eslint-plugin-secure-coding 2.3.4 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/CHANGELOG.md +51 -1
  2. package/README.md +3 -2
  3. package/package.json +2 -9
  4. package/src/index.d.ts +1 -1
  5. package/src/index.js +0 -49
  6. package/src/types/index.d.ts +4 -29
  7. package/src/types/index.js +3 -4
  8. package/src/rules/database-injection/index.d.ts +0 -13
  9. package/src/rules/database-injection/index.js +0 -406
  10. package/src/rules/no-credentials-in-storage-api/index.d.ts +0 -6
  11. package/src/rules/no-credentials-in-storage-api/index.js +0 -54
  12. package/src/rules/no-document-cookie/index.d.ts +0 -5
  13. package/src/rules/no-document-cookie/index.js +0 -89
  14. package/src/rules/no-insecure-cookie-settings/index.d.ts +0 -9
  15. package/src/rules/no-insecure-cookie-settings/index.js +0 -306
  16. package/src/rules/no-insecure-jwt/index.d.ts +0 -10
  17. package/src/rules/no-insecure-jwt/index.js +0 -380
  18. package/src/rules/no-insufficient-postmessage-validation/index.d.ts +0 -14
  19. package/src/rules/no-insufficient-postmessage-validation/index.js +0 -392
  20. package/src/rules/no-insufficient-random/index.d.ts +0 -9
  21. package/src/rules/no-insufficient-random/index.js +0 -208
  22. package/src/rules/no-postmessage-origin-wildcard/index.d.ts +0 -8
  23. package/src/rules/no-postmessage-origin-wildcard/index.js +0 -56
  24. package/src/rules/no-sql-injection/index.d.ts +0 -10
  25. package/src/rules/no-sql-injection/index.js +0 -335
  26. package/src/rules/no-timing-attack/index.d.ts +0 -10
  27. package/src/rules/no-timing-attack/index.js +0 -447
  28. package/src/rules/no-unencrypted-local-storage/index.d.ts +0 -8
  29. package/src/rules/no-unencrypted-local-storage/index.js +0 -61
  30. package/src/rules/no-unsanitized-html/index.d.ts +0 -9
  31. package/src/rules/no-unsanitized-html/index.js +0 -335
  32. package/src/rules/no-weak-crypto/index.d.ts +0 -11
  33. package/src/rules/no-weak-crypto/index.js +0 -351
package/src/rules/no-insecure-jwt/index.js DELETED
@@ -1,380 +0,0 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.noInsecureJwt = void 0;
4
- const eslint_devkit_1 = require("@interlace/eslint-devkit");
5
- const eslint_devkit_2 = require("@interlace/eslint-devkit");
6
- const eslint_devkit_3 = require("@interlace/eslint-devkit");
7
- exports.noInsecureJwt = (0, eslint_devkit_1.createRule)({
8
- name: 'no-insecure-jwt',
9
- meta: {
10
- type: 'problem',
11
- deprecated: true,
12
- replacedBy: ['@see eslint-plugin-jwt for 13 specialized JWT security rules'],
13
- docs: {
14
- description: 'Detects insecure JWT operations and missing signature verification',
15
- },
16
- fixable: 'code',
17
- hasSuggestions: true,
18
- messages: {
19
- insecureJwtAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
20
- icon: eslint_devkit_2.MessageIcons.SECURITY,
21
- issueName: 'Insecure JWT Algorithm',
22
- cwe: 'CWE-347',
23
- description: 'JWT algorithm confusion vulnerability',
24
- severity: 'CRITICAL',
25
- fix: 'Use RS256/ES256 and validate algorithm before verification',
26
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
27
- }),
28
- missingSignatureVerification: (0, eslint_devkit_2.formatLLMMessage)({
29
- icon: eslint_devkit_2.MessageIcons.SECURITY,
30
- issueName: 'Missing JWT Signature Verification',
31
- cwe: 'CWE-347',
32
- description: 'JWT parsed without signature verification',
33
- severity: 'CRITICAL',
34
- fix: 'Use jwt.verify() instead of jwt.decode()',
35
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
36
- }),
37
- weakJwtSecret: (0, eslint_devkit_2.formatLLMMessage)({
38
- icon: eslint_devkit_2.MessageIcons.SECURITY,
39
- issueName: 'Weak JWT Secret',
40
- cwe: 'CWE-347',
41
- description: 'JWT signed with weak/insufficient secret',
42
- severity: 'HIGH',
43
- fix: 'Use minimum 256-bit secret (32+ characters)',
44
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
45
- }),
46
- jwtWithoutValidation: (0, eslint_devkit_2.formatLLMMessage)({
47
- icon: eslint_devkit_2.MessageIcons.SECURITY,
48
