Security rules for eslint
Package: eslint-plugin-security
Created by: eslint-community
Last modified: Wed, 10 Apr 2024 17:47:34 GMT
Version: 3.0.0
License: Apache-2.0
Downloads: 3,526,941
Repository: https://github.com/eslint-community/eslint-plugin-security
Install
npm install eslint-plugin-security
yarn add eslint-plugin-security
eslint-plugin-security
ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
Installation
npm install --save-dev eslint-plugin-security
or
yarn add --dev eslint-plugin-security
Usage
Flat config (requires eslint >= v8.23.0)
Add the following to your eslint.config.js file:
const pluginSecurity = require('eslint-plugin-security');
module.exports = [pluginSecurity.configs.recommended];
eslintrc config (deprecated)
Add the following to your .eslintrc file:
module.exports = {
extends: ['plugin:security/recommended-legacy'],
};
Developer guide
- Use GitHub pull requests.
- Conventions:
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int
Tests
npm test
Rules
⚠️ Configurations set to warn in.
✅ Set in the recommended configuration.
| Name | Description | ⚠️ |
|---|---|---|
| detect-bidi-characters | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
| detect-buffer-noassert | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
| detect-child-process | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
| detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
| detect-eval-with-expression | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
| detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
| detect-no-csrf-before-method-override | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
| detect-non-literal-fs-filename | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
| detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
| detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
| detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
| detect-possible-timing-attacks | Detects insecure comparisons (==, !=, !== and ===), which check input sequentially. |
✅ |
| detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
| detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
Dependencies
Dependencies
@eslint/js: ^9.0.0changelog: 1.3.0eslint: ^9.0.0eslint-config-nodesecurity: ^1.3.1eslint-config-prettier: ^8.5.0eslint-doc-generator: ^1.7.0eslint-plugin-eslint-plugin: ^5.5.1lint-staged: ^12.3.7markdownlint-cli: ^0.32.2mocha: ^9.2.2npm-run-all: ^4.1.5prettier: ^2.6.2semantic-release: ^19.0.2yorkie: ^2.0.0
