eslint-plugin-secure-coding 3.0.1 → 3.0.3

package/src/rules/no-unvalidated-user-input/index.js

@@ -1,425 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noUnvalidatedUserInput = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Patterns that indicate unvalidated user input
- */
-const UNVALIDATED_INPUT_PATTERNS = [
-    // Express/Node.js patterns
-    { pattern: /\breq\.body\b/, name: 'req.body', context: 'Express request body' },
-    { pattern: /\breq\.query\b/, name: 'req.query', context: 'Express query parameters' },
-    { pattern: /\breq\.params\b/, name: 'req.params', context: 'Express route parameters' },
-    { pattern: /\breq\.headers\b/, name: 'req.headers', context: 'Express headers' },
-    { pattern: /\breq\.cookies\b/, name: 'req.cookies', context: 'Express cookies' },
-    // Fastify patterns
-    { pattern: /\brequest\.body\b/, name: 'request.body', context: 'Fastify request body' },
-    { pattern: /\brequest\.query\b/, name: 'request.query', context: 'Fastify query parameters' },
-    { pattern: /\brequest\.params\b/, name: 'request.params', context: 'Fastify route parameters' },
-    // Next.js patterns
-    { pattern: /\bsearchParams\b/, name: 'searchParams', context: 'Next.js search params' },
-    // Generic patterns - ONLY flag clearly user-related patterns
-    // Removed 'input' as it's too generic and causes many false positives
-    { pattern: /\buserInput\b/, name: 'userInput', context: 'Generic user input' },
-    { pattern: /\bunsafeInput\b/, name: 'unsafeInput', context: 'Explicitly unsafe input' },
-    { pattern: /\brawInput\b/, name: 'rawInput', context: 'Raw/unprocessed input' },
-];
-/**
- * Check if a node is inside a validation function call
- */
-function isInsideValidationCall(node, sourceCode, trustedLibraries) {
-    let current = node;
-    while (current) {
-        // Check if current is an argument to a CallExpression
-        if (current.parent && current.parent.type === 'CallExpression') {
-            const callExpr = current.parent;
-            // Verify that current is actually an argument of this call
-            const isArgument = callExpr.arguments.some((arg) => arg === current);
-            if (!isArgument) {
-                // Not an argument, continue traversing
-                if ('parent' in current && current.parent) {
-                    current = current.parent;
-                    continue;
-                }
-                else {
-                    break;
-                }
-            }
-            const callee = callExpr.callee;
-            // Check if it's a validation library call (e.g., schema.parse(), schema.validate())
-            if (callee.type === 'MemberExpression') {
-                const property = callee.property;
-                if (property.type === 'Identifier') {
-                    const methodName = property.name.toLowerCase();
-                    // Check for validation methods (including async variants)
-                    // Note: safeParse is one word, not two
-                    if (['parse', 'validate', 'safeparse', 'parseasync', 'validateasync', 'safe_parse'].includes(methodName)) {
-                        return true;
-                    }
-                }
-                // Check if the object is a validation library
-                const object = callee.object;
-                if (object.type === 'Identifier') {
-                    const objectName = object.name.toLowerCase();
-                    if (trustedLibraries.some(lib => objectName.includes(lib.toLowerCase()))) {
-                        return true;
-                    }
-                }
-            }
-            // Check if it's a direct validation function call (e.g., validate(), plainToClass())
-            if (callee.type === 'Identifier') {
-                const calleeName = callee.name.toLowerCase();
-                if (['validate', 'plaintoclass', 'transform'].includes(calleeName)) {
-                    return true;
-                }
-                if (trustedLibraries.some(lib => calleeName.includes(lib.toLowerCase()))) {
-                    return true;
-                }
-            }
-        }
-        // Traverse up the AST
-        if ('parent' in current && current.parent) {
-            current = current.parent;
-        }
-        else {
-            break;
-        }
-    }
-    return false;
-}
-/**
- * Check if a string matches any ignore pattern
- */
-function matchesIgnorePattern(text, ignorePatterns) {
-    return ignorePatterns.some(pattern => {
-        try {
-            const regex = new RegExp(pattern, 'i');
-            return regex.test(text);
-        }
-        catch {
-            // Invalid regex - treat as literal string match
-            return text.toLowerCase().includes(pattern.toLowerCase());
-        }
-    });
-}
-exports.noUnvalidatedUserInput = (0, eslint_devkit_2.createRule)({
-    name: 'no-unvalidated-user-input',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects unvalidated user input usage (req.body, req.query, etc.)',
-        },
-        hasSuggestions: true,
-        messages: {
-            unvalidatedInput: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Unvalidated User Input',
-                cwe: 'CWE-20',
-                description: 'Unvalidated user input detected: {{inputSource}}',
-                severity: 'HIGH',
-                fix: 'Use validation library: {{validationExample}}',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/20.html',
-            }),
-            useValidationLibrary: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Validation Library',
-                description: 'Use validation library',
-                severity: 'LOW',
-                fix: 'Use Zod, Joi, Yup, or class-validator',
-                documentationLink: 'https://zod.dev/',
-            }),
-            useZod: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Zod',
-                description: 'Use Zod for validation',
-                severity: 'LOW',
