eslint-plugin-secure-coding 2.3.3 → 2.4.0

package/src/rules/no-missing-security-headers/index.js

@@ -0,0 +1,218 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noMissingSecurityHeaders = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const DEFAULT_REQUIRED_HEADERS = [
+    'Content-Security-Policy',
+    'X-Frame-Options',
+    'X-Content-Type-Options',
+];
+/**
+ * Extract header name from setHeader call
+ */
+function extractHeaderName(node) {
+    if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
+        return String(node.arguments[0].value);
+    }
+    return null;
+}
+/**
+ * Check if all security headers are set in the current scope
+ */
+function checkFunctionForSecurityHeaders(node, requiredHeaders, context) {
+    const setHeaders = new Set();
+    // Find the function that contains this setHeader call
+    let current = node;
+    let scopeNode = null;
+    while (current) {
+        if (current.type === 'FunctionDeclaration' ||
+            current.type === 'FunctionExpression' ||
+            current.type === 'ArrowFunctionExpression') {
+            scopeNode = current;
+            break;
+        }
+        current = current.parent ?? null;
+    }
+    // If no function found, use the program scope (for test cases)
+    if (!scopeNode) {
+        scopeNode = context.sourceCode.ast;
+    }
+    // Collect all setHeader calls in this scope
+    function collectHeaders(node) {
+        if (node.type === 'CallExpression' &&
+            node.callee.type === 'MemberExpression' &&
+            node.callee.property.type === 'Identifier' &&
+            ['setHeader', 'header', 'set'].includes(node.callee.property.name)) {
+            const headerName = extractHeaderName(node);
+            if (headerName) {
+                setHeaders.add(headerName);
+            }
+        }
+        // Recursively check children - only traverse standard AST properties
+        if (node.type === 'Program' && node.body) {
+            node.body.forEach(collectHeaders);
+        }
+        else if ((node.type === 'FunctionDeclaration' ||
+            node.type === 'FunctionExpression' ||
+            node.type === 'ArrowFunctionExpression') && node.body) {
+            collectHeaders(node.body);
+        }
+        else if (node.type === 'BlockStatement' && node.body) {
+            node.body.forEach(collectHeaders);
+        }
+        else if (node.type === 'ExpressionStatement' && node.expression) {
+            collectHeaders(node.expression);
+        }
+    }
+    if (scopeNode) {
+        collectHeaders(scopeNode);
+    }
+    // Return missing headers
+    return requiredHeaders.filter(header => !setHeaders.has(header));
+}
+exports.noMissingSecurityHeaders = (0, eslint_devkit_2.createRule)({
+    name: 'no-missing-security-headers',
+    meta: {
+        type: 'problem',
+        deprecated: true,
+        replacedBy: ['@see eslint-plugin-express-security/require-helmet'],
+        docs: {
+            description: 'Detects missing security headers in HTTP responses',
+        },
+        hasSuggestions: true,
+        messages: {
+            missingSecurityHeader: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Missing security headers',
+                cwe: 'CWE-693',
+                description: 'Missing security headers: {{headers}}',
+                severity: 'HIGH',
+                fix: 'Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options',
+                documentationLink: 'https://owasp.org/www-project-secure-headers/',
+            }),
+            addSecurityHeaders: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add Security Headers',
+                description: 'Add security headers middleware',
+                severity: 'LOW',
+                fix: 'Add Content-Security-Policy, X-Frame-Options headers',
+                documentationLink: 'https://owasp.org/www-project-secure-headers/',
+            }),
+            useMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Helmet',
+                description: 'Use helmet.js for security headers',
+                severity: 'LOW',
+                fix: 'app.use(helmet())',
+                documentationLink: 'https://helmetjs.github.io/',
+            }),
+            setHeader: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Set Headers',
+                description: 'Set security headers manually',
+                severity: 'LOW',
+                fix: 'res.setHeader("X-Frame-Options", "DENY")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    requiredHeaders: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: DEFAULT_REQUIRED_HEADERS,
+                    },
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            requiredHeaders: DEFAULT_REQUIRED_HEADERS,
+            ignoreInTests: true,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { requiredHeaders = DEFAULT_REQUIRED_HEADERS, ignoreInTests = true, } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const reportedScopes = new Set();
+        /**
+         * Get a unique key for the current scope
+         */
+        function getScopeKey(node) {
+            // Find the function that contains this call
+            let current = node;
+            while (current) {
+                if (current.type === 'FunctionDeclaration' ||
+                    current.type === 'FunctionExpression' ||
+                    current.type === 'ArrowFunctionExpression') {
+                    return `${current.range?.[0]}-${current.range?.[1]}`;
+                }
+                current = current.parent ?? null;
+            }
+            // If no function found, use program scope
+            return 'program';
+        }
+        /**
+         * Check for response header setting
+         */
+        function checkCallExpression(node) {
+            // Check for res.setHeader, res.header, res.set
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property.type === 'Identifier') {
+                const methodName = node.callee.property.name;
+                if (['setHeader', 'header', 'set'].includes(methodName)) {
+                    const scopeKey = getScopeKey(node);
+                    // Only check once per scope
+                    if (reportedScopes.has(scopeKey)) {
+                        return;
+                    }
+                    const missing = checkFunctionForSecurityHeaders(node, requiredHeaders, context);
+                    if (missing.length > 0) {
+                        reportedScopes.add(scopeKey);
+                        context.report({
+                            node,
+                            messageId: 'missingSecurityHeader',
+                            data: {
+                                headers: missing.join(', '),
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'addSecurityHeaders',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'useMiddleware',
+                                    fix: () => null,
+                                },
+                                {
+                                    messageId: 'setHeader',
+                                    fix: () => null,
+                                },
+                            ],
+                        });
+                    }
+                    else {
+                        // Mark as checked even if no error
+                        reportedScopes.add(scopeKey);
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});

