npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-unlimited-resource-allocation/index.js ADDED Viewed

@@ -0,0 +1,643 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnlimitedResourceAllocation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noUnlimitedResourceAllocation = (0, eslint_devkit_1.createRule)({
+    name: 'no-unlimited-resource-allocation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unlimited resource allocation that could cause DoS',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            unlimitedResourceAllocation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Resource Allocation',
+                cwe: 'CWE-770',
+                description: 'Resource allocation without limits',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            unlimitedBufferAllocation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Buffer Allocation',
+                cwe: 'CWE-770',
+                description: 'Buffer allocated without size limits',
+                severity: 'HIGH',
+                fix: 'Set maximum buffer size limits',
+                documentationLink: 'https://nodejs.org/api/buffer.html',
+            }),
+            unlimitedFileOperations: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited File Operations',
+                cwe: 'CWE-770',
+                description: 'File operations without size limits',
+                severity: 'MEDIUM',
+                fix: 'Validate file size before operations',
+                documentationLink: 'https://nodejs.org/api/fs.html',
+            }),
+            unlimitedNetworkConnections: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Network Connections',
+                cwe: 'CWE-770',
+                description: 'Network connections without limits',
+                severity: 'MEDIUM',
+                fix: 'Limit concurrent connections',
+                documentationLink: 'https://nodejs.org/api/http.html',
+            }),
+            unlimitedMemoryAllocation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Memory Allocation',
+                cwe: 'CWE-770',
+                description: 'Memory allocated without limits',
+                severity: 'MEDIUM',
+                fix: 'Set memory allocation limits',
+                documentationLink: 'https://nodejs.org/api/buffer.html',
+            }),
+            userControlledResourceSize: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'User Controlled Resource Size',
+                cwe: 'CWE-770',
+                description: 'Resource size controlled by user input',
+                severity: 'HIGH',
+                fix: 'Validate and limit user-controlled resource sizes',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            missingResourceLimits: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Resource Limits',
+                cwe: 'CWE-770',
+                description: 'Resource allocation lacks proper limits',
+                severity: 'MEDIUM',
+                fix: 'Implement resource size validation',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            resourceAllocationInLoop: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Resource Allocation in Loop',
+                cwe: 'CWE-770',
+                description: 'Resource allocation inside loop without limits',
+                severity: 'HIGH',
+                fix: 'Move resource allocation outside loop or add iteration limits',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            implementResourceLimits: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Resource Limits',
+                description: 'Add limits to resource allocation',
+                severity: 'LOW',
+                fix: 'const limitedSize = Math.min(userSize, MAX_SIZE);',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            validateResourceSize: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Resource Size',
+                description: 'Validate resource size before allocation',
+                severity: 'LOW',
+                fix: 'if (size > MAX_SIZE) throw new Error("Size too large");',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            useResourcePools: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Resource Pools',
+                description: 'Use resource pools for better control',
+                severity: 'LOW',
+                fix: 'Implement connection pooling and resource reuse',
+                documentationLink: 'https://en.wikipedia.org/wiki/Object_pool_pattern',
+            }),
+            strategyResourceManagement: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Resource Management Strategy',
+                description: 'Implement comprehensive resource management',
+                severity: 'LOW',
+                fix: 'Use resource pools, limits, and cleanup mechanisms',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/770.html',
+            }),
+            strategyRateLimiting: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Rate Limiting Strategy',
+                description: 'Implement rate limiting for resource allocation',
+                severity: 'LOW',
+                fix: 'Use rate limiters to prevent resource exhaustion',
+                documentationLink: 'https://en.wikipedia.org/wiki/Rate_limiting',
+            }),
+            strategyResourceCleanup: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Resource Cleanup Strategy',
+                description: 'Ensure proper resource cleanup',
+                severity: 'LOW',
+                fix: 'Implement try-finally blocks and resource disposal',
+                documentationLink: 'https://en.wikipedia.org/wiki/Resource_management_(computing)',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    maxResourceSize: {
+                        type: 'number',
+                        minimum: 1024,
+                        default: 1048576, // 1MB
+                    },
+                    userInputVariables: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['req', 'request', 'body', 'query', 'params', 'input', 'data'],
+                    },
