eslint-plugin-secure-coding 2.3.3 → 2.4.0

package/src/rules/detect-non-literal-regexp/detect-non-literal-regexp.test.ts

@@ -1,189 +0,0 @@
-/**
- * Comprehensive tests for detect-non-literal-regexp rule
- * Security: CWE-400 (ReDoS - Regular Expression Denial of Service)
- */
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { describe, it, afterAll } from 'vitest';
-import parser from '@typescript-eslint/parser';
-import { detectNonLiteralRegexp } from './index';
-
-// Configure RuleTester for Vitest
-RuleTester.afterAll = afterAll;
-RuleTester.it = it;
-RuleTester.itOnly = it.only;
-RuleTester.describe = describe;
-
-// Use Flat Config format (ESLint 9+)
-const ruleTester = new RuleTester({
-  languageOptions: {
-    parser,
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-});
-
-describe('detect-non-literal-regexp', () => {
-  describe('Valid Code', () => {
-    ruleTester.run('valid - safe regex patterns', detectNonLiteralRegexp, {
-      valid: [
-        // Not RegExp - these are safe
-        {
-          code: 'const result = myFunction(pattern);',
-        },
-        {
-          code: 'obj.RegExp(pattern);',
-        },
-        // Note: This rule is very strict and detects ReDoS patterns even in literals
-        // Most regex patterns will trigger the rule, so we only test non-RegExp code as valid
-      ],
-      invalid: [],
-    });
-  });
-
-  describe('Invalid Code - Dynamic RegExp', () => {
-    ruleTester.run('invalid - dynamic regex patterns', detectNonLiteralRegexp, {
-      valid: [],
-      invalid: [
-        {
-          code: 'const pattern = new RegExp(userInput);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: 'const regex = RegExp(userPattern);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: 'new RegExp(`^${userInput}$`);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: `
-            const pattern = getUserInput();
-            const regex = new RegExp(pattern);
-          `,
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: 'new RegExp(config.pattern);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-      ],
-    });
-  });
-
-  describe('Invalid Code - ReDoS Patterns in Literals', () => {
-    ruleTester.run('invalid - True ReDoS vulnerable patterns', detectNonLiteralRegexp, {
-      valid: [
-        // Simple regex literals are now safe - no nested quantifiers
-        { code: 'const pattern = /^[a-z]+$/;' },
-        { code: 'const emailRegex = /^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$/;' },
-        // Static string patterns with new RegExp are now also safe by default
-        { code: 'const pattern = new RegExp("^[a-z]+$");' },
-        { code: 'const pattern = RegExp("^test$");' },
-        { code: 'const pattern = new RegExp(`^test$`);' },
-        // Explicitly allowing literals also works
-        { code: 'const pattern = new RegExp("^[a-z]+$");', options: [{ allowLiterals: true }] },
-        { code: 'const pattern = RegExp("^test$");', options: [{ allowLiterals: true }] },
-        { code: 'const pattern = new RegExp(`^test$`);', options: [{ allowLiterals: true }] },
-      ],
-      invalid: [
-        // Truly dangerous nested quantifier patterns: (a+)+
-        {
-          code: 'const pattern = /(a+)+b/;',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: 'const pattern = /([a-z]+)*/;',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        // Dynamic regex with variables still flagged
-        {
-          code: 'const pattern = new RegExp(userInput);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-      ],
-    });
-  });
-
-
-  describe('Suggestions', () => {
-    ruleTester.run('suggestions for fixes', detectNonLiteralRegexp, {
-      valid: [],
-      invalid: [
-        {
-          code: 'const regex = new RegExp(userInput);',
-          errors: [
-            {
-              messageId: 'regexpReDoS',
-              // Note: Rule may not provide suggestions in all cases
-            },
-          ],
-        },
-      ],
-    });
-  });
-
-  describe('Edge Cases', () => {
-    ruleTester.run('edge cases', detectNonLiteralRegexp, {
-      valid: [
-        // Note: Rule may detect RegExp calls even when reassigned
-        // This is a limitation of static analysis
-        // allowLiterals option now allows static string patterns
-        {
-          code: 'new RegExp("^test$");',
-          options: [{ allowLiterals: true }],
-        },
-      ],
-      invalid: [
-        {
-          code: 'const RegExp = myFunction; RegExp(pattern);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-      ],
-    });
-  });
-
-  describe('Options', () => {
-    ruleTester.run('options testing', detectNonLiteralRegexp, {
-      valid: [
-        // allowLiterals option now allows static string patterns  
-        {
-          code: 'new RegExp("^test$");',
