eslint-plugin-secure-coding 3.0.0 → 3.0.2

package/src/rules/no-redos-vulnerable-regex/index.d.ts

@@ -1,7 +1,28 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-redos-vulnerable-regex
+ * Detects ReDoS-vulnerable regex patterns in literal regex patterns
+ * CWE-400: Uncontrolled Resource Consumption
+ *
+ * Complements detect-non-literal-regexp by checking literal regex patterns
+ *
+ * @see https://cwe.mitre.org/data/definitions/400.html
+ * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'redosVulnerable' | 'useAtomicGroups' | 'usePossessiveQuantifiers' | 'restructureRegex' | 'useSafeLibrary';
 export interface Options {
     /** Allow certain common patterns. Default: false */
     allowCommonPatterns?: boolean;
     /** Maximum pattern length to analyze. Default: 500 */
     maxPatternLength?: number;
 }
-export declare const noRedosVulnerableRegex: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noRedosVulnerableRegex: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-redos-vulnerable-regex/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noRedosVulnerableRegex = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-sensitive-data-exposure/index.d.ts

@@ -1,3 +1,18 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-sensitive-data-exposure
+ * Detects PII/credentials in logs, responses, or error messages
+ * Priority 5: Security with Data Flow Analysis
+ * CWE-532: Information Exposure Through Log Files
+ *
+ * @see https://cwe.mitre.org/data/definitions/532.html
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'sensitiveDataExposure' | 'redactData' | 'useMasking' | 'removeFromLogs';
 export interface Options {
     /** Sensitive data patterns. Default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card'] */
     sensitivePatterns?: string[];
@@ -8,4 +23,8 @@ export interface Options {
     /** Check API responses. Default: true */
     checkApiResponses?: boolean;
 }
-export declare const noSensitiveDataExposure: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noSensitiveDataExposure: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-sensitive-data-exposure/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noSensitiveDataExposure = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unchecked-loop-condition/index.d.ts

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unchecked-loop-condition
+ * Detects unchecked loop conditions that could cause DoS (CWE-400, CWE-606)
+ *
+ * Loops with unchecked conditions can cause denial of service by consuming
+ * excessive CPU time or memory. This includes infinite loops, loops with
+ * user-controlled bounds, and loops without proper termination conditions.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe loop patterns with clear termination
+ * - Development/debugging loops
+ * - JSDoc annotations (@safe-loop, @intentional)
+ * - Timeout protections
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'uncheckedLoopCondition' | 'infiniteLoop' | 'userControlledLoopBound' | 'missingLoopTermination' | 'largeLoopBound' | 'unsafeRecursion' | 'limitLoopIterations';
 export interface Options extends SecurityRuleOptions {
     /** Maximum allowed loop iterations for static analysis */
     maxStaticIterations?: number;
@@ -9,4 +31,8 @@ export interface Options extends SecurityRuleOptions {
     /** Maximum recursion depth to allow */
     maxRecursionDepth?: number;
 }
-export declare const noUncheckedLoopCondition: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUncheckedLoopCondition: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-unchecked-loop-condition/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUncheckedLoopCondition = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unlimited-resource-allocation/index.d.ts

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unlimited-resource-allocation
+ * Detects unlimited resource allocation vulnerabilities (CWE-770)
+ *
+ * Unlimited resource allocation can cause denial of service by exhausting
+ * system resources like memory, file handles, or network connections.
+ * This rule detects patterns where resources are allocated without limits.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe resource allocation patterns
+ * - Proper resource limits
+ * - JSDoc annotations (@limited-resource, @safe-allocation)
+ * - Resource cleanup patterns
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'unlimitedResourceAllocation' | 'unlimitedBufferAllocation' | 'unlimitedFileOperations' | 'unlimitedNetworkConnections' | 'unlimitedMemoryAllocation' | 'userControlledResourceSize' | 'missingResourceLimits' | 'resourceAllocationInLoop' | 'implementResourceLimits' | 'validateResourceSize' | 'useResourcePools' | 'strategyResourceManagement' | 'strategyRateLimiting' | 'strategyResourceCleanup';
 export interface Options extends SecurityRuleOptions {
     /** Maximum allowed resource size for static analysis */
     maxResourceSize?: number;
@@ -9,4 +31,8 @@ export interface Options extends SecurityRuleOptions {
     /** Require resource validation */
     requireResourceValidation?: boolean;
 }
-export declare const noUnlimitedResourceAllocation: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnlimitedResourceAllocation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-unlimited-resource-allocation/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnlimitedResourceAllocation = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unsafe-deserialization/index.d.ts

