eslint-plugin-secure-coding 3.0.1 → 3.0.2

package/src/rules/no-unescaped-url-parameter/index.js

@@ -1,360 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnescapedUrlParameter = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if a node is inside a URL encoding function call
- */
-function isInsideEncodingCall(node, sourceCode, trustedLibraries) {
-    let current = node;
-    while (current) {
-        if (current.type === 'CallExpression') {
-            const callee = current.callee;
-            // Check for encodeURIComponent, encodeURI
-            if (callee.type === 'Identifier') {
-                const calleeName = callee.name;
-                if (['encodeURIComponent', 'encodeURI', 'escape'].includes(calleeName)) {
-                    return true;
-                }
-            }
-            // Check if it's a trusted library call
-            if (callee.type === 'MemberExpression') {
-                const object = callee.object;
-                if (object.type === 'Identifier') {
-                    const objectName = object.name.toLowerCase();
-                    if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
-                        return true;
-                    }
-                }
-            }
-        }
-        // Traverse up the AST
-        if ('parent' in current && current.parent) {
-            current = current.parent;
-        }
-        else {
-            break;
-        }
-    }
-    return false;
-}
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text, ignorePatterns) {
-    return ignorePatterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            return false;
-        }
-    });
-}
-/**
- * Check if a node is a URL construction pattern
- */
-function isUrlConstruction(node, sourceCode) {
-    let text = sourceCode.getText(node);
-    // For template literals, combine raw strings to improve pattern detection
-    if (node.type === 'TemplateLiteral') {
-        text = node.quasis.map(q => q.value.raw).join('');
-    }
-    // Check for URL construction patterns
-    const urlPatterns = [
-        /\bhttps?:\/\//, // HTTP/HTTPS URLs
-        /\bnew\s+URL\s*\(/,
-        /\burl\s*[=:]\s*/, // url = or url:
-        /\burl\s*\+/, // url +
-        /\bwindow\.location/,
-        /\blocation\.href/,
-        /\bwindow\.open\s*\(/,
-        /\?[^=]+=/, // Query parameters
-    ];
-    return urlPatterns.some(pattern => pattern.test(text));
-}
-exports.noUnescapedUrlParameter = (0, eslint_devkit_2.createRule)({
-    name: 'no-unescaped-url-parameter',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects unescaped URL parameters',
-        },
-        hasSuggestions: true,
-        messages: {
-            unescapedUrlParameter: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unescaped URL Parameter',
-                cwe: 'CWE-79',
-                description: 'Unescaped URL parameter detected: {{parameter}}',
-                severity: 'HIGH',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/79.html',
-            }),
-            useEncodeURIComponent: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use encodeURIComponent',
-                description: 'Use encodeURIComponent for URL params',
-                severity: 'LOW',
-                fix: '`https://example.com?q=${encodeURIComponent(param)}`',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent',
-            }),
-            useURLSearchParams: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use URLSearchParams',
-                description: 'Use URLSearchParams for safe URL construction',
-                severity: 'LOW',
-                fix: 'new URLSearchParams({ q: param }).toString()',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow unescaped URL parameters in test files',
-                    },
-                    trustedLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['url', 'querystring'],
-                        description: 'Trusted URL construction libraries',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            trustedLibraries: ['url', 'querystring'],
-            ignorePatterns: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, trustedLibraries = ['url', 'querystring'], ignorePatterns = [], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        function checkTemplateLiteral(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check if this is a URL construction
-            if (!isUrlConstruction(node, sourceCode)) {
-                return;
-            }
-            // Check each expression in the template
-            for (const expression of node.expressions) {
-                const text = sourceCode.getText(expression);
