npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/detect-eval-with-expression/index.js ADDED Viewed

@@ -0,0 +1,392 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectEvalWithExpression = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const EVAL_PATTERNS = [
+    {
+        pattern: 'JSON\\.parse|parse\\(.*\\)',
+        category: 'json',
+        safeAlternative: 'JSON.parse()',
+        example: {
+            bad: 'eval(\'{"key": "\' + value + \'"}"\')',
+            good: 'JSON.parse(\'{"key": "\' + value + \'"}"\')'
+        },
+        effort: '2 minutes'
+    },
+    {
+        pattern: 'Math\\.|parseInt|parseFloat',
+        category: 'math',
+        safeAlternative: 'Math functions or parseInt/parseFloat',
+        example: {
+            bad: 'eval(\'Math.\' + method + \'(\' + arg + \')\')',
+            good: 'const mathMethods = {sin: Math.sin, cos: Math.cos}; mathMethods[method](arg)'
+        },
+        effort: '5 minutes'
+    },
+    {
+        pattern: '\\$\\{|template|interpolat',
+        category: 'template',
+        safeAlternative: 'Template literals or template engine',
+        example: {
+            bad: 'eval(\'Hello \' + userName + \'!\')',
+            good: 'const template = `Hello ${userName}!`;'
+        },
+        effort: '3 minutes'
+    },
+    {
+        pattern: '\\[.*\\]|object\\[|obj\\.|\\.',
+        category: 'object',
+        safeAlternative: 'Direct property access or Map',
+        example: {
+            bad: 'eval(\'obj.\' + property)',
+            good: 'const allowedProps = {name: true, age: true}; if (allowedProps[property]) obj[property]'
+        },
+        effort: '8 minutes'
+    }
+];
+exports.detectEvalWithExpression = (0, eslint_devkit_2.createRule)({
+    name: 'detect-eval-with-expression',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects eval(variable) which can allow an attacker to run arbitrary code',
+        },
+        messages: {
+            // 🎯 Token optimization: 38% reduction (47→29 tokens) - compact format saves LLM processing
+            evalWithExpression: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'eval() with dynamic code',
+                cwe: 'CWE-95',
+                description: 'eval() with dynamic code',
+                severity: 'CRITICAL',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            useJsonParse: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe eval() for JSON parsing',
+                cwe: 'CWE-95',
+                description: 'Use JSON.parse() instead of eval() for JSON string parsing',
+                severity: 'HIGH',
+                fix: 'Replace eval() with JSON.parse()',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            useObjectAccess: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe eval() for property access',
+                cwe: 'CWE-95',
+                description: 'Use direct property access instead of eval() for dynamic property access',
+                severity: 'HIGH',
+                fix: 'Use obj[key] or Map.get(key) instead of eval()',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            useTemplateLiteral: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe eval() for string interpolation',
+                cwe: 'CWE-95',
+                description: 'Use template literals instead of eval() for string interpolation',
+                severity: 'HIGH',
+                fix: 'Replace eval() with template literals: `Hello ${name}`',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            useFunctionConstructor: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe eval() for function creation',
+                cwe: 'CWE-95',
+                description: 'Use Function constructor with validation instead of eval()',
+                severity: 'HIGH',
+                fix: 'Replace eval() with validated Function constructor',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            useSaferAlternative: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe eval() usage detected',
+                cwe: 'CWE-95',
+                description: 'eval() with dynamic code execution detected',
+                severity: 'HIGH',
+                fix: '{{alternative}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            strategyRemove: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Critical eval() security vulnerability',
+                cwe: 'CWE-95',
+                description: 'eval() usage poses severe security risk',
+                severity: 'CRITICAL',
+                fix: 'Remove eval() entirely - security risk too high',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            strategyRefactor: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'eval() refactoring required',
+                cwe: 'CWE-95',
+                description: 'eval() can be refactored to safer alternative',
+                severity: 'HIGH',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            }),
+            strategyValidate: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'eval() input validation needed',
+                cwe: 'CWE-95',
+                description: 'eval() requires input validation for security',
+                severity: 'MEDIUM',
+                fix: 'Add input validation before using eval()',
+                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiteralStrings: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow eval with literal strings (false = stricter)'
+                    },
+                    additionalEvalFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional functions to treat as eval-like'
+                    },
+                    strategy: {
+                        type: 'string',
+                        enum: ['remove', 'refactor', 'validate', 'auto'],
+                        default: 'auto',
+                        description: 'Strategy for fixing eval usage (auto = smart detection)'
+                    }
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiteralStrings: false,
+            additionalEvalFunctions: [],
+            strategy: 'auto'
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowLiteralStrings = false, additionalEvalFunctions = [], strategy = 'auto' } = options || {};
+        /**
+         * All functions that can execute arbitrary code
+         * NOTE: setTimeout/setInterval are NOT eval-like - they don't execute code strings
+         */
+        const evalFunctions = [
+            'eval',
+            'Function',
+            ...additionalEvalFunctions
+        ];
+        /**
+         * Check if a node is a literal string (safe)
+         */
+        const isLiteralString = (node) => {
+            return node.type === 'Literal' && typeof node.value === 'string';
+        };
+        /**
+         * Select message ID based on strategy
+         */
+        const selectStrategyMessage = (pattern) => {
+            switch (strategy) {
+                case 'remove':
+                    return 'strategyRemove';
+                case 'refactor':
+                    return 'strategyRefactor';
+                case 'validate':
+                    return 'strategyValidate';
+                case 'auto':
+                default:
+                    // Auto mode: choose based on pattern confidence
+                    if (pattern && pattern.category === 'json') {
+                        return 'useJsonParse';
+                    }
+                    if (pattern && pattern.category === 'object') {
+                        return 'useObjectAccess';
+                    }
+                    if (pattern && pattern.category === 'template') {
+                        return 'useTemplateLiteral';
+                    }
+                    return 'strategyRefactor'; // Default to refactor for unknown patterns
+            }
+        };
+        /**
+         * Detect the pattern category from the expression
+         */
+        const detectPattern = (expression) => {
+            for (const pattern of EVAL_PATTERNS) {
+                if (new RegExp(pattern.pattern, 'i').test(expression)) {
+                    return pattern;
+                }
+            }
+            return null;
+        };
+        /**
+         * Generate refactoring steps based on pattern
+         */
+        const generateRefactoringSteps = (pattern) => {
+            if (!pattern) {
+                return [
+                    '   1. Remove eval() usage entirely',
+                    '   2. Identify what the code is trying to achieve',
+                    '   3. Use appropriate safe alternative (JSON.parse, Map, etc.)',
+                    '   4. Add input validation if dynamic behavior needed',
+                    '   5. Test thoroughly for edge cases'
+                ].join('\n');
+            }
+            switch (pattern.category) {
+                case 'json':
+                    return [
+                        '   1. Replace eval() with JSON.parse()',
+                        '   2. Ensure input is valid JSON string',
+                        '   3. Add try/catch for JSON parsing errors',
+                        '   4. Consider using a JSON schema validator'
+                    ].join('\n');
+                case 'math':
+                    return [
+                        '   1. Create whitelist of allowed Math functions',
+                        '   2. Use direct function calls: Math.sin(x)',
+                        '   3. Validate inputs are numbers',
+                        '   4. Consider using a math expression parser library'
+                    ].join('\n');
+                case 'template':
+                    return [
+                        '   1. Use template literals: `Hello ${name}`',
+                        '   2. Sanitize variables before interpolation',
+                        '   3. Use a template engine like Handlebars if complex',
+                        '   4. Validate template structure'
+                    ].join('\n');
+                case 'object':
+                    return [
+                        '   1. Use Map or plain object for key-value access',
+                        '   2. Whitelist allowed property names',
+                        '   3. Use hasOwnProperty() check',
+                        '   4. Consider Object.create(null) for clean objects'
+                    ].join('\n');
+                default:
+                    return [
+                        '   1. Identify the specific use case',
+                        '   2. Find a safer alternative approach',
+                        '   3. Add comprehensive input validation',
+                        '   4. Use static analysis if possible'
+                    ].join('\n');
+            }
+        };
+        /**
+         * Extract expression text for pattern analysis
+         */
+        const extractExpression = (node) => {
+            const sourceCode = context.sourceCode || context.sourceCode;
+            // Try to get the argument text
+            if (node.arguments.length > 0) {
+                return sourceCode.getText(node.arguments[0]);
+            }
+            return 'dynamic expression';
+        };
+        /**
+         * Check call expressions for dangerous eval usage
+         */
+        const checkCallExpression = (node) => {
+            // Check if it's a call to an eval-like function
+            if (node.callee.type === 'Identifier' &&
+                evalFunctions.includes(node.callee.name)) {
+                // Skip if it's a literal string and literals are allowed
+                if (allowLiteralStrings &&
+                    node.arguments.length > 0 &&
+                    isLiteralString(node.arguments[0])) {
+                    return;
+                }
+                // Skip if it's a direct string literal (safe)
+                if (node.arguments.length > 0 &&
+                    node.callee.name === 'eval' &&
+                    isLiteralString(node.arguments[0])) {
+                    return;
+                }
+                const expression = extractExpression(node);
+                const pattern = detectPattern(expression);
+                const steps = generateRefactoringSteps(pattern);
+                const strategyMessageId = selectStrategyMessage(pattern);
+                context.report({
+                    node,
+                    messageId: strategyMessageId,
+                    data: {
+                        expression,
+                        patternCategory: pattern?.category || 'dynamic code execution',
+                        safeAlternative: pattern?.safeAlternative || 'Remove eval entirely',
+                        steps,
+                        effort: pattern?.effort || '15-30 minutes'
+                    },
+                    suggest: pattern ? [
+                        {
+                            messageId: strategyMessageId,
+                            data: {
+                                safeAlternative: pattern.safeAlternative,
+                                alternative: pattern.safeAlternative
+                            },
+                            fix: () => null // Complex refactoring, cannot auto-fix safely
+                        }
+                    ] : undefined
+                });
+            }
+            // Also check for Function constructor usage
+            if (node.callee.type === 'NewExpression' &&
+                node.callee.callee.type === 'Identifier' &&
+                node.callee.callee.name === 'Function') {
+                const expression = extractExpression(node);
+                const pattern = detectPattern(expression);
+                const strategyMessageId = selectStrategyMessage(pattern);
+                context.report({
+                    node,
+                    messageId: strategyMessageId,
+                    data: {
+                        expression: `new Function(${expression})`,
+                        patternCategory: 'function constructor',
+                        safeAlternative: 'Arrow function or regular function',
+                        steps: [
+                            '   1. Replace Function constructor with arrow function',
+                            '   2. Use regular function declaration',
+                            '   3. Validate any dynamic parts',
+                            '   4. Consider module imports instead'
+                        ].join('\n'),
+                        effort: '10 minutes'
+                    }
+                });
+            }
+        };
+        /**
+         * Check NewExpression for Function constructor usage
+         */
+        const checkNewExpression = (node) => {
+            // Check for new Function() usage
+            if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+                const sourceCode = context.sourceCode || context.sourceCode;
+                const expression = node.arguments.map((arg) => sourceCode.getText(arg)).join(', ');
+                const pattern = detectPattern(expression);
+                const strategyMessageId = selectStrategyMessage(pattern);
+                context.report({
+                    node,
+                    messageId: strategyMessageId,
+                    data: {
+                        expression: `new Function(${expression})`,
+                        patternCategory: 'function constructor',
+                        safeAlternative: 'Arrow function or regular function',
+                        steps: [
+                            '   1. Replace Function constructor with arrow function',
+                            '   2. Use regular function declaration',
+                            '   3. Validate any dynamic parts',
+                            '   4. Consider module imports instead'
+                        ].join('\n'),
+                        effort: '10 minutes'
+                    }
+                });
+            }
+        };
+        return {
+            CallExpression: checkCallExpression,
+            NewExpression: checkNewExpression
+        };
+    },
+});

package/src/rules/detect-mixed-content/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Detect HTTP resources in HTTPS pages
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/311.html
+ */
+export interface Options {
+}
+export declare const detectMixedContent: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/detect-mixed-content/index.js ADDED Viewed

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * @fileoverview Detect HTTP resources in HTTPS pages
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/311.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectMixedContent = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.detectMixedContent = (0, eslint_devkit_1.createRule)({
+    name: 'detect-mixed-content',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detect HTTP resources in HTTPS pages',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M5'],
+            cweIds: ["CWE-311"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-311',
+                description: 'Detect HTTP resources in HTTPS pages detected - Literal containing http:// in HTTPS context',
+                severity: 'MEDIUM',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/311.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        return {
+            Literal(node) {
+                if (typeof node.value === 'string' && node.value.startsWith('http://')) {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+        };
+    },
+});

package/src/rules/detect-non-literal-fs-filename/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Allow literal strings. Default: false (stricter) */
+    allowLiterals?: boolean;
+    /** Additional fs methods to check */
+    additionalMethods?: string[];
+}
+export declare const detectNonLiteralFsFilename: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;