eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (337)
  1. package/CHANGELOG.md +51 -1
  2. package/README.md +2 -2
  3. package/package.json +1 -1
  4. package/src/index.d.ts +32 -0
  5. package/src/index.js +416 -0
  6. package/src/rules/detect-child-process/index.d.ts +11 -0
  7. package/src/rules/detect-child-process/index.js +529 -0
  8. package/src/rules/detect-eval-with-expression/index.d.ts +9 -0
  9. package/src/rules/detect-eval-with-expression/index.js +392 -0
  10. package/src/rules/detect-mixed-content/index.d.ts +8 -0
  11. package/src/rules/detect-mixed-content/index.js +44 -0
  12. package/src/rules/detect-non-literal-fs-filename/index.d.ts +7 -0
  13. package/src/rules/detect-non-literal-fs-filename/index.js +454 -0
  14. package/src/rules/detect-non-literal-regexp/index.d.ts +9 -0
  15. package/src/rules/detect-non-literal-regexp/index.js +403 -0
  16. package/src/rules/detect-object-injection/index.d.ts +11 -0
  17. package/src/rules/detect-object-injection/index.js +560 -0
  18. package/src/rules/detect-suspicious-dependencies/index.d.ts +8 -0
  19. package/src/rules/detect-suspicious-dependencies/index.js +71 -0
  20. package/src/rules/detect-weak-password-validation/index.d.ts +6 -0
  21. package/src/rules/detect-weak-password-validation/index.js +58 -0
  22. package/src/rules/no-allow-arbitrary-loads/index.d.ts +8 -0
  23. package/src/rules/no-allow-arbitrary-loads/index.js +47 -0
  24. package/src/rules/no-arbitrary-file-access/index.d.ts +13 -0
  25. package/src/rules/no-arbitrary-file-access/index.js +195 -0
  26. package/src/rules/no-buffer-overread/index.d.ts +29 -0
  27. package/src/rules/no-buffer-overread/index.js +606 -0
  28. package/src/rules/no-clickjacking/index.d.ts +10 -0
  29. package/src/rules/no-clickjacking/index.js +396 -0
  30. package/src/rules/no-client-side-auth-logic/index.d.ts +6 -0
  31. package/src/rules/no-client-side-auth-logic/index.js +69 -0
  32. package/src/rules/no-credentials-in-query-params/index.d.ts +8 -0
  33. package/src/rules/no-credentials-in-query-params/index.js +57 -0
  34. package/src/rules/no-data-in-temp-storage/index.d.ts +6 -0
  35. package/src/rules/no-data-in-temp-storage/index.js +64 -0
  36. package/src/rules/no-debug-code-in-production/index.d.ts +8 -0
  37. package/src/rules/no-debug-code-in-production/index.js +51 -0
  38. package/src/rules/no-directive-injection/index.d.ts +12 -0
  39. package/src/rules/no-directive-injection/index.js +457 -0
  40. package/src/rules/no-disabled-certificate-validation/index.d.ts +6 -0
  41. package/src/rules/no-disabled-certificate-validation/index.js +61 -0
  42. package/src/rules/no-dynamic-dependency-loading/index.d.ts +8 -0
  43. package/src/rules/no-dynamic-dependency-loading/index.js +51 -0
  44. package/src/rules/no-electron-security-issues/index.d.ts +10 -0
  45. package/src/rules/no-electron-security-issues/index.js +423 -0
  46. package/src/rules/no-exposed-debug-endpoints/index.d.ts +6 -0
  47. package/src/rules/no-exposed-debug-endpoints/index.js +62 -0
  48. package/src/rules/no-exposed-sensitive-data/index.d.ts +11 -0
  49. package/src/rules/no-exposed-sensitive-data/index.js +340 -0
  50. package/src/rules/no-format-string-injection/index.d.ts +17 -0
  51. package/src/rules/no-format-string-injection/index.js +660 -0
  52. package/src/rules/no-graphql-injection/index.d.ts +12 -0
  53. package/src/rules/no-graphql-injection/index.js +411 -0
  54. package/src/rules/no-hardcoded-credentials/index.d.ts +26 -0
  55. package/src/rules/no-hardcoded-credentials/index.js +376 -0
  56. package/src/rules/no-hardcoded-session-tokens/index.d.ts +6 -0
  57. package/src/rules/no-hardcoded-session-tokens/index.js +59 -0
  58. package/src/rules/no-http-urls/index.d.ts +12 -0
  59. package/src/rules/no-http-urls/index.js +114 -0
  60. package/src/rules/no-improper-sanitization/index.d.ts +12 -0
  61. package/src/rules/no-improper-sanitization/index.js +411 -0
  62. package/src/rules/no-improper-type-validation/index.d.ts +10 -0
  63. package/src/rules/no-improper-type-validation/index.js +475 -0
  64. package/src/rules/no-insecure-comparison/index.d.ts +7 -0
  65. package/src/rules/no-insecure-comparison/index.js +193 -0
  66. package/src/rules/no-insecure-redirects/index.d.ts +7 -0
  67. package/src/rules/no-insecure-redirects/index.js +216 -0
  68. package/src/rules/no-insecure-websocket/index.d.ts +6 -0
  69. package/src/rules/no-insecure-websocket/index.js +61 -0
  70. package/src/rules/no-ldap-injection/index.d.ts +10 -0
  71. package/src/rules/no-ldap-injection/index.js +455 -0
  72. package/src/rules/no-missing-authentication/index.d.ts +13 -0
  73. package/src/rules/no-missing-authentication/index.js +333 -0
  74. package/src/rules/no-missing-cors-check/index.d.ts +9 -0
  75. package/src/rules/no-missing-cors-check/index.js +399 -0
  76. package/src/rules/no-missing-csrf-protection/index.d.ts +11 -0
  77. package/src/rules/no-missing-csrf-protection/index.js +180 -0
  78. package/src/rules/no-missing-security-headers/index.d.ts +7 -0
  79. package/src/rules/no-missing-security-headers/index.js +218 -0
  80. package/src/rules/no-password-in-url/index.d.ts +8 -0
  81. package/src/rules/no-password-in-url/index.js +54 -0
  82. package/src/rules/no-permissive-cors/index.d.ts +8 -0
  83. package/src/rules/no-permissive-cors/index.js +65 -0
  84. package/src/rules/no-pii-in-logs/index.d.ts +8 -0
  85. package/src/rules/no-pii-in-logs/index.js +70 -0
  86. package/src/rules/no-privilege-escalation/index.d.ts +13 -0
  87. package/src/rules/no-privilege-escalation/index.js +321 -0
  88. package/src/rules/no-redos-vulnerable-regex/index.d.ts +7 -0
  89. package/src/rules/no-redos-vulnerable-regex/index.js +306 -0
  90. package/src/rules/no-sensitive-data-exposure/index.d.ts +11 -0
  91. package/src/rules/no-sensitive-data-exposure/index.js +250 -0
  92. package/src/rules/no-sensitive-data-in-analytics/index.d.ts +8 -0
  93. package/src/rules/no-sensitive-data-in-analytics/index.js +62 -0
  94. package/src/rules/no-sensitive-data-in-cache/index.d.ts +8 -0
  95. package/src/rules/no-sensitive-data-in-cache/index.js +52 -0
  96. package/src/rules/no-toctou-vulnerability/index.d.ts +7 -0
  97. package/src/rules/no-toctou-vulnerability/index.js +208 -0
  98. package/src/rules/no-tracking-without-consent/index.d.ts +6 -0
  99. package/src/rules/no-tracking-without-consent/index.js +67 -0
  100. package/src/rules/no-unchecked-loop-condition/index.d.ts +12 -0
  101. package/src/rules/no-unchecked-loop-condition/index.js +646 -0
  102. package/src/rules/no-unencrypted-transmission/index.d.ts +11 -0
  103. package/src/rules/no-unencrypted-transmission/index.js +236 -0
  104. package/src/rules/no-unescaped-url-parameter/index.d.ts +9 -0
  105. package/src/rules/no-unescaped-url-parameter/index.js +355 -0
  106. package/src/rules/no-unlimited-resource-allocation/index.d.ts +12 -0
  107. package/src/rules/no-unlimited-resource-allocation/index.js +643 -0
  108. package/src/rules/no-unsafe-deserialization/index.d.ts +10 -0
  109. package/src/rules/no-unsafe-deserialization/index.js +491 -0
  110. package/src/rules/no-unsafe-dynamic-require/index.d.ts +5 -0
  111. package/src/rules/no-unsafe-dynamic-require/index.js +106 -0
  112. package/src/rules/no-unsafe-regex-construction/index.d.ts +9 -0
  113. package/src/rules/no-unsafe-regex-construction/index.js +291 -0
  114. package/src/rules/no-unvalidated-deeplinks/index.d.ts +6 -0
  115. package/src/rules/no-unvalidated-deeplinks/index.js +62 -0
  116. package/src/rules/no-unvalidated-user-input/index.d.ts +9 -0
  117. package/src/rules/no-unvalidated-user-input/index.js +420 -0
  118. package/src/rules/no-verbose-error-messages/index.d.ts +8 -0
  119. package/src/rules/no-verbose-error-messages/index.js +68 -0
  120. package/src/rules/no-weak-password-recovery/index.d.ts +12 -0
  121. package/src/rules/no-weak-password-recovery/index.js +424 -0
  122. package/src/rules/no-xpath-injection/index.d.ts +10 -0
  123. package/src/rules/no-xpath-injection/index.js +487 -0
  124. package/src/rules/no-xxe-injection/index.d.ts +7 -0
  125. package/src/rules/no-xxe-injection/index.js +266 -0
  126. package/src/rules/no-zip-slip/index.d.ts +9 -0
  127. package/src/rules/no-zip-slip/index.js +445 -0
  128. package/src/rules/require-backend-authorization/index.d.ts +6 -0
  129. package/src/rules/require-backend-authorization/index.js +60 -0
  130. package/src/rules/require-code-minification/index.d.ts +8 -0
  131. package/src/rules/require-code-minification/index.js +47 -0
  132. package/src/rules/require-csp-headers/index.d.ts +6 -0
  133. package/src/rules/require-csp-headers/index.js +64 -0
  134. package/src/rules/require-data-minimization/index.d.ts +8 -0
  135. package/src/rules/require-data-minimization/index.js +53 -0
  136. package/src/rules/require-dependency-integrity/index.d.ts +6 -0
  137. package/src/rules/require-dependency-integrity/index.js +64 -0
  138. package/src/rules/require-https-only/index.d.ts +8 -0
  139. package/src/rules/require-https-only/index.js +62 -0
  140. package/src/rules/require-mime-type-validation/index.d.ts +6 -0
  141. package/src/rules/require-mime-type-validation/index.js +66 -0
  142. package/src/rules/require-network-timeout/index.d.ts +8 -0
  143. package/src/rules/require-network-timeout/index.js +50 -0
  144. package/src/rules/require-package-lock/index.d.ts +8 -0
  145. package/src/rules/require-package-lock/index.js +63 -0
  146. package/src/rules/require-secure-credential-storage/index.d.ts +8 -0
  147. package/src/rules/require-secure-credential-storage/index.js +50 -0
  148. package/src/rules/require-secure-defaults/index.d.ts +8 -0
  149. package/src/rules/require-secure-defaults/index.js +47 -0
  150. package/src/rules/require-secure-deletion/index.d.ts +8 -0
  151. package/src/rules/require-secure-deletion/index.js +44 -0
  152. package/src/rules/require-storage-encryption/index.d.ts +8 -0
  153. package/src/rules/require-storage-encryption/index.js +50 -0
  154. package/src/rules/require-url-validation/index.d.ts +6 -0
  155. package/src/rules/require-url-validation/index.js +72 -0
  156. package/src/types/index.d.ts +106 -0
  157. package/src/types/index.js +16 -0
  158. package/src/index.ts +0 -605
  159. package/src/rules/__tests__/integration-demo.test.ts +0 -290
  160. package/src/rules/__tests__/integration-llm.test.ts +0 -89
  161. package/src/rules/database-injection/database-injection.test.ts +0 -456
  162. package/src/rules/database-injection/index.ts +0 -488
  163. package/src/rules/detect-child-process/detect-child-process.test.ts +0 -207
  164. package/src/rules/detect-child-process/index.ts +0 -634
  165. package/src/rules/detect-eval-with-expression/detect-eval-with-expression.test.ts +0 -416
  166. package/src/rules/detect-eval-with-expression/index.ts +0 -463
  167. package/src/rules/detect-mixed-content/detect-mixed-content.test.ts +0 -28
  168. package/src/rules/detect-mixed-content/index.ts +0 -52
  169. package/src/rules/detect-non-literal-fs-filename/detect-non-literal-fs-filename.test.ts +0 -269
  170. package/src/rules/detect-non-literal-fs-filename/index.ts +0 -551
  171. package/src/rules/detect-non-literal-regexp/detect-non-literal-regexp.test.ts +0 -189
  172. package/src/rules/detect-non-literal-regexp/index.ts +0 -490
  173. package/src/rules/detect-object-injection/detect-object-injection.test.ts +0 -440
  174. package/src/rules/detect-object-injection/index.ts +0 -674
  175. package/src/rules/detect-suspicious-dependencies/detect-suspicious-dependencies.test.ts +0 -32
  176. package/src/rules/detect-suspicious-dependencies/index.ts +0 -84
  177. package/src/rules/detect-weak-password-validation/detect-weak-password-validation.test.ts +0 -31
  178. package/src/rules/detect-weak-password-validation/index.ts +0 -68
  179. package/src/rules/no-allow-arbitrary-loads/index.ts +0 -54
  180. package/src/rules/no-allow-arbitrary-loads/no-allow-arbitrary-loads.test.ts +0 -28
  181. package/src/rules/no-arbitrary-file-access/index.ts +0 -238
  182. package/src/rules/no-arbitrary-file-access/no-arbitrary-file-access.test.ts +0 -119
  183. package/src/rules/no-buffer-overread/index.ts +0 -724
  184. package/src/rules/no-buffer-overread/no-buffer-overread.test.ts +0 -313
  185. package/src/rules/no-clickjacking/index.ts +0 -481
  186. package/src/rules/no-clickjacking/no-clickjacking.test.ts +0 -253
  187. package/src/rules/no-client-side-auth-logic/index.ts +0 -81
  188. package/src/rules/no-client-side-auth-logic/no-client-side-auth-logic.test.ts +0 -33
  189. package/src/rules/no-credentials-in-query-params/index.ts +0 -69
  190. package/src/rules/no-credentials-in-query-params/no-credentials-in-query-params.test.ts +0 -33
  191. package/src/rules/no-credentials-in-storage-api/index.ts +0 -64
  192. package/src/rules/no-credentials-in-storage-api/no-credentials-in-storage-api.test.ts +0 -31
  193. package/src/rules/no-data-in-temp-storage/index.ts +0 -75
  194. package/src/rules/no-data-in-temp-storage/no-data-in-temp-storage.test.ts +0 -33
  195. package/src/rules/no-debug-code-in-production/index.ts +0 -59
  196. package/src/rules/no-debug-code-in-production/no-debug-code-in-production.test.ts +0 -26
  197. package/src/rules/no-directive-injection/index.ts +0 -551
  198. package/src/rules/no-directive-injection/no-directive-injection.test.ts +0 -305
  199. package/src/rules/no-disabled-certificate-validation/index.ts +0 -72
  200. package/src/rules/no-disabled-certificate-validation/no-disabled-certificate-validation.test.ts +0 -33
  201. package/src/rules/no-document-cookie/index.ts +0 -113
  202. package/src/rules/no-document-cookie/no-document-cookie.test.ts +0 -382
  203. package/src/rules/no-dynamic-dependency-loading/index.ts +0 -60
  204. package/src/rules/no-dynamic-dependency-loading/no-dynamic-dependency-loading.test.ts +0 -27
  205. package/src/rules/no-electron-security-issues/index.ts +0 -504
  206. package/src/rules/no-electron-security-issues/no-electron-security-issues.test.ts +0 -324
  207. package/src/rules/no-exposed-debug-endpoints/index.ts +0 -73
  208. package/src/rules/no-exposed-debug-endpoints/no-exposed-debug-endpoints.test.ts +0 -40
  209. package/src/rules/no-exposed-sensitive-data/index.ts +0 -428
  210. package/src/rules/no-exposed-sensitive-data/no-exposed-sensitive-data.test.ts +0 -75
  211. package/src/rules/no-format-string-injection/index.ts +0 -801
  212. package/src/rules/no-format-string-injection/no-format-string-injection.test.ts +0 -437
  213. package/src/rules/no-graphql-injection/index.ts +0 -508
  214. package/src/rules/no-graphql-injection/no-graphql-injection.test.ts +0 -371
  215. package/src/rules/no-hardcoded-credentials/index.ts +0 -478
  216. package/src/rules/no-hardcoded-credentials/no-hardcoded-credentials.test.ts +0 -639
  217. package/src/rules/no-hardcoded-session-tokens/index.ts +0 -69
  218. package/src/rules/no-hardcoded-session-tokens/no-hardcoded-session-tokens.test.ts +0 -42
  219. package/src/rules/no-http-urls/index.ts +0 -131
  220. package/src/rules/no-http-urls/no-http-urls.test.ts +0 -60
  221. package/src/rules/no-improper-sanitization/index.ts +0 -502
  222. package/src/rules/no-improper-sanitization/no-improper-sanitization.test.ts +0 -156
  223. package/src/rules/no-improper-type-validation/index.ts +0 -572
  224. package/src/rules/no-improper-type-validation/no-improper-type-validation.test.ts +0 -372
  225. package/src/rules/no-insecure-comparison/index.ts +0 -232
  226. package/src/rules/no-insecure-comparison/no-insecure-comparison.test.ts +0 -218
  227. package/src/rules/no-insecure-cookie-settings/index.ts +0 -391
  228. package/src/rules/no-insecure-cookie-settings/no-insecure-cookie-settings.test.ts +0 -409
  229. package/src/rules/no-insecure-jwt/index.ts +0 -467
  230. package/src/rules/no-insecure-jwt/no-insecure-jwt.test.ts +0 -259
  231. package/src/rules/no-insecure-redirects/index.ts +0 -267
  232. package/src/rules/no-insecure-redirects/no-insecure-redirects.test.ts +0 -108
  233. package/src/rules/no-insecure-websocket/index.ts +0 -72
  234. package/src/rules/no-insecure-websocket/no-insecure-websocket.test.ts +0 -42
  235. package/src/rules/no-insufficient-postmessage-validation/index.ts +0 -497
  236. package/src/rules/no-insufficient-postmessage-validation/no-insufficient-postmessage-validation.test.ts +0 -360
  237. package/src/rules/no-insufficient-random/index.ts +0 -288
  238. package/src/rules/no-insufficient-random/no-insufficient-random.test.ts +0 -246
  239. package/src/rules/no-ldap-injection/index.ts +0 -547
  240. package/src/rules/no-ldap-injection/no-ldap-injection.test.ts +0 -317
  241. package/src/rules/no-missing-authentication/index.ts +0 -408
  242. package/src/rules/no-missing-authentication/no-missing-authentication.test.ts +0 -350
  243. package/src/rules/no-missing-cors-check/index.ts +0 -453
  244. package/src/rules/no-missing-cors-check/no-missing-cors-check.test.ts +0 -392
  245. package/src/rules/no-missing-csrf-protection/index.ts +0 -229
  246. package/src/rules/no-missing-csrf-protection/no-missing-csrf-protection.test.ts +0 -222
  247. package/src/rules/no-missing-security-headers/index.ts +0 -266
  248. package/src/rules/no-missing-security-headers/no-missing-security-headers.test.ts +0 -98
  249. package/src/rules/no-password-in-url/index.ts +0 -64
  250. package/src/rules/no-password-in-url/no-password-in-url.test.ts +0 -27
  251. package/src/rules/no-permissive-cors/index.ts +0 -78
  252. package/src/rules/no-permissive-cors/no-permissive-cors.test.ts +0 -28
  253. package/src/rules/no-pii-in-logs/index.ts +0 -83
  254. package/src/rules/no-pii-in-logs/no-pii-in-logs.test.ts +0 -26
  255. package/src/rules/no-postmessage-origin-wildcard/index.ts +0 -67
  256. package/src/rules/no-postmessage-origin-wildcard/no-postmessage-origin-wildcard.test.ts +0 -27
  257. package/src/rules/no-privilege-escalation/index.ts +0 -403
  258. package/src/rules/no-privilege-escalation/no-privilege-escalation.test.ts +0 -306
  259. package/src/rules/no-redos-vulnerable-regex/index.ts +0 -379
  260. package/src/rules/no-redos-vulnerable-regex/no-redos-vulnerable-regex.test.ts +0 -83
  261. package/src/rules/no-sensitive-data-exposure/index.ts +0 -294
  262. package/src/rules/no-sensitive-data-exposure/no-sensitive-data-exposure.test.ts +0 -262
  263. package/src/rules/no-sensitive-data-in-analytics/index.ts +0 -73
  264. package/src/rules/no-sensitive-data-in-analytics/no-sensitive-data-in-analytics.test.ts +0 -42
  265. package/src/rules/no-sensitive-data-in-cache/index.ts +0 -59
  266. package/src/rules/no-sensitive-data-in-cache/no-sensitive-data-in-cache.test.ts +0 -32
  267. package/src/rules/no-sql-injection/index.ts +0 -424
  268. package/src/rules/no-sql-injection/no-sql-injection.test.ts +0 -303
  269. package/src/rules/no-timing-attack/index.ts +0 -552
  270. package/src/rules/no-timing-attack/no-timing-attack.test.ts +0 -348
  271. package/src/rules/no-toctou-vulnerability/index.ts +0 -250
  272. package/src/rules/no-toctou-vulnerability/no-toctou-vulnerability.test.ts +0 -60
  273. package/src/rules/no-tracking-without-consent/index.ts +0 -78
  274. package/src/rules/no-tracking-without-consent/no-tracking-without-consent.test.ts +0 -34
  275. package/src/rules/no-unchecked-loop-condition/index.ts +0 -781
  276. package/src/rules/no-unchecked-loop-condition/no-unchecked-loop-condition.test.ts +0 -459
  277. package/src/rules/no-unencrypted-local-storage/index.ts +0 -73
  278. package/src/rules/no-unencrypted-local-storage/no-unencrypted-local-storage.test.ts +0 -41
  279. package/src/rules/no-unencrypted-transmission/index.ts +0 -296
  280. package/src/rules/no-unencrypted-transmission/no-unencrypted-transmission.test.ts +0 -287
  281. package/src/rules/no-unescaped-url-parameter/index.ts +0 -424
  282. package/src/rules/no-unescaped-url-parameter/no-unescaped-url-parameter.test.ts +0 -263
  283. package/src/rules/no-unlimited-resource-allocation/index.ts +0 -767
  284. package/src/rules/no-unlimited-resource-allocation/no-unlimited-resource-allocation.test.ts +0 -544
  285. package/src/rules/no-unsafe-deserialization/index.ts +0 -593
  286. package/src/rules/no-unsafe-deserialization/no-unsafe-deserialization.test.ts +0 -310
  287. package/src/rules/no-unsafe-dynamic-require/index.ts +0 -125
  288. package/src/rules/no-unsafe-dynamic-require/no-unsafe-dynamic-require.test.ts +0 -151
  289. package/src/rules/no-unsafe-regex-construction/index.ts +0 -370
  290. package/src/rules/no-unsafe-regex-construction/no-unsafe-regex-construction.test.ts +0 -181
  291. package/src/rules/no-unsanitized-html/index.ts +0 -400
  292. package/src/rules/no-unsanitized-html/no-unsanitized-html.test.ts +0 -488
  293. package/src/rules/no-unvalidated-deeplinks/index.ts +0 -73
  294. package/src/rules/no-unvalidated-deeplinks/no-unvalidated-deeplinks.test.ts +0 -29
  295. package/src/rules/no-unvalidated-user-input/index.ts +0 -498
  296. package/src/rules/no-unvalidated-user-input/no-unvalidated-user-input.test.ts +0 -463
  297. package/src/rules/no-verbose-error-messages/index.ts +0 -83
  298. package/src/rules/no-verbose-error-messages/no-verbose-error-messages.test.ts +0 -34
  299. package/src/rules/no-weak-crypto/index.ts +0 -447
  300. package/src/rules/no-weak-crypto/no-weak-crypto.test.ts +0 -297
  301. package/src/rules/no-weak-password-recovery/index.ts +0 -509
  302. package/src/rules/no-weak-password-recovery/no-weak-password-recovery.test.ts +0 -184
  303. package/src/rules/no-xpath-injection/index.ts +0 -596
  304. package/src/rules/no-xpath-injection/no-xpath-injection.test.ts +0 -405
  305. package/src/rules/no-xxe-injection/index.ts +0 -342
  306. package/src/rules/no-xxe-injection/no-xxe-injection.test.ts +0 -122
  307. package/src/rules/no-zip-slip/index.ts +0 -526
  308. package/src/rules/no-zip-slip/no-zip-slip.test.ts +0 -305
  309. package/src/rules/require-backend-authorization/index.ts +0 -71
  310. package/src/rules/require-backend-authorization/require-backend-authorization.test.ts +0 -31
  311. package/src/rules/require-code-minification/index.ts +0 -54
  312. package/src/rules/require-code-minification/require-code-minification.test.ts +0 -30
  313. package/src/rules/require-csp-headers/index.ts +0 -74
  314. package/src/rules/require-csp-headers/require-csp-headers.test.ts +0 -34
  315. package/src/rules/require-data-minimization/index.ts +0 -65
  316. package/src/rules/require-data-minimization/require-data-minimization.test.ts +0 -31
  317. package/src/rules/require-dependency-integrity/index.ts +0 -78
  318. package/src/rules/require-dependency-integrity/require-dependency-integrity.test.ts +0 -44
  319. package/src/rules/require-https-only/index.ts +0 -75
  320. package/src/rules/require-https-only/require-https-only.test.ts +0 -26
  321. package/src/rules/require-mime-type-validation/index.ts +0 -77
  322. package/src/rules/require-mime-type-validation/require-mime-type-validation.test.ts +0 -32
  323. package/src/rules/require-network-timeout/index.ts +0 -58
  324. package/src/rules/require-network-timeout/require-network-timeout.test.ts +0 -26
  325. package/src/rules/require-package-lock/index.ts +0 -75
  326. package/src/rules/require-package-lock/require-package-lock.test.ts +0 -27
  327. package/src/rules/require-secure-credential-storage/index.ts +0 -60
  328. package/src/rules/require-secure-credential-storage/require-secure-credential-storage.test.ts +0 -26
  329. package/src/rules/require-secure-defaults/index.ts +0 -54
  330. package/src/rules/require-secure-defaults/require-secure-defaults.test.ts +0 -26
  331. package/src/rules/require-secure-deletion/index.ts +0 -52
  332. package/src/rules/require-secure-deletion/require-secure-deletion.test.ts +0 -29
  333. package/src/rules/require-storage-encryption/index.ts +0 -60
  334. package/src/rules/require-storage-encryption/require-storage-encryption.test.ts +0 -26
  335. package/src/rules/require-url-validation/index.ts +0 -85
  336. package/src/rules/require-url-validation/require-url-validation.test.ts +0 -32
  337. package/src/types/index.ts +0 -235
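--- a/package/src/rules/__tests__/integration-demo.test.ts
+++ b/package/src/rules/__tests__/integration-demo.test.ts
@@ -1,290 +0,0 @@
-
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { describe, it, afterAll } from 'vitest';
-import parser from '@typescript-eslint/parser';
-
-// Rules
-import { detectChildProcess } from '../detect-child-process';
-import { noDirectiveInjection } from '../no-directive-injection';
-import { noToctouVulnerability } from '../no-toctou-vulnerability';
-import { noRedosVulnerableRegex } from '../no-redos-vulnerable-regex';
-import { noBufferOverread } from '../no-buffer-overread';
-import { noInsecureComparison } from '../no-insecure-comparison';
-import { noUnsanitizedHtml } from '../no-unsanitized-html';
-import { noUnescapedUrlParameter } from '../no-unescaped-url-parameter';
-import { noImproperSanitization } from '../no-improper-sanitization';
-import { noImproperTypeValidation } from '../no-improper-type-validation';
-import { noPrivilegeEscalation } from '../no-privilege-escalation';
-import { noInsecureJwt } from '../no-insecure-jwt';
-
-// Configure RuleTester for Vitest
-RuleTester.afterAll = afterAll;
-RuleTester.it = it;
-RuleTester.itOnly = it.only;
-RuleTester.describe = describe;
-
-const ruleTester = new RuleTester({
-languageOptions: {
-parser,
-ecmaVersion: 2022,
-sourceType: 'module',
-},
-});
-
-describe('Demo Gaps Reproduction', () => {
-
-describe('no-directive-injection', () => {
-ruleTester.run('demo-repro', noDirectiveInjection, {
-valid: [],
-invalid: [
-{
-code: `
-declare const Handlebars: any;
-export function insecure_noDirectiveInjection(userInputTemplate: string, data: object) {
-const compiled = Handlebars.compile(userInputTemplate);
-return compiled(data);
-}
-`,
-errors: [{ messageId: 'userControlledTemplate' }]
-}
-]
-});
-});
-
-describe('detect-child-process', () => {
-ruleTester.run('demo-repro', detectChildProcess, {
-valid: [],
-invalid: [
-{
-code: `
-import * as child_process from 'child_process';
-export function insecure_detectChildProcess(filename: string) {
-child_process.exec(\`cat \$(unknown)\`, (error, stdout) => {
-if (error) throw error;
-return stdout;
-});
-}
-`,
-errors: [{ messageId: 'childProcessCommandInjection' }]
-}
-]
-});
-});
-
-describe('no-toctou-vulnerability', () => {
-ruleTester.run('demo-repro', noToctouVulnerability, {
-valid: [],
-invalid: [
-{
-code: `
-import * as fs from 'fs';
-export function insecure_noToctouVulnerability(_filePath: string) {
-const tempPath = '/tmp/report.txt';
-if (fs.existsSync(tempPath)) {
-return fs.readFileSync(tempPath, 'utf-8');
-}
-return null;
-}
-`,
-errors: [{ messageId: 'toctouVulnerability' }]
-}
-]
-});
-});
-
-describe('no-redos-vulnerable-regex', () => {
-ruleTester.run('demo-repro', noRedosVulnerableRegex, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noRedosVulnerableRegex(email: string) {
-const catastrophic = /(a+)+b/;
-return catastrophic.test(email);
-}
-`,
-errors: [{ messageId: 'redosVulnerable' }]
-}
-]
-});
-});
-
-describe('no-buffer-overread', () => {
-ruleTester.run('demo-repro', noBufferOverread, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noBufferOverread(buffer: Buffer, req: { query: { index: string } }) {
-const userIndex = Number(req.query.index);
-return buffer.readUInt8(userIndex);
-}
-`,
-errors: [{ messageId: 'missingBoundsCheck' }]
-}
-]
-});
-});
-
-describe('no-insecure-comparison', () => {
-ruleTester.run('demo-repro', noInsecureComparison, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noInsecureComparison(provided: string, expected: string) {
-if (provided === expected) {
-return true;
-}
-return false;
-}
-`,
-errors: [{
-messageId: 'timingUnsafeComparison',
-suggestions: [{
-messageId: 'useStrictEquality', // The rule reuses this ID for the timing safe fix? Yes, assuming I didn't change it in rule.
-output: `
-export function insecure_noInsecureComparison(provided: string, expected: string) {
-if (crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(expected))) {
-return true;
-}
-return false;
-}
-`
-}]
-}]
-}
-]
-});
-});
-
-describe('no-unsanitized-html', () => {
-ruleTester.run('demo-repro', noUnsanitizedHtml, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noUnsanitizedHtml(container: HTMLElement, userContent: string) {
-const userInput = userContent;
-container.innerHTML = userInput;
-}
-`,
-errors: [{
-messageId: 'unsanitizedHtml',
-suggestions: [
-{
-messageId: 'useTextContent',
-output: `
-export function insecure_noUnsanitizedHtml(container: HTMLElement, userContent: string) {
-const userInput = userContent;
-container.textContent = userInput;
-}
-`
-}
-]
-}]
-}
-]
-});
-});
-
-describe('no-unescaped-url-parameter', () => {
-ruleTester.run('demo-repro', noUnescapedUrlParameter, {
-valid: [],
-invalid: [
-{
-code: `
-const window = { location: { href: '' } };
-export function insecure_noUnescapedUrlParameter(returnUrl: string) {
-const redirectUrl = \`https://example.com/dashboard?next=\${returnUrl}\`;
-window.location.href = redirectUrl;
-}
-`,
-errors: [{ messageId: 'unescapedUrlParameter' }]
-}
-]
-});
-});
-
-describe('no-improper-sanitization', () => {
-ruleTester.run('demo-repro', noImproperSanitization, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noImproperSanitization(input: string) {
-return input.replace(/</g, '&lt;');
-}
-`,
-errors: [{ messageId: 'incompleteHtmlEscaping' }]
-}
-]
-});
-});
-
-describe('no-improper-type-validation', () => {
-ruleTester.run('demo-repro', noImproperTypeValidation, {
-valid: [],
-invalid: [
-{
-code: `
-export function insecure_noImproperTypeValidation(input: unknown): string | undefined {
-if (typeof input === 'object') {
-return (input as { toString: () => string }).toString();
-}
-return undefined;
-}
-`,
-errors: [{ messageId: 'unsafeTypeofCheck' }]
-}
-]
-});
-});
-
-describe('no-privilege-escalation', () => {
-ruleTester.run('demo-repro', noPrivilegeEscalation, {
-valid: [],
-invalid: [
-{
-code: `
-declare const app: any;
-declare const db: any;
-export function insecure_noPrivilegeEscalation() {
-app.post('/user/update-role', (req: { body: { userId: string; role: string } }) => {
-db.updateUser(req.body.userId, { role: req.body.role });
-});
-}
-`,
-errors: [{ messageId: 'privilegeEscalation' }]
-}
-]
-});
-});
-
-describe('no-insecure-jwt', () => {
-ruleTester.run('demo-repro', noInsecureJwt, {
-valid: [],
-invalid: [
-{
-code: `
-declare const jwt: any;
-export function insecure_noInsecureJwtEmpty(token: string) {
-return jwt.verify(token, 'short', { algorithms: [] });
-}
-`,
-errors: [{ messageId: 'insecureJwtAlgorithm' }]
-},
-{
-code: `
-declare const jwt: any;
-export function insecure_noInsecureJwtNone(token: string) {
-return jwt.verify(token, 'secret', { algorithms: ['none', 'HS256'] });
-}
-`,
-errors: [{ messageId: 'insecureJwtAlgorithm' }]
-}
-]
-});
-});
-
-});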
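--- a/package/src/rules/__tests__/integration-llm.test.ts
+++ b/package/src/rules/__tests__/integration-llm.test.ts
@@ -1,89 +0,0 @@
-/**
-* LLM/MCP-focused integration tests across multiple rules
-*
-* These tests validate security rules against LLM and Model Context Protocol (MCP) scenarios:
-* - detect-object-injection (using tool output as keys)
-* - detect-non-literal-fs-filename (file paths from tool output)
-* - detect-child-process (executing commands from agent/model)
-*/
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import parser from '@typescript-eslint/parser';
-import { describe, it, afterAll } from 'vitest';
-
-import { detectObjectInjection } from '../detect-object-injection';
-import { detectNonLiteralFsFilename } from '../detect-non-literal-fs-filename';
-import { detectChildProcess } from '../detect-child-process';
-
-RuleTester.afterAll = afterAll;
-RuleTester.it = it;
-RuleTester.itOnly = it.only;
-RuleTester.describe = describe;
-
-const ruleTester = new RuleTester({
-languageOptions: {
-parser,
-ecmaVersion: 2022,
-sourceType: 'module',
-},
-});
-
-describe('LLM/MCP fixtures', () => {
-// Note: Some LLM-specific patterns may not be caught by all rules depending on their implementation.
-// These tests focus on patterns that are reliably detected.
-
-ruleTester.run('detect-object-injection (tool output key)', detectObjectInjection, {
-valid: [
-{
-code: 'const safe = Object.create(null); safe.allowed = value;',
-},
-],
-invalid: [
-{
-code: 'const key = toolResult.key; target[key] = value;',
-errors: [{ messageId: 'objectInjection' }],
-},
-{
-code: 'obj[llmResponse.field] = 1;',
-errors: [{ messageId: 'objectInjection' }],
-},
-],
-});
-
-ruleTester.run('detect-non-literal-fs-filename (tool path)', detectNonLiteralFsFilename, {
-valid: [
-{
-code: "fs.readFile('/var/app/data/safe.txt', cb);",
-},
-],
-invalid: [
-{
-code: 'fs.readFile(toolOutput.path, cb);',
-errors: [{ messageId: 'fsPathTraversal' }],
-},
-{
-code: 'fs.stat(modelResponse, cb);',
-errors: [{ messageId: 'fsPathTraversal' }],
-},
-],
-});
-
-ruleTester.run('detect-child-process (agent command)', detectChildProcess, {
-valid: [],
-invalid: [
-{
-code: `
-const { exec } = require('child_process');
-exec(modelCommand);
-`,
-errors: [{ messageId: 'childProcessCommandInjection' }],
-},
-{
-code: `
-import { exec } from 'child_process';
-exec(toolParams.command);
-`,
-errors: [{ messageId: 'childProcessCommandInjection' }],
-},
-],
-});
-});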