eslint-plugin-secure-coding 2.3.3 → 2.4.0

package/src/rules/no-unsafe-deserialization/index.js

@@ -0,0 +1,491 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeDeserialization = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noUnsafeDeserialization = (0, eslint_devkit_1.createRule)({
+    name: 'no-unsafe-deserialization',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unsafe deserialization of untrusted data',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            unsafeDeserialization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe Deserialization',
+                cwe: 'CWE-502',
+                description: 'Unsafe deserialization of untrusted data (incl. model/tool output)',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}} | validate model/tool output via schema and size limits',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/502.html',
+            }),
+            dangerousEvalUsage: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous eval() Usage',
+                cwe: 'CWE-502',
+                description: 'eval() used for deserialization (code execution vulnerability)',
+                severity: 'CRITICAL',
+                fix: 'Use JSON.parse() or safe deserialization libraries',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/502.html',
+            }),
+            unsafeYamlParsing: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe YAML Parsing',
+                cwe: 'CWE-502',
+                description: 'YAML parsing may execute code during deserialization',
+                severity: 'HIGH',
+                fix: 'Use yaml.safeLoad() or disable code execution',
+                documentationLink: 'https://www.npmjs.com/package/js-yaml#loadstr---options-',
+            }),
+            dangerousFunctionConstructor: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous Function Constructor',
+                cwe: 'CWE-502',
+                description: 'Function constructor used with untrusted data',
+                severity: 'CRITICAL',
+                fix: 'Avoid Function constructor with user input',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function',
+            }),
+            untrustedDeserializationInput: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Untrusted Deserialization Input',
+                cwe: 'CWE-502',
+                description: 'Deserializing untrusted input (incl. LLM/MCP responses) without validation',
+                severity: 'HIGH',
+                fix: 'Schema-validate and size-cap before deserialization; reject unknown fields',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/502.html',
+            }),
+            useSafeDeserializer: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Safe Deserializer',
+                description: 'Use safe deserialization libraries',
+                severity: 'LOW',
+                fix: 'Use JSON.parse, safe-json-parse, or validated libraries',
+                documentationLink: 'https://www.npmjs.com/package/safe-json-parse',
+            }),
+            validateBeforeDeserialization: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate Before Deserialization',
+                description: 'Validate input before deserialization',
+                severity: 'LOW',
+                fix: 'Implement input validation and length limits',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/502.html',
+            }),
+            avoidEval: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Avoid eval()',
+                description: 'Never use eval() for deserialization',
+                severity: 'LOW',
+                fix: 'Use JSON.parse() for data, vm.Script for code when absolutely necessary',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval',
+            }),
+            strategySafeLibraries: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Safe Libraries Strategy',
+                description: 'Use deserialization libraries with built-in safety',
+                severity: 'LOW',
+                fix: 'Use JSON.parse, js-yaml.safeLoad, or protobuf libraries',
+                documentationLink: 'https://www.npmjs.com/package/js-yaml',
+            }),
+            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Input Validation Strategy',
+                description: 'Validate input before any deserialization',
+                severity: 'LOW',
+                fix: 'Implement schema validation and length limits',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/502.html',
+            }),
+            strategySandboxing: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Sandboxing Strategy',
