UNPKG

@sun-asterisk/sunlint

Version:

☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint

sun-asterisk/engineer-excellence

75 lines (67 loc) 1.88 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/** * ESLint rule: S007 – Plaintext OTP Check * Rule ID: custom/s007 * Description: Verify that OTPs are not stored or transmitted in plaintext form. */ "use strict"; module.exports = { meta: { type: 'problem', docs: { description: 'Verify that OTPs are not stored or transmitted in plaintext form.', recommended: true, url: 'https://owasp.org/www-community/vulnerabilities/Insecure_Storage', }, messages: { plaintextOtp: 'OTP should not be stored or transmitted in plaintext. Consider hashing or encrypting it.', }, schema: [], }, create(context) { return { Property(node) { if ( node.key && node.key.type === 'Identifier' && /otp/i.test(node.key.name) && node.value && node.value.type === 'Identifier' && !/hash|encrypt|bcrypt|sha/i.test(node.value.name) ) { context.report({ node, messageId: 'plaintextOtp', }); } }, CallExpression(node) { const calleeName = getCalleeName(node.callee); if (!calleeName) return; if (/(insert|update|save|query|create)/i.test(calleeName)) { for (const arg of node.arguments) { const text = context.getSourceCode().getText(arg); if (/otp/i.test(text) && !/hash|encrypt|bcrypt|sha/i.test(text)) { context.report({ node: arg, messageId: 'plaintextOtp', }); } } } }, }; }, }; // ===== Helper function ===== function getCalleeName(callee) { if (callee.type === 'Identifier') { return callee.name; } else if ( callee.type === 'MemberExpression' && callee.property.type === 'Identifier' ) { return callee.property.name; } return null; }