eslint-plugin-secure-coding 3.0.1 → 3.0.2

package/src/rules/no-toctou-vulnerability/index.js

@@ -1,213 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noToctouVulnerability = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-exports.noToctouVulnerability = (0, eslint_devkit_2.createRule)({
-    name: 'no-toctou-vulnerability',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects Time-of-Check-Time-of-Use vulnerabilities',
-        },
-        hasSuggestions: true,
-        messages: {
-            toctouVulnerability: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'TOCTOU vulnerability',
-                cwe: 'CWE-367',
-                description: 'Time-of-check Time-of-use race condition detected',
-                severity: 'HIGH',
-                fix: 'Use atomic operations or fs.promises for file operations',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/367.html',
-            }),
-            useAtomicOperations: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Atomic Operations',
-                description: 'Use atomic file operations',
-                severity: 'LOW',
-                fix: 'fs.promises.access() then fs.promises.readFile()',
-                documentationLink: 'https://nodejs.org/api/fs.html#fspromisesaccesspath-mode',
-            }),
-            useFsPromises: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use fs.promises',
-                description: 'Use fs.promises API',
-                severity: 'LOW',
-                fix: 'await fs.promises.readFile() instead of sync operations',
-                documentationLink: 'https://nodejs.org/api/fs.html#promises-api',
-            }),
-            addProperLocking: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Add File Locking',
-                description: 'Add proper locking mechanism',
-                severity: 'LOW',
-                fix: 'Use proper-lockfile or similar for concurrent access',
-                documentationLink: 'https://github.com/moxystudio/node-proper-lockfile',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                    fsMethods: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignoreInTests: true,
-            fsMethods: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { ignoreInTests = true } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check for TOCTOU patterns
-         */
-        function checkCallExpression(node) {
-            // 1. Identify the file operation (Use)
-            let useMethodName = '';
-            if (node.callee.type === 'MemberExpression' && node.callee.property.type === 'Identifier') {
-                const objectName = node.callee.object.type === 'Identifier' ? node.callee.object.name : '';
-                if (objectName === 'fs' || objectName === 'fsPromises') {
-                    useMethodName = node.callee.property.name;
-                }
-            }
-            else if (node.callee.type === 'Identifier') {
-                useMethodName = node.callee.name;
-            }
-            const riskyUseMethods = ['readFileSync', 'writeFileSync', 'readFile', 'writeFile', 'openSync', 'open', 'unlinkSync', 'unlink'];
-            if (!riskyUseMethods.includes(useMethodName)) {
-                return;
-            }
-            const useArg = node.arguments[0];
-            if (!useArg)
-                return;
-            // 2. Walk up to find the condition (Check)
-            let current = node.parent;
-            while (current) {
-                if (current.type === 'IfStatement') {
-                    // Extract the condition node
-                    let condition = current.test;
-                    // Handle negated condition: if (!exists(path)) { create(path) } -> also TOCTOU but different logic? 
-                    // Actually TOCTOU is usually Check(exists) -> Use(read).
-                    // If (!exists) -> create is Check -> Use.
-                    // But strict TOCTOU is checking state then acting.
-                    // If checking for negation
-                    if (condition.type === 'UnaryExpression' && condition.operator === '!') {
-                        condition = condition.argument;
-                    }
-                    if (condition.type === 'CallExpression') {
-                        // Check if it's a file check method
-                        let checkMethodName = '';
-                        if (condition.callee.type === 'MemberExpression' && condition.callee.property.type === 'Identifier') {
-                            checkMethodName = condition.callee.property.name;
-                        }
-                        else if (condition.callee.type === 'Identifier') {
-                            checkMethodName = condition.callee.name;
-                        }
-                        const checkMethods = ['existsSync', 'statSync', 'accessSync', 'exists', 'stat', 'access'];
-                        if (checkMethods.includes(checkMethodName)) {
-                            // Compare arguments
-                            const checkArg = condition.arguments[0];
-                            if (checkArg) {
-                                // Method 1: Identifier match (same variable)
-                                if (checkArg.type === 'Identifier' && useArg.type === 'Identifier' && checkArg.name === useArg.name) {
-                                    reportToctou(node);
-                                    return;
-                                }
-                                // Method 2: Text match (fallback)
-                                const checkArgText = sourceCode.getText(checkArg).replace(/\s/g, '');
-                                const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
-                                if (checkArgText === useArgText) {
-                                    reportToctou(node);
-                                    return;
-                                }
-                            }
-                        }
-                        // Handle stats.isFile() / stats.isDirectory() pattern
-                        if (condition.callee.type === 'MemberExpression' &&
-                            condition.callee.property.type === 'Identifier' &&
-                            ['isFile', 'isDirectory'].includes(condition.callee.property.name) &&
-                            condition.callee.object.type === 'Identifier') {
-                            const statsVarName = condition.callee.object.name;
-                            let currentScope = sourceCode.getScope(condition);
-                            let variable = null;
-                            while (currentScope) {
-                                variable = currentScope.variables.find(v => v.name === statsVarName);
-                                if (variable)
-                                    break;
-                                currentScope = currentScope.upper;
-                            }
-                            if (variable && variable.defs.length > 0) {
-                                const def = variable.defs[0];
-                                if (def.type === 'Variable' && def.node.init && def.node.init.type === 'CallExpression') {
-                                    const init = def.node.init;
-                                    if (init.callee.type === 'MemberExpression' &&
-                                        init.callee.property.type === 'Identifier' &&
-                                        ['statSync', 'lstatSync', 'stat', 'lstat'].includes(init.callee.property.name)) {
-                                        const statArg = init.arguments[0];
-                                        if (statArg) {
-                                            const checkArgText = sourceCode.getText(statArg).replace(/\s/g, '');
-                                            const useArgText = sourceCode.getText(useArg).replace(/\s/g, '');
-                                            if (checkArgText === useArgText) {
-                                                reportToctou(node);
-                                                return;
-                                            }
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-                current = current.parent;
-            }
-        }
-        function reportToctou(node) {
-            context.report({
-                node,
-                messageId: 'toctouVulnerability',
-                suggest: [
-                    {
-                        messageId: 'useAtomicOperations',
-                        fix: () => null,
-                    },
-                    {
-                        messageId: 'useFsPromises',
-                        fix: () => null,
-                    },
-                    {
-                        messageId: 'addProperLocking',
-                        fix: () => null,
-                    },
-                ],
-            });
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});