+                description: 'Execute deserialization in sandboxed environment',
+                severity: 'LOW',
+                fix: 'Use vm module or worker threads for untrusted deserialization',
+                documentationLink: 'https://nodejs.org/api/vm.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    dangerousFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['eval', 'Function', 'setTimeout', 'setInterval', 'unserialize', 'deserialize', 'parseUnsafe'],
+                    },
+                    safeLibraries: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['JSON', 'safe-json-parse', 'js-yaml.safeLoad', 'protobuf', 'msgpack'],
+                    },
+                    validationFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['validateInput', 'sanitizeData', 'checkSchema', 'validateSchema'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as safe deserializers',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            dangerousFunctions: ['eval', 'Function', 'setTimeout', 'setInterval', 'unserialize', 'deserialize', 'parseUnsafe'],
+            safeLibraries: ['JSON', 'safe-json-parse', 'js-yaml.safeLoad', 'protobuf', 'msgpack'],
+            validationFunctions: ['validateInput', 'sanitizeData', 'checkSchema', 'validateSchema'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { dangerousFunctions = ['eval', 'Function', 'setTimeout', 'setInterval', 'unserialize', 'deserialize', 'parseUnsafe'], validationFunctions = ['validateInput', 'sanitizeData', 'checkSchema', 'validateSchema'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        // Track variables that have been validated/sanitized
+        const validatedVariables = new Set();
+        // Track variables that contain untrusted data
+        const untrustedVariables = new Set();
+        /**
+         * Check if this is a dangerous deserialization function
+         */
+        const isDangerousDeserialization = (node) => {
+            const callee = node.callee;
+            // Check for dangerous function calls
+            if (callee.type === 'Identifier' && dangerousFunctions.includes(callee.name)) {
+                return true;
+            }
+            // Check for member expressions like yaml.load, serialize.unserialize
+            if (callee.type === 'MemberExpression') {
+                const memberName = callee.property.type === 'Identifier' ? callee.property.name : '';
+                const objectName = callee.object.type === 'Identifier' ? callee.object.name : '';
+                // Check dangerous methods
+                if (dangerousFunctions.includes(memberName)) {
+                    return true;
+                }
+                // Check dangerous libraries
+                if (['yaml', 'js-yaml', 'node-serialize', 'serialize-javascript'].includes(objectName.toLowerCase()) &&
+                    ['load', 'parse', 'unserialize', 'deserialize'].includes(memberName)) {
+                    return true;
+                }
+            }
+            // Check for require() calls with dangerous libraries
+            if (callee.type === 'Identifier' && callee.name === 'require') {
+                const args = node.arguments;
+                if (args.length > 0 && args[0].type === 'Literal' && typeof args[0].value === 'string') {
+                    const moduleName = args[0].value.toLowerCase();
+                    if (['node-serialize', 'serialize-javascript', 'yaml', 'js-yaml'].includes(moduleName)) {
+                        return true;
+                    }
+                }
+            }
+            return false;
+        };
+        /**
+         * Check if input comes from untrusted source
+         */
+        const isUntrustedInput = (inputNode) => {
+            // Check for MemberExpression patterns like req.body, req.query, etc.
+            if (inputNode.type === 'MemberExpression') {
+                if (inputNode.object.type === 'Identifier' && inputNode.object.name === 'req') {
+                    return true;
+                }
+                if (inputNode.object.type === 'MemberExpression' &&
+                    inputNode.object.object.type === 'Identifier' &&
+                    inputNode.object.object.name === 'req') {
+                    return true;
+                }
+            }
+            if (inputNode.type === 'Identifier') {
+                // Check if this variable has been marked as untrusted
+                if (untrustedVariables.has(inputNode.name)) {
+                    return true;
+                }
+                // Only consider variables untrusted if they actually come from req.* patterns
+                // Don't flag generic variable names like 'input', 'data', etc.