package/src/rules/no-password-in-url/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent passwords in URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+export interface Options {
+}
+export declare const noPasswordInUrl: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-password-in-url/index.js

@@ -0,0 +1,54 @@
+"use strict";
+/**
+ * @fileoverview Prevent passwords in URLs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPasswordInUrl = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noPasswordInUrl = (0, eslint_devkit_1.createRule)({
+    name: 'no-password-in-url',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent passwords in URLs',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M3'],
+            cweIds: ["CWE-598"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-521',
+                description: 'Prevent passwords in URLs detected - this is a security risk',
+                severity: 'CRITICAL',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({
+                node,
+                messageId: 'violationDetected',
+            });
+        }
+        return {
+            Literal(node) {
+                // Check for http://user:password@host patterns
+                if (node.type === 'Literal' && typeof node.value === 'string') {
+                    const urlPattern = /https?:\/\/[^:]+:[^@]+@/;
+                    if (urlPattern.test(node.value)) {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-permissive-cors/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent overly permissive CORS configuration
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/942.html
+ */
+export interface Options {
+}
+export declare const noPermissiveCors: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-permissive-cors/index.js

@@ -0,0 +1,65 @@
+"use strict";
+/**
+ * @fileoverview Prevent overly permissive CORS configuration
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/942.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPermissiveCors = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
+    name: 'no-permissive-cors',
+    meta: {
+        type: 'problem',
+        deprecated: true,
+        replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
+        docs: {
+            description: 'Prevent overly permissive CORS configuration',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M8'],
+            cweIds: ["CWE-942"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-942',
+                description: 'Prevent overly permissive CORS configuration detected - this is a security risk',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/942.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({
+                node,
+                messageId: 'violationDetected',
+            });
+        }
+        return {
+            CallExpression(node) {
+                // Check for Access-Control-Allow-Origin: *
+                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
+                    node.callee.property?.name === 'setHeader' &&
+                    node.arguments[0]?.value === 'Access-Control-Allow-Origin' &&
+                    node.arguments[1]?.value === '*') {
+                    report(node);
+                }
+                // Check cors({ origin: '*' })
+                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
+                    node.callee.name === 'cors' &&
+                    node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
+                    const originProp = node.arguments[0].properties.find(p => p.key?.name === 'origin');
+                    if (originProp?.value.type === 'Literal' && originProp.value.value === '*') {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-pii-in-logs/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+export interface Options {
+}
+export declare const noPiiInLogs: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-pii-in-logs/index.js

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPiiInLogs = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
+    name: 'no-pii-in-logs',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent PII (email, SSN, credit cards) in console logs',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M6'],
+            cweIds: ["CWE-532"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-359',
+                description: 'Prevent PII (email, SSN, credit cards) in console logs detected - this is a security risk',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({
+                node,
+                messageId: 'violationDetected',
+            });
+        }
+        return {
+            CallExpression(node) {
+                // Check console.log/error/warn calls
+                if (node.type === 'CallExpression' &&
+                    node.callee.type === 'MemberExpression' &&
+                    node.callee.object.name === 'console' &&
+                    ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
+                    // Check arguments for PII-related property access
+                    for (const arg of node.arguments) {
+                        if (arg.type === 'MemberExpression') {
+                            const propName = arg.property.name?.toLowerCase();
+                            const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
+                            if (piiProps.some(p => propName?.includes(p))) {
+                                report(node);
+                            }
+                        }
+                        // Check string literals mentioning PII
+                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                            const text = arg.value.toLowerCase();
+                            if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
+                                report(node);
+                            }
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-privilege-escalation/index.d.ts

@@ -0,0 +1,13 @@
+export interface Options {
+    /** Allow privilege escalation patterns in test files. Default: false */
+    allowInTests?: boolean;
+    /** Test file pattern regex string. Default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$' */
+    testFilePattern?: string;
+    /** Role check patterns to recognize. Default: ['hasRole', 'checkRole', 'isAdmin', 'isAuthorized'] */
+    roleCheckPatterns?: string[];
+    /** User input patterns that should be validated. Default: ['req.body', 'req.query', 'req.params'] */
+    userInputPatterns?: string[];
+    /** Additional patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noPrivilegeEscalation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;