npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/database-injection/index.ts DELETED Viewed

@@ -1,488 +0,0 @@
-/**
- * ESLint Rule: database-injection
- * Comprehensive SQL/NoSQL injection vulnerability detection
- * Inspired by SonarQube RSPEC-3649
- *
- * @see https://rules.sonarsource.com/javascript/RSPEC-3649/
- */
-import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
-import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import { createRule } from '@interlace/eslint-devkit';
-type MessageIds =
-  | 'databaseInjection'
-  | 'usePrisma'
-  | 'useTypeORM'
-  | 'useParameterized'
-  | 'useMongoSanitize'
-  | 'strategyParameterize'
-  | 'strategyORM'
-  | 'strategySanitize'
-  | 'strategyAuto';
-export interface Options {
-  /** Detect NoSQL injection patterns. Default: true */
-  detectNoSQL?: boolean;
-  /** Detect ORM-specific vulnerabilities. Default: true */
-  detectORMs?: boolean;
-  /** Trusted data sources that bypass detection */
-  trustedSources?: string[];
-  /** Show framework-specific recommendations. Default: true */
-  frameworkHints?: boolean;
-  /** Strategy for fixing injection: 'parameterize', 'orm', 'sanitize', 'auto' */
-  strategy?: 'parameterize' | 'orm' | 'sanitize' | 'auto';
-}
-type RuleOptions = [Options?];
-interface VulnerabilityDetails {
-  type: 'SQL' | 'NoSQL';
-  pattern: string;
-  severity: 'critical' | 'high' | 'medium';
-  exploitability: string;
-  cwe: string;
-  owasp: string;
-}
-export const databaseInjection = createRule<RuleOptions, MessageIds>({
-  name: 'database-injection',
-  meta: {
-    type: 'problem',
-    docs: {
-      description: 'Detects SQL and NoSQL injection vulnerabilities with framework-specific fixes',
-    },
-    messages: (() => {
-      const databaseInjection = formatLLMMessage({
-        icon: MessageIcons.SECURITY,
-        issueName: 'SQL Injection',
-        cwe: 'CWE-89',
-        description: 'SQL Injection detected',
-        severity: 'CRITICAL',
-        fix: 'Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId])',
-        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      });
-      const usePrisma = formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use Prisma',
-        description: 'Use Prisma ORM',
-        severity: 'LOW',
-        fix: 'await prisma.user.findMany({ where: { id } })',
-        documentationLink: 'https://www.prisma.io/docs',
-      });
-      const useTypeORM = formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use TypeORM',
-        description: 'Use TypeORM with QueryBuilder',
-        severity: 'LOW',
-        fix: 'userRepository.createQueryBuilder().where("id = :id", { id })',
-        documentationLink: 'https://typeorm.io/',
-      });
-      const useParameterized = formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use Parameterized',
-        description: 'Use parameterized query',
-        severity: 'LOW',
-        fix: 'db.query("SELECT * FROM users WHERE id = ?", [userId])',
-        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      });
-      const useMongoSanitize = formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use mongo-sanitize',
-        description: 'Use mongo-sanitize for MongoDB',
-        severity: 'LOW',
-        fix: 'sanitize(req.body)',
-        documentationLink: 'https://github.com/vkarpov15/mongo-sanitize',
-      });
-      const strategyParameterize = formatLLMMessage({
-        icon: MessageIcons.STRATEGY,
-        issueName: 'Parameterize Strategy',
-        description: 'Use parameterized queries',
-        severity: 'LOW',
-        fix: 'Use ? or :name placeholders for user input',
-        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      });
-      const strategyORM = formatLLMMessage({
-        icon: MessageIcons.STRATEGY,
-        issueName: 'ORM Strategy',
-        description: 'Migrate to ORM for automatic protection',
-        severity: 'LOW',
-        fix: 'Use Prisma, TypeORM, or Sequelize',
-        documentationLink: 'https://www.prisma.io/docs/concepts/overview/why-prisma',
-      });
-      const strategySanitize = formatLLMMessage({
-        icon: MessageIcons.STRATEGY,
-        issueName: 'Sanitize Strategy',
-        description: 'Add input sanitization',
-        severity: 'LOW',
-        fix: 'Sanitize input as last resort',
-        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      });
-      const strategyAuto = formatLLMMessage({
-        icon: MessageIcons.STRATEGY,
