eslint-plugin-secure-coding 2.3.4 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/CHANGELOG.md +51 -1
  2. package/README.md +3 -2
  3. package/package.json +2 -9
  4. package/src/index.d.ts +1 -1
  5. package/src/index.js +0 -49
  6. package/src/types/index.d.ts +4 -29
  7. package/src/types/index.js +3 -4
  8. package/src/rules/database-injection/index.d.ts +0 -13
  9. package/src/rules/database-injection/index.js +0 -406
  10. package/src/rules/no-credentials-in-storage-api/index.d.ts +0 -6
  11. package/src/rules/no-credentials-in-storage-api/index.js +0 -54
  12. package/src/rules/no-document-cookie/index.d.ts +0 -5
  13. package/src/rules/no-document-cookie/index.js +0 -89
  14. package/src/rules/no-insecure-cookie-settings/index.d.ts +0 -9
  15. package/src/rules/no-insecure-cookie-settings/index.js +0 -306
  16. package/src/rules/no-insecure-jwt/index.d.ts +0 -10
  17. package/src/rules/no-insecure-jwt/index.js +0 -380
  18. package/src/rules/no-insufficient-postmessage-validation/index.d.ts +0 -14
  19. package/src/rules/no-insufficient-postmessage-validation/index.js +0 -392
  20. package/src/rules/no-insufficient-random/index.d.ts +0 -9
  21. package/src/rules/no-insufficient-random/index.js +0 -208
  22. package/src/rules/no-postmessage-origin-wildcard/index.d.ts +0 -8
  23. package/src/rules/no-postmessage-origin-wildcard/index.js +0 -56
  24. package/src/rules/no-sql-injection/index.d.ts +0 -10
  25. package/src/rules/no-sql-injection/index.js +0 -335
  26. package/src/rules/no-timing-attack/index.d.ts +0 -10
  27. package/src/rules/no-timing-attack/index.js +0 -447
  28. package/src/rules/no-unencrypted-local-storage/index.d.ts +0 -8
  29. package/src/rules/no-unencrypted-local-storage/index.js +0 -61
  30. package/src/rules/no-unsanitized-html/index.d.ts +0 -9
  31. package/src/rules/no-unsanitized-html/index.js +0 -335
  32. package/src/rules/no-weak-crypto/index.d.ts +0 -11
  33. package/src/rules/no-weak-crypto/index.js +0 -351
package/src/rules/no-unsanitized-html/index.js DELETED
@@ -1,335 +0,0 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.noUnsanitizedHtml = void 0;
4
- const eslint_devkit_1 = require("@interlace/eslint-devkit");
5
- const eslint_devkit_2 = require("@interlace/eslint-devkit");
6
- /**
7
- * Check if a string matches any ignore pattern
8
- */
9
- function matchesIgnorePattern(text, ignorePatterns) {
10
- return ignorePatterns.some(pattern => {
11
- try {
12
- const regex = new RegExp(pattern, 'i');
13
- return regex.test(text);
14
- }
15
- catch {
16
- // Invalid regex - treat as literal string match
17
- return text.toLowerCase().includes(pattern.toLowerCase());
18
- }
19
- });
20
- }
21
- exports.noUnsanitizedHtml = (0, eslint_devkit_2.createRule)({
22
- name: 'no-unsanitized-html',
23
- meta: {
24
- type: 'problem',
25
- docs: {
26
- description: 'Detects unsanitized HTML injection (dangerouslySetInnerHTML, innerHTML)',
27
- },
28
- hasSuggestions: true,
29
- messages: {
30
- unsanitizedHtml: (0, eslint_devkit_1.formatLLMMessage)({
31
- icon: eslint_devkit_1.MessageIcons.SECURITY,
32
- issueName: 'Unsanitized HTML Injection',
33
- cwe: 'CWE-79',
34
- description: 'Unsanitized HTML detected: {{htmlSource}}',
35
- severity: 'CRITICAL',
36
- fix: '{{safeAlternative}}',
37
- documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
38
- }),
39
- useTextContent: (0, eslint_devkit_1.formatLLMMessage)({
40
- icon: eslint_devkit_1.MessageIcons.INFO,
41
- issueName: 'Use textContent',
42
- description: 'Use textContent instead of innerHTML',
43
- severity: 'LOW',
44
- fix: 'element.textContent = userInput;',
45
- documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent',
46
- }),
47
- useSanitizeLibrary: (0, eslint_devkit_1.formatLLMMessage)({
48
- icon: eslint_devkit_1.MessageIcons.INFO,
49
- issueName: 'Use Sanitization',
50
- description: 'Use sanitization library',
51
- severity: 'LOW',
52
- fix: 'DOMPurify.sanitize(html) or sanitize-html',
53
- documentationLink: 'https://github.com/cure53/DOMPurify',
54
- }),
55
- useDangerouslySetInnerHTML: (0, eslint_devkit_1.formatLLMMessage)({
56
- icon: eslint_devkit_1.MessageIcons.INFO,
57
- issueName: 'Sanitize First',
58
- description: 'Sanitize before dangerouslySetInnerHTML',
59
- severity: 'LOW',
60
- fix: 'dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}',
61
- documentationLink: 'https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html',
62
- }),
63
- },
64
- schema: [
65
- {
66
- type: 'object',
67
- properties: {
68
- allowInTests: {
69
- type: 'boolean',
70
- default: false,
71
- description: 'Allow unsanitized HTML in test files',
72
- },
73
- trustedLibraries: {
74
- type: 'array',
75
- items: { type: 'string' },
76
- default: ['dompurify', 'sanitize-html', 'xss'],
77
- description: 'Trusted sanitization libraries',
78
- },
79
- ignorePatterns: {
80
- type: 'array',
81
- items: { type: 'string' },
82
- default: [],
83
- description: 'Additional safe patterns to ignore',
84
- },
85
- },
86
- additionalProperties: false,
87
- },
88
- ],
89
- },
90
- defaultOptions: [
91
- {
92
- allowInTests: false,
93
- trustedLibraries: ['dompurify', 'sanitize-html', 'xss'],
94
- ignorePatterns: [],
95
- },
96
- ],
97
- create(context, [options = {}]) {
98
- const { allowInTests = false, trustedLibraries = ['dompurify', 'sanitize-html', 'xss'], ignorePatterns = [], } = options;
99
- const filename = context.getFilename();
100
- const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
101
- const sourceCode = context.sourceCode || context.sourceCode;
102
- // Track variables that have been assigned sanitized content
103
- const sanitizedVariables = new Set();
104
- /**
105
- * Check if a call expression is a sanitization call
106
- */
107
- function isSanitizationCall(node) {
108
- const callee = node.callee;
109
- if (callee.type === 'Identifier') {
110
- const calleeName = callee.name.toLowerCase();
111
- if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
112
- return true;
113
- }
114
- if (trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()))) {
115
- return true;
116
- }
117
- }
118
- if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
119
- const objectName = callee.object.name.toLowerCase();
120
- if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
121
- return true;
122
- }
123
- // Also check the method name
124
- if (callee.property.type === 'Identifier') {
125
- const methodName = callee.property.name.toLowerCase();
126
- if (['sanitize', 'purify', 'escape', 'clean'].includes(methodName)) {
127
- return true;
128
- }
129
- }
130
- }
131
- return false;
132
- }
133
- /**
134
- * Track variable declarations that are assigned sanitized content
135
- */
136
- function trackSanitizedAssignment(node) {
137
- let varName = null;
138
- let init = null;
139
- if (node.type === 'VariableDeclarator') {
140
- if (node.id.type === 'Identifier' && node.init) {
141
- varName = node.id.name;
142
- init = node.init;
143
- }
144
- }
145
- else {
146
- if (node.left.type === 'Identifier') {
147
- varName = node.left.name;
148
- init = node.right;
149
- }
150
- }
151
- if (varName && init && init.type === 'CallExpression') {
152
- if (isSanitizationCall(init)) {
153
- sanitizedVariables.add(varName);
154
- }
155
- }
156
