npm - eslint-plugin-secure-coding - Versions diffs - 3.0.0 → 3.0.2 - Mend

eslint-plugin-secure-coding 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/src/rules/no-directive-injection/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-directive-injection
+ * Detects directive injection vulnerabilities (CWE-96)
+ *
+ * Directive injection occurs when user input is used to inject malicious
+ * directives into template systems (Angular, Vue, React, etc.). Attackers
+ * can inject directives that execute arbitrary code or manipulate the DOM.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe directive usage patterns
+ * - Trusted directive sources
+ * - JSDoc annotations (@trusted-directive, @safe-template)
+ * - Framework-specific safe patterns
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'directiveInjection' | 'unsafeDirectiveName' | 'dynamicDirectiveCreation' | 'templateInjection' | 'unsafeComponentBinding' | 'userControlledTemplate' | 'dangerousInnerHTML' | 'untrustedDirectiveSource' | 'useTrustedDirectives' | 'sanitizeTemplateInput' | 'validateDirectiveNames' | 'strategyTemplateSanitization' | 'strategyContentSecurity' | 'strategyInputValidation';
 export interface Options extends SecurityRuleOptions {
     /** Trusted directive/component names */
     trustedDirectives?: string[];
@@ -9,4 +31,8 @@ export interface Options extends SecurityRuleOptions {
     /** Allow dynamic directives in specific contexts */
     allowDynamicInComponents?: boolean;
 }
-export declare const noDirectiveInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noDirectiveInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-directive-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noDirectiveInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-electron-security-issues/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-electron-security-issues
+ * Detects Electron security vulnerabilities (CWE-16)
+ *
+ * Electron applications can be vulnerable to security issues when not properly
+ * configured. This rule detects insecure Electron configurations and patterns
+ * that could allow privilege escalation, code execution, or data leakage.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe Electron configurations
+ * - Development vs production environments
+ * - JSDoc annotations (@electron-safe, @dev-only)
+ * - Trusted Electron security patterns
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'electronSecurityIssue' | 'nodeIntegrationEnabled' | 'contextIsolationDisabled' | 'webSecurityDisabled' | 'insecureContentEnabled' | 'unsafePreloadScript' | 'directNodeAccess' | 'insecureIpcPattern' | 'missingSandbox' | 'enableSecurityFeatures' | 'useContextIsolation' | 'securePreloadScripts' | 'strategySecureDefaults' | 'strategyProcessSeparation' | 'strategyInputValidation';
 export interface Options extends SecurityRuleOptions {
     /** Allow insecure settings in development */
     allowInDev?: boolean;
@@ -7,4 +29,8 @@ export interface Options extends SecurityRuleOptions {
     /** Allowed IPC channels */
     allowedIpcChannels?: string[];
 }
-export declare const noElectronSecurityIssues: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noElectronSecurityIssues: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-electron-security-issues/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noElectronSecurityIssues = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-format-string-injection/index.d.ts CHANGED Viewed

@@ -1,3 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-format-string-injection
+ * Detects format string injection vulnerabilities (CWE-134)
+ *
+ * Format string injection occurs when user input is used as a format string
+ * in functions like util.format(), printf-style functions, or logging functions.
+ * Attackers can use format specifiers (%s, %d, etc.) to leak information or
+ * cause crashes.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe format strings (hardcoded, validated)
+ * - Proper format string escaping
+ * - JSDoc annotations (@safe-format, @validated)
+ * - Trusted formatting libraries
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'formatStringInjection' | 'unsafeFormatSpecifier' | 'userControlledFormatString' | 'missingFormatValidation' | 'escapeFormatString' | 'useSafeFormatting';
 export interface Options {
     /** Functions that use format strings */
     formatFunctions?: string[];
@@ -14,4 +37,8 @@ export interface Options {
     /** Disable all false positive detection (strict mode) */
     strictMode?: boolean;
 }
-export declare const noFormatStringInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noFormatStringInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-format-string-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noFormatStringInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-graphql-injection/index.d.ts CHANGED Viewed

@@ -1,4 +1,28 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-graphql-injection
+ * Detects GraphQL injection vulnerabilities and DoS attacks (CWE-89, CWE-400)
+ *
+ * GraphQL injection occurs when user input is improperly inserted into GraphQL
+ * queries, allowing attackers to:
+ * - Read/modify unauthorized data
+ * - Perform DoS attacks with complex queries
+ * - Extract schema information via introspection
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe GraphQL libraries (apollo-server, graphql-tools)
+ * - Proper query builders and sanitizers
+ * - JSDoc annotations (@safe, @validated)
+ * - Input validation functions
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'graphqlInjection' | 'introspectionQuery' | 'complexQueryDos' | 'unsafeVariableInterpolation' | 'missingInputValidation' | 'useQueryBuilder' | 'disableIntrospection' | 'limitQueryDepth' | 'strategyQueryBuilder' | 'strategyInputValidation' | 'strategyIntrospection';
 export interface Options extends SecurityRuleOptions {
     /** Allow introspection queries. Default: false (security-first) */
     allowIntrospection?: boolean;
@@ -9,4 +33,8 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate GraphQL input */
     validationFunctions?: string[];
 }
-export declare const noGraphqlInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noGraphqlInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-graphql-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noGraphqlInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-hardcoded-credentials/index.d.ts CHANGED Viewed

