eslint-plugin-secure-coding 3.0.0 → 3.0.2

package/src/rules/detect-non-literal-fs-filename/index.js

@@ -1,454 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectNonLiteralFsFilename = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const FS_OPERATIONS = [
-    {
-        method: 'readFile',
-        dangerous: true,
-        vulnerability: 'file-access',
-        safePattern: 'path.resolve(SAFE_DIR, path.basename(userInput))',
-        example: {
-            bad: 'fs.readFile(userPath, callback)',
-            good: 'const safePath = path.join(SAFE_UPLOADS_DIR, path.basename(userPath)); fs.readFile(safePath, callback)'
-        },
-        effort: '10-15 minutes'
-    },
-    {
-        method: 'writeFile',
-        dangerous: true,
-        vulnerability: 'file-access',
-        safePattern: 'path.resolve(SAFE_DIR, path.basename(userInput))',
-        example: {
-            bad: 'fs.writeFile(userPath, data, callback)',
-            good: 'const safePath = path.join(SAFE_WRITES_DIR, path.basename(userPath)); fs.writeFile(safePath, data, callback)'
-        },
-        effort: '10-15 minutes'
-    },
-    {
-        method: 'stat',
-        dangerous: true,
-        vulnerability: 'path-traversal',
-        safePattern: 'path.resolve(baseDir, userInput) with validation',
-        example: {
-            bad: 'fs.stat(userPath, callback)',
-            good: 'const resolvedPath = path.resolve(SAFE_DIR, userPath);\nif (!resolvedPath.startsWith(SAFE_DIR)) return;\nfs.stat(resolvedPath, callback)'
-        },
-        effort: '15-20 minutes'
-    },
-    {
-        method: 'readdir',
-        dangerous: true,
-        vulnerability: 'directory-traversal',
-        safePattern: 'Validate directory is within allowed paths',
-        example: {
-            bad: 'fs.readdir(userDir, callback)',
-            good: 'const resolvedDir = path.resolve(ALLOWED_DIRS, userDir);\nif (!resolvedDir.startsWith(ALLOWED_DIRS)) return;\nfs.readdir(resolvedDir, callback)'
-        },
-        effort: '15-20 minutes'
-    }
-];
-exports.detectNonLiteralFsFilename = (0, eslint_devkit_2.createRule)({
-    name: 'detect-non-literal-fs-filename',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system',
-        },
-        messages: {
-            // 🎯 Token optimization: 39% reduction (49→30 tokens) - template variables still work
-            fsPathTraversal: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: '🔑',
-                issueName: 'Path traversal',
-                cwe: 'CWE-22',
-                description: 'Path traversal vulnerability',
-                severity: '{{riskLevel}}',
-                fix: '{{safePattern}}',
-                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
-            }),
-            usePathResolve: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use path.resolve',
-                description: 'Use path.resolve() to normalize paths',
-                severity: 'LOW',
-                fix: 'path.resolve(SAFE_DIR, userInput)',
-                documentationLink: 'https://nodejs.org/api/path.html#pathresolvepaths',
-            }),
-            validatePath: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Validate Path',
-                description: 'Validate resolved path starts with allowed base',
-                severity: 'LOW',
-                fix: 'if (!resolved.startsWith(SAFE_DIR)) throw new Error()',
-                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
-            }),
-            useBasename: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use path.basename',
-                description: 'Use path.basename() to strip directory components',
-                severity: 'LOW',
-                fix: 'path.basename(userInput)',
-                documentationLink: 'https://nodejs.org/api/path.html#pathbasenamepath-suffix',
-            }),
-            createSafeDir: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Define Safe Directory',
-                description: 'Define SAFE_DIR constant',
-                severity: 'LOW',
-                fix: 'const SAFE_DIR = path.resolve(__dirname, "uploads")',
-                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
-            }),
-            whitelistExtensions: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Whitelist Extensions',
-                description: 'Whitelist allowed file extensions',
-                severity: 'LOW',
-                fix: 'const ALLOWED_EXT = [".txt", ".pdf"]; if (!ALLOWED_EXT.includes(ext)) throw',
-                documentationLink: 'https://owasp.org/www-community/attacks/Path_Traversal',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowLiterals: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow literal string paths'
-                    },
-                    additionalMethods: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional fs methods to check'
-                    },
-                    allowedExtensions: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Allowed file extensions (e.g., [".txt", ".json"])'
-                    }
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowLiterals: false,
-            additionalMethods: []
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { allowLiterals = false, additionalMethods = [] } = options || {};
-        /**
-         * File system methods that can be dangerous with user input
-         */
-        const dangerousMethods = [
-            'readFile', 'readFileSync',
-            'writeFile', 'writeFileSync',
-            'appendFile', 'appendFileSync',
-            'stat', 'statSync',
-            'lstat', 'lstatSync',
-            'readdir', 'readdirSync',
-            'unlink', 'unlinkSync',
-            'mkdir', 'mkdirSync',
-            'rmdir', 'rmdirSync',
-            'access', 'accessSync',
-            'createReadStream', 'createWriteStream',
-            ...additionalMethods
-        ];
-        /**
-         * Check if a node is a literal string (safe)
-         */
-        const isLiteralString = (node) => {
-            return node.type === 'Literal' && typeof node.value === 'string';
-        };
-        /**
-         * Check if path has dangerous patterns like ../ or ..\
-         */
-        const hasTraversalPatterns = (pathStr) => {
-            return /\.\.[/\\]/.test(pathStr) || /^\.\.[/\\]/.test(pathStr);
-        };
-        /**
-         * Extract path argument from fs call
-         */
-        const extractPathArgument = (node) => {
-            const method = node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier
-                ? node.callee.property.name
-                : 'unknown';
-            const operation = FS_OPERATIONS.find(op => op.method === method) || null;
-            // First argument is usually the path
-            const pathNode = node.arguments.length > 0 ? node.arguments[0] : null;
-            const sourceCode = context.sourceCode || context.sourceCode;
-            const path = pathNode ? sourceCode.getText(pathNode) : '';
-            return { path, pathNode, method, operation };
-        };
-        /**
-         * Determine if the path argument is potentially dangerous
-         */
-        const isDangerousPath = (pathNode, pathStr) => {
-            // Allow literals if configured
-            if (allowLiterals && pathNode && isLiteralString(pathNode)) {
-                return false;
-            }
-            // Check for obvious traversal patterns in literals
-            if (pathNode && isLiteralString(pathNode) && hasTraversalPatterns(pathStr)) {
-                return true;
-            }
-            // SAFE: path.join(__dirname, 'literal', 'path') with all literal args
-            if (pathNode && isSafePathConstruction(pathNode)) {
-                return false;
-            }
-            // SAFE: Path variable inside validated if-block with startsWith check
-            if (pathNode && hasPathValidation(pathNode)) {
-                return false;
-            }
-            // Any non-literal is dangerous
-            return !pathNode || !isLiteralString(pathNode);
-        };
-        /**
-         * Check if path is constructed safely using path.join/__dirname with literal args
-         *
-         * Safe patterns:
-         * - path.join(__dirname, 'data', 'file.json')
-         * - path.resolve(__dirname, 'uploads')
-         */
-        const isSafePathConstruction = (pathNode) => {
-            if (pathNode.type !== eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                return false;
-            }
-            const callee = pathNode.callee;
-            if (callee.type !== eslint_devkit_1.AST_NODE_TYPES.MemberExpression ||
-                callee.object.type !== eslint_devkit_1.AST_NODE_TYPES.Identifier ||
-                callee.object.name !== 'path' ||
-                callee.property.type !== eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                return false;
-            }
-            const method = callee.property.name;
-            if (!['join', 'resolve'].includes(method)) {
-                return false;
-            }
-            const args = pathNode.arguments;
-            if (args.length === 0) {
-                return false;
-            }
-            // First arg should be __dirname or a literal
-            const firstArg = args[0];
-            const isFirstArgSafe = (firstArg.type === eslint_devkit_1.AST_NODE_TYPES.Identifier && firstArg.name === '__dirname') ||
-                (firstArg.type === eslint_devkit_1.AST_NODE_TYPES.Literal && typeof firstArg.value === 'string');
-            if (!isFirstArgSafe) {
-                return false;
-            }
-            // All remaining args should be literals
-            for (let i = 1; i < args.length; i++) {
-                const arg = args[i];
