npm - eslint-plugin-secure-coding - Versions diffs - 3.0.1 → 3.1.0 - Mend

eslint-plugin-secure-coding 3.0.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (128) hide show

package/src/rules/no-missing-security-headers/index.js DELETED Viewed

@@ -1,223 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noMissingSecurityHeaders = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const DEFAULT_REQUIRED_HEADERS = [
-    'Content-Security-Policy',
-    'X-Frame-Options',
-    'X-Content-Type-Options',
-];
-/**
- * Extract header name from setHeader call
- */
-function extractHeaderName(node) {
-    if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
-        return String(node.arguments[0].value);
-    }
-    return null;
-}
-/**
- * Check if all security headers are set in the current scope
- */
-function checkFunctionForSecurityHeaders(node, requiredHeaders, context) {
-    const setHeaders = new Set();
-    // Find the function that contains this setHeader call
-    let current = node;
-    let scopeNode = null;
-    while (current) {
-        if (current.type === 'FunctionDeclaration' ||
-            current.type === 'FunctionExpression' ||
-            current.type === 'ArrowFunctionExpression') {
-            scopeNode = current;
-            break;
-        }
-        current = current.parent ?? null;
-    }
-    // If no function found, use the program scope (for test cases)
-    if (!scopeNode) {
-        scopeNode = context.sourceCode.ast;
-    }
-    // Collect all setHeader calls in this scope
-    function collectHeaders(node) {
-        if (node.type === 'CallExpression' &&
-            node.callee.type === 'MemberExpression' &&
-            node.callee.property.type === 'Identifier' &&
-            ['setHeader', 'header', 'set'].includes(node.callee.property.name)) {
-            const headerName = extractHeaderName(node);
-            if (headerName) {
-                setHeaders.add(headerName);
-            }
-        }
-        // Recursively check children - only traverse standard AST properties
-        if (node.type === 'Program' && node.body) {
-            node.body.forEach(collectHeaders);
-        }
-        else if ((node.type === 'FunctionDeclaration' ||
-            node.type === 'FunctionExpression' ||
-            node.type === 'ArrowFunctionExpression') && node.body) {
-            collectHeaders(node.body);
-        }
-        else if (node.type === 'BlockStatement' && node.body) {
-            node.body.forEach(collectHeaders);
-        }
-        else if (node.type === 'ExpressionStatement' && node.expression) {
-            collectHeaders(node.expression);
-        }
-    }
-    if (scopeNode) {
-        collectHeaders(scopeNode);
-    }
-    // Return missing headers
-    return requiredHeaders.filter(header => !setHeaders.has(header));
-}
-exports.noMissingSecurityHeaders = (0, eslint_devkit_2.createRule)({
-    name: 'no-missing-security-headers',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-express-security/require-helmet'],
-        docs: {
-            description: 'Detects missing security headers in HTTP responses',
-        },
-        hasSuggestions: true,
-        messages: {
-            missingSecurityHeader: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Missing security headers',
-                cwe: 'CWE-693',
-                description: 'Missing security headers: {{headers}}',
-                severity: 'HIGH',
-                fix: 'Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options',
-                documentationLink: 'https://owasp.org/www-project-secure-headers/',
-            }),
-            addSecurityHeaders: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Add Security Headers',
-                description: 'Add security headers middleware',
-                severity: 'LOW',
-                fix: 'Add Content-Security-Policy, X-Frame-Options headers',
-                documentationLink: 'https://owasp.org/www-project-secure-headers/',
-            }),
-            useMiddleware: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Helmet',
-                description: 'Use helmet.js for security headers',
-                severity: 'LOW',
-                fix: 'app.use(helmet())',
-                documentationLink: 'https://helmetjs.github.io/',
-            }),
-            setHeader: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Set Headers',
-                description: 'Set security headers manually',
-                severity: 'LOW',
-                fix: 'res.setHeader("X-Frame-Options", "DENY")',
-                documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    requiredHeaders: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: DEFAULT_REQUIRED_HEADERS,
-                    },
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            requiredHeaders: DEFAULT_REQUIRED_HEADERS,
-            ignoreInTests: true,
-        },
-    ],
-    create(context, [options = {}]) {
-        const { requiredHeaders = DEFAULT_REQUIRED_HEADERS, ignoreInTests = true, } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const reportedScopes = new Set();
-        /**
-         * Get a unique key for the current scope
-         */
-        function getScopeKey(node) {
-            // Find the function that contains this call
-            let current = node;
-            while (current) {
-                if (current.type === 'FunctionDeclaration' ||
-                    current.type === 'FunctionExpression' ||
-                    current.type === 'ArrowFunctionExpression') {
-                    return `${current.range?.[0]}-${current.range?.[1]}`;
-                }
-                current = current.parent ?? null;
-            }
-            // If no function found, use program scope
-            return 'program';
-        }
-        /**
-         * Check for response header setting
-         */
-        function checkCallExpression(node) {
-            // Check for res.setHeader, res.header, res.set
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property.type === 'Identifier') {
-                const methodName = node.callee.property.name;
-                if (['setHeader', 'header', 'set'].includes(methodName)) {
-                    const scopeKey = getScopeKey(node);
-                    // Only check once per scope
-                    if (reportedScopes.has(scopeKey)) {
-                        return;
-                    }
-                    const missing = checkFunctionForSecurityHeaders(node, requiredHeaders, context);
-                    if (missing.length > 0) {
-                        reportedScopes.add(scopeKey);
-                        context.report({
-                            node,
-                            messageId: 'missingSecurityHeader',
-                            data: {
-                                headers: missing.join(', '),
-                            },
-                            suggest: [
-                                {
-                                    messageId: 'addSecurityHeaders',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'useMiddleware',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'setHeader',
-                                    fix: () => null,
-                                },
-                            ],
-                        });
-                    }
-                    else {
-                        // Mark as checked even if no error
-                        reportedScopes.add(scopeKey);
-                    }
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});