-                fix: 'const data = z.object({ name: z.string() }).parse(req.body)',
-                documentationLink: 'https://zod.dev/',
-            }),
-            useJoi: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Joi',
-                description: 'Use Joi for validation',
-                severity: 'LOW',
-                fix: 'Joi.object({ name: Joi.string() }).validate(req.body)',
-                documentationLink: 'https://joi.dev/',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow unvalidated input in test files',
-                    },
-                    trustedLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['zod', 'joi', 'yup', 'class-validator'],
-                        description: 'Trusted validation libraries',
-                    },
-                    ignorePatterns: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional safe patterns to ignore',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            trustedLibraries: ['zod', 'joi', 'yup', 'class-validator'],
-            ignorePatterns: ['^safe', '^sanitized', '^validated', '^clean'],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, trustedLibraries = ['zod', 'joi', 'yup', 'class-validator'], ignorePatterns = ['^safe', '^sanitized', '^validated', '^clean'], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        const sourceCode = context.sourceCode || context.sourceCode;
-        function checkMemberExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            const text = sourceCode.getText(node);
-            // Check if the variable name (if in assignment) matches ignore pattern
-            // For cases like: const safeInput = req.body;
-            if (node.parent && node.parent.type === 'VariableDeclarator' && node.parent.id.type === 'Identifier') {
-                const varName = node.parent.id.name;
-                if (matchesIgnorePattern(varName, ignorePatterns)) {
-                    return;
-                }
-            }
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Check if it matches unvalidated input patterns
-            // For nested member expressions like req.body.name, check the base (req.body)
-            let baseText = text;
-            if (node.object.type === 'MemberExpression') {
-                baseText = sourceCode.getText(node.object);
-            }
-            const matchedPattern = UNVALIDATED_INPUT_PATTERNS.find(p => p.pattern.test(text) || p.pattern.test(baseText));
-            if (matchedPattern) {
-                // Skip if this is a nested member expression and the parent also matches
-                // This prevents double reporting for cases like req.query.id
-                // We only want to report on the outermost matching expression
-                if (node.object.type === 'MemberExpression') {
-                    const parentText = sourceCode.getText(node.object);
-                    const parentMatches = UNVALIDATED_INPUT_PATTERNS.some(p => p.pattern.test(parentText));
-                    if (parentMatches) {
-                        // Parent also matches, skip this nested one - it will be reported when we visit the parent
-                        return;
-                    }
-                }
-                // Skip if this is in a destructuring assignment - checkObjectPattern will handle it
-                // This prevents double reporting for cases like: const { email } = req.body;
-                if (node.parent && node.parent.type === 'VariableDeclarator' && node.parent.id.type === 'ObjectPattern') {
-                    return; // checkObjectPattern will report on the init instead
-                }
-                // Check if it's inside a validation call
-                if (isInsideValidationCall(node, sourceCode, trustedLibraries)) {
-                    return;
-                }
-                // Determine validation example based on context
-                let validationExample = 'const schema = z.object({ field: z.string() }); const data = schema.parse(req.body);';
-                if (text.includes('query')) {
-                    validationExample = 'const schema = z.object({ id: z.string() }); const data = schema.parse(req.query);';
-                }
-                else if (text.includes('params')) {
-                    validationExample = 'const schema = z.object({ id: z.string() }); const data = schema.parse(req.params);';
-                }
-                // Build suggestions - provide same code as output for test framework recognition
-                const suggestions = [
-                    {
-                        messageId: 'useZod',
-                        // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                        fix: (_fixer) => {
-                            // This is a suggestion, not an auto-fix, so we return null
-                            return null;
-                        },
-                    },
-                    {
-                        messageId: 'useJoi',
-                        // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                        fix: (_fixer) => {
-                            return null;
-                        },
-                    },
-                ];
-                context.report({
-                    node,
-                    messageId: 'unvalidatedInput',
-                    data: {
-                        inputSource: matchedPattern.name,
-                        validationExample,
-                    },
-                    suggest: suggestions,
-                });
-            }
-        }
-        function checkIdentifier(node) {
-            if (isTestFile) {
-                return;
-            }
-            const text = node.name;
-            // Check if it matches any ignore pattern
-            if (matchesIgnorePattern(text, ignorePatterns)) {
-                return;
-            }
-            // Skip if this identifier is assigned from a user input source (MemberExpression)