- issueName: 'JWT Without Validation',
49
- cwe: 'CWE-347',
50
- description: 'JWT used without proper validation',
51
- severity: 'HIGH',
52
- fix: 'Verify JWT signature before trusting payload',
53
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
54
- }),
55
- unsafeJwtParsing: (0, eslint_devkit_2.formatLLMMessage)({
56
- icon: eslint_devkit_2.MessageIcons.SECURITY,
57
- issueName: 'Unsafe JWT Parsing',
58
- cwe: 'CWE-347',
59
- description: 'Unsafe JWT parsing pattern detected',
60
- severity: 'MEDIUM',
61
- fix: 'Use verified JWT libraries with proper error handling',
62
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
63
- }),
64
- useSecureJwtLibrary: (0, eslint_devkit_2.formatLLMMessage)({
65
- icon: eslint_devkit_2.MessageIcons.INFO,
66
- issueName: 'Use Secure JWT Library',
67
- description: 'Use jsonwebtoken or jose library',
68
- severity: 'LOW',
69
- fix: 'npm install jsonwebtoken && use jwt.verify()',
70
- documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
71
- }),
72
- verifyBeforeTrust: (0, eslint_devkit_2.formatLLMMessage)({
73
- icon: eslint_devkit_2.MessageIcons.INFO,
74
- issueName: 'Verify Before Trust',
75
- description: 'Always verify JWT signature before using payload',
76
- severity: 'LOW',
77
- fix: 'jwt.verify(token, secret, callback)',
78
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
79
- }),
80
- strategyUseVerifiedLibrary: (0, eslint_devkit_2.formatLLMMessage)({
81
- icon: eslint_devkit_2.MessageIcons.STRATEGY,
82
- issueName: 'Verified Library Strategy',
83
- description: 'Use battle-tested JWT libraries',
84
- severity: 'LOW',
85
- fix: 'Use jsonwebtoken, jose, or jwt libraries',
86
- documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
87
- }),
88
- strategyValidateAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
89
- icon: eslint_devkit_2.MessageIcons.STRATEGY,
90
- issueName: 'Algorithm Validation Strategy',
91
- description: 'Validate algorithms before use',
92
- severity: 'LOW',
93
- fix: 'Whitelist allowed algorithms: ["RS256", "ES256"]',
94
- documentationLink: 'https://tools.ietf.org/html/rfc8725',
95
- }),
96
- strategyStrongSecrets: (0, eslint_devkit_2.formatLLMMessage)({
97
- icon: eslint_devkit_2.MessageIcons.STRATEGY,
98
- issueName: 'Strong Secrets Strategy',
99
- description: 'Use cryptographically strong secrets',
100
- severity: 'LOW',
101
- fix: 'Generate 256-bit secrets: crypto.randomBytes(32)',
102
- documentationLink: 'https://nodejs.org/api/crypto.html',
103
- })
104
- },
105
- schema: [
106
- {
107
- type: 'object',
108
- properties: {
109
- allowedInsecureAlgorithms: {
110
- type: 'array',
111
- items: { type: 'string' },
112
- default: [],
113
- },
114
- minSecretLength: {
115
- type: 'number',
116
- minimum: 16,
117
- default: 32,
118
- },
119
- trustedJwtLibraries: {
120
- type: 'array',
121
- items: { type: 'string' },
122
- default: ['jsonwebtoken', 'jose', 'jwt'],
123
- },
124
- trustedSanitizers: {
125
- type: 'array',
126
- items: { type: 'string' },
127
- default: [],
128
- description: 'Additional function names to consider as JWT validators',
129
- },
130
- trustedAnnotations: {
131
- type: 'array',
132
- items: { type: 'string' },
133
- default: [],
134
- description: 'Additional JSDoc annotations to consider as safe markers',
135
- },
136
- strictMode: {
137
- type: 'boolean',
138
- default: false,
139
- description: 'Disable all false positive detection (strict mode)',
140
- },
141
- },
142
- additionalProperties: false,
143
- },
144
- ],
145
- },
146
- defaultOptions: [
147
- {
148
- allowedInsecureAlgorithms: [],
149
- minSecretLength: 32,
150
- trustedJwtLibraries: ['jsonwebtoken', 'jose', 'jwt'],
151
- trustedSanitizers: [],
152
- trustedAnnotations: [],
153
- strictMode: false,
154
- },
155
- ],
156
- create(context) {
157
- const options = context.options[0] || {};
158
- const { minSecretLength = 32, trustedJwtLibraries = ['jsonwebtoken', 'jose', 'jwt'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
159
- const sourceCode = context.sourceCode || context.sourceCode;
160
