npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-permissive-cors/index.ts DELETED Viewed

@@ -1,78 +0,0 @@
-/**
- * @fileoverview Prevent overly permissive CORS configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-import { AST_NODE_TYPES, createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import type { TSESTree } from '@interlace/eslint-devkit';
-type MessageIds = 'violationDetected';
-// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
-export interface Options {}
-type RuleOptions = [Options?];
-export const noPermissiveCors = createRule<RuleOptions, MessageIds>({
-  name: 'no-permissive-cors',
-  meta: {
-    type: 'problem',
-    deprecated: true,
-    replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
-    docs: {
-      description: 'Prevent overly permissive CORS configuration',
-      category: 'Security',
-      recommended: true,
-      owaspMobile: ['M8'],
-      cweIds: ["CWE-942"],
-    },
-    messages: {
-      violationDetected: formatLLMMessage({
-        icon: MessageIcons.SECURITY,
-        issueName: 'violation Detected',
-        cwe: 'CWE-942',
-        description: 'Prevent overly permissive CORS configuration detected - this is a security risk',
-        severity: 'HIGH',
-        fix: 'Review and apply secure practices',
-        documentationLink: 'https://cwe.mitre.org/data/definitions/942.html',
-      })
-    },
-    schema: [],
-  },
-  defaultOptions: [],
-  create(context) {
-    function report(node: TSESTree.Node) {
-      context.report({
-        node,
-        messageId: 'violationDetected',
-      });
-    }
-    return {
-      CallExpression(node: TSESTree.CallExpression) {
-      // Check for Access-Control-Allow-Origin: *
-      if (node.type === AST_NODE_TYPES.CallExpression &&
-          node.callee.property?.name === 'setHeader' &&
-          node.arguments[0]?.value === 'Access-Control-Allow-Origin' &&
-          node.arguments[1]?.value === '*') {
-        report(node);
-      }
-      // Check cors({ origin: '*' })
-      if (node.type === AST_NODE_TYPES.CallExpression &&
-          node.callee.name === 'cors' &&
-          node.arguments[0]?.type === AST_NODE_TYPES.ObjectExpression) {
-        const originProp = node.arguments[0].properties.find(
-          p => p.key?.name === 'origin'
-        );
-        if (originProp?.value.type === 'Literal' && originProp.value.value === '*') {
-          report(node);
-        }
-      }
-      },
-};
-  },
-});

package/src/rules/no-permissive-cors/no-permissive-cors.test.ts DELETED Viewed

@@ -1,28 +0,0 @@
-/**
- * @fileoverview Tests for no-permissive-cors
- *
- * Coverage: Comprehensive test suite with valid and invalid cases
- */
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { noPermissiveCors } from './index';
-const ruleTester = new RuleTester({
-  languageOptions: {
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-});
-ruleTester.run('no-permissive-cors', noPermissiveCors, {
-  valid: [
-    { code: "cors({ origin: 'https://example.com' })" },
-    { code: "res.setHeader('Access-Control-Allow-Origin', 'https://mysite.com')" },
-    { code: "const origin = 'https://safe.com'" }
-  ],
-  invalid: [
-    { code: "cors({ origin: '*' })", errors: [{ messageId: 'violationDetected' }] },
-    { code: "res.setHeader('Access-Control-Allow-Origin', '*')", errors: [{ messageId: 'violationDetected' }] }
-  ],
-});

package/src/rules/no-pii-in-logs/index.ts DELETED Viewed

@@ -1,83 +0,0 @@
-/**
- * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/532.html
- */
-import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import type { TSESTree } from '@interlace/eslint-devkit';
-type MessageIds = 'violationDetected';
-// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
-export interface Options {}
-type RuleOptions = [Options?];
-export const noPiiInLogs = createRule<RuleOptions, MessageIds>({
-  name: 'no-pii-in-logs',
-  meta: {
-    type: 'problem',
-    docs: {
-      description: 'Prevent PII (email, SSN, credit cards) in console logs',
-      category: 'Security',
-      recommended: true,
-      owaspMobile: ['M6'],
-      cweIds: ["CWE-532"],
-    },
-    messages: {
-      violationDetected: formatLLMMessage({
-        icon: MessageIcons.SECURITY,
-        issueName: 'violation Detected',
-        cwe: 'CWE-359',
-        description: 'Prevent PII (email, SSN, credit cards) in console logs detected - this is a security risk',
-        severity: 'HIGH',
-        fix: 'Review and apply secure practices',
-        documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
-      })
-    },
-    schema: [],
-  },
-  defaultOptions: [],
-  create(context) {
-    function report(node: TSESTree.Node) {
-      context.report({
-        node,
-        messageId: 'violationDetected',
-      });
-    }
-    return {
-      CallExpression(node: TSESTree.CallExpression) {
-      // Check console.log/error/warn calls
-      if (node.type === 'CallExpression' &&
-          node.callee.type === 'MemberExpression' &&
-          node.callee.object.name === 'console' &&
-          ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
-        // Check arguments for PII-related property access
-        for (const arg of node.arguments) {
-          if (arg.type === 'MemberExpression') {
-            const propName = arg.property.name?.toLowerCase();
-            const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
-            if (piiProps.some(p => propName?.includes(p))) {
-              report(node);
-            }
-          }
-          // Check string literals mentioning PII
-          if (arg.type === 'Literal' && typeof arg.value === 'string') {
-            const text = arg.value.toLowerCase();
-            if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
-              report(node);
-            }
-          }
-        }
-      }
-      },
-};
-  },
-});

