feat: ✨ security related rules

2023-09-04 20:56:00 -03:00
parent dcce924286
commit 2e1914c733
9 changed files with 130 additions and 0 deletions
--- a/.changeset/thirty-parrots-fry.md
+++ b/.changeset/thirty-parrots-fry.md
@@ -0,0 +1,6 @@
+---
+"@eslegant/js": minor
+---
+
+New rules related to possible security vulnerabilities in JavaScript.
+Provided by `eslint-plugin-security` and `eslint-plugin-no-secrets`
--- a/configs/js/package.json
+++ b/configs/js/package.json
@@ -47,6 +47,7 @@
    "eslint-plugin-i": "2.28.0-2",
    "eslint-plugin-jsdoc": "^46.5.0",
    "eslint-plugin-n": "^16.0.2",
+    "eslint-plugin-no-secrets": "^0.8.9",
    "eslint-plugin-perfectionist": "^1.5.1",
    "eslint-plugin-security": "^1.7.1",
    "eslint-plugin-unicorn": "^48.0.1",
--- a/configs/js/src/@types/eslint-plugin-no-secrets.d.ts
+++ b/configs/js/src/@types/eslint-plugin-no-secrets.d.ts
@@ -0,0 +1,24 @@
+/**
+ * @file
+ * Type declaration for the `eslint-plugin-no-secrets` package in a attempt to make it
+ * compatible with the new flat config.
+ * @license MIT
+ * @author Guz013 <contact.guz013@gmail.com> (https://guz.one)
+ */
+
+import type { ESLint } from 'eslint';
+
+/**
+ * @summary An eslint plugin to find strings that might be secrets/credentials.
+ *
+ * ---
+ * **Note:** Types in this project where overridden to be compatible with
+ * ESLint new flat config types. ESlint already has backwards compatibility
+ * for plugins not created in the new flat config.
+ * @see {@link https://www.npmjs.com/package/eslint-plugin-no-secrets npm package}
+ */
+declare module 'eslint-plugin-no-secrets' {
+	declare const plugin: ESLint.Plugin;
+	export default plugin;
+}
+
--- a/configs/js/src/configs/index.d.ts
+++ b/configs/js/src/configs/index.d.ts
@@ -225,6 +225,28 @@ const configs: Readonly<{
 		 */
 		strict: ConfigVariations,
 	},
+	/**
+	 * @summary
+	 * Prevents possible vulnerabilities.
+	 * @description
+	 * This configuration tries to prevent possible vulnerabilities
+	 * in you code, such as hard-coded secrets, personal information in comments,
+	 * XSS attacks, etc.
+	 */
+	security: {
+		/**
+		 * @description
+		 * Rules which warns you about possible security vulnerabilities.
+		 */
+		recommended: ConfigVariations,
+		/**
+		 * @borrows Builds on top of the recommended configuration
+		 * @description
+		 * Similar to recommended config, but with rules in error-level
+		 * to make possible vulnerabilities harder to ignore.
+		 */
+		strict: ConfigVariations,
+	},
 	/**
 	 * @summary
 	 * Enforces different ways of coding in JavaScript and TypeScript.
--- a/configs/js/src/configs/index.js
+++ b/configs/js/src/configs/index.js
@@ -11,6 +11,7 @@ import documentation from './documentation.js';
 import suggestions from './suggestions.js';
 import formatting from './formatting.js';
 import overrides from './overrides.js';
+import security from './security.js';
 import problems from './problems.js';
 import naming from './naming.js';
 import core from './core.js';
@@ -23,6 +24,7 @@ const configs = {
 	naming,
 	overrides,
 	problems,
+	security,
 	suggestions,
 	'suggestions-typescript': typescript,
 };
--- a/configs/js/src/configs/security.js
+++ b/configs/js/src/configs/security.js
@@ -0,0 +1,61 @@
+/* eslint-disable import/no-relative-parent-imports */
+/* eslint-disable unicorn/no-useless-spread */
+/**
+ * @file
+ * Configuration objects for preventing possible security vulnerabilities.
+ * See more info on the configs type declaration file.
