npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/detect-weak-password-validation/index.js ADDED Viewed

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * @fileoverview Identify weak password requirements
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectWeakPasswordValidation = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.detectWeakPasswordValidation = (0, eslint_devkit_1.createRule)({
+    name: 'detect-weak-password-validation',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Identify weak password requirements',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Weak Password Validation',
+                cwe: 'CWE-521',
+                description: 'Password length requirement is too weak (less than 8 characters)',
+                severity: 'CRITICAL',
+                fix: 'Require at least 12 characters with complexity requirements',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        return {
+            BinaryExpression(node) {
+                // Detect weak length requirements like password.length >= 4
+                if (['>=', '>', '==', '==='].includes(node.operator)) {
+                    // Check if left side is .length
+                    if (node.left.type === 'MemberExpression' &&
+                        node.left.property.type === 'Identifier' &&
+                        node.left.property.name === 'length') {
+                        // Check if comparing to a weak number
+                        if (node.right.type === 'Literal' &&
+                            typeof node.right.value === 'number' &&
+                            node.right.value < 8) {
+                            // Check if variable name suggests password
+                            if (node.left.object.type === 'Identifier') {
+                                const varName = node.left.object.name.toLowerCase();
+                                if (varName.includes('password') || varName.includes('pwd') || varName.includes('pass')) {
+                                    report(node);
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-allow-arbitrary-loads/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Prevent configuration allowing insecure loads
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/749.html
+ */
+export interface Options {
+}
+export declare const noAllowArbitraryLoads: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-allow-arbitrary-loads/index.js ADDED Viewed

@@ -0,0 +1,47 @@
+"use strict";
+/**
+ * @fileoverview Prevent configuration allowing insecure loads
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/749.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noAllowArbitraryLoads = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noAllowArbitraryLoads = (0, eslint_devkit_1.createRule)({
+    name: 'no-allow-arbitrary-loads',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent configuration allowing insecure loads',
+            category: 'Security',
+            recommended: true,
+            owaspMobile: ['M5'],
+            cweIds: ["CWE-749"],
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'violation Detected',
+                cwe: 'CWE-295',
+                description: 'Prevent configuration allowing insecure loads detected - allowArbitraryLoads: true',
+                severity: 'HIGH',
+                fix: 'Review and apply secure practices',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        return {
+            Property(node) {
+                if (node.key.type === 'Identifier' &&
+                    node.key.name === 'allowArbitraryLoads' &&
+                    node.value.type === 'Literal' &&
+                    node.value.value === true) {
+                    context.report({ node, messageId: 'violationDetected' });
+                }
+            },
+        };
+    },
+});

package/src/rules/no-arbitrary-file-access/index.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Prevent file access from user input
+ *
+ * False Positive Reduction:
+ * This rule detects safe patterns including:
+ * - path.basename() sanitization
+ * - path.join() with validated base directories
+ * - startsWith() validation guards
+ * - Early-return throw patterns
+ */
+export interface Options {
+}
+export declare const noArbitraryFileAccess: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-arbitrary-file-access/index.js ADDED Viewed