package/src/rules/no-pii-in-logs/no-pii-in-logs.test.ts DELETED Viewed

@@ -1,26 +0,0 @@
-/**
- * @fileoverview Tests for no-pii-in-logs
- */
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { noPiiInLogs } from './index';
-const ruleTester = new RuleTester({
-  languageOptions: {
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-});
-ruleTester.run('no-pii-in-logs', noPiiInLogs, {
-  valid: [
-    { code: "console.log('Status:', status)" },
-    { code: "console.info('Count:', count)" }
-  ],
-  invalid: [
-    { code: "console.log(user.email)", errors: [{ messageId: 'violationDetected' }] },
-    { code: "console.log('email:', value)", errors: [{ messageId: 'violationDetected' }] },
-    { code: "console.log(data.ssn)", errors: [{ messageId: 'violationDetected' }] }
-  ],
-});

package/src/rules/no-postmessage-origin-wildcard/index.ts DELETED Viewed

@@ -1,67 +0,0 @@
-/**
- * @fileoverview Prevent wildcard origins in postMessage
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-import { createRule, formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
-import type { TSESTree } from '@interlace/eslint-devkit';
-type MessageIds = 'violationDetected';
-// eslint-disable-next-line @typescript-eslint/no-empty-object-type, @typescript-eslint/no-empty-interface -- Rule has no configurable options
-export interface Options {}
-type RuleOptions = [Options?];
-export const noPostmessageOriginWildcard = createRule<RuleOptions, MessageIds>({
-  name: 'no-postmessage-origin-wildcard',
-  meta: {
-    type: 'problem',
-    docs: {
-      description: 'Prevent wildcard origins in postMessage',
-      category: 'Security',
-      recommended: true,
-      owaspMobile: ['M4'],
-      cweIds: ["CWE-942"],
-    },
-    messages: {
-      violationDetected: formatLLMMessage({
-        icon: MessageIcons.SECURITY,
-        issueName: 'violation Detected',
-        cwe: 'CWE-346',
-        description: 'Prevent wildcard origins in postMessage detected - this is a security risk',
-        severity: 'HIGH',
-        fix: 'Review and apply secure practices',
-        documentationLink: 'https://cwe.mitre.org/data/definitions/346.html',
-      })
-    },
-    schema: [],
-  },
-  defaultOptions: [],
-  create(context) {
-    function report(node: TSESTree.Node) {
-      context.report({
-        node,
-        messageId: 'violationDetected',
-      });
-    }
-    return {
-      CallExpression(node: TSESTree.CallExpression) {
-      // Check postMessage calls
-      if (node.type === 'CallExpression' &&
-          node.callee.type === 'MemberExpression' &&
-          node.callee.property.name === 'postMessage') {
-        const originArg = node.arguments[1];
-        if (originArg && originArg.type === 'Literal' && originArg.value === '*') {
-          report(node);
-        }
-      }
-      },
-};
-  },
-});

package/src/rules/no-postmessage-origin-wildcard/no-postmessage-origin-wildcard.test.ts DELETED Viewed

@@ -1,27 +0,0 @@
-/**
- * @fileoverview Tests for no-postmessage-origin-wildcard
- *
- * Coverage: Comprehensive test suite with valid and invalid cases
- */
-import { RuleTester } from '@typescript-eslint/rule-tester';
-import { noPostmessageOriginWildcard } from './index';
-const ruleTester = new RuleTester({
-  languageOptions: {
-    ecmaVersion: 2022,
-    sourceType: 'module',
-  },
-});
-ruleTester.run('no-postmessage-origin-wildcard', noPostmessageOriginWildcard, {
-  valid: [
-    { code: "window.postMessage(data, 'https://example.com')" },
-    { code: "parent.postMessage(msg, origin)" }
-  ],
-  invalid: [
-    { code: "window.postMessage(data, '*')", errors: [{ messageId: 'violationDetected' }] },
-    { code: "parent.postMessage(msg, '*')", errors: [{ messageId: 'violationDetected' }] }
-  ],
-});