-        issueName: 'Auto Strategy',
-        description: 'Apply context-aware injection prevention',
-        severity: 'LOW',
-        fix: 'Use context-appropriate protection',
-        documentationLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      });
-      return {
-        databaseInjection,
-        usePrisma,
-        useTypeORM,
-        useParameterized,
-        useMongoSanitize,
-        strategyParameterize,
-        strategyORM,
-        strategySanitize,
-        strategyAuto,
-      };
-    })(),
-    schema: [
-      {
-        type: 'object',
-        properties: {
-          detectNoSQL: {
-            type: 'boolean',
-            default: true,
-          },
-          detectORMs: {
-            type: 'boolean',
-            default: true,
-            description: 'Detect unsafe ORM usage',
-          },
-          trustedSources: {
-            type: 'array',
-            items: { type: 'string' },
-            default: [],
-          },
-          frameworkHints: {
-            type: 'boolean',
-            default: true,
-            description: 'Provide framework-specific suggestions',
-          },
-          strategy: {
-            type: 'string',
-            enum: ['parameterize', 'orm', 'sanitize', 'auto'],
-            default: 'auto',
-            description: 'Strategy for fixing injection (auto = smart detection)'
-          },
-        },
-        additionalProperties: false,
-      },
-    ],
-  },
-  defaultOptions: [
-    {
-      detectNoSQL: true,
-      detectORMs: true,
-      trustedSources: [],
-      frameworkHints: true,
-      strategy: 'auto',
-    },
-  ],
-  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
-    const options = context.options[0] || {};
-    const {
-      detectNoSQL = true,
-      strategy = 'auto'
-    }: Options = options || {};
-    const sourceCode = context.sourceCode || context.sourceCode;
-    /**
-     * Select message ID based on strategy
-     * @todo Consider using this for suggestions in future versions
-     */
-    const selectStrategyMessage = (): MessageIds => {
-      switch (strategy) {
-        case 'parameterize':
-          return 'strategyParameterize';
-        case 'orm':
-          return 'strategyORM';
-        case 'sanitize':
-          return 'strategySanitize';
-        case 'auto':
-        default:
-          // Auto mode: prefer parameterized queries
-          return 'useParameterized';
-      }
-    };
-    const filename = context.filename || context.getFilename();
-    /**
-     * SQL keywords for detection
-     */
-    const SQL_KEYWORDS = [
-      'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE', 'ALTER',
-      'EXEC', 'EXECUTE', 'TRUNCATE', 'GRANT', 'REVOKE', 'WHERE', 'FROM', 'JOIN'
-    ];
-    /**
-     * NoSQL patterns
-     */
-    const NOSQL_PATTERNS = [
-      'find', 'findOne', 'findById', 'updateOne', 'updateMany', 'deleteOne',
-      'deleteMany', 'aggregate', '$where', '$regex'
-    ];
-    /**
-     * NoSQL query patterns in template literals (e.g., `this.name === "${userName}"`)
-     */
-    const NOSQL_QUERY_PATTERNS = [
-      /this\.\w+\s*===?\s*["']/i,  // this.name === "value"
-      /this\.\w+\s*!==?\s*["']/i,   // this.name !== "value"
-      /\$\w+\s*===?\s*["']/i,       // $where === "value"
-    ];
-    /**
-     * Check if text contains SQL keywords
-     */
-    function containsSQLKeywords(text: string): boolean {
-      const upperText = text.toUpperCase();
-      return SQL_KEYWORDS.some(keyword => upperText.includes(keyword));
-    }
-    /**
-     * Check if code is using NoSQL operations
-     */
-    function isNoSQLOperation(node: TSESTree.Node): boolean {
-      const text = sourceCode.getText(node);
-      return NOSQL_PATTERNS.some(pattern => text.includes(pattern));
-    }
-    /**
-     * Check if expression is tainted (contains user input)
-     */
-    function isTainted(node: TSESTree.Node): {
-      tainted: boolean;
-      source?: string;
-      confidence: 'high' | 'medium' | 'low';
-    } {
-      const text = sourceCode.getText(node);
-      const { trustedSources = [] } = options;
-      // High confidence taint sources
-      const highConfidenceSources = [
-        'req.body', 'req.query', 'req.params', 'request.body',
-        'params.', 'query.', 'body.', 'input.', 'userInput'
-      ];
-      // Medium confidence taint sources
-      const mediumConfidenceSources = [
-        'props.', 'state.', 'context.', 'event.', 'data.'