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * @fileoverview Prevent file access from user input
+ *
+ * False Positive Reduction:
+ * This rule detects safe patterns including:
+ * - path.basename() sanitization
+ * - path.join() with validated base directories
+ * - startsWith() validation guards
+ * - Early-return throw patterns
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noArbitraryFileAccess = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noArbitraryFileAccess = (0, eslint_devkit_1.createRule)({
+    name: 'no-arbitrary-file-access',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent file access from user input',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Arbitrary File Access',
+                cwe: 'CWE-22',
+                description: 'File path from user input - path traversal vulnerability',
+                severity: 'HIGH',
+                fix: 'Validate and sanitize file paths, use allowlists',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/22.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        const sourceCode = context.sourceCode;
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const fsReadMethods = ['readFile', 'readFileSync', 'readdir', 'readdirSync', 'stat', 'statSync'];
+        const fsWriteMethods = ['writeFile', 'writeFileSync', 'appendFile', 'appendFileSync'];
+        const userInputSources = ['req', 'request', 'params', 'query', 'body'];
+        // Track variables that have been sanitized with path.basename()
+        const sanitizedVariables = new Set();
+        // Track variables that have been validated with startsWith() guards
+        const validatedVariables = new Set();
+        /**
+         * Check if a variable is assigned from path.basename() or path.join() with basename
+         */
+        function checkVariableDeclaration(node) {
+            if (node.id.type !== 'Identifier' || !node.init) {
+                return;
+            }
+            const varName = node.id.name;
+            const init = node.init;
+            // Check for path.basename() assignment
+            if (init.type === 'CallExpression' &&
+                init.callee.type === 'MemberExpression' &&
+                init.callee.object.type === 'Identifier' &&
+                init.callee.object.name === 'path' &&
+                init.callee.property.type === 'Identifier' &&
+                init.callee.property.name === 'basename') {
+                sanitizedVariables.add(varName);
+            }
+            // Check for path.join() with a sanitized variable or literal base
+            if (init.type === 'CallExpression' &&
+                init.callee.type === 'MemberExpression' &&
+                init.callee.object.type === 'Identifier' &&
+                init.callee.object.name === 'path' &&
+                init.callee.property.type === 'Identifier' &&
+                init.callee.property.name === 'join') {
+                // Check if any argument is a sanitized variable
+                const hasSanitizedArg = init.arguments.some((arg) => arg.type === 'Identifier' && sanitizedVariables.has(arg.name));
+                // Check if first arg is a safe base (literal or known safe variable)
+                const firstArg = init.arguments[0];
+                const hasSafeBase = firstArg && (firstArg.type === 'Literal' ||
+                    (firstArg.type === 'Identifier' && /^(SAFE|BASE|ROOT|UPLOAD|PUBLIC)/i.test(firstArg.name)));
+                if (hasSanitizedArg && hasSafeBase) {
+                    sanitizedVariables.add(varName);
+                }
+            }
+        }
+        /**
+         * Check if there's a startsWith() guard validation for this variable
+         * Looks for patterns like:
+         * if (!path.startsWith(baseDir)) { throw ... }
+         * if (!path.startsWith(baseDir)) { return ... }
+         */
+        function hasStartsWithGuard(node, varName) {
+            // Already validated
+            if (validatedVariables.has(varName)) {
+                return true;
+            }
+            // Walk up to find the containing block or function
+            let current = node.parent;
+            while (current) {
+                // If we've reached a function body or block, search its statements
+                if (current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement) {
+                    const statements = current.body;
+                    // Look for IF statements in this block that validate our variable
+                    for (const stmt of statements) {
+                        if (stmt.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
+                            const testText = sourceCode.getText(stmt.test).toLowerCase();
+                            // Check for startsWith() validation pattern with our variable
+                            if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+                                // Check if this is a guard clause (negated condition with throw/return)
+                                const consequent = stmt.consequent;
+                                // Handle block statement: if (...) { throw/return; }
+                                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement && consequent.body.length > 0) {
+                                    const firstStmt = consequent.body[0];
+                                    if (firstStmt.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement || firstStmt.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement) {
+                                        validatedVariables.add(varName);
+                                        return true;
+                                    }
+                                }
+                                // Handle direct statement: if (...) throw/return;
+                                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement || consequent.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement) {
+                                    validatedVariables.add(varName);
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+                }
+                // Also check if current IS an if statement (when node is inside the consequent)
+                if (current.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
+                    const testText = sourceCode.getText(current.test).toLowerCase();
+                    if (testText.includes('startswith') && testText.includes(varName.toLowerCase())) {
+                        validatedVariables.add(varName);
+                        return true;
+                    }
+                }
+                current = current.parent;
+            }
+            return false;
+        }
+        /**
+         * Check if a variable comes from a sanitized/validated source
+         */
+        function isVariableSafe(varName, node) {
+            // Already tracked as sanitized
+            if (sanitizedVariables.has(varName)) {
+                return true;
+            }
+            // Has startsWith guard validation
+            if (hasStartsWithGuard(node, varName)) {
+                return true;
+            }
+            // Check naming conventions that suggest safety
+            if (/^(safe|sanitized|validated|clean)/i.test(varName)) {
+                return true;
+            }
+            return false;
+        }
+        return {
+            // Track variable declarations for sanitization patterns
+            VariableDeclarator(node) {
+                checkVariableDeclaration(node);
+            },
+            CallExpression(node) {
+                // Detect fs.* with user input
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    node.callee.object.name === 'fs' &&
+                    node.callee.property.type === 'Identifier' &&
+                    [...fsReadMethods, ...fsWriteMethods].includes(node.callee.property.name)) {
+                    const pathArg = node.arguments[0];
+                    // Skip if path is a literal (safe)
+                    if (pathArg && pathArg.type === 'Literal') {
+                        return;
+                    }
+                    // Check if path is a variable
+                    if (pathArg && pathArg.type === 'Identifier') {
+                        const varName = pathArg.name;
+                        // Skip if variable is sanitized or validated
+                        if (isVariableSafe(varName, node)) {
+                            return;
+                        }
+                        report(node);
+                        return;
+                    }
+                    // Flag if path is from a member expression (user input sources)
+                    if (pathArg?.type === 'MemberExpression' &&
+                        pathArg.object.type === 'Identifier') {
+                        const objName = pathArg.object.name.toLowerCase();
+                        if (userInputSources.includes(objName)) {
+                            report(node);
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-buffer-overread/index.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * ESLint Rule: no-buffer-overread
+ * Detects buffer access beyond bounds (CWE-126)
+ *
+ * Buffer overread occurs when reading from buffers beyond their allocated
+ * length, potentially leading to information disclosure, crashes, or
+ * other security issues.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe buffer access patterns
+ * - Bounds checking operations
+ * - JSDoc annotations (@safe, @validated)
+ * - Input validation functions
+ */
+import type { SecurityRuleOptions } from '@interlace/eslint-devkit';
+export interface Options extends SecurityRuleOptions {
+    /** Buffer methods to check for bounds safety */
+    bufferMethods?: string[];
+    /** Functions that validate buffer indices */
+    boundsCheckFunctions?: string[];
+    /** Buffer types to monitor */
+    bufferTypes?: string[];
+    /** Additional function names to consider as buffer index validators */
+    trustedSanitizers?: string[];
+    /** Additional JSDoc annotations to consider as safe markers */
+    strictMode?: boolean;
+}
+export declare const noBufferOverread: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;