. Use {shell: false} to prevent shell injection',
+                        '   4. Validate command exists and is executable',
+                        '   5. Handle synchronous execution properly'
+                    ].join('\n');
+                case 'fork':
+                    return [
+                        '   1. Replace fork() with spawn() for Node.js scripts',
+                        '   2. Validate script path exists and is readable',
+                        '   3. Use spawn(\'node\', [scriptPath], options) instead',
+                        '   4. Add proper error handling',
+                        '   5. Consider using child_process.execFile() for simple scripts'
+                    ].join('\n');
+                case 'forkSync':
+                    return [
+                        '   1. Replace forkSync() with spawnSync() for Node.js scripts',
+                        '   2. Validate script path exists and is readable',
+                        '   3. Use spawnSync(\'node\', [scriptPath], options) instead',
+                        '   4. Add proper error handling and synchronous waiting',
+                        '   5. Consider using child_process.execFileSync() for simple scripts'
+                    ].join('\n');
+                default:
+                    return [
+                        '   1. Identify the specific command execution need',
+                        '   2. Choose appropriate child_process method',
+                        '   3. Use argument arrays instead of string interpolation',
+                        '   4. Add comprehensive input validation',
+                        '   5. Test with malicious inputs'
+                    ].join('\n');
+            }
+        };
+        /**
+         * Determine risk level based on the call pattern
+         */
+        const determineRiskLevel = (pattern, isDynamic) => {
+            if (pattern?.dangerous && isDynamic) {
+                return 'critical';
+            }
+            if (pattern?.dangerous || isDynamic) {
+                return 'high';
+            }
+            return 'medium';
+        };
+        /**
+         * Determine whether the callee refers to a child_process API.
+         */
+        const getChildProcessCall = (node) => {
+            // child_process.exec(...)
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier') {
+                const methodName = node.callee.property.name;
+                if (!dangerousMethodsSet.has(methodName)) {
+                    return null;
+                }
+                // child_process.exec(...) or alias.exec(...)
+                if (node.callee.object.type === 'Identifier' &&
+                    moduleAliases.has(node.callee.object.name)) {
+                    return { method: methodName, calleeNode: node.callee };
+                }
+            }
+            // exec(...) when imported directly from child_process
+            if (node.callee.type === 'Identifier' && dangerousMethodsSet.has(node.callee.name)) {
+                if (importedMethods.has(node.callee.name)) {
+                    return { method: node.callee.name, calleeNode: node.callee };
+                }
+            }
+            return null;
+        };
+        /**
+         * Check child_process calls for security issues
+         */
+        const checkChildProcessCall = (node) => {
+            const detected = getChildProcessCall(node);
+            if (!detected) {
+                return;
+            }
+            const { method, args, pattern, isDynamic } = extractCommandInfo(node);
+            // Allow literal strings if configured
+            if (allowLiteralStrings && method === 'exec' && !isDynamic) {
+                return;
+            }
+            // Allow literal spawn if configured
+            if (allowLiteralSpawn && method === 'spawn' && hasOnlyLiteralArgs(node.arguments)) {
+                return;
+            }
+            // Report the security issue
+            const riskLevel = determineRiskLevel(pattern, isDynamic);
+            const steps = pattern ? generateRefactoringSteps(pattern) : 'Review and secure command execution';
+            const alternatives = pattern?.safeAlternatives.join(', ') || 'execFile, spawn with validation';
+            context.report({
+                node,
+                messageId: 'childProcessCommandInjection',
+                data: {
+                    method,
+                    args,
+                    riskLevel,
+                    vulnerability: pattern?.vulnerability || 'command injection',
+                    alternatives,
+                    steps,
+                    effort: pattern?.effort || '15-30 minutes'
+                },
+                suggest: [
+                    {
+                        messageId: 'useExecFile',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useSpawn',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useSaferLibrary',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'validateInput',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useShellFalse',
+                        fix: () => null
+                    }
+                ]
+            });
+        };
+        /**
+         * Track imports/requires of child_process to catch alias usage.
+         */
+        const trackChildProcessImport = (node) => {
+            if (node.source.value !== 'child_process') {
+                return;
+            }
+            for (const specifier of node.specifiers) {
+                if (specifier.type === 'ImportDefaultSpecifier' || specifier.type === 'ImportNamespaceSpecifier') {
+                    moduleAliases.add(specifier.local.name);
+                }
+                if (specifier.type === 'ImportSpecifier') {
+                    importedMethods.add(specifier.local.name);
+                }
+            }
+        };
+        /**
+         * Track CommonJS require patterns.
+         */
+        const trackChildProcessRequire = (node) => {
+            if (!node.init) {
+                return;
+            }
+            // const cp = require('child_process');
+            if (node.id.type === 'Identifier' &&
+                node.init.type === 'CallExpression' &&
+                node.init.callee.type === 'Identifier' &&
+                node.init.callee.name === 'require' &&
+                node.init.arguments[0] &&
+                node.init.arguments[0].type === 'Literal' &&
+                node.init.arguments[0].value === 'child_process') {
+                moduleAliases.add(node.id.name);
+                return;
+            }
+            // const { exec } = require('child_process');
+            if (node.id.type === 'ObjectPattern' &&
+                node.init?.type === 'CallExpression' &&
+                node.init.callee.type === 'Identifier' &&
+                node.init.callee.name === 'require' &&
+                node.init.arguments[0] &&
+                node.init.arguments[0].type === 'Literal' &&
+                node.init.arguments[0].value === 'child_process') {
+                for (const prop of node.id.properties) {
+                    if (prop.type === 'Property' && prop.key.type === 'Identifier') {
+                        importedMethods.add(prop.value.type === 'Identifier' ? prop.value.name : prop.key.name);
+                    }
+                }
+            }
+        };
+        return {
+            CallExpression: checkChildProcessCall,
+            ImportDeclaration: trackChildProcessImport,
+            VariableDeclarator: trackChildProcessRequire
+        };
+    },
+});

package/src/rules/detect-eval-with-expression/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow eval with literal strings. Default: false (stricter) */
+    allowLiteralStrings?: boolean;
+    /** Additional functions to treat as eval-like */
+    additionalEvalFunctions?: string[];
+    /** Strategy for fixing eval usage: 'remove', 'refactor', 'validate', or 'auto' */
+    strategy?: 'remove' | 'refactor' | 'validate' | 'auto';
+}
+export declare const detectEvalWithExpression: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;