npm - eslint-plugin-secure-coding - Versions diffs - 2.3.3 → 2.4.0 - Mend

eslint-plugin-secure-coding 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/src/rules/no-clickjacking/index.js ADDED Viewed

@@ -0,0 +1,396 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noClickjacking = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+const eslint_devkit_2 = require("@interlace/eslint-devkit");
+const eslint_devkit_3 = require("@interlace/eslint-devkit");
+exports.noClickjacking = (0, eslint_devkit_1.createRule)({
+    name: 'no-clickjacking',
+    meta: {
+        type: 'problem',
+        deprecated: true,
+        replacedBy: ['@see eslint-plugin-express-security/require-helmet'],
+        docs: {
+            description: 'Detects clickjacking vulnerabilities and missing frame protections',
+        },
+        fixable: 'code',
+        hasSuggestions: true,
+        messages: {
+            clickjackingVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Clickjacking Vulnerability',
+                cwe: 'CWE-1021',
+                description: 'Clickjacking protection missing',
+                severity: '{{severity}}',
+                fix: '{{safeAlternative}}',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            missingFrameBusting: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing Frame Busting',
+                cwe: 'CWE-1021',
+                description: 'No frame-busting code to prevent clickjacking',
+                severity: 'HIGH',
+                fix: 'Add frame-busting JavaScript to prevent framing',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            unsafeIframeUsage: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Unsafe iframe Usage',
+                cwe: 'CWE-1021',
+                description: 'iframe may enable clickjacking attacks',
+                severity: 'MEDIUM',
+                fix: 'Add X-Frame-Options or CSP frame-ancestors protection',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            missingXFrameOptions: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing X-Frame-Options',
+                cwe: 'CWE-1021',
+                description: 'X-Frame-Options header not set',
+                severity: 'HIGH',
+                fix: 'Set X-Frame-Options: DENY or SAMEORIGIN',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options',
+            }),
+            missingCspFrameAncestors: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Missing CSP frame-ancestors',
+                cwe: 'CWE-1021',
+                description: 'CSP frame-ancestors directive not configured',
+                severity: 'HIGH',
+                fix: 'Add frame-ancestors to Content-Security-Policy',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors',
+            }),
+            transparentFrameOverlay: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Transparent Frame Overlay',
+                cwe: 'CWE-1021',
+                description: 'Transparent elements may hide clickjacking attacks',
+                severity: 'MEDIUM',
+                fix: 'Use frame-busting or CSP protections',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            frameManipulation: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.SECURITY,
+                issueName: 'Frame Manipulation',
+                cwe: 'CWE-1021',
+                description: 'Code attempts to manipulate parent frames',
+                severity: 'LOW',
+                fix: 'Implement proper frame communication or prevent framing',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            implementFrameBusting: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Implement Frame Busting',
+                description: 'Add JavaScript to prevent framing',
+                severity: 'LOW',
+                fix: 'if (top != self) top.location = location;',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            useXFrameOptions: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Use X-Frame-Options',
+                description: 'Set X-Frame-Options HTTP header',
+                severity: 'LOW',
+                fix: 'X-Frame-Options: DENY',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options',
+            }),
+            setCspFrameAncestors: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.INFO,
+                issueName: 'Set CSP frame-ancestors',
+                description: 'Configure CSP frame-ancestors directive',
+                severity: 'LOW',
+                fix: 'frame-ancestors \'self\' https://trusted.com',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors',
+            }),
+            strategyFrameProtection: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Frame Protection Strategy',
+                description: 'Implement multiple layers of frame protection',
+                severity: 'LOW',
+                fix: 'Use X-Frame-Options, CSP, and frame-busting together',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            }),
+            strategyContentSecurity: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'Content Security Strategy',
+                description: 'Use CSP for comprehensive frame control',
+                severity: 'LOW',
+                fix: 'Implement strict CSP with frame-ancestors',
+                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
+            }),
+            strategyUserInteraction: (0, eslint_devkit_2.formatLLMMessage)({
+                icon: eslint_devkit_2.MessageIcons.STRATEGY,
+                issueName: 'User Interaction Strategy',
+                description: 'Protect user interactions from framing attacks',
+                severity: 'LOW',
+                fix: 'Validate user intent for sensitive actions',
+                documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
+            })
+        },
+        schema: [
+            {
+                type: 'object',
+                properties: {
+                    trustedSources: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: ['self', 'same-origin'],
+                    },
+                    requireFrameBusting: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    detectTransparentOverlays: {
+                        type: 'boolean',
+                        default: true,
+                    },
+                    trustedSanitizers: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional function names to consider as frame protectors',
+                    },
+                    trustedAnnotations: {
+                        type: 'array',
+                        items: { type: 'string' },
+                        default: [],
+                        description: 'Additional JSDoc annotations to consider as safe markers',
+                    },
+                    strictMode: {
+                        type: 'boolean',
+                        default: false,
+                        description: 'Disable all false positive detection (strict mode)',
+                    },
+                },
+                additionalProperties: false,
+            },
+        ],
+    },
+    defaultOptions: [
+        {
+            trustedSources: ['self', 'same-origin'],
+            requireFrameBusting: true,
+            detectTransparentOverlays: true,
+            trustedSanitizers: [],
+            trustedAnnotations: [],
+            strictMode: false,
+        },
+    ],
+    create(context) {
+        const options = context.options[0] || {};
+        const { trustedSources = ['self', 'same-origin'], requireFrameBusting = true, detectTransparentOverlays = true, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
+        const sourceCode = context.sourceCode || context.sourceCode;
+        const filename = context.filename || context.getFilename();
+        // Create safety checker for false positive detection
+        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
+            trustedSanitizers,
+            trustedAnnotations,
+            trustedOrmPatterns: [],
+            strictMode,
+        });
+        // Track if frame-busting code is present
+        let hasFrameBusting = false;
+        /**
+         * Check if source is trusted
+         */
+        const isTrustedSource = (source) => {
+            return trustedSources.some(trusted => source.includes(trusted) ||
+                (trusted === 'self' && (source === 'self' || source.startsWith('/'))) ||