-                if (arg.type !== eslint_devkit_1.AST_NODE_TYPES.Literal || typeof arg.value !== 'string') {
-                    return false;
-                }
-                // Also check for traversal patterns in literals
-                if (hasTraversalPatterns(String(arg.value))) {
-                    return false;
-                }
-            }
-            return true;
-        };
-        /**
-         * Check if the path variable has been validated with startsWith()
-         *
-         * Safe patterns:
-         * 1. Inside if-block: if (safePath.startsWith(SAFE_DIR)) { fs.readFileSync(safePath); }
-         * 2. After guard clause: if (!safePath.startsWith(SAFE_DIR)) { throw }; fs.readFileSync(safePath);
-         */
-        const hasPathValidation = (pathNode) => {
-            if (pathNode.type !== eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                return false;
-            }
-            const varName = pathNode.name;
-            // AST-based validation detection (faster than getText + regex)
-            const isStartsWithOrIncludesCall = (testNode) => {
-                // Handle negation: !path.startsWith(...)
-                if (testNode.type === eslint_devkit_1.AST_NODE_TYPES.UnaryExpression &&
-                    testNode.operator === '!' &&
-                    testNode.argument.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                    testNode = testNode.argument;
-                }
-                // Pattern: varName.startsWith(...) or varName.includes(...)
-                if (testNode.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    testNode.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    testNode.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    testNode.callee.object.name === varName &&
-                    testNode.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    (testNode.callee.property.name === 'startsWith' ||
-                        testNode.callee.property.name === 'includes')) {
-                    return true;
-                }
-                return false;
-            };
-            const hasEarlyExit = (consequent) => {
-                if (consequent.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement) {
-                    return consequent.body.some(stmt => stmt.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement ||
-                        stmt.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement);
-                }
-                return consequent.type === eslint_devkit_1.AST_NODE_TYPES.ThrowStatement ||
-                    consequent.type === eslint_devkit_1.AST_NODE_TYPES.ReturnStatement;
-            };
-            // Walk up to find enclosing IfStatement or BlockStatement
-            let current = pathNode.parent;
-            let foundFunctionBody = false;
-            while (current && !foundFunctionBody) {
-                // Check 1: Inside an if-block with validation
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement) {
-                    if (isStartsWithOrIncludesCall(current.test)) {
-                        return true;
-                    }
-                }
-                // Check 2: In a function body, look for preceding sibling if-statements with guard clause
-                if (current.type === eslint_devkit_1.AST_NODE_TYPES.BlockStatement && current.parent && (current.parent.type === eslint_devkit_1.AST_NODE_TYPES.FunctionDeclaration ||
-                    current.parent.type === eslint_devkit_1.AST_NODE_TYPES.FunctionExpression ||
-                    current.parent.type === eslint_devkit_1.AST_NODE_TYPES.ArrowFunctionExpression)) {
-                    foundFunctionBody = true;
-                    const blockBody = current.body;
-                    const nodeIndex = blockBody.findIndex((stmt) => {
-                        let check = pathNode;
-                        while (check) {
-                            if (check === stmt)
-                                return true;
-                            check = check.parent;
-                        }
-                        return false;
-                    });
-                    // Look at preceding statements for validation patterns with early exit
-                    for (let i = 0; i < nodeIndex; i++) {
-                        const stmt = blockBody[i];
-                        if (stmt.type === eslint_devkit_1.AST_NODE_TYPES.IfStatement &&
-                            isStartsWithOrIncludesCall(stmt.test) &&
-                            hasEarlyExit(stmt.consequent)) {
-                            return true;
-                        }
-                    }
-                }
-                current = current.parent;
-            }
-            return false;
-        };
-        /**
-         * Generate refactoring steps based on the operation
-         */
