npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-missing-cors-check/index.js ADDED Viewed

@@ -0,0 +1,399 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noMissingCorsCheck = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, ignorePatterns) {
+    return ignorePatterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+exports.noMissingCorsCheck = (0, eslint_devkit_2.createRule)({
+    name: 'no-missing-cors-check',
+    meta: {
+        type: 'problem',
+        deprecated: true,
+        replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
+        docs: {
+            description: 'Detects missing CORS validation (wildcard CORS, missing origin check)',
+        },
+        hasSuggestions: true,
+        messages: {
+            missingCorsCheck: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Missing CORS Validation',
+                cwe: 'CWE-346',
+                description: 'Missing CORS validation detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/346.html',
+            }),
+            useOriginValidation: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Origin',
+                description: 'Validate CORS origin',
+                severity: 'LOW',
+                fix: 'cors({ origin: (origin, cb) => allowedOrigins.includes(origin) ? cb(null, true) : cb(new Error()) })',
+                documentationLink: 'https://github.com/expressjs/cors#configuration-options',
+            }),
+            useCorsMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use CORS Middleware',
+                description: 'Use CORS middleware with origin validation',
+                severity: 'LOW',
+                fix: 'app.use(cors({ origin: allowedOrigins }))',
+                documentationLink: 'https://github.com/expressjs/cors',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow missing CORS checks in test files',
+                    },
+                    trustedLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Custom CORS libraries to trust (wildcard origins in these libraries will not be reported)',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            trustedLibraries: [], // Empty by default - users can add custom CORS libraries they trust
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, trustedLibraries: corsTrustedLibraries = [], ignorePatterns = [], } = options;
+        const trustedLibraries = corsTrustedLibraries;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkLiteral(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for wildcard CORS origin
+            if (node.value === '*' && typeof node.value === 'string') {
+                const text = sourceCode.getText(node);
+                // Check if it matches any ignore pattern
+                if (matchesIgnorePattern(text, ignorePatterns)) {
+                    return;
+                }
+                // Check if it's in contexts handled by other checkers
+                // 1. setHeader/header calls - checkMemberExpression handles these
+                // 2. app.use(cors({ origin: "*" })) - checkCallExpression handles these with suggestions
+                let shouldSkip = false;
+                let current = node;
+                while (current && current.parent) {
+                    current = current.parent;
+                    if (current.type === 'CallExpression') {
+                        const callText = sourceCode.getText(current);
+                        // Check if it's a setHeader/header call with Access-Control-Allow-Origin
+                        // Skip these - checkMemberExpression handles them
+                        if (/\b(setHeader|header)\s*\(/i.test(callText) && /\bAccess-Control-Allow-Origin\b/i.test(callText)) {
+                            shouldSkip = true;
+                            break;
+                        }
+                        // Check if it's app.use(cors({ origin: "*" })) - checkCallExpression handles these with suggestions
+                        if (/\buse\s*\(/i.test(callText) && /\bcors\s*\(/i.test(callText)) {
+                            // Check if the literal is in an object property named "origin"
+                            if (node.parent && node.parent.type === 'Property') {
+                                const prop = node.parent;
+                                if (prop.key.type === 'Identifier' && prop.key.name === 'origin') {
+                                    shouldSkip = true;
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+                // Skip if it's in a context handled by another checker
+                if (shouldSkip) {
+                    return;
+                }
+                // Check if it's in a CORS-related context
+                // Only report if it's actually in a CORS configuration (app.use(cors(...)), etc.)
