Skip to content

eslint-community/eslint-plugin-security

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 6 tags
Code

Latest commit

@github-actions
github-actions[bot] chore: release 1.7.1 (#114)
0c9c1de Feb 2, 2023
chore: release 1.7.1 (#114) 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
0c9c1de

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
 
 
docs
 
 
rules
 
 
test
 
 
utils
 
 
.eslint-doc-generatorrc.js
 
 
.eslintrc
 
 
.gitignore
 
 
.markdownlint.json
 
 
.markdownlintignore
 
 
.prettierignore
 
 
.prettierrc.json
 
 
CHANGELOG.md
 
 
LICENSE
 
 
README.md
 
 
index.js
 
 
package-lock.json
 
 
package.json
 
 
eslint-plugin-security Installation Usage Developer guide Tests Rules

README.md

eslint-plugin-security

NPM version

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev eslint-plugin-security

or

yarn add --dev eslint-plugin-security

Usage

Add the following to your .eslintrc file:

"extends": [
  "plugin:security/recommended"
]

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int

Tests

npm test

Rules

⚠️ Configurations set to warn in.
Set in the recommended configuration.

Name                                  Description ⚠️
detect-bidi-characters Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.
detect-buffer-noassert Detects calls to "buffer" with "noAssert" flag set.
detect-child-process Detects instances of "child_process" & non-literal "exec()" calls.
detect-disable-mustache-escape Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.
detect-eval-with-expression Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.
detect-new-buffer Detects instances of new Buffer(argument) where argument is any non-literal value.
detect-no-csrf-before-method-override Detects Express "csrf" middleware setup before "method-override" middleware.
detect-non-literal-fs-filename Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.
detect-non-literal-regexp Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.
detect-non-literal-require Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
detect-object-injection Detects "variable[key]" as a left- or right-hand assignment operand.
detect-possible-timing-attacks Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.
detect-pseudoRandomBytes Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.
detect-unsafe-regex Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

About

ESLint rules for Node Security

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy

Stars

1.9k stars

Watchers

37 watching

Forks

126 forks

Releases 3

eslint-plugin-security v1.7.1 Latest
Feb 2, 2023
+ 2 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Used by 19k

  • @MNizza
  • @guden
  • @vntero
  • @AlexXanderGrib
  • @PeterNelsonT
  • @timgado2022
  • @70747H
  • @dudiq
+ 18,966

Contributors 31

+ 20 contributors

Languages