eslint-plugin-secure-coding 2.3.3 → 2.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +51 -1
- package/README.md +2 -2
- package/package.json +1 -1
- package/src/index.d.ts +32 -0
- package/src/index.js +416 -0
- package/src/rules/detect-child-process/index.d.ts +11 -0
- package/src/rules/detect-child-process/index.js +529 -0
- package/src/rules/detect-eval-with-expression/index.d.ts +9 -0
- package/src/rules/detect-eval-with-expression/index.js +392 -0
- package/src/rules/detect-mixed-content/index.d.ts +8 -0
- package/src/rules/detect-mixed-content/index.js +44 -0
- package/src/rules/detect-non-literal-fs-filename/index.d.ts +7 -0
- package/src/rules/detect-non-literal-fs-filename/index.js +454 -0
- package/src/rules/detect-non-literal-regexp/index.d.ts +9 -0
- package/src/rules/detect-non-literal-regexp/index.js +403 -0
- package/src/rules/detect-object-injection/index.d.ts +11 -0
- package/src/rules/detect-object-injection/index.js +560 -0
- package/src/rules/detect-suspicious-dependencies/index.d.ts +8 -0
- package/src/rules/detect-suspicious-dependencies/index.js +71 -0
- package/src/rules/detect-weak-password-validation/index.d.ts +6 -0
- package/src/rules/detect-weak-password-validation/index.js +58 -0
- package/src/rules/no-allow-arbitrary-loads/index.d.ts +8 -0
- package/src/rules/no-allow-arbitrary-loads/index.js +47 -0
- package/src/rules/no-arbitrary-file-access/index.d.ts +13 -0
- package/src/rules/no-arbitrary-file-access/index.js +195 -0
- package/src/rules/no-buffer-overread/index.d.ts +29 -0
- package/src/rules/no-buffer-overread/index.js +606 -0
- package/src/rules/no-clickjacking/index.d.ts +10 -0
- package/src/rules/no-clickjacking/index.js +396 -0
- package/src/rules/no-client-side-auth-logic/index.d.ts +6 -0
- package/src/rules/no-client-side-auth-logic/index.js +69 -0
- package/src/rules/no-credentials-in-query-params/index.d.ts +8 -0
- package/src/rules/no-credentials-in-query-params/index.js +57 -0
- package/src/rules/no-data-in-temp-storage/index.d.ts +6 -0
- package/src/rules/no-data-in-temp-storage/index.js +64 -0
- package/src/rules/no-debug-code-in-production/index.d.ts +8 -0
- package/src/rules/no-debug-code-in-production/index.js +51 -0
- package/src/rules/no-directive-injection/index.d.ts +12 -0
- package/src/rules/no-directive-injection/index.js +457 -0
- package/src/rules/no-disabled-certificate-validation/index.d.ts +6 -0
- package/src/rules/no-disabled-certificate-validation/index.js +61 -0
- package/src/rules/no-dynamic-dependency-loading/index.d.ts +8 -0
- package/src/rules/no-dynamic-dependency-loading/index.js +51 -0
- package/src/rules/no-electron-security-issues/index.d.ts +10 -0
- package/src/rules/no-electron-security-issues/index.js +423 -0
- package/src/rules/no-exposed-debug-endpoints/index.d.ts +6 -0
- package/src/rules/no-exposed-debug-endpoints/index.js +62 -0
- package/src/rules/no-exposed-sensitive-data/index.d.ts +11 -0
- package/src/rules/no-exposed-sensitive-data/index.js +340 -0
- package/src/rules/no-format-string-injection/index.d.ts +17 -0
- package/src/rules/no-format-string-injection/index.js +660 -0
- package/src/rules/no-graphql-injection/index.d.ts +12 -0
- package/src/rules/no-graphql-injection/index.js +411 -0
- package/src/rules/no-hardcoded-credentials/index.d.ts +26 -0
- package/src/rules/no-hardcoded-credentials/index.js +376 -0
- package/src/rules/no-hardcoded-session-tokens/index.d.ts +6 -0
- package/src/rules/no-hardcoded-session-tokens/index.js +59 -0
- package/src/rules/no-http-urls/index.d.ts +12 -0
- package/src/rules/no-http-urls/index.js +114 -0
- package/src/rules/no-improper-sanitization/index.d.ts +12 -0
- package/src/rules/no-improper-sanitization/index.js +411 -0
- package/src/rules/no-improper-type-validation/index.d.ts +10 -0
- package/src/rules/no-improper-type-validation/index.js +475 -0
- package/src/rules/no-insecure-comparison/index.d.ts +7 -0
- package/src/rules/no-insecure-comparison/index.js +193 -0
- package/src/rules/no-insecure-redirects/index.d.ts +7 -0
- package/src/rules/no-insecure-redirects/index.js +216 -0
- package/src/rules/no-insecure-websocket/index.d.ts +6 -0
- package/src/rules/no-insecure-websocket/index.js +61 -0
- package/src/rules/no-ldap-injection/index.d.ts +10 -0
- package/src/rules/no-ldap-injection/index.js +455 -0
- package/src/rules/no-missing-authentication/index.d.ts +13 -0
- package/src/rules/no-missing-authentication/index.js +333 -0
- package/src/rules/no-missing-cors-check/index.d.ts +9 -0
- package/src/rules/no-missing-cors-check/index.js +399 -0
- package/src/rules/no-missing-csrf-protection/index.d.ts +11 -0
- package/src/rules/no-missing-csrf-protection/index.js +180 -0
- package/src/rules/no-missing-security-headers/index.d.ts +7 -0
- package/src/rules/no-missing-security-headers/index.js +218 -0
- package/src/rules/no-password-in-url/index.d.ts +8 -0
- package/src/rules/no-password-in-url/index.js +54 -0
- package/src/rules/no-permissive-cors/index.d.ts +8 -0
- package/src/rules/no-permissive-cors/index.js +65 -0
- package/src/rules/no-pii-in-logs/index.d.ts +8 -0
- package/src/rules/no-pii-in-logs/index.js +70 -0
- package/src/rules/no-privilege-escalation/index.d.ts +13 -0
- package/src/rules/no-privilege-escalation/index.js +321 -0
- package/src/rules/no-redos-vulnerable-regex/index.d.ts +7 -0
- package/src/rules/no-redos-vulnerable-regex/index.js +306 -0
- package/src/rules/no-sensitive-data-exposure/index.d.ts +11 -0
- package/src/rules/no-sensitive-data-exposure/index.js +250 -0
- package/src/rules/no-sensitive-data-in-analytics/index.d.ts +8 -0
- package/src/rules/no-sensitive-data-in-analytics/index.js +62 -0
- package/src/rules/no-sensitive-data-in-cache/index.d.ts +8 -0
- package/src/rules/no-sensitive-data-in-cache/index.js +52 -0
- package/src/rules/no-toctou-vulnerability/index.d.ts +7 -0
- package/src/rules/no-toctou-vulnerability/index.js +208 -0
- package/src/rules/no-tracking-without-consent/index.d.ts +6 -0
- package/src/rules/no-tracking-without-consent/index.js +67 -0
- package/src/rules/no-unchecked-loop-condition/index.d.ts +12 -0