+ * @license MIT
+ * @author Guz013 <contact.guz013@gmail.com> (https://guz.one)
+ */
+
+import noSecretsPluginRegexes from 'eslint-plugin-no-secrets/regexes.js';
+import noSecretsPlugin from 'eslint-plugin-no-secrets';
+
+import { createVariations } from '../lib/rule-variations.js';
+import { jsFiles, tsFiles } from '../constants.js';
+
+const recommended = createVariations({
+	files: [...tsFiles, ...jsFiles],
+	plugins: {
+		'no-secrets': noSecretsPlugin,
+	},
+	rules: {
+		...{}, // Plugin: eslint-plugin-security
+		'security/detect-bidi-characters': 'warn',
+		'security/detect-disable-mustache-escape': 'warn',
+		'security/detect-eval-with-expression': 'warn',
+		'security/detect-non-literal-regexp': 'warn',
+		'security/detect-object-injection': 'warn',
+		'security/detect-possible-timing-attacks': 'warn',
+		'security/detect-pseudoRandomBytes': 'warn',
+		'security/detect-unsafe-regex': 'warn',
+
+		...{}, // Plugin: eslint-plugin-no-secrets
+		'no-secrets/no-secrets': 'warn',
+	},
+});
+
+const strict = createVariations({
+	...recommended.error,
+	rules: {
+		...recommended.error.rules,
+
+		...{}, // Plugin: eslint-plugin-security
+		'security/detect-bidi-characters': 'error',
+		'security/detect-disable-mustache-escape': 'error',
+		'security/detect-eval-with-expression': 'error',
+		'security/detect-non-literal-regexp': 'error',
+		'security/detect-object-injection': 'warn',
+		'security/detect-possible-timing-attacks': 'warn',
+		'security/detect-pseudoRandomBytes': 'error',
+		'security/detect-unsafe-regex': 'error',
+
+		...{}, // Plugin: eslint-plugin-no-secrets
+		'no-secrets/no-secrets': ['error', {
+			additionalRegexes: noSecretsPluginRegexes,
+		}],
+	},
+});
+
+const security = { recommended, strict };
+export default security;
--- a/configs/js/src/presets/recommended.js
+++ b/configs/js/src/presets/recommended.js
@@ -18,5 +18,6 @@ const recommended = [
 	configs.formatting.recommended.default,
 	configs.naming.recommended.default,
 	configs.documentation.recommended.default,
+	configs.security.recommended.default,
 ];
 export default recommended;
--- a/configs/js/src/presets/strict.js
+++ b/configs/js/src/presets/strict.js
@@ -18,5 +18,6 @@ const strict = [
 	configs.formatting.strict.default,
 	configs.naming.strict.default,
 	configs.documentation.recommended.default,
+	configs.security.strict.default,
 ];
 export default strict;
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -63,6 +63,9 @@ importers:
      eslint-plugin-n:
        specifier: ^16.0.2
        version: 16.0.2(eslint@8.47.0)
+      eslint-plugin-no-secrets:
+        specifier: ^0.8.9
+        version: 0.8.9(eslint@8.47.0)
      eslint-plugin-perfectionist:
        specifier: ^1.5.1
        version: 1.5.1(eslint@8.47.0)(typescript@5.1.6)
@@ -2134,6 +2137,15 @@ packages:
      semver: 7.5.4
    dev: false

+  /eslint-plugin-no-secrets@0.8.9(eslint@8.47.0):
+    resolution: {integrity: sha512-CqaBxXrImABCtxMWspAnm8d5UKkpNylC7zqVveb+fJHEvsSiNGJlSWzdSIvBUnW1XhJXkzifNIZQC08rEII5Ng==}
+    engines: {node: '>=10.0.0', npm: '>=6.9.0'}
+    peerDependencies:
+      eslint: '>=3.0.0'
+    dependencies:
+      eslint: 8.47.0
+    dev: false
+
  /eslint-plugin-perfectionist@1.5.1(eslint@8.47.0)(typescript@5.1.6):
    resolution: {integrity: sha512-PiUrAfGDc/l6MKKUP8qt5RXueC7FZC6F/0j8ijXYU8o3x8o2qUi6zEEYBkId/IiKloIXM5KTD4jrH9833kDNzA==}
    peerDependencies: