npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-privilege-escalation/index.js ADDED Viewed

@@ -0,0 +1,321 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPrivilegeEscalation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Common role check patterns
+ */
+const DEFAULT_ROLE_CHECK_PATTERNS = [
+    'hasRole',
+    'checkRole',
+    'isAdmin',
+    'isAuthorized',
+    'hasPermission',
+    'checkPermission',
+    'verifyRole',
+    'requireRole',
+];
+/**
+ * Common user input patterns
+ */
+const DEFAULT_USER_INPUT_PATTERNS = [
+    /\breq\.(body|query|params)\b/,
+    /\brequest\.(body|query|params)\b/,
+    /\buserInput\b/,
+    /\binput\b/,
+];
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, patterns) {
+    return patterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            // Invalid regex - treat as literal string match
+            return text.toLowerCase().includes(pattern.toLowerCase());
+        }
+    });
+}
+/**
+ * Check if a node contains user input patterns
+ */
+function containsUserInput(node, sourceCode, userInputPatterns) {
+    const text = sourceCode.getText(node);
+    return userInputPatterns.some(pattern => pattern.test(text));
+}
+/**
+ * Check if a node is inside a role check call
+ */
+function isInsideRoleCheck(node, sourceCode, roleCheckPatterns) {
+    let current = node;
+    while (current) {
+        // Check if current is inside an IfStatement with role check in condition
+        if (current.parent && current.parent.type === 'IfStatement') {
+            const ifStmt = current.parent;
+            const conditionText = sourceCode.getText(ifStmt.test);
+            // Check if condition contains role check patterns (text-based check catches all patterns)
+            if (roleCheckPatterns.some(pattern => conditionText.toLowerCase().includes(pattern.toLowerCase()))) {
+                return true;
+            }
+        }
+        // Check if current is inside a ConditionalExpression (ternary) with role check
+        if (current.parent && current.parent.type === 'ConditionalExpression') {
+            const condExpr = current.parent;
+            const testText = sourceCode.getText(condExpr.test);
+            // Check if test contains role check patterns (text-based check catches all patterns)
+            if (roleCheckPatterns.some(pattern => testText.toLowerCase().includes(pattern.toLowerCase()))) {
+                return true;
+            }
+        }
+        // Check if current is inside a CallExpression with role check
+        if (current.parent && current.parent.type === 'CallExpression') {
+            const callExpr = current.parent;
+            const callee = callExpr.callee;
+            if (callee.type === 'Identifier') {
+                const calleeName = callee.name.toLowerCase();
+                if (roleCheckPatterns.some(pattern => calleeName.includes(pattern.toLowerCase()))) {
+                    return true;
+                }
+            }
+            if (callee.type === 'MemberExpression' && callee.property.type === 'Identifier') {
+                const propertyName = callee.property.name.toLowerCase();
+                if (roleCheckPatterns.some(pattern => propertyName.includes(pattern.toLowerCase()))) {
+                    return true;
+                }
+            }
+        }
+        // Traverse up the AST
+        if ('parent' in current && current.parent) {
+            current = current.parent;
+        }
+        else {
+            break;
+        }
+    }
+    return false;
+}
+exports.noPrivilegeEscalation = (0, eslint_devkit_2.createRule)({
+    name: 'no-privilege-escalation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects potential privilege escalation vulnerabilities',
+        },
+        hasSuggestions: true,
+        messages: {
+            privilegeEscalation: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Privilege Escalation',
+                cwe: 'CWE-269',
+                description: 'Potential privilege escalation: {{issue}} - user input used without role validation',
+                severity: 'HIGH',
+                fix: 'Add role check before using user input: if (!hasRole(user, requiredRole)) throw new Error("Unauthorized");',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/269.html',
+            }),
+            addRoleCheck: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add Role Check',
+                description: 'Add role check before privilege operations',
+                severity: 'LOW',
+                fix: 'if (!hasRole(user, requiredRole)) throw new Error("Unauthorized")',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/269.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow privilege escalation patterns in test files',
+                    },
+                    testFilePattern: {
+                        type: 'string',
+                        default: '\\.(test|spec)\\.(ts|tsx|js|jsx)$',
+                        description: 'Test file pattern regex string',
+                    },
+                    roleCheckPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: DEFAULT_ROLE_CHECK_PATTERNS,
+                        description: 'Role check patterns to recognize',
+                    },
