npm - eslint-plugin-secure-coding - Versions diffs - 3.0.0 → 3.0.1 - Mend

eslint-plugin-secure-coding 3.0.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/src/rules/no-sensitive-data-in-analytics/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataInAnalytics = void 0;
 /**
  * @fileoverview Prevent PII sent to analytics
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/359.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInAnalytics = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
     name: 'no-sensitive-data-in-analytics',
@@ -13,10 +18,6 @@ exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Prevent PII being sent to analytics services',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M6'],
-            cweIds: ['CWE-359'],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
@@ -40,15 +41,18 @@ exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
         return {
             CallExpression(node) {
                 // analytics.track() with sensitive data
-                if (node.callee.type === 'MemberExpression' &&
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                    node.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     node.callee.object.name === 'analytics' &&
+                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     node.callee.property.name === 'track') {
                     const dataArg = node.arguments[1];
-                    if (dataArg?.type === 'ObjectExpression') {
+                    if (dataArg?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
                         dataArg.properties.forEach(prop => {
-                            if (prop.type === 'Property') {
-                                const key = prop.key.name?.toLowerCase();
-                                const matchedField = sensitiveFields.find(f => key?.includes(f));
+                            if (prop.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
+                                prop.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                                const key = prop.key.name.toLowerCase();
+                                const matchedField = sensitiveFields.find(f => key.includes(f));
                                 if (matchedField) {
                                     report(prop, matchedField);
                                 }

package/src/rules/no-sensitive-data-in-cache/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent caching sensitive data without encryption
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/524.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noSensitiveDataInCache: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noSensitiveDataInCache: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-sensitive-data-in-cache/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noSensitiveDataInCache = void 0;
 /**
  * @fileoverview Prevent caching sensitive data without encryption
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/524.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInCache = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noSensitiveDataInCache = (0, eslint_devkit_1.createRule)({
     name: 'no-sensitive-data-in-cache',
@@ -13,10 +18,6 @@ exports.noSensitiveDataInCache = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Prevent caching sensitive data without encryption',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M9'],
-            cweIds: ["CWE-524"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({

package/src/rules/no-toctou-vulnerability/index.d.ts CHANGED Viewed

@@ -1,7 +1,24 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-toctou-vulnerability
+ * Detects Time-of-Check-Time-of-Use vulnerabilities
+ * CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
+ *
+ * @see https://cwe.mitre.org/data/definitions/367.html
+ * @see https://owasp.org/www-community/vulnerabilities/TOCTOU_Race_Condition
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'toctouVulnerability' | 'useAtomicOperations' | 'useFsPromises' | 'addProperLocking';
 export interface Options {
     /** Ignore in test files. Default: true */
     ignoreInTests?: boolean;
     /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
     fsMethods?: string[];
 }
-export declare const noToctouVulnerability: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noToctouVulnerability: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-toctou-vulnerability/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noToctouVulnerability = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-tracking-without-consent/index.d.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 /**
- * @fileoverview Require consent before tracking
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noTrackingWithoutConsent: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noTrackingWithoutConsent: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-tracking-without-consent/index.js CHANGED Viewed

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Require consent before tracking
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noTrackingWithoutConsent = void 0;
+/**
+ * @fileoverview Require consent before tracking
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noTrackingWithoutConsent = (0, eslint_devkit_1.createRule)({
     name: 'no-tracking-without-consent',

