eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (337) hide show
  1. package/CHANGELOG.md +51 -1
  2. package/README.md +2 -2
  3. package/package.json +1 -1
  4. package/src/index.d.ts +32 -0
  5. package/src/index.js +416 -0
  6. package/src/rules/detect-child-process/index.d.ts +11 -0
  7. package/src/rules/detect-child-process/index.js +529 -0
  8. package/src/rules/detect-eval-with-expression/index.d.ts +9 -0
  9. package/src/rules/detect-eval-with-expression/index.js +392 -0
  10. package/src/rules/detect-mixed-content/index.d.ts +8 -0
  11. package/src/rules/detect-mixed-content/index.js +44 -0
  12. package/src/rules/detect-non-literal-fs-filename/index.d.ts +7 -0
  13. package/src/rules/detect-non-literal-fs-filename/index.js +454 -0
  14. package/src/rules/detect-non-literal-regexp/index.d.ts +9 -0
  15. package/src/rules/detect-non-literal-regexp/index.js +403 -0
  16. package/src/rules/detect-object-injection/index.d.ts +11 -0
  17. package/src/rules/detect-object-injection/index.js +560 -0
  18. package/src/rules/detect-suspicious-dependencies/index.d.ts +8 -0
  19. package/src/rules/detect-suspicious-dependencies/index.js +71 -0
  20. package/src/rules/detect-weak-password-validation/index.d.ts +6 -0
  21. package/src/rules/detect-weak-password-validation/index.js +58 -0
  22. package/src/rules/no-allow-arbitrary-loads/index.d.ts +8 -0
  23. package/src/rules/no-allow-arbitrary-loads/index.js +47 -0
  24. package/src/rules/no-arbitrary-file-access/index.d.ts +13 -0
  25. package/src/rules/no-arbitrary-file-access/index.js +195 -0
  26. package/src/rules/no-buffer-overread/index.d.ts +29 -0
  27. package/src/rules/no-buffer-overread/index.js +606 -0
  28. package/src/rules/no-clickjacking/index.d.ts +10 -0
  29. package/src/rules/no-clickjacking/index.js +396 -0
  30. package/src/rules/no-client-side-auth-logic/index.d.ts +6 -0
  31. package/src/rules/no-client-side-auth-logic/index.js +69 -0
  32. package/src/rules/no-credentials-in-query-params/index.d.ts +8 -0
  33. package/src/rules/no-credentials-in-query-params/index.js +57 -0
  34. package/src/rules/no-data-in-temp-storage/index.d.ts +6 -0
  35. package/src/rules/no-data-in-temp-storage/index.js +64 -0
  36. package/src/rules/no-debug-code-in-production/index.d.ts +8 -0
  37. package/src/rules/no-debug-code-in-production/index.js +51 -0
  38. package/src/rules/no-directive-injection/index.d.ts +12 -0
  39. package/src/rules/no-directive-injection/index.js +457 -0
  40. package/src/rules/no-disabled-certificate-validation/index.d.ts +6 -0
  41. package/src/rules/no-disabled-certificate-validation/index.js +61 -0
  42. package/src/rules/no-dynamic-dependency-loading/index.d.ts +8 -0
  43. package/src/rules/no-dynamic-dependency-loading/index.js +51 -0
  44. package/src/rules/no-electron-security-issues/index.d.ts +10 -0
  45. package/src/rules/no-electron-security-issues/index.js +423 -0
  46. package/src/rules/no-exposed-debug-endpoints/index.d.ts +6 -0
  47. package/src/rules/no-exposed-debug-endpoints/index.js +62 -0
  48. package/src/rules/no-exposed-sensitive-data/index.d.ts +11 -0
  49. package/src/rules/no-exposed-sensitive-data/index.js +340 -0
  50. package/src/rules/no-format-string-injection/index.d.ts +17 -0
  51. package/src/rules/no-format-string-injection/index.js +660 -0
  52. package/src/rules/no-graphql-injection/index.d.ts +12 -0
  53. package/src/rules/no-graphql-injection/index.js +411 -0
  54. package/src/rules/no-hardcoded-credentials/index.d.ts +26 -0
  55. package/src/rules/no-hardcoded-credentials/index.js +376 -0
  56. package/src/rules/no-hardcoded-session-tokens/index.d.ts +6 -0
  57. package/src/rules/no-hardcoded-session-tokens/index.js +59 -0
  58. package/src/rules/no-http-urls/index.d.ts +12 -0
  59. package/src/rules/no-http-urls/index.js +114 -0
  60. package/src/rules/no-improper-sanitization/index.d.ts +12 -0
  61. package/src/rules/no-improper-sanitization/index.js +411 -0
  62. package/src/rules/no-improper-type-validation/index.d.ts +10 -0
  63. package/src/rules/no-improper-type-validation/index.js +475 -0
  64. package/src/rules/no-insecure-comparison/index.d.ts +7 -0
  65. package/src/rules/no-insecure-comparison/index.js +193 -0
  66. package/src/rules/no-insecure-redirects/index.d.ts +7 -0
  67. package/src/rules/no-insecure-redirects/index.js +216 -0
  68. package/src/rules/no-insecure-websocket/index.d.ts +6 -0
  69. package/src/rules/no-insecure-websocket/index.js +61 -0
  70. package/src/rules/no-ldap-injection/index.d.ts +10 -0