package/src/rules/no-tracking-without-consent/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noTrackingWithoutConsent: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-tracking-without-consent/index.js

@@ -1,72 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noTrackingWithoutConsent = void 0;
-/**
- * @fileoverview Require consent before tracking
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noTrackingWithoutConsent = (0, eslint_devkit_1.createRule)({
-    name: 'no-tracking-without-consent',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require consent before analytics tracking',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Tracking Without Consent',
-                cwe: 'CWE-359',
-                description: 'Analytics tracking without consent check - violates privacy regulations',
-                severity: 'MEDIUM',
-                fix: 'Wrap tracking calls in consent check: if (hasConsent) { analytics.track(...) }',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        function isInsideConsentCheck(node) {
-            let current = node.parent;
-            while (current) {
-                if (current.type === 'IfStatement') {
-                    return true;
-                }
-                if (current.type === 'ConditionalExpression') {
-                    return true;
-                }
-                current = current.parent;
-            }
-            return false;
-        }
-        return {
-            CallExpression(node) {
-                // Detect analytics.track() or similar
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.type === 'Identifier' &&
-                    node.callee.object.name === 'analytics' &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['track', 'identify', 'page'].includes(node.callee.property.name)) {
-                    if (!isInsideConsentCheck(node)) {
-                        report(node);
-                    }
-                }
-                // Google Analytics gtag
-                if (node.callee.type === 'Identifier' && node.callee.name === 'gtag') {
-                    if (!isInsideConsentCheck(node)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-unencrypted-transmission/index.d.ts