- const filename = context.filename || context.getFilename();
161
- // Create safety checker for false positive detection
162
- const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
163
- trustedSanitizers,
164
- trustedAnnotations,
165
- trustedOrmPatterns: [],
166
- strictMode,
167
- });
168
- /**
169
- * Check if secret/key is weak
170
- */
171
- const isWeakSecret = (secretNode) => {
172
- if (secretNode.type === 'Literal' && typeof secretNode.value === 'string') {
173
- return secretNode.value.length < minSecretLength;
174
- }
175
- return false; // Can't determine strength of non-literal secrets
176
- };
177
- /**
178
- * Check if JWT operation has signature verification
179
- */
180
- const hasSignatureVerification = (jwtCall) => {
181
- // Check if it's jwt.verify() call
182
- if (jwtCall.callee.type === 'MemberExpression' &&
183
- jwtCall.callee.property.type === 'Identifier' &&
184
- jwtCall.callee.property.name === 'verify') {
185
- return true;
186
- }
187
- // Check for @verified annotation
188
- return (0, eslint_devkit_3.hasSafeAnnotation)(jwtCall, context, trustedAnnotations);
189
- };
190
- /**
191
- * Check if this is a trusted JWT library call
192
- */
193
- const isTrustedJwtLibrary = (node) => {
194
- // Check if callee is a member expression (library.method)
195
- if (node.callee.type !== 'MemberExpression') {
196
- return false;
197
- }
198
- // Check if the object is a JWT library
199
- const object = node.callee.object;
200
- if (object.type === 'Identifier') {
201
- return trustedJwtLibraries.includes(object.name.toLowerCase());
202
- }
203
- return false;
204
- };
205
- /**
206
- * Extract JWT-related information from a call
207
- */
208
- const extractJwtInfo = (node) => {
209
- const sourceText = sourceCode.getText(node);
210
- // Check for algorithm specification
211
- const hasAlgorithmSpec = /\b(algorithms?|alg)\s*:/i.test(sourceText);
212
- // Check for insecure patterns
213
- const hasNoneAlgorithm = /\b(alg|algorithms?)\s*:\s*(\[\s*)?['"`]\s*none\s*['"`]/i.test(sourceText);
214
- const hasEmptyAlgorithms = /\b(alg|algorithms?)\s*:\s*\[\s*\]/i.test(sourceText);
215
- const weakAlgorithms = ['HS256', 'HS384', 'HS512']; // Define weak algorithms
216
- const hasWeakAlgorithm = weakAlgorithms.some(alg => {
217
- const regex = new RegExp(`['"\`]${alg}['"\`]`, 'i');
218
- return regex.test(sourceText);
219
- });
220
- return {
221
- sourceText,
222
- hasAlgorithmSpec,
223
- hasNoneAlgorithm: hasNoneAlgorithm || hasEmptyAlgorithms,
224
- hasWeakAlgorithm,
225
- isDecodeCall: /\bdecode\b/i.test(sourceText),
226
- isVerifyCall: /\bverify\b/i.test(sourceText),
227
- };
228
- };
229
- /**
230
- * Locate the algorithms option node for precise error highlighting
231
- */
232
- const getAlgorithmsNode = (call) => {
233
- const optionsArg = call.arguments[2];
234
- if (optionsArg && optionsArg.type === 'ObjectExpression') {
235
- const algorithmsProp = optionsArg.properties.find((prop) => prop.type === 'Property' &&
236
- prop.key.type === 'Identifier' &&
237
- (prop.key.name === 'algorithms' || prop.key.name === 'alg'));
238
- if (algorithmsProp) {
239
- return algorithmsProp.value;
240
- }
241
- return optionsArg;
242
- }
243
- return null;
244
- };
245
- /**
246
- * Check if this looks like a JWT operation (verify/decode/sign)
247
- */
248
- const looksLikeJwtOperation = (node) => {
249
- if (node.callee.type !== 'MemberExpression') {
250
- return false;
251
- }
252
- const property = node.callee.property;
253
- if (property.type !== 'Identifier') {
254
- return false;
255
- }
256
- // Check for JWT-related method names
257
- const jwtMethods = ['verify', 'decode', 'sign', 'encode'];
258
- return jwtMethods.includes(property.name);
259
- };
260
- return {
261
- // Check JWT library method calls
262
- CallExpression(node) {
263
- // Check both trusted libraries AND generic JWT-like operations
264
- const isTrusted = isTrustedJwtLibrary(node);
265
- const looksLikeJwt = looksLikeJwtOperation(node);
266
- if (!isTrusted && !looksLikeJwt) {
267
- return;
268
- }
269