package/src/rules/no-unchecked-loop-condition/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unchecked-loop-condition
+ * Detects unchecked loop conditions that could cause DoS (CWE-400, CWE-606)
+ *
+ * Loops with unchecked conditions can cause denial of service by consuming
+ * excessive CPU time or memory. This includes infinite loops, loops with
+ * user-controlled bounds, and loops without proper termination conditions.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe loop patterns with clear termination
+ * - Development/debugging loops
+ * - JSDoc annotations (@safe-loop, @intentional)
+ * - Timeout protections
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'uncheckedLoopCondition' | 'infiniteLoop' | 'userControlledLoopBound' | 'missingLoopTermination' | 'largeLoopBound' | 'unsafeRecursion' | 'limitLoopIterations';
 export interface Options extends SecurityRuleOptions {
     /** Maximum allowed loop iterations for static analysis */
     maxStaticIterations?: number;
@@ -9,4 +31,6 @@ export interface Options extends SecurityRuleOptions {
     /** Maximum recursion depth to allow */
     maxRecursionDepth?: number;
 }
-export declare const noUncheckedLoopCondition: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUncheckedLoopCondition: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unchecked-loop-condition/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUncheckedLoopCondition = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unencrypted-transmission/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unencrypted-transmission
+ * Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)
+ * CWE-319: Cleartext Transmission of Sensitive Information
+ *
+ * @see https://cwe.mitre.org/data/definitions/319.html
+ * @see https://owasp.org/www-community/vulnerabilities/Insecure_Transport
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'unencryptedTransmission' | 'useHttps';
 export interface Options {
     /** Allow unencrypted transmission in test files. Default: false */
     allowInTests?: boolean;
@@ -8,4 +23,6 @@ export interface Options {
     /** Additional safe patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noUnencryptedTransmission: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnencryptedTransmission: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unencrypted-transmission/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnencryptedTransmission = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unescaped-url-parameter/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unescaped-url-parameter
+ * Detects unescaped URL parameters
+ * CWE-79: Cross-site Scripting (XSS)
+ *
+ * @see https://cwe.mitre.org/data/definitions/79.html
+ * @see https://owasp.org/www-community/attacks/xss/
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'unescapedUrlParameter' | 'useEncodeURIComponent' | 'useURLSearchParams';
 export interface Options {
     /** Allow unescaped URL parameters in test files. Default: false */
     allowInTests?: boolean;
@@ -6,4 +21,6 @@ export interface Options {
     /** Additional safe patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noUnescapedUrlParameter: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnescapedUrlParameter: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unescaped-url-parameter/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnescapedUrlParameter = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unlimited-resource-allocation/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unlimited-resource-allocation
+ * Detects unlimited resource allocation vulnerabilities (CWE-770)
+ *
+ * Unlimited resource allocation can cause denial of service by exhausting
+ * system resources like memory, file handles, or network connections.
+ * This rule detects patterns where resources are allocated without limits.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe resource allocation patterns
+ * - Proper resource limits
+ * - JSDoc annotations (@limited-resource, @safe-allocation)
+ * - Resource cleanup patterns
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'unlimitedResourceAllocation' | 'unlimitedBufferAllocation' | 'unlimitedFileOperations' | 'unlimitedNetworkConnections' | 'unlimitedMemoryAllocation' | 'userControlledResourceSize' | 'missingResourceLimits' | 'resourceAllocationInLoop' | 'implementResourceLimits' | 'validateResourceSize' | 'useResourcePools' | 'strategyResourceManagement' | 'strategyRateLimiting' | 'strategyResourceCleanup';
 export interface Options extends SecurityRuleOptions {
     /** Maximum allowed resource size for static analysis */
     maxResourceSize?: number;
@@ -9,4 +31,6 @@ export interface Options extends SecurityRuleOptions {
     /** Require resource validation */
     requireResourceValidation?: boolean;
 }
-export declare const noUnlimitedResourceAllocation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnlimitedResourceAllocation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unlimited-resource-allocation/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnlimitedResourceAllocation = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unsafe-deserialization/index.d.ts CHANGED Viewed

@@ -1,4 +1,30 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-deserialization
+ * Detects unsafe deserialization of untrusted data (CWE-502)
+ *
+ * Unsafe deserialization occurs when untrusted data is deserialized in a way that
+ * allows attackers to execute arbitrary code or manipulate application logic.
+ * This includes:
+ * - Using dangerous deserialization libraries
+ * - eval() or Function() on untrusted data
+ * - YAML/XML parsers that can execute code
+ * - Unsafe use of serialization libraries
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe deserialization patterns
+ * - Input validation and sanitization
+ * - JSDoc annotations (@safe, @validated)
+ * - Trusted deserialization libraries
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'unsafeDeserialization' | 'dangerousEvalUsage' | 'unsafeYamlParsing' | 'dangerousFunctionConstructor' | 'untrustedDeserializationInput' | 'useSafeDeserializer' | 'validateBeforeDeserialization' | 'avoidEval' | 'strategySafeLibraries' | 'strategyInputValidation' | 'strategySandboxing';
 export interface Options extends SecurityRuleOptions {
     /** Dangerous deserialization functions to detect */
     dangerousFunctions?: string[];
@@ -7,4 +33,6 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate input before deserialization */
     validationFunctions?: string[];
 }
-export declare const noUnsafeDeserialization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnsafeDeserialization: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unsafe-deserialization/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnsafeDeserialization = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unsafe-dynamic-require/index.d.ts CHANGED Viewed

@@ -1,5 +1,17 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-dynamic-require
+ * Detects dynamic require() calls that could lead to code injection
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 export interface Options {
     /** Allow dynamic import() expressions. Default: false (stricter) */
     allowDynamicImport?: boolean;
 }
-export declare const noUnsafeDynamicRequire: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnsafeDynamicRequire: TSESLint.RuleModule<"unsafeDynamicRequire", RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unsafe-dynamic-require/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnsafeDynamicRequire = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unsafe-regex-construction/index.d.ts CHANGED Viewed

