npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-unencrypted-transmission/index.js ADDED Viewed

@@ -0,0 +1,236 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnencryptedTransmission = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Default insecure protocol patterns
+ */
+const DEFAULT_INSECURE_PROTOCOLS = [
+    'http://',
+    'ws://',
+    'ftp://',
+    'tcp://',
+    'mongodb://',
+    'redis://',
+    'mysql://',
+];
+/**
+ * Secure protocol alternatives
+ */
+const SECURE_ALTERNATIVES = {
+    'http://': 'https://',
+    'ws://': 'wss://',
+    'ftp://': 'ftps://',
+    'tcp://': 'tls://',
+    'mongodb://': 'mongodb+srv://',
+    'redis://': 'rediss://',
+    'mysql://': 'mysqls://',
+};
+/**
+ * Check if a string contains insecure protocol
+ */
+function containsInsecureProtocol(value, insecureProtocols, secureAlternatives) {
+    const lowerValue = value.toLowerCase();
+    for (const protocol of insecureProtocols) {
+        const lowerProtocol = protocol.toLowerCase();
+        // Check if the protocol appears in the value (as a URL scheme)
+        if (lowerValue.includes(lowerProtocol)) {
+            // Check if it's not already using the secure version
+            const secureAlternative = secureAlternatives[lowerProtocol];
+            if (secureAlternative) {
+                // Only report if secure version is not present
+                if (!lowerValue.includes(secureAlternative.toLowerCase())) {
+                    return { isInsecure: true, protocol };
+                }
+            }
+            else {
+                // No secure alternative defined, so it's insecure
+                return { isInsecure: true, protocol };
+            }
+        }
+    }
+    return { isInsecure: false, protocol: '' };
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+/* c8 ignore start -- ignore-pattern matching is defensive */
+function matchesIgnorePattern(text, patterns) {
+    return patterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+/* c8 ignore stop */
+exports.noUnencryptedTransmission = (0, eslint_devkit_2.createRule)({
+    name: 'no-unencrypted-transmission',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)',
+        },
+        hasSuggestions: true,
+        messages: {
+            unencryptedTransmission: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unencrypted Transmission',
+                cwe: 'CWE-319',
+                description: 'Unencrypted transmission detected: {{issue}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
+            }),
+            useHttps: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use HTTPS',
+                description: 'Use secure protocol',
+                severity: 'LOW',
+                fix: 'Replace http:// with https://',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow unencrypted transmission in test files',
+                    },
+                    insecureProtocols: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Insecure protocol patterns to detect',
+                    },
+                    secureAlternatives: {
+                        type: 'object',
+                        additionalProperties: { type: 'string' },
+                        default: {},
+                        description: 'Mapping of insecure protocols to their secure alternatives',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            insecureProtocols: [],
+            secureAlternatives: {},
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, insecureProtocols, secureAlternatives, ignorePatterns = [], } = options;
+        const protocolsToCheck = insecureProtocols && insecureProtocols.length > 0
+            ? insecureProtocols
+            : DEFAULT_INSECURE_PROTOCOLS;
+        // Merge user-provided secure alternatives with defaults
+        const secureAlternativesToUse = secureAlternatives && Object.keys(secureAlternatives).length > 0
+            ? { ...SECURE_ALTERNATIVES, ...secureAlternatives }
+            : SECURE_ALTERNATIVES;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkLiteral(node) {
+            if (typeof node.value !== 'string') {
+                return;
+            }
+            const value = node.value;
+            const text = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(text, ignorePatterns)) {
+                return;
+            }
+            // Skip test files (allow localhost in test files)
+            if (isTestFile) {
+                // Only allow localhost URLs in test files
+                if (text.includes('localhost')) {
+                    return;
+                }
+                // For other URLs in test files, still check them
+            }
+            const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+            if (isInsecure) {
+                // Allow localhost URLs in test files
+                if (isTestFile && text.includes('localhost')) {
+                    return;
+                }
+                const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+                const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+                context.report({
+                    node,
+                    messageId: 'unencryptedTransmission',
+                    data: {
+                        issue: `using insecure protocol ${protocol}`,
+                        safeAlternative,
+                    },
+                    suggest: [
+                        {
+                            messageId: 'useHttps',
+                            data: {
+                                protocol,
+                                secureProtocol,
+                            },
+                            fix(fixer) {
+                                if (secureProtocol && secureProtocol !== 'secure protocol') {
