eslint-plugin-secure-coding 3.0.1 → 3.0.3

package/src/rules/no-sensitive-data-exposure/index.js

@@ -9,11 +9,23 @@ exports.noSensitiveDataExposure = void 0;
 const eslint_devkit_1 = require("@interlace/eslint-devkit");
 const eslint_devkit_2 = require("@interlace/eslint-devkit");
 /**
- * Check if string contains sensitive data patterns
+ * Check if string contains sensitive data patterns.
+ * Handles camelCase (secretKey), snake_case (secret_key), and plain text.
  */
 function containsSensitiveData(text, patterns) {
-    const lowerText = text.toLowerCase();
-    return patterns.some(pattern => lowerText.includes(pattern.toLowerCase()));
+    // Normalize camelCase → space separated for matching (secretKey → secret key)
+    const normalized = text
+        .replace(/([a-z])([A-Z])/g, '$1 $2')
+        .toLowerCase();
+    for (const pattern of patterns) {
+        const escaped = pattern.toLowerCase().replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        // Allow spaces or underscores as word separators (e.g. 'credit card' matches 'credit_card')
+        const flexPattern = escaped.replace(/[_ ]/g, '[_ ]');
+        if (new RegExp(`\\b${flexPattern}\\b`, 'i').test(normalized)) {
+            return pattern;
+        }
+    }
+    return null;
 }
 exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
     name: 'no-sensitive-data-exposure',
@@ -65,7 +77,7 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                     sensitivePatterns: {
                         type: 'array',
                         items: { type: 'string' },
-                        default: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+                        default: ['password', 'passwd', 'secret', 'token', 'access_token', 'auth_token', 'ssn', 'credit_card', 'creditcard', 'api_key', 'apikey', 'secret_key', 'private_key', 'encryption_key'],
                         description: 'Sensitive data patterns',
                     },
                     checkConsoleLog: {
@@ -90,14 +102,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
     },
     defaultOptions: [
         {
-            sensitivePatterns: ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'],
+            sensitivePatterns: ['password', 'passwd', 'secret', 'token', 'access_token', 'auth_token', 'ssn', 'credit_card', 'creditcard', 'api_key', 'apikey', 'secret_key', 'private_key', 'encryption_key'],
             checkConsoleLog: true,
             checkErrorMessages: true,
             checkApiResponses: true,
         },
     ],
     create(context, [options = {}]) {
-        const { sensitivePatterns = ['password', 'secret', 'token', 'key', 'ssn', 'credit', 'card', 'api_key', 'apikey'], checkConsoleLog = true, checkErrorMessages = true, } = options || {};
+        const { sensitivePatterns = ['password', 'passwd', 'secret', 'token', 'access_token', 'auth_token', 'ssn', 'credit_card', 'creditcard', 'api_key', 'apikey', 'secret_key', 'private_key', 'encryption_key'], checkConsoleLog = true, checkErrorMessages = true, } = options || {};
         /**
          * Check CallExpression for logging calls with sensitive data
          */
@@ -134,13 +146,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                 for (const arg of node.arguments) {
                     if (arg.type === 'Literal' && typeof arg.value === 'string') {
                         const text = arg.value;
-                        if (containsSensitiveData(text, sensitivePatterns)) {
+                        const matchedPattern = containsSensitiveData(text, sensitivePatterns);
+                        if (matchedPattern) {
                             context.report({
                                 node: arg,
                                 messageId: 'sensitiveDataExposure',
                                 data: {
                                     context: 'logs',
-                                    dataType: 'password',
+                                    dataType: matchedPattern,
                                 },
                                 suggest: [
                                     { messageId: 'redactData', fix: () => null },
@@ -152,14 +165,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                         }
                     }
                     else if (arg.type === 'Identifier' && arg.name) {
-                        const name = arg.name.toLowerCase();
-                        if (containsSensitiveData(name, sensitivePatterns)) {
+                        const matchedPattern2 = containsSensitiveData(arg.name, sensitivePatterns);
+                        if (matchedPattern2) {
                             context.report({
                                 node: arg,
                                 messageId: 'sensitiveDataExposure',
                                 data: {
                                     context: 'logs',
-                                    dataType: 'password',
+                                    dataType: matchedPattern2,
                                 },
                                 suggest: [
                                     { messageId: 'redactData', fix: () => null },
@@ -185,13 +198,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                 for (const arg of node.arguments) {
                     if (arg.type === 'Literal' && typeof arg.value === 'string') {
                         const text = arg.value;
-                        if (containsSensitiveData(text, sensitivePatterns)) {
+                        const matchedErrPattern = containsSensitiveData(text, sensitivePatterns);
+                        if (matchedErrPattern) {
                             context.report({
                                 node: arg,
                                 messageId: 'sensitiveDataExposure',
                                 data: {
                                     context: 'error messages',
-                                    dataType: 'password',
+                                    dataType: matchedErrPattern,
                                 },
                                 suggest: [
                                     { messageId: 'redactData', fix: () => null },
@@ -206,13 +220,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                         // Check left side if it's a literal
                         if (arg.left && arg.left.type === 'Literal' && typeof arg.left.value === 'string') {
                             const leftText = arg.left.value;
-                            if (containsSensitiveData(leftText, sensitivePatterns)) {
+                            const leftMatchedPattern = containsSensitiveData(leftText, sensitivePatterns);
+                            if (leftMatchedPattern) {
                                 context.report({
                                     node: arg.left,
                                     messageId: 'sensitiveDataExposure',
                                     data: {
                                         context: 'error messages',
-                                        dataType: 'password',
+                                        dataType: leftMatchedPattern,
                                     },
                                     suggest: [
                                         { messageId: 'redactData', fix: () => null },
@@ -225,14 +240,14 @@ exports.noSensitiveDataExposure = (0, eslint_devkit_2.createRule)({
                         }
                         // Check right side if it's an identifier
                         if (arg.right && arg.right.type === 'Identifier' && arg.right.name) {
-                            const rightName = arg.right.name.toLowerCase();
-                            if (containsSensitiveData(rightName, sensitivePatterns)) {
+                            const rightMatchedPattern = containsSensitiveData(arg.right.name, sensitivePatterns);
+                            if (rightMatchedPattern) {
                                 context.report({
                                     node: arg.right,
                                     messageId: 'sensitiveDataExposure',
                                     data: {
                                         context: 'error messages',
-                                        dataType: 'password',
+                                        dataType: rightMatchedPattern,
                                     },
                                     suggest: [
                                         { messageId: 'redactData', fix: () => null },