  71. package/src/rules/no-ldap-injection/index.js +455 -0
  72. package/src/rules/no-missing-authentication/index.d.ts +13 -0
  73. package/src/rules/no-missing-authentication/index.js +333 -0
  74. package/src/rules/no-missing-cors-check/index.d.ts +9 -0
  75. package/src/rules/no-missing-cors-check/index.js +399 -0
  76. package/src/rules/no-missing-csrf-protection/index.d.ts +11 -0
  77. package/src/rules/no-missing-csrf-protection/index.js +180 -0
  78. package/src/rules/no-missing-security-headers/index.d.ts +7 -0
  79. package/src/rules/no-missing-security-headers/index.js +218 -0
  80. package/src/rules/no-password-in-url/index.d.ts +8 -0
  81. package/src/rules/no-password-in-url/index.js +54 -0
  82. package/src/rules/no-permissive-cors/index.d.ts +8 -0
  83. package/src/rules/no-permissive-cors/index.js +65 -0
  84. package/src/rules/no-pii-in-logs/index.d.ts +8 -0
  85. package/src/rules/no-pii-in-logs/index.js +70 -0
  86. package/src/rules/no-privilege-escalation/index.d.ts +13 -0
  87. package/src/rules/no-privilege-escalation/index.js +321 -0
  88. package/src/rules/no-redos-vulnerable-regex/index.d.ts +7 -0
  89. package/src/rules/no-redos-vulnerable-regex/index.js +306 -0
  90. package/src/rules/no-sensitive-data-exposure/index.d.ts +11 -0
  91. package/src/rules/no-sensitive-data-exposure/index.js +250 -0
  92. package/src/rules/no-sensitive-data-in-analytics/index.d.ts +8 -0
  93. package/src/rules/no-sensitive-data-in-analytics/index.js +62 -0
  94. package/src/rules/no-sensitive-data-in-cache/index.d.ts +8 -0
  95. package/src/rules/no-sensitive-data-in-cache/index.js +52 -0
  96. package/src/rules/no-toctou-vulnerability/index.d.ts +7 -0
  97. package/src/rules/no-toctou-vulnerability/index.js +208 -0
  98. package/src/rules/no-tracking-without-consent/index.d.ts +6 -0
  99. package/src/rules/no-tracking-without-consent/index.js +67 -0
  100. package/src/rules/no-unchecked-loop-condition/index.d.ts +12 -0
  101. package/src/rules/no-unchecked-loop-condition/index.js +646 -0
  102. package/src/rules/no-unencrypted-transmission/index.d.ts +11 -0
  103. package/src/rules/no-unencrypted-transmission/index.js +236 -0
  104. package/src/rules/no-unescaped-url-parameter/index.d.ts +9 -0
  105. package/src/rules/no-unescaped-url-parameter/index.js +355 -0
  106. package/src/rules/no-unlimited-resource-allocation/index.d.ts +12 -0
  107. package/src/rules/no-unlimited-resource-allocation/index.js +643 -0
  108. package/src/rules/no-unsafe-deserialization/index.d.ts +10 -0
  109. package/src/rules/no-unsafe-deserialization/index.js +491 -0
  110. package/src/rules/no-unsafe-dynamic-require/index.d.ts +5 -0
  111. package/src/rules/no-unsafe-dynamic-require/index.js +106 -0
  112. package/src/rules/no-unsafe-regex-construction/index.d.ts +9 -0
  113. package/src/rules/no-unsafe-regex-construction/index.js +291 -0
  114. package/src/rules/no-unvalidated-deeplinks/index.d.ts +6 -0
  115. package/src/rules/no-unvalidated-deeplinks/index.js +62 -0
  116. package/src/rules/no-unvalidated-user-input/index.d.ts +9 -0
  117. package/src/rules/no-unvalidated-user-input/index.js +420 -0
  118. package/src/rules/no-verbose-error-messages/index.d.ts +8 -0
  119. package/src/rules/no-verbose-error-messages/index.js +68 -0
  120. package/src/rules/no-weak-password-recovery/index.d.ts +12 -0
  121. package/src/rules/no-weak-password-recovery/index.js +424 -0
  122. package/src/rules/no-xpath-injection/index.d.ts +10 -0
  123. package/src/rules/no-xpath-injection/index.js +487 -0
  124. package/src/rules/no-xxe-injection/index.d.ts +7 -0
  125. package/src/rules/no-xxe-injection/index.js +266 -0
  126. package/src/rules/no-zip-slip/index.d.ts +9 -0
  127. package/src/rules/no-zip-slip/index.js +445 -0
  128. package/src/rules/require-backend-authorization/index.d.ts +6 -0
  129. package/src/rules/require-backend-authorization/index.js +60 -0
  130. package/src/rules/require-code-minification/index.d.ts +8 -0
  131. package/src/rules/require-code-minification/index.js +47 -0
  132. package/src/rules/require-csp-headers/index.d.ts +6 -0
  133. package/src/rules/require-csp-headers/index.js +64 -0
  134. package/src/rules/require-data-minimization/index.d.ts +8 -0
  135. package/src/rules/require-data-minimization/index.js +53 -0
  136. package/src/rules/require-dependency-integrity/index.d.ts +6 -0
  137. package/src/rules/require-dependency-integrity/index.js +64 -0
  138. package/src/rules/require-https-only/index.d.ts +8 -0
