feat(linter): add oxc-security/api-keys

.typos.toml

@@ -34,6 +34,7 @@ trivia = "trivia"
 xdescribe = "xdescribe"
 seeked = "seeked"
 labeledby = "labeledby"
+hashi = "hashi"
 
 [default.extend-identifiers]
 IIFEs = "IIFEs"

apps/oxlint/src/command/lint.rs

@@ -265,6 +265,10 @@ pub struct EnablePlugins {
     /// Enable the node plugin and detect node usage problems
     #[bpaf(switch, hide_usage)]
     pub node_plugin: bool,
+
+    /// Enable the security plugin and detect security problems
+    #[bpaf(switch, hide_usage)]
+    pub security_plugin: bool,
 }
 
 #[cfg(test)]

apps/oxlint/src/lint/mod.rs

@@ -116,7 +116,8 @@ impl Runner for LintRunner {
             .with_nextjs_plugin(enable_plugins.nextjs_plugin)
             .with_react_perf_plugin(enable_plugins.react_perf_plugin)
             .with_promise_plugin(enable_plugins.promise_plugin)
-            .with_node_plugin(enable_plugins.node_plugin);
+            .with_node_plugin(enable_plugins.node_plugin)
+            .with_security_plugin(enable_plugins.security_plugin);
 
         let linter = match Linter::from_options(lint_options) {
             Ok(lint_service) => lint_service,

crates/oxc_linter/src/context/mod.rs

@@ -344,4 +344,5 @@ const PLUGIN_PREFIXES: phf::Map<&'static str, &'static str> = phf::phf_map! {
     "unicorn" => "eslint-plugin-unicorn",
     "vitest" => "eslint-plugin-vitest",
     "node" => "eslint-plugin-node",
+    "security" => "oxc-security",
 };

crates/oxc_linter/src/options/mod.rs

@@ -178,6 +178,12 @@ impl OxlintOptions {
         self.plugins.node = yes;
         self
     }
+
+    #[must_use]
+    pub fn with_security_plugin(mut self, yes: bool) -> Self {
+        self.plugins.security = yes;
+        self
+    }
 }
 
 impl OxlintOptions {
@@ -286,6 +292,7 @@ impl OxlintOptions {
                 "eslint" | "tree_shaking" => true,
                 "promise" => self.plugins.promise,
                 "node" => self.plugins.node,
+                "security" => self.plugins.security,
                 name => panic!("Unhandled plugin: {name}"),
             })
             .cloned()

crates/oxc_linter/src/options/plugins.rs

@@ -34,6 +34,8 @@ bitflags! {
         const PROMISE = 1 << 11;
         /// `eslint-plugin-node`
         const NODE = 1 << 12;
+        /// Custom security rules made by the Oxc team
+        const SECURITY = 1 << 13;
     }
 }
 impl Default for LintPlugins {
@@ -59,6 +61,7 @@ impl From<LintPluginOptions> for LintPlugins {
         plugins.set(LintPlugins::REACT_PERF, options.react_perf);
         plugins.set(LintPlugins::PROMISE, options.promise);
         plugins.set(LintPlugins::NODE, options.node);
+        plugins.set(LintPlugins::SECURITY, options.security);
         plugins
     }
 }
@@ -108,6 +111,7 @@ impl From<&str> for LintPlugins {
             "react-perf" | "react_perf" => LintPlugins::REACT_PERF,
             "promise" => LintPlugins::PROMISE,
             "node" => LintPlugins::NODE,
+            "security" | "oxc-security" => LintPlugins::SECURITY,
             // "eslint" is not really a plugin, so it's 'empty'. This has the added benefit of
             // making it the default value.
             _ => LintPlugins::empty(),
@@ -131,6 +135,7 @@ impl From<LintPlugins> for &'static str {
             LintPlugins::REACT_PERF => "react-perf",
             LintPlugins::PROMISE => "promise",
             LintPlugins::NODE => "node",
+            LintPlugins::SECURITY => "security",
             _ => "",
         }
     }
@@ -189,6 +194,7 @@ pub struct LintPluginOptions {
     pub react_perf: bool,
     pub promise: bool,
     pub node: bool,
+    pub security: bool,
 }
 
 impl Default for LintPluginOptions {
@@ -207,6 +213,7 @@ impl Default for LintPluginOptions {
             react_perf: false,
             promise: false,
             node: false,
+            security: false,
         }
     }
 }
@@ -229,6 +236,7 @@ impl LintPluginOptions {
             react_perf: false,
             promise: false,
             node: false,
+            security: false,
         }
     }
 
@@ -249,6 +257,7 @@ impl LintPluginOptions {
             react_perf: true,
             promise: true,
             node: true,
+            security: true,
         }
     }
 }
@@ -272,6 +281,7 @@ impl<S: AsRef<str>> FromIterator<(S, bool)> for LintPluginOptions {
                 LintPlugins::REACT_PERF => options.react_perf = enabled,
                 LintPlugins::PROMISE => options.promise = enabled,
                 LintPlugins::NODE => options.node = enabled,
+                LintPlugins::SECURITY => options.security = enabled,
                 _ => {} // ignored
             }
         }
@@ -304,6 +314,7 @@ mod test {
                 && self.react_perf == other.react_perf
                 && self.promise == other.promise
                 && self.node == other.node
+                && self.security == other.security
         }
     }
 
@@ -343,6 +354,7 @@ mod test {
             react_perf: false,
             promise: false,
             node: false,
+            security: false,
         };
         assert_eq!(plugins, expected);
     }

crates/oxc_linter/src/rules.rs

@@ -411,6 +411,10 @@ mod oxc {
     pub mod uninvoked_array_callback;
 }
 
+mod security {
+    pub mod api_keys;
+}
+
 mod nextjs {
     pub mod google_font_display;
     pub mod google_font_preconnect;
@@ -789,6 +793,7 @@ oxc_macros::declare_all_lint_rules! {
     react_perf::jsx_no_new_array_as_prop,
     react_perf::jsx_no_new_function_as_prop,
     react_perf::jsx_no_new_object_as_prop,
+    security::api_keys,
     tree_shaking::no_side_effects_in_initialization,
     typescript::adjacent_overload_signatures,
     typescript::array_type,

crates/oxc_linter/src/rules/security/api_keys/entropy.rs

@@ -0,0 +1,65 @@
+/// Calculates the Shannon entropy of a byte string.
+///
+/// Implementation borrowed from [Rosetta Code](https://rosettacode.org/wiki/Entropy#Rust).
+///
+/// see: [Entropy (Wikipedial)](https://en.wikipedia.org/wiki/Entropy_(information_theory))
+#[allow(clippy::cast_precision_loss)]
+pub(crate) fn entropy<S: AsRef<[u8]>>(string: S) -> f32 {
+    let mut histogram = [0u32; 256];
+    let bytes = string.as_ref();
+    // we don't care if this is truncated
+    let len = bytes.len() as f32;
+
+    for &b in bytes {
+        histogram[b as usize] += 1;
+    }
+
+    histogram
+        .iter()
+        .copied()
+        .filter(|&h| h != 0)
+        .map(|h| h as f32 / len) // we don't care if this is truncated
+        .map(|ratio| -ratio * ratio.log2())
+        .sum()
+}
+
+pub(crate) trait Entropy {
+    /// Calculates the Shannon entropy of a byte string.
+    ///
+    /// Implementation borrowed from [Rosetta Code](https://rosettacode.org/wiki/Entropy#Rust).
+    ///
+    /// see: [Entropy (Wikipedial)](https://en.wikipedia.org/wiki/Entropy_(information_theory))
+    fn entropy(&self) -> f32;
+}
+
+impl<S> Entropy for S
+where
+    S: AsRef<[u8]>,
+{
+    fn entropy(&self) -> f32 {
+        entropy(self)
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[test]
+    fn test_entropy() {
+        let test_cases = vec![
+            ("hello world", "hello world".entropy()),
+            ("hello world", b"hello world".entropy()),
+            ("hello world", String::from("hello world").entropy()),
+            ("hello world", 2.845_351_2),
+        ];
+
+        for (input, expected) in test_cases {
+            let actual = entropy(input);
+            assert!(
+                (actual - expected).abs() < f32::EPSILON,
+                "expected entropy({input}) to be {expected}, got {actual}"
+            );
+        }
+    }
+}