+                    userInputPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional user input patterns to check (regex strings)',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            testFilePattern: '\\.(test|spec)\\.(ts|tsx|js|jsx)$',
+            roleCheckPatterns: DEFAULT_ROLE_CHECK_PATTERNS,
+            userInputPatterns: [],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, testFilePattern = '\\.(test|spec)\\.(ts|tsx|js|jsx)$', roleCheckPatterns = DEFAULT_ROLE_CHECK_PATTERNS, userInputPatterns: additionalUserInputPatterns = [], ignorePatterns = [], } = options;
+        const filename = context.getFilename();
+        const testFileRegex = new RegExp(testFilePattern);
+        const isTestFile = allowInTests && testFileRegex.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        // Combine default and additional user input patterns
+        const userInputPatterns = [
+            ...DEFAULT_USER_INPUT_PATTERNS,
+            ...additionalUserInputPatterns.map(pattern => new RegExp(pattern, 'i')),
+        ];
+        /**
+         * Check AssignmentExpression for privilege escalation
+         */
+        function checkAssignmentExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for role assignment from user input
+            // Pattern: user.role = req.body.role
+            if (node.left.type === 'MemberExpression' &&
+                node.left.property.type === 'Identifier') {
+                const propertyName = node.left.property.name.toLowerCase();
+                // Check if it's a role/permission related property
+                if (['role', 'permission', 'privilege', 'access', 'level'].includes(propertyName)) {
+                    const text = sourceCode.getText(node);
+                    // Check if it matches any ignore pattern
+                    if (matchesIgnorePattern(text, ignorePatterns)) {
+                        return;
+                    }
+                    // Check if right side contains user input
+                    if (containsUserInput(node.right, sourceCode, userInputPatterns)) {
+                        // Check if it's inside a role check
+                        if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+                            context.report({
+                                node: node,
+                                messageId: 'privilegeEscalation',
+                                data: {
+                                    issue: `Role assignment from user input: ${sourceCode.getText(node.left)} = ${sourceCode.getText(node.right)}`,
+                                },
+                                suggest: [
+                                    {
+                                        messageId: 'addRoleCheck',
+                                        fix: () => null,
+                                    },
+                                ],
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        /**
+         * Check CallExpression for privilege operations with user input
+         */
+        function checkCallExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for privilege-related function calls with user input
+            const callee = node.callee;
+            let isPrivilegeOperation = false;
+            let operationName = '';
+            if (callee.type === 'Identifier') {
+                const calleeName = callee.name.toLowerCase();
+                if (['setrole', 'grant', 'revoke', 'elevate', 'promote'].some(op => calleeName.includes(op))) {
+                    isPrivilegeOperation = true;
+                    operationName = callee.name;
+                }
+            }
+            if (callee.type === 'MemberExpression' && callee.property.type === 'Identifier') {
+                const propertyName = callee.property.name.toLowerCase();
+                if (['setrole', 'grant', 'revoke', 'elevate', 'promote', 'updaterole'].some(op => propertyName.includes(op))) {
+                    isPrivilegeOperation = true;
+                    operationName = propertyName;
+                }
+            }
+            if (isPrivilegeOperation) {
+                const text = sourceCode.getText(node);
+                // Check if it matches any ignore pattern
+                if (matchesIgnorePattern(text, ignorePatterns)) {
+                    return;
+                }
+                // Check if any argument contains user input
+                for (const arg of node.arguments) {
+                    if (containsUserInput(arg, sourceCode, userInputPatterns)) {
+                        // Check if it's inside a role check
+                        if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+                            context.report({
+                                node: node,
+                                messageId: 'privilegeEscalation',
+                                data: {
+                                    issue: `Privilege operation (${operationName}) with user input without role validation`,
+                                },
+                                suggest: [
+                                    {
+                                        messageId: 'addRoleCheck',