- const jwtInfo = extractJwtInfo(node);
270
- // CRITICAL: Algorithm confusion attack (alg: "none" or algorithms: [])
271
- if (jwtInfo.hasNoneAlgorithm) {
272
- const algorithmsNode = getAlgorithmsNode(node);
273
- context.report({
274
- node: algorithmsNode ?? node,
275
- messageId: 'insecureJwtAlgorithm',
276
- data: {
277
- filePath: filename,
278
- line: String(node.loc?.start.line ?? 0),
279
- },
280
- });
281
- return;
282
- }
283
- // HIGH: Weak algorithm without proper key validation
284
- if (jwtInfo.hasWeakAlgorithm && node.arguments.length >= 2) {
285
- const secretArg = node.arguments[1];
286
- if (isWeakSecret(secretArg)) {
287
- context.report({
288
- node: secretArg,
289
- messageId: 'weakJwtSecret',
290
- data: {
291
- filePath: filename,
292
- line: String(node.loc?.start.line ?? 0),
293
- },
294
- });
295
- return;
296
- }
297
- }
298
- // CRITICAL: Using jwt.decode() instead of jwt.verify()
299
- if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
300
- // FALSE POSITIVE REDUCTION: Skip if annotated as safe
301
- if (safetyChecker.isSafe(node, context)) {
302
- return;
303
- }
304
- context.report({
305
- node,
306
- messageId: 'missingSignatureVerification',
307
- data: {
308
- filePath: filename,
309
- line: String(node.loc?.start.line ?? 0),
310
- },
311
- suggest: [
312
- {
313
- messageId: 'verifyBeforeTrust',
314
- fix: () => null // Could be complex to auto-fix
315
- },
316
- ],
317
- });
318
- }
319
- },
320
- // Check for JWT-related variable declarations and assignments
321
- VariableDeclarator(node) {
322
- if (!node.init || node.init.type !== 'CallExpression') {
323
- return;
324
- }
325
- const initCall = node.init;
326
- if (!isTrustedJwtLibrary(initCall) && !looksLikeJwtOperation(initCall)) {
327
- return;
328
- }
329
- const jwtInfo = extractJwtInfo(initCall);
330
- // Variable assigned with unverified JWT data
331
- if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
332
- /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
333
- if (safetyChecker.isSafe(initCall, context)) {
334
- return;
335
- }
336
- /* c8 ignore stop */
337
- context.report({
338
- node,
339
- messageId: 'jwtWithoutValidation',
340
- data: {
341
- filePath: filename,
342
- line: String(node.loc?.start.line ?? 0),
343
- },
344
- });
345
- }
346
- },
347
- // Check for JWT token usage without verification
348
- Literal(node) {
349
- if (typeof node.value !== 'string') {
350
- return;
351
- }
352
- const value = node.value;
353
- // Look for JWT patterns in strings
354
- if (value.includes('eyJ') && value.split('.').length === 3) { // JWT structure
355
- // Check if this JWT is used unsafely
356
- let current = node;
357
- let isVerified = false;
358
- // Walk up to find if this is within a verified JWT operation
359
- while (current && !isVerified) {
360
- if (current.type === 'CallExpression' && hasSignatureVerification(current)) {
361
- isVerified = true;
362
- break;
363
- }
364
- current = current.parent;
365
- }
366
- if (!isVerified && !safetyChecker.isSafe(node, context)) {
367
- context.report({
368
- node,
369
- messageId: 'unsafeJwtParsing',
370
- data: {
371
- filePath: filename,
372
- line: String(node.loc?.start.line ?? 0),
373
- },
374
- });
375
- }
376
- }
377
- }
378
- };
379
- },
380
- });
package/src/rules/no-insufficient-postmessage-validation/index.d.ts DELETED
@@ -1,14 +0,0 @@
1
- import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
2
- export interface Options extends SecurityRuleOptions {
3
- /** Allowed origins for postMessage communication */
4
- allowedOrigins?: string[];
5
- /** Whether to allow wildcard origins in development */
6
- allowWildcardInDev?: boolean;
7
- /** Message event handler patterns to check */
8
- messageHandlerPatterns?: string[];
9
- /** Origins considered safe (e.g., localhost, development domains) */
10
- safeOrigins?: string[];
11
- /** Whether to perform deep origin validation analysis */
12
- deepValidation?: boolean;
13
- }
14
- export declare const noInsufficientPostmessageValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;