fix: major haul of lint errors

Author: GangGreenTemperTatum

packages/backend/src/blacklists.ts

@@ -176,7 +176,8 @@ export class BlacklistManager {
 
         // Check if path matches any vulnerable paths
         if (
-          path &&
+          path !== undefined &&
+          path.trim() !== "" &&
           vulnHost.paths.some((vulnPath) => path.includes(vulnPath))
         ) {
           return { isVulnerable: true, risk: vulnHost.risk };
@@ -207,7 +208,7 @@ export class BlacklistManager {
       results.push({
         type: "vulnerable-js",
         risk:
-          vulnCheck.risk ||
+          vulnCheck.risk ??
           "Domain hosts known vulnerable JavaScript libraries",
       });
     }

packages/backend/src/bypass-database.ts

@@ -5,11 +5,11 @@ import { readFileSync } from "fs";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
 
-let cachedData: string | null = null;
-let cachedCount: number | null = null;
+let cachedData: string | undefined = undefined;
+let cachedCount: number | undefined = undefined;
 
 export const getCSPBypassData = (): string => {
-  if (cachedData === null) {
+  if (cachedData === undefined) {
     try {
       // Read the TSV file from the project root
       const tsvPath = join(process.cwd(), "data", "csp-bypass-data.tsv");
@@ -36,7 +36,7 @@ export const getCSPBypassData = (): string => {
           );
         } catch (finalError) {
           console.error(
-            "Failed to load TSV data from all paths: " + finalError,
+            "Failed to load TSV data from all paths: " + String(finalError),
           );
           cachedData = "Domain\tCode\n"; // Empty TSV with header
         }
@@ -47,7 +47,7 @@ export const getCSPBypassData = (): string => {
 };
 
 export const getBypassCount = (): number => {
-  if (cachedCount === null) {
+  if (cachedCount === undefined) {
     const data = getCSPBypassData();
     const lines = data.trim().split("\n");
     cachedCount = Math.max(0, lines.length - 1); // Subtract 1 for header

packages/backend/src/csp-parser.ts

@@ -77,7 +77,7 @@ export class CspParser {
       if (parts.length === 0) continue;
 
       const directiveName = parts[0]?.toLowerCase();
-      if (!directiveName) continue;
+      if (directiveName === undefined || directiveName.trim() === "") continue;
       const directiveValues = parts.slice(1);
 
       const directive: CspDirective = {
@@ -187,14 +187,14 @@ export class CspParser {
     }
   }
 
-  static computeEffectivePolicy(policies: CspPolicy[]): CspPolicy | null {
-    if (policies.length === 0) return null;
-    if (policies.length === 1) return policies[0] ?? null;
+  static computeEffectivePolicy(policies: CspPolicy[]): CspPolicy | undefined {
+    if (policies.length === 0) return undefined;
+    if (policies.length === 1) return policies[0] ?? undefined;
 
     // For multiple policies, we need to intersect the directives
     // This is a simplified approach - real CSP combination is complex
     const firstPolicy = policies[0];
-    if (!firstPolicy) return null;
+    if (!firstPolicy) return undefined;
 
     const effectivePolicy = { ...firstPolicy };
     effectivePolicy.id = generateId();

packages/backend/src/enhanced-analyzer.ts

@@ -282,7 +282,7 @@ export class EnhancedCspAnalyzer {
           type: "permissive-base-uri",
           severity: "medium",
           directive: "base-uri",
-          value: baseUri?.values.join(" ") || "missing",
+          value: baseUri?.values.join(" ") ?? "missing",
           title: "Permissive Base URI Policy",
           description: "Unrestricted base URI can enable injection attacks",
           remediation: "Set base-uri to 'self' or specific trusted origins",