- package/src/rules/no-unchecked-loop-condition/index.js +646 -0
- package/src/rules/no-unencrypted-transmission/index.d.ts +11 -0
- package/src/rules/no-unencrypted-transmission/index.js +236 -0
- package/src/rules/no-unescaped-url-parameter/index.d.ts +9 -0
- package/src/rules/no-unescaped-url-parameter/index.js +355 -0
- package/src/rules/no-unlimited-resource-allocation/index.d.ts +12 -0
- package/src/rules/no-unlimited-resource-allocation/index.js +643 -0
- package/src/rules/no-unsafe-deserialization/index.d.ts +10 -0
- package/src/rules/no-unsafe-deserialization/index.js +491 -0
- package/src/rules/no-unsafe-dynamic-require/index.d.ts +5 -0
- package/src/rules/no-unsafe-dynamic-require/index.js +106 -0
- package/src/rules/no-unsafe-regex-construction/index.d.ts +9 -0
- package/src/rules/no-unsafe-regex-construction/index.js +291 -0
- package/src/rules/no-unvalidated-deeplinks/index.d.ts +6 -0
- package/src/rules/no-unvalidated-deeplinks/index.js +62 -0
- package/src/rules/no-unvalidated-user-input/index.d.ts +9 -0
- package/src/rules/no-unvalidated-user-input/index.js +420 -0
- package/src/rules/no-verbose-error-messages/index.d.ts +8 -0
- package/src/rules/no-verbose-error-messages/index.js +68 -0
- package/src/rules/no-weak-password-recovery/index.d.ts +12 -0
- package/src/rules/no-weak-password-recovery/index.js +424 -0
- package/src/rules/no-xpath-injection/index.d.ts +10 -0
- package/src/rules/no-xpath-injection/index.js +487 -0
- package/src/rules/no-xxe-injection/index.d.ts +7 -0
- package/src/rules/no-xxe-injection/index.js +266 -0
- package/src/rules/no-zip-slip/index.d.ts +9 -0
- package/src/rules/no-zip-slip/index.js +445 -0
- package/src/rules/require-backend-authorization/index.d.ts +6 -0
- package/src/rules/require-backend-authorization/index.js +60 -0
- package/src/rules/require-code-minification/index.d.ts +8 -0
- package/src/rules/require-code-minification/index.js +47 -0
- package/src/rules/require-csp-headers/index.d.ts +6 -0
- package/src/rules/require-csp-headers/index.js +64 -0
- package/src/rules/require-data-minimization/index.d.ts +8 -0
- package/src/rules/require-data-minimization/index.js +53 -0
- package/src/rules/require-dependency-integrity/index.d.ts +6 -0
- package/src/rules/require-dependency-integrity/index.js +64 -0
- package/src/rules/require-https-only/index.d.ts +8 -0
- package/src/rules/require-https-only/index.js +62 -0
- package/src/rules/require-mime-type-validation/index.d.ts +6 -0
- package/src/rules/require-mime-type-validation/index.js +66 -0
- package/src/rules/require-network-timeout/index.d.ts +8 -0
- package/src/rules/require-network-timeout/index.js +50 -0
- package/src/rules/require-package-lock/index.d.ts +8 -0
- package/src/rules/require-package-lock/index.js +63 -0
- package/src/rules/require-secure-credential-storage/index.d.ts +8 -0
- package/src/rules/require-secure-credential-storage/index.js +50 -0
- package/src/rules/require-secure-defaults/index.d.ts +8 -0
- package/src/rules/require-secure-defaults/index.js +47 -0
- package/src/rules/require-secure-deletion/index.d.ts +8 -0
- package/src/rules/require-secure-deletion/index.js +44 -0
- package/src/rules/require-storage-encryption/index.d.ts +8 -0
- package/src/rules/require-storage-encryption/index.js +50 -0
- package/src/rules/require-url-validation/index.d.ts +6 -0
- package/src/rules/require-url-validation/index.js +72 -0
- package/src/types/index.d.ts +106 -0
- package/src/types/index.js +16 -0
- package/src/index.ts +0 -605
- package/src/rules/__tests__/integration-demo.test.ts +0 -290
- package/src/rules/__tests__/integration-llm.test.ts +0 -89
- package/src/rules/database-injection/database-injection.test.ts +0 -456
- package/src/rules/database-injection/index.ts +0 -488
- package/src/rules/detect-child-process/detect-child-process.test.ts +0 -207
- package/src/rules/detect-child-process/index.ts +0 -634
- package/src/rules/detect-eval-with-expression/detect-eval-with-expression.test.ts +0 -416
- package/src/rules/detect-eval-with-expression/index.ts +0 -463
- package/src/rules/detect-mixed-content/detect-mixed-content.test.ts +0 -28
- package/src/rules/detect-mixed-content/index.ts +0 -52
- package/src/rules/detect-non-literal-fs-filename/detect-non-literal-fs-filename.test.ts +0 -269
- package/src/rules/detect-non-literal-fs-filename/index.ts +0 -551
- package/src/rules/detect-non-literal-regexp/detect-non-literal-regexp.test.ts +0 -189
- package/src/rules/detect-non-literal-regexp/index.ts +0 -490
- package/src/rules/detect-object-injection/detect-object-injection.test.ts +0 -440
- package/src/rules/detect-object-injection/index.ts +0 -674
- package/src/rules/detect-suspicious-dependencies/detect-suspicious-dependencies.test.ts +0 -32
- package/src/rules/detect-suspicious-dependencies/index.ts +0 -84
- package/src/rules/detect-weak-password-validation/detect-weak-password-validation.test.ts +0 -31
- package/src/rules/detect-weak-password-validation/index.ts +0 -68
- package/src/rules/no-allow-arbitrary-loads/index.ts +0 -54
- package/src/rules/no-allow-arbitrary-loads/no-allow-arbitrary-loads.test.ts +0 -28
- package/src/rules/no-arbitrary-file-access/index.ts +0 -238
- package/src/rules/no-arbitrary-file-access/no-arbitrary-file-access.test.ts +0 -119
- package/src/rules/no-buffer-overread/index.ts +0 -724
- package/src/rules/no-buffer-overread/no-buffer-overread.test.ts +0 -313
- package/src/rules/no-clickjacking/index.ts +0 -481
- package/src/rules/no-clickjacking/no-clickjacking.test.ts +0 -253
- package/src/rules/no-client-side-auth-logic/index.ts +0 -81
- package/src/rules/no-client-side-auth-logic/no-client-side-auth-logic.test.ts +0 -33
- package/src/rules/no-credentials-in-query-params/index.ts +0 -69
- package/src/rules/no-credentials-in-query-params/no-credentials-in-query-params.test.ts +0 -33
- package/src/rules/no-credentials-in-storage-api/index.ts +0 -64
- package/src/rules/no-credentials-in-storage-api/no-credentials-in-storage-api.test.ts +0 -31
- package/src/rules/no-data-in-temp-storage/index.ts +0 -75
- package/src/rules/no-data-in-temp-storage/no-data-in-temp-storage.test.ts +0 -33
