# ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
## Installation

```sh
npm install --save-dev eslint-plugin-security
```

```sh
yarn add --dev eslint-plugin-security
```
## Usage

Add the following to your

```json
"extends": [ "plugin:security/recommended" ]
```
## Developer guide

- Use GitHub pull requests.
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:

```sh
npm run-script cont-int
```
## Rules

| Rule | Description |
|---|---|
| detect-bidi-characters | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. |
| detect-buffer-noassert | Detects calls to "buffer" with "noAssert" flag set. |
| detect-child-process | Detects instances of "child_process" & non-literal "exec()" calls. |
| detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. |
| detect-eval-with-expression | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. |
| detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. |
| detect-no-csrf-before-method-override | Detects Express "csrf" middleware setup before "method-override" middleware. |
| detect-non-literal-fs-filename | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. |
| detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. |
| detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. |
| detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. |
| detect-possible-timing-attacks | Detects insecure comparisons ( |
| detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. |
| detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. |