npm - eslint-plugin-secure-coding - Versions diffs - 3.0.0 → 3.0.2 - Mend

eslint-plugin-secure-coding 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/src/rules/no-http-urls/index.js DELETED Viewed

@@ -1,114 +0,0 @@
-"use strict";
-/**
- * @fileoverview Disallow hardcoded HTTP URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/319.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noHttpUrls = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noHttpUrls = (0, eslint_devkit_1.createRule)({
-    name: 'no-http-urls',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Disallow hardcoded HTTP URLs (require HTTPS)',
-        },
-        messages: {
-            insecureHttp: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 7.5,
-                description: 'Hardcoded HTTP URL detected: "{{url}}"',
-                severity: 'HIGH',
-                compliance: ['SOC2', 'PCI-DSS', 'HIPAA'],
-                fix: 'Use HTTPS instead: const url = "https://..."',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-            insecureHttpWithException: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.WARNING,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 5.3,
-                description: 'HTTP URL detected: "{{url}}"',
-                severity: 'MEDIUM',
-                fix: 'Use HTTPS or add to allowedHosts config',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowedHosts: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        description: 'List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1)',
-                    },
-                    allowedPorts: {
-                        type: 'array',
-                        items: { type: 'number' },
-                        description: 'List of ports allowed for HTTP (e.g., 3000, 8080 for development)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowedHosts: ['localhost', '127.0.0.1'],
-            allowedPorts: [],
-        },
-    ],
-    create(context) {
-        const [options = {}] = context.options;
-        const allowedHosts = options.allowedHosts ?? ['localhost', '127.0.0.1'];
-        const allowedPorts = options.allowedPorts ?? [];
-        function isAllowedException(url) {
-            try {
-                const parsedUrl = new URL(url);
-                // Check if host is in allowed list
-                if (allowedHosts.includes(parsedUrl.hostname)) {
-                    return true;
-                }
-                // Check if port is in allowed list
-                if (parsedUrl.port && allowedPorts.includes(parseInt(parsedUrl.port, 10))) {
-                    return true;
-                }
-                return false;
-            }
-            catch {
-                // If URL parsing fails, treat as pattern match
-                return allowedHosts.some(host => url.includes(host));
-            }
-        }
-        function checkStringValue(node, value) {
-            const httpPattern = /^http:\/\//i;
-            if (httpPattern.test(value) && !isAllowedException(value)) {
-                context.report({
-                    node,
-                    messageId: allowedHosts.length > 0 || allowedPorts.length > 0
-                        ? 'insecureHttpWithException'
-                        : 'insecureHttp',
-                    data: { url: value },
-                });
-            }
-        }
-        return {
-            Literal(node) {
-                if (typeof node.value === 'string') {
-                    checkStringValue(node, node.value);
-                }
-            },
-            TemplateElement(node) {
-                if (node.value.cooked) {
-                    checkStringValue(node, node.value.cooked);
-                }
-            },
-        };
-    },
-});

package/src/rules/no-insecure-redirects/index.d.ts DELETED Viewed

@@ -1,7 +0,0 @@
-export interface Options {
-    /** Ignore in test files. Default: true */
-    ignoreInTests?: boolean;
-    /** Allowed redirect domains. Default: [] */
-    allowedDomains?: string[];
-}
-export declare const noInsecureRedirects: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-insecure-redirects/index.js DELETED Viewed

