eslint-plugin-secure-coding 3.0.0 → 3.0.2

package/src/rules/no-debug-code-in-production/index.js

@@ -1,51 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect debug code in production
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/489.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDebugCodeInProduction = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDebugCodeInProduction = (0, eslint_devkit_1.createRule)({
-    name: 'no-debug-code-in-production',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect debug code in production',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M7'],
-            cweIds: ["CWE-489"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-489',
-                description: 'Detect debug code in production detected - DEBUG, __DEV__, console',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            Identifier(node) {
-                if (['DEBUG', '__DEV__'].includes(node.name)) {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-            CallExpression(node) {
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.name === 'console' &&
-                    node.callee.property.name === 'log') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-disabled-certificate-validation/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Prevent disabled SSL/TLS certificate validation
- */
-export interface Options {
-}
-export declare const noDisabledCertificateValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-disabled-certificate-validation/index.js

@@ -1,61 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent disabled SSL/TLS certificate validation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDisabledCertificateValidation = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDisabledCertificateValidation = (0, eslint_devkit_1.createRule)({
-    name: 'no-disabled-certificate-validation',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent disabled SSL/TLS certificate validation',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Disabled Certificate Validation',
-                cwe: 'CWE-295',
-                description: 'SSL/TLS certificate validation is disabled - man-in-the-middle attack possible',
-                severity: 'CRITICAL',
-                fix: 'Remove rejectUnauthorized: false or verify: false, fix certificate issues properly',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const dangerousProperties = ['rejectUnauthorized', 'strictSSL', 'verify'];
-        return {
-            Property(node) {
-                // Check for dangerous SSL options set to false
-                if (node.key.type === 'Identifier' &&
-                    dangerousProperties.includes(node.key.name) &&
-                    node.value.type === 'Literal' &&
-                    node.value.value === false) {
-                    report(node);
-                }
-            },
-            AssignmentExpression(node) {
-                // Check for NODE_TLS_REJECT_UNAUTHORIZED = '0'
-                if (node.left.type === 'MemberExpression' &&
-                    node.left.object.type === 'MemberExpression' &&
-                    node.left.object.object.type === 'Identifier' &&
-                    node.left.object.object.name === 'process' &&
-                    node.left.object.property.type === 'Identifier' &&
-                    node.left.object.property.name === 'env' &&
-                    node.left.property.type === 'Identifier' &&
-                    node.left.property.name === 'NODE_TLS_REJECT_UNAUTHORIZED') {
-                    if (node.right.type === 'Literal' && node.right.value === '0') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-dynamic-dependency-loading/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent dynamic dependency injection
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/494.html
- */
-export interface Options {
-}
-export declare const noDynamicDependencyLoading: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-dynamic-dependency-loading/index.js

@@ -1,51 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent dynamic dependency injection
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/494.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noDynamicDependencyLoading = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noDynamicDependencyLoading = (0, eslint_devkit_1.createRule)({
-    name: 'no-dynamic-dependency-loading',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent runtime dependency injection with dynamic paths',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M2'],
-            cweIds: ['CWE-494'],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-1104',
-                description: 'Dynamic import/require detected - use static imports for security',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/1104.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            CallExpression(node) {
-                // Dynamic require
-                if (node.callee.name === 'require' && node.arguments[0]?.type !== 'Literal') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-            ImportExpression(node) {
-                // Dynamic import()
-                if (node.source.type !== 'Literal') {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-exposed-debug-endpoints/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Detect debug endpoints without auth
- */
-export interface Options {
-}
-export declare const noExposedDebugEndpoints: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-exposed-debug-endpoints/index.js

