eslint-plugin-sonarjs/cjs/S5739/rule.js

SonarJS rules for ESLint

"use strict";
/*
 * SonarQube JavaScript Plugin
 * Copyright (C) 2011-2025 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
// https://sonarsource.github.io/rspec/#/rspec/S5734/javascript
Object.defineProperty(exports, "__esModule", { value: true });
exports.rule = void 0;
const index_js_1 = require("../helpers/index.js");
const meta_js_1 = require("./meta.js");
const HSTS = 'hsts';
const HELMET = 'helmet';
const MAX_AGE = 'maxAge';
const INCLUDE_SUB_DOMAINS = 'includeSubDomains';
const RECOMMENDED_MAX_AGE = 15552000;
exports.rule = index_js_1.Express.SensitiveMiddlewarePropertyRule(findSensitiveTransportSecurityPolicyProperty, `Disabling Strict-Transport-Security policy is security-sensitive.`, (0, index_js_1.generateMeta)(meta_js_1.meta, undefined, true));
function findSensitiveTransportSecurityPolicyProperty(context, node) {
    const sensitiveFinders = [findSensitiveHsts, findSensitiveMaxAge, findSensitiveIncludeSubDomains];
    const sensitives = [];
    const { callee, arguments: args } = node;
    if (args.length === 1 && args[0].type === 'ObjectExpression') {
        const [options] = args;
        for (const finder of sensitiveFinders) {
            const maybeSensitive = finder(context, callee, options);
            if (maybeSensitive) {
                sensitives.push(maybeSensitive);
            }
        }
    }
    return sensitives;
}
function findSensitiveHsts(context, middleware, options) {
    if ((0, index_js_1.getFullyQualifiedName)(context, middleware) === HELMET) {
        return (0, index_js_1.getPropertyWithValue)(context, options, HSTS, false);
    }
    return undefined;
}
function findSensitiveMaxAge(context, middleware, options) {
    if (isHstsMiddlewareNode(context, middleware)) {
        const maybeMaxAgeProperty = (0, index_js_1.getProperty)(options, MAX_AGE, context);
        if (maybeMaxAgeProperty) {
            const maybeMaxAgeValue = (0, index_js_1.getValueOfExpression)(context, maybeMaxAgeProperty.value, 'Literal');
            if (typeof maybeMaxAgeValue?.value === 'number' &&
                maybeMaxAgeValue.value < RECOMMENDED_MAX_AGE) {
                return maybeMaxAgeProperty;
            }
        }
    }
    return undefined;
}
function findSensitiveIncludeSubDomains(context, middleware, options) {
    if (isHstsMiddlewareNode(context, middleware)) {
        return (0, index_js_1.getPropertyWithValue)(context, options, INCLUDE_SUB_DOMAINS, false);
    }
    return undefined;
}
function isHstsMiddlewareNode(context, node) {
    const fqn = (0, index_js_1.getFullyQualifiedName)(context, node);
    return fqn === `${HELMET}.${HSTS}` || fqn === HSTS;
}