Description

- The `security/detect-non-literal-fs-filename` rule reports `fs.${whatever}` regardless of whether that's what I'm using or not. For example, I use jsonFile a lot, so an error with `jsonFile.readFile` gets reported as `fs.readFile`, when there is no reference to fs on that page. Sure, the error probably still applies, but it's confusing when the error output doesn't line up with the actual code.
- It's unclear, even with the linked resources, what exactly needs to be done to resolve an issue, or even what the issue is. With the above error, I was not at all sure what the problem really was or how to resolve it. For reference, that file (and just about all instances of that error in my code) are just using paths like this: `${process.cwd()}/path/to/json`. I have a hard time seeing how this is exploitable?
- I'm getting several unsafe regex errors. Most of them were common regexes (verify zip codes, stuff like that). So as recommended, I used the OWASP link to replace them with their safe variants. Even after replacing them, the error still persists.
- `detect-object-injection`. As this test is currently designed, it's completely overwhelming.

I really want to use this plugin to easily catch minor security issues, but as is, I can't imagine it doing anything more than frustrate people.