-                // Check if it matches any ignore pattern
-                if (matchesIgnorePattern(text, ignorePatterns)) {
-                    continue;
-                }
-                // Check if it's already encoded
-                if (isInsideEncodingCall(expression, sourceCode, trustedLibraries)) {
-                    continue;
-                }
-                // Check if it's a user input pattern
-                const userInputPatterns = [
-                    /\breq\.(query|params|body|headers|cookies)/,
-                    /\brequest\.(query|params|body)/,
-                    /\buserInput\b/i,
-                    /\binput\b/i,
-                    /\bsearchParams\b/,
-                    /\bparam\b/i, // Generic param variable
-                ];
-                // Check both the expression text and the full template literal
-                // This catches nested patterns like req.query.id
-                const fullText = sourceCode.getText(node);
-                const exprText = sourceCode.getText(expression);
-                const isUserInput = userInputPatterns.some(pattern => pattern.test(text)) ||
-                    userInputPatterns.some(pattern => pattern.test(fullText)) ||
-                    userInputPatterns.some(pattern => pattern.test(exprText)) ||
-                    // Also check for nested member expressions like req.query.id
-                    (expression.type === 'MemberExpression' &&
-                        userInputPatterns.some(pattern => {
-                            // Check the full expression including nested properties
-                            return pattern.test(exprText);
-                        }));
-                if (isUserInput) {
-                    context.report({
-                        node: expression,
-                        messageId: 'unescapedUrlParameter',
-                        data: {
-                            parameter: text,
-                            safeAlternative: `Use encodeURIComponent() or URLSearchParams: const url = \`https://example.com?q=\${encodeURIComponent(${text})}\`;`,
-                        },
-                        suggest: [
-                            {
-                                messageId: 'useEncodeURIComponent',
-                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                fix: (_fixer) => null,
-                            },
-                            {
-                                messageId: 'useURLSearchParams',
-                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                fix: (_fixer) => null,
-                            },
-                        ],
-                    });
-                }
-            }
-        }
-        function checkBinaryExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check for string concatenation in URL construction
-            if (node.operator === '+') {
-                if (!isUrlConstruction(node, sourceCode)) {
-                    return;
-                }
-                // Check right side (usually the parameter)
-                if (node.right.type !== 'Literal') {
-                    const rightText = sourceCode.getText(node.right);
-                    // Check if it matches any ignore pattern
-                    if (matchesIgnorePattern(rightText, ignorePatterns)) {
-                        return;
-                    }
-                    // Check if it's already encoded
-                    if (isInsideEncodingCall(node.right, sourceCode, trustedLibraries)) {
-                        return;
-                    }
-                    // Check if it's a user input pattern
-                    const userInputPatterns = [
-                        /\breq\.(query|params|body)/,
-                        /\brequest\.(query|params|body)/,
-                        /\buserInput\b/,
-                        /\binput\b/,
-                    ];
-                    const isUserInput = userInputPatterns.some(pattern => pattern.test(rightText));
-                    if (isUserInput) {
-                        context.report({
-                            node: node.right,
-                            messageId: 'unescapedUrlParameter',
-                            data: {
-                                parameter: rightText,
-                                safeAlternative: `Use encodeURIComponent(): ${sourceCode.getText(node.left)} + encodeURIComponent(${rightText})`,
-                            },
-                            suggest: [
-                                {
-                                    messageId: 'useEncodeURIComponent',
-                                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                    fix: (_fixer) => null,