package/src/rules/no-unchecked-loop-condition/index.d.ts

@@ -32,5 +32,7 @@ export interface Options extends SecurityRuleOptions {
     maxRecursionDepth?: number;
 }
 type RuleOptions = [Options?];
-export declare const noUncheckedLoopCondition: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noUncheckedLoopCondition: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-unlimited-resource-allocation/index.d.ts

@@ -32,5 +32,7 @@ export interface Options extends SecurityRuleOptions {
     requireResourceValidation?: boolean;
 }
 type RuleOptions = [Options?];
-export declare const noUnlimitedResourceAllocation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noUnlimitedResourceAllocation: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-unsafe-deserialization/index.d.ts

@@ -34,5 +34,7 @@ export interface Options extends SecurityRuleOptions {
     validationFunctions?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noUnsafeDeserialization: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noUnsafeDeserialization: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-unsafe-regex-construction/index.d.ts

@@ -24,5 +24,7 @@ export interface Options {
     maxPatternLength?: number;
 }
 type RuleOptions = [Options?];
-export declare const noUnsafeRegexConstruction: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noUnsafeRegexConstruction: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-weak-password-recovery/index.d.ts

@@ -32,5 +32,7 @@ export interface Options extends SecurityRuleOptions {
     secureTokenFunctions?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noWeakPasswordRecovery: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noWeakPasswordRecovery: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-xpath-injection/index.d.ts