  139. package/src/rules/require-https-only/index.js +62 -0
  140. package/src/rules/require-mime-type-validation/index.d.ts +6 -0
  141. package/src/rules/require-mime-type-validation/index.js +66 -0
  142. package/src/rules/require-network-timeout/index.d.ts +8 -0
  143. package/src/rules/require-network-timeout/index.js +50 -0
  144. package/src/rules/require-package-lock/index.d.ts +8 -0
  145. package/src/rules/require-package-lock/index.js +63 -0
  146. package/src/rules/require-secure-credential-storage/index.d.ts +8 -0
  147. package/src/rules/require-secure-credential-storage/index.js +50 -0
  148. package/src/rules/require-secure-defaults/index.d.ts +8 -0
  149. package/src/rules/require-secure-defaults/index.js +47 -0
  150. package/src/rules/require-secure-deletion/index.d.ts +8 -0
  151. package/src/rules/require-secure-deletion/index.js +44 -0
  152. package/src/rules/require-storage-encryption/index.d.ts +8 -0
  153. package/src/rules/require-storage-encryption/index.js +50 -0
  154. package/src/rules/require-url-validation/index.d.ts +6 -0
  155. package/src/rules/require-url-validation/index.js +72 -0
  156. package/src/types/index.d.ts +106 -0
  157. package/src/types/index.js +16 -0
  158. package/src/index.ts +0 -605
  159. package/src/rules/__tests__/integration-demo.test.ts +0 -290
  160. package/src/rules/__tests__/integration-llm.test.ts +0 -89
  161. package/src/rules/database-injection/database-injection.test.ts +0 -456
  162. package/src/rules/database-injection/index.ts +0 -488
  163. package/src/rules/detect-child-process/detect-child-process.test.ts +0 -207
  164. package/src/rules/detect-child-process/index.ts +0 -634
  165. package/src/rules/detect-eval-with-expression/detect-eval-with-expression.test.ts +0 -416
  166. package/src/rules/detect-eval-with-expression/index.ts +0 -463
  167. package/src/rules/detect-mixed-content/detect-mixed-content.test.ts +0 -28
  168. package/src/rules/detect-mixed-content/index.ts +0 -52
  169. package/src/rules/detect-non-literal-fs-filename/detect-non-literal-fs-filename.test.ts +0 -269
  170. package/src/rules/detect-non-literal-fs-filename/index.ts +0 -551
  171. package/src/rules/detect-non-literal-regexp/detect-non-literal-regexp.test.ts +0 -189
  172. package/src/rules/detect-non-literal-regexp/index.ts +0 -490
  173. package/src/rules/detect-object-injection/detect-object-injection.test.ts +0 -440
  174. package/src/rules/detect-object-injection/index.ts +0 -674
  175. package/src/rules/detect-suspicious-dependencies/detect-suspicious-dependencies.test.ts +0 -32
  176. package/src/rules/detect-suspicious-dependencies/index.ts +0 -84
  177. package/src/rules/detect-weak-password-validation/detect-weak-password-validation.test.ts +0 -31
  178. package/src/rules/detect-weak-password-validation/index.ts +0 -68
  179. package/src/rules/no-allow-arbitrary-loads/index.ts +0 -54
  180. package/src/rules/no-allow-arbitrary-loads/no-allow-arbitrary-loads.test.ts +0 -28
  181. package/src/rules/no-arbitrary-file-access/index.ts +0 -238
  182. package/src/rules/no-arbitrary-file-access/no-arbitrary-file-access.test.ts +0 -119
  183. package/src/rules/no-buffer-overread/index.ts +0 -724
  184. package/src/rules/no-buffer-overread/no-buffer-overread.test.ts +0 -313
  185. package/src/rules/no-clickjacking/index.ts +0 -481
  186. package/src/rules/no-clickjacking/no-clickjacking.test.ts +0 -253
  187. package/src/rules/no-client-side-auth-logic/index.ts +0 -81
  188. package/src/rules/no-client-side-auth-logic/no-client-side-auth-logic.test.ts +0 -33
  189. package/src/rules/no-credentials-in-query-params/index.ts +0 -69
  190. package/src/rules/no-credentials-in-query-params/no-credentials-in-query-params.test.ts +0 -33
  191. package/src/rules/no-credentials-in-storage-api/index.ts +0 -64
  192. package/src/rules/no-credentials-in-storage-api/no-credentials-in-storage-api.test.ts +0 -31
  193. package/src/rules/no-data-in-temp-storage/index.ts +0 -75
  194. package/src/rules/no-data-in-temp-storage/no-data-in-temp-storage.test.ts +0 -33
  195. package/src/rules/no-debug-code-in-production/index.ts +0 -59
  196. package/src/rules/no-debug-code-in-production/no-debug-code-in-production.test.ts +0 -26
  197. package/src/rules/no-directive-injection/index.ts +0 -551
  198. package/src/rules/no-directive-injection/no-directive-injection.test.ts +0 -305
  199. package/src/rules/no-disabled-certificate-validation/index.ts +0 -72
  200. package/src/rules/no-disabled-certificate-validation/no-disabled-certificate-validation.test.ts +0 -33