@@ -1,62 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect debug endpoints without auth
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noExposedDebugEndpoints = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noExposedDebugEndpoints = (0, eslint_devkit_1.createRule)({
-    name: 'no-exposed-debug-endpoints',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect debug endpoints without auth',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Exposed Debug Endpoint',
-                cwe: 'CWE-489',
-                description: 'Debug endpoint exposed without authentication',
-                severity: 'HIGH',
-                fix: 'Remove debug endpoints from production or add authentication',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/489.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        const debugPaths = ['/debug', '/__debug__', '/admin', '/_admin', '/test', '/health'];
-        return {
-            CallExpression(node) {
-                // Detect app.get('/debug', handler)
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.type === 'Identifier' &&
-                    ['app', 'router', 'express'].includes(node.callee.object.name) &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['get', 'post', 'use'].includes(node.callee.property.name)) {
-                    const pathArg = node.arguments[0];
-                    if (pathArg && pathArg.type === 'Literal' && typeof pathArg.value === 'string') {
-                        const path = pathArg.value.toLowerCase();
-                        if (debugPaths.some(dp => path.includes(dp))) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Flag debug path strings in general
-                if (typeof node.value === 'string') {
-                    const path = node.value.toLowerCase();
-                    if (debugPaths.some(dp => path === dp)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-exposed-sensitive-data/index.d.ts

@@ -1,11 +0,0 @@
-export interface Options {
-    /** Allow sensitive data in test files. Default: false */
-    allowInTests?: boolean;
-    /** Patterns to detect sensitive data. Default: ['ssn', 'social', 'credit', 'card', 'password', 'secret', 'token', 'apiKey'] */
-    sensitivePatterns?: string[];
-    /** Logging/output patterns to detect. Default: ['log', 'console', 'print', 'debug', 'error', 'warn', 'info', 'trace', 'response', 'res.', 'req.'] */
-    loggingPatterns?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-export declare const noExposedSensitiveData: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-exposed-sensitive-data/index.js