+                                        fix: () => null,
+                                    },
+                                ],
+                            });
+                            return; // Report once per call
+                        }
+                    }
+                }
+            }
+        }
+        /**
+         * Check ObjectExpression for role assignment in objects (e.g. arguments)
+         */
+        function checkObjectExpression(node) {
+            if (isTestFile)
+                return;
+            for (const prop of node.properties) {
+                if (prop.type === 'Property' && prop.key.type === 'Identifier') {
+                    const keyName = prop.key.name.toLowerCase();
+                    if (['role', 'permission', 'privilege', 'access', 'level'].includes(keyName)) {
+                        const text = sourceCode.getText(prop);
+                        if (matchesIgnorePattern(text, ignorePatterns))
+                            continue;
+                        if (containsUserInput(prop.value, sourceCode, userInputPatterns)) {
+                            if (!isInsideRoleCheck(node, sourceCode, roleCheckPatterns)) {
+                                context.report({
+                                    node: prop,
+                                    messageId: 'privilegeEscalation',
+                                    data: {
+                                        issue: `Role assignment in object from user input: ${sourceCode.getText(prop)}`,
+                                    },
+                                    suggest: [
+                                        {
+                                            messageId: 'addRoleCheck',
+                                            fix: () => null, // No auto-fix for logic
+                                        },
+                                    ],
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            AssignmentExpression: checkAssignmentExpression,
+            CallExpression: checkCallExpression,
+            ObjectExpression: checkObjectExpression,
+        };
+    },
+});

package/src/rules/no-redos-vulnerable-regex/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Allow certain common patterns. Default: false */
+    allowCommonPatterns?: boolean;
+    /** Maximum pattern length to analyze. Default: 500 */
+    maxPatternLength?: number;
+}
+export declare const noRedosVulnerableRegex: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-redos-vulnerable-regex/index.js ADDED Viewed

@@ -0,0 +1,306 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noRedosVulnerableRegex = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+// Type guard for regex literal nodes
+const isRegExpLiteral = (node) => {
+    return node.type === 'Literal' && Object.prototype.hasOwnProperty.call(node, 'regex');
+};
+const REDOS_PATTERNS = [
+    {
+        pattern: /\([^)]*\+\)\+|\([^)]*\*\)\*|\([^)]*\?\)\?/,
+        name: 'Nested Quantifiers',
+        description: 'Nested quantifiers like (a+)+, (a*)*, (a?)? cause exponential backtracking',
+        example: {
+            bad: '/(a+)+b/',
+            good: '/(?>a+)b/ or /a+b/'
+        },
+        fix: 'Use atomic groups (?>...) or restructure to avoid nesting',
+        severity: 'critical'
+    },
+    {
+        pattern: /\([^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\*/,
+        name: 'Nested Repetition',
+        description: 'Quantifiers nested within groups with quantifiers',
+        example: {
+            bad: '/(x+)+y/',
+            good: '/x+y/'
+        },
+        fix: 'Flatten nested quantifiers',
+        severity: 'critical'
+    },
+    {
+        pattern: /\([^)]*\|[^)]*\)\+|\([^)]*\|[^)]*\)\*/,
+        name: 'Alternation with Quantifier',
+        description: 'Alternation groups with quantifiers can cause backtracking',
+        example: {
+            bad: '/(a|b)+c/',
+            good: '/[ab]+c/'
+        },
+        fix: 'Use character classes instead of alternation when possible',
+        severity: 'high'
+    },
+    {
+        pattern: /\.\*\.\*|\.\+\+\.\+/,
+        name: 'Nested Wildcards',
+        description: 'Nested wildcard quantifiers cause catastrophic backtracking',
+        example: {
+            bad: '/.*.*/',
+            good: '/.*/ or be more specific'
+        },
+        fix: 'Remove redundant wildcards or be more specific',
+        severity: 'critical'
+    },
+    {
+        pattern: /\([^)]*\)\{[0-9]+,\}[^)]*\([^)]*\)\{[0-9]+,\}/,
+        name: 'Multiple Repetition Groups',
+        description: 'Multiple repetition groups can cause exponential backtracking',
+        example: {
+            bad: '/(a{2,})+(b{2,})+/',
+            good: 'Restructure to avoid nested repetitions'
+        },
+        fix: 'Restructure regex to avoid nested repetitions',
+        severity: 'high'
+    }
+];
+/**
+ * Check if a regex pattern contains ReDoS vulnerabilities
+ */
+function hasReDoSVulnerability(pattern) {
+    for (const redosPattern of REDOS_PATTERNS) {
+        if (redosPattern.pattern.test(pattern)) {
+            return redosPattern;
+        }
+    }
+    // Additional checks for common ReDoS patterns
+    // Nested quantifiers: (a+)+, (a*)*, (a?)?
