npm - eslint-plugin-secure-coding - Versions diffs - 2.4.0 → 3.0.1 - Mend

eslint-plugin-secure-coding 2.4.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/src/rules/no-insecure-comparison/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noInsecureComparison = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-insecure-redirects/index.d.ts CHANGED Viewed

@@ -1,7 +1,24 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-insecure-redirects
+ * Detects open redirect vulnerabilities
+ * CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
+ *
+ * @see https://cwe.mitre.org/data/definitions/601.html
+ * @see https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureRedirect' | 'whitelistDomains' | 'validateRedirect' | 'useRelativeUrl';
 export interface Options {
     /** Ignore in test files. Default: true */
     ignoreInTests?: boolean;
     /** Allowed redirect domains. Default: [] */
     allowedDomains?: string[];
 }
-export declare const noInsecureRedirects: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noInsecureRedirects: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-insecure-redirects/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noInsecureRedirects = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-insecure-websocket/index.d.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 /**
- * @fileoverview Require secure WebSocket connections (wss://)
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noInsecureWebsocket: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noInsecureWebsocket: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-insecure-websocket/index.js CHANGED Viewed

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Require secure WebSocket connections (wss://)
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noInsecureWebsocket = void 0;
+/**
+ * @fileoverview Require secure WebSocket connections (wss://)
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noInsecureWebsocket = (0, eslint_devkit_1.createRule)({
     name: 'no-insecure-websocket',

package/src/rules/no-ldap-injection/index.d.ts CHANGED Viewed

@@ -1,4 +1,29 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-ldap-injection
+ * Detects LDAP injection vulnerabilities (CWE-90)
+ *
+ * LDAP injection occurs when user input is improperly inserted into LDAP
+ * queries, allowing attackers to:
+ * - Bypass authentication and authorization
+ * - Extract sensitive directory information
+ * - Perform unauthorized LDAP operations
+ * - Enumerate users through blind injection techniques
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe LDAP libraries with built-in escaping
+ * - Input validation and sanitization functions
+ * - JSDoc annotations (@ldap-safe, @escaped)
+ * - Parameterized LDAP query construction
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'ldapInjection' | 'unsafeLdapFilter' | 'unescapedLdapInput' | 'dangerousLdapOperation' | 'useLdapEscaping' | 'validateLdapInput' | 'useParameterizedLdap' | 'strategyInputValidation' | 'strategySafeLibraries' | 'strategyFilterConstruction';
 export interface Options extends SecurityRuleOptions {
     /** LDAP-related function names to check */
     ldapFunctions?: string[];
@@ -7,4 +32,6 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate LDAP input */
     ldapValidationFunctions?: string[];
 }
-export declare const noLdapInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noLdapInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-ldap-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noLdapInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-missing-authentication/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-missing-authentication
+ * Detects missing authentication checks in route handlers
+ * CWE-287: Improper Authentication
+ *
+ * @see https://cwe.mitre.org/data/definitions/287.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Authentication
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'missingAuthentication' | 'addAuthentication';
 export interface Options {
     /** Allow missing authentication in test files. Default: false */
     allowInTests?: boolean;
@@ -10,4 +25,6 @@ export interface Options {
     /** Additional patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noMissingAuthentication: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noMissingAuthentication: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-missing-authentication/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noMissingAuthentication = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-missing-cors-check/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-missing-cors-check
+ * Detects missing CORS validation (wildcard CORS, missing origin check)
+ * CWE-346: Origin Validation Error
+ *
+ * @see https://cwe.mitre.org/data/definitions/346.html
+ * @see https://owasp.org/www-community/attacks/CORS_Misconfiguration
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'missingCorsCheck' | 'useOriginValidation' | 'useCorsMiddleware';
 export interface Options {
     /** Allow missing CORS checks in test files. Default: false */
     allowInTests?: boolean;
@@ -6,4 +21,6 @@ export interface Options {
     /** Additional safe patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noMissingCorsCheck: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noMissingCorsCheck: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-missing-cors-check/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noMissingCorsCheck = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-missing-csrf-protection/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-missing-csrf-protection
+ * Detects missing CSRF token validation in POST/PUT/DELETE requests
+ * CWE-352: Cross-Site Request Forgery (CSRF)
+ *
+ * @see https://cwe.mitre.org/data/definitions/352.html
+ * @see https://owasp.org/www-community/attacks/csrf
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'missingCsrfProtection' | 'addCsrfValidation';
 export interface Options {
     /** Allow missing CSRF protection in test files. Default: false */
     allowInTests?: boolean;
@@ -8,4 +23,6 @@ export interface Options {
     /** Additional safe patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noMissingCsrfProtection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noMissingCsrfProtection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-missing-csrf-protection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noMissingCsrfProtection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-missing-security-headers/index.d.ts CHANGED Viewed

@@ -1,7 +1,24 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-missing-security-headers
+ * Detects missing security headers in HTTP responses
+ * CWE-693: Protection Mechanism Failure
+ *
+ * @see https://cwe.mitre.org/data/definitions/693.html
+ * @see https://owasp.org/www-project-secure-headers/
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'missingSecurityHeader' | 'addSecurityHeaders' | 'useMiddleware' | 'setHeader';
 export interface Options {
     /** Required security headers. Default: ['Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options'] */
     requiredHeaders?: string[];
     /** Ignore in test files. Default: true */
     ignoreInTests?: boolean;
 }
-export declare const noMissingSecurityHeaders: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noMissingSecurityHeaders: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-missing-security-headers/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noMissingSecurityHeaders = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-password-in-url/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent passwords in URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/598.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noPasswordInUrl: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPasswordInUrl: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-password-in-url/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPasswordInUrl = void 0;
 /**
  * @fileoverview Prevent passwords in URLs
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/598.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPasswordInUrl = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noPasswordInUrl = (0, eslint_devkit_1.createRule)({
     name: 'no-password-in-url',
@@ -13,10 +18,6 @@ exports.noPasswordInUrl = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Prevent passwords in URLs',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M3'],
-            cweIds: ["CWE-598"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({

package/src/rules/no-permissive-cors/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent overly permissive CORS configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noPermissiveCors: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPermissiveCors: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-permissive-cors/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPermissiveCors = void 0;
 /**
  * @fileoverview Prevent overly permissive CORS configuration
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/942.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPermissiveCors = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
     name: 'no-permissive-cors',
@@ -15,10 +20,6 @@ exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
         replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
         docs: {
             description: 'Prevent overly permissive CORS configuration',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M8'],
-            cweIds: ["CWE-942"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
@@ -44,18 +45,26 @@ exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
         return {
             CallExpression(node) {
                 // Check for Access-Control-Allow-Origin: *
-                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    node.callee.property?.name === 'setHeader' &&
-                    node.arguments[0]?.value === 'Access-Control-Allow-Origin' &&
-                    node.arguments[1]?.value === '*') {
+                // res.setHeader('Access-Control-Allow-Origin', '*')
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                    node.callee.property.name === 'setHeader' &&
+                    node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
+                    node.arguments[0].value === 'Access-Control-Allow-Origin' &&
+                    node.arguments[1]?.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
+                    node.arguments[1].value === '*') {
                     report(node);
                 }
                 // Check cors({ origin: '*' })
-                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     node.callee.name === 'cors' &&
                     node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
-                    const originProp = node.arguments[0].properties.find(p => p.key?.name === 'origin');
-                    if (originProp?.value.type === 'Literal' && originProp.value.value === '*') {
+                    const originProp = node.arguments[0].properties.find((p) => p.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
+                        p.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
+                        p.key.name === 'origin');
+                    if (originProp &&
+                        originProp.value.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
+                        originProp.value.value === '*') {
                         report(node);
                     }
                 }

package/src/rules/no-pii-in-logs/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/532.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noPiiInLogs: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPiiInLogs: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-pii-in-logs/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPiiInLogs = void 0;
 /**
  * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/532.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPiiInLogs = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
     name: 'no-pii-in-logs',
@@ -13,10 +18,6 @@ exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Prevent PII (email, SSN, credit cards) in console logs',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M6'],
-            cweIds: ["CWE-532"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
@@ -42,21 +43,23 @@ exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
         return {
             CallExpression(node) {
                 // Check console.log/error/warn calls
-                if (node.type === 'CallExpression' &&
-                    node.callee.type === 'MemberExpression' &&
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                    node.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     node.callee.object.name === 'console' &&
+                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
                     // Check arguments for PII-related property access
                     for (const arg of node.arguments) {
-                        if (arg.type === 'MemberExpression') {
-                            const propName = arg.property.name?.toLowerCase();
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                            arg.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                            const propName = arg.property.name.toLowerCase();
                             const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
-                            if (piiProps.some(p => propName?.includes(p))) {
+                            if (piiProps.some(p => propName.includes(p))) {
                                 report(node);
                             }
                         }
                         // Check string literals mentioning PII
-                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof arg.value === 'string') {
                             const text = arg.value.toLowerCase();
                             if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
                                 report(node);

package/src/rules/no-privilege-escalation/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-privilege-escalation
+ * Detects potential privilege escalation vulnerabilities
+ * CWE-269: Improper Privilege Management
+ *
+ * @see https://cwe.mitre.org/data/definitions/269.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Access_Control
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'privilegeEscalation' | 'addRoleCheck';
 export interface Options {
     /** Allow privilege escalation patterns in test files. Default: false */
     allowInTests?: boolean;
@@ -10,4 +25,6 @@ export interface Options {
     /** Additional patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noPrivilegeEscalation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPrivilegeEscalation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-privilege-escalation/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noPrivilegeEscalation = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-redos-vulnerable-regex/index.d.ts CHANGED Viewed

@@ -1,7 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-redos-vulnerable-regex
+ * Detects ReDoS-vulnerable regex patterns in literal regex patterns
+ * CWE-400: Uncontrolled Resource Consumption
+ *
+ * Complements detect-non-literal-regexp by checking literal regex patterns
+ *
+ * @see https://cwe.mitre.org/data/definitions/400.html
+ * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'redosVulnerable' | 'useAtomicGroups' | 'usePossessiveQuantifiers' | 'restructureRegex' | 'useSafeLibrary';
 export interface Options {
     /** Allow certain common patterns. Default: false */
     allowCommonPatterns?: boolean;
     /** Maximum pattern length to analyze. Default: 500 */
     maxPatternLength?: number;
 }
-export declare const noRedosVulnerableRegex: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noRedosVulnerableRegex: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-redos-vulnerable-regex/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noRedosVulnerableRegex = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-sensitive-data-exposure/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-sensitive-data-exposure
+ * Detects PII/credentials in logs, responses, or error messages
+ * Priority 5: Security with Data Flow Analysis
+ * CWE-532: Information Exposure Through Log Files
+ *
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'sensitiveDataExposure' | 'redactData' | 'useMasking' | 'removeFromLogs';
 export interface Options {
     /** Sensitive data patterns. Default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card'] */
     sensitivePatterns?: string[];
@@ -8,4 +23,6 @@ export interface Options {
     /** Check API responses. Default: true */
     checkApiResponses?: boolean;
 }
-export declare const noSensitiveDataExposure: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noSensitiveDataExposure: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-sensitive-data-exposure/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noSensitiveDataExposure = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-sensitive-data-in-analytics/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent PII sent to analytics
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/359.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noSensitiveDataInAnalytics: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noSensitiveDataInAnalytics: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};