- package/src/rules/no-debug-code-in-production/index.ts +0 -59
- package/src/rules/no-debug-code-in-production/no-debug-code-in-production.test.ts +0 -26
- package/src/rules/no-directive-injection/index.ts +0 -551
- package/src/rules/no-directive-injection/no-directive-injection.test.ts +0 -305
- package/src/rules/no-disabled-certificate-validation/index.ts +0 -72
- package/src/rules/no-disabled-certificate-validation/no-disabled-certificate-validation.test.ts +0 -33
- package/src/rules/no-document-cookie/index.ts +0 -113
- package/src/rules/no-document-cookie/no-document-cookie.test.ts +0 -382
- package/src/rules/no-dynamic-dependency-loading/index.ts +0 -60
- package/src/rules/no-dynamic-dependency-loading/no-dynamic-dependency-loading.test.ts +0 -27
- package/src/rules/no-electron-security-issues/index.ts +0 -504
- package/src/rules/no-electron-security-issues/no-electron-security-issues.test.ts +0 -324
- package/src/rules/no-exposed-debug-endpoints/index.ts +0 -73
- package/src/rules/no-exposed-debug-endpoints/no-exposed-debug-endpoints.test.ts +0 -40
- package/src/rules/no-exposed-sensitive-data/index.ts +0 -428
- package/src/rules/no-exposed-sensitive-data/no-exposed-sensitive-data.test.ts +0 -75
- package/src/rules/no-format-string-injection/index.ts +0 -801
- package/src/rules/no-format-string-injection/no-format-string-injection.test.ts +0 -437
- package/src/rules/no-graphql-injection/index.ts +0 -508
- package/src/rules/no-graphql-injection/no-graphql-injection.test.ts +0 -371
- package/src/rules/no-hardcoded-credentials/index.ts +0 -478
- package/src/rules/no-hardcoded-credentials/no-hardcoded-credentials.test.ts +0 -639
- package/src/rules/no-hardcoded-session-tokens/index.ts +0 -69
- package/src/rules/no-hardcoded-session-tokens/no-hardcoded-session-tokens.test.ts +0 -42
- package/src/rules/no-http-urls/index.ts +0 -131
- package/src/rules/no-http-urls/no-http-urls.test.ts +0 -60
- package/src/rules/no-improper-sanitization/index.ts +0 -502
- package/src/rules/no-improper-sanitization/no-improper-sanitization.test.ts +0 -156
- package/src/rules/no-improper-type-validation/index.ts +0 -572
- package/src/rules/no-improper-type-validation/no-improper-type-validation.test.ts +0 -372
- package/src/rules/no-insecure-comparison/index.ts +0 -232
- package/src/rules/no-insecure-comparison/no-insecure-comparison.test.ts +0 -218
- package/src/rules/no-insecure-cookie-settings/index.ts +0 -391
- package/src/rules/no-insecure-cookie-settings/no-insecure-cookie-settings.test.ts +0 -409
- package/src/rules/no-insecure-jwt/index.ts +0 -467
- package/src/rules/no-insecure-jwt/no-insecure-jwt.test.ts +0 -259
- package/src/rules/no-insecure-redirects/index.ts +0 -267
- package/src/rules/no-insecure-redirects/no-insecure-redirects.test.ts +0 -108
- package/src/rules/no-insecure-websocket/index.ts +0 -72
- package/src/rules/no-insecure-websocket/no-insecure-websocket.test.ts +0 -42
- package/src/rules/no-insufficient-postmessage-validation/index.ts +0 -497
- package/src/rules/no-insufficient-postmessage-validation/no-insufficient-postmessage-validation.test.ts +0 -360
- package/src/rules/no-insufficient-random/index.ts +0 -288
- package/src/rules/no-insufficient-random/no-insufficient-random.test.ts +0 -246
- package/src/rules/no-ldap-injection/index.ts +0 -547
- package/src/rules/no-ldap-injection/no-ldap-injection.test.ts +0 -317
- package/src/rules/no-missing-authentication/index.ts +0 -408
- package/src/rules/no-missing-authentication/no-missing-authentication.test.ts +0 -350
- package/src/rules/no-missing-cors-check/index.ts +0 -453
- package/src/rules/no-missing-cors-check/no-missing-cors-check.test.ts +0 -392
- package/src/rules/no-missing-csrf-protection/index.ts +0 -229
- package/src/rules/no-missing-csrf-protection/no-missing-csrf-protection.test.ts +0 -222
- package/src/rules/no-missing-security-headers/index.ts +0 -266
- package/src/rules/no-missing-security-headers/no-missing-security-headers.test.ts +0 -98
- package/src/rules/no-password-in-url/index.ts +0 -64
- package/src/rules/no-password-in-url/no-password-in-url.test.ts +0 -27
- package/src/rules/no-permissive-cors/index.ts +0 -78
- package/src/rules/no-permissive-cors/no-permissive-cors.test.ts +0 -28
- package/src/rules/no-pii-in-logs/index.ts +0 -83
- package/src/rules/no-pii-in-logs/no-pii-in-logs.test.ts +0 -26
- package/src/rules/no-postmessage-origin-wildcard/index.ts +0 -67
- package/src/rules/no-postmessage-origin-wildcard/no-postmessage-origin-wildcard.test.ts +0 -27
- package/src/rules/no-privilege-escalation/index.ts +0 -403
- package/src/rules/no-privilege-escalation/no-privilege-escalation.test.ts +0 -306
- package/src/rules/no-redos-vulnerable-regex/index.ts +0 -379
- package/src/rules/no-redos-vulnerable-regex/no-redos-vulnerable-regex.test.ts +0 -83
- package/src/rules/no-sensitive-data-exposure/index.ts +0 -294
- package/src/rules/no-sensitive-data-exposure/no-sensitive-data-exposure.test.ts +0 -262
- package/src/rules/no-sensitive-data-in-analytics/index.ts +0 -73
- package/src/rules/no-sensitive-data-in-analytics/no-sensitive-data-in-analytics.test.ts +0 -42
- package/src/rules/no-sensitive-data-in-cache/index.ts +0 -59
- package/src/rules/no-sensitive-data-in-cache/no-sensitive-data-in-cache.test.ts +0 -32
- package/src/rules/no-sql-injection/index.ts +0 -424
- package/src/rules/no-sql-injection/no-sql-injection.test.ts +0 -303
- package/src/rules/no-timing-attack/index.ts +0 -552
- package/src/rules/no-timing-attack/no-timing-attack.test.ts +0 -348
- package/src/rules/no-toctou-vulnerability/index.ts +0 -250
- package/src/rules/no-toctou-vulnerability/no-toctou-vulnerability.test.ts +0 -60
- package/src/rules/no-tracking-without-consent/index.ts +0 -78
- package/src/rules/no-tracking-without-consent/no-tracking-without-consent.test.ts +0 -34
- package/src/rules/no-unchecked-loop-condition/index.ts +0 -781
- package/src/rules/no-unchecked-loop-condition/no-unchecked-loop-condition.test.ts +0 -459
- package/src/rules/no-unencrypted-local-storage/index.ts +0 -73
- package/src/rules/no-unencrypted-local-storage/no-unencrypted-local-storage.test.ts +0 -41