+    if (/(\([^)]*[+*?][^)]*\)[+*?])/.test(pattern)) {
+        return {
+            pattern: /\([^)]*[+*?][^)]*\)[+*?]/,
+            name: 'Nested Quantifier Pattern',
+            description: 'Pattern contains nested quantifiers that can cause exponential backtracking',
+            example: {
+                bad: pattern.substring(0, 30),
+                good: 'Restructure to avoid nested quantifiers'
+            },
+            fix: 'Use atomic groups or restructure regex',
+            severity: 'critical'
+        };
+    }
+    return null;
+}
+/**
+ * Generate fix suggestions based on the vulnerability
+ */
+function generateFixSuggestions(vulnerability) {
+    const suggestions = [];
+    if (vulnerability.severity === 'critical' || vulnerability.name.includes('Nested')) {
+        suggestions.push({
+            messageId: 'useAtomicGroups',
+            description: vulnerability.fix
+        });
+        suggestions.push({
+            messageId: 'restructureRegex',
+            description: 'Restructure the regex to avoid nested quantifiers'
+        });
+    }
+    if (vulnerability.name.includes('Quantifier')) {
+        suggestions.push({
+            messageId: 'usePossessiveQuantifiers',
+            description: 'Use possessive quantifiers (*+, ++, ?+) if supported'
+        });
+    }
+    suggestions.push({
+        messageId: 'useSafeLibrary',
+        description: 'Consider using safe-regex library to validate patterns'
+    });
+    return suggestions;
+}
+exports.noRedosVulnerableRegex = (0, eslint_devkit_2.createRule)({
+    name: 'no-redos-vulnerable-regex',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects ReDoS-vulnerable regex patterns in literal regex patterns',
+        },
+        hasSuggestions: true,
+        messages: {
+            redosVulnerable: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'ReDoS vulnerable regex',
+                cwe: 'CWE-400',
+                description: '{{vulnerabilityName}}: {{description}}',
+                severity: '{{severity}}',
+                fix: '{{fix}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useAtomicGroups: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Atomic Groups',
+                description: 'Use atomic groups to prevent backtracking',
+                severity: 'LOW',
+                fix: '(?>...) to prevent backtracking',
+                documentationLink: 'https://www.regular-expressions.info/atomic.html',
+            }),
+            usePossessiveQuantifiers: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Possessive Quantifiers',
+                description: 'Use possessive quantifiers',
+                severity: 'LOW',
+                fix: '*+, ++, ?+ (if supported)',
+                documentationLink: 'https://www.regular-expressions.info/possessive.html',
+            }),
+            restructureRegex: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Restructure Regex',
+                description: 'Restructure to avoid nested quantifiers',
+                severity: 'LOW',
+                fix: 'Avoid (a+)+ patterns',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useSafeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use safe-regex',
+                description: 'Validate with safe-regex library',
+                severity: 'LOW',
+                fix: 'if (safeRegex(pattern)) { new RegExp(pattern) }',
+                documentationLink: 'https://github.com/substack/safe-regex',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowCommonPatterns: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow certain common patterns',
+                    },
+                    maxPatternLength: {
+                        type: 'number',
+                        default: 500,
+                        minimum: 1,
+                        description: 'Maximum pattern length to analyze',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowCommonPatterns: false,
+            maxPatternLength: 500,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowCommonPatterns = false, maxPatternLength = 500 } = options || {};
+        /**
+         * Check literal regex patterns for ReDoS vulnerabilities
+         */
+        function checkLiteralRegExp(node) {
+            if (!isRegExpLiteral(node)) {
+                return;
+            }
+            const pattern = node.regex.pattern;
+            // Skip if pattern is too long (performance)
