npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-missing-cors-check/index.ts DELETED Viewed

@@ -1,453 +0,0 @@
-/**
- * ESLint Rule: no-missing-cors-check
- * Detects missing CORS validation (wildcard CORS, missing origin check)
- * CWE-346: Origin Validation Error
- *
- * @see https://cwe.mitre.org/data/definitions/346.html
- * @see https://owasp.org/www-community/attacks/CORS_Misconfiguration
- */
-import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
-import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import { createRule } from '@interlace/eslint-devkit';
-type MessageIds = 'missingCorsCheck' | 'useOriginValidation' | 'useCorsMiddleware';
-export interface Options {
-  /** Allow missing CORS checks in test files. Default: false */
-  allowInTests?: boolean;
-  /** Trusted CORS libraries. Default: ['cors', '@koa/cors', 'express-cors'] */
-  trustedLibraries?: string[];
-  /** Additional safe patterns to ignore. Default: [] */
-  ignorePatterns?: string[];
-}
-type RuleOptions = [Options?];
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text: string, ignorePatterns: string[]): boolean {
-  return ignorePatterns.some(pattern => {
-    try {
-      const regex = new RegExp(pattern, 'i');
-      return regex.test(text);
-    } catch {
-      return false;
-    }
-  });
-}
-export const noMissingCorsCheck = createRule<RuleOptions, MessageIds>({
-  name: 'no-missing-cors-check',
-  meta: {
-    type: 'problem',
-    deprecated: true,
-    replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
-    docs: {
-      description: 'Detects missing CORS validation (wildcard CORS, missing origin check)',
-    },
-    hasSuggestions: true,
-    messages: {
-      missingCorsCheck: formatLLMMessage({
-        icon: MessageIcons.SECURITY,
-        issueName: 'Missing CORS Validation',
-        cwe: 'CWE-346',
-        description: 'Missing CORS validation detected: {{issue}}',
-        severity: 'HIGH',
-        fix: '{{safeAlternative}}',
-        documentationLink: 'https://cwe.mitre.org/data/definitions/346.html',
-      }),
-      useOriginValidation: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Validate Origin',
-        description: 'Validate CORS origin',
-        severity: 'LOW',
-        fix: 'cors({ origin: (origin, cb) => allowedOrigins.includes(origin) ? cb(null, true) : cb(new Error()) })',
-        documentationLink: 'https://github.com/expressjs/cors#configuration-options',
-      }),
-      useCorsMiddleware: formatLLMMessage({
-        icon: MessageIcons.INFO,
-        issueName: 'Use CORS Middleware',
-        description: 'Use CORS middleware with origin validation',
-        severity: 'LOW',
-        fix: 'app.use(cors({ origin: allowedOrigins }))',
-        documentationLink: 'https://github.com/expressjs/cors',
-      }),
-    },
-    schema: [
-      {
-        type: 'object',
-        properties: {
-          allowInTests: {
-            type: 'boolean',
-            default: false,
-            description: 'Allow missing CORS checks in test files',
-          },
-          trustedLibraries: {
-            type: 'array',
-            items: { type: 'string' },
-            default: [],
-            description: 'Custom CORS libraries to trust (wildcard origins in these libraries will not be reported)',
-          },
-          ignorePatterns: {
-            type: 'array',
-            items: { type: 'string' },
-            default: [],
-            description: 'Additional safe patterns to ignore',
-          },
-        },
-        additionalProperties: false,
-      },
-    ],
-  },
-  defaultOptions: [
-    {
-      allowInTests: false,
-      trustedLibraries: [], // Empty by default - users can add custom CORS libraries they trust
-      ignorePatterns: [],
-    },
-  ],
-  create(
-    context: TSESLint.RuleContext<MessageIds, RuleOptions>,
-    [options = {}]
-  ) {
-    const {
-      allowInTests = false,
-      trustedLibraries: corsTrustedLibraries = [],
-      ignorePatterns = [],
-    } = options as Options;
-    const trustedLibraries = corsTrustedLibraries;
-    const filename = context.getFilename();
-    const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-    const sourceCode = context.sourceCode || context.sourceCode;
-    function checkLiteral(node: TSESTree.Literal) {
-      if (isTestFile) {
-        return;
-      }
-      // Check for wildcard CORS origin
-      if (node.value === '*' && typeof node.value === 'string') {
-        const text = sourceCode.getText(node);
-        // Check if it matches any ignore pattern
-        if (matchesIgnorePattern(text, ignorePatterns)) {
-          return;
-        }
-        // Check if it's in contexts handled by other checkers