@@ -1,216 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureRedirects = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if redirect URL is validated
- */
-function isRedirectValidated(node, sourceCode) {
-    const callText = sourceCode.getText(node);
-    // Check if URL is from user input (req.query, req.body, req.params)
-    const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-    if (!userInputPattern.test(callText)) {
-        // Not from user input, assume safe
-        return true;
-    }
-    // Look for validation patterns in the surrounding code
-    // This is a simplified static analysis - in practice, would need data flow analysis
-    const program = sourceCode.ast;
-    const nodeStart = node.loc?.start;
-    const nodeEnd = node.loc?.end;
-    /* c8 ignore start -- Guard clause: loc is always present in RuleTester */
-    if (!nodeStart || !nodeEnd || !program) {
-        return false;
-    }
-    /* c8 ignore stop */
-    // Check for validation function calls before this redirect
-    const validationPatterns = [
-        /\b(validateUrl|validateRedirect|isValidUrl|isSafeUrl)\s*\(/,
-        /\b(whitelist|allowedDomains|permittedUrls)\s*\./,
-        /\b(url\.hostname|url\.host)\s*===/,
-        /\ballowedDomains\.includes\s*\(/,
-        /\bstartsWith\s*\(\s*['"]/,
-        /\bendsWith\s*\(\s*['"]/,
-        /\bindexOf\s*\(\s*['"]/,
-        /\bmatch\s*\(\s*\//,
-    ];
-    // Look for validation in the same function scope
-    let current = node;
-    let depth = 0;
-    const maxDepth = 20;
-    while (current && depth < maxDepth) {
-        // Check siblings before this node
-        const parent = current.parent;
-        if (!parent)
-            break;
-        if (parent.type === 'BlockStatement') {
-            const body = parent.body;
-            const currentIndex = body.indexOf(current);
-            // Check previous statements in the same block
-            for (let i = currentIndex - 1; i >= 0 && i >= currentIndex - 5; i--) {
-                const stmt = body[i];
-                const stmtText = sourceCode.getText(stmt);
-                if (validationPatterns.some(pattern => pattern.test(stmtText))) {
-                    return true; // Found validation
-                }
-            }
-        }
-        current = parent;
-        depth++;
-    }
-    // No validation found
-    return false;
-}
-exports.noInsecureRedirects = (0, eslint_devkit_2.createRule)({
-    name: 'no-insecure-redirects',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects open redirect vulnerabilities',
-        },
-        hasSuggestions: true,
-        messages: {
-            insecureRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Open redirect',
-                cwe: 'CWE-601',
-                description: 'Unvalidated redirect detected - user-controlled URL',
-                severity: 'HIGH',
-                fix: 'Whitelist allowed domains or validate redirect target',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            whitelistDomains: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Whitelist Domains',
-                description: 'Whitelist allowed redirect domains',
-                severity: 'LOW',
-                fix: 'if (allowedDomains.includes(url.hostname)) redirect(url)',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            validateRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Validate Redirect',
-                description: 'Validate redirect URL before use',
-                severity: 'LOW',
-                fix: 'validateRedirectUrl(userInput) before redirect',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            useRelativeUrl: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Relative URL',
-                description: 'Use relative URLs for internal redirects',
-                severity: 'LOW',
-                fix: 'redirect("/internal/path") instead of absolute URLs',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                    allowedDomains: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignoreInTests: true,
-            allowedDomains: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { ignoreInTests = true } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check redirect calls and assignments
-         */
-        function checkCallExpression(node) {
-            // Check for res.redirect, window.location, etc.
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property.type === 'Identifier') {
-                const methodName = node.callee.property.name;
-                if (['redirect', 'replace', 'assign'].includes(methodName)) {
-                    // Check if redirect URL is validated
-                    if (!isRedirectValidated(node, sourceCode)) {
-                        context.report({
-                            node,
-                            messageId: 'insecureRedirect',
-                            suggest: [
-                                {
-                                    messageId: 'whitelistDomains',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'validateRedirect',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'useRelativeUrl',
-                                    fix: () => null,
-                                },
-                            ],
-                        });
-                    }
-                }
-            }
-        }
-        /**
-         * Check assignment expressions like window.location.href = ...
-         */
-        function checkAssignmentExpression(node) {
-            // Check for window.location.href assignments
-            if (node.left.type === 'MemberExpression' &&
-                node.left.object.type === 'MemberExpression' &&
-                node.left.object.object.type === 'Identifier' &&
-                node.left.object.object.name === 'window' &&
-                node.left.object.property.type === 'Identifier' &&
-                node.left.object.property.name === 'location' &&
-                node.left.property.type === 'Identifier' &&
-                ['href', 'replace', 'assign'].includes(node.left.property.name)) {
-                // Check if assignment value comes from user input
-                const rightText = sourceCode.getText(node.right);
-                const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-                if (userInputPattern.test(rightText)) {
-                    context.report({
-                        node,
-                        messageId: 'insecureRedirect',
-                        suggest: [
-                            {
-                                messageId: 'whitelistDomains',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'validateRedirect',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'useRelativeUrl',
-                                fix: () => null,
-                            },
-                        ],
-                    });
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-            AssignmentExpression: checkAssignmentExpression,
-        };
-    },
-});

package/src/rules/no-insecure-websocket/index.d.ts DELETED Viewed

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require secure WebSocket connections (wss://)
- */
-export interface Options {
-}
-export declare const noInsecureWebsocket: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-insecure-websocket/index.js DELETED Viewed

@@ -1,61 +0,0 @@
-"use strict";
-/**
- * @fileoverview Require secure WebSocket connections (wss://)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureWebsocket = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noInsecureWebsocket = (0, eslint_devkit_1.createRule)({
-    name: 'no-insecure-websocket',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require secure WebSocket connections (wss://)',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure WebSocket',
-                cwe: 'CWE-319',
-                description: 'Insecure WebSocket connection (ws://) - data transmitted in clear text',
-                severity: 'HIGH',
-                fix: 'Use wss:// instead of ws:// for secure WebSocket connections',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            NewExpression(node) {
-                // Check for new WebSocket('ws://...')
-                if (node.callee.type === 'Identifier' && node.callee.name === 'WebSocket') {
-                    const urlArg = node.arguments[0];
-                    // Check literal string
-                    if (urlArg && urlArg.type === 'Literal' &&
-                        typeof urlArg.value === 'string' &&
-                        urlArg.value.startsWith('ws://')) {
-                        report(node);
-                    }
-                    // Check template literal
-                    if (urlArg && urlArg.type === 'TemplateLiteral') {
-                        const text = context.sourceCode.getText(urlArg);
-                        if (text.includes('ws://')) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Check for ws:// URLs in string literals
-                if (typeof node.value === 'string' && node.value.startsWith('ws://')) {
-                    report(node);
-                }
-            },
-        };
-    },
-});

package/src/rules/no-missing-cors-check/index.d.ts DELETED Viewed

@@ -1,9 +0,0 @@
-export interface Options {
-    /** Allow missing CORS checks in test files. Default: false */
-    allowInTests?: boolean;
-    /** Trusted CORS libraries. Default: ['cors', '@koa/cors', 'express-cors'] */
-    trustedLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-export declare const noMissingCorsCheck: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;