npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/detect-non-literal-regexp/index.js ADDED Viewed

@@ -0,0 +1,403 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectNonLiteralRegexp = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+// Type guard for regex literal nodes
+const isRegExpLiteral = (node) => {
+    return node.type === 'Literal' && Object.prototype.hasOwnProperty.call(node, 'regex');
+};
+const REGEXP_PATTERNS = [
+    {
+        pattern: 'new RegExp\\(.*\\)',
+        dangerous: true,
+        vulnerability: 'redos',
+        safeAlternative: 'Pre-defined RegExp constants',
+        example: {
+            bad: 'new RegExp(userInput)',
+            good: 'const PATTERNS = { email: /^[a-zA-Z0-9]+$/ }; PATTERNS[userChoice]'
+        },
+        effort: '10-15 minutes',
+        riskLevel: 'high'
+    },
+    {
+        pattern: 'RegExp\\(.*\\)',
+        dangerous: true,
+        vulnerability: 'redos',
+        safeAlternative: 'Static RegExp literals or validated patterns',
+        example: {
+            bad: 'RegExp(userPattern)',
+            good: 'const safePattern = userPattern.replace(/[.*+?^${}()|[\\]\\\\]/g, \'\\\\$&\'); new RegExp(`^${safePattern}$`)'
+        },
+        effort: '15-20 minutes',
+        riskLevel: 'high'
+    },
+    {
+        pattern: '/.*\\*\\*.*|.*\\+\\+.*|.*\\?\\?/',
+        dangerous: true,
+        vulnerability: 'redos',
+        safeAlternative: 'Avoid nested quantifiers, use atomic groups',
+        example: {
+            bad: '/(a+)+b/', // ReDoS vulnerable
+            good: '/(?>a+)b/', // Atomic group (if supported) or restructure
+        },
+        effort: '20-30 minutes',
+        riskLevel: 'critical'
+    }
+];
+exports.detectNonLiteralRegexp = (0, eslint_devkit_2.createRule)({
+    name: 'detect-non-literal-regexp',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression',
+        },
+        messages: {
+            // 🎯 Token optimization: 41% reduction (51→30 tokens) - compact template variables
+            regexpReDoS: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.WARNING,
+                issueName: 'ReDoS vulnerability',
+                cwe: 'CWE-400',
+                description: 'ReDoS vulnerability detected',
+                severity: '{{riskLevel}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useStaticRegex: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Static Regex',
+                description: 'Use pre-defined RegExp constants',
+                severity: 'LOW',
+                fix: 'const PATTERN = /^[a-z]+$/; // Define at module level',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp',
+            }),
+            validateInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Validate Input',
+                description: 'Validate and escape user input',
+                severity: 'LOW',
+                fix: 'Validate input length and characters before RegExp',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            useRegexLibrary: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Use Safe Library',
+                description: 'Use safe-regex library or re2',
+                severity: 'LOW',
+                fix: 'import { isSafe } from "safe-regex"; if (isSafe(pattern)) ...',
+                documentationLink: 'https://github.com/substack/safe-regex',
+            }),
+            addTimeout: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Add Timeout',
+                description: 'Add timeout to regex operations',
+                severity: 'LOW',
+                fix: 'Use timeout wrapper for regex operations',
+                documentationLink: 'https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS',
+            }),
+            escapeUserInput: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.INFO,
+                issueName: 'Escape Input',
+                description: 'Escape special regex characters',
+                severity: 'LOW',
+                fix: 'input.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    allowLiterals: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Allow literal string regex patterns'
+                    },
+                    additionalPatterns: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional RegExp creation patterns to check'
+                    },
+                    maxPatternLength: {
+                        type: 'number',
+                        default: 100,
+                        minimum: 1,
+                        description: 'Maximum allowed pattern length for dynamic regex'
+                    }
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            allowLiterals: false,
+            additionalPatterns: [],
+            maxPatternLength: 100
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { allowLiterals = false, maxPatternLength = 100 } = options || {};
+        /**
+         * Check if a node is a literal string (potentially safe)
+         * Includes template literals without expressions
+         */
+        const isLiteralString = (node) => {
+            if (node.type === 'Literal' && typeof node.value === 'string') {
+                return true;
+            }
+            // Template literals without expressions are also static/safe
+            if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
+                return true;
+            }
+            return false;
+        };
+        /**
+         * Check if a regex pattern contains dangerous ReDoS patterns
+         * Only flag truly dangerous patterns like nested quantifiers: (a+)+, (a*)*
+         */
+        const hasReDoSPatterns = (pattern) => {
+            // Detect truly dangerous nested quantifier patterns that cause exponential backtracking
+            // Pattern like (a+)+, (a*)+, (a+)*, (a*)*, ([a-z]+)+
+            const nestedQuantifierPatterns = [
+                /\([^)]*[+*]\)[+*]/, // (something+)+ or (something*)* patterns
+                /\([^)]*[+*]\)\{[0-9,]+\}/, // (something+){n,m} patterns
+            ];
+            for (const dangerousPattern of nestedQuantifierPatterns) {
+                if (dangerousPattern.test(pattern)) {
+                    return true;
+                }
+            }
+            return false;
+        };
+        /**
+         * Extract regex pattern from RegExp construction
+         */
+        const extractPattern = (node) => {
+            const sourceCode = context.sourceCode || context.sourceCode;
+            // Determine constructor type
+            let constructor = 'RegExp';
+            if (node.type === 'NewExpression' && node.callee.type === 'Identifier') {
+                constructor = `new ${node.callee.name}`;
+            }
+            // First argument is the pattern
+            const patternNode = node.arguments.length > 0 ? node.arguments[0] : null;
+            const pattern = patternNode ? sourceCode.getText(patternNode) : '';
+            const isDynamic = patternNode ? !isLiteralString(patternNode) : false;
+            const length = patternNode && isLiteralString(patternNode) ?
