npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-sensitive-data-exposure/index.js ADDED Viewed

@@ -0,0 +1,250 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataExposure = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if string contains sensitive data patterns
+ */
+function containsSensitiveData(text, patterns) {
+    const lowerText = text.toLowerCase();
+    return patterns.some(pattern => lowerText.includes(pattern.toLowerCase()));
+}
+exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
+    name: 'no-sensitive-data-exposure',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects PII/credentials in logs, responses, or error messages',
+        },
+        hasSuggestions: true,
+        messages: {
+            sensitiveDataExposure: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Sensitive data exposure',
+                cwe: 'CWE-532',
+                description: 'Sensitive data detected in {{context}}: {{dataType}}',
+                severity: 'HIGH',
+                fix: 'Redact or mask sensitive data before logging/exposing',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            redactData: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Redact Data',
+                description: 'Redact sensitive data before logging',
+                severity: 'LOW',
+                fix: 'Redact sensitive fields before logging',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            useMasking: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Masking',
+                description: 'Use data masking function',
+                severity: 'LOW',
+                fix: 'maskSensitive(data)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+            removeFromLogs: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Remove From Logs',
+                description: 'Remove sensitive data from logs and errors',
+                severity: 'LOW',
+                fix: 'Filter sensitive data before logging',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/532.html',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    sensitivePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+                        description: 'Sensitive data patterns',
+                    },
+                    checkConsoleLog: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check console.log statements',
+                    },
+                    checkErrorMessages: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check error messages',
+                    },
+                    checkApiResponses: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Check API responses',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            sensitivePatterns: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+            checkConsoleLog: true,
+            checkErrorMessages: true,
+            checkApiResponses: true,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { sensitivePatterns = ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'], checkConsoleLog = true, checkErrorMessages = true, } = options || {};
+        /**
+         * Check CallExpression for logging calls with sensitive data
+         */
+        function checkCallExpression(node) {
+            // Check if it's a logging call (console.*, logger.*)
+            const isLoggingCall = (() => {
+                if (node.callee.type === 'MemberExpression') {
+                    const object = node.callee.object;
+                    const property = node.callee.property;
+                    if (property.type === 'Identifier') {
+                        const methodName = property.name.toLowerCase();
+                        if (['log', 'info', 'warn', 'error', 'debug', 'trace'].includes(methodName)) {
+                            // Check if it's console.* or logger.*
+                            if (object.type === 'Identifier') {
+                                const objName = object.name.toLowerCase();
+                                if (objName === 'console' || objName === 'logger') {
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+                }
+                else if (node.callee.type === 'Identifier') {
+                    // Check for logger.info() pattern
+                    const calleeName = node.callee.name.toLowerCase();
+                    if (calleeName.includes('log') || calleeName.includes('logger')) {
+                        return true;
+                    }
+                }
+                return false;
+            })();
+            if (isLoggingCall && checkConsoleLog) {
+                // Check if any argument contains sensitive data
+                for (const arg of node.arguments) {
+                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        const text = arg.value;
+                        if (containsSensitiveData(text, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'logs',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per call
+                        }
+                    }
+                    else if (arg.type === 'Identifier' && arg.name) {
+                        const name = arg.name.toLowerCase();
+                        if (containsSensitiveData(name, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'logs',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per call
+                        }
+                    }
+                }
+            }
+        }
+        /**
+         * Check NewExpression for Error with sensitive data
+         */
+        function checkNewExpression(node) {
+            if (!checkErrorMessages) {
+                return;
+            }
+            if (node.callee && node.callee.type === 'Identifier' && node.callee.name === 'Error') {
+                // Check all arguments for sensitive data (report only once per error)
+                for (const arg of node.arguments) {
+                    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        const text = arg.value;
+                        if (containsSensitiveData(text, sensitivePatterns)) {
+                            context.report({
+                                node: arg,
+                                messageId: 'sensitiveDataExposure',
+                                data: {
+                                    context: 'error messages',
+                                    dataType: 'password',
+                                },
+                                suggest: [
+                                    { messageId: 'redactData', fix: () => null },
+                                    { messageId: 'useMasking', fix: () => null },
+                                    { messageId: 'removeFromLogs', fix: () => null },
+                                ],
+                            });
+                            return; // Only report once per error
+                        }
+                    }
+                    else if (arg.type === 'BinaryExpression' && arg.operator === '+') {
+                        // Check left side if it's a literal
+                        if (arg.left && arg.left.type === 'Literal' && typeof arg.left.value === 'string') {
+                            const leftText = arg.left.value;
+                            if (containsSensitiveData(leftText, sensitivePatterns)) {
+                                context.report({
+                                    node: arg.left,
+                                    messageId: 'sensitiveDataExposure',
+                                    data: {
+                                        context: 'error messages',
+                                        dataType: 'password',
+                                    },
+                                    suggest: [
+                                        { messageId: 'redactData', fix: () => null },
+                                        { messageId: 'useMasking', fix: () => null },
+                                        { messageId: 'removeFromLogs', fix: () => null },
+                                    ],
+                                });
+                                return; // Only report once per error
+                            }
+                        }
+                        // Check right side if it's an identifier
+                        if (arg.right && arg.right.type === 'Identifier' && arg.right.name) {
+                            const rightName = arg.right.name.toLowerCase();
+                            if (containsSensitiveData(rightName, sensitivePatterns)) {
+                                context.report({
+                                    node: arg.right,
+                                    messageId: 'sensitiveDataExposure',
+                                    data: {
+                                        context: 'error messages',
+                                        dataType: 'password',
+                                    },
+                                    suggest: [
+                                        { messageId: 'redactData', fix: () => null },
+                                        { messageId: 'useMasking', fix: () => null },
+                                        { messageId: 'removeFromLogs', fix: () => null },
+                                    ],
+                                });
+                                return; // Only report once per error
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            CallExpression: checkCallExpression,
+            NewExpression: checkNewExpression,
+        };
+    },
+});