+                // unless they have been explicitly marked as untrusted
+                // Check if it comes from function parameters (these are potentially untrusted)
+                let current = inputNode;
+                while (current) {
+                    if (current.type === 'FunctionDeclaration' ||
+                        current.type === 'FunctionExpression' ||
+                        current.type === 'ArrowFunctionExpression') {
+                        const func = current;
+                        if (func.params.some((param) => {
+                            if (param.type === 'Identifier') {
+                                return param.name === inputNode.name;
+                            }
+                            return false;
+                        })) {
+                            return true; // Function parameters are untrusted
+                        }
+                    }
+                    current = current.parent;
+                }
+            }
+            return false;
+        };
+        /**
+         * Check if input has been validated
+         */
+        const isInputValidated = (inputNode) => {
+            let current = inputNode;
+            while (current) {
+                if (current.type === 'CallExpression' &&
+                    current.callee.type === 'Identifier' &&
+                    validationFunctions.includes(current.callee.name)) {
+                    return true;
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check if this is a safe deserialization library
+         */
+        const isSafeLibrary = (node) => {
+            const callee = node.callee;
+            if (callee.type === 'MemberExpression') {
+                const objectName = callee.object.type === 'Identifier' ? callee.object.name : '';
+                const memberName = callee.property.type === 'Identifier' ? callee.property.name : '';
+                // Check for safe patterns
+                if (objectName === 'JSON' && memberName === 'parse') {
+                    return true;
+                }
+                if (objectName === 'yaml' && memberName === 'safeLoad') {
+                    return true;
+                }
+                if (objectName === 'js-yaml' && memberName === 'safeLoad') {
+                    return true;
+                }
+            }
+            return false;
+        };
+        const checkCallExpression = (node) => {
+            // 1. Check Function Constructor (NewExpression or CallExpression)
+            if ((node.type === 'NewExpression' || node.type === 'CallExpression') &&
+                node.callee.type === 'Identifier' &&
+                node.callee.name === 'Function') {
+                const args = node.arguments;
+                const hasUntrustedInput = args.some((arg) => isUntrustedInput(arg));
+                if (hasUntrustedInput) {
+                    if (safetyChecker.isSafe(node, context))
+                        return;
+                    context.report({
+                        node,
+                        messageId: 'dangerousFunctionConstructor',
+                        data: {
+                            filePath: context.getFilename(),
+                            line: String(node.loc?.start.line ?? 0),
+                            severity: 'HIGH',
+                            safeAlternative: 'Avoid dynamic function creation',
+                        }
+                    });
+                    return;
+                }
+            }
+            // 2. Check CallExpressions (eval, unserialize, yaml, etc.)
+            if (isDangerousDeserialization(node)) {
+                const args = node.arguments;
+                const hasUntrustedInput = args.some((arg) => isUntrustedInput(arg));
+                // Check if explicit validation is present
+                const isSafe = isSafeLibrary(node);
+                const filename = context.getFilename();
+                if (!isSafe && hasUntrustedInput) {
+                    // Basic safety check
+                    const safe = safetyChecker.isSafe(node, context);
+                    if (!safe) {
+                        // Determine message ID
+                        let messageId = 'unsafeDeserialization';
+                        // Check specifically for YAML
+                        const calleeText = sourceCode.getText(node.callee);
+                        if (calleeText.includes('yaml') || calleeText.includes('YAML')) {
+                            messageId = 'unsafeYamlParsing';
+                        }
+                        // Check for generic dangerous functions
+                        if (node.callee.type === 'Identifier' && ['eval', 'setTimeout', 'setInterval'].includes(node.callee.name)) {
+                            messageId = 'dangerousEvalUsage';
+                        }
+                        context.report({
+                            node,
+                            messageId,
+                            data: {
+                                library: calleeText,
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                                severity: 'HIGH',
+                                safeAlternative: 'Use JSON.parse() or validated safe deserialization libraries',
+                            },
+                            suggest: messageId === 'dangerousEvalUsage' ? [{
+                                    messageId: 'useSafeDeserializer',
+                                    fix: (fixer) => {
+                                        return fixer.replaceText(node, `JSON.parse(${sourceCode.getText(node.arguments[0])})`);
+                                    }
+                                }] : undefined
+                        });