@@ -1,3 +1,20 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-regex-construction
+ * Detects unsafe regex construction patterns (user input without escaping, dynamic flags)
+ * CWE-400: Uncontrolled Resource Consumption
+ *
+ * Extends detect-non-literal-regexp with pattern analysis
+ *
+ * @see https://cwe.mitre.org/data/definitions/400.html
+ * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'unsafeRegexConstruction' | 'escapeUserInput' | 'validatePattern' | 'useSafeLibrary' | 'avoidDynamicFlags';
 export interface Options {
     /** Allow literal string patterns. Default: false */
     allowLiterals?: boolean;
@@ -6,4 +23,6 @@ export interface Options {
     /** Maximum pattern length for dynamic regex. Default: 100 */
     maxPatternLength?: number;
 }
-export declare const noUnsafeRegexConstruction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnsafeRegexConstruction: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unsafe-regex-construction/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnsafeRegexConstruction = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unvalidated-deeplinks/index.d.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 /**
- * @fileoverview Require validation of deep link URLs
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noUnvalidatedDeeplinks: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnvalidatedDeeplinks: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-unvalidated-deeplinks/index.js CHANGED Viewed

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Require validation of deep link URLs
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnvalidatedDeeplinks = void 0;
+/**
+ * @fileoverview Require validation of deep link URLs
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noUnvalidatedDeeplinks = (0, eslint_devkit_1.createRule)({
     name: 'no-unvalidated-deeplinks',

package/src/rules/no-unvalidated-user-input/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unvalidated-user-input
+ * Detects unvalidated user input usage (req.body, req.query, etc.)
+ * CWE-20: Improper Input Validation
+ *
+ * @see https://cwe.mitre.org/data/definitions/20.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Input_Validation
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'unvalidatedInput' | 'useValidationLibrary' | 'useZod' | 'useJoi';
 export interface Options {
     /** Allow unvalidated input in test files. Default: false */
     allowInTests?: boolean;
@@ -6,4 +21,6 @@ export interface Options {
     /** Additional safe patterns to ignore. Default: ['^safe', '^sanitized', '^validated', '^clean'] (prefix patterns) */
     ignorePatterns?: string[];
 }
-export declare const noUnvalidatedUserInput: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnvalidatedUserInput: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-unvalidated-user-input/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnvalidatedUserInput = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-verbose-error-messages/index.d.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 /**
- * @fileoverview Prevent exposing stack traces to users
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/209.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noVerboseErrorMessages: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noVerboseErrorMessages: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export {};

package/src/rules/no-verbose-error-messages/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noVerboseErrorMessages = void 0;
 /**
  * @fileoverview Prevent exposing stack traces to users
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/209.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noVerboseErrorMessages = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noVerboseErrorMessages = (0, eslint_devkit_1.createRule)({
     name: 'no-verbose-error-messages',

package/src/rules/no-weak-password-recovery/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-weak-password-recovery
+ * Detects weak password recovery mechanisms (CWE-640)
+ *
+ * Weak password recovery mechanisms can allow attackers to reset passwords
+ * for other users, gain unauthorized access, or perform account takeover.
+ * This rule detects obvious vulnerabilities in password recovery logic.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Proper recovery implementations
+ * - Rate limiting mechanisms
+ * - Secure token generation
+ * - JSDoc annotations (@secure-recovery, @rate-limited)
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'weakPasswordRecovery' | 'missingRateLimit' | 'predictableRecoveryToken' | 'unlimitedRecoveryAttempts' | 'insufficientTokenEntropy' | 'missingTokenExpiration' | 'recoveryLoggingSensitiveData' | 'weakRecoveryVerification' | 'tokenReuseVulnerability' | 'implementRateLimiting' | 'useCryptographicallySecureTokens' | 'implementTokenExpiration' | 'secureRecoveryFlow' | 'strategyMultiFactor' | 'strategyOutOfBandVerification' | 'strategyTimeBoundTokens';
 export interface Options extends SecurityRuleOptions {
     /** Minimum token entropy bits */
     minTokenEntropy?: number;
@@ -9,4 +31,6 @@ export interface Options extends SecurityRuleOptions {
     /** Secure token generation functions */
     secureTokenFunctions?: string[];
 }
-export declare const noWeakPasswordRecovery: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noWeakPasswordRecovery: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export {};

package/src/rules/no-weak-password-recovery/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noWeakPasswordRecovery = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");