  201. package/src/rules/no-document-cookie/index.ts +0 -113
  202. package/src/rules/no-document-cookie/no-document-cookie.test.ts +0 -382
  203. package/src/rules/no-dynamic-dependency-loading/index.ts +0 -60
  204. package/src/rules/no-dynamic-dependency-loading/no-dynamic-dependency-loading.test.ts +0 -27
  205. package/src/rules/no-electron-security-issues/index.ts +0 -504
  206. package/src/rules/no-electron-security-issues/no-electron-security-issues.test.ts +0 -324
  207. package/src/rules/no-exposed-debug-endpoints/index.ts +0 -73
  208. package/src/rules/no-exposed-debug-endpoints/no-exposed-debug-endpoints.test.ts +0 -40
  209. package/src/rules/no-exposed-sensitive-data/index.ts +0 -428
  210. package/src/rules/no-exposed-sensitive-data/no-exposed-sensitive-data.test.ts +0 -75
  211. package/src/rules/no-format-string-injection/index.ts +0 -801
  212. package/src/rules/no-format-string-injection/no-format-string-injection.test.ts +0 -437
  213. package/src/rules/no-graphql-injection/index.ts +0 -508
  214. package/src/rules/no-graphql-injection/no-graphql-injection.test.ts +0 -371
  215. package/src/rules/no-hardcoded-credentials/index.ts +0 -478
  216. package/src/rules/no-hardcoded-credentials/no-hardcoded-credentials.test.ts +0 -639
  217. package/src/rules/no-hardcoded-session-tokens/index.ts +0 -69
  218. package/src/rules/no-hardcoded-session-tokens/no-hardcoded-session-tokens.test.ts +0 -42
  219. package/src/rules/no-http-urls/index.ts +0 -131
  220. package/src/rules/no-http-urls/no-http-urls.test.ts +0 -60
  221. package/src/rules/no-improper-sanitization/index.ts +0 -502
  222. package/src/rules/no-improper-sanitization/no-improper-sanitization.test.ts +0 -156
  223. package/src/rules/no-improper-type-validation/index.ts +0 -572
  224. package/src/rules/no-improper-type-validation/no-improper-type-validation.test.ts +0 -372
  225. package/src/rules/no-insecure-comparison/index.ts +0 -232
  226. package/src/rules/no-insecure-comparison/no-insecure-comparison.test.ts +0 -218
  227. package/src/rules/no-insecure-cookie-settings/index.ts +0 -391
  228. package/src/rules/no-insecure-cookie-settings/no-insecure-cookie-settings.test.ts +0 -409
  229. package/src/rules/no-insecure-jwt/index.ts +0 -467
  230. package/src/rules/no-insecure-jwt/no-insecure-jwt.test.ts +0 -259
  231. package/src/rules/no-insecure-redirects/index.ts +0 -267
  232. package/src/rules/no-insecure-redirects/no-insecure-redirects.test.ts +0 -108
  233. package/src/rules/no-insecure-websocket/index.ts +0 -72
  234. package/src/rules/no-insecure-websocket/no-insecure-websocket.test.ts +0 -42
  235. package/src/rules/no-insufficient-postmessage-validation/index.ts +0 -497
  236. package/src/rules/no-insufficient-postmessage-validation/no-insufficient-postmessage-validation.test.ts +0 -360
  237. package/src/rules/no-insufficient-random/index.ts +0 -288
  238. package/src/rules/no-insufficient-random/no-insufficient-random.test.ts +0 -246
  239. package/src/rules/no-ldap-injection/index.ts +0 -547
  240. package/src/rules/no-ldap-injection/no-ldap-injection.test.ts +0 -317
  241. package/src/rules/no-missing-authentication/index.ts +0 -408
  242. package/src/rules/no-missing-authentication/no-missing-authentication.test.ts +0 -350
  243. package/src/rules/no-missing-cors-check/index.ts +0 -453
  244. package/src/rules/no-missing-cors-check/no-missing-cors-check.test.ts +0 -392
  245. package/src/rules/no-missing-csrf-protection/index.ts +0 -229
  246. package/src/rules/no-missing-csrf-protection/no-missing-csrf-protection.test.ts +0 -222
  247. package/src/rules/no-missing-security-headers/index.ts +0 -266
  248. package/src/rules/no-missing-security-headers/no-missing-security-headers.test.ts +0 -98
  249. package/src/rules/no-password-in-url/index.ts +0 -64
  250. package/src/rules/no-password-in-url/no-password-in-url.test.ts +0 -27
  251. package/src/rules/no-permissive-cors/index.ts +0 -78
  252. package/src/rules/no-permissive-cors/no-permissive-cors.test.ts +0 -28
  253. package/src/rules/no-pii-in-logs/index.ts +0 -83
  254. package/src/rules/no-pii-in-logs/no-pii-in-logs.test.ts +0 -26
  255. package/src/rules/no-postmessage-origin-wildcard/index.ts +0 -67
  256. package/src/rules/no-postmessage-origin-wildcard/no-postmessage-origin-wildcard.test.ts +0 -27
  257. package/src/rules/no-privilege-escalation/index.ts +0 -403
  258. package/src/rules/no-privilege-escalation/no-privilege-escalation.test.ts +0 -306
