npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/require-url-validation/index.js ADDED Viewed

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * @fileoverview Enforce URL validation before navigation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireUrlValidation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.requireUrlValidation = (0, eslint_devkit_1.createRule)({
+    name: 'require-url-validation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Enforce URL validation before navigation',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'URL Validation Required',
+                cwe: 'CWE-601',
+                description: 'Unvalidated URL used for navigation - this is a security risk',
+                severity: 'HIGH',
+                fix: 'Validate URLs before using them for navigation',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/601.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        return {
+            AssignmentExpression(node) {
+                // Detect window.location assignment from user input
+                if (node.left.type === 'MemberExpression' &&
+                    node.left.object.type === 'Identifier' &&
+                    node.left.object.name === 'window' &&
+                    node.left.property.type === 'Identifier' &&
+                    node.left.property.name === 'location') {
+                    // Flag if right side is a variable (not a literal URL)
+                    if (node.right.type === 'Identifier') {
+                        report(node);
+                    }
+                }
+                // Detect location.href assignment
+                if (node.left.type === 'MemberExpression' &&
+                    node.left.object.type === 'Identifier' &&
+                    node.left.object.name === 'location' &&
+                    node.left.property.type === 'Identifier' &&
+                    node.left.property.name === 'href') {
+                    if (node.right.type === 'Identifier') {
+                        report(node);
+                    }
+                }
+            },
+            CallExpression(node) {
+                // Detect window.open with variable URL
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    node.callee.object.name === 'window' &&
+                    node.callee.property.type === 'Identifier' &&
+                    node.callee.property.name === 'open') {
+                    const urlArg = node.arguments[0];
+                    if (urlArg && urlArg.type === 'Identifier') {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/types/index.d.ts ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * eslint-plugin-secure-coding Type Exports
+ *
+ * Barrel file that exports all security rule Options types with consistent naming.
+ *
+ * Usage:
+ * ```typescript
+ * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
+ *
+ * const config: NoHardcodedCredentialsOptions = {
+ *   ignorePatterns: ['test/*'],
+ * };
+ * ```
+ */
+import type { Options as DetectEvalWithExpressionOptions } from '../rules/detect-eval-with-expression';
+import type { Options as DetectChildProcessOptions } from '../rules/detect-child-process';
+import type { Options as NoUnsafeDynamicRequireOptions } from '../rules/no-unsafe-dynamic-require';
+import type { Options as NoGraphqlInjectionOptions } from '../rules/no-graphql-injection';
+import type { Options as NoXxeInjectionOptions } from '../rules/no-xxe-injection';
+import type { Options as NoXpathInjectionOptions } from '../rules/no-xpath-injection';
+import type { Options as NoLdapInjectionOptions } from '../rules/no-ldap-injection';
+import type { Options as NoDirectiveInjectionOptions } from '../rules/no-directive-injection';
+import type { Options as NoFormatStringInjectionOptions } from '../rules/no-format-string-injection';
+import type { Options as DetectNonLiteralFsFilenameOptions } from '../rules/detect-non-literal-fs-filename';
+import type { Options as NoZipSlipOptions } from '../rules/no-zip-slip';
+import type { Options as NoToctouVulnerabilityOptions } from '../rules/no-toctou-vulnerability';
+import type { Options as DetectNonLiteralRegexpOptions } from '../rules/detect-non-literal-regexp';
+import type { Options as NoRedosVulnerableRegexOptions } from '../rules/no-redos-vulnerable-regex';
+import type { Options as NoUnsafeRegexConstructionOptions } from '../rules/no-unsafe-regex-construction';
+import type { Options as DetectObjectInjectionOptions } from '../rules/detect-object-injection';
+import type { Options as NoUnsafeDeserializationOptions } from '../rules/no-unsafe-deserialization';
+import type { Options as NoHardcodedCredentialsOptions } from '../rules/no-hardcoded-credentials';
+import type { Options as NoInsecureComparisonOptions } from '../rules/no-insecure-comparison';
+import type { Options as NoUnvalidatedUserInputOptions } from '../rules/no-unvalidated-user-input';
+import type { Options as NoUnescapedUrlParameterOptions } from '../rules/no-unescaped-url-parameter';