packages/backend/src/enhanced-blacklists.ts

@@ -361,7 +361,12 @@ export class EnhancedBlacklistManager {
     for (const vulnJs of ENHANCED_VULNERABLE_JS) {
       if (cleanDomain.includes(vulnJs.domain)) {
         // Check path matching if specified
-        if (vulnJs.paths && path) {
+        if (
+          vulnJs.paths &&
+          vulnJs.paths.length > 0 &&
+          path !== undefined &&
+          path.trim() !== ""
+        ) {
           const pathMatch = vulnJs.paths.some((vulnPath) =>
             path.includes(vulnPath),
           );
@@ -412,26 +417,45 @@ export class EnhancedBlacklistManager {
     if (supplyChain.isRisky) {
       threats.push({
         type: "supply-chain",
-        severity: supplyChain.severity || "medium",
-        risk: supplyChain.risk || "Supply chain risk detected",
+        severity:
+          supplyChain.severity !== undefined &&
+          supplyChain.severity.trim() !== ""
+            ? supplyChain.severity
+            : "medium",
+        risk:
+          supplyChain.risk !== undefined && supplyChain.risk.trim() !== ""
+            ? supplyChain.risk
+            : "Supply chain risk detected",
       });
     }
 
     const aiMl = this.checkAiMlServiceRisk(domain);
     if (aiMl.isRisky) {
       threats.push({
         type: "ai-ml-service",
-        severity: aiMl.severity || "medium",
-        risk: aiMl.risk || "AI/ML service integration risk",
+        severity:
+          aiMl.severity !== undefined && aiMl.severity.trim() !== ""
+            ? aiMl.severity
+            : "medium",
+        risk:
+          aiMl.risk !== undefined && aiMl.risk.trim() !== ""
+            ? aiMl.risk
+            : "AI/ML service integration risk",
       });
     }
 
     const web3 = this.checkWeb3Risk(domain);
     if (web3.isRisky) {
       threats.push({
         type: "web3-integration",
-        severity: web3.severity || "high",
-        risk: web3.risk || "Web3/Cryptocurrency integration risk",
+        severity:
+          web3.severity !== undefined && web3.severity.trim() !== ""
+            ? web3.severity
+            : "high",
+        risk:
+          web3.risk !== undefined && web3.risk.trim() !== ""
+            ? web3.risk
+            : "Web3/Cryptocurrency integration risk",
       });
     }
 
@@ -440,7 +464,10 @@ export class EnhancedBlacklistManager {
       threats.push({
         type: "vulnerable-js",
         severity: "high",
-        risk: vulnJs.risk || "Vulnerable JavaScript library detected",
+        risk:
+          vulnJs.risk !== undefined && vulnJs.risk.trim() !== ""
+            ? vulnJs.risk
+            : "Vulnerable JavaScript library detected",
         cve: vulnJs.cve,
       });
     }

packages/backend/src/enhanced-policy-generator.ts

@@ -26,20 +26,20 @@ export class EnhancedPolicyGenerator {
     // Enhanced script-src with modern security
     let scriptSrc = "script-src 'self'";
 
-    if (options.useStrictDynamic) {
+    if (options.useStrictDynamic === true) {
       // CSP Level 3 strict-dynamic for modern apps
       scriptSrc += " 'strict-dynamic'";
     }
 
-    if (options.allowInlineScripts) {
+    if (options.allowInlineScripts === true) {
       // Discouraged but provide guidance
       scriptSrc += " 'unsafe-inline'";
     } else {
       // Recommend nonce/hash approach
       scriptSrc += " 'nonce-{GENERATED_NONCE}'";
     }
 
-    if (!options.allowDataUris) {
+    if (options.allowDataUris !== true) {
       // Block data: URIs by default
       scriptSrc += " 'unsafe-eval'"; // Remove this - typo, should not add unsafe-eval when blocking data
       scriptSrc = scriptSrc.replace(" 'unsafe-eval'", ""); // Fix the typo
@@ -49,7 +49,7 @@ export class EnhancedPolicyGenerator {
 