  259. package/src/rules/no-redos-vulnerable-regex/index.ts +0 -379
  260. package/src/rules/no-redos-vulnerable-regex/no-redos-vulnerable-regex.test.ts +0 -83
  261. package/src/rules/no-sensitive-data-exposure/index.ts +0 -294
  262. package/src/rules/no-sensitive-data-exposure/no-sensitive-data-exposure.test.ts +0 -262
  263. package/src/rules/no-sensitive-data-in-analytics/index.ts +0 -73
  264. package/src/rules/no-sensitive-data-in-analytics/no-sensitive-data-in-analytics.test.ts +0 -42
  265. package/src/rules/no-sensitive-data-in-cache/index.ts +0 -59
  266. package/src/rules/no-sensitive-data-in-cache/no-sensitive-data-in-cache.test.ts +0 -32
  267. package/src/rules/no-sql-injection/index.ts +0 -424
  268. package/src/rules/no-sql-injection/no-sql-injection.test.ts +0 -303
  269. package/src/rules/no-timing-attack/index.ts +0 -552
  270. package/src/rules/no-timing-attack/no-timing-attack.test.ts +0 -348
  271. package/src/rules/no-toctou-vulnerability/index.ts +0 -250
  272. package/src/rules/no-toctou-vulnerability/no-toctou-vulnerability.test.ts +0 -60
  273. package/src/rules/no-tracking-without-consent/index.ts +0 -78
  274. package/src/rules/no-tracking-without-consent/no-tracking-without-consent.test.ts +0 -34
  275. package/src/rules/no-unchecked-loop-condition/index.ts +0 -781
  276. package/src/rules/no-unchecked-loop-condition/no-unchecked-loop-condition.test.ts +0 -459
  277. package/src/rules/no-unencrypted-local-storage/index.ts +0 -73
  278. package/src/rules/no-unencrypted-local-storage/no-unencrypted-local-storage.test.ts +0 -41
  279. package/src/rules/no-unencrypted-transmission/index.ts +0 -296
  280. package/src/rules/no-unencrypted-transmission/no-unencrypted-transmission.test.ts +0 -287
  281. package/src/rules/no-unescaped-url-parameter/index.ts +0 -424
  282. package/src/rules/no-unescaped-url-parameter/no-unescaped-url-parameter.test.ts +0 -263
  283. package/src/rules/no-unlimited-resource-allocation/index.ts +0 -767
  284. package/src/rules/no-unlimited-resource-allocation/no-unlimited-resource-allocation.test.ts +0 -544
  285. package/src/rules/no-unsafe-deserialization/index.ts +0 -593
  286. package/src/rules/no-unsafe-deserialization/no-unsafe-deserialization.test.ts +0 -310
  287. package/src/rules/no-unsafe-dynamic-require/index.ts +0 -125
  288. package/src/rules/no-unsafe-dynamic-require/no-unsafe-dynamic-require.test.ts +0 -151
  289. package/src/rules/no-unsafe-regex-construction/index.ts +0 -370
  290. package/src/rules/no-unsafe-regex-construction/no-unsafe-regex-construction.test.ts +0 -181
  291. package/src/rules/no-unsanitized-html/index.ts +0 -400
  292. package/src/rules/no-unsanitized-html/no-unsanitized-html.test.ts +0 -488
  293. package/src/rules/no-unvalidated-deeplinks/index.ts +0 -73
  294. package/src/rules/no-unvalidated-deeplinks/no-unvalidated-deeplinks.test.ts +0 -29
  295. package/src/rules/no-unvalidated-user-input/index.ts +0 -498
  296. package/src/rules/no-unvalidated-user-input/no-unvalidated-user-input.test.ts +0 -463
  297. package/src/rules/no-verbose-error-messages/index.ts +0 -83
  298. package/src/rules/no-verbose-error-messages/no-verbose-error-messages.test.ts +0 -34
  299. package/src/rules/no-weak-crypto/index.ts +0 -447
  300. package/src/rules/no-weak-crypto/no-weak-crypto.test.ts +0 -297
  301. package/src/rules/no-weak-password-recovery/index.ts +0 -509
  302. package/src/rules/no-weak-password-recovery/no-weak-password-recovery.test.ts +0 -184
  303. package/src/rules/no-xpath-injection/index.ts +0 -596
  304. package/src/rules/no-xpath-injection/no-xpath-injection.test.ts +0 -405
  305. package/src/rules/no-xxe-injection/index.ts +0 -342
  306. package/src/rules/no-xxe-injection/no-xxe-injection.test.ts +0 -122
  307. package/src/rules/no-zip-slip/index.ts +0 -526
  308. package/src/rules/no-zip-slip/no-zip-slip.test.ts +0 -305
  309. package/src/rules/require-backend-authorization/index.ts +0 -71
  310. package/src/rules/require-backend-authorization/require-backend-authorization.test.ts +0 -31
  311. package/src/rules/require-code-minification/index.ts +0 -54
  312. package/src/rules/require-code-minification/require-code-minification.test.ts +0 -30
  313. package/src/rules/require-csp-headers/index.ts +0 -74
  314. package/src/rules/require-csp-headers/require-csp-headers.test.ts +0 -34
  315. package/src/rules/require-data-minimization/index.ts +0 -65
  316. package/src/rules/require-data-minimization/require-data-minimization.test.ts +0 -31
