ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
npm install --save-dev eslint-plugin-security
Add the plugin to your ESLint configuration (.eslintrc).
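As an added example (not taken from the plugin's own documentation), a minimal eslintrc-format configuration that registers the plugin. It assumes the plugin registers under the name "security" and ships a "recommended" shared config; adjust if your version differs.

```javascript
// .eslintrc.js (eslintrc-format ESLint configuration, CommonJS)
// Added example; assumes the plugin name "security" and a "recommended" config.
module.exports = {
  plugins: ['security'],
  extends: ['plugin:security/recommended'],
  // Individual rules can be tightened or relaxed under "rules" after triage,
  // since the plugin deliberately errs on the side of reporting.
  rules: {},
};
```

Because the rules report many false positives, keep findings as warnings at first and promote individual rules to errors once the code base has been triaged.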
- Use GitHub pull requests.
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int
Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.
Detects Buffer calls with the noAssert flag set.
From the Node.js API docs: "Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer."
More information: https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js
Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.
More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Detects eval(variable), which can allow an attacker to run arbitrary code inside your process.
Detects csrf middleware set up before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
Detects a variable in the filename argument of fs calls, which might allow an attacker to access anything on your system.
More information: https://www.owasp.org/index.php/Path_Traversal
Detects RegExp(variable), which might allow an attacker to DoS your server with a long-running regular expression.
Detects require(variable), which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
Detects variable[key] as a left- or right-hand assignment operand.
Detects insecure comparisons (such as ===), which check input sequentially.
More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
Detects if pseudoRandomBytes() is in use, which might not give you the randomness you need and expect.