package/src/rules/no-password-in-url/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noPasswordInUrl: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-password-in-url/index.js DELETED Viewed

@@ -1,55 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPasswordInUrl = void 0;
-/**
- * @fileoverview Prevent passwords in URLs
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/598.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPasswordInUrl = (0, eslint_devkit_1.createRule)({
-    name: 'no-password-in-url',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent passwords in URLs',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-521',
-                description: 'Prevent passwords in URLs detected - this is a security risk',
-                severity: 'CRITICAL',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/521.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            Literal(node) {
-                // Check for http://user:password@host patterns
-                if (node.type === 'Literal' && typeof node.value === 'string') {
-                    const urlPattern = /https?:\/\/[^:]+:[^@]+@/;
-                    if (urlPattern.test(node.value)) {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-permissive-cors/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noPermissiveCors: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-permissive-cors/index.js DELETED Viewed

@@ -1,74 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noPermissiveCors = void 0;
-/**
- * @fileoverview Prevent overly permissive CORS configuration
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/942.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noPermissiveCors = (0, eslint_devkit_1.createRule)({
-    name: 'no-permissive-cors',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-express-security/no-permissive-cors'],
-        docs: {
-            description: 'Prevent overly permissive CORS configuration',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-942',
-                description: 'Prevent overly permissive CORS configuration detected - this is a security risk',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/942.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({
-                node,
-                messageId: 'violationDetected',
-            });
-        }
-        return {
-            CallExpression(node) {
-                // Check for Access-Control-Allow-Origin: *
-                // res.setHeader('Access-Control-Allow-Origin', '*')
-                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    node.callee.property.name === 'setHeader' &&
-                    node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
-                    node.arguments[0].value === 'Access-Control-Allow-Origin' &&
-                    node.arguments[1]?.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
-                    node.arguments[1].value === '*') {
-                    report(node);
-                }
-                // Check cors({ origin: '*' })
-                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    node.callee.name === 'cors' &&
-                    node.arguments[0]?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
-                    const originProp = node.arguments[0].properties.find((p) => p.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
-                        p.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                        p.key.name === 'origin');
-                    if (originProp &&
-                        originProp.value.type === eslint_devkit_1.AST_NODE_TYPES.Literal &&
-                        originProp.value.value === '*') {
-                        report(node);
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-sensitive-data-in-analytics/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noSensitiveDataInAnalytics: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-sensitive-data-in-analytics/index.js DELETED Viewed