+                    }
+                }
+            }
+            // Check for untrusted input in potentially safe functions
+            if (isSafeLibrary(node)) {
+                const args = node.arguments;
+                const hasUntrustedInput = args.some((arg) => {
+                    // Check if it's validated
+                    if (arg.type === 'Identifier' && validatedVariables.has(arg.name)) {
+                        return false;
+                    }
+                    return isUntrustedInput(arg) && !isInputValidated(arg);
+                });
+                if (hasUntrustedInput) {
+                    // Even JSON.parse can be unsafe if used on complex objects that get eval'd later
+                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                    if (safetyChecker.isSafe(node, context)) {
+                        return;
+                    }
+                    /* c8 ignore stop */
+                    context.report({
+                        node,
+                        messageId: 'untrustedDeserializationInput',
+                        data: {
+                            filePath: context.getFilename(),
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                        suggest: [
+                            {
+                                messageId: 'validateBeforeDeserialization',
+                                fix: () => null
+                            },
+                        ],
+                    });
+                }
+            }
+        };
+        return {
+            // Track variable assignments from untrusted sources
+            VariableDeclaration(node) {
+                for (const declarator of node.declarations) {
+                    if (declarator.id.type === 'Identifier' && declarator.init) {
+                        // Check if the initializer comes from an untrusted source
+                        if (isUntrustedInput(declarator.init)) {
+                            untrustedVariables.add(declarator.id.name);
+                        }
+                        // Check if it's assigned from fs operations or other untrusted sources
+                        if (declarator.init.type === 'CallExpression') {
+                            const callee = declarator.init.callee;
+                            if (callee.type === 'MemberExpression' &&
+                                callee.object.type === 'Identifier' &&
+                                callee.object.name === 'fs' &&
+                                callee.property.type === 'Identifier' &&
+                                ['readFile', 'readFileSync'].includes(callee.property.name)) {
+                                untrustedVariables.add(declarator.id.name);
+                            }
+                        }
+                    }
+                }
+            },
+            // Track assignment expressions
+            AssignmentExpression(node) {
+                if (node.left.type === 'Identifier' && isUntrustedInput(node.right)) {
+                    untrustedVariables.add(node.left.name);
+                }
+            },
+            // Check dangerous function calls
+            CallExpression(node) {
+                checkCallExpression(node);
+            },
+            NewExpression(node) {
+                checkCallExpression(node);
+            },
+            // Check for dangerous require/import patterns
+            VariableDeclarator(node) {
+                if (!node.init) {
+                    return;
+                }
+                // Track variables assigned from validation functions
+                if (node.id.type === 'Identifier' &&
+                    node.init.type === 'CallExpression' &&
+                    node.init.callee.type === 'Identifier' &&
+                    (validationFunctions.includes(node.init.callee.name) || trustedSanitizers.includes(node.init.callee.name))) {
+                    validatedVariables.add(node.id.name);
+                }
+                // Check for require/import of dangerous libraries
+                if (node.init.type === 'CallExpression' &&
+                    node.init.callee.type === 'Identifier' &&
+                    node.init.callee.name === 'require') {
+                    const requireArg = node.init.arguments[0];
+                    if (requireArg?.type === 'Literal' && typeof requireArg.value === 'string') {
+                        const moduleName = requireArg.value;
+                        if (['node-serialize', 'serialize-javascript', 'js-yaml', 'yaml'].includes(moduleName)) {
+                            // Check if this variable is used unsafely later
+                            if (node.id.type === 'Identifier') {
+                                // Look ahead to see if this library is used dangerously
+                                // This is a simplified check - in practice, we'd need more sophisticated analysis
+                                const variables = sourceCode.getDeclaredVariables(node);
+                                for (const variable of variables) {
+                                    for (const reference of variable.references) {
+                                        const refNode = reference.identifier;
+                                        // Check if reference is part of a call to dangerous method
+                                        // e.g. serialize.unserialize()
+                                        if (refNode.parent && refNode.parent.type === 'MemberExpression' &&
+                                            refNode.parent.object === refNode) {
+                                            const memberExpr = refNode.parent;