@@ -1,3 +1,17 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-hardcoded-credentials
+ * Detects hardcoded passwords, API keys, tokens, and other sensitive credentials
+ * CWE-798: Use of Hard-coded Credentials
+ *
+ * @see https://cwe.mitre.org/data/definitions/798.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'useEnvironmentVariable' | 'useSecretManager' | 'strategyEnv' | 'strategyConfig' | 'strategyVault' | 'strategyAuto';
 export interface Options {
     /** Patterns to ignore (regex strings). Default: [] */
     ignorePatterns?: string[];
@@ -23,4 +37,8 @@ export interface Options {
     /** Strategy for fixing hardcoded credentials: 'env', 'config', 'vault', 'auto' */
     strategy?: 'env' | 'config' | 'vault' | 'auto';
 }
-export declare const noHardcodedCredentials: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noHardcodedCredentials: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-hardcoded-credentials/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noHardcodedCredentials = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-hardcoded-session-tokens/index.d.ts CHANGED Viewed

@@ -1,6 +1,12 @@
 /**
- * @fileoverview Detect hardcoded session/JWT tokens
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noHardcodedSessionTokens: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noHardcodedSessionTokens: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-hardcoded-session-tokens/index.js CHANGED Viewed

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Detect hardcoded session/JWT tokens
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noHardcodedSessionTokens = void 0;
+/**
+ * @fileoverview Detect hardcoded session/JWT tokens
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noHardcodedSessionTokens = (0, eslint_devkit_1.createRule)({
     name: 'no-hardcoded-session-tokens',

package/src/rules/no-improper-sanitization/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-improper-sanitization
+ * Detects improper sanitization of user input (CWE-94, CWE-79, CWE-116)
+ *
+ * Improper sanitization occurs when user input is not properly cleaned
+ * before use in sensitive contexts. This can lead to injection attacks,
+ * XSS, or other security vulnerabilities.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Known safe sanitization patterns
+ * - Trusted sanitization libraries
+ * - JSDoc annotations (@sanitized, @safe)
+ * - Context-aware validation
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'improperSanitization' | 'insufficientXssProtection' | 'incompleteHtmlEscaping' | 'unsafeReplaceSanitization' | 'missingContextEncoding' | 'dangerousSanitizerUsage' | 'sqlInjectionSanitization' | 'commandInjectionSanitization' | 'useProperSanitization' | 'validateSanitization' | 'implementContextAware' | 'strategyDefenseInDepth' | 'strategyInputValidation' | 'strategyOutputEncoding';
 export interface Options extends SecurityRuleOptions {
     /** Safe sanitization functions */
     safeSanitizers?: string[];
@@ -9,4 +31,8 @@ export interface Options extends SecurityRuleOptions {
     /** Trusted sanitization libraries */
     trustedLibraries?: string[];
 }
-export declare const noImproperSanitization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noImproperSanitization: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-improper-sanitization/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noImproperSanitization = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-improper-type-validation/index.d.ts CHANGED Viewed

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-improper-type-validation
+ * Detects improper type validation in user input handling (CWE-1287)
+ *
+ * Improper type validation can lead to security vulnerabilities when
+ * user input is not properly validated, allowing attackers to bypass
+ * security checks or cause unexpected behavior.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe type checking patterns
+ * - TypeScript type guards
+ * - Proper validation functions
+ * - JSDoc annotations (@validated, @type-checked)
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'improperTypeValidation' | 'unsafeTypeofCheck' | 'unsafeInstanceofUsage' | 'looseEqualityTypeCheck' | 'missingNullCheck' | 'unreliableConstructorCheck' | 'incompleteTypeValidation' | 'useTypeofCorrectly' | 'useProperTypeGuards' | 'validateUserInput' | 'strategyTypeGuards' | 'strategySchemaValidation' | 'strategyDefensiveProgramming';
 export interface Options extends SecurityRuleOptions {
     /** Variables that contain user input and should be validated */
     userInputVariables?: string[];
@@ -7,4 +29,8 @@ export interface Options extends SecurityRuleOptions {
     /** Whether to allow instanceof in same-realm contexts */
     allowInstanceofSameRealm?: boolean;
 }
-export declare const noImproperTypeValidation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noImproperTypeValidation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-improper-type-validation/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noImproperTypeValidation = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-insecure-comparison/index.d.ts CHANGED Viewed

@@ -1,7 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-insecure-comparison
+ * Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities
+ * CWE-697: Incorrect Comparison
+ *
+ * @see https://cwe.mitre.org/data/definitions/697.html
+ * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'insecureComparison' | 'useStrictEquality' | 'timingUnsafeComparison';
 export interface Options {
     /** Allow insecure comparison in test files. Default: false */
     allowInTests?: boolean;
     /** Additional patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noInsecureComparison: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noInsecureComparison: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-insecure-comparison/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noInsecureComparison = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-ldap-injection/index.d.ts CHANGED Viewed