-          options: [{ allowLiterals: true }],
-        },
-      ],
-      invalid: [
-        // Dynamic userInput patterns are still flagged
-        {
-          code: 'new RegExp(userInput);',
-          options: [{ maxPatternLength: 100 }],
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-        {
-          code: 'new RegExp(userInput);',
-          options: [{ allowLiterals: true }],
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-      ],
-    });
-  });
-
-  describe('Uncovered Lines', () => {
-    // Note: Lines 365-368 (early return with allowLiterals) are not testable
-    // because the rule flags all regex patterns as potentially vulnerable
-    // The allowLiterals option only affects whether literals are processed or not
-
-    // Line 389: Early return when no vulnerability is detected
-    ruleTester.run('line 389 - no vulnerability detected', detectNonLiteralRegexp, {
-      valid: [],
-      invalid: [
-        // This should trigger the no vulnerability case, but still report due to dynamic nature
-        {
-          code: 'new RegExp(userInput);',
-          errors: [{ messageId: 'regexpReDoS' }],
-        },
-      ],
-    });
-  });
-});
-

package/src/rules/detect-non-literal-regexp/index.ts

@@ -1,490 +0,0 @@
-/**
- * ESLint Rule: detect-non-literal-regexp
- * Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression
- * LLM-optimized with comprehensive ReDoS prevention guidance
- *
- * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- * @see https://cwe.mitre.org/data/definitions/400.html
- */
-import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
-import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import { createRule } from '@interlace/eslint-devkit';
-
-type MessageIds =
-  | 'regexpReDoS'
-  | 'useStaticRegex'
-  | 'validateInput'
-  | 'useRegexLibrary'
-  | 'addTimeout'
-  | 'escapeUserInput';
-
-export interface Options {
-  /** Allow literal string regex patterns. Default: false (stricter) */
-  allowLiterals?: boolean;
-  
-  /** Additional RegExp creation patterns to check */
-  additionalPatterns?: string[];
-  
-  /** Maximum allowed pattern length for dynamic regex */
-  maxPatternLength?: number;
-}
-
-type RuleOptions = [Options?];
-
-// Type guard for regex literal nodes
-const isRegExpLiteral = (node: TSESTree.Node): node is TSESTree.Literal & { regex: { pattern: string; flags: string } } => {
-  return node.type === 'Literal' && Object.prototype.hasOwnProperty.call(node, 'regex');
-};
-
-/**
- * RegExp creation patterns and their security implications
- */
-interface RegExpPattern {
-  pattern: string;
-  dangerous: boolean;
-  vulnerability: 'redos' | 'injection' | 'performance';
-  safeAlternative: string;
-  example: { bad: string; good: string };
-  effort: string;
-  riskLevel: 'low' | 'medium' | 'high' | 'critical';
-}
-
-const REGEXP_PATTERNS: RegExpPattern[] = [
-  {
-    pattern: 'new RegExp\\(.*\\)',
-    dangerous: true,
-    vulnerability: 'redos',
-    safeAlternative: 'Pre-defined RegExp constants',
-    example: {
-      bad: 'new RegExp(userInput)',
-      good: 'const PATTERNS = { email: /^[a-zA-Z0-9]+$/ }; PATTERNS[userChoice]'
-    },
-    effort: '10-15 minutes',
-    riskLevel: 'high'
-  },
-  {
-    pattern: 'RegExp\\(.*\\)',
-    dangerous: true,
-    vulnerability: 'redos',
-    safeAlternative: 'Static RegExp literals or validated patterns',
-    example: {
-      bad: 'RegExp(userPattern)',
-      good: 'const safePattern = userPattern.replace(/[.*+?^${}()|[\\]\\\\]/g, \'\\\\$&\'); new RegExp(`^${safePattern}$`)'
-    },
-    effort: '15-20 minutes',
-    riskLevel: 'high'
-  },
-  {
-    pattern: '/.*\\*\\*.*|.*\\+\\+.*|.*\\?\\?/',
-    dangerous: true,
-    vulnerability: 'redos',
-    safeAlternative: 'Avoid nested quantifiers, use atomic groups',
-    example: {
-      bad: '/(a+)+b/', // ReDoS vulnerable
-      good: '/(?>a+)b/', // Atomic group (if supported) or restructure
-    },
-    effort: '20-30 minutes',
-    riskLevel: 'critical'
-  }
-];
-
-export const detectNonLiteralRegexp = createRule<RuleOptions, MessageIds>({
-  name: 'detect-non-literal-regexp',
-  meta: {
-    type: 'problem',
-    docs: {
-      description: 'Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression',
-    },
-    messages: {
-      // 🎯 Token optimization: 41% reduction (51→30 tokens) - compact template variables
-      regexpReDoS: formatLLMMessage({
-        icon: MessageIcons.WARNING,
-        issueName: 'ReDoS vulnerability',
-        cwe: 'CWE-400',
-        description: 'ReDoS vulnerability detected',
-        severity: '{{riskLevel}}',
-        fix: '{{safeAlternative}}',
-        documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
-      }),
-      useStaticRegex: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use Static Regex',