+                                    // Replace the insecure protocol with secure one
+                                    const newValue = value.replace(new RegExp(protocol.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi'), secureProtocol);
+                                    return fixer.replaceText(node, JSON.stringify(newValue));
+                                }
+                                return null;
+                            },
+                        },
+                    ],
+                });
+            }
+        }
+        function checkTemplateLiteral(node) {
+            if (isTestFile) {
+                return;
+            }
+            const text = sourceCode.getText(node);
+            // Check if it matches any ignore pattern
+            if (matchesIgnorePattern(text, ignorePatterns)) {
+                return;
+            }
+            // Check each quasis (static parts) and expressions
+            for (const quasi of node.quasis) {
+                const value = quasi.value.raw;
+                const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
+                if (isInsecure) {
+                    const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
+                    const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
+                    context.report({
+                        node: quasi,
+                        messageId: 'unencryptedTransmission',
+                        data: {
+                            issue: `using insecure protocol ${protocol} in template literal`,
+                            safeAlternative,
+                        },
+                        // Don't provide auto-fix for template literals (too risky - might break interpolation)
+                    });
+                }
+            }
+        }
+        return {
+            Literal: checkLiteral,
+            TemplateLiteral: checkTemplateLiteral,
+        };
+    },
+});

package/src/rules/no-unescaped-url-parameter/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow unescaped URL parameters in test files. Default: false */
+    allowInTests?: boolean;
+    /** Trusted URL construction libraries. Default: ['url', 'querystring'] */
+    trustedLibraries?: string[];
+    /** Additional safe patterns to ignore. Default: [] */
+    ignorePatterns?: string[];
+}
+export declare const noUnescapedUrlParameter: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-unescaped-url-parameter/index.js ADDED Viewed

@@ -0,0 +1,355 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnescapedUrlParameter = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if a node is inside a URL encoding function call
+ */
+function isInsideEncodingCall(node, sourceCode, trustedLibraries) {
+    let current = node;
+    while (current) {
+        if (current.type === 'CallExpression') {
+            const callee = current.callee;
+            // Check for encodeURIComponent, encodeURI
+            if (callee.type === 'Identifier') {
+                const calleeName = callee.name;
+                if (['encodeURIComponent', 'encodeURI', 'escape'].includes(calleeName)) {
+                    return true;
+                }
+            }
+            // Check if it's a trusted library call
+            if (callee.type === 'MemberExpression') {
+                const object = callee.object;
+                if (object.type === 'Identifier') {
+                    const objectName = object.name.toLowerCase();
+                    if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
+                        return true;
+                    }
+                }
+            }
+        }
+        // Traverse up the AST
+        if ('parent' in current && current.parent) {
+            current = current.parent;
+        }
+        else {
+            break;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a string matches any ignore pattern
+ */
+function matchesIgnorePattern(text, ignorePatterns) {
+    return ignorePatterns.some(pattern => {
+        try {
+            const regex = new RegExp(pattern, 'i');
+            return regex.test(text);
+        }
+        catch {
+            return false;
+        }
+    });
+}
+/**
+ * Check if a node is a URL construction pattern
+ */
+function isUrlConstruction(node, sourceCode) {
+    let text = sourceCode.getText(node);
+    // For template literals, combine raw strings to improve pattern detection
+    if (node.type === 'TemplateLiteral') {
+        text = node.quasis.map(q => q.value.raw).join('');
+    }
+    // Check for URL construction patterns
+    const urlPatterns = [
+        /\bhttps?:\/\//, // HTTP/HTTPS URLs
+        /\bnew\s+URL\s*\(/,
+        /\burl\s*[=:]\s*/, // url = or url:
+        /\burl\s*\+/, // url +
+        /\bwindow\.location/,
+        /\blocation\.href/,
+        /\bwindow\.open\s*\(/,
+        /\?[^=]+=/, // Query parameters
+    ];
+    return urlPatterns.some(pattern => pattern.test(text));
+}
+exports.noUnescapedUrlParameter = (0, eslint_devkit_2.createRule)({
+    name: 'no-unescaped-url-parameter',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unescaped URL parameters',
+        },
+        hasSuggestions: true,
+        messages: {
+            unescapedUrlParameter: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unescaped URL Parameter',
+                cwe: 'CWE-79',
+                description: 'Unescaped URL parameter detected: {{parameter}}',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
+            }),
+            useEncodeURIComponent: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use encodeURIComponent',
+                description: 'Use encodeURIComponent for URL params',
+                severity: 'LOW',