+                (trusted === 'same-origin' && source === 'same-origin'));
+        };
+        /**
+         * Check if this is frame-busting code
+         */
+        const isFrameBustingCode = (node) => {
+            const test = node.test;
+            const testText = sourceCode.getText(test).toLowerCase();
+            // Look for common frame-busting patterns
+            return testText.includes('top != self') ||
+                testText.includes('top !== self') ||
+                testText.includes('window.top !== window.self') ||
+                testText.includes('parent != self') ||
+                testText.includes('top.location') ||
+                testText.includes('self.location');
+        };
+        /**
+         * Check for transparent/invisible elements that could hide clickjacking
+         */
+        const hasTransparentStyles = (styleText) => {
+            const styles = styleText.toLowerCase();
+            return styles.includes('opacity: 0') ||
+                styles.includes('opacity:0') ||
+                styles.includes('visibility: hidden') ||
+                styles.includes('display: none') ||
+                styles.includes('z-index: -1') ||
+                styles.includes('position: absolute') && styles.includes('top: 0') && styles.includes('left: 0');
+        };
+        return {
+            // Check for frame-busting code
+            IfStatement(node) {
+                if (isFrameBustingCode(node)) {
+                    hasFrameBusting = true;
+                }
+            },
+            // Check iframe elements (in JSX/TSX)
+            JSXElement(node) {
+                if (node.openingElement.name.type === 'JSXIdentifier' &&
+                    node.openingElement.name.name === 'iframe') {
+                    // Check iframe attributes
+                    const attributes = node.openingElement.attributes;
+                    let hasSrc = false;
+                    let srcValue = '';
+                    for (const attr of attributes) {
+                        if (attr.type === 'JSXAttribute' &&
+                            attr.name.type === 'JSXIdentifier' &&
+                            attr.name.name === 'src' &&
+                            attr.value) {
+                            hasSrc = true;
+                            if (attr.value.type === 'Literal' && typeof attr.value.value === 'string') {
+                                srcValue = attr.value.value;
+                            }
+                        }
+                    }
+                    if (hasSrc && srcValue && !isTrustedSource(srcValue)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node: node.openingElement,
+                            messageId: 'unsafeIframeUsage',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check for frame manipulation code
+            MemberExpression(node) {
+                // Look for top.location or window.top manipulation
+                if (node.object.type === 'Identifier' &&
+                    (node.object.name === 'top' || node.object.name === 'window')) {
+                    if (node.property.type === 'Identifier' &&
+                        (node.property.name === 'location' || node.property.name === 'top')) {
+                        // Check if this is being assigned or compared
+                        let current = node;
+                        let isFrameManipulation = false;
+                        // Walk up to see if this is an assignment or comparison
+                        while (current && !isFrameManipulation) {
+                            if (current.type === 'AssignmentExpression' &&
+                                current.left === node) {
+                                isFrameManipulation = true;
+                                break;
+                            }
+                            if (current.type === 'BinaryExpression' &&
+                                (current.left === node || current.right === node)) {
+                                // Comparison like top != self
+                                const operator = current.operator;
+                                if (operator === '!=' || operator === '!==' ||
+                                    operator === '==' || operator === '===') {
+                                    // This might be frame-busting code
+                                    break;
+                                }
+                                isFrameManipulation = true;
+                                break;
+                            }
+                            current = current.parent;
+                        }
+                        if (isFrameManipulation) {
+                            /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                            if (safetyChecker.isSafe(node, context)) {
+                                return;
+                            }
+                            /* c8 ignore stop */
+                            context.report({
+                                node,
+                                messageId: 'frameManipulation',
+                                data: {
+                                    filePath: filename,
+                                    line: String(node.loc?.start.line ?? 0),
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Check for CSS that could hide clickjacking attacks
+            Literal(node) {
+                if (typeof node.value === 'string' && detectTransparentOverlays) {
+                    // Check if this looks like CSS
+                    const text = node.value.toLowerCase();
+                    if ((text.includes('style=') || text.includes('css')) &&
+                        hasTransparentStyles(text)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'transparentFrameOverlay',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // Check template literals for CSS
+            TemplateLiteral(node) {
+                if (detectTransparentOverlays) {
+                    const text = sourceCode.getText(node).toLowerCase();
+                    if (text.includes('style') && hasTransparentStyles(text)) {
+                        /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
+                        if (safetyChecker.isSafe(node, context)) {
+                            return;
+                        }
+                        /* c8 ignore stop */
+                        context.report({
+                            node,
+                            messageId: 'transparentFrameOverlay',
+                            data: {
+                                filePath: filename,
+                                line: String(node.loc?.start.line ?? 0),
+                            },
+                        });
+                    }
+                }
+            },
+            // At the end of the file, check if frame-busting is required but missing
+            'Program:exit'() {
+                if (requireFrameBusting && !hasFrameBusting) {
+                    // Only check files that are likely entry points or render HTML
+                    const isEntryPoint = /\.(html|htm)$/.test(filename) ||
+                        /(index|app|main|page)\.(tsx|jsx)$/i.test(filename) ||
+                        /pages?\/.*\.(tsx|jsx)$/i.test(filename) ||
+                        /layout\.(tsx|jsx)$/i.test(filename);
+                    // Skip non-entry point files
+                    if (!isEntryPoint) {
+                        return;
+                    }
+                    // Check if this file has actual UI rendering (JSX elements with event handlers)
+                    const fileContent = sourceCode.getText();
+                    const hasUIElements = fileContent.includes('<button') ||
+                        fileContent.includes('<form') ||
+                        fileContent.includes('<input') ||
+                        (fileContent.includes('onClick') && fileContent.includes('<'));
+                    if (hasUIElements) {
+                        context.report({
+                            node: context.sourceCode.ast,
+                            messageId: 'missingFrameBusting',
+                            data: {
+                                filePath: filename,
+                                line: '1',
+                            },
+                        });
+                    }
+                }
+            }
+        };
+    },
+});

