Skip to content

hhy5277/eslint-plugin-security

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits

docs

docs

 
 

rules

rules

 
 

test

test

 
 

.eslintrc

.eslintrc

 
 

.gitignore

.gitignore

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

index.js

index.js

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

Repository files navigation

eslint-plugin-security

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev eslint-plugin-security

Usage

Add the following to your .eslintrc file:

"plugins": [
  "security"
],
"extends": [
  "plugin:security/recommended"
]

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int

Tests

npm test

Rules

detect-unsafe-regex

Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

More information: Regular Expression DoS and Node.js

detect-buffer-noassert

Detects calls to buffer with noAssert flag set

From the Node.js API docs: "Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer."

detect-child-process

Detects instances of child_process & non-literal exec()

More information: Avoiding Command Injection in Node.js

detect-disable-mustache-escape

Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.

More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

detect-eval-with-expression

Detects eval(variable) which can allow an attacker to run arbitary code inside your process.

More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript

detect-no-csrf-before-method-override

Detects Express csrf middleware setup before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

More information: Bypass Connect CSRF protection by abusing methodOverride Middleware

detect-non-literal-fs-filename

Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system.

More information: https://www.owasp.org/index.php/Path_Traversal

detect-non-literal-regexp

Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression.

More information: Regular Expression DoS and Node.js

detect-non-literal-require

Detects require(variable), which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.

More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm

detect-object-injection

Detects variable[key] as a left- or right-hand assignment operand.

More information: The Dangers of Square Bracket Notation

detect-possible-timing-attacks

Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.

More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

detect-pseudoRandomBytes

Detects if pseudoRandomBytes() is in use, which might not give you the randomness you need and expect.

More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes

About

ESLint rules for Node Security

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • JavaScript 100.0%