+                // Not just any object with origin: "*"
+                let isActualCorsContext = false;
+                // Check if it's in app.use(cors(...)) or similar
+                current = node;
+                while (current && current.parent) {
+                    current = current.parent;
+                    if (current.type === 'CallExpression') {
+                        const callText = sourceCode.getText(current);
+                        // Check if it's a CORS middleware call
+                        if (/\b(use|cors)\s*\(/i.test(callText) && /\bcors\s*\(/i.test(callText)) {
+                            isActualCorsContext = true;
+                            break;
+                        }
+                    }
+                }
+                // Also check if it's in an object property with name "origin" or "allowedOrigins"
+                // but only if it's in a CORS-related call expression
+                if (node.parent && node.parent.type === 'Property') {
+                    const prop = node.parent;
+                    if (prop.key.type === 'Identifier') {
+                        const keyName = prop.key.name.toLowerCase();
+                        if (keyName === 'origin' || keyName === 'allowedorigins') {
+                            // Check if this property is in a CORS call context
+                            let inCorsCall = false;
+                            let checkNode = prop;
+                            while (checkNode && checkNode.parent) {
+                                checkNode = checkNode.parent;
+                                if (checkNode.type === 'CallExpression') {
+                                    const callText = sourceCode.getText(checkNode);
+                                    if (/\bcors\s*\(/i.test(callText) ||
+                                        (/\buse\s*\(/i.test(callText) && /\bcors/i.test(callText))) {
+                                        inCorsCall = true;
+                                        break;
+                                    }
+                                }
+                            }
+                            if (inCorsCall) {
+                                // Always report wildcard CORS origin - it's never safe
+                                context.report({
+                                    node,
+                                    messageId: 'missingCorsCheck',
+                                    data: {
+                                        issue: 'Wildcard CORS origin (*) allows all origins',
+                                        safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
+                                    },
+                                    suggest: [
+                                        {
+                                            messageId: 'useOriginValidation',
+                                            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                            fix: (_fixer) => null,
+                                        },
+                                    ],
+                                });
+                                return;
+                            }
+                        }
+                    }
+                }
+                // Only report if it's in an actual CORS context
+                if (isActualCorsContext) {
+                    // Always report wildcard CORS origin - it's never safe
+                    context.report({
+                        node,
+                        messageId: 'missingCorsCheck',
+                        data: {
+                            issue: 'Wildcard CORS origin (*) allows all origins',
+                            safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'useOriginValidation',
+                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                fix: (_fixer) => null,
+                            },
+                        ],
+                    });
+                }
+            }
+        }
+        function checkCallExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for app.use(cors({ origin: "*" })) or similar
+            if (node.callee.type === 'MemberExpression') {
+                const property = node.callee.property;
+                if (property.type === 'Identifier' && property.name === 'use') {
+                    // Check if CORS is being used
+                    const text = sourceCode.getText(node);
+                    // Check if it matches any ignore pattern
+                    if (matchesIgnorePattern(text, ignorePatterns)) {
+                        return;
+                    }
+                    // Check if it's a CORS middleware call
+                    // Check for cors() or trusted library calls
+                    const firstArg = node.arguments.length > 0 ? node.arguments[0] : null;
+                    let isCorsCall = /\bcors\s*\(/i.test(text);
+                    if (!isCorsCall && firstArg && firstArg.type === 'CallExpression' && firstArg.callee.type === 'Identifier') {
+                        const callee = firstArg.callee;
+                        const calleeName = callee.name.toLowerCase();
+                        // Check if it's the standard 'cors' library or a trusted library
+                        isCorsCall = calleeName === 'cors' || trustedLibraries.some(lib => {
+                            return calleeName.includes(lib.toLowerCase());
+                        });
+                    }
+                    // Check if it's a trusted library - skip if explicitly trusted
+                    let isTrustedLibrary = false;
+                    if (firstArg && firstArg.type === 'CallExpression' && firstArg.callee.type === 'Identifier') {
+                        const calleeName = firstArg.callee.name.toLowerCase();
+                        isTrustedLibrary = trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()));
+                    }
+                    if (isTrustedLibrary) {
+                        return; // Trusted library, skip
+                    }
+                    // Check if it's a CORS call
+                    if (/\bcors\s*\(/i.test(text) || isCorsCall) {
+                        // Check arguments for wildcard origin
+                        // For app.use(cors({ origin: "*" })), we need to check the arguments to cors(), not app.use()
+                        const corsCallArg = firstArg && firstArg.type === 'CallExpression' ? firstArg : null;
+                        const argsToCheck = corsCallArg ? corsCallArg.arguments : node.arguments;
+                        for (const arg of argsToCheck) {
+                            if (arg.type === 'ObjectExpression') {
+                                // Check for origin property with wildcard value
+                                for (const prop of arg.properties) {
+                                    if (prop.type === 'Property' &&
+                                        prop.key.type === 'Identifier' &&
+                                        prop.key.name === 'origin' &&
+                                        prop.value.type === 'Literal' &&
+                                        prop.value.value === '*') {
+                                        context.report({
+                                            node: prop.value,
+                                            messageId: 'missingCorsCheck',
+                                            data: {
+                                                issue: 'Wildcard CORS origin (*) allows all origins',
+                                                safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
+                                            },
+                                            suggest: [
+                                                {
+                                                    messageId: 'useOriginValidation',
+                                                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                                    fix: (_fixer) => null,
+                                                },
+                                            ],
+                                        });
+                                    }
+                                }
+                            }
+                            else if (arg.type === 'Identifier') {
+                                // Check if this identifier was assigned an object literal with origin: "*"
+                                // For cases like: const config = { origin: "*" }; app.use(cors(config));
+                                const varName = arg.name;
+                                // Traverse the AST to find the variable declaration
+                                let current = node;
+                                while (current) {
+                                    if (current.type === 'Program' || current.type === 'FunctionDeclaration' || current.type === 'FunctionExpression' || current.type === 'ArrowFunctionExpression') {
+                                        // Search for variable declarations in this scope
+                                        const scopeBody = current.type === 'Program' ? current.body :
+                                            (current.type === 'FunctionDeclaration' || current.type === 'FunctionExpression' || current.type === 'ArrowFunctionExpression') ?