@@ -1,4 +1,29 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-ldap-injection
+ * Detects LDAP injection vulnerabilities (CWE-90)
+ *
+ * LDAP injection occurs when user input is improperly inserted into LDAP
+ * queries, allowing attackers to:
+ * - Bypass authentication and authorization
+ * - Extract sensitive directory information
+ * - Perform unauthorized LDAP operations
+ * - Enumerate users through blind injection techniques
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe LDAP libraries with built-in escaping
+ * - Input validation and sanitization functions
+ * - JSDoc annotations (@ldap-safe, @escaped)
+ * - Parameterized LDAP query construction
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'ldapInjection' | 'unsafeLdapFilter' | 'unescapedLdapInput' | 'dangerousLdapOperation' | 'useLdapEscaping' | 'validateLdapInput' | 'useParameterizedLdap' | 'strategyInputValidation' | 'strategySafeLibraries' | 'strategyFilterConstruction';
 export interface Options extends SecurityRuleOptions {
     /** LDAP-related function names to check */
     ldapFunctions?: string[];
@@ -7,4 +32,8 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate LDAP input */
     ldapValidationFunctions?: string[];
 }
-export declare const noLdapInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noLdapInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-ldap-injection/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noLdapInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-missing-authentication/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-missing-authentication
+ * Detects missing authentication checks in route handlers
+ * CWE-287: Improper Authentication
+ *
+ * @see https://cwe.mitre.org/data/definitions/287.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Authentication
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'missingAuthentication' | 'addAuthentication';
 export interface Options {
     /** Allow missing authentication in test files. Default: false */
     allowInTests?: boolean;
@@ -10,4 +25,8 @@ export interface Options {
     /** Additional patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noMissingAuthentication: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noMissingAuthentication: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-missing-authentication/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noMissingAuthentication = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
@@ -316,7 +321,6 @@ exports.noMissingAuthentication = (0, eslint_devkit_2.createRule)({
                                 suggest: [
                                     {
                                         messageId: 'addAuthentication',
-                                        // eslint-disable-next-line @typescript-eslint/no-unused-vars
                                         fix: (_fixer) => null,
                                     },
                                 ],

package/src/rules/no-pii-in-logs/index.d.ts CHANGED Viewed

@@ -1,8 +1,12 @@
 /**
- * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/532.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const noPiiInLogs: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPiiInLogs: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-pii-in-logs/index.js CHANGED Viewed

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noPiiInLogs = void 0;
 /**
  * @fileoverview Prevent PII (email, SSN, credit cards) in console logs
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/532.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPiiInLogs = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
     name: 'no-pii-in-logs',
@@ -13,10 +18,6 @@ exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Prevent PII (email, SSN, credit cards) in console logs',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M6'],
-            cweIds: ["CWE-532"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
@@ -42,21 +43,23 @@ exports.noPiiInLogs = (0, eslint_devkit_1.createRule)({
         return {
             CallExpression(node) {
                 // Check console.log/error/warn calls
-                if (node.type === 'CallExpression' &&
-                    node.callee.type === 'MemberExpression' &&
+                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                    node.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     node.callee.object.name === 'console' &&
+                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
                     ['log', 'error', 'warn', 'info'].includes(node.callee.property.name)) {
                     // Check arguments for PII-related property access
                     for (const arg of node.arguments) {
-                        if (arg.type === 'MemberExpression') {
-                            const propName = arg.property.name?.toLowerCase();
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
+                            arg.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
+                            const propName = arg.property.name.toLowerCase();
                             const piiProps = ['email', 'ssn', 'password', 'creditcard', 'phone'];
-                            if (piiProps.some(p => propName?.includes(p))) {
+                            if (piiProps.some(p => propName.includes(p))) {
                                 report(node);
                             }
                         }
                         // Check string literals mentioning PII
-                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
+                        if (arg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof arg.value === 'string') {
                             const text = arg.value.toLowerCase();
                             if (text.includes('email:') || text.includes('ssn:') || text.includes('password:')) {
                                 report(node);

package/src/rules/no-privilege-escalation/index.d.ts CHANGED Viewed

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-privilege-escalation
+ * Detects potential privilege escalation vulnerabilities
+ * CWE-269: Improper Privilege Management
+ *
+ * @see https://cwe.mitre.org/data/definitions/269.html
+ * @see https://owasp.org/www-community/vulnerabilities/Improper_Access_Control
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'privilegeEscalation' | 'addRoleCheck';
 export interface Options {
     /** Allow privilege escalation patterns in test files. Default: false */
     allowInTests?: boolean;
@@ -10,4 +25,8 @@ export interface Options {
     /** Additional patterns to ignore. Default: [] */
     ignorePatterns?: string[];
 }
-export declare const noPrivilegeEscalation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noPrivilegeEscalation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-privilege-escalation/index.js CHANGED Viewed

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noPrivilegeEscalation = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");