npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-xpath-injection/index.js ADDED Viewed

@@ -0,0 +1,487 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noXpathInjection = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noXpathInjection = (0, eslint_devkit_1.createRule)({
+    name: 'no-xpath-injection',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects XPath injection vulnerabilities',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            xpathInjection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'XPath Injection',
+                cwe: 'CWE-643',
+                description: 'XPath injection vulnerability detected',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/643.html',
+            }),
+            unsafeXpathConcatenation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe XPath Concatenation',
+                cwe: 'CWE-643',
+                description: 'Unsafe string concatenation in XPath expression',
+                severity: 'HIGH',
+                fix: 'Use parameterized XPath or escape user input',
+                documentationLink: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+            }),
+            unvalidatedXpathInput: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unvalidated XPath Input',
+                cwe: 'CWE-643',
+                description: 'XPath query uses unvalidated user input',
+                severity: 'MEDIUM',
+                fix: 'Validate and sanitize XPath input before use',
+                documentationLink: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+            }),
+            dangerousXpathExpression: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Dangerous XPath Expression',
+                cwe: 'CWE-643',
+                description: 'XPath expression allows dangerous operations',
+                severity: 'MEDIUM',
+                fix: 'Restrict XPath to safe patterns and validate expressions',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/643.html',
+            }),
+            useParameterizedXpath: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use Parameterized XPath',
+                description: 'Use parameterized XPath queries',
+                severity: 'LOW',
+                fix: 'Construct XPath with proper escaping and validation',
+                documentationLink: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+            }),
+            escapeXpathInput: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Escape XPath Input',
+                description: 'Escape special characters in XPath input',
+                severity: 'LOW',
+                fix: 'Use xpath.escape() or equivalent escaping function',
+                documentationLink: 'https://www.npmjs.com/package/xpath-escape',
+            }),
+            validateXpathQueries: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Validate XPath Queries',
+                description: 'Validate XPath queries against allowed patterns',
+                severity: 'LOW',
+                fix: 'Whitelist allowed XPath operations and validate syntax',
+                documentationLink: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+            }),
+            strategyParameterizedQueries: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Parameterized Queries Strategy',
+                description: 'Use parameterized XPath construction',
+                severity: 'LOW',
+                fix: 'Build XPath queries programmatically with escaped parameters',
+                documentationLink: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+            }),
+            strategyInputValidation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Input Validation Strategy',
+                description: 'Validate XPath input at application boundary',
+                severity: 'LOW',
+                fix: 'Validate XPath syntax and restrict to safe operations',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/643.html',
+            }),
+            strategySafeConstruction: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Safe Construction Strategy',
+                description: 'Use safe XPath construction libraries',
+                severity: 'LOW',
+                fix: 'Use libraries that provide safe XPath building',
+                documentationLink: 'https://www.npmjs.com/package/xpath-builder',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    xpathFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['evaluate', 'selectSingleNode', 'selectNodes', 'xpath', 'select'],
+                    },
+                    safeXpathConstructors: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['buildXPath', 'createXPath', 'safeXPath', 'xpathBuilder'],
+                    },
+                    xpathValidationFunctions: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['validateXPath', 'escapeXPath', 'sanitizeXPath', 'cleanXPath'],
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as XPath sanitizers',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            xpathFunctions: ['evaluate', 'selectSingleNode', 'selectNodes', 'xpath', 'select'],
+            safeXpathConstructors: ['buildXPath', 'createXPath', 'safeXPath', 'xpathBuilder'],
+            xpathValidationFunctions: ['validateXPath', 'escapeXPath', 'sanitizeXPath', 'cleanXPath'],
+            trustedSanitizers: [],
+            trustedAnnotations: ['@xpath-safe'],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { xpathFunctions = ['evaluate', 'selectSingleNode', 'selectNodes', 'xpath', 'select'], safeXpathConstructors = ['buildXPath', 'createXPath', 'safeXPath', 'xpathBuilder'], xpathValidationFunctions = ['validateXPath', 'escapeXPath', 'sanitizeXPath', 'cleanXPath'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        // Track variables that have been validated/sanitized
+        const validatedVariables = new Set();
+        /**
+         * Check if this is an XPath-related operation
+         */
+        const isXpathOperation = (node) => {
+            const callee = node.callee;
+            // Check for XPath method calls
+            if (callee.type === 'MemberExpression' &&
+                callee.property.type === 'Identifier' &&
+                xpathFunctions.includes(callee.property.name)) {
+                return true;
+            }
+            // Check for XPath library calls
+            if (callee.type === 'Identifier' && xpathFunctions.includes(callee.name)) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if XPath expression contains dangerous patterns
+         */
+        const containsDangerousXpath = (xpathText) => {
+            // Dangerous XPath patterns that allow traversal or injection
+            const dangerousPatterns = [
+                /\.\./, // Parent directory traversal
+                /\/\*/, // All children selector
+                /\[.*\*\]/, // Wildcard in predicates
+                /\/\//, // Descendant-or-self axis (can be dangerous in some contexts)
+                /text\(\)/, // Content extraction
+                /comment\(\)/, // Comment extraction
+                /processing-instruction\(\)/, // Processing instruction extraction
+            ];
+            return dangerousPatterns.some(pattern => pattern.test(xpathText));
+        };
+        /**
+         * Check if string contains XPath interpolation
+         */
+        const containsXpathInterpolation = (text) => {
+            return /\$\{[^}]+\}/.test(text) || /'[^']*\+[^+]*'/.test(text) || /"[^"]*\+[^+]*"/.test(text);
+        };
+        /**
+         * Check if XPath input is from untrusted source
+         */
+        const isUntrustedXpathInput = (inputNode) => {
+            if (inputNode.type === 'MemberExpression') {
+                // Check patterns like req.query.*, req.body.*, req.params.*
+                if (inputNode.object.type === 'MemberExpression' &&
+                    inputNode.object.object.type === 'Identifier' &&
+                    inputNode.object.object.name === 'req' &&
+                    inputNode.object.property.type === 'Identifier' &&
+                    ['query', 'body', 'params', 'param'].includes(inputNode.object.property.name)) {
+                    return true;
+                }
+                // Check patterns like req.*
+                if (inputNode.object.type === 'Identifier' && inputNode.object.name === 'req') {
+                    return true;
+                }
+            }
+            if (inputNode.type !== 'Identifier') {
+                return false;
+            }
+            const varName = inputNode.name.toLowerCase();
+            if (['req', 'request', 'query', 'params', 'input', 'user', 'search'].some(keyword => varName.includes(keyword))) {
+                return true;
+            }
+            // Check if it comes from function parameters
+            let current = inputNode;
+            while (current) {
+                if (current.type === 'FunctionDeclaration' ||
+                    current.type === 'FunctionExpression' ||
+                    current.type === 'ArrowFunctionExpression') {
+                    const func = current;
+                    return func.params.some((param) => {
+                        if (param.type === 'Identifier') {
+                            return param.name === inputNode.name;
+                        }
+                        return false;
+                    });
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check if XPath input has been validated
+         */
+        const isXpathInputValidated = (inputNode) => {
+            let current = inputNode;
+            while (current) {
+                if (current.type === 'CallExpression' &&
+                    current.callee.type === 'Identifier' &&
+                    xpathValidationFunctions.includes(current.callee.name)) {
+                    return true;
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check for safe annotation on containing statement or variable declaration
+         */
+        const hasSafeAnnotationOnStatement = (node) => {
+            let current = node;
+            // Walk up to find VariableDeclaration, ExpressionStatement, FunctionDeclaration, or containing statement
+            while (current) {
+                if (current.type === 'VariableDeclaration' ||
+                    current.type === 'ExpressionStatement' ||
+                    current.type === 'FunctionDeclaration') {
+                    // Check for JSDoc comments before this statement
+                    const comments = sourceCode.getCommentsBefore(current);
+                    for (const comment of comments) {
+                        if (comment.type === 'Block' && comment.value.includes('@xpath-safe')) {
+                            return true;
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        /**
+         * Check if XPath is constructed safely
+         */
+        const isSafeXpathConstruction = (node) => {
+            let current = node;
+            while (current) {
+                if (current.type === 'CallExpression' &&
+                    current.callee.type === 'Identifier' &&
+                    safeXpathConstructors.includes(current.callee.name)) {
+                    return true;
+                }
+                current = current.parent;
+            }
+            return false;
+        };
+        return {
+            // Check XPath function calls
+            CallExpression(node) {
+                if (!isXpathOperation(node)) {
+                    return;
+                }
+                const args = node.arguments;
+                if (args.length === 0) {
+                    return;
+                }
+                // Check first argument (usually the XPath expression)
+                const xpathArg = args[0];
+                if (xpathArg.type === 'Literal' && typeof xpathArg.value === 'string') {
+                    const xpathText = xpathArg.value;
+                    // Check for dangerous XPath patterns
+                    if (containsDangerousXpath(xpathText)) {
+                        // FALSE POSITIVE REDUCTION: Skip if annotated as safe
+                        if ((0, eslint_devkit_3.hasSafeAnnotation)(xpathArg, context, trustedAnnotations) || hasSafeAnnotationOnStatement(node)) {
+                            return;
+                        }
+                        context.report({
+                            node: xpathArg,
+                            messageId: 'dangerousXpathExpression',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+                else if (xpathArg.type === 'Identifier') {
+                    // Check if XPath comes from untrusted input
+                    if (isUntrustedXpathInput(xpathArg) && !isXpathInputValidated(xpathArg) &&
+                        !(xpathArg.type === 'Identifier' && validatedVariables.has(xpathArg.name))) {
+                        // FALSE POSITIVE REDUCTION
+                        if ((0, eslint_devkit_3.hasSafeAnnotation)(xpathArg, context, trustedAnnotations) || safetyChecker.isSafe(xpathArg, context) || hasSafeAnnotationOnStatement(node)) {
+                            return;
+                        }
+                        context.report({
+                            node: xpathArg,
+                            messageId: 'unvalidatedXpathInput',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check template literals for XPath expressions
+            TemplateLiteral(node) {
+                const fullText = sourceCode.getText(node);
+                // Check if this looks like an XPath expression