  317. package/src/rules/require-dependency-integrity/index.ts +0 -78
  318. package/src/rules/require-dependency-integrity/require-dependency-integrity.test.ts +0 -44
  319. package/src/rules/require-https-only/index.ts +0 -75
  320. package/src/rules/require-https-only/require-https-only.test.ts +0 -26
  321. package/src/rules/require-mime-type-validation/index.ts +0 -77
  322. package/src/rules/require-mime-type-validation/require-mime-type-validation.test.ts +0 -32
  323. package/src/rules/require-network-timeout/index.ts +0 -58
  324. package/src/rules/require-network-timeout/require-network-timeout.test.ts +0 -26
  325. package/src/rules/require-package-lock/index.ts +0 -75
  326. package/src/rules/require-package-lock/require-package-lock.test.ts +0 -27
  327. package/src/rules/require-secure-credential-storage/index.ts +0 -60
  328. package/src/rules/require-secure-credential-storage/require-secure-credential-storage.test.ts +0 -26
  329. package/src/rules/require-secure-defaults/index.ts +0 -54
  330. package/src/rules/require-secure-defaults/require-secure-defaults.test.ts +0 -26
  331. package/src/rules/require-secure-deletion/index.ts +0 -52
  332. package/src/rules/require-secure-deletion/require-secure-deletion.test.ts +0 -29
  333. package/src/rules/require-storage-encryption/index.ts +0 -60
  334. package/src/rules/require-storage-encryption/require-storage-encryption.test.ts +0 -26
  335. package/src/rules/require-url-validation/index.ts +0 -85
  336. package/src/rules/require-url-validation/require-url-validation.test.ts +0 -32
  337. package/src/types/index.ts +0 -235
package/src/rules/no-electron-security-issues/no-electron-security-issues.test.ts DELETED
@@ -1,324 +0,0 @@
1
- /**
2
- * Comprehensive tests for no-electron-security-issues rule
3
- * Security: CWE-16 (Configuration)
4
- */
5
- import { RuleTester } from '@typescript-eslint/rule-tester';
6
- import { describe, it, afterAll } from 'vitest';
7
- import parser from '@typescript-eslint/parser';
8
- import { noElectronSecurityIssues } from './index';
9
-
10
- // Configure RuleTester for Vitest
11
- RuleTester.afterAll = afterAll;
12
- RuleTester.it = it;
13
- RuleTester.itOnly = it.only;
14
- RuleTester.describe = describe;
15
-
16
- // Use Flat Config format (ESLint 9+)
17
- const ruleTester = new RuleTester({
18
- languageOptions: {
19
- parser,
20
- ecmaVersion: 2022,
21
- sourceType: 'module',
22
- },
23
- });
24
-
25
- describe('no-electron-security-issues', () => {
26
- describe('Valid Code', () => {
27
- ruleTester.run('valid - secure Electron configuration', noElectronSecurityIssues, {
28
- valid: [
29
- // Secure BrowserWindow configuration
30
- {
31
- code: 'new BrowserWindow({ contextIsolation: true, nodeIntegration: false });',
32
- },
33
- {
34
- code: 'const win = new BrowserWindow({ webSecurity: true, sandbox: true });',
35
- },
36
- // Safe IPC usage
37
- {
38
- code: 'ipcRenderer.send("safe-channel", data);',
39
- },
40
- // Secure preload script
41
- {
42
- code: 'win.loadFile("app/index.html", { preload: "preload.js" });',
43
- },
44
- ],
45
- invalid: [],
46
- });
47
- });
48
-
49
- describe('Invalid Code - BrowserWindow Security Issues', () => {
50
- ruleTester.run('invalid - insecure BrowserWindow options', noElectronSecurityIssues, {
51
- valid: [],
52
- invalid: [
53
- {
54
- code: 'new BrowserWindow({ nodeIntegration: true });',
55
- errors: [
56
- {
57
- messageId: 'nodeIntegrationEnabled',
58
- },
59
- ],
60
- },
61
- {
62
- code: 'const win = new BrowserWindow({ contextIsolation: false });',
63
- errors: [
64
- {
65
- messageId: 'contextIsolationDisabled',
66
- },
67
- ],
68
- },
69
- {
70
- code: 'new BrowserWindow({ webSecurity: false });',
71
- errors: [
72
- {
73
- messageId: 'webSecurityDisabled',
74
- },
75
- ],
76
- },
77
- {
78
- code: 'new BrowserWindow({ allowRunningInsecureContent: true });',
79
- errors: [
80
- {
81
- messageId: 'insecureContentEnabled',
82
- },
83
- ],
84
- },
85
- {
86
- code: 'new BrowserWindow({ sandbox: false });',
87
- errors: [
88
- {
89
- messageId: 'missingSandbox',
90
- },
91
- ],
92
- },
93
- ],
94
- });
95
- });
96
-
97
- describe('Invalid Code - Multiple Security Issues', () => {
98
- ruleTester.run('invalid - multiple BrowserWindow vulnerabilities', noElectronSecurityIssues, {
99
- valid: [],
100
- invalid: [
101
- {
102
- code: `
103
- const win = new BrowserWindow({
104
- nodeIntegration: true,
105
- contextIsolation: false,
106
- webSecurity: false,
107
- allowRunningInsecureContent: true,
108
- sandbox: false
109