+import type { Options as NoImproperSanitizationOptions } from '../rules/no-improper-sanitization';
+import type { Options as NoImproperTypeValidationOptions } from '../rules/no-improper-type-validation';
+import type { Options as NoMissingAuthenticationOptions } from '../rules/no-missing-authentication';
+import type { Options as NoPrivilegeEscalationOptions } from '../rules/no-privilege-escalation';
+import type { Options as NoWeakPasswordRecoveryOptions } from '../rules/no-weak-password-recovery';
+import type { Options as NoMissingCsrfProtectionOptions } from '../rules/no-missing-csrf-protection';
+import type { Options as NoMissingCorsCheckOptions } from '../rules/no-missing-cors-check';
+import type { Options as NoMissingSecurityHeadersOptions } from '../rules/no-missing-security-headers';
+import type { Options as NoInsecureRedirectsOptions } from '../rules/no-insecure-redirects';
+import type { Options as NoUnencryptedTransmissionOptions } from '../rules/no-unencrypted-transmission';
+import type { Options as NoClickjackingOptions } from '../rules/no-clickjacking';
+import type { Options as NoExposedSensitiveDataOptions } from '../rules/no-exposed-sensitive-data';
+import type { Options as NoSensitiveDataExposureOptions } from '../rules/no-sensitive-data-exposure';
+import type { Options as NoBufferOverreadOptions } from '../rules/no-buffer-overread';
+import type { Options as NoUnlimitedResourceAllocationOptions } from '../rules/no-unlimited-resource-allocation';
+import type { Options as NoUncheckedLoopConditionOptions } from '../rules/no-unchecked-loop-condition';
+import type { Options as NoElectronSecurityIssuesOptions } from '../rules/no-electron-security-issues';
+export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
+/**
+ * Combined type for all security rule options
+ * Useful for creating unified configuration objects
+ *
+ * @example
+ * ```typescript
+ * const config: AllSecurityRulesOptions = {
+ *   'no-hardcoded-credentials': {
+ *     ignorePatterns: ['test/*'],
+ *   },
+ * };
+ * ```
+ */
+export type AllSecurityRulesOptions = {
+    'detect-eval-with-expression'?: DetectEvalWithExpressionOptions;
+    'detect-child-process'?: DetectChildProcessOptions;
+    'no-unsafe-dynamic-require'?: NoUnsafeDynamicRequireOptions;
+    'no-graphql-injection'?: NoGraphqlInjectionOptions;
+    'no-xxe-injection'?: NoXxeInjectionOptions;
+    'no-xpath-injection'?: NoXpathInjectionOptions;
+    'no-ldap-injection'?: NoLdapInjectionOptions;
+    'no-directive-injection'?: NoDirectiveInjectionOptions;
+    'no-format-string-injection'?: NoFormatStringInjectionOptions;
+    'detect-non-literal-fs-filename'?: DetectNonLiteralFsFilenameOptions;
+    'no-zip-slip'?: NoZipSlipOptions;
+    'no-toctou-vulnerability'?: NoToctouVulnerabilityOptions;
+    'detect-non-literal-regexp'?: DetectNonLiteralRegexpOptions;
+    'no-redos-vulnerable-regex'?: NoRedosVulnerableRegexOptions;
+    'no-unsafe-regex-construction'?: NoUnsafeRegexConstructionOptions;
+    'detect-object-injection'?: DetectObjectInjectionOptions;
+    'no-unsafe-deserialization'?: NoUnsafeDeserializationOptions;
+    'no-hardcoded-credentials'?: NoHardcodedCredentialsOptions;
+    'no-insecure-comparison'?: NoInsecureComparisonOptions;
+    'no-unvalidated-user-input'?: NoUnvalidatedUserInputOptions;
+    'no-unescaped-url-parameter'?: NoUnescapedUrlParameterOptions;
+    'no-improper-sanitization'?: NoImproperSanitizationOptions;
+    'no-improper-type-validation'?: NoImproperTypeValidationOptions;
+    'no-missing-authentication'?: NoMissingAuthenticationOptions;
+    'no-privilege-escalation'?: NoPrivilegeEscalationOptions;
+    'no-weak-password-recovery'?: NoWeakPasswordRecoveryOptions;
+    'no-missing-csrf-protection'?: NoMissingCsrfProtectionOptions;
+    'no-missing-cors-check'?: NoMissingCorsCheckOptions;
+    'no-missing-security-headers'?: NoMissingSecurityHeadersOptions;
+    'no-insecure-redirects'?: NoInsecureRedirectsOptions;
+    'no-unencrypted-transmission'?: NoUnencryptedTransmissionOptions;
+    'no-clickjacking'?: NoClickjackingOptions;
+    'no-exposed-sensitive-data'?: NoExposedSensitiveDataOptions;
+    'no-sensitive-data-exposure'?: NoSensitiveDataExposureOptions;
+    'no-buffer-overread'?: NoBufferOverreadOptions;
+    'no-unlimited-resource-allocation'?: NoUnlimitedResourceAllocationOptions;
+    'no-unchecked-loop-condition'?: NoUncheckedLoopConditionOptions;
+    'no-electron-security-issues'?: NoElectronSecurityIssuesOptions;
+};

package/src/types/index.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * eslint-plugin-secure-coding Type Exports
+ *
+ * Barrel file that exports all security rule Options types with consistent naming.
+ *
+ * Usage:
+ * ```typescript
+ * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
+ *
+ * const config: NoHardcodedCredentialsOptions = {
+ *   ignorePatterns: ['test/*'],
+ * };
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });