Skip to content

eslint-community/eslint-plugin-security

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
0c9c1de

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

eslint-plugin-security

NPM version

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev eslint-plugin-security

or

yarn add --dev eslint-plugin-security

Usage

Add the following to your .eslintrc file:

"extends": [
  "plugin:security/recommended"
]

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int

Tests

npm test

Rules

⚠️ Configurations set to warn in.
Set in the recommended configuration.

Name                                  Description ⚠️
detect-bidi-characters Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.
detect-buffer-noassert Detects calls to "buffer" with "noAssert" flag set.
detect-child-process Detects instances of "child_process" & non-literal "exec()" calls.
detect-disable-mustache-escape Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.
detect-eval-with-expression Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.
detect-new-buffer Detects instances of new Buffer(argument) where argument is any non-literal value.
detect-no-csrf-before-method-override Detects Express "csrf" middleware setup before "method-override" middleware.
detect-non-literal-fs-filename Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.
detect-non-literal-regexp Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.
detect-non-literal-require Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
detect-object-injection Detects "variable[key]" as a left- or right-hand assignment operand.
detect-possible-timing-attacks Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.
detect-pseudoRandomBytes Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.
detect-unsafe-regex Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.