-            // For cases like: const userInput = req.body;
-            // We should only report on req.body, not on userInput
-            // But don't skip if the init is the same identifier (e.g., const data = input;)
-            if (node.parent && node.parent.type === 'VariableDeclarator' && node.parent.init) {
-                const init = node.parent.init;
-                // Only skip if init is a MemberExpression (like req.body) that will be caught by checkMemberExpression
-                // Don't skip if init is the same identifier (like input) - we want to report on it
-                if (init.type === 'MemberExpression') {
-                    const initText = sourceCode.getText(init);
-                    // Check if init matches any user input pattern
-                    const initMatchesPattern = UNVALIDATED_INPUT_PATTERNS.some(p => p.pattern.test(initText));
-                    if (initMatchesPattern) {
-                        return; // Skip - the init (e.g., req.body) will be reported by checkMemberExpression
-                    }
-                }
-            }
-            // Check for generic input patterns (userInput, unsafeInput, rawInput)
-            const genericInputPatternNames = ['userInput', 'unsafeInput', 'rawInput'];
-            const matchedPattern = UNVALIDATED_INPUT_PATTERNS.find(p => genericInputPatternNames.includes(p.name) && p.pattern.test(text));
-            if (matchedPattern) {
-                // Check if it's inside a validation call
-                if (isInsideValidationCall(node, sourceCode, trustedLibraries)) {
-                    return;
-                }
-                context.report({
-                    node,
-                    messageId: 'unvalidatedInput',
-                    data: {
-                        inputSource: matchedPattern.name,
-                        validationExample: 'const schema = z.object({ field: z.string() }); const data = schema.parse(input);',
-                    },
-                    suggest: [
-                        {
-                            messageId: 'useZod',
-                            // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                            fix: (_fixer) => null,
-                        },
-                        {
-                            messageId: 'useJoi',
-                            // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                            fix: (_fixer) => null,
-                        },
-                    ],
-                });
-            }
-        }
-        function checkObjectPattern(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check destructuring patterns like: const { page, limit } = req.query;
-            if (node.parent && node.parent.type === eslint_devkit_1.AST_NODE_TYPES.VariableDeclarator && node.parent.init) {
-                const init = node.parent.init;
-                const initText = sourceCode.getText(init);
-                // If init is a CallExpression, check if it's a validation call
-                // If so, the input is being validated, so skip
-                if (init.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                    const callee = init.callee;
-                    if (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression && callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                        const methodName = callee.property.name.toLowerCase();
-                        if (['parse', 'validate', 'safeparse', 'parseasync', 'validateasync', 'safe_parse'].includes(methodName)) {
-                            return; // It's a validation call, skip
-                        }
-                    }
-                    if (callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                        const calleeName = callee.name.toLowerCase();
-                        if (['validate', 'plaintoclass', 'transform'].includes(calleeName)) {
-                            return; // It's a validation call, skip
-                        }
-                    }
-                }
-                // Check if the right side matches unvalidated input patterns
-                const matchedPattern = UNVALIDATED_INPUT_PATTERNS.find(p => p.pattern.test(initText));
-                if (matchedPattern) {
-                    // For CallExpressions, check the arguments to see if they're validated
-                    // The init itself being a validation call was already checked above
-                    if (init.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression) {
-                        // Check each argument to see if it's validated
-                        // If init is a validation call (like schema.validate(req.body)),
-                        // then req.body is validated, so skip
-                        const callee = init.callee;
-                        const isValidationCall = (callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression && callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                            ['parse', 'validate', 'safeparse', 'parseasync', 'validateasync', 'safe_parse'].includes(callee.property.name.toLowerCase())) ||
-                            (callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                                ['validate', 'plaintoclass', 'transform'].includes(callee.name.toLowerCase()));
-                        if (isValidationCall) {
-                            return; // The init is a validation call, so the input is validated
-                        }
-                        // If init is not a validation call, check if arguments are validated
-                        const hasValidatedArg = init.arguments.some((arg) => {
-                            if (arg.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression || arg.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                                return isInsideValidationCall(arg, sourceCode, trustedLibraries);
-                            }