- }
157
- function checkAssignmentExpression(node) {
158
- if (isTestFile) {
159
- return;
160
- }
161
- // Check if left side is a dangerous DOM property
162
- if (node.left.type === 'MemberExpression' &&
163
- node.left.property.type === 'Identifier') {
164
- const propertyName = node.left.property.name;
165
- const dangerousProps = ['innerHTML', 'outerHTML'];
166
- if (!dangerousProps.includes(propertyName)) {
167
- return; // Not a dangerous property
168
- }
169
- const memberExpr = node.left;
170
- const property = memberExpr.property;
171
- const text = sourceCode.getText(memberExpr);
172
- // Check if the left side (variable/object) matches any ignore pattern
173
- // This handles cases like testElement.innerHTML where testElement should be ignored
174
- if (memberExpr.object.type === 'Identifier') {
175
- const objectName = memberExpr.object.name;
176
- if (matchesIgnorePattern(objectName, ignorePatterns)) {
177
- return;
178
- }
179
- }
180
- // Also check the full expression
181
- if (matchesIgnorePattern(text, ignorePatterns)) {
182
- return;
183
- }
184
- // Check if the right side (assignment value) is a sanitization call
185
- // First check if node.right itself is a sanitization call
186
- if (node.right.type === 'CallExpression') {
187
- const callee = node.right.callee;
188
- if (callee.type === 'Identifier') {
189
- const calleeName = callee.name.toLowerCase();
190
- if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
191
- return;
192
- }
193
- if (trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()))) {
194
- return;
195
- }
196
- }
197
- if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
198
- const objectName = callee.object.name.toLowerCase();
199
- if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
200
- return;
201
- }
202
- }
203
- }
204
- // If right side is a literal string/number, allow it
205
- if (node.right.type === 'Literal') {
206
- return;
207
- }
208
- // FALSE POSITIVE REDUCTION: Check if right side is a previously-sanitized variable
209
- // Pattern: const clean = DOMPurify.sanitize(html); element.innerHTML = clean;
210
- if (node.right.type === 'Identifier' && sanitizedVariables.has(node.right.name)) {
211
- return;
212
- }
213
- // For innerHTML/outerHTML, we should flag ANY non-sanitized assignment
214
- // This is more aggressive but safer - innerHTML should ALWAYS be sanitized
215
- // unless it's a literal or explicitly sanitized
216
- // Build suggestions array - conditionally include based on context
217
- // For allowInTests option, don't provide suggestions (test expects none)
218
- const suggestions = allowInTests && !isTestFile
219
- ? undefined // allowInTests is true but file is not a test file - no suggestions
220
- : [
221
- {
222
- messageId: 'useTextContent',
223
- fix: (fixer) => {
224
- return fixer.replaceText(property, 'textContent');
225
- },
226
- },
227
- {
228
- messageId: 'useSanitizeLibrary',
229
- fix: () => [],
230
- },
231
- ];
232
- context.report({
233
- node: memberExpr,
234
- messageId: 'unsanitizedHtml',
235
- data: {
236
- htmlSource: propertyName,
237
- safeAlternative: 'Use textContent or sanitize with DOMPurify: element.textContent = userInput; or element.innerHTML = DOMPurify.sanitize(html);',
238
- },
239
- suggest: suggestions,
240
- });
241
- }
242
- }
243
- function checkJSXAttribute(node) {
244
- if (isTestFile) {
245
- return;
246
- }
247
- if (node.name.type !== 'JSXIdentifier') {
248
- return;
249
- }
250
- const attributeName = node.name.name;
251
- // Check for dangerouslySetInnerHTML
252
- if (attributeName === 'dangerouslySetInnerHTML') {
253