@@ -33,5 +33,7 @@ export interface Options extends SecurityRuleOptions {
     xpathValidationFunctions?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noXpathInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noXpathInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/no-xpath-injection/index.js

@@ -355,8 +355,32 @@ exports.noXpathInjection = (0, eslint_devkit_1.createRule)({
             // Check template literals for XPath expressions
             TemplateLiteral(node) {
                 const fullText = sourceCode.getText(node);
-                // Check if this looks like an XPath expression
-                if (!fullText.includes('/') && !fullText.includes('[') && !fullText.includes('@')) {
+                // Skip common non-XPath patterns
+                // URLs and API endpoints
+                if (/https?:\/\//.test(fullText) || /^[`'"]\s*\/api\//.test(fullText)) {
+                    return;
+                }
+                // File paths (start with / or contain common path patterns)
+                if (/^[`'"]\s*\/home\//.test(fullText) || /^[`'"]\s*\/usr\//.test(fullText) || /^[`'"]\s*\/tmp\//.test(fullText)) {
+                    return;
+                }
+                // CSS selectors  
+                if (/\[data-[\w-]+/.test(fullText) || /\[class=/.test(fullText) || /\[id=/.test(fullText)) {
+                    return;
+                }
+                // Search/query strings
+                if (/\?.*=/.test(fullText) && !/\[@/.test(fullText)) {
+                    return;
+                }
+                // Check if this looks like an ACTUAL XPath expression
+                // Must have XPath-specific syntax, not just forward slashes
+                const hasXpathSyntax = /\/\/\w+/.test(fullText) || // //element
+                    /\[@\w+/.test(fullText) || // [@attr
+                    /\[contains\(/.test(fullText) || // [contains(
+                    /\[text\(\)/.test(fullText) || // [text()
+                    /\/child::/.test(fullText) || // /child::
+                    /\/descendant::/.test(fullText); // /descendant::
+                if (!hasXpathSyntax) {
                     return;
                 }
                 // Check for interpolation in XPath-like expressions

package/src/rules/no-xxe-injection/index.d.ts

@@ -30,5 +30,7 @@ export interface Options {
     xmlValidationFunctions?: string[];
 }
 type RuleOptions = [Options?];
-export declare const noXxeInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
+export declare const noXxeInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/require-backend-authorization/index.d.ts

@@ -6,5 +6,7 @@
 export interface Options {
 }
 type RuleOptions = [Options?];
-export declare const requireBackendAuthorization: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export declare const requireBackendAuthorization: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
 export {};

package/src/rules/require-secure-defaults/index.d.ts

@@ -6,5 +6,7 @@
 export interface Options {
 }
 type RuleOptions = [Options?];
-export declare const requireSecureDefaults: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
+export declare const requireSecureDefaults: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener> & {
+    name: string;
+};
 export {};