- });
110
- `,
111
- errors: [
112
- {
113
- messageId: 'nodeIntegrationEnabled',
114
- },
115
- {
116
- messageId: 'contextIsolationDisabled',
117
- },
118
- {
119
- messageId: 'webSecurityDisabled',
120
- },
121
- {
122
- messageId: 'insecureContentEnabled',
123
- },
124
- {
125
- messageId: 'missingSandbox',
126
- },
127
- ],
128
- },
129
- ],
130
- });
131
- });
132
-
133
- describe('Invalid Code - Direct Node Access', () => {
134
- ruleTester.run('invalid - direct Node.js API access in renderer', noElectronSecurityIssues, {
135
- valid: [],
136
- invalid: [
137
- // require() calls in renderer-like files
138
- {
139
- code: 'const fs = require("fs");',
140
- filename: 'renderer.js',
141
- errors: [
142
- {
143
- messageId: 'directNodeAccess',
144
- },
145
- ],
146
- },
147
- {
148
- code: 'const { exec } = require("child_process");',
149
- filename: 'view.js',
150
- errors: [
151
- {
152
- messageId: 'directNodeAccess',
153
- },
154
- ],
155
- },
156
- ],
157
- });
158
- });
159
-
160
- describe('Invalid Code - Unsafe Preload Scripts', () => {
161
- ruleTester.run('invalid - unsafe preload script patterns', noElectronSecurityIssues, {
162
- valid: [],
163
- invalid: [
164
- // Rule only detects unsafe preload via AssignmentExpression
165
- {
166
- code: 'win.webContents.preload = "node_modules/evil.js";',
167
- errors: [
168
- {
169
- messageId: 'unsafePreloadScript',
170
- },
171
- ],
172
- },
173
- {
174
- code: 'win.webContents.preload = "https://evil.com/script.js";',
175
- errors: [
176
- {
177
- messageId: 'unsafePreloadScript',
178
- },
179
- ],
180
- },
181
- ],
182
- });
183
- });
184
-
185
- describe('Invalid Code - Insecure IPC Patterns', () => {
186
- // IPC validation only triggers when allowedIpcChannels is configured
187
- ruleTester.run('invalid - insecure IPC communication', noElectronSecurityIssues, {
188
- valid: [],
189
- invalid: [
190
- // With allowedIpcChannels configured, untrusted channels are flagged
191
- {
192
- code: 'ipcRenderer.send("untrusted-channel", data);',
193
- options: [{ allowedIpcChannels: ['safe-channel'] }],
194
- errors: [
195
- {
196
- messageId: 'insecureIpcPattern',
197
- },
198
- ],
199
- },
200
- {
201
- code: 'ipcMain.handle("dangerous", async (event, arg) => { return sensitiveData; });',
202
- options: [{ allowedIpcChannels: ['safe-channel'] }],
203
- errors: [
204
- {
205
- messageId: 'insecureIpcPattern',
206
- },
207
- ],
208
- },
209
- ],
210
- });
211
- });
212
-
213
- describe('Valid Code - False Positives Reduced', () => {
214
- ruleTester.run('valid - false positives reduced', noElectronSecurityIssues, {
215
- valid: [
216
- // Allowed IPC channels when configured
217
- {
218
- code: 'ipcRenderer.send("allowed-channel", data);',
219
- options: [{ allowedIpcChannels: ['allowed-channel'] }],
220
- },
221
- // Safe preload patterns (electron import is allowed)
222
- {
223
- code: 'const { contextBridge } = require("electron");',
224
- },
225
- // Main process Node.js access (allowed - not in renderer-like filename)
226
- {
227
- code: 'require("fs");',
228
- filename: 'main.js',
229
- },
230
- ],
231
- invalid: [],
232
- });
233
- });
234
-
235
- describe('Configuration Options', () => {
236
- ruleTester.run('config - allowed IPC channels', noElectronSecurityIssues, {
237
- valid: [
238
- {
239
- code: 'ipcRenderer.send("trusted-channel", data);',
240
- options: [{ allowedIpcChannels: ['trusted-channel'] }],
241
- },
242
- ],
243
- invalid: [
244
- {
245
- code: 'ipcRenderer.send("untrusted-channel", data);',
246
- options: [{ allowedIpcChannels: ['trusted-channel'] }],
247
- errors: [
248
- {
249
- messageId: 'insecureIpcPattern',
250
- },
251
- ],
252
- },
253
- ],
254
- });
255
- });
256
-
257
- describe('Complex Electron Security Scenarios', () => {
258
- ruleTester.run('complex - real-world Electron security vulnerabilities', noElectronSecurityIssues, {
259
- valid: [],
260
- invalid: [
261
- // webPreferences nested object - detected via Property visitor
262
- {
263
- code: `
264
- // Remote code execution vulnerability
265
- const mainWindow = new BrowserWindow({
266
- width: 800,
267
- height: 600,
268
- webPreferences: {
269
- nodeIntegration: true, // CRITICAL: Allows Node.js in renderer
270
- contextIsolation: false, // CRITICAL: No security boundary
271
- webSecurity: false, // HIGH: Disables CORS
272
- allowRunningInsecureContent: true, // MEDIUM: Allows mixed content
273
- sandbox: false // MEDIUM: Not sandboxed
274
- }
275
- });
276
- `,
277
- errors: [
278
- {
279