- // Check if the value is sanitized
254
- if (node.value && node.value.type === 'JSXExpressionContainer') {
255
- const expression = node.value.expression;
256
- // Check if it's an object with __html property
257
- if (expression.type === 'ObjectExpression') {
258
- const htmlProperty = expression.properties.find((prop) => prop.type === 'Property' &&
259
- prop.key.type === 'Identifier' &&
260
- prop.key.name === '__html');
261
- if (htmlProperty && htmlProperty.value) {
262
- const htmlValue = htmlProperty.value;
263
- // Check if the value is sanitized
264
- if (htmlValue.type === 'CallExpression') {
265
- const callee = htmlValue.callee;
266
- if (callee.type === 'MemberExpression' && callee.object.type === 'Identifier') {
267
- const objectName = callee.object.name.toLowerCase();
268
- if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
269
- return; // It's sanitized
270
- }
271
- }
272
- if (callee.type === 'Identifier') {
273
- const calleeName = callee.name.toLowerCase();
274
- if (['sanitize', 'sanitizehtml', 'purify', 'escape'].includes(calleeName)) {
275
- return; // It's sanitized
276
- }
277
- }
278
- }
279
- // Check if the value matches user input patterns
280
- const htmlValueText = sourceCode.getText(htmlValue);
281
- let isUserInputValue = false;
282
- if (htmlValue.type === 'Identifier') {
283
- const identifierName = htmlValue.name.toLowerCase();
284
- const userInputNames = ['userinput', 'userdata', 'html', 'content', 'text'];
285
- isUserInputValue = userInputNames.includes(identifierName);
286
- }
287
- const userInputPatterns = [
288
- /\b(userInput|userData|html|content|text)\b/i,
289
- /\breq\.(body|query|params|headers|cookies)/,
290
- /\brequest\.(body|query|params)/,
291
- ];
292
- isUserInputValue = isUserInputValue || userInputPatterns.some(pattern => pattern.test(htmlValueText));
293
- if (isUserInputValue) {
294
- // It's user input, report it
295
- }
296
- else {
297
- // Check if it matches ignore patterns
298
- if (matchesIgnorePattern(htmlValueText, ignorePatterns)) {
299
- return;
300
- }
301
- // If it's not user input and not in ignore patterns, it might be safe
302
- return;
303
- }
304
- }
305
- }
306
- }
307
- context.report({
308
- node,
309
- messageId: 'unsanitizedHtml',
310
- data: {
311
- htmlSource: 'dangerouslySetInnerHTML',
312
- safeAlternative: 'Sanitize HTML before using dangerouslySetInnerHTML: <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />',
313
- },
314
- suggest: [
315
- {
316
- messageId: 'useDangerouslySetInnerHTML',
317
- // eslint-disable-next-line @typescript-eslint/no-unused-vars
318
- fix: (_fixer) => null,
319
- },
320
- ],
321
- });
322
- }
323
- }
324
- return {
325
- VariableDeclarator: trackSanitizedAssignment,
326
- AssignmentExpression: (node) => {
327
- // Track sanitized assignments first
328
- trackSanitizedAssignment(node);
329
- // Then check for unsafe innerHTML
330
- checkAssignmentExpression(node);
331
- },
332
- JSXAttribute: checkJSXAttribute,
333
- };
334
- },
335
- });
package/src/rules/no-weak-crypto/index.d.ts DELETED
@@ -1,11 +0,0 @@
1
- export interface Options {
2
- /** Allow weak crypto in test files. Default: false */
3
- allowInTests?: boolean;
4
- /** Additional weak algorithms to detect. Default: [] */
5
- additionalWeakAlgorithms?: string[];
6
- /** Trusted crypto libraries. Default: ['crypto', 'crypto-js'] */
7
- trustedLibraries?: string[];
8
- /** Strategy for fixing weak crypto: 'upgrade', 'migrate', 'policy', 'auto' */
9
- strategy?: 'upgrade' | 'migrate' | 'policy' | 'auto';
10
- }
11
- export declare const noWeakCrypto: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;