+                fix: '`https://example.com?q=${encodeURIComponent(param)}`',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent',
+            }),
+            useURLSearchParams: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use URLSearchParams',
+                description: 'Use URLSearchParams for safe URL construction',
+                severity: 'LOW',
+                fix: 'new URLSearchParams({ q: param }).toString()',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowInTests: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow unescaped URL parameters in test files',
+                    },
+                    trustedLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['url', 'querystring'],
+                        description: 'Trusted URL construction libraries',
+                    },
+                    ignorePatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional safe patterns to ignore',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowInTests: false,
+            trustedLibraries: ['url', 'querystring'],
+            ignorePatterns: [],
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowInTests = false, trustedLibraries = ['url', 'querystring'], ignorePatterns = [], } = options;
+        const filename = context.getFilename();
+        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
+        const sourceCode = context.sourceCode || context.sourceCode;
+        function checkTemplateLiteral(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check if this is a URL construction
+            if (!isUrlConstruction(node, sourceCode)) {
+                return;
+            }
+            // Check each expression in the template
+            for (const expression of node.expressions) {
+                const text = sourceCode.getText(expression);
+                // Check if it matches any ignore pattern
+                if (matchesIgnorePattern(text, ignorePatterns)) {
+                    continue;
+                }
+                // Check if it's already encoded
+                if (isInsideEncodingCall(expression, sourceCode, trustedLibraries)) {
+                    continue;
+                }
+                // Check if it's a user input pattern
+                const userInputPatterns = [
+                    /\breq\.(query|params|body|headers|cookies)/,
+                    /\brequest\.(query|params|body)/,
+                    /\buserInput\b/i,
+                    /\binput\b/i,
+                    /\bsearchParams\b/,
+                    /\bparam\b/i, // Generic param variable
+                ];
+                // Check both the expression text and the full template literal
+                // This catches nested patterns like req.query.id
+                const fullText = sourceCode.getText(node);
+                const exprText = sourceCode.getText(expression);
+                const isUserInput = userInputPatterns.some(pattern => pattern.test(text)) ||
+                    userInputPatterns.some(pattern => pattern.test(fullText)) ||
+                    userInputPatterns.some(pattern => pattern.test(exprText)) ||
+                    // Also check for nested member expressions like req.query.id
+                    (expression.type === 'MemberExpression' &&
+                        userInputPatterns.some(pattern => {
+                            // Check the full expression including nested properties
+                            return pattern.test(exprText);
+                        }));
+                if (isUserInput) {
+                    context.report({
+                        node: expression,
+                        messageId: 'unescapedUrlParameter',
+                        data: {
+                            parameter: text,
+                            safeAlternative: `Use encodeURIComponent() or URLSearchParams: const url = \`https://example.com?q=\${encodeURIComponent(${text})}\`;`,
+                        },
+                        suggest: [
+                            {
+                                messageId: 'useEncodeURIComponent',
+                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                fix: (_fixer) => null,
+                            },
+                            {
+                                messageId: 'useURLSearchParams',
+                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                fix: (_fixer) => null,
+                            },
+                        ],
+                    });
+                }
+            }
+        }
+        function checkBinaryExpression(node) {
+            if (isTestFile) {
+                return;
+            }
+            // Check for string concatenation in URL construction
+            if (node.operator === '+') {
+                if (!isUrlConstruction(node, sourceCode)) {
+                    return;
+                }
+                // Check right side (usually the parameter)
+                if (node.right.type !== 'Literal') {
+                    const rightText = sourceCode.getText(node.right);
+                    // Check if it matches any ignore pattern
+                    if (matchesIgnorePattern(rightText, ignorePatterns)) {
+                        return;
+                    }
+                    // Check if it's already encoded
+                    if (isInsideEncodingCall(node.right, sourceCode, trustedLibraries)) {
+                        return;
+                    }
+                    // Check if it's a user input pattern
+                    const userInputPatterns = [
+                        /\breq\.(query|params|body)/,
+                        /\brequest\.(query|params|body)/,
+                        /\buserInput\b/,
+                        /\binput\b/,
+                    ];
+                    const isUserInput = userInputPatterns.some(pattern => pattern.test(rightText));