package/src/rules/no-client-side-auth-logic/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Prevent authentication logic in client code
+ */
+export interface Options {
+}
+export declare const noClientSideAuthLogic: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-client-side-auth-logic/index.js ADDED Viewed

@@ -0,0 +1,69 @@
+"use strict";
+/**
+ * @fileoverview Prevent authentication logic in client code
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noClientSideAuthLogic = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noClientSideAuthLogic = (0, eslint_devkit_1.createRule)({
+    name: 'no-client-side-auth-logic',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent authentication logic in client code',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Client-Side Auth Logic',
+                cwe: 'CWE-602',
+                description: 'Authentication logic in client code - easily bypassed',
+                severity: 'CRITICAL',
+                fix: 'Move authentication checks to the server',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/602.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const authKeywords = ['admin', 'authenticated', 'authorized', 'isAdmin', 'isAuthenticated', 'role'];
+        return {
+            IfStatement(node) {
+                // Detect role/auth checks from localStorage
+                if (node.test.type === 'CallExpression' &&
+                    node.test.callee.type === 'MemberExpression' &&
+                    node.test.callee.object.type === 'Identifier' &&
+                    node.test.callee.object.name === 'localStorage' &&
+                    node.test.callee.property.type === 'Identifier' &&
+                    node.test.callee.property.name === 'getItem') {
+                    const keyArg = node.test.arguments[0];
+                    if (keyArg && keyArg.type === 'Literal') {
+                        const key = String(keyArg.value).toLowerCase();
+                        if (authKeywords.some(kw => key.includes(kw))) {
+                            report(node);
+                        }
+                    }
+                }
+                // Detect password comparison
+                if (node.test.type === 'BinaryExpression') {
+                    const checkMember = (expr) => {
+                        if (expr.type === 'MemberExpression' &&
+                            expr.property.type === 'Identifier' &&
+                            ['password', 'secret', 'token'].includes(expr.property.name)) {
+                            return true;
+                        }
+                        return false;
+                    };
+                    if (checkMember(node.test.left) ||
+                        checkMember(node.test.right)) {
+                        report(node);
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-credentials-in-query-params/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Disallow credentials in URL query parameters
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+export interface Options {
+}
+export declare const noCredentialsInQueryParams: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-credentials-in-query-params/index.js ADDED Viewed