-                            return false;
-                        });
-                        if (hasValidatedArg) {
-                            return; // At least one argument is validated
-                        }
-                    }
-                    else {
-                        // For non-call expressions, check if init itself is inside a validation call
-                        if (isInsideValidationCall(init, sourceCode, trustedLibraries)) {
-                            return;
-                        }
-                    }
-                    // Check if variable name matches ignore pattern
-                    if (node.parent.id.type === eslint_devkit_1.AST_NODE_TYPES.ObjectPattern) {
-                        const varText = sourceCode.getText(node.parent.id);
-                        if (matchesIgnorePattern(varText, ignorePatterns)) {
-                            return;
-                        }
-                    }
-                    context.report({
-                        node: init,
-                        messageId: 'unvalidatedInput',
-                        data: {
-                            inputSource: matchedPattern.name,
-                            validationExample: 'const schema = z.object({ page: z.string(), limit: z.string() }); const { page, limit } = schema.parse(req.query);',
-                        },
-                        suggest: [
-                            {
-                                messageId: 'useZod',
-                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                fix: (_fixer) => null,
-                            },
-                            {
-                                messageId: 'useJoi',
-                                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                                fix: (_fixer) => null,
-                            },
-                        ],
-                    });
-                }
-            }
-        }
-        return {
-            MemberExpression: checkMemberExpression,
-            Identifier: checkIdentifier,
-            ObjectPattern: checkObjectPattern,
-        };
-    },
-});

package/src/rules/no-verbose-error-messages/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noVerboseErrorMessages: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-verbose-error-messages/index.js

@@ -1,73 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noVerboseErrorMessages = void 0;
-/**
- * @fileoverview Prevent exposing stack traces to users
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/209.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noVerboseErrorMessages = (0, eslint_devkit_1.createRule)({
-    name: 'no-verbose-error-messages',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent exposing stack traces to users',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-209',
-                description: 'Prevent exposing stack traces to users detected - this is a security risk',
-                severity: 'MEDIUM',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/209.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            CallExpression(node) {
-                // Check res.send/res.json with error.stack
-                if (node.type === eslint_devkit_1.AST_NODE_TYPES.CallExpression &&
-                    node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    ['send', 'json'].includes(node.callee.property.name)) {
-                    const arg = node.arguments[0];
-                    // Check for error.stack or err.stack
-                    if (arg?.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                        arg.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                        arg.property.name === 'stack') {
-                        report(node);
-                    }
-                    // Check for { stack: error.stack } in object
-                    if (arg?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
-                        const stackProp = arg.properties.find(p => p.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
-                            p.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                            (p.key.name === 'stack' ||
-                                (p.value.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                                    p.value.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                                    p.value.property.name === 'stack')));
-                        if (stackProp) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-zip-slip/index.d.ts

@@ -1,33 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-zip-slip
- * Detects zip slip/archive extraction vulnerabilities (CWE-22)
- *
- * Zip slip vulnerabilities occur when extracting archives without properly
- * validating file paths, allowing attackers to write files outside the
- * intended extraction directory using path traversal sequences like "../".
- *
- * False Positive Reduction:
- * This rule uses security utilities to reduce false positives by detecting:
- * - Safe archive extraction patterns
- * - Path validation functions
- * - JSDoc annotations (@safe, @validated)
- * - Trusted extraction libraries
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'zipSlipVulnerability' | 'unsafeArchiveExtraction' | 'pathTraversalInArchive' | 'unvalidatedArchivePath' | 'dangerousArchiveDestination' | 'useSafeArchiveExtraction' | 'validateArchivePaths' | 'sanitizeArchiveNames' | 'strategyPathValidation' | 'strategySafeLibraries' | 'strategySandboxing';
-export interface Options {
-    /** Archive extraction functions to check */
-    archiveFunctions?: string[];
-    /** Functions that safely validate archive paths */
-    pathValidationFunctions?: string[];
-    /** Safe archive extraction libraries */
-    safeLibraries?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noZipSlip: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};