@@ -1,28 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-unencrypted-transmission
- * Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)
- * CWE-319: Cleartext Transmission of Sensitive Information
- *
- * @see https://cwe.mitre.org/data/definitions/319.html
- * @see https://owasp.org/www-community/vulnerabilities/Insecure_Transport
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'unencryptedTransmission' | 'useHttps';
-export interface Options {
-    /** Allow unencrypted transmission in test files. Default: false */
-    allowInTests?: boolean;
-    /** Insecure protocol patterns. Default: ['http://', 'ws://', 'ftp://', 'tcp://', 'mongodb://', 'redis://', 'mysql://'] */
-    insecureProtocols?: string[];
-    /** Secure protocol alternatives mapping. Default: { 'http://': 'https://', 'ws://': 'wss://', ... } */
-    secureAlternatives?: Record<string, string>;
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noUnencryptedTransmission: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};

package/src/rules/no-unencrypted-transmission/index.js

@@ -1,241 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnencryptedTransmission = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Default insecure protocol patterns
- */
-const DEFAULT_INSECURE_PROTOCOLS = [
-    'http://',
-    'ws://',
-    'ftp://',
-    'tcp://',
-    'mongodb://',
-    'redis://',
-    'mysql://',
-];
-/**
- * Secure protocol alternatives
- */
-const SECURE_ALTERNATIVES = {
-    'http://': 'https://',
-    'ws://': 'wss://',
-    'ftp://': 'ftps://',
-    'tcp://': 'tls://',
-    'mongodb://': 'mongodb+srv://',
-    'redis://': 'rediss://',
-    'mysql://': 'mysqls://',
-};
-/**
- * Check if a string contains insecure protocol
- */
-function containsInsecureProtocol(value, insecureProtocols, secureAlternatives) {
-    const lowerValue = value.toLowerCase();
-    for (const protocol of insecureProtocols) {
-        const lowerProtocol = protocol.toLowerCase();
-        // Check if the protocol appears in the value (as a URL scheme)
-        if (lowerValue.includes(lowerProtocol)) {
-            // Check if it's not already using the secure version
-            const secureAlternative = secureAlternatives[lowerProtocol];
-            if (secureAlternative) {
-                // Only report if secure version is not present
-                if (!lowerValue.includes(secureAlternative.toLowerCase())) {
-                    return { isInsecure: true, protocol };
-                }
-            }
-            else {
-                // No secure alternative defined, so it's insecure
-                return { isInsecure: true, protocol };
-            }
-        }
-    }
-    return { isInsecure: false, protocol: '' };
-}
-/**
- * Check if a string matches any ignore pattern
- */
-/* c8 ignore start -- ignore-pattern matching is defensive */
-function matchesIgnorePattern(text, patterns) {
-    return patterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            return false;
-        }
-    });
-}
-/* c8 ignore stop */
-exports.noUnencryptedTransmission = (0, eslint_devkit_2.createRule)({
-    name: 'no-unencrypted-transmission',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols)',
-        },
-        hasSuggestions: true,
-        messages: {
-            unencryptedTransmission: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unencrypted Transmission',
-                cwe: 'CWE-319',
-                description: 'Unencrypted transmission detected: {{issue}}',
-                severity: 'HIGH',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            }),
-            useHttps: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use HTTPS',
-                description: 'Use secure protocol',
-                severity: 'LOW',
-                fix: 'Replace http:// with https://',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow unencrypted transmission in test files',
-                    },
-                    insecureProtocols: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Insecure protocol patterns to detect',
-                    },
-                    secureAlternatives: {
-                        type: 'object',
-                        additionalProperties: { type: 'string' },
-                        default: {},
-                        description: 'Mapping of insecure protocols to their secure alternatives',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            insecureProtocols: [],
-            secureAlternatives: {},
-            ignorePatterns: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, insecureProtocols, secureAlternatives, ignorePatterns = [], } = options;
-        const protocolsToCheck = insecureProtocols && insecureProtocols.length > 0
-            ? insecureProtocols
-            : DEFAULT_INSECURE_PROTOCOLS;