@@ -1,4 +1,30 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-deserialization
+ * Detects unsafe deserialization of untrusted data (CWE-502)
+ *
+ * Unsafe deserialization occurs when untrusted data is deserialized in a way that
+ * allows attackers to execute arbitrary code or manipulate application logic.
+ * This includes:
+ * - Using dangerous deserialization libraries
+ * - eval() or Function() on untrusted data
+ * - YAML/XML parsers that can execute code
+ * - Unsafe use of serialization libraries
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe deserialization patterns
+ * - Input validation and sanitization
+ * - JSDoc annotations (@safe, @validated)
+ * - Trusted deserialization libraries
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'unsafeDeserialization' | 'dangerousEvalUsage' | 'unsafeYamlParsing' | 'dangerousFunctionConstructor' | 'untrustedDeserializationInput' | 'useSafeDeserializer' | 'validateBeforeDeserialization' | 'avoidEval' | 'strategySafeLibraries' | 'strategyInputValidation' | 'strategySandboxing';
 export interface Options extends SecurityRuleOptions {
     /** Dangerous deserialization functions to detect */
     dangerousFunctions?: string[];
@@ -7,4 +33,8 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate input before deserialization */
     validationFunctions?: string[];
 }
-export declare const noUnsafeDeserialization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnsafeDeserialization: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-unsafe-deserialization/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnsafeDeserialization = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-unsafe-regex-construction/index.d.ts

@@ -1,3 +1,20 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-unsafe-regex-construction
+ * Detects unsafe regex construction patterns (user input without escaping, dynamic flags)
+ * CWE-400: Uncontrolled Resource Consumption
+ *
+ * Extends detect-non-literal-regexp with pattern analysis
+ *
+ * @see https://cwe.mitre.org/data/definitions/400.html
+ * @see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'unsafeRegexConstruction' | 'escapeUserInput' | 'validatePattern' | 'useSafeLibrary' | 'avoidDynamicFlags';
 export interface Options {
     /** Allow literal string patterns. Default: false */
     allowLiterals?: boolean;
@@ -6,4 +23,8 @@ export interface Options {
     /** Maximum pattern length for dynamic regex. Default: 100 */
     maxPatternLength?: number;
 }
-export declare const noUnsafeRegexConstruction: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noUnsafeRegexConstruction: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-unsafe-regex-construction/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noUnsafeRegexConstruction = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-weak-password-recovery/index.d.ts

@@ -1,4 +1,26 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-weak-password-recovery
+ * Detects weak password recovery mechanisms (CWE-640)
+ *
+ * Weak password recovery mechanisms can allow attackers to reset passwords
+ * for other users, gain unauthorized access, or perform account takeover.
+ * This rule detects obvious vulnerabilities in password recovery logic.
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Proper recovery implementations
+ * - Rate limiting mechanisms
+ * - Secure token generation
+ * - JSDoc annotations (@secure-recovery, @rate-limited)
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'weakPasswordRecovery' | 'missingRateLimit' | 'predictableRecoveryToken' | 'unlimitedRecoveryAttempts' | 'insufficientTokenEntropy' | 'missingTokenExpiration' | 'recoveryLoggingSensitiveData' | 'weakRecoveryVerification' | 'tokenReuseVulnerability' | 'implementRateLimiting' | 'useCryptographicallySecureTokens' | 'implementTokenExpiration' | 'secureRecoveryFlow' | 'strategyMultiFactor' | 'strategyOutOfBandVerification' | 'strategyTimeBoundTokens';
 export interface Options extends SecurityRuleOptions {
     /** Minimum token entropy bits */
     minTokenEntropy?: number;
@@ -9,4 +31,8 @@ export interface Options extends SecurityRuleOptions {
     /** Secure token generation functions */
     secureTokenFunctions?: string[];
 }
-export declare const noWeakPasswordRecovery: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noWeakPasswordRecovery: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-weak-password-recovery/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noWeakPasswordRecovery = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-xpath-injection/index.d.ts