package/src/rules/no-sensitive-data-in-analytics/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent PII sent to analytics
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/359.html
+ */
+export interface Options {
+}
+export declare const noSensitiveDataInAnalytics: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-sensitive-data-in-analytics/index.js ADDED Viewed

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * @fileoverview Prevent PII sent to analytics
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/359.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataInAnalytics = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
+    name: 'no-sensitive-data-in-analytics',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent PII being sent to analytics services',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M6'],
+            cweIds: ['CWE-359'],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Sensitive Data in Analytics',
+                cwe: 'CWE-359',
+                description: 'Sensitive field sent to analytics - this is a privacy violation',
+                severity: 'HIGH',
+                fix: 'Remove PII from analytics tracking data',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        const sensitiveFields = ['email', 'ssn', 'creditcard', 'password', 'phone', 'address'];
+        function report(node, field) {
+            context.report({ node, messageId: 'violationDetected', data: { field } });
+        }
+        return {
+            CallExpression(node) {
+                // analytics.track() with sensitive data
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.name === 'analytics' &&
+                    node.callee.property.name === 'track') {
+                    const dataArg = node.arguments[1];
+                    if (dataArg?.type === 'ObjectExpression') {
+                        dataArg.properties.forEach(prop => {
+                            if (prop.type === 'Property') {
+                                const key = prop.key.name?.toLowerCase();
+                                const matchedField = sensitiveFields.find(f => key?.includes(f));
+                                if (matchedField) {
+                                    report(prop, matchedField);
+                                }
+                            }
+                        });
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-sensitive-data-in-cache/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent caching sensitive data without encryption
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/524.html
+ */
+export interface Options {
+}
+export declare const noSensitiveDataInCache: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-sensitive-data-in-cache/index.js ADDED Viewed

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * @fileoverview Prevent caching sensitive data without encryption
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/524.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataInCache = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noSensitiveDataInCache = (0, eslint_devkit_1.createRule)({
+    name: 'no-sensitive-data-in-cache',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent caching sensitive data without encryption',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M9'],
+            cweIds: ["CWE-524"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-200',
+                description: 'Prevent caching sensitive data without encryption detected - Sensitive data in cache',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        return {
+            CallExpression(node) {
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.property.type === 'Identifier' &&
+                    ['set', 'put', 'store'].includes(node.callee.property.name)) {
+                    const keyArg = node.arguments[0];
+                    if (keyArg && keyArg.type === 'Literal') {
+                        const key = keyArg.value.toString().toLowerCase();
+                        if (['password', 'token', 'credit', 'ssn'].some(k => key.includes(k))) {
+                            context.report({ node, messageId: 'violationDetected' });
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-toctou-vulnerability/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Ignore in test files. Default: true */
+    ignoreInTests?: boolean;
+    /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
+    fsMethods?: string[];
+}
+export declare const noToctouVulnerability: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-toctou-vulnerability/index.js ADDED Viewed