     // Modern style-src
     let styleSrc = "style-src 'self'";
-    if (options.allowInlineStyles) {
+    if (options.allowInlineStyles === true) {
       styleSrc += " 'unsafe-inline'";
     } else {
       styleSrc += " 'nonce-{GENERATED_NONCE}'";
@@ -64,7 +64,10 @@ export class EnhancedPolicyGenerator {
     directives.push("upgrade-insecure-requests"); // Force HTTPS
 
     // CSP Level 3 features
-    if (options.enableTrustedTypes && options.includeCsp3Features) {
+    if (
+      options.enableTrustedTypes === true &&
+      options.includeCsp3Features === true
+    ) {
       directives.push("trusted-types default");
       directives.push("require-trusted-types-for 'script'");
     }
@@ -376,7 +379,7 @@ export class EnhancedPolicyGenerator {
       const parts = directive.split(/\s+/);
       const name = parts[0];
       const values = parts.slice(1);
-      if (name) {
+      if (name !== undefined && name.trim() !== "") {
         directiveMap.set(name, values);
       }
     }
@@ -396,7 +399,8 @@ export class EnhancedPolicyGenerator {
     }
 
     // Security features (30 points total)
-    if (directiveMap.get("object-src")?.includes("'none'")) {
+    const objectSrc = directiveMap.get("object-src");
+    if (objectSrc && objectSrc.includes("'none'")) {
       score += 10;
       strengths.push("Objects/plugins completely blocked");
     }

packages/backend/src/findings-generator.ts

@@ -1,4 +1,5 @@
 import type { SDK } from "caido:plugin";
+import type { Request, Response } from "caido:utils";
 
 import type { CspVulnerability } from "./types";
 import { VULNERABILITY_RULES } from "./vulnerability-rules";
@@ -8,8 +9,8 @@ export class FindingsGenerator {
 
   static async createFinding(
     vulnerability: CspVulnerability,
-    request: any, // Caido Request object
-    response: any, // Caido Response object
+    request: unknown, // Caido Request object
+    response: unknown, // Caido Response object
     sdk: SDK,
   ): Promise<void> {
     try {
@@ -19,8 +20,8 @@ export class FindingsGenerator {
         title: rule.title,
         description: this.generateDetailedDescription(vulnerability, rule),
         reporter: this.REPORTER_NAME,
-        request: request,
-        response: response,
+        request: request as Request,
+        response: response as Response,
         severity: this.mapSeverityToCaido(vulnerability.severity),
       };
 
@@ -37,15 +38,16 @@ export class FindingsGenerator {
 
   static async createMultipleFindings(
     vulnerabilities: CspVulnerability[],
-    request: any,
-    response: any,
+    request: unknown,
+    response: unknown,
     sdk: SDK,
   ): Promise<void> {
     const promises = vulnerabilities.map((vuln) =>
       this.createFinding(vuln, request, response, sdk),
     );
 
     try {
+      // eslint-disable-next-line compat/compat
       await Promise.all(promises);
       sdk.console.log(`Created ${vulnerabilities.length} CSP findings`);
     } catch (error) {
@@ -73,7 +75,7 @@ export class FindingsGenerator {
     ];
 
     // Add CWE information if available
-    if (rule.cweId) {
+    if (typeof rule.cweId === "number" && rule.cweId > 0) {
       sections.push(
         `<h3>References</h3>`,
         `<p><strong>CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/${rule.cweId}.html">CWE-${rule.cweId}</a></p>`,
@@ -232,10 +234,10 @@ export class FindingsGenerator {
     return grouped;
   }
 
-  static async cleanupOldFindings(
+  static cleanupOldFindings(
     sdk: SDK,
     maxAge: number = 24 * 60 * 60 * 1000,
-  ): Promise<void> {
+  ): void {
     // This would need to be implemented based on Caido's findings API
     // For now, we'll just log the intent
     sdk.console.log(`Would cleanup CSP findings older than ${maxAge}ms`);