+                    safeResourceFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['validateSize', 'checkLimits', 'limitResource', 'safeAlloc'],
+                    },
+                    requireResourceValidation: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as resource validators',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            maxResourceSize: 1048576, // 1MB
+            userInputVariables: ['req', 'request', 'body', 'query', 'params', 'input', 'data'],
+            safeResourceFunctions: ['validateSize', 'checkLimits', 'limitResource', 'safeAlloc'],
+            requireResourceValidation: true,
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { maxResourceSize = 1048576, userInputVariables = ['req', 'request', 'body', 'query', 'params', 'input', 'data'], safeResourceFunctions = ['validateSize', 'checkLimits', 'limitResource', 'safeAlloc'], requireResourceValidation = true, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if an expression contains user input - using shared utility
+         */
+        const isUserInput = (expression) => (0, eslint_devkit_3.isUserInputExpression)(expression, sourceCode, userInputVariables);
+        /**
+         * Check if resource allocation has size validation
+         */
+        const hasSizeValidation = (node) => {
+            const args = node.arguments;
+            if (args.length === 0) {
+                return false;
+            }
+            // Check if size argument is a validated expression
+            const sizeArg = args[0];
+            const sizeText = sourceCode.getText(sizeArg);
+            // Look for validation patterns
+            return sizeText.includes('Math.min(') ||
+                sizeText.includes('Math.max(') ||
+                sizeText.includes('Math.clamp(') ||
+                safeResourceFunctions.some(func => sizeText.includes(func));
+        };
+        /**
+         * Estimate resource size from static analysis
+         */
+        const estimateResourceSize = (sizeExpression) => {
+            if (sizeExpression.type === 'Literal' && typeof sizeExpression.value === 'number') {
+                return sizeExpression.value;
+            }
+            // Handle binary expressions like 1024 * 1024 * 100
+            if (sizeExpression.type === 'BinaryExpression') {
+                const left = estimateResourceSize(sizeExpression.left);
+                const right = estimateResourceSize(sizeExpression.right);
+                if (left !== null && right !== null) {
+                    switch (sizeExpression.operator) {
+                        case '*':
+                            return left * right;
+                        case '+':
+                            return left + right;
+                        case '-':
+                            return left - right;
+                        case '/':
+                            return right !== 0 ? left / right : null;
+                        default:
+                            return null;
+                    }
+                }
+            }
+            return null;
+        };
+        return {
+            // Check Buffer allocation
+            CallExpression(node) {
+                const callee = node.callee;
+                const calleeText = sourceCode.getText(callee);
+                // Check for Buffer.alloc(), Buffer.allocUnsafe() or new Buffer()
+                const isBufferAlloc = callee.type === 'MemberExpression' &&
+                    callee.object.type === 'Identifier' &&
+                    callee.object.name === 'Buffer' &&
+                    callee.property.type === 'Identifier' &&
+                    (callee.property.name === 'alloc' || callee.property.name === 'allocUnsafe');
+                const isNewBuffer = callee.type === 'NewExpression' &&
+                    callee.callee.type === 'Identifier' &&
+                    callee.callee.name === 'Buffer';
+                if (isBufferAlloc || isNewBuffer) {
+                    const args = node.arguments;
+                    if (args.length > 0) {
+                        const sizeArg = args[0];
+                        // Check if size comes from user input (but skip if validated)
+                        if (sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg) && !hasSizeValidation(node)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'userControlledResourceSize',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                            return;
+                        }
+                        // Check if size exceeds limits
+                        const estimatedSize = sizeArg.type === 'SpreadElement' ? null : estimateResourceSize(sizeArg);
+                        if (estimatedSize && estimatedSize > maxResourceSize) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'unlimitedBufferAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                            return;
+                        }
+                        // Check if no size validation present (only for non-literal sizes from user input)
+                        const isLiteralSize = sizeArg.type === 'Literal' && typeof sizeArg.value === 'number';
+                        const comesFromUserInput = sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg);
+                        if (requireResourceValidation && !hasSizeValidation(node) && !isLiteralSize && comesFromUserInput) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node,
+                                messageId: 'missingResourceLimits',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for multer configuration without limits
+                if (callee.type === 'Identifier' && callee.name === 'multer') {
+                    const args = node.arguments;
+                    if (args.length > 0 && args[0].type === 'ObjectExpression') {
+                        const props = args[0].properties;
+                        // Check for valid limits definition
+                        const hasValidLimits = props.some((prop) => {
+                            if (prop.type !== 'Property' || prop.key.type !== 'Identifier') {
+                                return false;
+                            }
+                            // Direct fileSize (not standard but maybe used?)