-      ];
-      for (const source of highConfidenceSources) {
-        if (text.includes(source)) {
-          return { tainted: true, source, confidence: 'high' };
-        }
-      }
-      for (const source of mediumConfidenceSources) {
-        if (text.includes(source)) {
-          return { tainted: true, source, confidence: 'medium' };
-        }
-      }
-      // Check if this source is explicitly trusted (only for low-confidence sources)
-      for (const trusted of trustedSources) {
-        if (text.includes(trusted)) {
-          return { tainted: false, confidence: 'low' };
-        }
-      }
-      // Check if it's a variable (low confidence)
-      if (node.type === 'Identifier' && !text.match(/^[A-Z_]+$/)) {
-        return { tainted: true, source: 'variable', confidence: 'low' };
-      }
-      return { tainted: false, confidence: 'low' };
-    }
-    /**
-     * Analyze vulnerability and provide detailed report
-     */
-    function analyzeVulnerability(
-      node: TSESTree.Node,
-      vulnType: 'SQL' | 'NoSQL'
-    ): VulnerabilityDetails {
-      const taintInfo = isTainted(node);
-      return {
-        type: vulnType,
-        pattern: taintInfo.tainted
-          ? `User input (${taintInfo.source}) in query`
-          : 'Dynamic query construction',
-        severity: taintInfo.confidence === 'high' ? 'critical' : taintInfo.confidence === 'medium' ? 'high' : 'medium',
-        exploitability: taintInfo.confidence === 'high'
-          ? 'Easily exploitable via API parameters'
-          : 'Exploitable with access to input sources',
-        cwe: vulnType === 'SQL' ? 'CWE-89' : 'CWE-943',
-        owasp: 'A03:2021 - Injection',
-      };
-    }
-    /**
-     * Report additional strategy-specific suggestions
-     */
-    function reportStrategySuggestions(node: TSESTree.Node) {
-      const strategyMessageId = selectStrategyMessage();
-      if (strategyMessageId !== 'useParameterized') { // Don't duplicate the main message
-        context.report({
-          node,
-          messageId: strategyMessageId,
-        });
-      }
-    }
-    /**
-     * Check template literal for SQL or NoSQL injection
-     */
-    function checkTemplateLiteral(node: TSESTree.TemplateLiteral) {
-      const text = sourceCode.getText(node);
-      // Check for SQL injection
-      if (containsSQLKeywords(text) && node.expressions.length > 0) {
-      // Check if any expression is tainted
-      const taintedExprs = node.expressions.filter((expr: TSESTree.Expression | TSESTree.SpreadElement) => isTainted(expr).tainted);
-        if (taintedExprs.length > 0) {
-      const vulnDetails = analyzeVulnerability(node, 'SQL');
-      const data = {
-        type: vulnDetails.type,
-        severity: vulnDetails.severity.toUpperCase(),
-        filePath: filename,
-        line: String(node.loc?.start.line ?? 0),
-        cwe: vulnDetails.cwe,
-        cweCode: vulnDetails.cwe.replace('CWE-', ''),
-        currentExample: `db.query(\`SELECT * FROM users WHERE id = ${'${userId}'}\`)`,
-        fixExample: `Use parameterized: db.query("SELECT * FROM users WHERE id = ?", [userId])`,
-        docLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      };
-      context.report({
-        node,
-        messageId: 'databaseInjection',
-        data,
-      });
-      reportStrategySuggestions(node);
-          return;
-        }
-      }
-      // Check for NoSQL injection patterns in template literals
-      if (detectNoSQL && node.expressions.length > 0) {
-        const hasNoSQLPattern = NOSQL_QUERY_PATTERNS.some(pattern => pattern.test(text));
-        if (hasNoSQLPattern) {
-          // Check if any expression is tainted
-          const taintedExprs = node.expressions.filter((expr: TSESTree.Expression | TSESTree.SpreadElement) => isTainted(expr).tainted);
-          if (taintedExprs.length > 0) {
-            const vulnDetails = analyzeVulnerability(node, 'NoSQL');
-            const data = {
-              type: vulnDetails.type,
-              severity: vulnDetails.severity.toUpperCase(),
-              filePath: filename,
-              line: String(node.loc?.start.line ?? 0),
-              cwe: vulnDetails.cwe,
-              cweCode: vulnDetails.cwe.replace('CWE-', ''),
-              currentExample: `const query = \`this.name === "${'${userName}'}"\``,
-              fixExample: `Sanitize input: const query = \`this.name === "\${mongoSanitize(userName)}"\``,
-              docLink: 'https://owasp.org/www-community/attacks/NoSQL_Injection',
-            };
-            context.report({
-              node,
-              messageId: 'databaseInjection',
-              data,
-            });
-            reportStrategySuggestions(node);
-            return;
-          }
-        }
-      }
-    }
-    /**
-     * Check NoSQL operations
-     */
-    function checkNoSQLOperation(node: TSESTree.CallExpression) {
-      if (!detectNoSQL) return;
-      if (!isNoSQLOperation(node)) return;
-      // Check if arguments contain user input
-      const taintedArgs = node.arguments.filter((arg: TSESTree.CallExpressionArgument) => isTainted(arg).tainted);
-      if (taintedArgs.length === 0) return;
-      const vulnDetails = analyzeVulnerability(node, 'NoSQL');
-      const data = {
-        type: vulnDetails.type,
-        severity: vulnDetails.severity.toUpperCase(),
-        filePath: filename,
-        line: String(node.loc?.start.line ?? 0),
-        cwe: vulnDetails.cwe,
-        cweCode: vulnDetails.cwe.replace('CWE-', ''),
-        currentExample: `User.findOne({ email: req.body.email })`,
-        fixExample: `Sanitize input: User.findOne({ email: mongoSanitize(req.body.email) })`,
-        docLink: 'https://owasp.org/www-community/attacks/NoSQL_Injection',
-      };
-      context.report({
-        node,
-        messageId: 'databaseInjection',
-        data,
-      });
-      reportStrategySuggestions(node);
-    }
-    /**
-     * Check binary expression (string concatenation) for SQL injection
-     */
-    function checkBinaryExpression(node: TSESTree.BinaryExpression) {
-      // Only check string concatenation with + operator
-      if (node.operator !== '+') return;
-      // Get the full text of the binary expression
-      const text = sourceCode.getText(node);
-      // Check if it contains SQL keywords
-      if (!containsSQLKeywords(text)) return;
-      // Check if any part of the expression is tainted
-      const taintInfo = isTainted(node);
-      if (!taintInfo.tainted) {
-        // Also check left and right sides individually
-        const leftTainted = isTainted(node.left).tainted;
-        const rightTainted = isTainted(node.right).tainted;
-        if (!leftTainted && !rightTainted) return;
-      }
-      const vulnDetails = analyzeVulnerability(node, 'SQL');
-      const data = {
-        type: vulnDetails.type,
-        severity: vulnDetails.severity.toUpperCase(),
-        filePath: filename,
-        line: String(node.loc?.start.line ?? 0),
-        cwe: vulnDetails.cwe,
-        cweCode: vulnDetails.cwe.replace('CWE-', ''),
-        currentExample: `const query = "SELECT * FROM users WHERE name = '" + userName + "'"`,
-        fixExample: `Use parameterized: db.query("SELECT * FROM users WHERE name = ?", [userName])`,
-        docLink: 'https://owasp.org/www-community/attacks/SQL_Injection',
-      };
-      context.report({
-        node,
-        messageId: 'databaseInjection',
-        data,
-      });
-      reportStrategySuggestions(node);
-    }
-    return {
-      TemplateLiteral: checkTemplateLiteral,
-      CallExpression: checkNoSQLOperation,
-      BinaryExpression: checkBinaryExpression,
-    };
-  },
-});

package/src/rules/detect-child-process/detect-child-process.test.ts DELETED Viewed

@@ -1,207 +0,0 @@
-/**
- * Comprehensive tests for detect-child-process rule
- * Security: CWE-78 (Command Injection)
- */
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { describe, it, afterAll } from 'vitest';
-import parser from '@typescript-eslint/parser';
-import { detectChildProcess } from './index';
-// Configure RuleTester for Vitest
-RuleTester.afterAll = afterAll;
-RuleTester.it = it;
-RuleTester.itOnly = it.only;
-RuleTester.describe = describe;
-// Use Flat Config format (ESLint 9+)
-const ruleTester = new RuleTester({
-  languageOptions: {
-    parser,
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-});
-describe('detect-child-process', () => {
-  describe('Valid Code', () => {
-    ruleTester.run('valid - safe child process usage', detectChildProcess, {
-      valid: [
-        // Not child_process methods
-        {
-          code: 'const exec = myFunction; exec(command);',
-        },
-        {
-          code: 'obj.exec(command);',
-        },
-        // Note: Rule flags ALL child_process methods, even execFile/spawn
-        // These are considered "safe" in practice but rule detects them
-      ],
-      invalid: [],
-    });
-  });
-  describe('Invalid Code - exec()', () => {
-    ruleTester.run('invalid - exec with dynamic commands', detectChildProcess, {
-      valid: [],
-      invalid: [
-        {
-          code: 'child_process.exec(`git clone ${repoUrl}`);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.exec("git clone " + repoUrl);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.execSync(`npm install ${packageName}`);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: `
-            const command = getUserInput();
-            child_process.exec(command);
-          `,
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-      ],
-    });
-  });
-  describe('Invalid Code - execFile/spawn (Rule flags all methods)', () => {
-    ruleTester.run('invalid - execFile and spawn (rule flags all child_process methods)', detectChildProcess, {
-      valid: [],
-      invalid: [
-        // Note: Rule flags ALL child_process methods, even safe ones like execFile/spawn
-        {
-          code: 'child_process.execFile("git", ["clone", repoUrl], { shell: false });',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.execFileSync("npm", ["install", packageName], { shell: false });',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.spawn("node", ["script.js"], { shell: false });',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.spawnSync("ls", ["-la"], { shell: false });',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-      ],
-    });
-  });
-  describe('Invalid Code - spawn()', () => {
-    ruleTester.run('invalid - spawn with unsafe arguments', detectChildProcess, {
-      valid: [],
-      invalid: [
-        {
-          code: 'child_process.spawn("bash", ["-c", userCommand]);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.spawn(userCommand, args);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        {
-          code: 'child_process.spawnSync("sh", ["-c", userInput]);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-      ],
-    });
-  });
-  describe('Suggestions', () => {
-    ruleTester.run('suggestions for fixes', detectChildProcess, {
-      valid: [],
-      invalid: [
-        {
-          code: 'child_process.exec(`git clone ${repoUrl}`);',
-          errors: [
-            {
-              messageId: 'childProcessCommandInjection',
-              // Note: Rule provides suggestions but they don't have output (fix: () => null)
-              // Test framework requires output for suggestions, so we don't test them here
-            },
-          ],
-        },
-      ],
-    });
-  });
-  describe('Edge Cases', () => {
-    ruleTester.run('edge cases', detectChildProcess, {
-      valid: [
-        // Literal strings (if allowLiteralStrings is true)
-        {
-          code: 'child_process.exec("git clone https://example.com/repo.git");',
-          options: [{ allowLiteralStrings: true }],
-        },
-      ],
-      invalid: [
-        // Note: Rule only checks child_process.exec() directly, not imported calls
-        // These would need rule enhancement to detect
-      ],
-    });
-  });
-  describe('Options', () => {
-    ruleTester.run('options testing', detectChildProcess, {
-      valid: [
-        {
-          code: 'child_process.exec("literal string");',
-          options: [{ allowLiteralStrings: true }],
-        },
-        {
-          code: 'child_process.spawn("node", ["script.js"]);',
-          options: [{ allowLiteralSpawn: true }],
-        },
-      ],
-      invalid: [
-        {
-          code: 'child_process.exec(userCommand);',
-          options: [{ allowLiteralStrings: true }],
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-      ],
-    });
-  });
-  describe('Edge Cases - Coverage', () => {
-    ruleTester.run('edge cases - default case in switch (line 251)', detectChildProcess, {
-      valid: [],
-      invalid: [
-        // Test with execFileSync to trigger default case in generateRefactoringSteps (line 251)
-        {
-          code: 'child_process.execFileSync(userCommand, args);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        // Test with fork to trigger default case
-        {
-          code: 'child_process.fork(userScript);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-        // Test with forkSync to trigger forkSync case in generateRefactoringSteps (lines 429-438)
-        {
-          code: 'child_process.forkSync(userScript);',
-          errors: [{ messageId: 'childProcessCommandInjection' }],
-        },
-      ],
-    });
-    ruleTester.run('edge cases - non-dangerous method (line 290)', detectChildProcess, {
-      valid: [
-        // Test with a method that's NOT in dangerousMethods to cover line 290
-        // Note: child_process doesn't have many other methods, but if one exists that's not dangerous,
-        // it should be valid. However, since we can't easily test this without modifying the rule,
-        // we'll test with a method that might not be in the default list
-        {
-          code: 'child_process.someOtherMethod(command);',
-        },
-      ],
-      invalid: [],
-    });
-  });
-});