+                if (!fullText.includes('/') && !fullText.includes('[') && !fullText.includes('@')) {
+                    return;
+                }
+                // Check for interpolation in XPath-like expressions
+                if (containsXpathInterpolation(fullText)) {
+                    // Check if any interpolated values are untrusted
+                    const hasUntrustedInterpolation = node.expressions.some((expr) => isUntrustedXpathInput(expr) && !isXpathInputValidated(expr) && !(expr.type === 'Identifier' && validatedVariables.has(expr.name)));
+                    if (hasUntrustedInterpolation) {
+                        // FALSE POSITIVE REDUCTION: Check for safe annotation
+                        if (hasSafeAnnotationOnStatement(node)) {
+                            return;
+                        }
+                        context.report({
+                            node,
+                            messageId: 'unsafeXpathConcatenation',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                            suggest: [
+                                {
+                                    messageId: 'useParameterizedXpath',
+                                    fix: () => null
+                                },
+                            ],
+                        });
+                    }
+                }
+                // Check for dangerous patterns in template literals
+                if (containsDangerousXpath(fullText)) {
+                    // FALSE POSITIVE REDUCTION: Check for safe annotation
+                    if (hasSafeAnnotationOnStatement(node)) {
+                        return;
+                    }
+                    context.report({
+                        node,
+                        messageId: 'dangerousXpathExpression',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                        },
+                    });
+                }
+            },
+            // Check binary expressions (string concatenation)
+            BinaryExpression(node) {
+                if (node.operator !== '+') {
+                    return;
+                }
+                const fullText = sourceCode.getText(node);
+                // Check if this looks like XPath construction
+                if (!fullText.includes('/') && !fullText.includes('[')) {
+                    return;
+                }
+                // Check if either side contains XPath-like patterns
+                const leftText = sourceCode.getText(node.left);
+                const rightText = sourceCode.getText(node.right);
+                if ((leftText.includes('/') || leftText.includes('[')) ||
+                    (rightText.includes('/') || rightText.includes('['))) {
+                    // Check if untrusted input is involved
+                    const leftUntrusted = isUntrustedXpathInput(node.left) && !isXpathInputValidated(node.left) && !(node.left.type === 'Identifier' && validatedVariables.has(node.left.name));
+                    const rightUntrusted = isUntrustedXpathInput(node.right) && !isXpathInputValidated(node.right) && !(node.right.type === 'Identifier' && validatedVariables.has(node.right.name));
+                    if (leftUntrusted || rightUntrusted) {
+                        // FALSE POSITIVE REDUCTION
+                        if (safetyChecker.isSafe(node, context) || hasSafeAnnotationOnStatement(node)) {
+                            return;
+                        }
+                        context.report({
+                            node,
+                            messageId: 'xpathInjection',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                                severity: 'HIGH',
+                                safeAlternative: 'Use parameterized XPath construction with input validation',
+                            },
+                        });
+                    }
+                }
+            },
+            // Check variable assignments with XPath expressions
+            VariableDeclarator(node) {
+                if (!node.init || node.id.type !== 'Identifier') {
+                    return;
+                }
+                const varName = node.id.name;
+                // Track variables that are assigned the result of sanitization functions
+                if (node.init.type === 'CallExpression' &&
+                    node.init.callee.type === 'Identifier' &&
+                    (xpathValidationFunctions.includes(node.init.callee.name) || trustedSanitizers.includes(node.init.callee.name))) {
+                    validatedVariables.add(varName);
+                }
+                const varNameLower = varName.toLowerCase();
+                if (!varNameLower.includes('xpath') && !varNameLower.includes('query') && !varNameLower.includes('path')) {
+                    return;
+                }
+                // Check if assigned value contains dangerous XPath
+                if (node.init.type === 'Literal' && typeof node.init.value === 'string') {
+                    if (containsDangerousXpath(node.init.value)) {
+                        // FALSE POSITIVE REDUCTION
+                        if (safetyChecker.isSafe(node.init, context) || hasSafeAnnotationOnStatement(node)) {
+                            return;
+                        }
+                        context.report({
+                            node: node.init,
+                            messageId: 'dangerousXpathExpression',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+                else if (isUntrustedXpathInput(node.init) && !isSafeXpathConstruction(node.init)) {
+                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                    if (safetyChecker.isSafe(node.init, context)) {
+                        return;
+                    }
+                    /* c8 ignore stop */
+                    context.report({
+                        node: node.init,
+                        messageId: 'xpathInjection',
+                        data: {
+                            filePath: filename,
+                            line: String(node.loc?.start.line ?? 0),
+                            severity: 'MEDIUM',
+                            safeAlternative: 'Use safe XPath construction methods',
+                        },
+                    });
+                }
+            }
+        };
+    },
+});

package/src/rules/no-xxe-injection/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export interface Options {
+    /** Parser options that indicate safe configuration */
+    safeParserOptions?: string[];
+    /** Functions that validate/sanitize XML input */
+    xmlValidationFunctions?: string[];
+}
+export declare const noXxeInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;