# no-sensitive-data-exposure
ESLint Rule: no-sensitive-data-exposure. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).
Keywords: no sensitive data exposure, security, ESLint rule, JavaScript, TypeScript, CWE-532
## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-200 (Information Exposure) |
| Severity | High (security vulnerability) |
| Auto-Fix | ❌ No |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | Applications handling PII |
## Vulnerability and Risk
Vulnerability: Sensitive data exposure happens when an application inadequately protects sensitive information such as passwords, financial data, or health records.
Risk: Attackers can access this data to conduct identity theft, credit card fraud, or further attacks on the system. It often leads to severe regulatory penalties (GDPR, PCI-DSS compliance failure).
## Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

```
⚠️ CWE-532 OWASP:A09 CVSS:5.3 | Log Information Exposure detected | MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A09_2021/
```

### Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-532 OWASP:A09 CVSS:5.3 |
| Issue Description | Specific vulnerability | Log Information Exposure detected |
| Severity & Compliance | Impact assessment | MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
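The two-line format above, parsed into its components as an added JavaScript example (not code from eslint-plugin-secure-coding): the function names, the gating policy in `shouldBlock` and the `SAMPLE_MESSAGE` constant are my own, and the sample text is the message quoted above.

```javascript
// Added example, not code from eslint-plugin-secure-coding: parse the compact
// two-line message format documented above into named fields so CI tooling
// can route findings by severity or compliance tag. Function names are mine.
// Expected shape (from the page's sample):
//   line 1: "<icon> CWE-nnn OWASP:Ann CVSS:x.y | <issue> | <SEVERITY> [TAG,TAG]"
//   line 2: "Fix: <fix text> | <reference URL>"
function parseSecureCodingMessage(message) {
  const [header, fixLine] = message.split('\n').map((l) => l.trim());
  if (!header || !fixLine) throw new Error('expected a two-line message');

  const [standardsPart, issue, severityPart] = header.split('|').map((s) => s.trim());
  if (!standardsPart || !issue || !severityPart) throw new Error('malformed header line');

  // Risk standards: tokens such as CWE-532, OWASP:A09, CVSS:5.3; the icon is skipped.
  const standards = {};
  for (const token of standardsPart.split(/\s+/)) {
    let m;
    if ((m = /^CWE-(\d+)$/.exec(token))) standards.cwe = `CWE-${m[1]}`;
    else if ((m = /^OWASP:(A\d{2})$/.exec(token))) standards.owasp = m[1];
    else if ((m = /^CVSS:(\d+(?:\.\d+)?)$/.exec(token))) standards.cvss = Number(m[1]);
  }

  // Severity and compliance tags: "MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2]" (tags optional).
  const sev = /^([A-Z]+)\s*(?:\[([^\]]*)\])?$/.exec(severityPart);
  if (!sev) throw new Error(`malformed severity segment: ${severityPart}`);
  const compliance = sev[2] ? sev[2].split(',').map((s) => s.trim()).filter(Boolean) : [];

  // Fix instruction and reference URL: "Fix: <text> | <url>".
  const fix = /^Fix:\s*(.*?)\s*\|\s*(\S+)\s*$/.exec(fixLine);
  if (!fix) throw new Error('malformed fix line');

  return { standards, issue, severity: sev[1], compliance, fix: fix[1], reference: fix[2] };
}

// Gate helper: true when the finding is at or above minSeverity, or carries a
// compliance tag the pipeline treats as blocking (constructed policy, not the rule's).
const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };
function shouldBlock(parsed, { minSeverity = 'HIGH', blockingTags = [] } = {}) {
  const rank = SEVERITY_RANK[parsed.severity] ?? 0;
  return rank >= (SEVERITY_RANK[minSeverity] ?? Infinity) ||
    parsed.compliance.some((tag) => blockingTags.includes(tag));
}

// Constructed sample: the message quoted in this rule's documentation.
const SAMPLE_MESSAGE =
  '⚠️ CWE-532 OWASP:A09 CVSS:5.3 | Log Information Exposure detected | MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2]\n' +
  'Fix: Review and apply the recommended fix | https://owasp.org/Top10/A09_2021/';
```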
## Rule Details

### Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🔒 Security/Code Quality | [Specific issue] | [Solution approach] |
| 🐛 Maintainability | [Impact] | [Fix] |
| ⚡ Performance | [Impact] | [Optimization] |
## Configuration
No configuration options available.
## Examples

### ❌ Incorrect

```js
// Example of incorrect usage
```

### ✅ Correct

```js
// Example of correct usage
```

## Configuration Examples

### Basic Usage
```js
// eslint.config.mjs
export default [
  {
    rules: {
      'secure-coding/no-sensitive-data-exposure': 'error',
    },
  },
];
```

### LLM-Optimized Output
```
🚨 no sensitive data exposure | Description | MEDIUM
Fix: Suggestion | Reference
```

## Related Rules

- rule-name - Description
## Known False Negatives
The following patterns are not detected due to static analysis limitations:
### Values from Variables
Why: Values stored in variables are not traced.
```js
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);
```

Mitigation: Validate all user inputs.
### Wrapper Functions
Why: Custom wrappers not recognized.
```js
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally
```

Mitigation: Apply the rule to wrapper implementations.
### Dynamic Invocation
Why: Dynamic calls not analyzed.
```js
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);
```

Mitigation: Avoid dynamic method invocation.
## Further Reading
- OWASP Selective Data Exposure - Guidelines
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - Official CWE entry