@@ -0,0 +1,208 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noToctouVulnerability = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noToctouVulnerability = (0, eslint_devkit_2.createRule)({
+    name: 'no-toctou-vulnerability',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
+        },
+        hasSuggestions: true,
+        messages: {
+            toctouVulnerability: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'TOCTOU vulnerability',
+                cwe: 'CWE-367',
+                description: 'Time-of-check Time-of-use race condition detected',
+                severity: 'HIGH',
+                fix: 'Use atomic operations or fs.promises for file operations',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
+            }),
+            useAtomicOperations: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Atomic Operations',
+                description: 'Use atomic file operations',
+                severity: 'LOW',
+                fix: 'fs.promises.access() then fs.promises.readFile()',
+                documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
+            }),
+            useFsPromises: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use fs.promises',
+                description: 'Use fs.promises API',
+                severity: 'LOW',
+                fix: 'await fs.promises.readFile() instead of sync operations',
+                documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
+            }),
+            addProperLocking: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add File Locking',
+                description: 'Add proper locking mechanism',
+                severity: 'LOW',
+                fix: 'Use proper-lockfile or similar for concurrent access',
+                documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    ignoreInTests: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    fsMethods: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            ignoreInTests: true,
+            fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { ignoreInTests = true } = options || {};
+        const filename = context.getFilename();
+        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        if (isTestFile) {
+            return {};
+        }
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check for TOCTOU patterns
+         */
+        function checkCallExpression(node) {
+            // 1. Identify the file operation (Use)
+            let useMethodName = '';
+            if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
+                const objectName = node.callee.object.type === 'Identifier' ? node.callee.object.name : '';
+                if (objectName === 'fs' || objectName === 'fsPromises') {
+                    useMethodName = node.callee.property.name;
+                }
+            }
+            else if (node.callee.type === 'Identifier') {
+                useMethodName = node.callee.name;
+            }
+            const riskyUseMethods = ['readFileSync', 'writeFileSync', 'readFile', 'writeFile', 'openSync', 'open', 'unlinkSync', 'unlink'];
+            if (!riskyUseMethods.includes(useMethodName)) {
+                return;
+            }
+            const useArg = node.arguments[0];
+            if (!useArg)
+                return;
+            // 2. Walk up to find the condition (Check)
+            let current = node.parent;
+            while (current) {
+                if (current.type === 'IfStatement') {
+                    // Extract the condition node
+                    let condition = current.test;
+                    // Handle negated condition: if (!exists(path)) { create(path) } -> also TOCTOU but different logic?
+                    // Actually TOCTOU is usually Check(exists) -> Use(read).
+                    // If (!exists) -> create is Check -> Use.
+                    // But strict TOCTOU is checking state then acting.
+                    // If checking for negation
+                    if (condition.type === 'UnaryExpression' && condition.operator === '!') {
+                        condition = condition.argument;
+                    }
+                    if (condition.type === 'CallExpression') {
+                        // Check if it's a file check method
+                        let checkMethodName = '';
+                        if (condition.callee.type === 'MemberExpression' && condition.callee.property.type === 'Identifier') {
+                            checkMethodName = condition.callee.property.name;
+                        }
+                        else if (condition.callee.type === 'Identifier') {
+                            checkMethodName = condition.callee.name;
+                        }
+                        const checkMethods = ['existsSync', 'statSync', 'accessSync', 'exists', 'stat', 'access'];
+                        if (checkMethods.includes(checkMethodName)) {
+                            // Compare arguments
+                            const checkArg = condition.arguments[0];
+                            if (checkArg) {
+                                // Method 1: Identifier match (same variable)
+                                if (checkArg.type === 'Identifier' && useArg.type === 'Identifier' && checkArg.name === useArg.name) {
+                                    reportToctou(node);
+                                    return;
+                                }
+                                // Method 2: Text match (fallback)
+                                const checkArgText = sourceCode.getText(checkArg).replace(/\s/g, '');
+                                const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                                if (checkArgText === useArgText) {
+                                    reportToctou(node);
+                                    return;
+                                }
+                            }
+                        }
+                        // Handle stats.isFile() / stats.isDirectory() pattern
+                        if (condition.callee.type === 'MemberExpression' &&
+                            condition.callee.property.type === 'Identifier' &&
+                            ['isFile', 'isDirectory'].includes(condition.callee.property.name) &&
+                            condition.callee.object.type === 'Identifier') {
+                            const statsVarName = condition.callee.object.name;
+                            let currentScope = sourceCode.getScope(condition);
+                            let variable = null;
+                            while (currentScope) {
+                                variable = currentScope.variables.find(v => v.name === statsVarName);
+                                if (variable)
+                                    break;
+                                currentScope = currentScope.upper;
+                            }
+                            if (variable && variable.defs.length > 0) {
+                                const def = variable.defs[0];
+                                if (def.type === 'Variable' && def.node.init && def.node.init.type === 'CallExpression') {
+                                    const init = def.node.init;
+                                    if (init.callee.type === 'MemberExpression' &&
+                                        init.callee.property.type === 'Identifier' &&
+                                        ['statSync', 'lstatSync', 'stat', 'lstat'].includes(init.callee.property.name)) {
+                                        const statArg = init.arguments[0];
+                                        if (statArg) {
+                                            const checkArgText = sourceCode.getText(statArg).replace(/\s/g, '');
+                                            const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
+                                            if (checkArgText === useArgText) {
+                                                reportToctou(node);
+                                                return;
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+        }
+        function reportToctou(node) {
+            context.report({
+                node,
+                messageId: 'toctouVulnerability',
+                suggest: [
+                    {
+                        messageId: 'useAtomicOperations',
+                        fix: () => null,
+                    },
+                    {
+                        messageId: 'useFsPromises',
+                        fix: () => null,
+                    },
+                    {
+                        messageId: 'addProperLocking',
+                        fix: () => null,
+                    },
+                ],
+            });
+        }
+        return {
+            CallExpression: checkCallExpression,
+        };
+    },
+});

package/src/rules/no-tracking-without-consent/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Require consent before tracking
+ */
+export interface Options {
+}
+export declare const noTrackingWithoutConsent: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;