    eslint-plugin-security

    1.7.1 • Public • Published


    ESLint rules for Node Security

    This project helps identify potential security hotspots in Node.js code. It reports many false positives, so every finding needs triage by a human before it is treated as a vulnerability.

    Installation

    npm install --save-dev eslint-plugin-security

    or

    yarn add --dev eslint-plugin-security

    Usage

    Add the following to your .eslintrc file:

    "extends": [
      "plugin:security/recommended"
    ]

    Developer guide

    • Use GitHub pull requests.
    • Conventions:
      • We use our custom ESLint setup.
      • Please implement a test for each new rule, and run this command to be sure the new code respects the style guide and the tests keep passing:
        npm run-script cont-int

    Tests

    npm test

    Rules

    All rules below are enabled at the "warn" level by the recommended configuration.

    Name                                  Description
    detect-bidi-characters                Detects "trojan source" attacks that use Unicode bidirectional (bidi) control characters to hide malicious code.
    detect-buffer-noassert                Detects calls to "buffer" methods with the "noAssert" flag set, which skips bounds checking.
    detect-child-process                  Detects use of "child_process" and non-literal "exec()" calls.
    detect-disable-mustache-escape        Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.
    detect-eval-with-expression           Detects "eval(variable)", which can allow an attacker to run arbitrary code inside your process.
    detect-new-buffer                     Detects "new Buffer(argument)" where argument is any non-literal value.
    detect-no-csrf-before-method-override Detects Express "csrf" middleware set up before "method-override" middleware.
    detect-non-literal-fs-filename        Detects a variable in the filename argument of "fs" calls, which might allow an attacker to access anything on your system.
    detect-non-literal-regexp             Detects "RegExp(variable)", which might allow an attacker to DoS your server with a long-running regular expression.
    detect-non-literal-require            Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
    detect-object-injection               Detects "variable[key]" as a left- or right-hand assignment operand.
    detect-possible-timing-attacks        Detects insecure comparisons (==, !=, !== and ===) of secrets, which check input sequentially and so leak timing information.
    detect-pseudoRandomBytes              Detects use of "pseudoRandomBytes()", which might not give you the randomness you need and expect.
    detect-unsafe-regex                   Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

    Weekly Downloads

    584,699

    Version

    1.7.1

    License

    Apache-2.0

    Unpacked Size

    134 kB

    Total Files

    69

    Collaborators

    • nzakas
    • nlf
    • adam_baldwin
    • ljon
    • michaeldeboey
    • eslint-community-bot