+                                            const propertyName = memberExpr.property.type === 'Identifier' ? memberExpr.property.name : '';
+                                            if (['unserialize', 'deserialize', 'load', 'parse'].includes(propertyName)) {
+                                                const callExpr = memberExpr.parent;
+                                                if (callExpr && callExpr.type === 'CallExpression' && callExpr.callee === memberExpr) {
+                                                    // FALSE POSITIVE REDUCTION
+                                                    if (safetyChecker.isSafe(callExpr, context)) {
+                                                        continue;
+                                                    }
+                                                    context.report({
+                                                        node: callExpr,
+                                                        messageId: 'unsafeDeserialization',
+                                                        data: {
+                                                            filePath: filename,
+                                                            line: String(callExpr.loc?.start.line ?? 0),
+                                                            severity: 'CRITICAL',
+                                                            safeAlternative: 'Avoid using this library or use safe alternatives',
+                                                        },
+                                                    });
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-unsafe-dynamic-require/index.d.ts

@@ -0,0 +1,5 @@
+export interface Options {
+    /** Allow dynamic import() expressions. Default: false (stricter) */
+    allowDynamicImport?: boolean;
+}
+export declare const noUnsafeDynamicRequire: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-unsafe-dynamic-require/index.js

@@ -0,0 +1,106 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeDynamicRequire = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+exports.noUnsafeDynamicRequire = (0, eslint_devkit_2.createRule)({
+    name: 'no-unsafe-dynamic-require',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent unsafe dynamic require() calls that could enable code injection',
+        },
+        fixable: 'code',
+        hasSuggestions: false,
+        messages: {
+            unsafeDynamicRequire: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Dynamic require()',
+                cwe: 'CWE-95',
+                description: 'Dynamic require() detected',
+                severity: 'CRITICAL',
+                fix: 'Use allowlist: const ALLOWED = ["mod1", "mod2"]; if (!ALLOWED.includes(name)) throw Error("Not allowed")',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowDynamicImport: {
+                        type: 'boolean',
+                        default: false,
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowDynamicImport: false,
+        },
+    ],
+    create(context) {
+        /**
+         * Track variables that reference require
+         * Maps variable name to the node where it was assigned
+         */
+        const requireVariables = new Set();
+        /**
+         * Check if a node is a reference to require
+         */
+        const isRequireReference = (node) => {
+            if (node.type === 'Identifier' && node.name === 'require') {
+                return true;
+            }
+            if (node.type === 'Identifier' && requireVariables.has(node.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if argument is dynamic (not a literal)
+         */
+        const isDynamicArgument = (arg) => {
+            if (arg.type === 'Literal')
+                return false;
+            if (arg.type === 'TemplateLiteral' && arg.expressions.length === 0)
+                return false;
+            return true;
+        };
+        return {
+            VariableDeclarator(node) {
+                // Track when require is assigned to a variable
+                if (node.id.type === 'Identifier' && node.init) {
+                    if (node.init.type === 'Identifier' && node.init.name === 'require') {
+                        requireVariables.add(node.id.name);
+                    }
+                }
+            },
+            CallExpression(node) {
+                // Check for require() calls (direct or via variable)
+                if (node.callee.type !== 'Identifier') {
+                    return;
+                }
+                // Check if callee is require or a variable that references require
+                if (!isRequireReference(node.callee)) {
+                    return;
+                }
+                // Must have at least one argument
+                if (node.arguments.length === 0)
+                    return;
+                const firstArg = node.arguments[0];
+                if (firstArg.type === 'SpreadElement')
+                    return;
+                // Check if dynamic
+                if (!isDynamicArgument(firstArg))
+                    return;
+                context.report({
+                    node,
+                    messageId: 'unsafeDynamicRequire',
+                });
+            },
+        };
+    },
+});

package/src/rules/no-unsafe-regex-construction/index.d.ts

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow literal string patterns. Default: false */
+    allowLiterals?: boolean;
+    /** Trusted functions that escape input. Default: ['escapeRegex', 'escape', 'sanitize'] */
+    trustedEscapingFunctions?: string[];
+    /** Maximum pattern length for dynamic regex. Default: 100 */
+    maxPatternLength?: number;
+}
+export declare const noUnsafeRegexConstruction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;