-                                },
-                            ],
-                        });
-                    }
-                }
-            }
-        }
-        function isUserControlled(node, visited = new Set()) {
-            const text = sourceCode.getText(node);
-            const patterns = [
-                /\breq\.(query|params|body|headers|cookies)/,
-                /\brequest\.(query|params|body)/,
-                /\buserInput\b/i,
-                /\binput\b/i,
-                /\bsearchParams\b/,
-                /\bparam\b/i,
-                /\breturnUrl\b/i,
-                /\burl\b/i,
-                /\bredirect\b/i,
-                /\bnext\b/i,
-            ];
-            if (patterns.some(p => p.test(text)))
-                return true;
-            // Trace identifiers
-            if (node.type === 'Identifier') {
-                if (visited.has(node.name))
-                    return false;
-                visited.add(node.name);
-                const scope = sourceCode.getScope(node);
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any
-                const variable = scope.variables.find((v) => v.name === node.name);
-                if (variable && variable.defs.length > 0) {
-                    const def = variable.defs[0];
-                    if (def.type === 'Variable' && def.node.init) {
-                        const init = def.node.init;
-                        // Check if init is constructed from other user inputs
-                        if (isUserControlled(init, visited))
-                            return true;
-                        // Check if init is a TemplateLiteral containing user inputs in expressions
-                        if (init.type === 'TemplateLiteral') {
-                            return init.expressions.some(expr => isUserControlled(expr, visited));
-                        }
-                        // Check if init is BinaryExpression (concatenation)
-                        if (init.type === 'BinaryExpression') {
-                            return isUserControlled(init.left, visited) || isUserControlled(init.right, visited);
-                        }
-                    }
-                }
-            }
-            return false;
-        }
-        return {
-            TemplateLiteral: checkTemplateLiteral,
-            BinaryExpression: checkBinaryExpression,
-            AssignmentExpression(node) {
-                if (isTestFile)
-                    return;
-                // Check for window.location = ... or window.location.href = ...
-                const left = node.left;
-                let isLocationAssignment = false;
-                if (left.type === 'MemberExpression') {
-                    const objectName = left.object.type === 'Identifier' ? left.object.name :
-                        (left.object.type === 'MemberExpression' ? sourceCode.getText(left.object) : '');
-                    const propName = left.property.type === 'Identifier' ? left.property.name : '';
-                    if ((objectName === 'window' && propName === 'location') ||
-                        (propName === 'href' && objectName.includes('location'))) {
-                        isLocationAssignment = true;
-                    }
-                }
-                else if (left.type === 'Identifier' && left.name === 'location') {
-                    // In browser location = ... is valid
-                    isLocationAssignment = true;
-                }
-                if (isLocationAssignment) {
-                    const right = node.right;
-                    const rightText = sourceCode.getText(right);
-                    // Skip TemplateLiteral and BinaryExpression as they are covered by their own visitors
-                    if (right.type === 'TemplateLiteral' || right.type === 'BinaryExpression') {
-                        return;
-                    }
-                    if (matchesIgnorePattern(rightText, ignorePatterns))
-                        return;
-                    if (isInsideEncodingCall(right, sourceCode, trustedLibraries))
-                        return;
-                    if (isUserControlled(right)) {
-                        context.report({
-                            node: right,
-                            messageId: 'unescapedUrlParameter',
-                            data: {
-                                parameter: rightText,
-                                safeAlternative: 'Validate and encode URL before redirecting',
-                            }
-                        });
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/no-unsafe-dynamic-require/index.d.ts