@@ -1,66 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInAnalytics = void 0;
-/**
- * @fileoverview Prevent PII sent to analytics
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/359.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noSensitiveDataInAnalytics = (0, eslint_devkit_1.createRule)({
-    name: 'no-sensitive-data-in-analytics',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent PII being sent to analytics services',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Sensitive Data in Analytics',
-                cwe: 'CWE-359',
-                description: 'Sensitive field sent to analytics - this is a privacy violation',
-                severity: 'HIGH',
-                fix: 'Remove PII from analytics tracking data',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/359.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        const sensitiveFields = ['email', 'ssn', 'creditcard', 'password', 'phone', 'address'];
-        function report(node, field) {
-            context.report({ node, messageId: 'violationDetected', data: { field } });
-        }
-        return {
-            CallExpression(node) {
-                // analytics.track() with sensitive data
-                if (node.callee.type === eslint_devkit_1.AST_NODE_TYPES.MemberExpression &&
-                    node.callee.object.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    node.callee.object.name === 'analytics' &&
-                    node.callee.property.type === eslint_devkit_1.AST_NODE_TYPES.Identifier &&
-                    node.callee.property.name === 'track') {
-                    const dataArg = node.arguments[1];
-                    if (dataArg?.type === eslint_devkit_1.AST_NODE_TYPES.ObjectExpression) {
-                        dataArg.properties.forEach(prop => {
-                            if (prop.type === eslint_devkit_1.AST_NODE_TYPES.Property &&
-                                prop.key.type === eslint_devkit_1.AST_NODE_TYPES.Identifier) {
-                                const key = prop.key.name.toLowerCase();
-                                const matchedField = sensitiveFields.find(f => key.includes(f));
-                                if (matchedField) {
-                                    report(prop, matchedField);
-                                }
-                            }
-                        });
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-sensitive-data-in-cache/index.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-export interface Options {
-}
-type RuleOptions = [Options?];
-export declare const noSensitiveDataInCache: import("@typescript-eslint/utils/ts-eslint").RuleModule<"violationDetected", RuleOptions, unknown, import("@typescript-eslint/utils/ts-eslint").RuleListener>;
-export {};

package/src/rules/no-sensitive-data-in-cache/index.js DELETED Viewed

@@ -1,53 +0,0 @@
-"use strict";
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noSensitiveDataInCache = void 0;
-/**
- * @fileoverview Prevent caching sensitive data without encryption
- * @see https://owasp.org/www-project-mobile-top-10/
- * @see https://cwe.mitre.org/data/definitions/524.html
- */
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noSensitiveDataInCache = (0, eslint_devkit_1.createRule)({
-    name: 'no-sensitive-data-in-cache',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Prevent caching sensitive data without encryption',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'violation Detected',
-                cwe: 'CWE-200',
-                description: 'Prevent caching sensitive data without encryption detected - Sensitive data in cache',
-                severity: 'HIGH',
-                fix: 'Review and apply secure practices',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/200.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        return {
-            CallExpression(node) {
-                if (node.callee.type === 'MemberExpression' &&
-                    node.callee.property.type === 'Identifier' &&
-                    ['set', 'put', 'store'].includes(node.callee.property.name)) {
-                    const keyArg = node.arguments[0];
-                    if (keyArg && keyArg.type === 'Literal') {
-                        const key = keyArg.value.toString().toLowerCase();
-                        if (['password', 'token', 'credit', 'ssn'].some(k => key.includes(k))) {
-                            context.report({ node, messageId: 'violationDetected' });
-                        }
-                    }
-                }
-            },
-        };
-    },
-});

package/src/rules/no-toctou-vulnerability/index.d.ts DELETED Viewed

@@ -1,24 +0,0 @@
-/**
- * Copyright (c) 2025 Ofri Peretz
- * Licensed under the MIT License. Use of this source code is governed by the
- * MIT license that can be found in the LICENSE file.
- */
-/**
- * ESLint Rule: no-toctou-vulnerability
- * Detects Time-of-Check-Time-of-Use vulnerabilities
- * CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- *
- * @see https://cwe.mitre.org/data/definitions/367.html
- * @see https://owasp.org/www-community/vulnerabilities/TOCTOU_Race_Condition
- */
-import type { TSESLint } from '@interlace/eslint-devkit';
-type MessageIds = 'toctouVulnerability' | 'useAtomicOperations' | 'useFsPromises' | 'addProperLocking';
-export interface Options {
-    /** Ignore in test files. Default: true */
-    ignoreInTests?: boolean;
-    /** File system methods to check. Default: ['fs.existsSync', 'fs.statSync', 'fs.accessSync'] */
-    fsMethods?: string[];
-}
-type RuleOptions = [Options?];
-export declare const noToctouVulnerability: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener>;
-export {};