npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-weak-password-recovery/index.js ADDED Viewed

@@ -0,0 +1,424 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noWeakPasswordRecovery = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noWeakPasswordRecovery = (0, eslint_devkit_1.createRule)({
+    name: 'no-weak-password-recovery',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects weak password recovery mechanisms',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            weakPasswordRecovery: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Weak Password Recovery',
+                cwe: 'CWE-640',
+                description: 'Password recovery mechanism has security weaknesses',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            missingRateLimit: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Rate Limit',
+                cwe: 'CWE-640',
+                description: 'Password recovery attempts not rate limited',
+                severity: 'HIGH',
+                fix: 'Implement rate limiting on recovery requests',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            predictableRecoveryToken: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Predictable Recovery Token',
+                cwe: 'CWE-640',
+                description: 'Recovery token can be predicted or guessed',
+                severity: 'CRITICAL',
+                fix: 'Use cryptographically secure random tokens',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            unlimitedRecoveryAttempts: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unlimited Recovery Attempts',
+                cwe: 'CWE-640',
+                description: 'No limit on password recovery attempts',
+                severity: 'MEDIUM',
+                fix: 'Limit recovery attempts per time period',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            insufficientTokenEntropy: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Insufficient Token Entropy',
+                cwe: 'CWE-640',
+                description: 'Recovery token has insufficient randomness',
+                severity: 'HIGH',
+                fix: 'Use at least 128-bit entropy for tokens',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            missingTokenExpiration: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Token Expiration',
+                cwe: 'CWE-640',
+                description: 'Recovery tokens never expire',
+                severity: 'HIGH',
+                fix: 'Implement token expiration (15-60 minutes)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            recoveryLoggingSensitiveData: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Recovery Logging Sensitive Data',
+                cwe: 'CWE-640',
+                description: 'Logging sensitive data during password recovery',
+                severity: 'MEDIUM',
+                fix: 'Never log passwords, tokens, or sensitive recovery data',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            weakRecoveryVerification: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Weak Recovery Verification',
+                cwe: 'CWE-640',
+                description: 'Recovery request verification is insufficient',
+                severity: 'HIGH',
+                fix: 'Require strong verification (email + SMS, security questions)',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            tokenReuseVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Token Reuse Vulnerability',
+                cwe: 'CWE-640',
+                description: 'Recovery tokens can be reused',
+                severity: 'HIGH',
+                fix: 'Mark tokens as used after successful recovery',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            implementRateLimiting: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Rate Limiting',
+                description: 'Add rate limiting to recovery endpoints',
+                severity: 'LOW',
+                fix: 'Limit recovery attempts to 5 per hour per IP/user',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            useCryptographicallySecureTokens: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Cryptographically Secure Tokens',
+                description: 'Generate tokens with crypto.randomBytes()',
+                severity: 'LOW',
+                fix: 'const token = crypto.randomBytes(32).toString("hex");',
+                documentationLink: 'https://nodejs.org/api/crypto.html#cryptorandombytessize-callback',
+            }),
+            implementTokenExpiration: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Token Expiration',
+                description: 'Set reasonable token expiration times',
+                severity: 'LOW',
+                fix: 'Expire tokens after 15-60 minutes',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            }),
+            secureRecoveryFlow: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Secure Recovery Flow',
+                description: 'Implement secure password recovery flow',
+                severity: 'LOW',
+                fix: 'Verify identity, send secure link, require current password',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html',
+            }),
+            strategyMultiFactor: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Multi-Factor Strategy',
+                description: 'Require multiple verification factors',
+                severity: 'LOW',
+                fix: 'Email + SMS verification for password recovery',
+                documentationLink: 'https://owasp.org/www-community/attacks/Brute_force_attack',
+            }),
+            strategyOutOfBandVerification: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Out-of-Band Verification Strategy',
+                description: 'Use out-of-band verification channels',
+                severity: 'LOW',
+                fix: 'Send recovery codes via SMS or authenticator app',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html',
+            }),
+            strategyTimeBoundTokens: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Time-Bound Tokens Strategy',
+                description: 'Use time-bound recovery tokens',
+                severity: 'LOW',
+                fix: 'Tokens expire quickly and can only be used once',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/640.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    minTokenEntropy: {
+                        type: 'number',
+                        minimum: 64,
+                        default: 128,
+                    },
+                    maxTokenLifetimeHours: {
+                        type: 'number',
+                        minimum: 0.25,
+                        default: 1,
+                    },
+                    recoveryKeywords: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['reset', 'password', 'recovery', 'forgot', 'token', 'resetToken'],
+                    },
+                    secureTokenFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as secure',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            minTokenEntropy: 128,
+            maxTokenLifetimeHours: 1,
+            recoveryKeywords: ['reset', 'password', 'recovery', 'forgot', 'token', 'resetToken'],
+            secureTokenFunctions: ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'],
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { secureTokenFunctions = ['crypto.randomBytes', 'crypto.randomUUID', 'randomBytes', 'generateSecureToken'], trustedSanitizers = [], trustedAnnotations = ['secure-recovery', 'rate-limited'], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        /**
+         * Check if code is specifically related to password recovery
+         * Requires MULTIPLE indicators to avoid false positives on general password handling
+         * Only returns true for functions that BOTH:
+         * 1. Have password/forgot in the name
+         * 2. AND have reset/recovery/forgot in the name
+         */
+        const isRecoveryRelated = (text) => {
+            const lowerText = text.toLowerCase();
+            // Require BOTH a password keyword AND a recovery action keyword
+            const passwordKeywords = ['password', 'pwd'];
+            const recoveryKeywords = ['reset', 'recover', 'forgot', 'restore'];
+            const hasPasswordKeyword = passwordKeywords.some(keyword => lowerText.includes(keyword));
+            const hasRecoveryKeyword = recoveryKeywords.some(keyword => lowerText.includes(keyword));
+            // Both must be present to be considered recovery-related
+            if (hasPasswordKeyword && hasRecoveryKeyword) {
+                return true;
+            }
+            // Also check for compound patterns that strongly indicate password recovery
+            const strongRecoveryPatterns = [
+                'resetpassword', 'passwordreset', 'forgotpassword', 'passwordrecovery',
+                'recoverytoken', 'password_reset', 'forgot_password', 'reset_password',
+                'passwordforgot', 'recoverpassword'
+            ];
+            return strongRecoveryPatterns.some(pattern => lowerText.includes(pattern));
+        };
+        /**
+         * Check if token generation is cryptographically secure
+         */
+        const isSecureTokenGeneration = (callExpression) => {
+            const callText = sourceCode.getText(callExpression);
+            return secureTokenFunctions.some(func => callText.includes(func));
+        };
+        /**
+         * Check if token has expiration
+         */
+        const hasTokenExpiration = (functionNode) => {
+            const functionText = sourceCode.getText(functionNode).toLowerCase();
+            return functionText.includes('expire') ||
+                functionText.includes('ttl') ||
+                functionText.includes('timeout') ||
+                functionText.includes('lifetime');
+        };
+        return {
+            // Check variable declarations for recovery tokens
+            VariableDeclarator(node) {
+                if (!node.init || node.id.type !== 'Identifier') {
+                    return;
+                }
+                const varName = node.id.name.toLowerCase();
+                // Check if variable is specifically password-recovery-related (not just any token)
+                if (isRecoveryRelated(varName)) {
+                    const initText = sourceCode.getText(node.init);
+                    // Check for weak token generation
+                    if (node.init.type === 'CallExpression') {
+                        if (!isSecureTokenGeneration(node.init)) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context) || (node.parent && safetyChecker.isSafe(node.parent, context))) {
+                                return;
+                            }
+                            context.report({
+                                node: node.init,
+                                messageId: 'predictableRecoveryToken',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                    else if (node.init.type === 'BinaryExpression') {
+                        // Check for predictable patterns
+                        const weakPatterns = ['Date.now()', 'Math.random()', 'timestamp', 'new Date()'];
+                        if (weakPatterns.some(pattern => initText.includes(pattern))) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context) || (node.parent && safetyChecker.isSafe(node.parent, context))) {
+                                return;
+                            }
+                            context.report({
+                                node: node.init,
+                                messageId: 'insufficientTokenEntropy',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check function declarations for recovery logic
+            // ONLY check function NAME to avoid FPs on any function that mentions "password"
+            FunctionDeclaration(node) {
+                if (!node.id) {
+                    return;
+                }
+                const functionName = node.id.name;
+                const functionText = sourceCode.getText(node).toLowerCase();
+                // IMPORTANT: Only check the function NAME, not the entire body
+                // This prevents flagging every function that happens to contain "password"
+                if (isRecoveryRelated(functionName)) {
+                    // Check for token expiration
+                    if (!hasTokenExpiration(node)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node: node.id,
+                            messageId: 'missingTokenExpiration',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                    // Check for rate limiting (very basic check)
+                    if (!functionText.includes('limit') && !functionText.includes('rate')) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node: node.id,
+                            messageId: 'missingRateLimit',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check call expressions for logging sensitive data
+            CallExpression(node) {
+                const callee = node.callee;
+                // Check for console.log, logger calls
+                if ((callee.type === 'MemberExpression' &&
+                    callee.object.type === 'Identifier' &&
+                    (callee.object.name === 'console' || callee.object.name === 'logger') &&
+                    callee.property.type === 'Identifier' &&
+                    ['log', 'info', 'warn', 'error'].includes(callee.property.name)) ||
+                    (callee.type === 'Identifier' && callee.name === 'logger')) {
+                    const args = node.arguments;
+                    for (const arg of args) {
+                        // Ignore literal strings (labels, messages) - focusing on sensitive variables
+                        if (arg.type === 'Literal') {
+                            continue;
+                        }
+                        const argText = sourceCode.getText(arg).toLowerCase();
+                        // Check if logging recovery-related sensitive data
+                        if (isRecoveryRelated(argText) &&
+                            (argText.includes('token') || argText.includes('password') ||
+                                argText.includes('reset') || argText.includes('code'))) {
+                            // FALSE POSITIVE REDUCTION
+                            if (safetyChecker.isSafe(node, context)) {
+                                continue;
+                            }
+                            context.report({
+                                node: arg,
+                                messageId: 'recoveryLoggingSensitiveData',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check for weak recovery verification
+            IfStatement(node) {
+                const test = node.test;
+                const testText = sourceCode.getText(test).toLowerCase();
+                // Check if this is a recovery-related condition
+                if (isRecoveryRelated(testText)) {
+                    // Look for weak verification (just checking email exists)
+                    if (testText.includes('email') && !testText.includes('verify') &&
+                        !testText.includes('token') && !testText.includes('code') &&
+                        !testText.includes('otp') && !testText.includes('sms')) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node: test,
+                            messageId: 'weakRecoveryVerification',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-xpath-injection/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** XPath-related function names to check */
+    xpathFunctions?: string[];
+    /** Functions that safely construct XPath queries */
+    safeXpathConstructors?: string[];
+    /** Functions that validate/sanitize XPath input */
+    xpathValidationFunctions?: string[];
+}
+export declare const noXpathInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;