-        // Merge user-provided secure alternatives with defaults
-        const secureAlternativesToUse = secureAlternatives && Object.keys(secureAlternatives).length > 0
-            ? { ...SECURE_ALTERNATIVES, ...secureAlternatives }
-            : SECURE_ALTERNATIVES;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        function checkLiteral(node) {
-            if (typeof node.value !== 'string') {
-                return;
-            }
-            const value = node.value;
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Skip test files (allow localhost in test files)
-            if (isTestFile) {
-                // Only allow localhost URLs in test files
-                if (text.includes('localhost')) {
-                    return;
-                }
-                // For other URLs in test files, still check them
-            }
-            const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
-            if (isInsecure) {
-                // Allow localhost URLs in test files
-                if (isTestFile && text.includes('localhost')) {
-                    return;
-                }
-                const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
-                const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
-                context.report({
-                    node,
-                    messageId: 'unencryptedTransmission',
-                    data: {
-                        issue: `using insecure protocol ${protocol}`,
-                        safeAlternative,
-                    },
-                    suggest: [
-                        {
-                            messageId: 'useHttps',
-                            data: {
-                                protocol,
-                                secureProtocol,
-                            },
-                            fix(fixer) {
-                                if (secureProtocol && secureProtocol !== 'secure protocol') {
-                                    // Replace the insecure protocol with secure one
-                                    const newValue = value.replace(new RegExp(protocol.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi'), secureProtocol);
-                                    return fixer.replaceText(node, JSON.stringify(newValue));
-                                }
-                                return null;
-                            },
-                        },
-                    ],
-                });
-            }
-        }
-        function checkTemplateLiteral(node) {
-            if (isTestFile) {
-                return;
-            }
-            const text = sourceCode.getText(node);
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Check each quasis (static parts) and expressions
-            for (const quasi of node.quasis) {
-                const value = quasi.value.raw;
-                const { isInsecure, protocol } = containsInsecureProtocol(value, protocolsToCheck, secureAlternativesToUse);
-                if (isInsecure) {
-                    const secureProtocol = secureAlternativesToUse[protocol.toLowerCase()] || 'secure protocol';
-                    const safeAlternative = `Use ${secureProtocol} instead of ${protocol}`;
-                    context.report({
-                        node: quasi,
-                        messageId: 'unencryptedTransmission',
-                        data: {
-                            issue: `using insecure protocol ${protocol} in template literal`,
-                            safeAlternative,
-                        },
-                        // Don't provide auto-fix for template literals (too risky - might break interpolation)
-                    });
-                }
-            }
-        }
-        return {
-            Literal: checkLiteral,
-            TemplateLiteral: checkTemplateLiteral,
-        };
-    },
-});

package/src/rules/no-unescaped-url-parameter/index.d.ts

@@ -1,26 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-unescaped-url-parameter
- * Detects unescaped URL parameters
- * CWE-79: Cross-site Scripting (XSS)
- *
- * @see https://cwe.mitre.org/data/definitions/79.html
- * @see https://owasp.org/www-community/attacks/xss/
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'unescapedUrlParameter' | 'useEncodeURIComponent' | 'useURLSearchParams';
-export interface Options {
-    /** Allow unescaped URL parameters in test files. Default: false */
-    allowInTests?: boolean;
-    /** Trusted URL construction libraries. Default: ['url', 'querystring'] */
-    trustedLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: [] */
-    ignorePatterns?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noUnescapedUrlParameter: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};