+                                                (current.body.type === 'BlockStatement' ? current.body.body : []) : [];
+                                        for (const stmt of scopeBody) {
+                                            if (stmt.type === 'VariableDeclaration') {
+                                                for (const declarator of stmt.declarations) {
+                                                    if (declarator.id.type === 'Identifier' && declarator.id.name === varName && declarator.init) {
+                                                        // Check if init is an object literal with origin: "*"
+                                                        if (declarator.init.type === 'ObjectExpression') {
+                                                            for (const prop of declarator.init.properties) {
+                                                                if (prop.type === 'Property' &&
+                                                                    prop.key.type === 'Identifier' &&
+                                                                    prop.key.name === 'origin' &&
+                                                                    prop.value.type === 'Literal' &&
+                                                                    prop.value.value === '*') {
+                                                                    context.report({
+                                                                        node: arg,
+                                                                        messageId: 'missingCorsCheck',
+                                                                        data: {
+                                                                            issue: 'Wildcard CORS origin (*) allows all origins',
+                                                                            safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
+                                                                        },
+                                                                        suggest: [
+                                                                            {
+                                                                                messageId: 'useOriginValidation',
+                                                                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                                                                fix: (_fixer) => null,
+                                                                            },
+                                                                        ],
+                                                                    });
+                                                                    return; // Found and reported, exit
+                                                                }
+                                                            }
+                                                        }
+                                                    }
+                                                }
+                                            }
+                                        }
+                                        break; // Only check the immediate scope
+                                    }
+                                    if (current.parent) {
+                                        current = current.parent;
+                                    }
+                                    else {
+                                        break;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        function checkMemberExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for Access-Control-Allow-Origin header without validation
+            if (node.property.type === 'Identifier') {
+                const propertyName = node.property.name;
+                if (propertyName === 'setHeader' || propertyName === 'header') {
+                    // Check if it matches any ignore pattern
+                    const text = sourceCode.getText(node);
+                    if (matchesIgnorePattern(text, ignorePatterns)) {
+                        return;
+                    }
+                    // Check if it's setting CORS headers
+                    // Need to check the full call expression, not just the member expression
+                    const parent = node.parent;
+                    if (parent && parent.type === 'CallExpression') {
+                        const callText = sourceCode.getText(parent);
+                        if (/\bAccess-Control-Allow-Origin\b/i.test(callText)) {
+                            // Check if the value is a wildcard
+                            const args = parent.arguments;
+                            if (args.length >= 2 && args[1].type === 'Literal' && args[1].value === '*') {
+                                context.report({
+                                    node: args[1],
+                                    messageId: 'missingCorsCheck',
+                                    data: {
+                                        issue: 'Wildcard CORS header allows all origins',
+                                        safeAlternative: 'Validate origin before setting header: res.setHeader("Access-Control-Allow-Origin", allowedOrigins.includes(origin) ? origin : "null");',
+                                    },
+                                    suggest: [
+                                        {
+                                            messageId: 'useOriginValidation',
+                                            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                            fix: (_fixer) => null,
+                                        },
+                                    ],
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            Literal: checkLiteral,
+            CallExpression: checkCallExpression,
+            MemberExpression: checkMemberExpression,
+        };
+    },
+});

package/src/rules/no-missing-csrf-protection/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Allow missing CSRF protection in test files. Default: false */
+    allowInTests?: boolean;
+    /** CSRF middleware patterns to recognize. Default: ['csrf', 'csurf', 'csrfProtection', 'verifyCsrfToken'] */
+    csrfMiddlewarePatterns?: string[];
+    /** HTTP methods that require CSRF protection. Default: ['post', 'put', 'delete', 'patch'] */
