
Several issues with using this plugin #22

Open
@rossPatton

Description

@rossPatton
  1. The security/detect-non-literal-fs-filename rule reports fs.${whatever} regardless of whether that's what I'm using or not. For example, I use jsonFile a lot, so an error with jsonFile.readFile gets reported as fs.readFile, when there is no reference to fs on that page. Sure, the error probably still applies, but it's confusing when the error output doesn't line up with the actual code.

[screenshot attached: 2017-10-23 at 10:41:43 pm]

  2. It's unclear, even with the linked resources, what exactly needs to be done to resolve an issue, or even what the issue is. With the above error, I was not at all sure what the problem really was or how to resolve it. For reference, that file (and just about all instances of that error in my code) are just using paths like this: ${process.cwd()}/path/to/json. I have a hard time seeing how this is exploitable?

  3. I'm getting several unsafe regex errors. Most of them were common regexes (verify zip codes, stuff like that). So as recommended, I used the OWASP link to replace them with their safe variants. Even after replacing them, the error still persists.

  4. detect-object-injection. As this test is currently designed, it's completely overwhelming.

I really want to use this plugin to easily catch minor security issues, but as is, I can't imagine it doing anything more than frustrate people.