@@ -1,340 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noExposedSensitiveData = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Default sensitive data patterns
- */
-const DEFAULT_SENSITIVE_PATTERNS = [
-    'ssn',
-    'social',
-    'credit',
-    'card',
-    'password',
-    'secret',
-    'token',
-    'apiKey',
-    'apikey',
-    'api_key',
-    'privateKey',
-    'private_key',
-    'accessToken',
-    'access_token',
-    'refreshToken',
-    'refresh_token',
-    'authToken',
-    'auth_token',
-];
-/**
- * Default logging/output patterns
- */
-const DEFAULT_LOGGING_PATTERNS = [
-    'log',
-    'console',
-    'print',
-    'debug',
-    'error',
-    'warn',
-    'info',
-    'trace',
-    'response',
-    'res.',
-    'req.',
-];
-/**
- * Sensitive data regex patterns
- */
-const SENSITIVE_DATA_PATTERNS = {
-    // SSN pattern (XXX-XX-XXXX)
-    ssn: /\b\d{3}-\d{2}-\d{4}\b/,
-    // Credit card pattern (basic - 13-19 digits, may have spaces/dashes)
-    creditCard: /\b(?:\d{4}[-\s]?){3}\d{1,4}\b/,
-    // Email with sensitive context
-    sensitiveEmail: /\b(?:password|secret|token|key|credential)[\w.-]*@[\w.-]+\.\w+\b/i,
-};
-/**
- * Check if a string contains sensitive data patterns
- */
-function containsSensitiveData(value, sensitivePatterns) {
-    // Check for SSN pattern
-    if (SENSITIVE_DATA_PATTERNS.ssn.test(value)) {
-        return { isSensitive: true, type: 'SSN pattern detected' };
-    }
-    // Check for credit card pattern
-    if (SENSITIVE_DATA_PATTERNS.creditCard.test(value)) {
-        return { isSensitive: true, type: 'Credit card pattern detected' };
-    }
-    // Check for sensitive keywords in variable names or values
-    const lowerValue = value.toLowerCase();
-    for (const pattern of sensitivePatterns) {
-        if (lowerValue.includes(pattern.toLowerCase())) {
-            // Check if it's in a sensitive context (not just a comment or documentation)
-            if (/\b(?:log|console|print|debug|error|warn|info|trace|response|res\.|req\.|body|query|params)\b/i.test(value) ||
-                /\b(?:password|secret|token|key|credential)\s*[:=]/i.test(value)) {
-                return { isSensitive: true, type: `Sensitive data keyword: ${pattern}` };
-            }
-        }
-    }
-    return { isSensitive: false, type: '' };
-}
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text, patterns) {
-    return patterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            return false;
-        }
-    });
-}
-/**
- * Check if a node is in a logging or output context
- */
-function isInLoggingContext(node, sourceCode, loggingPatterns) {
-    // Build regex pattern from logging patterns
-    const patternRegex = new RegExp(`\\b(?:${loggingPatterns.map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|')})\\b`, 'i');
-    let current = node;
-    // Check parent chain for logging calls
-    while (current && 'parent' in current && current.parent) {
-        current = current.parent;
-        if (current.type === 'CallExpression') {
-            const callExpr = current;
-            const callText = sourceCode.getText(current);
-            // Check if it's a logging method call
-            if (callExpr.callee.type === 'MemberExpression') {
-                const memberExpr = callExpr.callee;
-                if (memberExpr.object.type === 'Identifier' && memberExpr.property.type === 'Identifier') {
-                    const objName = memberExpr.object.name.toLowerCase();
-                    const propName = memberExpr.property.name.toLowerCase();
-                    // Check against logging patterns
-                    if (loggingPatterns.some(p => objName.includes(p.toLowerCase()) || propName.includes(p.toLowerCase()))) {
-                        return true;
-                    }
-                }
-            }
-            // Also check for patterns in the call text
-            if (patternRegex.test(callText)) {
-                return true;
-            }
-        }
-        // Check if it's in an object expression that's being logged
-        if (current.type === 'ObjectExpression') {
-            // Check if parent is a CallExpression with logging
-            if (current.parent && current.parent.type === 'CallExpression') {
-                const parentCall = current.parent;
-                const callText = sourceCode.getText(parentCall);
-                if (patternRegex.test(callText)) {
-                    return true;
-                }
-            }
-        }
-    }
-    return false;
-}
-exports.noExposedSensitiveData = (0, eslint_devkit_2.createRule)({
-    name: 'no-exposed-sensitive-data',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects exposure of PII/sensitive data (SSN, credit card numbers in logs, etc.)',
-        },
-        hasSuggestions: true,
-        messages: {
-            exposedSensitiveData: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Exposed Sensitive Data',
-                cwe: 'CWE-200',
-                description: 'Sensitive data exposure detected: {{issue}}',
-                severity: 'CRITICAL',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
-            }),
-            sanitizeData: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Sanitize Data',
-                description: 'Remove or mask sensitive information',
-                severity: 'LOW',
-                fix: 'Mask or remove sensitive data before logging/transmitting',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow sensitive data in test files',
-                    },
-                    sensitivePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Patterns to detect sensitive data',
-                    },
-                    loggingPatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Logging/output patterns to detect',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            sensitivePatterns: [],
-            loggingPatterns: [],
-            ignorePatterns: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, sensitivePatterns, loggingPatterns, ignorePatterns = [], } = options;
-        const patternsToCheck = sensitivePatterns && sensitivePatterns.length > 0