- package/src/rules/no-unencrypted-transmission/index.ts +0 -296
- package/src/rules/no-unencrypted-transmission/no-unencrypted-transmission.test.ts +0 -287
- package/src/rules/no-unescaped-url-parameter/index.ts +0 -424
- package/src/rules/no-unescaped-url-parameter/no-unescaped-url-parameter.test.ts +0 -263
- package/src/rules/no-unlimited-resource-allocation/index.ts +0 -767
- package/src/rules/no-unlimited-resource-allocation/no-unlimited-resource-allocation.test.ts +0 -544
- package/src/rules/no-unsafe-deserialization/index.ts +0 -593
- package/src/rules/no-unsafe-deserialization/no-unsafe-deserialization.test.ts +0 -310
- package/src/rules/no-unsafe-dynamic-require/index.ts +0 -125
- package/src/rules/no-unsafe-dynamic-require/no-unsafe-dynamic-require.test.ts +0 -151
- package/src/rules/no-unsafe-regex-construction/index.ts +0 -370
- package/src/rules/no-unsafe-regex-construction/no-unsafe-regex-construction.test.ts +0 -181
- package/src/rules/no-unsanitized-html/index.ts +0 -400
- package/src/rules/no-unsanitized-html/no-unsanitized-html.test.ts +0 -488
- package/src/rules/no-unvalidated-deeplinks/index.ts +0 -73
- package/src/rules/no-unvalidated-deeplinks/no-unvalidated-deeplinks.test.ts +0 -29
- package/src/rules/no-unvalidated-user-input/index.ts +0 -498
- package/src/rules/no-unvalidated-user-input/no-unvalidated-user-input.test.ts +0 -463
- package/src/rules/no-verbose-error-messages/index.ts +0 -83
- package/src/rules/no-verbose-error-messages/no-verbose-error-messages.test.ts +0 -34
- package/src/rules/no-weak-crypto/index.ts +0 -447
- package/src/rules/no-weak-crypto/no-weak-crypto.test.ts +0 -297
- package/src/rules/no-weak-password-recovery/index.ts +0 -509
- package/src/rules/no-weak-password-recovery/no-weak-password-recovery.test.ts +0 -184
- package/src/rules/no-xpath-injection/index.ts +0 -596
- package/src/rules/no-xpath-injection/no-xpath-injection.test.ts +0 -405
- package/src/rules/no-xxe-injection/index.ts +0 -342
- package/src/rules/no-xxe-injection/no-xxe-injection.test.ts +0 -122
- package/src/rules/no-zip-slip/index.ts +0 -526
- package/src/rules/no-zip-slip/no-zip-slip.test.ts +0 -305
- package/src/rules/require-backend-authorization/index.ts +0 -71
- package/src/rules/require-backend-authorization/require-backend-authorization.test.ts +0 -31
- package/src/rules/require-code-minification/index.ts +0 -54
- package/src/rules/require-code-minification/require-code-minification.test.ts +0 -30
- package/src/rules/require-csp-headers/index.ts +0 -74
- package/src/rules/require-csp-headers/require-csp-headers.test.ts +0 -34
- package/src/rules/require-data-minimization/index.ts +0 -65
- package/src/rules/require-data-minimization/require-data-minimization.test.ts +0 -31
- package/src/rules/require-dependency-integrity/index.ts +0 -78
- package/src/rules/require-dependency-integrity/require-dependency-integrity.test.ts +0 -44
- package/src/rules/require-https-only/index.ts +0 -75
- package/src/rules/require-https-only/require-https-only.test.ts +0 -26
- package/src/rules/require-mime-type-validation/index.ts +0 -77
- package/src/rules/require-mime-type-validation/require-mime-type-validation.test.ts +0 -32
- package/src/rules/require-network-timeout/index.ts +0 -58
- package/src/rules/require-network-timeout/require-network-timeout.test.ts +0 -26
- package/src/rules/require-package-lock/index.ts +0 -75
- package/src/rules/require-package-lock/require-package-lock.test.ts +0 -27
- package/src/rules/require-secure-credential-storage/index.ts +0 -60
- package/src/rules/require-secure-credential-storage/require-secure-credential-storage.test.ts +0 -26
- package/src/rules/require-secure-defaults/index.ts +0 -54
- package/src/rules/require-secure-defaults/require-secure-defaults.test.ts +0 -26
- package/src/rules/require-secure-deletion/index.ts +0 -52
- package/src/rules/require-secure-deletion/require-secure-deletion.test.ts +0 -29
- package/src/rules/require-storage-encryption/index.ts +0 -60
- package/src/rules/require-storage-encryption/require-storage-encryption.test.ts +0 -26
- package/src/rules/require-url-validation/index.ts +0 -85
- package/src/rules/require-url-validation/require-url-validation.test.ts +0 -32
- package/src/types/index.ts +0 -235
|
@@ -1,424 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* ESLint Rule: no-unescaped-url-parameter
|
|
3
|
-
* Detects unescaped URL parameters
|
|
4
|
-
* CWE-79: Cross-site Scripting (XSS)
|
|
5
|
-
*
|
|
6
|
-
* @see https://cwe.mitre.org/data/definitions/79.html
|
|
7
|
-
* @see https://owasp.org/www-community/attacks/xss/
|
|
8
|
-
*/
|
|
9
|
-
import type { TSESLint, TSESTree } from '@interlace/eslint-devkit';
|
|
10
|
-
import { formatLLMMessage, MessageIcons } from '@interlace/eslint-devkit';
|
|
11
|
-
import { createRule } from '@interlace/eslint-devkit';
|
|
12
|
-
|
|
13
|
-
type MessageIds = 'unescapedUrlParameter' | 'useEncodeURIComponent' | 'useURLSearchParams';
|
|
14
|
-
|
|
15
|
-
export interface Options {
|
|
16
|
-
/** Allow unescaped URL parameters in test files. Default: false */
|
|
17
|
-
allowInTests?: boolean;
|
|
18
|
-
|
|
19
|
-
/** Trusted URL construction libraries. Default: ['url', 'querystring'] */
|
|
20
|
-
trustedLibraries?: string[];
|
|
21
|
-
|
|
22
|
-
/** Additional safe patterns to ignore. Default: [] */
|
|
23
|
-
ignorePatterns?: string[];
|
|
24
|
-
}
|
|
25
|
-
|
|
26
|
-
type RuleOptions = [Options?];
|
|
27
|
-
|
|
28
|
-
/**
|
|
29
|
-
* Check if a node is inside a URL encoding function call
|
|
30
|
-
*/
|
|
31
|
-
function isInsideEncodingCall(
|
|
32
|
-
node: TSESTree.Node,
|
|
33
|
-
sourceCode: TSESLint.SourceCode,
|
|
34
|
-
trustedLibraries: string[]
|
|
35
|
-
): boolean {
|
|
36
|
-
let current: TSESTree.Node | null = node;
|
|
37
|
-
|
|
38
|
-
while (current) {
|
|
39
|
-
if (current.type === 'CallExpression') {
|
|
40
|
-
const callee = current.callee;
|
|
41
|
-
|
|
42
|
-
// Check for encodeURIComponent, encodeURI
|
|
43
|
-
if (callee.type === 'Identifier') {
|
|
44
|
-
const calleeName = callee.name;
|
|
45
|
-