- messageId: 'nodeIntegrationEnabled',
280
- },
281
- {
282
- messageId: 'contextIsolationDisabled',
283
- },
284
- {
285
- messageId: 'webSecurityDisabled',
286
- },
287
- {
288
- messageId: 'insecureContentEnabled',
289
- },
290
- {
291
- messageId: 'missingSandbox',
292
- },
293
- ],
294
- },
295
- // Renderer Node.js access - detected via CallExpression for require()
296
- {
297
- code: `
298
- // Renderer Node.js access vulnerability
299
- // In renderer.js - should not have direct Node access
300
- const fs = require('fs');
301
- const os = require('os');
302
-
303
- function readFile() {
304
- return fs.readFileSync('sensitive.txt', 'utf8'); // DANGEROUS
305
- }
306
-
307
- function getSystemInfo() {
308
- return os.platform(); // DANGEROUS
309
- }
310
- `,
311
- filename: 'renderer.js',
312
- errors: [
313
- {
314
- messageId: 'directNodeAccess',
315
- },
316
- {
317
- messageId: 'directNodeAccess',
318
- },
319
- ],
320
- },
321
- ],
322
- });
323
- });
324
- });
package/src/rules/no-exposed-debug-endpoints/index.ts DELETED
@@ -1,73 +0,0 @@
1
- /**
2
- * @fileoverview Detect debug endpoints without auth
3
- */
4
-
5
- import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
6
- import type { TSESTree } from '@interlace/eslint-devkit';
7
-
8
- type MessageIds = 'violationDetected';
9
-
10
- // eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
11
- export interface Options {}
12
-
13
- type RuleOptions = [Options?];
14
-
15
- export const noExposedDebugEndpoints = createRule<RuleOptions, MessageIds>({
16
- name: 'no-exposed-debug-endpoints',
17
- meta: {
18
- type: 'problem',
19
- docs: {
20
- description: 'Detect debug endpoints without auth',
21
- },
22
- messages: {
23
- violationDetected: formatLLMMessage({
24
- icon: MessageIcons.SECURITY,
25
- issueName: 'Exposed Debug Endpoint',
26
- cwe: 'CWE-489',
27
- description: 'Debug endpoint exposed without authentication',
28
- severity: 'HIGH',
29
- fix: 'Remove debug endpoints from production or add authentication',
30
- documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
31
- })
32
- },
33
- schema: [],
34
- },
35
- defaultOptions: [],
36
- create(context) {
37
- function report(node: TSESTree.Node) {
38
- context.report({ node, messageId: 'violationDetected' });
39
- }
40
-
41
- const debugPaths = ['/debug', '/__debug__', '/admin', '/_admin', '/test', '/health'];
42
-
43
- return {
44
- CallExpression(node: TSESTree.CallExpression) {
45
- // Detect app.get('/debug', handler)
46
- if (node.callee.type === 'MemberExpression' &&
47
- node.callee.object.type === 'Identifier' &&
48
- ['app', 'router', 'express'].includes(node.callee.object.name) &&
49
- node.callee.property.type === 'Identifier' &&
50
- ['get', 'post', 'use'].includes(node.callee.property.name)) {
51
-
52
- const pathArg = node.arguments[0];
53
- if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
54
- const path = pathArg.value.toLowerCase();
55
- if (debugPaths.some(dp => path.includes(dp))) {
56
- report(node);
57
- }
58
- }
59
- }
60
- },
61
-
62
- Literal(node: TSESTree.Literal) {
63
- // Flag debug path strings in general
64
- if (typeof node.value === 'string') {
65
- const path = node.value.toLowerCase();
66
- if (debugPaths.some(dp => path === dp)) {
67
- report(node);
68
- }
69
- }
70
- },
71
- };
72
- },
73
- });
package/src/rules/no-exposed-debug-endpoints/no-exposed-debug-endpoints.test.ts DELETED
@@ -1,40 +0,0 @@
1
- /**
2
- * @fileoverview Tests for no-exposed-debug-endpoints
3
- */
4
-
5
- import { RuleTester } from '@typescript-eslint/rule-tester';
6
- import { noExposedDebugEndpoints } from './index';
7
-
8
- const ruleTester = new RuleTester({
9
- languageOptions: {
10
- ecmaVersion: 2022,
11
- sourceType: 'module',
12
- },
13
- });
14
-
15
- ruleTester.run('no-exposed-debug-endpoints', noExposedDebugEndpoints, {
16
- valid: [
17
- // Safe endpoints
18
- { code: "app.get('/api/users', handler)" },
19
- { code: "router.post('/login', authenticate)" },
20
- // Non-route code
21
- { code: "const x = 1" },
22
- ],
23
-
24
- invalid: [
25
- // Debug endpoints (caught by both CallExpression and Literal)
26
- {
27
- code: "app.get('/debug', debugHandler)",
28
- errors: [{ messageId: 'violationDetected' }, { messageId: 'violationDetected' }]
29
- },
30
- // Debug path literals only
31
- {
32
- code: "const path = '/debug'",
33
- errors: [{ messageId: 'violationDetected' }]
34
- },
35
- {
36
- code: "const endpoint = '/admin'",
37
- errors: [{ messageId: 'violationDetected' }]
38
- },
39
- ],
40
- });