eslint-plugin-secure-coding 3.0.1 → 3.0.2

package/src/rules/no-http-urls/index.js

@@ -1,119 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noHttpUrls = void 0;
-/**
- * @fileoverview Disallow hardcoded HTTP URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/319.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noHttpUrls = (0, eslint_devkit_1.createRule)({
-    name: 'no-http-urls',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Disallow hardcoded HTTP URLs (require HTTPS)',
-        },
-        messages: {
-            insecureHttp: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 7.5,
-                description: 'Hardcoded HTTP URL detected: "{{url}}"',
-                severity: 'HIGH',
-                compliance: ['SOC2', 'PCI-DSS', 'HIPAA'],
-                fix: 'Use HTTPS instead: const url = "https://..."',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-            insecureHttpWithException: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.WARNING,
-                issueName: 'Insecure HTTP URL',
-                cwe: 'CWE-319',
-                owasp: 'A02:2021',
-                cvss: 5.3,
-                description: 'HTTP URL detected: "{{url}}"',
-                severity: 'MEDIUM',
-                fix: 'Use HTTPS or add to allowedHosts config',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowedHosts: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        description: 'List of hostnames allowed to use HTTP (e.g., localhost, 127.0.0.1)',
-                    },
-                    allowedPorts: {
-                        type: 'array',
-                        items: { type: 'number' },
-                        description: 'List of ports allowed for HTTP (e.g., 3000, 8080 for development)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowedHosts: ['localhost', '127.0.0.1'],
-            allowedPorts: [],
-        },
-    ],
-    create(context) {
-        const [options = {}] = context.options;
-        const allowedHosts = options.allowedHosts ?? ['localhost', '127.0.0.1'];
-        const allowedPorts = options.allowedPorts ?? [];
-        function isAllowedException(url) {
-            try {
-                const parsedUrl = new URL(url);
-                // Check if host is in allowed list
-                if (allowedHosts.includes(parsedUrl.hostname)) {
-                    return true;
-                }
-                // Check if port is in allowed list
-                if (parsedUrl.port && allowedPorts.includes(parseInt(parsedUrl.port, 10))) {
-                    return true;
-                }
-                return false;
-            }
-            catch {
-                // If URL parsing fails, treat as pattern match
-                return allowedHosts.some(host => url.includes(host));
-            }
-        }
-        function checkStringValue(node, value) {
-            const httpPattern = /^http:\/\//i;
-            if (httpPattern.test(value) && !isAllowedException(value)) {
-                context.report({
-                    node,
-                    messageId: allowedHosts.length > 0 || allowedPorts.length > 0
-                        ? 'insecureHttpWithException'
-                        : 'insecureHttp',
-                    data: { url: value },
-                });
-            }
-        }
-        return {
-            Literal(node) {
-                if (typeof node.value === 'string') {
-                    checkStringValue(node, node.value);
-                }
-            },
-            TemplateElement(node) {
-                if (node.value.cooked) {
-                    checkStringValue(node, node.value.cooked);
-                }
-            },
-        };
-    },
-});

package/src/rules/no-insecure-redirects/index.d.ts

@@ -1,24 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-insecure-redirects
- * Detects open redirect vulnerabilities
- * CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- *
- * @see https://cwe.mitre.org/data/definitions/601.html
- * @see https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'insecureRedirect' | 'whitelistDomains' | 'validateRedirect' | 'useRelativeUrl';
-export interface Options {
-    /** Ignore in test files. Default: true */
-    ignoreInTests?: boolean;
-    /** Allowed redirect domains. Default: [] */
-    allowedDomains?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noInsecureRedirects: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};

package/src/rules/no-insecure-redirects/index.js

@@ -1,221 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureRedirects = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if redirect URL is validated
- */
-function isRedirectValidated(node, sourceCode) {
-    const callText = sourceCode.getText(node);
-    // Check if URL is from user input (req.query, req.body, req.params)
-    const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-    if (!userInputPattern.test(callText)) {
-        // Not from user input, assume safe
-        return true;
-    }
-    // Look for validation patterns in the surrounding code
-    // This is a simplified static analysis - in practice, would need data flow analysis
-    const program = sourceCode.ast;
-    const nodeStart = node.loc?.start;
-    const nodeEnd = node.loc?.end;
-    /* c8 ignore start -- Guard clause: loc is always present in RuleTester */
-    if (!nodeStart || !nodeEnd || !program) {
-        return false;
-    }
-    /* c8 ignore stop */
-    // Check for validation function calls before this redirect
-    const validationPatterns = [
-        /\b(validateUrl|validateRedirect|isValidUrl|isSafeUrl)\s*\(/,
-        /\b(whitelist|allowedDomains|permittedUrls)\s*\./,
-        /\b(url\.hostname|url\.host)\s*===/,
-        /\ballowedDomains\.includes\s*\(/,
-        /\bstartsWith\s*\(\s*['"]/,
-        /\bendsWith\s*\(\s*['"]/,
-        /\bindexOf\s*\(\s*['"]/,
-        /\bmatch\s*\(\s*\//,
-    ];
-    // Look for validation in the same function scope
-    let current = node;
-    let depth = 0;
-    const maxDepth = 20;
-    while (current && depth < maxDepth) {
-        // Check siblings before this node
-        const parent = current.parent;
-        if (!parent)
-            break;
-        if (parent.type === 'BlockStatement') {
-            const body = parent.body;
-            const currentIndex = body.indexOf(current);
-            // Check previous statements in the same block
-            for (let i = currentIndex - 1; i >= 0 && i >= currentIndex - 5; i--) {
-                const stmt = body[i];
-                const stmtText = sourceCode.getText(stmt);
-                if (validationPatterns.some(pattern => pattern.test(stmtText))) {
-                    return true; // Found validation
-                }
-            }
-        }
-        current = parent;
-        depth++;
-    }
-    // No validation found
-    return false;
-}
-exports.noInsecureRedirects = (0, eslint_devkit_2.createRule)({
-    name: 'no-insecure-redirects',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects open redirect vulnerabilities',
-        },
-        hasSuggestions: true,
-        messages: {
-            insecureRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Open redirect',
-                cwe: 'CWE-601',
-                description: 'Unvalidated redirect detected - user-controlled URL',
-                severity: 'HIGH',
-                fix: 'Whitelist allowed domains or validate redirect target',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            whitelistDomains: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Whitelist Domains',
-                description: 'Whitelist allowed redirect domains',
-                severity: 'LOW',
-                fix: 'if (allowedDomains.includes(url.hostname)) redirect(url)',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            validateRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Validate Redirect',
-                description: 'Validate redirect URL before use',
-                severity: 'LOW',
-                fix: 'validateRedirectUrl(userInput) before redirect',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            useRelativeUrl: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Relative URL',
-                description: 'Use relative URLs for internal redirects',
-                severity: 'LOW',
-                fix: 'redirect("/internal/path") instead of absolute URLs',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                    allowedDomains: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignoreInTests: true,
-            allowedDomains: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { ignoreInTests = true } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check redirect calls and assignments
-         */
-        function checkCallExpression(node) {
-            // Check for res.redirect, window.location, etc.
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property.type === 'Identifier') {
-                const methodName = node.callee.property.name;
-                if (['redirect', 'replace', 'assign'].includes(methodName)) {
-                    // Check if redirect URL is validated
-                    if (!isRedirectValidated(node, sourceCode)) {
-                        context.report({
-                            node,
-                            messageId: 'insecureRedirect',
-                            suggest: [
-                                {
-                                    messageId: 'whitelistDomains',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'validateRedirect',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'useRelativeUrl',
-                                    fix: () => null,
-                                },
-                            ],
-                        });
-                    }
-                }
-            }
-        }
-        /**
-         * Check assignment expressions like window.location.href = ...
-         */
-        function checkAssignmentExpression(node) {
-            // Check for window.location.href assignments
-            if (node.left.type === 'MemberExpression' &&
-                node.left.object.type === 'MemberExpression' &&
-                node.left.object.object.type === 'Identifier' &&
-                node.left.object.object.name === 'window' &&
-                node.left.object.property.type === 'Identifier' &&
-                node.left.object.property.name === 'location' &&
-                node.left.property.type === 'Identifier' &&
-                ['href', 'replace', 'assign'].includes(node.left.property.name)) {
-                // Check if assignment value comes from user input
-                const rightText = sourceCode.getText(node.right);
-                const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-                if (userInputPattern.test(rightText)) {
-                    context.report({
-                        node,
-                        messageId: 'insecureRedirect',
-                        suggest: [
-                            {
-                                messageId: 'whitelistDomains',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'validateRedirect',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'useRelativeUrl',
-                                fix: () => null,
-                            },
-                        ],
-                    });
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-            AssignmentExpression: checkAssignmentExpression,
-        };
-    },
-});

package/src/rules/no-insecure-websocket/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noInsecureWebsocket: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-insecure-websocket/index.js

@@ -1,66 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureWebsocket = void 0;
-/**
- * @fileoverview Require secure WebSocket connections (wss://)
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noInsecureWebsocket = (0, eslint_devkit_1.createRule)({
-    name: 'no-insecure-websocket',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require secure WebSocket connections (wss://)',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure WebSocket',
-                cwe: 'CWE-319',
-                description: 'Insecure WebSocket connection (ws://) - data transmitted in clear text',
-                severity: 'HIGH',
-                fix: 'Use wss:// instead of ws:// for secure WebSocket connections',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            NewExpression(node) {
-                // Check for new WebSocket('ws://...')
-                if (node.callee.type === 'Identifier' && node.callee.name === 'WebSocket') {
-                    const urlArg = node.arguments[0];
-                    // Check literal string
-                    if (urlArg && urlArg.type === 'Literal' &&
-                        typeof urlArg.value === 'string' &&
-                        urlArg.value.startsWith('ws://')) {
-                        report(node);
-                    }
-                    // Check template literal
-                    if (urlArg && urlArg.type === 'TemplateLiteral') {
-                        const text = context.sourceCode.getText(urlArg);
-                        if (text.includes('ws://')) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Check for ws:// URLs in string literals
-                if (typeof node.value === 'string' && node.value.startsWith('ws://')) {
-                    report(node);
-                }
-            },
-        };
-    },
-});

package/src/rules/no-missing-cors-check/index.d.ts

@@ -1,26 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-missing-cors-check
- * Detects missing CORS validation (wildcard CORS, missing origin check)
- * CWE-346: Origin Validation Error
- *
- * @see https://cwe.mitre.org/data/definitions/346.html
- * @see https://owasp.org/www-community/attacks/CORS_Misconfiguration
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'missingCorsCheck' | 'useOriginValidation' | 'useCorsMiddleware';
-export interface Options {
-    /** Allow missing CORS checks in test files. Default: false */
-    allowInTests?: boolean;
-    /** Trusted CORS libraries. Default: ['cors', '@koa/cors', 'express-cors'] */
-    trustedLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noMissingCorsCheck: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};