if (['encodeURIComponent', 'encodeURI', 'escape'].includes(calleeName)) {
|
|
46
|
-
return true;
|
|
47
|
-
}
|
|
48
|
-
}
|
|
49
|
-
|
|
50
|
-
// Check if it's a trusted library call
|
|
51
|
-
if (callee.type === 'MemberExpression') {
|
|
52
|
-
const object = callee.object;
|
|
53
|
-
if (object.type === 'Identifier') {
|
|
54
|
-
const objectName = object.name.toLowerCase();
|
|
55
|
-
if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
|
|
56
|
-
return true;
|
|
57
|
-
}
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
}
|
|
61
|
-
|
|
62
|
-
// Traverse up the AST
|
|
63
|
-
if ('parent' in current && current.parent) {
|
|
64
|
-
current = current.parent as TSESTree.Node;
|
|
65
|
-
} else {
|
|
66
|
-
break;
|
|
67
|
-
}
|
|
68
|
-
}
|
|
69
|
-
|
|
70
|
-
return false;
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
/**
|
|
74
|
-
* Check if a string matches any ignore pattern
|
|
75
|
-
*/
|
|
76
|
-
function matchesIgnorePattern(text: string, ignorePatterns: string[]): boolean {
|
|
77
|
-
return ignorePatterns.some(pattern => {
|
|
78
|
-
try {
|
|
79
|
-
const regex = new RegExp(pattern, 'i');
|
|
80
|
-
return regex.test(text);
|
|
81
|
-
} catch {
|
|
82
|
-
return false;
|
|
83
|
-
}
|
|
84
|
-
});
|
|
85
|
-
}
|
|
86
|
-
|
|
87
|
-
/**
|
|
88
|
-
* Check if a node is a URL construction pattern
|
|
89
|
-
*/
|
|
90
|
-
function isUrlConstruction(node: TSESTree.Node, sourceCode: TSESLint.SourceCode): boolean {
|
|
91
|
-
let text = sourceCode.getText(node);
|
|
92
|
-
|
|
93
|
-
// For template literals, combine raw strings to improve pattern detection
|
|
94
|
-
if (node.type === 'TemplateLiteral') {
|
|
95
|
-
text = node.quasis.map(q => q.value.raw).join('');
|
|
96
|
-
}
|
|
97
|
-
|
|
98
|
-
// Check for URL construction patterns
|
|
99
|
-
const urlPatterns = [
|
|
100
|
-
/\bhttps?:\/\//, // HTTP/HTTPS URLs
|
|
101
|
-
/\bnew\s+URL\s*\(/,
|
|
102
|
-
/\burl\s*[=:]\s*/, // url = or url:
|
|
103
|
-
/\burl\s*\+/, // url +
|
|
104
|
-
/\bwindow\.location/,
|
|
105
|
-
/\blocation\.href/,
|
|
106
|
-
/\bwindow\.open\s*\(/,
|
|
107
|
-
/\?[^=]+=/, // Query parameters
|
|
108
|
-
];
|
|
109
|
-
|
|
110
|
-
return urlPatterns.some(pattern => pattern.test(text));
|
|
111
|
-
}
|
|
112
|
-
|
|
113
|
-
export const noUnescapedUrlParameter = createRule<RuleOptions, MessageIds>({
|
|
114
|
-
name: 'no-unescaped-url-parameter',
|
|
115
|
-
meta: {
|
|
116
|
-
type: 'problem',
|
|
117
|
-
docs: {
|
|
118
|
-
description: 'Detects unescaped URL parameters',
|
|
119
|
-
},
|
|
120
|
-
hasSuggestions: true,
|
|
121
|
-
messages: {
|
|
122
|
-
unescapedUrlParameter: formatLLMMessage({
|
|
123
|
-
icon: MessageIcons.SECURITY,
|
|
124
|
-
issueName: 'Unescaped URL Parameter',
|
|
125
|
-
cwe: 'CWE-79',
|
|
126
|
-
description: 'Unescaped URL parameter detected: {{parameter}}',
|
|
127
|
-
severity: 'HIGH',
|
|
128
|
-
fix: '{{safeAlternative}}',
|
|
129
|
-
documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
|
|
130
|
-
}),
|
|
131
|
-
useEncodeURIComponent: formatLLMMessage({
|
|
132
|
-
icon: MessageIcons.INFO,
|
|
133
|
-
issueName: 'Use encodeURIComponent',
|
|
134
|
-
description: 'Use encodeURIComponent for URL params',
|
|
135
|
-
severity: 'LOW',
|
|
136
|
-
fix: '`https://example.com?q=${encodeURIComponent(param)}`',
|
|
137
|
-
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent',
|
|
138
|
-
}),
|
|
139
|
-
useURLSearchParams: formatLLMMessage({
|
|
140
|
-
icon: MessageIcons.INFO,
|
|
141
|
-
issueName: 'Use URLSearchParams',
|
|
142
|
-
description: 'Use URLSearchParams for safe URL construction',
|
|
143
|
-
severity: 'LOW',
|
|
144
|
-
fix: 'new URLSearchParams({ q: param }).toString()',
|
|
145
|
-
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams',
|
|
146
|
-
}),
|
|
147
|
-
},
|
|
148
|
-
schema: [
|
|
149
|
-
{
|
|
150
|
-
type: 'object',
|
|
151
|
-
properties: {
|
|
152
|
-
allowInTests: {
|
|
153
|
-
type: 'boolean',
|
|
154
|
-
default: false,
|
|
155
|
-
description: 'Allow unescaped URL parameters in test files',
|
|
156
|
-
},
|
|
157
|
-
trustedLibraries: {
|
|
158
|
-
type: 'array',
|
|
159
|
-
items: { type: 'string' },
|
|
160
|
-
default: ['url', 'querystring'],
|
|
161
|
-
description: 'Trusted URL construction libraries',
|
|
162
|
-
},
|
|
163
|
-
ignorePatterns: {
|
|
164
|
-
type: 'array',
|
|
165
|
-
items: { type: 'string' },
|
|
166
|
-
default: [],
|
|
167
|
-
description: 'Additional safe patterns to ignore',
|
|
168
|
-
},
|
|
169
|
-
},
|
|
170
|
-
additionalProperties: false,
|
|
171
|
-
},
|
|
172
|
-
],
|
|
173
|
-
},
|
|
174
|
-
defaultOptions: [
|
|
175
|
-
{
|
|
176
|
-
allowInTests: false,
|
|
177
|
-
trustedLibraries: ['url', 'querystring'],
|
|
178
|
-
ignorePatterns: [],
|
|
179
|
-
},
|
|
180
|
-
],
|
|
181
|
-
create(
|
|
182
|
-
context: TSESLint.RuleContext<MessageIds, RuleOptions>,
|
|
183
|
-
[options = {}]
|
|
184
|
-
) {
|
|
185
|
-
const {
|
|
186
|
-
allowInTests = false,
|
|
187
|
-
trustedLibraries = ['url', 'querystring'],
|
|
188
|
-
ignorePatterns = [],
|
|
189
|
-
} = options as Options;
|
|
190
|
-
|
|
191
|
-
const filename = context.getFilename();
|
|
192
|
-
const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
|
|
193
|
-
const sourceCode = context.sourceCode || context.sourceCode;
|
|
194
|
-
|
|
195
|
-
function checkTemplateLiteral(node: TSESTree.TemplateLiteral) {
|
|
196
|
-
if (isTestFile) {
|
|
197
|
-
return;
|
|
198
|
-
}
|
|
199
|
-
|
|
200
|
-
// Check if this is a URL construction
|
|
201
|
-
if (!isUrlConstruction(node, sourceCode)) {
|
|
202
|
-
return;
|
|
203
|
-
}
|
|
204
|
-
|
|
205
|
-
// Check each expression in the template
|
|
206
|
-
for (const expression of node.expressions) {
|
|
207
|
-
const text = sourceCode.getText(expression);
|
|
208
|
-
|
|
209
|
-
// Check if it matches any ignore pattern
|
|
210
|
-
if (matchesIgnorePattern(text, ignorePatterns)) {
|
|
211
|
-
continue;
|
|
212
|
-
}
|
|
213
|
-
|
|
214
|
-
// Check if it's already encoded
|
|
215
|
-
if (isInsideEncodingCall(expression, sourceCode, trustedLibraries)) {
|
|
216
|
-
continue;
|
|
217
|
-
}
|
|
218
|
-
|
|
219
|
-