@@ -1,17 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-unsafe-dynamic-require
- * Detects dynamic require() calls that could lead to code injection
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-export interface Options {
-    /** Allow dynamic import() expressions. Default: false (stricter) */
-    allowDynamicImport?: boolean;
-}
-type RuleOptions = [Options?];
-export declare const noUnsafeDynamicRequire: TSESLint.RuleModule<"unsafeDynamicRequire", RuleOptions, unknown, TSESLint.RuleListener>;
-export {};

package/src/rules/no-unsafe-dynamic-require/index.js

@@ -1,111 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnsafeDynamicRequire = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-exports.noUnsafeDynamicRequire = (0, eslint_devkit_2.createRule)({
-    name: 'no-unsafe-dynamic-require',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent unsafe dynamic require() calls that could enable code injection',
-        },
-        fixable: 'code',
-        hasSuggestions: false,
-        messages: {
-            unsafeDynamicRequire: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Dynamic require()',
-                cwe: 'CWE-95',
-                description: 'Dynamic require() detected',
-                severity: 'CRITICAL',
-                fix: 'Use allowlist: const ALLOWED = ["mod1", "mod2"]; if (!ALLOWED.includes(name)) throw Error("Not allowed")',
-                documentationLink: 'https://owasp.org/www-community/attacks/Code_Injection',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowDynamicImport: {
-                        type: 'boolean',
-                        default: false,
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowDynamicImport: false,
-        },
-    ],
-    create(context) {
-        /**
-         * Track variables that reference require
-         * Maps variable name to the node where it was assigned
-         */
-        const requireVariables = new Set();
-        /**
-         * Check if a node is a reference to require
-         */
-        const isRequireReference = (node) => {
-            if (node.type === 'Identifier' && node.name === 'require') {
-                return true;
-            }
-            if (node.type === 'Identifier' && requireVariables.has(node.name)) {
-                return true;
-            }
-            return false;
-        };
-        /**
-         * Check if argument is dynamic (not a literal)
-         */
-        const isDynamicArgument = (arg) => {
-            if (arg.type === 'Literal')
-                return false;
-            if (arg.type === 'TemplateLiteral' && arg.expressions.length === 0)
-                return false;
-            return true;
-        };
-        return {
-            VariableDeclarator(node) {
-                // Track when require is assigned to a variable
-                if (node.id.type === 'Identifier' && node.init) {
-                    if (node.init.type === 'Identifier' && node.init.name === 'require') {
-                        requireVariables.add(node.id.name);
-                    }
-                }
-            },
-            CallExpression(node) {
-                // Check for require() calls (direct or via variable)
-                if (node.callee.type !== 'Identifier') {
-                    return;
-                }
-                // Check if callee is require or a variable that references require
-                if (!isRequireReference(node.callee)) {
-                    return;
-                }
-                // Must have at least one argument
-                if (node.arguments.length === 0)
-                    return;
-                const firstArg = node.arguments[0];
-                if (firstArg.type === 'SpreadElement')
-                    return;
-                // Check if dynamic
-                if (!isDynamicArgument(firstArg))
-                    return;
-                context.report({
-                    node,
-                    messageId: 'unsafeDynamicRequire',
-                });
-            },
-        };
-    },
-});

package/src/rules/no-unvalidated-deeplinks/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noUnvalidatedDeeplinks: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-unvalidated-deeplinks/index.js

@@ -1,67 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnvalidatedDeeplinks = void 0;
-/**
- * @fileoverview Require validation of deep link URLs
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noUnvalidatedDeeplinks = (0, eslint_devkit_1.createRule)({
-    name: 'no-unvalidated-deeplinks',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require validation of deep link URLs',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unvalidated Deeplink',
-                cwe: 'CWE-939',
-                description: 'Deep link URL used without validation - potential open redirect',
-                severity: 'HIGH',
-                fix: 'Validate deep link URLs against a whitelist before navigation',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/939.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            CallExpression(node) {
-                // Detect Linking.openURL() with variable argument (React Native)
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.object.type === 'Identifier' &&
-                    node.callee.object.name === 'Linking' &&
-                    node.callee.property.type === 'Identifier' &&
-                    node.callee.property.name === 'openURL') {
-                    const urlArg = node.arguments[0];
-                    // Flag if URL is a variable/expression, not a literal
-                    if (urlArg && urlArg.type === 'Identifier') {
-                        report(node);
-                    }
-                    if (urlArg && urlArg.type === 'MemberExpression') {
-                        report(node);
-                    }
-                }
-                // Detect navigation.navigate with external URLs
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.property.type === 'Identifier' &&
-                    node.callee.property.name === 'navigate') {
-                    const urlArg = node.arguments[0];
-                    if (urlArg && urlArg.type === 'Identifier') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-unvalidated-user-input/index.d.ts

@@ -1,26 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-unvalidated-user-input
- * Detects unvalidated user input usage (req.body, req.query, etc.)
- * CWE-20: Improper Input Validation
- *
- * @see https://cwe.mitre.org/data/definitions/20.html
- * @see https://owasp.org/www-community/vulnerabilities/Improper_Input_Validation
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'unvalidatedInput' | 'useValidationLibrary' | 'useZod' | 'useJoi';
-export interface Options {
-    /** Allow unvalidated input in test files. Default: false */
-    allowInTests?: boolean;
-    /** Trusted validation libraries. Default: ['zod', 'joi', 'yup', 'class-validator'] */
-    trustedLibraries?: string[];
-    /** Additional safe patterns to ignore. Default: ['^safe', '^sanitized', '^validated', '^clean'] (prefix patterns) */
-    ignorePatterns?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noUnvalidatedUserInput: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};