+                String(patternNode.value).length : pattern.length;
+            return { pattern, patternNode, constructor, isDynamic, length };
+        };
+        /**
+         * Detect the specific vulnerability pattern
+         */
+        const detectVulnerability = (pattern, isDynamic) => {
+            // Check for dynamic construction first (highest risk)
+            if (isDynamic) {
+                for (const vuln of REGEXP_PATTERNS) {
+                    if (new RegExp(vuln.pattern, 'i').test(pattern)) {
+                        return vuln;
+                    }
+                }
+                // Generic dynamic RegExp construction
+                return {
+                    pattern: 'dynamic',
+                    dangerous: true,
+                    vulnerability: 'redos',
+                    safeAlternative: 'Pre-defined RegExp constants',
+                    example: {
+                        bad: pattern,
+                        good: 'const PATTERNS = { email: /^[a-zA-Z0-9]+$/ }; PATTERNS[type]'
+                    },
+                    effort: '10-15 minutes',
+                    riskLevel: 'high'
+                };
+            }
+            // Check for ReDoS patterns in literal regex
+            if (hasReDoSPatterns(pattern)) {
+                return {
+                    pattern: 'redos-literal',
+                    dangerous: true,
+                    vulnerability: 'redos',
+                    safeAlternative: 'Restructure regex to avoid nested quantifiers',
+                    example: {
+                        bad: pattern,
+                        good: pattern.replace(/(a+)\+/g, '$1') // Simplified example
+                    },
+                    effort: '20-30 minutes',
+                    riskLevel: 'high'
+                };
+            }
+            return null;
+        };
+        /**
+         * Generate refactoring steps based on the vulnerability
+         */
+        const generateRefactoringSteps = (vulnerability) => {
+            if (vulnerability.pattern === 'dynamic') {
+                return [
+                    '   1. Create a whitelist of allowed regex patterns',
+                    '   2. Use object lookup: PATTERNS[userChoice]',
+                    '   3. If dynamic needed: escape input with regex escaping function',
+                    '   4. Add pattern length validation',
+                    '   5. Consider using a safe regex library'
+                ].join('\n');
+            }
+            if (vulnerability.pattern === 'redos-literal') {
+                return [
+                    '   1. Identify nested quantifiers (*+, ++, ?+)',
+                    '   2. Restructure regex to avoid exponential backtracking',
+                    '   3. Use atomic groups if supported: (?>...)',
+                    '   4. Test regex performance with long inputs',
+                    '   5. Consider alternatives like string methods'
+                ].join('\n');
+            }
+            switch (vulnerability.vulnerability) {
+                case 'redos':
+                    return [
+                        '   1. Avoid nested quantifiers and backreferences',
+                        '   2. Use possessive quantifiers: *+, ++, ?+',
+                        '   3. Restructure regex to be more specific',
+                        '   4. Test with potentially malicious inputs',
+                        '   5. Consider safe-regex library validation'
+                    ].join('\n');
+                case 'injection':
+                    return [
+                        '   1. Escape user input before RegExp construction',
+                        '   2. Use RegExp.escape() if available',
+                        '   3. Validate input against allowed character sets',
+                        '   4. Add length limits to prevent oversized patterns',
+                        '   5. Use static patterns when possible'
+                    ].join('\n');
+                default:
+                    return [
+                        '   1. Identify the specific regex use case',
+                        '   2. Choose appropriate safe alternative',
+                        '   3. Add input validation and escaping',
+                        '   4. Test thoroughly with edge cases',
+                        '   5. Monitor performance in production'
+                    ].join('\n');
+            }
+        };
+        /**
+         * Determine overall risk level
+         */
+        const determineRiskLevel = (vulnerability, pattern) => {
+            if (vulnerability.riskLevel === 'critical' || hasReDoSPatterns(pattern)) {
+                return 'CRITICAL';
+            }
+            if (vulnerability.riskLevel === 'high') {
+                return 'HIGH';
+            }
+            return 'MEDIUM';
+        };
+        /**
+         * Check RegExp constructor calls for vulnerabilities
+         */
+        const checkRegExpCall = (node) => {
+            // Check for RegExp constructor calls
+            const isRegExpCall = node.callee.type === 'Identifier' && node.callee.name === 'RegExp';
+            const isNewRegExp = node.type === 'NewExpression' && node.callee.type === 'Identifier' && node.callee.name === 'RegExp';
+            if (!isRegExpCall && !isNewRegExp) {
+                return;
+            }
+            const { pattern, patternNode, isDynamic, length } = extractPattern(node);
+            // Allow literals if configured and pattern is reasonable length
+            if (allowLiterals && patternNode && isLiteralString(patternNode) && length <= maxPatternLength) {
+                // Still check for ReDoS patterns even in literals
+                if (!hasReDoSPatterns(pattern)) {
+                    return;
+                }
+            }
+            const vulnerability = detectVulnerability(pattern, isDynamic);
+            // If no specific vulnerability detected but it's dynamic, still warn
+            const effectiveVulnerability = vulnerability || (isDynamic ? {
+                pattern: 'dynamic',
+                dangerous: true,
+                vulnerability: 'redos',
+                safeAlternative: 'Use static RegExp patterns',
+                example: {
+                    bad: pattern,
+                    good: '/^safe-pattern$/'
+                },
+                effort: '10-15 minutes',
+                riskLevel: 'medium'
+            } : null);
+            if (!effectiveVulnerability) {
+                return;
+            }
+            const riskLevel = determineRiskLevel(effectiveVulnerability, pattern);
+            const steps = generateRefactoringSteps(effectiveVulnerability);
+            context.report({
+                node,
+                messageId: 'regexpReDoS',
+                data: {
+                    pattern: pattern.substring(0, 30) + (pattern.length > 30 ? '...' : ''),
+                    riskLevel,
+                    vulnerability: effectiveVulnerability.vulnerability,
+                    safeAlternative: effectiveVulnerability.safeAlternative,
+                    steps,
+                    effort: effectiveVulnerability.effort
+                },
+                suggest: [
+                    {
+                        messageId: 'useStaticRegex',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'validateInput',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'useRegexLibrary',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'addTimeout',
+                        fix: () => null
+                    },
+                    {
+                        messageId: 'escapeUserInput',
+                        fix: () => null
+                    }
+                ]
+            });
+        };
+        /**
+         * Check literal regex patterns for ReDoS vulnerabilities
+         */
+        const checkLiteralRegExp = (node) => {
+            if (!isRegExpLiteral(node)) {
+                return;
+            }
+            const pattern = node.regex.pattern;
+            // Check for ReDoS patterns
+            if (hasReDoSPatterns(pattern)) {
+                const vulnerability = detectVulnerability(pattern, false);
+                if (vulnerability) {
+                    const riskLevel = determineRiskLevel(vulnerability, pattern);
+                    const steps = generateRefactoringSteps(vulnerability);
+                    context.report({
+                        node,
+                        messageId: 'regexpReDoS',
+                        data: {
+                            pattern: pattern.substring(0, 30) + (pattern.length > 30 ? '...' : ''),
+                            riskLevel,
+                            vulnerability: vulnerability.vulnerability,
+                            safeAlternative: vulnerability.safeAlternative,
+                            steps,
+                            effort: vulnerability.effort
+                        }
+                    });
+                }
+            }
+        };
+        return {
+            CallExpression: checkRegExpCall,
+            NewExpression: checkRegExpCall,
+            Literal: checkLiteralRegExp
+        };
+    },
+});

package/src/rules/detect-object-injection/index.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface Options {
+    /** Allow bracket notation with literal strings. Default: false (stricter) */
+    allowLiterals?: boolean;
+    /** Additional object methods to check for injection */
+    additionalMethods?: string[];
+    /** Properties to consider dangerous. Default: __proto__, prototype, constructor */
+    dangerousProperties?: string[];
+    /** Strategy for fixing object injection: 'validate', 'whitelist', 'freeze', or 'auto' */
+    strategy?: 'validate' | 'whitelist' | 'freeze' | 'auto';
+}
+export declare const detectObjectInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;