-            ? sensitivePatterns
-            : DEFAULT_SENSITIVE_PATTERNS;
-        const loggingPatternsToCheck = loggingPatterns && loggingPatterns.length > 0
-            ? loggingPatterns
-            : DEFAULT_LOGGING_PATTERNS;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        function checkLiteral(node) {
-            if (isTestFile) {
-                return;
-            }
-            if (typeof node.value !== 'string') {
-                return;
-            }
-            const value = node.value;
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Only check if in logging/output context
-            if (!isInLoggingContext(node, sourceCode, loggingPatternsToCheck)) {
-                return;
-            }
-            const { isSensitive, type } = containsSensitiveData(value, patternsToCheck);
-            if (isSensitive) {
-                // For SSN and credit card patterns, don't provide auto-fix suggestions
-                // as they require manual review
-                const isPatternMatch = type.includes('pattern detected');
-                context.report({
-                    node,
-                    messageId: 'exposedSensitiveData',
-                    data: {
-                        issue: `${type} in logging/output context`,
-                        safeAlternative: 'Remove or mask sensitive data before logging: logger.info({ userId: user.id }) instead of logger.info({ password: user.password })',
-                    },
-                    ...(isPatternMatch ? {} : {
-                        suggest: [
-                            {
-                                messageId: 'sanitizeData',
-                                fix(fixer) {
-                                    // Suggest removing or masking the sensitive data
-                                    return fixer.replaceText(node, '"***REDACTED***"');
-                                },
-                            },
-                        ],
-                    }),
-                });
-            }
-        }
-        function checkIdentifier(node) {
-            if (isTestFile) {
-                return;
-            }
-            const name = node.name;
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Only check if in logging/output context
-            if (!isInLoggingContext(node, sourceCode, loggingPatternsToCheck)) {
-                return;
-            }
-            // Check if identifier name contains sensitive patterns
-            const lowerName = name.toLowerCase();
-            for (const pattern of patternsToCheck) {
-                if (lowerName.includes(pattern.toLowerCase())) {
-                    // Check if it's being accessed in a sensitive way
-                    if (node.parent) {
-                        const parentText = sourceCode.getText(node.parent);
-                        // Build regex pattern from logging patterns
-                        const loggingPatternRegex = new RegExp(`\\b(?:${loggingPatternsToCheck.map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|')})\\b`, 'i');
-                        if (loggingPatternRegex.test(parentText)) {
-                            // Get the actual property name from context
-                            const actualPropertyName = name;
-                            context.report({
-                                node,
-                                messageId: 'exposedSensitiveData',
-                                data: {
-                                    issue: `Sensitive variable "${name}" exposed in logging/output`,
-                                    safeAlternative: `Remove or mask sensitive data: logger.info({ userId: user.id }) instead of logger.info({ ${actualPropertyName}: user.${actualPropertyName} })`,
-                                },
-                                // Don't provide auto-fix suggestions for identifiers (too risky)
-                            });
-                            break;
-                        }
-                    }
-                }
-            }
-        }
-        function checkMemberExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Only check if in logging/output context
-            if (!isInLoggingContext(node, sourceCode, loggingPatternsToCheck)) {
-                return;
-            }
-            // Check if property name contains sensitive patterns
-            if (node.property.type === 'Identifier') {
-                const propertyName = node.property.name.toLowerCase();
-                for (const pattern of patternsToCheck) {
-                    if (propertyName.includes(pattern.toLowerCase())) {
-                        const objectName = node.object.type === 'Identifier' ? node.object.name : 'object';
-                        context.report({
-                            node,
-                            messageId: 'exposedSensitiveData',
-                            data: {
-                                issue: `Sensitive property "${node.property.name}" exposed in logging/output`,
-                                safeAlternative: `Remove or mask sensitive data: logger.info({ userId: user.id }) instead of logger.info({ ${node.property.name}: ${objectName}.${node.property.name} })`,
-                            },
-                            // Don't provide auto-fix suggestions for property access (too risky)
-                        });
-                        break;
-                    }
-                }
-            }
-        }
-        return {
-            Literal: checkLiteral,
-            Identifier: checkIdentifier,
-            MemberExpression: checkMemberExpression,
-        };
-    },
-});

package/src/rules/no-http-urls/index.d.ts

@@ -1,12 +0,0 @@
-/**
- * @fileoverview Disallow hardcoded HTTP URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/319.html
- */
-export interface Options {
-    /** List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1) */
-    allowedHosts?: string[];
-    /** List of ports allowed for HTTP (e.g., 3000, 8080 for development) */
-    allowedPorts?: number[];
-}
-export declare const noHttpUrls: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;