UNPKG

@sun-asterisk/sunlint

Version:

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint

sun-asterisk/engineer-excellence

64 lines (57 loc) 1.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
/** * Custom ESLint rule: S039 – Do not include session tokens in URL parameters * Rule ID: custom/s039 */ "use strict"; module.exports = { meta: { type: "problem", docs: { description: "Ensure session tokens are not exposed in URL query parameters", recommended: true, }, schema: [], messages: { tokenInUrl: "Do not expose session token '{{param}}' in URL parameters.", }, }, create(context) { const tokenKeywords = ["token", "session", "auth", "jwt", "sid"]; return { Literal(node) { if (typeof node.value === "string") { const url = node.value; // Simple match ?token=abc123 or &sid=xyz or ?session=... const regex = /[?&]([a-zA-Z0-9_-]+)=/g; let match; while ((match = regex.exec(url)) !== null) { const param = match[1].toLowerCase(); if (tokenKeywords.some((key) => param.includes(key))) { context.report({ node, messageId: "tokenInUrl", data: { param: match[1] }, }); } } } }, TemplateLiteral(node) { const raw = context.getSourceCode().getText(node); const regex = /[?&]([a-zA-Z0-9_-]+)=/g; let match; while ((match = regex.exec(raw)) !== null) { const param = match[1].toLowerCase(); if (tokenKeywords.some((key) => param.includes(key))) { context.report({ node, messageId: "tokenInUrl", data: { param: match[1] }, }); } } }, }; }, };