-        description: 'Use pre-defined RegExp constants',
-        severity: 'LOW',
-        fix: 'const PATTERN = /^[a-z]+$/; // Define at module level',
-        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp',
-      }),
-      validateInput: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Validate Input',
-        description: 'Validate and escape user input',
-        severity: 'LOW',
-        fix: 'Validate input length and characters before RegExp',
-        documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
-      }),
-      useRegexLibrary: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use Safe Library',
-        description: 'Use safe-regex library or re2',
-        severity: 'LOW',
-        fix: 'import { isSafe } from "safe-regex"; if (isSafe(pattern)) ...',
-        documentationLink: 'https://github.com/substack/safe-regex',
-      }),
-      addTimeout: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Add Timeout',
-        description: 'Add timeout to regex operations',
-        severity: 'LOW',
-        fix: 'Use timeout wrapper for regex operations',
-        documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
-      }),
-      escapeUserInput: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Escape Input',
-        description: 'Escape special regex characters',
-        severity: 'LOW',
-        fix: 'input.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
-        documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping',
-      })
-    },
-    schema: [
-      {
-        type: 'object',
-        properties: {
-          allowLiterals: {
-            type: 'boolean',
-            default: false,
-            description: 'Allow literal string regex patterns'
-          },
-          additionalPatterns: {
-            type: 'array',
-            items: { type: 'string' },
-            default: [],
-            description: 'Additional RegExp creation patterns to check'
-          },
-          maxPatternLength: {
-            type: 'number',
-            default: 100,
-            minimum: 1,
-            description: 'Maximum allowed pattern length for dynamic regex'
-          }
-        },
-        additionalProperties: false,
-      },
-    ],
-  },
-  defaultOptions: [
-    {
-      allowLiterals: false,
-      additionalPatterns: [],
-      maxPatternLength: 100
-    },
-  ],
-  create(context: TSESLint.RuleContext<MessageIds, RuleOptions>) {
-    const options = context.options[0] || {};
-    const {
-allowLiterals = false,
-      maxPatternLength = 100
-    
-}: Options = options || {};
-
-    /**
-     * Check if a node is a literal string (potentially safe)
-     * Includes template literals without expressions
-     */
-    const isLiteralString = (node: TSESTree.Node): boolean => {
-      if (node.type === 'Literal' && typeof node.value === 'string') {
-        return true;
-      }
-      // Template literals without expressions are also static/safe
-      if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
-        return true;
-      }
-      return false;
-    };
-
-    /**
-     * Check if a regex pattern contains dangerous ReDoS patterns
-     * Only flag truly dangerous patterns like nested quantifiers: (a+)+, (a*)*
-     */
-    const hasReDoSPatterns = (pattern: string): boolean => {
-      // Detect truly dangerous nested quantifier patterns that cause exponential backtracking
-      // Pattern like (a+)+, (a*)+, (a+)*, (a*)*, ([a-z]+)+
-      const nestedQuantifierPatterns = [
-        /\([^)]*[+*]\)[+*]/, // (something+)+ or (something*)* patterns
-        /\([^)]*[+*]\)\{[0-9,]+\}/, // (something+){n,m} patterns
-      ];
-      
-      for (const dangerousPattern of nestedQuantifierPatterns) {
-        if (dangerousPattern.test(pattern)) {
-          return true;
-        }
-      }
-      
-      return false;
-    };
-
-    /**
-     * Extract regex pattern from RegExp construction
-     */
-    const extractPattern = (node: TSESTree.CallExpression | TSESTree.NewExpression): {
-      pattern: string;
-      patternNode: TSESTree.Node | null;
-      constructor: string;
-      isDynamic: boolean;
-      length: number;
-    } => {
-      const sourceCode = context.sourceCode || context.sourceCode;
-
-      // Determine constructor type
-      let constructor = 'RegExp';
-      if (node.type === 'NewExpression' && node.callee.type === 'Identifier') {
-        constructor = `new ${node.callee.name}`;
-      }
-
-      // First argument is the pattern
-      const patternNode = node.arguments.length > 0 ? node.arguments[0] : null;
-      const pattern = patternNode ? sourceCode.getText(patternNode) : '';
-      const isDynamic = patternNode ? !isLiteralString(patternNode) : false;
-      const length = patternNode && isLiteralString(patternNode) ?
-                     String((patternNode as TSESTree.Literal).value).length : pattern.length;
-
-      return { pattern, patternNode, constructor, isDynamic, length };
-    };
-
-    /**
-     * Detect the specific vulnerability pattern
-     */
-    const detectVulnerability = (pattern: string, isDynamic: boolean): RegExpPattern | null => {
-      // Check for dynamic construction first (highest risk)
-      if (isDynamic) {
-        for (const vuln of REGEXP_PATTERNS) {
-          if (new RegExp(vuln.pattern, 'i').test(pattern)) {
-            return vuln;
-          }
-        }
-        // Generic dynamic RegExp construction
-        return {
-          pattern: 'dynamic',
-          dangerous: true,
-          vulnerability: 'redos',
-          safeAlternative: 'Pre-defined RegExp constants',
-          example: {
-            bad: pattern,
-            good: 'const PATTERNS = { email: /^[a-zA-Z0-9]+$/ }; PATTERNS[type]'
-          },
-          effort: '10-15 minutes',
-          riskLevel: 'high'
-        };
-      }
-
-      // Check for ReDoS patterns in literal regex
-      if (hasReDoSPatterns(pattern)) {
-        return {
-          pattern: 'redos-literal',
-          dangerous: true,
-          vulnerability: 'redos',
-          safeAlternative: 'Restructure regex to avoid nested quantifiers',
-          example: {
-            bad: pattern,
-            good: pattern.replace(/(a+)\+/g, '$1') // Simplified example
-          },
-          effort: '20-30 minutes',
-          riskLevel: 'high'
-        };
-      }
-
-      return null;
-    };
-
-    /**
-     * Generate refactoring steps based on the vulnerability
-     */
-    const generateRefactoringSteps = (vulnerability: RegExpPattern): string => {
-      if (vulnerability.pattern === 'dynamic') {
-        return [
-          '   1. Create a whitelist of allowed regex patterns',
-          '   2. Use object lookup: PATTERNS[userChoice]',
-          '   3. If dynamic needed: escape input with regex escaping function',
-          '   4. Add pattern length validation',
-          '   5. Consider using a safe regex library'
-        ].join('\n');
-      }
-
-      if (vulnerability.pattern === 'redos-literal') {
-        return [
-          '   1. Identify nested quantifiers (*+, ++, ?+)',
-          '   2. Restructure regex to avoid exponential backtracking',
-          '   3. Use atomic groups if supported: (?>...)',
-          '   4. Test regex performance with long inputs',
-          '   5. Consider alternatives like string methods'
-        ].join('\n');
-      }
-
-      switch (vulnerability.vulnerability) {
-        case 'redos':
-          return [
-            '   1. Avoid nested quantifiers and backreferences',
-            '   2. Use possessive quantifiers: *+, ++, ?+',
-            '   3. Restructure regex to be more specific',
-            '   4. Test with potentially malicious inputs',
-            '   5. Consider safe-regex library validation'
-          ].join('\n');
-
-        case 'injection':
-          return [
-            '   1. Escape user input before RegExp construction',
-            '   2. Use RegExp.escape() if available',
-            '   3. Validate input against allowed character sets',
-            '   4. Add length limits to prevent oversized patterns',
-            '   5. Use static patterns when possible'
-          ].join('\n');
-
-        default:
-          return [
-            '   1. Identify the specific regex use case',
-            '   2. Choose appropriate safe alternative',
-            '   3. Add input validation and escaping',
-            '   4. Test thoroughly with edge cases',
-            '   5. Monitor performance in production'
-          ].join('\n');
-      }
-    };
-
-    /**
-     * Determine overall risk level
-     */
-    const determineRiskLevel = (vulnerability: RegExpPattern, pattern: string): string => {
-      if (vulnerability.riskLevel === 'critical' || hasReDoSPatterns(pattern)) {
-        return 'CRITICAL';
-      }
-
-      if (vulnerability.riskLevel === 'high') {
-        return 'HIGH';
-      }
-
-      return 'MEDIUM';
-    };
-
-    /**
-     * Check RegExp constructor calls for vulnerabilities
-     */
-    const checkRegExpCall = (node: TSESTree.CallExpression | TSESTree.NewExpression) => {
-      // Check for RegExp constructor calls
-      const isRegExpCall = node.callee.type === 'Identifier' && node.callee.name === 'RegExp';
-      const isNewRegExp = node.type === 'NewExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp';
-
-      if (!isRegExpCall && !isNewRegExp) {
-        return;
-      }
-
-      const { pattern, patternNode, isDynamic, length } = extractPattern(node);
-
-      // Allow literals if configured and pattern is reasonable length
-      if (allowLiterals && patternNode && isLiteralString(patternNode) && length <= maxPatternLength) {
-        // Still check for ReDoS patterns even in literals
-        if (!hasReDoSPatterns(pattern)) {
-          return;
-        }
-      }
-
-      const vulnerability = detectVulnerability(pattern, isDynamic);
-
-      // If no specific vulnerability detected but it's dynamic, still warn
-      const effectiveVulnerability = vulnerability || (isDynamic ? {
-        pattern: 'dynamic',
-        dangerous: true,
-        vulnerability: 'redos' as const,
-        safeAlternative: 'Use static RegExp patterns',
-        example: {
-          bad: pattern,
-          good: '/^safe-pattern$/'
-        },
-        effort: '10-15 minutes',
-        riskLevel: 'medium' as const
-      } : null);
-
-      if (!effectiveVulnerability) {
-        return;
-      }
-
-      const riskLevel = determineRiskLevel(effectiveVulnerability, pattern);
-      const steps = generateRefactoringSteps(effectiveVulnerability);
-
-      context.report({
-        node,
-        messageId: 'regexpReDoS',
-        data: {
-          pattern: pattern.substring(0, 30) + (pattern.length > 30 ? '...' : ''),
-          riskLevel,
-          vulnerability: effectiveVulnerability.vulnerability,
-          safeAlternative: effectiveVulnerability.safeAlternative,
-          steps,
-          effort: effectiveVulnerability.effort
-        },
-        suggest: [
-          {
-            messageId: 'useStaticRegex',
-            fix: () => null
-          },
-          {
-            messageId: 'validateInput',
-            fix: () => null
-          },
-          {
-            messageId: 'useRegexLibrary',
-            fix: () => null
-          },
-          {
-            messageId: 'addTimeout',
-            fix: () => null
-          },
-          {
-            messageId: 'escapeUserInput',
-            fix: () => null
-          }
-        ]
-      });
-    };
-
-    /**
-     * Check literal regex patterns for ReDoS vulnerabilities
-     */
-    const checkLiteralRegExp = (node: TSESTree.Node) => {
-      if (!isRegExpLiteral(node)) {
-        return;
-      }
-
-      const pattern = node.regex.pattern;
-
-      // Check for ReDoS patterns
-      if (hasReDoSPatterns(pattern)) {
-        const vulnerability = detectVulnerability(pattern, false);
-
-        if (vulnerability) {
-          const riskLevel = determineRiskLevel(vulnerability, pattern);
-          const steps = generateRefactoringSteps(vulnerability);
-
-          context.report({
-            node,
-            messageId: 'regexpReDoS',
-            data: {
-              pattern: pattern.substring(0, 30) + (pattern.length > 30 ? '...' : ''),
-              riskLevel,
-              vulnerability: vulnerability.vulnerability,
-              safeAlternative: vulnerability.safeAlternative,
-              steps,
-              effort: vulnerability.effort
-            }
-          });
-        }
-      }
-    };
-
-    return {
-      CallExpression: checkRegExpCall,
-      NewExpression: checkRegExpCall,
-      Literal: checkLiteralRegExp
-    };
-  },
-});