npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-unsafe-regex-construction/index.js ADDED Viewed

@@ -0,0 +1,291 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeRegexConstruction = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+/**
+ * Check if a node represents user input (variable, function call, template literal)
+ */
+function isUserInput(node) {
+    // Function calls might return user input
+    if (node.type === 'CallExpression') {
+        return true;
+    }
+    // Template literals with expressions are dynamic
+    if (node.type === 'TemplateLiteral') {
+        return node.expressions.length > 0;
+    }
+    // Member expressions accessing user properties
+    if (node.type === 'MemberExpression') {
+        return true;
+    }
+    // Variables are likely user input unless they are safe literals
+    if (node.type === 'Identifier') {
+        // Exclude common safe patterns, but be more restrictive
+        const safeIdentifiers = ['pattern', 'regex', 'regExp', 'regexp'];
+        if (safeIdentifiers.includes(node.name.toLowerCase())) {
+            // For these identifiers, check if they're assigned user input in scope
+            // For now, we'll be conservative and flag them as potentially unsafe
+            return true; // Changed from false to true - safer to flag as user input
+        }
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if a node is escaped (wrapped in an escaping function)
+ */
+function isEscaped(node, trustedFunctions, sourceCode) {
+    // Check if the node itself is a call to a trusted escaping function
+    if (node.type === 'CallExpression' && node.callee.type === 'Identifier') {
+        const functionName = node.callee.name;
+        if (trustedFunctions.includes(functionName)) {
+            return true;
+        }
+    }
+    // Also check if it's wrapped in a trusted function call (for complex cases)
+    let current = node;
+    let depth = 0;
+    const maxDepth = 5; // Prevent infinite loops
+    while (current && depth < maxDepth) {
+        const parent = sourceCode.getNodeByRangeIndex?.(current.range[0] - 1) ||
+            current.parent;
+        if (!parent)
+            break;
+        if (parent.type === 'CallExpression' && parent.callee.type === 'Identifier') {
+            const functionName = parent.callee.name;
+            if (trustedFunctions.includes(functionName)) {
+                return true;
+            }
+        }
+        current = parent;
+        depth++;
+    }
+    return false;
+}
+/**
+ * Check if regex flags are dynamic
+ */
+function hasDynamicFlags(node) {
+    // Check second argument (flags)
+    if (node.arguments.length > 1) {
+        const flagsNode = node.arguments[1];
+        return isUserInput(flagsNode);
+    }
+    return false;
+}
+/**
+ * Extract pattern from RegExp construction
+ */
+function extractPattern(node, sourceCode, trustedFunctions) {
+    const patternNode = node.arguments.length > 0 ? node.arguments[0] : null;
+    if (!patternNode) {
+        return { patternNode: null, isUserInput: false, isEscaped: false };
+    }
+    const isUserInputValue = isUserInput(patternNode);
+    // Default trusted functions + user configured ones
+    const allTrustedFunctions = [...new Set([
+            'escapeRegex', 'escape', 'sanitize', 'RegExp.escape',
+            ...trustedFunctions
+        ])];
+    const isEscapedValue = isEscaped(patternNode, allTrustedFunctions, sourceCode);
+    return {
+        patternNode,
+        isUserInput: isUserInputValue,
+        isEscaped: isEscapedValue,
+    };
+}
+exports.noUnsafeRegexConstruction = (0, eslint_devkit_2.createRule)({
+    name: 'no-unsafe-regex-construction',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects unsafe regex construction patterns (user input without escaping, dynamic flags)',
+        },
+        hasSuggestions: true,
+        messages: {
+            unsafeRegexConstruction: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unsafe regex construction',
+                cwe: 'CWE-400',
+                description: '{{issue}}: {{details}}',
+                severity: 'HIGH',
+                fix: '{{fix}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            escapeUserInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Escape User Input',
+                description: 'Escape user input for regex',
+                severity: 'LOW',
+                fix: 'input.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping',
+            }),
+            validatePattern: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Pattern',
+                description: 'Validate pattern against whitelist',
+                severity: 'LOW',
+                fix: 'Validate pattern before creating RegExp',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useSafeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use safe-regex',
+                description: 'Use safe-regex library for validation',
+                severity: 'LOW',
+                fix: 'if (safeRegex(pattern)) { new RegExp(pattern) }',
+                documentationLink: 'https://github.com/substack/safe-regex',
+            }),
+            avoidDynamicFlags: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Static Flags',
+                description: 'Use static flags instead of dynamic',
+                severity: 'LOW',
+                fix: 'new RegExp(pattern, "gi") with static flags',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp',
+            }),
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiterals: {
+                        type: 'boolean',
+                        default: true,
+                        description: 'Allow literal string patterns',
+                    },
+                    trustedEscapingFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['escapeRegex', 'escape', 'sanitize'],
+                        description: 'Trusted functions that escape input',
+                    },
+                    maxPatternLength: {
+                        type: 'number',
+                        default: 100,
+                        minimum: 1,
+                        description: 'Maximum pattern length for dynamic regex',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiterals: true,
+            trustedEscapingFunctions: ['escapeRegex', 'escape', 'sanitize'],
+            maxPatternLength: 100,
+        },
+    ],
+    create(context, [options = {}]) {
+        const { allowLiterals = true, maxPatternLength = 100, trustedEscapingFunctions = ['escapeRegex', 'escape', 'sanitize'], } = options || {};
+        const sourceCode = context.sourceCode || context.sourceCode;
+        /**
+         * Check RegExp constructor calls
+         */
+        function checkRegExpCall(node) {
+            // Check for RegExp constructor
+            const isRegExpCall = (node.type === 'CallExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp') ||
+                (node.type === 'NewExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp');
+            if (!isRegExpCall) {
+                return;
+            }
+            const { patternNode, isUserInput: isUserInputValue, isEscaped: isEscapedValue } = extractPattern(node, sourceCode, trustedEscapingFunctions);
+            if (!patternNode) {
+                return;
+            }
+            // Check for literal strings
+            if (patternNode.type === 'Literal' && typeof patternNode.value === 'string') {
+                // Even literals can be unsafe if they're very long - check this regardless of allowLiterals
+                const patternLength = patternNode.value.length;
+                if (patternLength > maxPatternLength) {
+                    context.report({
+                        node: patternNode,
+                        messageId: 'unsafeRegexConstruction',
+                        data: {
+                            issue: 'Pattern too long',
+                            details: `Pattern length (${patternLength}) exceeds maximum (${maxPatternLength})`,
+                            fix: 'Split into smaller patterns or validate length',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'validatePattern',
+                                fix: () => null,
+                            },
+                        ],
+                    });
+                    return;
+                }
+                if (!allowLiterals) {
+                    // If we reach here, allowLiterals is false, so treat as unsafe
+                    context.report({
+                        node: patternNode,
+                        messageId: 'unsafeRegexConstruction',
+                        data: {
+                            issue: 'Literal regex pattern',
+                            details: 'Literal regex patterns should be avoided for security. Use variables instead.',
+                            fix: 'Use a variable or RegExp constructor with a string variable',
+                        },
+                        suggest: [
+                            {
+                                messageId: 'validatePattern',
+                                fix: () => null,
+                            },
+                        ],
+                    });
+                    return;
+                }
+            }
+            // Check for user input without escaping
+            if (isUserInputValue && !isEscapedValue) {
+                context.report({
+                    node: patternNode,
+                    messageId: 'unsafeRegexConstruction',
+                    data: {
+                        issue: 'User input in regex without escaping',
+                        details: 'User input in regex pattern can lead to ReDoS or injection attacks',
+                        fix: 'Escape special characters before using in regex',
+                    },
+                    suggest: [
+                        {
+                            messageId: 'escapeUserInput',
+                            fix: () => null,
+                        },
+                        {
+                            messageId: 'validatePattern',
+                            fix: () => null,
+                        },
+                        {
+                            messageId: 'useSafeLibrary',
+                            fix: () => null,
+                        },
+                    ],
+                });
+            }
+            // Check for dynamic flags
+            if (hasDynamicFlags(node)) {
+                context.report({
+                    node,
+                    messageId: 'unsafeRegexConstruction',
+                    data: {
+                        issue: 'Dynamic regex flags',
+                        details: 'Dynamic flags can lead to unexpected behavior or security issues',
+                        fix: 'Use static flags instead of dynamic flags',
+                    },
+                    suggest: [
+                        {
+                            messageId: 'avoidDynamicFlags',
+                            fix: () => null,
+                        },
+                    ],
+                });
+            }
+        }
+        return {
+            CallExpression: checkRegExpCall,
+            NewExpression: checkRegExpCall,
+        };
+    },
+});

package/src/rules/no-unvalidated-deeplinks/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Require validation of deep link URLs
+ */
+export interface Options {
+}
+export declare const noUnvalidatedDeeplinks: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-unvalidated-deeplinks/index.js ADDED Viewed

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * @fileoverview Require validation of deep link URLs
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnvalidatedDeeplinks = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noUnvalidatedDeeplinks = (0, eslint_devkit_1.createRule)({
+    name: 'no-unvalidated-deeplinks',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Require validation of deep link URLs',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Unvalidated Deeplink',
+                cwe: 'CWE-939',
+                description: 'Deep link URL used without validation - potential open redirect',
+                severity: 'HIGH',
+                fix: 'Validate deep link URLs against a whitelist before navigation',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/939.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        return {
+            CallExpression(node) {
+                // Detect Linking.openURL() with variable argument (React Native)
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    node.callee.object.name === 'Linking' &&
+                    node.callee.property.type === 'Identifier' &&
+                    node.callee.property.name === 'openURL') {
+                    const urlArg = node.arguments[0];
+                    // Flag if URL is a variable/expression, not a literal
+                    if (urlArg && urlArg.type === 'Identifier') {
+                        report(node);
+                    }
+                    if (urlArg && urlArg.type === 'MemberExpression') {
+                        report(node);
+                    }
+                }
+                // Detect navigation.navigate with external URLs
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.property.type === 'Identifier' &&
+                    node.callee.property.name === 'navigate') {
+                    const urlArg = node.arguments[0];
+                    if (urlArg && urlArg.type === 'Identifier') {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-unvalidated-user-input/index.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+export interface Options {
+    /** Allow unvalidated input in test files. Default: false */
+    allowInTests?: boolean;
+    /** Trusted validation libraries. Default: ['zod', 'joi', 'yup', 'class-validator'] */
+    trustedLibraries?: string[];
+    /** Additional safe patterns to ignore. Default: ['^safe', '^sanitized', '^validated', '^clean'] (prefix patterns) */
+    ignorePatterns?: string[];
+}
+export declare const noUnvalidatedUserInput: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;