Skip to content

/standard

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider adding eslint-plugin-security #1086

Closed
LinusU opened this issue Mar 8, 2018 · 5 comments

Comments

@LinusU
Copy link
Member

commented Mar 8, 2018

This seems to catch quite a few security related issues: https://github.com/nodesecurity/eslint-plugin-security

also see #1085
@LinusU LinusU referenced this issue Mar 8, 2018
Closed
@feross

This comment has been minimized.

Sign in to view
Copy link
Member

commented Mar 8, 2018

Yes, this has been on my list of things to look at. Will consider for standard 12.

@feross feross added this to the standard v12 milestone Mar 8, 2018

@alasdairhurst

This comment has been minimized.

Sign in to view
Copy link

commented Mar 23, 2018

Given that standard is supposed to be no-config, having plugin security could be a pain out the box. There's a lot of stuff in it warning on the use of child_process, buffers and the like which are not bad, they can just be used in bad ways if you're not careful. most of the time will just get eslint ignored resulting in comment clutter.
@LinusU

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Mar 23, 2018

Yeah, we should evaluate each individual rule and decide which to turn on 👍
@stale

This comment has been minimized.

Sign in to view
Copy link

commented Jun 21, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Jun 21, 2018

@stale stale bot closed this Jun 28, 2018

@lock lock bot locked as resolved and limited conversation to collaborators Sep 26, 2018

@standard standard unlocked this conversation Aug 4, 2019

@feross feross added accepted enhancement and removed stale labels Aug 4, 2019

@feross feross reopened this Aug 4, 2019

@feross feross modified the milestones: standard v12, standard v14 Aug 4, 2019

@feross

This comment has been minimized.

Sign in to view
Copy link
Member

commented Aug 14, 2019

I just took a closer look at the rules available in eslint-plugin-security. While there's some good stuff in here, the false positive rate is waay too high on almost every rule for this to be a daily rule. This seems mostly geared towards security auditors and pen-testers who want to look at a big list of possibly unsafe code patterns to find the needle in the haystack.

Of all the rules, the only three that had a low enough error rate that we could plausibly enable them are:

detect-disable-mustache-escape
Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.

Could be useful but it's specific to one template language. Worth adding a whole new ESLint plugin to get this rule?

detect-no-csrf-before-method-override
Detects Express csrf middleware setup before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

Again, could be useful in some codebases, but specific to express and two middlewares.

detect-possible-timing-attacks
Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.

Detects comparisons of a variable named hash with something else using ===, which could lead to a timing attack. Triggered false positives in the webtorrent codebase since we use the variable name hash decently often and it has nothing to do with user passwords.

Overall, not too concerned about not getting these rules, so I'm going to close this issue. Feedback on this decision welcome.

@feross feross removed the accepted label Aug 14, 2019

@feross feross removed this from the standard 14 milestone Aug 14, 2019

@feross feross closed this Aug 14, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Milestone
No milestone
3 participants
@LinusU @feross @alasdairhurst
You can’t perform that action at this time.