+                    if (isUserInput) {
+                        context.report({
+                            node: node.right,
+                            messageId: 'unescapedUrlParameter',
+                            data: {
+                                parameter: rightText,
+                                safeAlternative: `Use encodeURIComponent(): ${sourceCode.getText(node.left)} + encodeURIComponent(${rightText})`,
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useEncodeURIComponent',
+                                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+                                    fix: (_fixer) => null,
+                                },
+                            ],
+                        });
+                    }
+                }
+            }
+        }
+        function isUserControlled(node, visited = new Set()) {
+            const text = sourceCode.getText(node);
+            const patterns = [
+                /\breq\.(query|params|body|headers|cookies)/,
+                /\brequest\.(query|params|body)/,
+                /\buserInput\b/i,
+                /\binput\b/i,
+                /\bsearchParams\b/,
+                /\bparam\b/i,
+                /\breturnUrl\b/i,
+                /\burl\b/i,
+                /\bredirect\b/i,
+                /\bnext\b/i,
+            ];
+            if (patterns.some(p => p.test(text)))
+                return true;
+            // Trace identifiers
+            if (node.type === 'Identifier') {
+                if (visited.has(node.name))
+                    return false;
+                visited.add(node.name);
+                const scope = sourceCode.getScope(node);
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                const variable = scope.variables.find((v) => v.name === node.name);
+                if (variable && variable.defs.length > 0) {
+                    const def = variable.defs[0];
+                    if (def.type === 'Variable' && def.node.init) {
+                        const init = def.node.init;
+                        // Check if init is constructed from other user inputs
+                        if (isUserControlled(init, visited))
+                            return true;
+                        // Check if init is a TemplateLiteral containing user inputs in expressions
+                        if (init.type === 'TemplateLiteral') {
+                            return init.expressions.some(expr => isUserControlled(expr, visited));
+                        }
+                        // Check if init is BinaryExpression (concatenation)
+                        if (init.type === 'BinaryExpression') {
+                            return isUserControlled(init.left, visited) || isUserControlled(init.right, visited);
+                        }
+                    }
+                }
+            }
+            return false;
+        }
+        return {
+            TemplateLiteral: checkTemplateLiteral,
+            BinaryExpression: checkBinaryExpression,
+            AssignmentExpression(node) {
+                if (isTestFile)
+                    return;
+                // Check for window.location = ... or window.location.href = ...
+                const left = node.left;
+                let isLocationAssignment = false;
+                if (left.type === 'MemberExpression') {
+                    const objectName = left.object.type === 'Identifier' ? left.object.name :
+                        (left.object.type === 'MemberExpression' ? sourceCode.getText(left.object) : '');
+                    const propName = left.property.type === 'Identifier' ? left.property.name : '';
+                    if ((objectName === 'window' && propName === 'location') ||
+                        (propName === 'href' && objectName.includes('location'))) {
+                        isLocationAssignment = true;
+                    }
+                }
+                else if (left.type === 'Identifier' && left.name === 'location') {
+                    // In browser location = ... is valid
+                    isLocationAssignment = true;
+                }
+                if (isLocationAssignment) {
+                    const right = node.right;
+                    const rightText = sourceCode.getText(right);
+                    // Skip TemplateLiteral and BinaryExpression as they are covered by their own visitors
+                    if (right.type === 'TemplateLiteral' || right.type === 'BinaryExpression') {
+                        return;
+                    }
+                    if (matchesIgnorePattern(rightText, ignorePatterns))
+                        return;
+                    if (isInsideEncodingCall(right, sourceCode, trustedLibraries))
+                        return;
+                    if (isUserControlled(right)) {
+                        context.report({
+                            node: right,
+                            messageId: 'unescapedUrlParameter',
+                            data: {
+                                parameter: rightText,
+                                safeAlternative: 'Validate and encode URL before redirecting',
+                            }
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-unlimited-resource-allocation/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Maximum allowed resource size for static analysis */
+    maxResourceSize?: number;
+    /** Variables that contain user input */
+    userInputVariables?: string[];
+    /** Safe resource allocation functions */
+    safeResourceFunctions?: string[];
+    /** Require resource validation */
+    requireResourceValidation?: boolean;
+}
+export declare const noUnlimitedResourceAllocation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;