-        const generateRefactoringSteps = (operation) => {
-            switch (operation.method) {
-                case 'readFile':
-                case 'writeFile':
-                    return [
-                        '   1. Define a SAFE_DIR constant for allowed operations',
-                        '   2. Use path.basename() to strip directory components',
-                        '   3. Combine with SAFE_DIR: path.join(SAFE_DIR, path.basename(userPath))',
-                        '   4. Optionally validate file extensions',
-                        '   5. Add error handling for invalid paths'
-                    ].join('\n');
-                case 'stat':
-                    return [
-                        '   1. Use path.resolve() to normalize the path',
-                        '   2. Check if resolved path starts with allowed base directory',
-                        '   3. Reject requests that escape the allowed directory',
-                        '   4. Use path.relative() for additional validation',
-                        '   5. Log security events for monitoring'
-                    ].join('\n');
-                case 'readdir':
-                    return [
-                        '   1. Resolve the directory path: path.resolve(ALLOWED_DIRS, userDir)',
-                        '   2. Validate resolved path starts with ALLOWED_DIRS',
-                        '   3. Check directory exists and is readable',
-                        '   4. Consider whitelisting allowed directories',
-                        '   5. Add rate limiting to prevent enumeration attacks'
-                    ].join('\n');
-                default:
-                    return [
-                        '   1. Identify the specific file operation needed',
-                        '   2. Define safe base directories for operations',
-                        '   3. Use path.resolve() and validate containment',
-                        '   4. Sanitize user input (basename, extension validation)',
-                        '   5. Add comprehensive error handling'
-                    ].join('\n');
-            }
-        };
-        /**
-         * Determine risk level based on the operation and path
-         */
-        const determineRiskLevel = (operation, pathStr) => {
-            if (hasTraversalPatterns(pathStr)) {
-                return 'CRITICAL';
-            }
-            if (operation.dangerous) {
-                return 'HIGH';
-            }
-            return 'MEDIUM';
-        };
-        /**
-         * Check fs method calls for path traversal vulnerabilities
-         */
-        const checkFsCall = (node) => {
-            // Check if it's an fs method call
-            if (node.callee.type !== 'MemberExpression' ||
-                node.callee.object.type !== 'Identifier' ||
-                node.callee.object.name !== 'fs' ||
-                node.callee.property.type !== 'Identifier') {
-                return;
-            }
-            const methodName = node.callee.property.name;
-            // Skip if not a dangerous method
-            if (!dangerousMethods.includes(methodName)) {
-                return;
-            }
-            const { path, pathNode, method, operation } = extractPathArgument(node);
-            // Check if the path argument is dangerous
-            if (!isDangerousPath(pathNode, path)) {
-                return;
-            }
-            const riskLevel = determineRiskLevel(operation || FS_OPERATIONS[0], path);
-            const steps = operation ? generateRefactoringSteps(operation) : 'Review file system access patterns';
-            const safePattern = operation?.safePattern || 'Use path.resolve() with validation';
-            context.report({
-                node,
-                messageId: 'fsPathTraversal',
-                data: {
-                    method,
-                    path,
-                    riskLevel,
-                    vulnerability: operation?.vulnerability || 'path traversal',
-                    safePattern,
-                    steps,
-                    effort: operation?.effort || '15-20 minutes'
-                },
-                suggest: [
-                    {
-                        messageId: 'usePathResolve',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'validatePath',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'useBasename',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'createSafeDir',
-                        fix: () => null
-                    },
-                    {
-                        messageId: 'whitelistExtensions',
-                        fix: () => null
-                    }
-                ]
-            });
-        };
-        return {
-            CallExpression: checkFsCall
-        };
-    },
-});

package/src/rules/detect-suspicious-dependencies/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Detect potential typosquatting in dependencies
