eslint-plugin-security
    Overview
    Documentation
    Tutorials
    Insights
    Code
    Dependencies
    Contributors
    Jobs

eslint-plugin-security

Security rules for eslint

1.4.0  •  Updated 2 years ago  •  by nodesecurity  •  Apache License 2.0

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev eslint-plugin-security

Usage

Add the following to your .eslintrc file:

"plugins": [
  "security"
],
"extends": [
  "plugin:security/recommended"
]

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int

Tests

npm test

Rules

detect-unsafe-regex

Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js

detect-buffer-noassert

Detects calls to buffer with noAssert flag set

From the Node.js API docs: “Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer.”

detect-child-process

Detects instances of child_process & non-literal exec()

More information: https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js

detect-disable-mustache-escape

Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.

More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

detect-eval-with-expression

Detects eval(variable) which can allow an attacker to run arbitary code inside your process.

More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript

detect-no-csrf-before-method-override

Detects Express csrf middleware setup before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

More information: https://blog.liftsecurity.io/2013/09/07/bypass-connect-csrf-protection-by-abusing

detect-non-literal-fs-filename

Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system.

More information: https://www.owasp.org/index.php/Path_Traversal

detect-non-literal-regexp

Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression.

More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js

detect-non-literal-require

Detects require(variable), which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.

More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm

detect-object-injection

Detects variable[key] as a left- or right-hand assignment operand.

More information: https://blog.liftsecurity.io/2015/01/14/the-dangers-of-square-bracket-notation/

detect-possible-timing-attacks

Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.

More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

detect-pseudoRandomBytes

Detects if pseudoRandomBytes() is in use, which might not give you the randomness you need and expect.

More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes

Popularity

Weekly Downloads
72.3K
Stars
1.2K

Maintenance

Development

Last ver 3 years ago
Created 4 years ago
Last commit 1 year ago
23 days between commits

Technology

Node version: 7.10.0
0 unpacked

Compliance

Apache License 2.0
OSI Approved
0 vulnerabilities

Contributors

12 contributors
Adam Baldwin
Maintainer, 10 commits, 14 merges
Works at npm
Adam Baldwin
20 commits
Jesús Pérez
8 commits, 1 PRs
Works at IBMResearch
Jonathan Lamendola
Maintainer, 2 commits, 2 merges
Works at ^Lift Security
Peter deHaan
4 commits, 5 PRs
Works at Mozilla
Cody Mikol
3 commits, 3 PRs

Tags

eslint
security
nodesecurity
Openbase helps developers choose among and use millions of open-source packages, so they can build amazing products faster.
FacebookTwitterLinkedIn
© 2020 Devstore, Inc.