// Check if it's a user input pattern
|
|
220
|
-
const userInputPatterns = [
|
|
221
|
-
/\breq\.(query|params|body|headers|cookies)/,
|
|
222
|
-
/\brequest\.(query|params|body)/,
|
|
223
|
-
/\buserInput\b/i,
|
|
224
|
-
/\binput\b/i,
|
|
225
|
-
/\bsearchParams\b/,
|
|
226
|
-
/\bparam\b/i, // Generic param variable
|
|
227
|
-
];
|
|
228
|
-
|
|
229
|
-
// Check both the expression text and the full template literal
|
|
230
|
-
// This catches nested patterns like req.query.id
|
|
231
|
-
const fullText = sourceCode.getText(node);
|
|
232
|
-
const exprText = sourceCode.getText(expression);
|
|
233
|
-
const isUserInput = userInputPatterns.some(pattern => pattern.test(text)) ||
|
|
234
|
-
userInputPatterns.some(pattern => pattern.test(fullText)) ||
|
|
235
|
-
userInputPatterns.some(pattern => pattern.test(exprText)) ||
|
|
236
|
-
// Also check for nested member expressions like req.query.id
|
|
237
|
-
(expression.type === 'MemberExpression' &&
|
|
238
|
-
userInputPatterns.some(pattern => {
|
|
239
|
-
// Check the full expression including nested properties
|
|
240
|
-
return pattern.test(exprText);
|
|
241
|
-
}));
|
|
242
|
-
|
|
243
|
-
if (isUserInput) {
|
|
244
|
-
context.report({
|
|
245
|
-
node: expression,
|
|
246
|
-
messageId: 'unescapedUrlParameter',
|
|
247
|
-
data: {
|
|
248
|
-
parameter: text,
|
|
249
|
-
safeAlternative: `Use encodeURIComponent() or URLSearchParams: const url = \`https://example.com?q=\${encodeURIComponent(${text})}\`;`,
|
|
250
|
-
},
|
|
251
|
-
suggest: [
|
|
252
|
-
{
|
|
253
|
-
messageId: 'useEncodeURIComponent',
|
|
254
|
-
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
255
|
-
fix: (_fixer: TSESLint.RuleFixer) => null,
|
|
256
|
-
},
|
|
257
|
-
{
|
|
258
|
-
messageId: 'useURLSearchParams',
|
|
259
|
-
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
260
|
-
fix: (_fixer: TSESLint.RuleFixer) => null,
|
|
261
|
-
},
|
|
262
|
-
],
|
|
263
|
-
});
|
|
264
|
-
}
|
|
265
|
-
}
|
|
266
|
-
}
|
|
267
|
-
|
|
268
|
-
function checkBinaryExpression(node: TSESTree.BinaryExpression) {
|
|
269
|
-
if (isTestFile) {
|
|
270
|
-
return;
|
|
271
|
-
}
|
|
272
|
-
|
|
273
|
-
// Check for string concatenation in URL construction
|
|
274
|
-
if (node.operator === '+') {
|
|
275
|
-
if (!isUrlConstruction(node, sourceCode)) {
|
|
276
|
-
return;
|
|
277
|
-
}
|
|
278
|
-
|
|
279
|
-
// Check right side (usually the parameter)
|
|
280
|
-
if (node.right.type !== 'Literal') {
|
|
281
|
-
const rightText = sourceCode.getText(node.right);
|
|
282
|
-
|
|
283
|
-
// Check if it matches any ignore pattern
|
|
284
|
-
if (matchesIgnorePattern(rightText, ignorePatterns)) {
|
|
285
|
-
return;
|
|
286
|
-
}
|
|
287
|
-
|
|
288
|
-
// Check if it's already encoded
|
|
289
|
-
if (isInsideEncodingCall(node.right, sourceCode, trustedLibraries)) {
|
|
290
|
-
return;
|
|
291
|
-
}
|
|
292
|
-
|
|
293
|
-
// Check if it's a user input pattern
|
|
294
|
-
const userInputPatterns = [
|
|
295
|
-
/\breq\.(query|params|body)/,
|
|
296
|
-
/\brequest\.(query|params|body)/,
|
|
297
|
-
/\buserInput\b/,
|
|
298
|
-
/\binput\b/,
|
|
299
|
-
];
|
|
300
|
-
|
|
301
|
-
const isUserInput = userInputPatterns.some(pattern => pattern.test(rightText));
|
|
302
|
-
|
|
303
|
-
if (isUserInput) {
|
|
304
|
-
context.report({
|
|
305
|
-
node: node.right,
|
|
306
|
-
messageId: 'unescapedUrlParameter',
|
|
307
|
-
data: {
|
|
308
|
-
parameter: rightText,
|
|
309
|
-
safeAlternative: `Use encodeURIComponent(): ${sourceCode.getText(node.left)} + encodeURIComponent(${rightText})`,
|
|
310
|
-
},
|
|
311
|
-
suggest: [
|
|
312
|
-
{
|
|
313
|
-
messageId: 'useEncodeURIComponent',
|
|
314
|
-
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
315
|
-
fix: (_fixer: TSESLint.RuleFixer) => null,
|
|
316
|
-
},
|
|
317
|
-
],
|
|
318
|
-
});
|
|
319
|
-
}
|
|
320
|
-
}
|
|
321
|
-
}
|
|
322
|
-
}
|
|
323
|
-
|
|
324
|
-
function isUserControlled(node: TSESTree.Node, visited = new Set<string>()): boolean {
|
|
325
|
-
const text = sourceCode.getText(node);
|
|
326
|
-
|
|
327
|
-
const patterns = [
|
|
328
|
-
/\breq\.(query|params|body|headers|cookies)/,
|
|
329
|
-
/\brequest\.(query|params|body)/,
|
|
330
|
-
/\buserInput\b/i,
|
|
331
|
-
/\binput\b/i,
|
|
332
|
-
/\bsearchParams\b/,
|
|
333
|
-
/\bparam\b/i,
|
|
334
|
-
/\breturnUrl\b/i,
|
|
335
|
-
/\burl\b/i,
|
|
336
|
-
/\bredirect\b/i,
|
|
337
|
-
/\bnext\b/i,
|
|
338
|
-
];
|
|
339
|
-
|
|
340
|
-
if (patterns.some(p => p.test(text))) return true;
|
|
341
|
-
|
|
342
|
-
// Trace identifiers
|
|
343
|
-
if (node.type === 'Identifier') {
|
|
344
|
-
if (visited.has(node.name)) return false;
|
|
345
|
-
visited.add(node.name);
|
|
346
|
-
|
|
347
|
-
const scope = sourceCode.getScope(node);
|
|
348
|
-
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
349
|
-
const variable = scope.variables.find((v: any) => v.name === node.name);
|
|
350
|
-
|
|
351
|
-
if (variable && variable.defs.length > 0) {
|
|
352
|
-
const def = variable.defs[0];
|
|
353
|
-
if (def.type === 'Variable' && def.node.init) {
|
|
354
|
-
const init = def.node.init;
|
|
355
|
-
// Check if init is constructed from other user inputs
|
|
356
|
-
if (isUserControlled(init, visited)) return true;
|
|
357
|
-
|
|
358
|
-
// Check if init is a TemplateLiteral containing user inputs in expressions
|
|
359
|
-
if (init.type === 'TemplateLiteral') {
|
|
360
|
-
return init.expressions.some(expr => isUserControlled(expr, visited));
|
|
361
|
-
}
|
|
362
|
-
|
|
363
|
-
// Check if init is BinaryExpression (concatenation)
|
|
364
|
-
if (init.type === 'BinaryExpression') {
|
|
365
|
-
return isUserControlled(init.left, visited) || isUserControlled(init.right, visited);
|
|
366
|
-
}
|
|
367
|
-
}
|
|
368
|
-
}
|
|
369
|
-
}
|
|
370
|
-
return false;
|
|
371
|
-
}
|
|
372
|
-
|
|
373
|
-
return {
|
|
374
|
-
TemplateLiteral: checkTemplateLiteral,
|
|
375
|
-
BinaryExpression: checkBinaryExpression,
|
|
376
|
-
AssignmentExpression(node: TSESTree.AssignmentExpression) {
|
|
377
|
-
if (isTestFile) return;
|
|
378
|
-
|
|
379
|
-
// Check for window.location = ... or window.location.href = ...