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/506.html
- */
-export interface Options {
-}
-export declare const detectSuspiciousDependencies: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/detect-suspicious-dependencies/index.js

@@ -1,71 +0,0 @@
-"use strict";
-/**
- * @fileoverview Detect potential typosquatting in dependencies
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/506.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectSuspiciousDependencies = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.detectSuspiciousDependencies = (0, eslint_devkit_1.createRule)({
-    name: 'detect-suspicious-dependencies',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detect typosquatting in package names',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Suspicious Dependency',
-                cwe: 'CWE-506',
-                description: 'Suspicious package name detected - possible typosquatting',
-                severity: 'HIGH',
-                fix: 'Verify package authenticity on npm registry',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/506.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        const popularPackages = ['react', 'lodash', 'express', 'axios', 'webpack'];
-        function levenshtein(a, b) {
-            const matrix = [];
-            for (let i = 0; i <= b.length; i++) {
-                matrix[i] = [i];
-            }
-            for (let j = 0; j <= a.length; j++) {
-                matrix[0][j] = j;
-            }
-            for (let i = 1; i <= b.length; i++) {
-                for (let j = 1; j <= a.length; j++) {
-                    if (b.charAt(i - 1) === a.charAt(j - 1)) {
-                        matrix[i][j] = matrix[i - 1][j - 1];
-                    }
-                    else {
-                        matrix[i][j] = Math.min(matrix[i - 1][j - 1] + 1, matrix[i][j - 1] + 1, matrix[i - 1][j] + 1);
-                    }
-                }
-            }
-            return matrix[b.length][a.length];
-        }
-        return {
-            ImportDeclaration(node) {
-                const source = node.source.value;
-                if (typeof source === 'string' && !source.startsWith('.') && !source.startsWith('@')) {
-                    for (const popular of popularPackages) {
-                        const distance = levenshtein(source, popular);
-                        if (distance > 0 && distance <= 2) {
-                            context.report({
-                                node,
-                                messageId: 'violationDetected',
-                                data: { name: source, similar: popular },
-                            });
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-allow-arbitrary-loads/index.d.ts

@@ -1,8 +0,0 @@
-/**
- * @fileoverview Prevent configuration allowing insecure loads
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/749.html
- */
-export interface Options {
-}
-export declare const noAllowArbitraryLoads: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-allow-arbitrary-loads/index.js

@@ -1,47 +0,0 @@
-"use strict";
-/**
- * @fileoverview Prevent configuration allowing insecure loads
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/749.html
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noAllowArbitraryLoads = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noAllowArbitraryLoads = (0, eslint_devkit_1.createRule)({
-    name: 'no-allow-arbitrary-loads',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent configuration allowing insecure loads',
-            category: 'Security',
-            recommended: true,
-            owaspMobile: ['M5'],
-            cweIds: ["CWE-749"],
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-295',
-                description: 'Prevent configuration allowing insecure loads detected - allowArbitraryLoads: true',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/295.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            Property(node) {
-                if (node.key.type === 'Identifier' &&
-                    node.key.name === 'allowArbitraryLoads' &&
-                    node.value.type === 'Literal' &&
-                    node.value.value === true) {
-                    context.report({ node, messageId: 'violationDetected' });
-                }
-            },
-        };
-    },
-});

package/src/rules/no-arbitrary-file-access/index.d.ts

@@ -1,13 +0,0 @@
-/**
- * @fileoverview Prevent file access from user input
- *
- * False Positive Reduction:
- * This rule detects safe patterns including:
- * - path.basename() sanitization
- * - path.join() with validated base directories
- * - startsWith() validation guards
- * - Early-return throw patterns
- */
-export interface Options {
-}
-export declare const noArbitraryFileAccess: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;