package/src/types/index.d.ts

@@ -7,28 +7,13 @@
  * eslint-plugin-secure-coding Type Exports
  *
  * Barrel file that exports all security rule Options types with consistent naming.
- *
- * Usage:
- * ```typescript
- * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
- *
- * const config: NoHardcodedCredentialsOptions = {
- *   ignorePatterns: ['test/*'],
- * };
- * ```
  */
-import type { Options as DetectEvalWithExpressionOptions } from '../rules/detect-eval-with-expression';
-import type { Options as DetectChildProcessOptions } from '../rules/detect-child-process';
-import type { Options as NoUnsafeDynamicRequireOptions } from '../rules/no-unsafe-dynamic-require';
 import type { Options as NoGraphqlInjectionOptions } from '../rules/no-graphql-injection';
 import type { Options as NoXxeInjectionOptions } from '../rules/no-xxe-injection';
 import type { Options as NoXpathInjectionOptions } from '../rules/no-xpath-injection';
 import type { Options as NoLdapInjectionOptions } from '../rules/no-ldap-injection';
 import type { Options as NoDirectiveInjectionOptions } from '../rules/no-directive-injection';
 import type { Options as NoFormatStringInjectionOptions } from '../rules/no-format-string-injection';
-import type { Options as DetectNonLiteralFsFilenameOptions } from '../rules/detect-non-literal-fs-filename';
-import type { Options as NoZipSlipOptions } from '../rules/no-zip-slip';
-import type { Options as NoToctouVulnerabilityOptions } from '../rules/no-toctou-vulnerability';
 import type { Options as DetectNonLiteralRegexpOptions } from '../rules/detect-non-literal-regexp';
 import type { Options as NoRedosVulnerableRegexOptions } from '../rules/no-redos-vulnerable-regex';
 import type { Options as NoUnsafeRegexConstructionOptions } from '../rules/no-unsafe-regex-construction';
@@ -36,52 +21,28 @@ import type { Options as DetectObjectInjectionOptions } from '../rules/detect-ob
 import type { Options as NoUnsafeDeserializationOptions } from '../rules/no-unsafe-deserialization';
 import type { Options as NoHardcodedCredentialsOptions } from '../rules/no-hardcoded-credentials';
 import type { Options as NoInsecureComparisonOptions } from '../rules/no-insecure-comparison';
-import type { Options as NoUnvalidatedUserInputOptions } from '../rules/no-unvalidated-user-input';
-import type { Options as NoUnescapedUrlParameterOptions } from '../rules/no-unescaped-url-parameter';
 import type { Options as NoImproperSanitizationOptions } from '../rules/no-improper-sanitization';
 import type { Options as NoImproperTypeValidationOptions } from '../rules/no-improper-type-validation';
 import type { Options as NoMissingAuthenticationOptions } from '../rules/no-missing-authentication';
 import type { Options as NoPrivilegeEscalationOptions } from '../rules/no-privilege-escalation';
 import type { Options as NoWeakPasswordRecoveryOptions } from '../rules/no-weak-password-recovery';
-import type { Options as NoMissingCsrfProtectionOptions } from '../rules/no-missing-csrf-protection';
-import type { Options as NoMissingCorsCheckOptions } from '../rules/no-missing-cors-check';
-import type { Options as NoMissingSecurityHeadersOptions } from '../rules/no-missing-security-headers';
-import type { Options as NoInsecureRedirectsOptions } from '../rules/no-insecure-redirects';
-import type { Options as NoUnencryptedTransmissionOptions } from '../rules/no-unencrypted-transmission';
-import type { Options as NoClickjackingOptions } from '../rules/no-clickjacking';
-import type { Options as NoExposedSensitiveDataOptions } from '../rules/no-exposed-sensitive-data';
+import type { Options as RequireBackendAuthorizationOptions } from '../rules/require-backend-authorization';
 import type { Options as NoSensitiveDataExposureOptions } from '../rules/no-sensitive-data-exposure';
-import type { Options as NoBufferOverreadOptions } from '../rules/no-buffer-overread';
+import type { Options as NoPiiInLogsOptions } from '../rules/no-pii-in-logs';
 import type { Options as NoUnlimitedResourceAllocationOptions } from '../rules/no-unlimited-resource-allocation';
 import type { Options as NoUncheckedLoopConditionOptions } from '../rules/no-unchecked-loop-condition';
 import type { Options as NoElectronSecurityIssuesOptions } from '../rules/no-electron-security-issues';
-export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