|
|
380
|
-
const left = node.left;
|
|
381
|
-
let isLocationAssignment = false;
|
|
382
|
-
|
|
383
|
-
if (left.type === 'MemberExpression') {
|
|
384
|
-
const objectName = left.object.type === 'Identifier' ? left.object.name :
|
|
385
|
-
(left.object.type === 'MemberExpression' ? sourceCode.getText(left.object) : '');
|
|
386
|
-
const propName = left.property.type === 'Identifier' ? left.property.name : '';
|
|
387
|
-
|
|
388
|
-
if ((objectName === 'window' && propName === 'location') ||
|
|
389
|
-
(propName === 'href' && objectName.includes('location'))) {
|
|
390
|
-
isLocationAssignment = true;
|
|
391
|
-
}
|
|
392
|
-
} else if (left.type === 'Identifier' && left.name === 'location') {
|
|
393
|
-
// In browser location = ... is valid
|
|
394
|
-
isLocationAssignment = true;
|
|
395
|
-
}
|
|
396
|
-
|
|
397
|
-
if (isLocationAssignment) {
|
|
398
|
-
const right = node.right;
|
|
399
|
-
const rightText = sourceCode.getText(right);
|
|
400
|
-
|
|
401
|
-
// Skip TemplateLiteral and BinaryExpression as they are covered by their own visitors
|
|
402
|
-
if (right.type === 'TemplateLiteral' || right.type === 'BinaryExpression') {
|
|
403
|
-
return;
|
|
404
|
-
}
|
|
405
|
-
|
|
406
|
-
if (matchesIgnorePattern(rightText, ignorePatterns)) return;
|
|
407
|
-
if (isInsideEncodingCall(right, sourceCode, trustedLibraries)) return;
|
|
408
|
-
|
|
409
|
-
if (isUserControlled(right)) {
|
|
410
|
-
context.report({
|
|
411
|
-
node: right,
|
|
412
|
-
messageId: 'unescapedUrlParameter',
|
|
413
|
-
data: {
|
|
414
|
-
parameter: rightText,
|
|
415
|
-
safeAlternative: 'Validate and encode URL before redirecting',
|
|
416
|
-
}
|
|
417
|
-
});
|
|
418
|
-
}
|
|
419
|
-
}
|
|
420
|
-
}
|
|
421
|
-
};
|
|
422
|
-
},
|
|
423
|
-
});
|
|
424
|
-
|
|
@@ -1,263 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Comprehensive tests for no-unescaped-url-parameter rule
|
|
3
|
-
* CWE-79: Cross-site Scripting (XSS)
|
|
4
|
-
*/
|
|
5
|
-
import { RuleTester } from '@typescript-eslint/rule-tester';
|
|
6
|
-
import { describe, it, afterAll } from 'vitest';
|
|
7
|
-
import parser from '@typescript-eslint/parser';
|
|
8
|
-
import { noUnescapedUrlParameter } from './index';
|
|
9
|
-
|
|
10
|
-
// Configure RuleTester for Vitest
|
|
11
|
-
RuleTester.afterAll = afterAll;
|
|
12
|
-
RuleTester.it = it;
|
|
13
|
-
RuleTester.itOnly = it.only;
|
|
14
|
-
RuleTester.describe = describe;
|
|
15
|
-
|
|
16
|
-
// Use Flat Config format (ESLint 9+)
|
|
17
|
-
const ruleTester = new RuleTester({
|
|
18
|
-
languageOptions: {
|
|
19
|
-
parser,
|
|
20
|
-
ecmaVersion: 2022,
|
|
21
|
-
sourceType: 'module',
|
|
22
|
-
parserOptions: {
|
|
23
|
-
ecmaFeatures: {
|
|
24
|
-
jsx: true,
|
|
25
|
-
},
|
|
26
|
-
},
|
|
27
|
-
},
|
|
28
|
-
});
|
|
29
|
-
|
|
30
|
-
describe('no-unescaped-url-parameter', () => {
|
|
31
|
-
describe('Valid Code', () => {
|
|
32
|
-
ruleTester.run('valid - escaped URL parameters', noUnescapedUrlParameter, {
|
|
33
|
-
valid: [
|
|
34
|
-
// Using encodeURIComponent
|
|
35
|
-
{
|
|
36
|
-
code: 'const url = `https://example.com?q=${encodeURIComponent(param)}`;',
|
|
37
|
-
},
|
|
38
|
-
{
|
|
39
|
-
code: 'const url = "https://example.com?q=" + encodeURIComponent(param);',
|
|
40
|
-
},
|
|
41
|
-
// Using URLSearchParams
|
|
42
|
-
{
|
|
43
|
-
code: 'const params = new URLSearchParams({ q: param }); const url = `https://example.com?${params}`;',
|
|
44
|
-
},
|
|
45
|
-
// Using encodeURI
|
|
46
|
-
{
|
|
47
|
-
code: 'const url = `https://example.com/${encodeURI(path)}`;',
|
|
48
|
-
},
|
|
49
|
-
// Test files (when allowInTests is true)
|
|
50
|
-
{
|
|
51
|
-
code: 'const url = `https://example.com?q=${param}`;',
|
|
52
|
-
filename: 'test.spec.ts',
|
|
53
|
-
options: [{ allowInTests: true }],
|
|
54
|
-
},
|
|
55
|
-
// Ignored patterns
|
|
56
|
-
{
|
|
57
|
-
code: 'const url = `https://example.com?q=${safeParam}`;',
|
|
58
|
-
options: [{ ignorePatterns: ['safeParam'] }],
|
|
59
|
-
},
|
|
60
|
-
// Non-URL strings
|
|
61
|
-
{
|
|
62
|
-
code: 'const message = `Hello ${name}`;',
|
|
63
|
-
},
|
|
64
|
-
],
|
|
65
|
-
invalid: [],
|
|
66
|
-
});
|
|
67
|
-
});
|
|
68
|
-
|
|
69
|
-
describe('Invalid Code - Template Literals', () => {
|
|
70
|
-
ruleTester.run('invalid - unescaped in template literal', noUnescapedUrlParameter, {
|
|
71
|
-
valid: [],
|
|
72
|
-
invalid: [
|
|
73
|
-
{
|
|
74
|
-
code: 'const url = `https://example.com?q=${req.query.q}`;',
|
|
75
|
-
errors: [
|
|
76
|
-
{
|
|
77
|
-
messageId: 'unescapedUrlParameter',
|
|
78
|
-
},
|
|
79
|
-
],
|
|
80
|
-
},
|
|
81
|
-
{
|
|
82
|
-
code: 'const url = `https://example.com?search=${userInput}`;',
|
|
83
|
-
errors: [
|
|
84
|
-
{
|
|
85
|
-
messageId: 'unescapedUrlParameter',
|
|
86
|
-
},
|
|
87
|
-
],
|
|
88
|
-
},
|
|
89
|
-
{
|
|
90
|
-
code: 'const url = `https://example.com?id=${req.params.id}`;',
|
|
91
|
-
errors: [
|
|
92
|
-
{
|
|
93
|
-
messageId: 'unescapedUrlParameter',
|
|
94
|
-
},
|
|
95
|
-
],
|
|
96
|
-
},
|
|
97
|
-
],
|
|
98
|
-