+                            if (prop.key.name === 'fileSize')
+                                return true;
+                            // Limits object
+                            if (prop.key.name === 'limits' && prop.value.type === 'ObjectExpression') {
+                                return prop.value.properties.some((limitProp) => limitProp.type === 'Property' &&
+                                    limitProp.key.type === 'Identifier' &&
+                                    limitProp.key.name === 'fileSize');
+                            }
+                            return false;
+                        });
+                        if (!hasValidLimits) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node,
+                                messageId: 'unlimitedFileOperations',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                    return;
+                }
+                // Check for fs operations
+                if (callee.type === 'MemberExpression' &&
+                    callee.object.type === 'Identifier' &&
+                    callee.object.name === 'fs' &&
+                    callee.property.type === 'Identifier' &&
+                    ['readFile', 'writeFile', 'readFileSync', 'writeFileSync'].includes(callee.property.name)) {
+                    const args = node.arguments;
+                    if (args.length > 0) {
+                        // Check if file path comes from user input (potential for large files)
+                        const pathArg = args[0];
+                        // SAFE: Static path construction with path.join(__dirname, ...literals)
+                        // This is a common pattern that doesn't involve user input
+                        if (pathArg.type === 'CallExpression' &&
+                            pathArg.callee.type === 'MemberExpression' &&
+                            pathArg.callee.object.type === 'Identifier' &&
+                            pathArg.callee.object.name === 'path' &&
+                            pathArg.callee.property.type === 'Identifier' &&
+                            (pathArg.callee.property.name === 'join' || pathArg.callee.property.name === 'resolve')) {
+                            // Check if first arg is __dirname and all subsequent args are literals
+                            const pathArgs = pathArg.arguments;
+                            if (pathArgs.length > 0 &&
+                                pathArgs[0].type === 'Identifier' &&
+                                pathArgs[0].name === '__dirname' &&
+                                pathArgs.slice(1).every(arg => arg.type === 'Literal')) {
+                                // Safe: path.join(__dirname, 'static', 'path')
+                                return;
+                            }
+                        }
+                        if (pathArg.type !== 'SpreadElement' && isUserInput(pathArg)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: pathArg,
+                                messageId: 'unlimitedFileOperations',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for Array constructor with user input
+                if (callee.type === 'Identifier' && callee.name === 'Array') {
+                    const args = node.arguments;
+                    if (args.length === 1) {
+                        const sizeArg = args[0];
+                        if (sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'unlimitedMemoryAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for complex resource exhaustion patterns
+                /* c8 ignore start -- defensive detectors for rare patterns */
+                // ZIP bomb detection - unlimited decompression
+                if (calleeText.includes('unzipper') || calleeText.includes('Extract')) {
+                    // Check for unlimited ZIP extraction
+                    context.report({
+                        node,
+                        messageId: 'unlimitedFileOperations',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                }
+                // XML expansion attack detection
+                if (calleeText.includes('xml2js') || calleeText.includes('parseString')) {
+                    context.report({
+                        node,
+                        messageId: 'unlimitedMemoryAllocation',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                }
+                // Check for cache with unlimited growth
+                if (calleeText.includes('set') && sourceCode.getText(node).includes('Buffer.alloc')) {
+                    // Detect cache patterns that allocate buffers without limits
+                    const args = node.arguments;
+                    if (args.length >= 2) {
+                        const valueArg = args[1];
+                        const valueText = sourceCode.getText(valueArg);
+                        if (valueText.includes('Buffer.alloc') && valueText.includes('length')) {
+                            context.report({
+                                node,
+                                messageId: 'unlimitedMemoryAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for recursive data structure processing
+                if (calleeText.includes('map') || calleeText.includes('forEach')) {
+                    const args = node.arguments;
+                    if (args.length > 0) {
+                        const callbackArg = args[0];