+export type { NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoPiiInLogsOptions, RequireBackendAuthorizationOptions, NoSensitiveDataExposureOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
 /**
  * Combined type for all security rule options
- * Useful for creating unified configuration objects
- *
- * @example
- * ```typescript
- * const config: AllSecurityRulesOptions = {
- *   'no-hardcoded-credentials': {
- *     ignorePatterns: ['test/*'],
- *   },
- * };
- * ```
  */
 export type AllSecurityRulesOptions = {
-    'detect-eval-with-expression'?: DetectEvalWithExpressionOptions;
-    'detect-child-process'?: DetectChildProcessOptions;
-    'no-unsafe-dynamic-require'?: NoUnsafeDynamicRequireOptions;
     'no-graphql-injection'?: NoGraphqlInjectionOptions;
     'no-xxe-injection'?: NoXxeInjectionOptions;
     'no-xpath-injection'?: NoXpathInjectionOptions;
     'no-ldap-injection'?: NoLdapInjectionOptions;
     'no-directive-injection'?: NoDirectiveInjectionOptions;
     'no-format-string-injection'?: NoFormatStringInjectionOptions;
-    'detect-non-literal-fs-filename'?: DetectNonLiteralFsFilenameOptions;
-    'no-zip-slip'?: NoZipSlipOptions;
-    'no-toctou-vulnerability'?: NoToctouVulnerabilityOptions;
     'detect-non-literal-regexp'?: DetectNonLiteralRegexpOptions;
     'no-redos-vulnerable-regex'?: NoRedosVulnerableRegexOptions;
     'no-unsafe-regex-construction'?: NoUnsafeRegexConstructionOptions;
@@ -89,22 +50,14 @@ export type AllSecurityRulesOptions = {
     'no-unsafe-deserialization'?: NoUnsafeDeserializationOptions;
     'no-hardcoded-credentials'?: NoHardcodedCredentialsOptions;
     'no-insecure-comparison'?: NoInsecureComparisonOptions;
-    'no-unvalidated-user-input'?: NoUnvalidatedUserInputOptions;
-    'no-unescaped-url-parameter'?: NoUnescapedUrlParameterOptions;
     'no-improper-sanitization'?: NoImproperSanitizationOptions;
     'no-improper-type-validation'?: NoImproperTypeValidationOptions;
     'no-missing-authentication'?: NoMissingAuthenticationOptions;
     'no-privilege-escalation'?: NoPrivilegeEscalationOptions;
     'no-weak-password-recovery'?: NoWeakPasswordRecoveryOptions;
-    'no-missing-csrf-protection'?: NoMissingCsrfProtectionOptions;
-    'no-missing-cors-check'?: NoMissingCorsCheckOptions;
-    'no-missing-security-headers'?: NoMissingSecurityHeadersOptions;
-    'no-insecure-redirects'?: NoInsecureRedirectsOptions;
-    'no-unencrypted-transmission'?: NoUnencryptedTransmissionOptions;
-    'no-clickjacking'?: NoClickjackingOptions;
-    'no-exposed-sensitive-data'?: NoExposedSensitiveDataOptions;
+    'no-pii-in-logs'?: NoPiiInLogsOptions;
+    'require-backend-authorization'?: RequireBackendAuthorizationOptions;
     'no-sensitive-data-exposure'?: NoSensitiveDataExposureOptions;
-    'no-buffer-overread'?: NoBufferOverreadOptions;
     'no-unlimited-resource-allocation'?: NoUnlimitedResourceAllocationOptions;
     'no-unchecked-loop-condition'?: NoUncheckedLoopConditionOptions;
     'no-electron-security-issues'?: NoElectronSecurityIssuesOptions;

package/src/rules/detect-child-process/index.d.ts

@@ -1,28 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: detect-child-process
- * Detects instances of child_process & non-literal exec() calls
- * LLM-optimized with comprehensive command injection prevention guidance
- *
- * @see https://owasp.org/www-community/attacks/Command_Injection
- * @see https://cwe.mitre.org/data/definitions/78.html
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'childProcessCommandInjection' | 'useExecFile' | 'useSpawn' | 'useSaferLibrary' | 'validateInput' | 'useShellFalse' | 'strategyValidate' | 'strategySanitize' | 'strategyRestrict';
-export interface Options {
-    /** Allow exec() with literal strings. Default: false (stricter) */
-    allowLiteralStrings?: boolean;
-    /** Allow spawn() with literal arguments. Default: false (stricter) */
-    allowLiteralSpawn?: boolean;
-    /** Additional child_process methods to check */
-    additionalMethods?: string[];
-    /** Strategy for fixing command injection: 'validate', 'sanitize', 'restrict', or 'auto' */
-    strategy?: 'validate' | 'sanitize' | 'restrict' | 'auto';
-}
-type RuleOptions = [Options?];
-export declare const detectChildProcess: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};