});
|
|
99
|
-
});
|
|
100
|
-
|
|
101
|
-
describe('Invalid Code - String Concatenation', () => {
|
|
102
|
-
ruleTester.run('invalid - unescaped in string concatenation', noUnescapedUrlParameter, {
|
|
103
|
-
valid: [],
|
|
104
|
-
invalid: [
|
|
105
|
-
{
|
|
106
|
-
code: 'const url = "https://example.com?q=" + req.query.q;',
|
|
107
|
-
errors: [
|
|
108
|
-
{
|
|
109
|
-
messageId: 'unescapedUrlParameter',
|
|
110
|
-
},
|
|
111
|
-
],
|
|
112
|
-
},
|
|
113
|
-
{
|
|
114
|
-
code: 'const url = "https://example.com?search=" + userInput;',
|
|
115
|
-
errors: [
|
|
116
|
-
{
|
|
117
|
-
messageId: 'unescapedUrlParameter',
|
|
118
|
-
},
|
|
119
|
-
],
|
|
120
|
-
},
|
|
121
|
-
],
|
|
122
|
-
});
|
|
123
|
-
});
|
|
124
|
-
|
|
125
|
-
describe('Options', () => {
|
|
126
|
-
ruleTester.run('options - allowInTests', noUnescapedUrlParameter, {
|
|
127
|
-
valid: [
|
|
128
|
-
{
|
|
129
|
-
code: 'const url = `https://example.com?q=${param}`;',
|
|
130
|
-
filename: 'test.spec.ts',
|
|
131
|
-
options: [{ allowInTests: true }],
|
|
132
|
-
},
|
|
133
|
-
],
|
|
134
|
-
invalid: [
|
|
135
|
-
{
|
|
136
|
-
code: 'const url = `https://example.com?q=${param}`;',
|
|
137
|
-
filename: 'handler.ts',
|
|
138
|
-
options: [{ allowInTests: true }],
|
|
139
|
-
errors: [
|
|
140
|
-
{
|
|
141
|
-
messageId: 'unescapedUrlParameter',
|
|
142
|
-
},
|
|
143
|
-
],
|
|
144
|
-
},
|
|
145
|
-
],
|
|
146
|
-
});
|
|
147
|
-
|
|
148
|
-
ruleTester.run('options - ignorePatterns with invalid regex', noUnescapedUrlParameter, {
|
|
149
|
-
valid: [
|
|
150
|
-
{
|
|
151
|
-
code: 'const url = `https://example.com?q=${testParam}`;',
|
|
152
|
-
options: [{ ignorePatterns: ['['] }], // Invalid regex should be caught
|
|
153
|
-
},
|
|
154
|
-
],
|
|
155
|
-
invalid: [],
|
|
156
|
-
});
|
|
157
|
-
|
|
158
|
-
ruleTester.run('options - trustedLibraries', noUnescapedUrlParameter, {
|
|
159
|
-
valid: [
|
|
160
|
-
{
|
|
161
|
-
code: 'const url = `https://example.com?q=${myLib.encode(param)}`;',
|
|
162
|
-
options: [{ trustedLibraries: ['myLib'] }],
|
|
163
|
-
},
|
|
164
|
-
],
|
|
165
|
-
invalid: [],
|
|
166
|
-
});
|
|
167
|
-
});
|
|
168
|
-
|
|
169
|
-
describe('Edge Cases', () => {
|
|
170
|
-
ruleTester.run('edge cases - non-URL template literals', noUnescapedUrlParameter, {
|
|
171
|
-
valid: [
|
|
172
|
-
{
|
|
173
|
-
code: 'const message = `Hello ${name}`;',
|
|
174
|
-
},
|
|
175
|
-
{
|
|
176
|
-
code: 'const path = `/users/${id}`;',
|
|
177
|
-
},
|
|
178
|
-
{
|
|
179
|
-
code: 'const file = `./${filename}.txt`;',
|
|
180
|
-
},
|
|
181
|
-
],
|
|
182
|
-
invalid: [],
|
|
183
|
-
});
|
|
184
|
-
|
|
185
|
-
ruleTester.run('edge cases - binary expression with literal', noUnescapedUrlParameter, {
|
|
186
|
-
valid: [
|
|
187
|
-
{
|
|
188
|
-
code: 'const url = "https://example.com?q=" + "test";',
|
|
189
|
-
},
|
|
190
|
-
],
|
|
191
|
-
invalid: [],
|
|
192
|
-
});
|
|
193
|
-
|
|
194
|
-
ruleTester.run('edge cases - already encoded in template', noUnescapedUrlParameter, {
|
|
195
|
-
valid: [
|
|
196
|
-
{
|
|
197
|
-
code: 'const url = `https://example.com?q=${encodeURIComponent(req.query.q)}`;',
|
|
198
|
-
},
|
|
199
|
-
{
|
|
200
|
-
code: 'const url = `https://example.com?q=${encodeURI(path)}`;',
|
|
201
|
-
},
|
|
202
|
-
{
|
|
203
|
-
code: 'const url = `https://example.com?q=${escape(input)}`;',
|
|
204
|
-
},
|
|
205
|
-
],
|
|
206
|
-
invalid: [],
|
|
207
|
-
});
|
|
208
|
-
|
|
209
|
-
ruleTester.run('edge cases - already encoded in binary', noUnescapedUrlParameter, {
|
|
210
|
-
valid: [
|
|
211
|
-
{
|
|
212
|
-
code: 'const url = "https://example.com?q=" + encodeURIComponent(req.query.q);',
|
|
213
|
-
},
|
|
214
|
-
],
|
|
215
|
-
invalid: [],
|
|
216
|
-
});
|
|
217
|
-
|
|
218
|
-
ruleTester.run('edge cases - different URL patterns', noUnescapedUrlParameter, {
|
|
219
|
-
valid: [],
|
|
220
|
-
invalid: [
|
|
221
|
-
{
|
|
222
|
-
code: 'const url = new URL(`https://example.com?q=${req.query.q}`);',
|
|
223
|
-
errors: [
|
|
224
|
-
{
|
|
225
|
-
messageId: 'unescapedUrlParameter',
|
|
226
|
-
},
|
|
227
|
-
],
|
|
228
|
-
},
|
|
229
|
-
{
|
|
230
|
-
code: 'window.location.href = `https://example.com?q=${userInput}`;',
|
|
231
|
-
errors: [
|
|
232
|
-
{
|
|
233
|
-
messageId: 'unescapedUrlParameter',
|
|
234
|
-
},
|
|
235
|
-
],
|
|
236
|
-
},
|
|
237
|
-
{
|
|
238
|
-
code: 'window.open(`https://example.com?q=${input}`);',
|
|
239
|
-
errors: [
|
|
240
|
-
{
|
|
241
|
-
messageId: 'unescapedUrlParameter',
|
|
242
|
-
},
|
|
243
|
-
],
|
|
244
|
-
},
|
|
245
|
-
],
|
|
246
|
-
});
|
|
247
|
-
|
|
248
|
-
ruleTester.run('edge cases - searchParams pattern', noUnescapedUrlParameter, {
|
|
249
|
-
valid: [],
|
|
250
|
-
invalid: [
|
|
251
|
-
{
|
|
252
|
-
code: 'const url = `https://example.com?q=${searchParams.get("id")}`;',
|
|
253
|
-
errors: [
|
|
254
|
-
{
|
|
255
|
-
messageId: 'unescapedUrlParameter',
|
|
256
|
-
},
|
|
257
|
-
],
|
|
258
|
-
},
|
|
259
|
-
],
|
|
260
|
-
});
|
|
261
|
-
});
|
|
262
|
-
});
|
|
263
|
-
|