eslint-plugin-codesink
Detect common javascript sinks that lead to web application vulnerabilities.
Installation
```sh
# minimal installation:
npm i eslint eslint-plugin-codesink
# for html and typescript support:
npm install eslint-plugin-html typescript@4.1.6 @typescript-eslint/parser @typescript-eslint/eslint-plugin@5.0.0-alpha.42
```
Usage
Add the following configuration to your `.eslintrc.js` file:

```js
'use strict';
module.exports = {
  root: true,
  env: {
    node: true,
    es6: true,
  },
  parserOptions: {
    ecmaVersion: 2020,
    sourceType: 'module',
    ecmaFeatures: {
      jsx: true,
    },
  },
  parser: '@typescript-eslint/parser',
  plugins: ['codesink', 'html', '@typescript-eslint'],
  rules: {
    // add specific rules to your project here
    'codesink/no-dom-xss': 'warn',
    'codesink/no-open-redirect': 'warn',
    'codesink/no-eval-injection': 'warn',
    'codesink/no-cookie-manipulation': 'warn',
    'codesink/no-domain-manipulation': 'warn',
    'codesink/no-websocket-url-poisoning': 'warn',
    'codesink/no-link-manipulation': 'warn',
    'codesink/no-message-manipulation': 'warn',
    'codesink/no-path-traversal': 'warn',
    'codesink/no-evil-regex': 'warn',
    'codesink/no-regex-injection': 'warn',
    'codesink/no-hardcoded-credentials': 'warn',
  },
};
```
Add the following command to the `scripts` section of `package.json`:

```json
"scripts": {
  "lint": "eslint ."
}
```

To run eslint from your terminal:

```sh
npm run lint
```
Supported Rules
| Vulnerability sink | Rule |
|---|---|
| DOM-based XSS | no-dom-xss |
| DOM-based open redirect | no-open-redirect |
| DOM-based JavaScript injection | no-eval-injection |
| DOM-based cookie manipulation | no-cookie-manipulation |
| DOM-based document-domain manipulation | no-document-manipulation |
| DOM-based WebSocket-URL poisoning | no-websocket-url-poisoning |
| DOM-based link manipulation | no-link-manipulation |
| Web message manipulation | no-message-manipulation |
| Path traversal | no-path-traversal |
| Evil regex | no-evil-regex |
| Regex injection | no-regex-injection |
| Hard-coded credentials | no-hardcoded-credentials |
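To show the shape of a sink-detecting rule like the ones listed above, here is an added example (not code from eslint-plugin-codesink): a minimal ESLint-style rule that reports writes to DOM HTML sinks, run over a hand-built ESTree fragment so it needs no ESLint install. The sink lists, messages and the `noHtmlSink` name are this example's own assumptions.

```javascript
// Added example, not part of eslint-plugin-codesink: an ESLint-style rule flagging writes to DOM HTML
// sinks (innerHTML/outerHTML, document.write/writeln). Sink lists and messages are assumptions of this example.
const HTML_SINK_PROPERTIES = new Set(['innerHTML', 'outerHTML']);
const HTML_SINK_CALLS = new Set(['write', 'writeln']);
// Property name of a non-computed obj.prop access, or null for anything else.
const propertyName = (node) =>
  node.type === 'MemberExpression' && !node.computed ? node.property.name : null;
// Same shape ESLint expects from a rule module: create(context) returns visitors keyed by node type.
const noHtmlSink = {
  create(context) {
    return {
      AssignmentExpression(node) {
        const name = propertyName(node.left);
        if (name && HTML_SINK_PROPERTIES.has(name)) {
          context.report({ node, message: `${name} is a DOM-based XSS sink; use textContent or sanitize first` });
        }
      },
      CallExpression(node) {
        const name = propertyName(node.callee);
        if (name && HTML_SINK_CALLS.has(name) && node.callee.object.type === 'Identifier' && node.callee.object.name === 'document') {
          context.report({ node, message: `document.${name}() is a DOM-based XSS sink` });
        }
      },
    };
  },
};
// Stand-in for ESLint's traversal: walk the tree, dispatch visitors by node type, collect messages.
function lint(rule, ast) {
  const messages = [];
  const visitors = rule.create({ report: (r) => messages.push(r.message) });
  (function walk(node) {
    if (visitors[node.type]) visitors[node.type](node);
    for (const child of Object.values(node)) {
      if (Array.isArray(child)) child.forEach(walk);
      else if (child && typeof child.type === 'string') walk(child);
    }
  })(ast);
  return messages;
}
// Constructed ESTree for: el.innerHTML = location.hash; el.textContent = location.hash; document.write(untrusted);
const id = (name) => ({ type: 'Identifier', name });
const member = (object, prop) => ({ type: 'MemberExpression', object, property: id(prop), computed: false });
const stmt = (expression) => ({ type: 'ExpressionStatement', expression });
const program = { type: 'Program', body: [
  stmt({ type: 'AssignmentExpression', operator: '=', left: member(id('el'), 'innerHTML'), right: member(id('location'), 'hash') }),   // flagged
  stmt({ type: 'AssignmentExpression', operator: '=', left: member(id('el'), 'textContent'), right: member(id('location'), 'hash') }), // safe: text, not markup
  stmt({ type: 'CallExpression', callee: member(id('document'), 'write'), arguments: [id('untrusted')] }),                             // flagged
] };
console.log(lint(noHtmlSink, program)); // two messages: the innerHTML assignment and the document.write() call
```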