-        // 1. setHeader/header calls - checkMemberExpression handles these
-        // 2. app.use(cors({ origin: "*" })) - checkCallExpression handles these with suggestions
-        let shouldSkip = false;
-        let current: TSESTree.Node | null = node;
-        while (current && current.parent) {
-          current = current.parent as TSESTree.Node;
-          if (current.type === 'CallExpression') {
-            const callText = sourceCode.getText(current);
-            // Check if it's a setHeader/header call with Access-Control-Allow-Origin
-            // Skip these - checkMemberExpression handles them
-            if (/\b(setHeader|header)\s*\(/i.test(callText) && /\bAccess-Control-Allow-Origin\b/i.test(callText)) {
-              shouldSkip = true;
-              break;
-            }
-            // Check if it's app.use(cors({ origin: "*" })) - checkCallExpression handles these with suggestions
-            if (/\buse\s*\(/i.test(callText) && /\bcors\s*\(/i.test(callText)) {
-              // Check if the literal is in an object property named "origin"
-              if (node.parent && node.parent.type === 'Property') {
-                const prop = node.parent as TSESTree.Property;
-                if (prop.key.type === 'Identifier' && prop.key.name === 'origin') {
-                  shouldSkip = true;
-                  break;
-                }
-              }
-            }
-          }
-        }
-        // Skip if it's in a context handled by another checker
-        if (shouldSkip) {
-          return;
-        }
-        // Check if it's in a CORS-related context
-        // Only report if it's actually in a CORS configuration (app.use(cors(...)), etc.)
-        // Not just any object with origin: "*"
-        let isActualCorsContext = false;
-        // Check if it's in app.use(cors(...)) or similar
-        current = node;
-        while (current && current.parent) {
-          current = current.parent as TSESTree.Node;
-          if (current.type === 'CallExpression') {
-            const callText = sourceCode.getText(current);
-            // Check if it's a CORS middleware call
-            if (/\b(use|cors)\s*\(/i.test(callText) && /\bcors\s*\(/i.test(callText)) {
-              isActualCorsContext = true;
-              break;
-            }
-          }
-        }
-        // Also check if it's in an object property with name "origin" or "allowedOrigins"
-        // but only if it's in a CORS-related call expression
-        if (node.parent && node.parent.type === 'Property') {
-          const prop = node.parent as TSESTree.Property;
-          if (prop.key.type === 'Identifier') {
-            const keyName = prop.key.name.toLowerCase();
-            if (keyName === 'origin' || keyName === 'allowedorigins') {
-              // Check if this property is in a CORS call context
-              let inCorsCall = false;
-              let checkNode: TSESTree.Node | null = prop;
-              while (checkNode && checkNode.parent) {
-                checkNode = checkNode.parent as TSESTree.Node;
-                if (checkNode.type === 'CallExpression') {
-                  const callText = sourceCode.getText(checkNode);
-                  if (/\bcors\s*\(/i.test(callText) ||
-                      (/\buse\s*\(/i.test(callText) && /\bcors/i.test(callText))) {
-                    inCorsCall = true;
-                    break;
-                  }
-                }
-              }
-              if (inCorsCall) {
-                // Always report wildcard CORS origin - it's never safe
-                context.report({
-                  node,
-                  messageId: 'missingCorsCheck',
-                  data: {
-                    issue: 'Wildcard CORS origin (*) allows all origins',
-                    safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
-                  },
-                  suggest: [
-                    {
-                      messageId: 'useOriginValidation',
-                      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                      fix: (_fixer: TSESLint.RuleFixer) => null,
-                    },
-                  ],
-                });
-                return;
-              }
-            }
-          }
-        }
-        // Only report if it's in an actual CORS context
-        if (isActualCorsContext) {
-          // Always report wildcard CORS origin - it's never safe
-          context.report({
-            node,
-            messageId: 'missingCorsCheck',
-            data: {
-              issue: 'Wildcard CORS origin (*) allows all origins',
-              safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
-            },
-            suggest: [
-              {
-                messageId: 'useOriginValidation',
-                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                fix: (_fixer: TSESLint.RuleFixer) => null,
-              },
-            ],
-          });
-        }
-      }
-    }
-    function checkCallExpression(node: TSESTree.CallExpression) {
-      if (isTestFile) {
-        return;
-      }
-      // Check for app.use(cors({ origin: "*" })) or similar
-      if (node.callee.type === 'MemberExpression') {
-        const property = node.callee.property;
-        if (property.type === 'Identifier' && property.name === 'use') {
-          // Check if CORS is being used
-          const text = sourceCode.getText(node);
-          // Check if it matches any ignore pattern
-          if (matchesIgnorePattern(text, ignorePatterns)) {
-            return;
-          }
-          // Check if it's a CORS middleware call
-          // Check for cors() or trusted library calls
-          const firstArg = node.arguments.length > 0 ? node.arguments[0] : null;
-          let isCorsCall = /\bcors\s*\(/i.test(text);
-          if (!isCorsCall && firstArg && firstArg.type === 'CallExpression' && firstArg.callee.type === 'Identifier') {
-            const callee = firstArg.callee;
-            const calleeName = callee.name.toLowerCase();
-            // Check if it's the standard 'cors' library or a trusted library
-            isCorsCall = calleeName === 'cors' || trustedLibraries.some(lib => {
-              return calleeName.includes(lib.toLowerCase());
-            });
-          }
-          // Check if it's a trusted library - skip if explicitly trusted
-          let isTrustedLibrary = false;
-          if (firstArg && firstArg.type === 'CallExpression' && firstArg.callee.type === 'Identifier') {
-            const calleeName = firstArg.callee.name.toLowerCase();
-            isTrustedLibrary = trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()));
-          }
-          if (isTrustedLibrary) {
-            return; // Trusted library, skip
-          }
-          // Check if it's a CORS call
-          if (/\bcors\s*\(/i.test(text) || isCorsCall) {
-            // Check arguments for wildcard origin
-            // For app.use(cors({ origin: "*" })), we need to check the arguments to cors(), not app.use()
-            const corsCallArg = firstArg && firstArg.type === 'CallExpression' ? firstArg : null;
-            const argsToCheck = corsCallArg ? corsCallArg.arguments : node.arguments;
-            for (const arg of argsToCheck) {
-              if (arg.type === 'ObjectExpression') {
-                // Check for origin property with wildcard value
-                for (const prop of arg.properties) {
-                  if (prop.type === 'Property' &&
-                      prop.key.type === 'Identifier' &&
-                      prop.key.name === 'origin' &&
-                      prop.value.type === 'Literal' &&
-                      prop.value.value === '*') {
-                    context.report({
-                      node: prop.value,
-                      messageId: 'missingCorsCheck',
-                      data: {
-                        issue: 'Wildcard CORS origin (*) allows all origins',
-                        safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
-                      },
-                      suggest: [
-                        {
-                          messageId: 'useOriginValidation',
-                          // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                          fix: (_fixer: TSESLint.RuleFixer) => null,
-                        },
-                      ],
-                    });
-                  }
-                }
-              } else if (arg.type === 'Identifier') {
-                // Check if this identifier was assigned an object literal with origin: "*"
-                // For cases like: const config = { origin: "*" }; app.use(cors(config));
-                const varName = arg.name;
-                // Traverse the AST to find the variable declaration
-                let current: TSESTree.Node | null = node;
-                while (current) {
-                  if (current.type === 'Program' || current.type === 'FunctionDeclaration' || current.type === 'FunctionExpression' || current.type === 'ArrowFunctionExpression') {
-                    // Search for variable declarations in this scope
-                    const scopeBody = current.type === 'Program' ? current.body :
-                                     (current.type === 'FunctionDeclaration' || current.type === 'FunctionExpression' || current.type === 'ArrowFunctionExpression') ?
-                                     (current.body.type === 'BlockStatement' ? current.body.body : []) : [];
-                    for (const stmt of scopeBody) {
-                      if (stmt.type === 'VariableDeclaration') {
-                        for (const declarator of stmt.declarations) {
-                          if (declarator.id.type === 'Identifier' && declarator.id.name === varName && declarator.init) {
-                            // Check if init is an object literal with origin: "*"
-                            if (declarator.init.type === 'ObjectExpression') {
-                              for (const prop of declarator.init.properties) {
-                                if (prop.type === 'Property' &&
-                                    prop.key.type === 'Identifier' &&
-                                    prop.key.name === 'origin' &&
-                                    prop.value.type === 'Literal' &&
-                                    prop.value.value === '*') {
-                                  context.report({
-                                    node: arg,
-                                    messageId: 'missingCorsCheck',
-                                    data: {
-                                      issue: 'Wildcard CORS origin (*) allows all origins',
-                                      safeAlternative: 'Use origin validation: app.use(cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error("Not allowed")); } } }));',
-                                    },
-                                    suggest: [
-                                      {
-                                        messageId: 'useOriginValidation',
-                                        // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                        fix: (_fixer: TSESLint.RuleFixer) => null,
-                                      },
-                                    ],
-                                  });
-                                  return; // Found and reported, exit
-                                }
-                              }
-                            }
-                          }
-                        }
-                      }
-                    }
-                    break; // Only check the immediate scope
-                  }
-                  if (current.parent) {
-                    current = current.parent as TSESTree.Node;
-                  } else {
-                    break;
-                  }
-                }
-              }
-            }
-          }
-        }
-      }
-    }
-    function checkMemberExpression(node: TSESTree.MemberExpression) {
-      if (isTestFile) {
-        return;
-      }
-      // Check for Access-Control-Allow-Origin header without validation
-      if (node.property.type === 'Identifier') {
-        const propertyName = node.property.name;
-        if (propertyName === 'setHeader' || propertyName === 'header') {
-          // Check if it matches any ignore pattern
-          const text = sourceCode.getText(node);
-          if (matchesIgnorePattern(text, ignorePatterns)) {
-            return;
-          }
-          // Check if it's setting CORS headers
-          // Need to check the full call expression, not just the member expression
-          const parent = node.parent;
-          if (parent && parent.type === 'CallExpression') {
-            const callText = sourceCode.getText(parent);
-            if (/\bAccess-Control-Allow-Origin\b/i.test(callText)) {
-              // Check if the value is a wildcard
-              const args = parent.arguments;
-              if (args.length >= 2 && args[1].type === 'Literal' && args[1].value === '*') {
-                context.report({
-                  node: args[1],
-                  messageId: 'missingCorsCheck',
-                  data: {
-                    issue: 'Wildcard CORS header allows all origins',
-                    safeAlternative: 'Validate origin before setting header: res.setHeader("Access-Control-Allow-Origin", allowedOrigins.includes(origin) ? origin : "null");',
-                  },
-                  suggest: [
-                    {
-                      messageId: 'useOriginValidation',
-                      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                      fix: (_fixer: TSESLint.RuleFixer) => null,
-                    },
-                  ],
-                });
-              }
-            }
-          }
-        }
-      }
-    }
-    return {
-      Literal: checkLiteral,
-      CallExpression: checkCallExpression,
-      MemberExpression: checkMemberExpression,
-    };
-  },
-});