+            if (pattern.length > maxPatternLength) {
+                return;
+            }
+            const vulnerability = hasReDoSVulnerability(pattern);
+            if (!vulnerability) {
+                return;
+            }
+            // Allow common patterns if configured
+            if (allowCommonPatterns && (vulnerability.severity === 'medium' || vulnerability.name === 'Alternation with Quantifier')) {
+                return;
+            }
+            const suggestions = generateFixSuggestions(vulnerability);
+            const severity = vulnerability.severity.toUpperCase();
+            context.report({
+                node,
+                messageId: 'redosVulnerable',
+                data: {
+                    vulnerabilityName: vulnerability.name,
+                    description: vulnerability.description,
+                    severity,
+                    fix: vulnerability.fix,
+                },
+                suggest: suggestions.map(suggestion => ({
+                    messageId: suggestion.messageId,
+                    fix: () => null, // Complex refactoring, cannot auto-fix
+                })),
+            });
+        }
+        /**
+         * Check new RegExp() calls for ReDoS vulnerabilities
+         */
+        function checkNewRegExp(node) {
+            // Check for new RegExp(pattern) or RegExp(pattern)
+            let callee;
+            if (node.type === 'NewExpression') {
+                callee = node.callee;
+            }
+            else if (node.type === 'CallExpression') {
+                callee = node.callee;
+            }
+            else {
+                /* c8 ignore next */
+                return;
+            }
+            const isRegExp = callee.type === 'Identifier' && callee.name === 'RegExp';
+            if (!isRegExp) {
+                /* c8 ignore next */
+                return;
+            }
+            // Check if first argument is a string literal
+            if (node.arguments.length === 0) {
+                /* c8 ignore next */
+                return;
+            }
+            const firstArg = node.arguments[0];
+            if (firstArg.type !== 'Literal' || typeof firstArg.value !== 'string') {
+                /* c8 ignore next */
+                return;
+            }
+            const pattern = firstArg.value;
+            // Skip if pattern is too long (performance)
+            if (pattern.length > maxPatternLength) {
+                /* c8 ignore next */
+                return;
+            }
+            const vulnerability = hasReDoSVulnerability(pattern);
+            if (!vulnerability) {
+                /* c8 ignore next */
+                return;
+            }
+            // Allow common patterns if configured
+            if (allowCommonPatterns && (vulnerability.severity === 'medium' || vulnerability.name === 'Alternation with Quantifier')) {
+                /* c8 ignore next */
+                return;
+            }
+            const suggestions = generateFixSuggestions(vulnerability);
+            const severity = vulnerability.severity.toUpperCase();
+            context.report({
+                node,
+                messageId: 'redosVulnerable',
+                data: {
+                    vulnerabilityName: vulnerability.name,
+                    description: vulnerability.description,
+                    severity,
+                    fix: vulnerability.fix,
+                },
+                suggest: suggestions.map(suggestion => ({
+                    messageId: suggestion.messageId,
+                    fix: () => null, // Complex refactoring, cannot auto-fix
+                })),
+            });
+        }
+        return {
+            Literal: checkLiteralRegExp,
+            CallExpression: checkNewRegExp,
+            NewExpression: checkNewRegExp,
+        };
+    },
+});

package/src/rules/no-sensitive-data-exposure/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Sensitive data patterns. Default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card'] */
+    sensitivePatterns?: string[];
+    /** Check console.log statements. Default: true */
+    checkConsoleLog?: boolean;
+    /** Check error messages. Default: true */
+    checkErrorMessages?: boolean;
+    /** Check API responses. Default: true */
+    checkApiResponses?: boolean;
+}
+export declare const noSensitiveDataExposure: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;