@@ -1,4 +1,29 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-xpath-injection
+ * Detects XPath injection vulnerabilities (CWE-643)
+ *
+ * XPath injection occurs when user input is improperly inserted into XPath
+ * queries, allowing attackers to:
+ * - Access unauthorized XML nodes and data
+ * - Extract sensitive information from XML documents
+ * - Perform XPath-based attacks and data exfiltration
+ * - Bypass authentication or authorization checks
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe XPath construction methods
+ * - Input validation and sanitization
+ * - JSDoc annotations (@xpath-safe, @validated)
+ * - Trusted XPath libraries
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
 import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
+type MessageIds = 'xpathInjection' | 'unsafeXpathConcatenation' | 'unvalidatedXpathInput' | 'dangerousXpathExpression' | 'useParameterizedXpath' | 'escapeXpathInput' | 'validateXpathQueries' | 'strategyParameterizedQueries' | 'strategyInputValidation' | 'strategySafeConstruction';
 export interface Options extends SecurityRuleOptions {
     /** XPath-related function names to check */
     xpathFunctions?: string[];
@@ -7,4 +32,8 @@ export interface Options extends SecurityRuleOptions {
     /** Functions that validate/sanitize XPath input */
     xpathValidationFunctions?: string[];
 }
-export declare const noXpathInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noXpathInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-xpath-injection/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noXpathInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/no-xxe-injection/index.d.ts

@@ -1,7 +1,36 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+/**
+ * ESLint Rule: no-xxe-injection
+ * Detects XML External Entity (XXE) injection vulnerabilities (CWE-611)
+ *
+ * XXE injection occurs when XML parsers process external entity references,
+ * allowing attackers to:
+ * - Read sensitive local files
+ * - Make HTTP requests to internal services
+ * - Cause DoS through entity expansion (billion laughs)
+ * - Perform SSRF attacks
+ *
+ * False Positive Reduction:
+ * This rule uses security utilities to reduce false positives by detecting:
+ * - Safe XML libraries (libxmljs with secure config, xmldom with entity resolution disabled)
+ * - Proper parser configuration
+ * - JSDoc annotations (@safe, @xxe-safe)
+ * - Input validation and sanitization
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+type MessageIds = 'xxeInjection' | 'unsafeXmlParser' | 'externalEntityEnabled' | 'untrustedXmlSource';
 export interface Options {
     /** Parser options that indicate safe configuration */
     safeParserOptions?: string[];
     /** Functions that validate/sanitize XML input */
     xmlValidationFunctions?: string[];
 }
-export declare const noXxeInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const noXxeInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/no-xxe-injection/index.js

@@ -1,4 +1,9 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noXxeInjection = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");

package/src/rules/require-backend-authorization/index.d.ts

@@ -1,6 +1,12 @@
 /**
- * @fileoverview Require server-side authorization checks
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const requireBackendAuthorization: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const requireBackendAuthorization: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/require-backend-authorization/index.js

@@ -1,9 +1,14 @@
 "use strict";
 /**
- * @fileoverview Require server-side authorization checks
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.requireBackendAuthorization = void 0;
+/**
+ * @fileoverview Require server-side authorization checks
+ */
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.requireBackendAuthorization = (0, eslint_devkit_1.createRule)({
     name: 'require-backend-authorization',

package/src/rules/require-secure-defaults/index.d.ts

@@ -1,8 +1,12 @@
 /**
- * @fileoverview Ensure secure default configurations
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/453.html
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 export interface Options {
 }
-export declare const requireSecureDefaults: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
+type RuleOptions = [Options?];
+export declare const requireSecureDefaults: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
+export {};

package/src/rules/require-secure-defaults/index.js

@@ -1,11 +1,16 @@
 "use strict";
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireSecureDefaults = void 0;
 /**
  * @fileoverview Ensure secure default configurations
  * @see https://owasp.org/www-project-mobile-top-10/
  * @see https://cwe.mitre.org/data/definitions/453.html
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireSecureDefaults = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 exports.requireSecureDefaults = (0, eslint_devkit_1.createRule)({
     name: 'require-secure-defaults',
@@ -13,10 +18,6 @@ exports.requireSecureDefaults = (0, eslint_devkit_1.createRule)({
         type: 'problem',
         docs: {
             description: 'Ensure secure default configurations',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M8'],
-            cweIds: ["CWE-453"],
         },
         messages: {
             violationDetected: (0, eslint_devkit_1.formatLLMMessage)({

package/src/types/index.d.ts

@@ -1,29 +1,19 @@
+/**
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
+ */
 /**
  * eslint-plugin-secure-coding Type Exports
  *
  * Barrel file that exports all security rule Options types with consistent naming.
- *
- * Usage:
- * ```typescript
- * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
- *
- * const config: NoHardcodedCredentialsOptions = {
- *   ignorePatterns: ['test/*'],
- * };
- * ```
  */
-import type { Options as DetectEvalWithExpressionOptions } from '../rules/detect-eval-with-expression';
-import type { Options as DetectChildProcessOptions } from '../rules/detect-child-process';
-import type { Options as NoUnsafeDynamicRequireOptions } from '../rules/no-unsafe-dynamic-require';
 import type { Options as NoGraphqlInjectionOptions } from '../rules/no-graphql-injection';
 import type { Options as NoXxeInjectionOptions } from '../rules/no-xxe-injection';
 import type { Options as NoXpathInjectionOptions } from '../rules/no-xpath-injection';
 import type { Options as NoLdapInjectionOptions } from '../rules/no-ldap-injection';
 import type { Options as NoDirectiveInjectionOptions } from '../rules/no-directive-injection';
 import type { Options as NoFormatStringInjectionOptions } from '../rules/no-format-string-injection';
-import type { Options as DetectNonLiteralFsFilenameOptions } from '../rules/detect-non-literal-fs-filename';
-import type { Options as NoZipSlipOptions } from '../rules/no-zip-slip';
-import type { Options as NoToctouVulnerabilityOptions } from '../rules/no-toctou-vulnerability';
 import type { Options as DetectNonLiteralRegexpOptions } from '../rules/detect-non-literal-regexp';
 import type { Options as NoRedosVulnerableRegexOptions } from '../rules/no-redos-vulnerable-regex';
 import type { Options as NoUnsafeRegexConstructionOptions } from '../rules/no-unsafe-regex-construction';
@@ -31,52 +21,28 @@ import type { Options as DetectObjectInjectionOptions } from '../rules/detect-ob
 import type { Options as NoUnsafeDeserializationOptions } from '../rules/no-unsafe-deserialization';
 import type { Options as NoHardcodedCredentialsOptions } from '../rules/no-hardcoded-credentials';
 import type { Options as NoInsecureComparisonOptions } from '../rules/no-insecure-comparison';
-import type { Options as NoUnvalidatedUserInputOptions } from '../rules/no-unvalidated-user-input';
-import type { Options as NoUnescapedUrlParameterOptions } from '../rules/no-unescaped-url-parameter';
 import type { Options as NoImproperSanitizationOptions } from '../rules/no-improper-sanitization';
 import type { Options as NoImproperTypeValidationOptions } from '../rules/no-improper-type-validation';
 import type { Options as NoMissingAuthenticationOptions } from '../rules/no-missing-authentication';
 import type { Options as NoPrivilegeEscalationOptions } from '../rules/no-privilege-escalation';
 import type { Options as NoWeakPasswordRecoveryOptions } from '../rules/no-weak-password-recovery';
-import type { Options as NoMissingCsrfProtectionOptions } from '../rules/no-missing-csrf-protection';
-import type { Options as NoMissingCorsCheckOptions } from '../rules/no-missing-cors-check';
-import type { Options as NoMissingSecurityHeadersOptions } from '../rules/no-missing-security-headers';
-import type { Options as NoInsecureRedirectsOptions } from '../rules/no-insecure-redirects';
-import type { Options as NoUnencryptedTransmissionOptions } from '../rules/no-unencrypted-transmission';
-import type { Options as NoClickjackingOptions } from '../rules/no-clickjacking';
-import type { Options as NoExposedSensitiveDataOptions } from '../rules/no-exposed-sensitive-data';
+import type { Options as RequireBackendAuthorizationOptions } from '../rules/require-backend-authorization';
 import type { Options as NoSensitiveDataExposureOptions } from '../rules/no-sensitive-data-exposure';
-import type { Options as NoBufferOverreadOptions } from '../rules/no-buffer-overread';
+import type { Options as NoPiiInLogsOptions } from '../rules/no-pii-in-logs';
 import type { Options as NoUnlimitedResourceAllocationOptions } from '../rules/no-unlimited-resource-allocation';
 import type { Options as NoUncheckedLoopConditionOptions } from '../rules/no-unchecked-loop-condition';
 import type { Options as NoElectronSecurityIssuesOptions } from '../rules/no-electron-security-issues';
-export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
+export type { NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoPiiInLogsOptions, RequireBackendAuthorizationOptions, NoSensitiveDataExposureOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
 /**
  * Combined type for all security rule options
- * Useful for creating unified configuration objects
- *
- * @example
- * ```typescript
- * const config: AllSecurityRulesOptions = {
- *   'no-hardcoded-credentials': {
- *     ignorePatterns: ['test/*'],
- *   },
- * };
- * ```
  */
 export type AllSecurityRulesOptions = {
-    'detect-eval-with-expression'?: DetectEvalWithExpressionOptions;
-    'detect-child-process'?: DetectChildProcessOptions;
-    'no-unsafe-dynamic-require'?: NoUnsafeDynamicRequireOptions;
     'no-graphql-injection'?: NoGraphqlInjectionOptions;
     'no-xxe-injection'?: NoXxeInjectionOptions;
     'no-xpath-injection'?: NoXpathInjectionOptions;
     'no-ldap-injection'?: NoLdapInjectionOptions;
     'no-directive-injection'?: NoDirectiveInjectionOptions;
     'no-format-string-injection'?: NoFormatStringInjectionOptions;
-    'detect-non-literal-fs-filename'?: DetectNonLiteralFsFilenameOptions;
-    'no-zip-slip'?: NoZipSlipOptions;
-    'no-toctou-vulnerability'?: NoToctouVulnerabilityOptions;
     'detect-non-literal-regexp'?: DetectNonLiteralRegexpOptions;
     'no-redos-vulnerable-regex'?: NoRedosVulnerableRegexOptions;
     'no-unsafe-regex-construction'?: NoUnsafeRegexConstructionOptions;
@@ -84,22 +50,14 @@ export type AllSecurityRulesOptions = {
     'no-unsafe-deserialization'?: NoUnsafeDeserializationOptions;
     'no-hardcoded-credentials'?: NoHardcodedCredentialsOptions;
     'no-insecure-comparison'?: NoInsecureComparisonOptions;
-    'no-unvalidated-user-input'?: NoUnvalidatedUserInputOptions;
-    'no-unescaped-url-parameter'?: NoUnescapedUrlParameterOptions;
     'no-improper-sanitization'?: NoImproperSanitizationOptions;
     'no-improper-type-validation'?: NoImproperTypeValidationOptions;
     'no-missing-authentication'?: NoMissingAuthenticationOptions;
     'no-privilege-escalation'?: NoPrivilegeEscalationOptions;
     'no-weak-password-recovery'?: NoWeakPasswordRecoveryOptions;
-    'no-missing-csrf-protection'?: NoMissingCsrfProtectionOptions;
-    'no-missing-cors-check'?: NoMissingCorsCheckOptions;
-    'no-missing-security-headers'?: NoMissingSecurityHeadersOptions;
-    'no-insecure-redirects'?: NoInsecureRedirectsOptions;
-    'no-unencrypted-transmission'?: NoUnencryptedTransmissionOptions;
-    'no-clickjacking'?: NoClickjackingOptions;
-    'no-exposed-sensitive-data'?: NoExposedSensitiveDataOptions;
+    'no-pii-in-logs'?: NoPiiInLogsOptions;
+    'require-backend-authorization'?: RequireBackendAuthorizationOptions;
     'no-sensitive-data-exposure'?: NoSensitiveDataExposureOptions;
-    'no-buffer-overread'?: NoBufferOverreadOptions;
     'no-unlimited-resource-allocation'?: NoUnlimitedResourceAllocationOptions;
     'no-unchecked-loop-condition'?: NoUncheckedLoopConditionOptions;
     'no-electron-security-issues'?: NoElectronSecurityIssuesOptions;

package/src/types/index.js

@@ -1,16 +1,7 @@
 "use strict";
 /**
- * eslint-plugin-secure-coding Type Exports
- *
- * Barrel file that exports all security rule Options types with consistent naming.
- *
- * Usage:
- * ```typescript
- * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
- *
- * const config: NoHardcodedCredentialsOptions = {
- *   ignorePatterns: ['test/*'],
- * };
- * ```
+ * Copyright (c) 2025 Ofri Peretz
+ * Licensed under the MIT License. Use of this source code is governed by the
+ * MIT license that can be found in the LICENSE file.
  */
 Object.defineProperty(exports, "__esModule", { value: true });