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * @fileoverview Disallow credentials in URL query parameters
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/598.html
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noCredentialsInQueryParams = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noCredentialsInQueryParams = (0, eslint_devkit_1.createRule)({
+    name: 'no-credentials-in-query-params',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Disallow credentials in URL query parameters',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Credentials in Query Parameters',
+                cwe: 'CWE-798',
+                description: 'Credentials detected in URL query parameters - this is a security risk',
+                severity: 'CRITICAL',
+                fix: 'Use secure methods: POST body, headers (Authorization), or secure cookies',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/798.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        const sourceCode = context.sourceCode;
+        const sensitiveParams = ['password=', 'token=', 'apikey=', 'secret=', 'auth='];
+        function report(node) {
+            context.report({
+                node,
+                messageId: 'violationDetected',
+            });
+        }
+        return {
+            Literal(node) {
+                if (typeof node.value === 'string') {
+                    const url = node.value.toLowerCase();
+                    if (sensitiveParams.some(param => url.includes('?' + param) || url.includes('&' + param))) {
+                        report(node);
+                    }
+                }
+            },
+            TemplateLiteral(node) {
+                const text = sourceCode.getText(node).toLowerCase();
+                if (sensitiveParams.some(param => text.includes(param))) {
+                    report(node);
+                }
+            },
+        };
+    },
+});

package/src/rules/no-data-in-temp-storage/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * @fileoverview Prevent sensitive data in temp directories
+ */
+export interface Options {
+}
+export declare const noDataInTempStorage: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-data-in-temp-storage/index.js ADDED Viewed

@@ -0,0 +1,64 @@
+"use strict";
+/**
+ * @fileoverview Prevent sensitive data in temp directories
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noDataInTempStorage = void 0;
+const eslint_devkit_1 = require("@interlace/eslint-devkit");
+exports.noDataInTempStorage = (0, eslint_devkit_1.createRule)({
+    name: 'no-data-in-temp-storage',
+    meta: {
+        type: 'problem',
+        docs: {
+            description: 'Prevent sensitive data in temp directories',
+        },
+        messages: {
+            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
+                icon: eslint_devkit_1.MessageIcons.SECURITY,
+                issueName: 'Temp Storage Data',
+                cwe: 'CWE-312',
+                description: 'Sensitive data written to temp directory - not secure',
+                severity: 'HIGH',
+                fix: 'Use secure storage location or encrypt data before writing',
+                documentationLink: 'https://cwe.mitre.org/data/definitions/312.html',
+            })
+        },
+        schema: [],
+    },
+    defaultOptions: [],
+    create(context) {
+        function report(node) {
+            context.report({ node, messageId: 'violationDetected' });
+        }
+        const tempPaths = ['/tmp', '/var/tmp', 'temp/', '/temp'];
+        return {
+            CallExpression(node) {
+                // Detect fs.writeFileSync or fs.writeFile with temp path
+                if (node.callee.type === 'MemberExpression' &&
+                    node.callee.object.type === 'Identifier' &&
+                    node.callee.object.name === 'fs' &&
+                    node.callee.property.type === 'Identifier' &&
+                    ['writeFileSync', 'writeFile'].includes(node.callee.property.name)) {
+                    const pathArg = node.arguments[0];
+                    if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
+                        if (tempPaths.some(tp => pathArg.value.includes(tp))) {
+                            report(node);
+                        }
+                    }
+                }
+            },
+            Literal(node) {
+                // Detect temp path literals
+                if (typeof node.value === 'string') {
+                    if (tempPaths.some(tp => node.value.includes(tp))) {
+                        // Only flag if parent is assignment or variable declaration
+                        const parent = node.parent;
+                        if (parent?.type === 'VariableDeclarator' || parent?.type === 'AssignmentExpression') {
+                            report(node);
+                        }
+                    }
+                }
+            },
+        };
+    },
+});

package/src/rules/no-debug-code-in-production/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Detect debug code in production
+ * @see https://owasp.org/www-project-mobile-top-10/
+ * @see https://cwe.mitre.org/data/definitions/489.html
+ */
+export interface Options {
+}
+export declare const noDebugCodeInProduction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;