+    protectedMethods?: string[];
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noMissingCsrfProtection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-missing-csrf-protection/index.js ADDED Viewed

@@ -0,0 +1,180 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noMissingCsrfProtection = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Default CSRF middleware patterns
+ */
+const DEFAULT_CSRF_MIDDLEWARE_PATTERNS = [
+    'csrf',
+    'csurf',
+    'csrfProtection',
+    'verifyCsrfToken',
+    'csrfToken',
+    'validateCsrf',
+    'checkCsrf',
+    'csrfMiddleware',
+];
+/**
+ * Default HTTP methods that require CSRF protection
+ */
+const DEFAULT_PROTECTED_METHODS = ['post', 'put', 'delete', 'patch'];
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, patterns) {
+    return patterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return text.toLowerCase().includes(pattern.toLowerCase());
+        }
+    });
+}
+exports.noMissingCsrfProtection = (0, eslint_devkit_2.createRule)({
+    name: 'no-missing-csrf-protection',
+    meta: {
+        type: 'problem',
+        deprecated: true,
+        replacedBy: ['@see eslint-plugin-express-security/require-csrf-protection'],
+        docs: {
+            description: 'Detects missing CSRF token validation in POST/PUT/DELETE requests',
+        },
+        hasSuggestions: true,
+        messages: {
+            missingCsrfProtection: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Missing CSRF Protection',
+                cwe: 'CWE-352',
+                description: 'Missing CSRF protection detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/352.html',
+            }),
+            addCsrfValidation: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add CSRF Validation',
+                description: 'Add CSRF middleware',
+                severity: 'LOW',
+                fix: 'app.use(csrf({ cookie: true }))',
+                documentationLink: 'https://github.com/expressjs/csurf',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow missing CSRF protection in test files',
+                    },
+                    csrfMiddlewarePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'CSRF middleware patterns to recognize',
+                    },
+                    protectedMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'HTTP methods that require CSRF protection',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            csrfMiddlewarePatterns: [],
+            protectedMethods: [],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, csrfMiddlewarePatterns, protectedMethods: customProtectedMethods, ignorePatterns = [], } = options;
+        const csrfPatterns = csrfMiddlewarePatterns && csrfMiddlewarePatterns.length > 0
+            ? csrfMiddlewarePatterns
+            : DEFAULT_CSRF_MIDDLEWARE_PATTERNS;
+        const protectedMethods = customProtectedMethods && customProtectedMethods.length > 0
+            ? customProtectedMethods
+            : DEFAULT_PROTECTED_METHODS;
+        // Pre-compute Set for O(1) lookups (performance optimization)
+        const protectedMethodsSet = new Set(protectedMethods.map(m => m.toLowerCase()));
+        const filename = context.filename;
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode;
+        function checkCallExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            const callee = node.callee;
+            const callText = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(callText, ignorePatterns)) {
+                return;
+            }
+            // Check for route handler methods (app.post, router.put, etc.)
+            if (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression && callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                const methodName = callee.property.name;
+                // Only check if it's a route handler that requires CSRF (O(1) Set lookup)
+                if (protectedMethodsSet.has(methodName.toLowerCase())) {
+                    // Must have at least 2 arguments (path and handler)
+                    if (node.arguments.length < 2) {
+                        return;
+                    }
+                    // Check if CSRF middleware is in the route chain arguments
+                    let hasCsrfInChain = false;
+                    // Check if any argument (after the first path argument) is a CSRF middleware
+                    // Skip the first argument (path) and check the rest
+                    for (let i = 1; i < node.arguments.length; i++) {
+                        const arg = node.arguments[i];
+                        const argText = sourceCode.getText(arg);
+                        if (csrfPatterns.some(pattern => argText.toLowerCase().includes(pattern.toLowerCase()))) {
+                            hasCsrfInChain = true;
+                            break;
+                        }
+                    }
+                    if (!hasCsrfInChain) {
+                        context.report({
+                            node,
+                            messageId: 'missingCsrfProtection',
+                            data: {
+                                issue: `${methodName.toUpperCase()} route handler missing CSRF protection`,
+                                safeAlternative: `Add CSRF middleware: app.${methodName}("/path", csrf(), handler) or use app.use(csrf()) globally`,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'addCsrfValidation',
+                                    fix(fixer) {
+                                        // Add CSRF middleware after the first argument (path)
+                                        const firstArg = node.arguments[0];
+                                        if (firstArg) {
+                                            return fixer.insertTextAfter(firstArg, ', csrf()');
+                                        }
+                                        return null;
+                                    },
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});

package/src/rules/no-missing-security-headers/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Required security headers. Default: ['Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options'] */
+    requiredHeaders?: string[];
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+}
+export declare const noMissingSecurityHeaders: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;