+                        const callbackText = sourceCode.getText(callbackArg);
+                        // Detect patterns that create arrays from nested object properties
+                        if (callbackText.includes('Object.keys') && callbackText.includes('map')) {
+                            context.report({
+                                node,
+                                messageId: 'unlimitedMemoryAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                /* c8 ignore stop */
+                // Check for resource allocation inside loops
+                if ((0, eslint_devkit_3.isInsideLoop)(node)) {
+                    const calleeText = sourceCode.getText(callee);
+                    // Check if this allocates resources
+                    if (calleeText.includes('alloc') ||
+                        calleeText.includes('Array') ||
+                        calleeText.includes('Buffer') ||
+                        calleeText.includes('readFile') ||
+                        calleeText.includes('writeFile')) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        // Skip if this is an assignment to an array element (pre-allocated pattern)
+                        const parent = node.parent;
+                        if (parent && parent.type === 'AssignmentExpression' &&
+                            parent.left.type === 'MemberExpression' &&
+                            parent.left.object.type === 'Identifier') {
+                            // This is assigning to an array element, likely pre-allocated
+                            return;
+                        }
+                        // Report resourceAllocationInLoop - this can be in addition to user input errors
+                        context.report({
+                            node,
+                            messageId: 'resourceAllocationInLoop',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check new expressions for resource allocation
+            NewExpression(node) {
+                const callee = node.callee;
+                // Check for new Buffer() with user input
+                if (callee.type === 'Identifier' && callee.name === 'Buffer') {
+                    const args = node.arguments;
+                    if (args.length > 0) {
+                        const sizeArg = args[0];
+                        // Check if size comes from user input (but skip if validated)
+                        if (sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg) && !hasSizeValidation(node)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'userControlledResourceSize',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                            return;
+                        }
+                        // Check if size exceeds limits
+                        const estimatedSize = sizeArg.type === 'SpreadElement' ? null : estimateResourceSize(sizeArg);
+                        if (estimatedSize && estimatedSize > maxResourceSize) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'unlimitedBufferAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                            return;
+                        }
+                        // Check if no size validation present (only for non-literal sizes from user input)
+                        const isLiteralSize = sizeArg.type === 'Literal' && typeof sizeArg.value === 'number';
+                        const comesFromUserInput = sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg);
+                        if (requireResourceValidation && !hasSizeValidation(node) && !isLiteralSize && comesFromUserInput) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node,
+                                messageId: 'missingResourceLimits',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for new Array() with user input
+                if (callee.type === 'Identifier' && callee.name === 'Array') {
+                    const args = node.arguments;
+                    if (args.length === 1) {
+                        const sizeArg = args[0];
+                        if (sizeArg.type !== 'SpreadElement' && isUserInput(sizeArg)) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node: sizeArg,
+                                messageId: 'unlimitedMemoryAllocation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+                // Check for resource allocation inside loops
+                if ((0, eslint_devkit_3.isInsideLoop)(node)) {
+                    const calleeText = sourceCode.getText(callee);
+                    // Check if this allocates resources
+                    if (calleeText.includes('Buffer') ||
+                        calleeText.includes('Array') ||
+                        calleeText.includes('Map') ||
+                        calleeText.includes('Set')) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'resourceAllocationInLoop',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-unsafe-deserialization/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Dangerous deserialization functions to detect */
+    dangerousFunctions?: string[];
+    /** Safe deserialization libraries */
+    safeLibraries?: string[];
+    /** Functions that validate input before deserialization */
+    validationFunctions?: string[];
+}
+export declare const noUnsafeDeserialization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;