eslint-plugin-weblint-security
Additional ESLint security rules for JavaScript, React and Node.js / Express!
💿 Installation
Install ESLint either locally or globally (locally, per project, is strongly preferred):

```sh
$ npm install --save-dev eslint eslint-plugin-weblint-security
```

- Requires Node.js >=14.4.0
- Requires ESLint >=7.2.0
- Requires ES-Parser >=2020
🔧 Setup & Usage
Include the Weblint security plugin in your .eslintrc.json configuration file ("env" is required):

```json
{
  "env": {
    "browser": true,
    "es2020": true
  },
  "plugins": [
    "weblint-security"
  ],
  "extends": [
    "eslint:recommended",
    "plugin:weblint-security/recommended"
  ]
}
```
React support

For React projects, include the React specific rules and configurations:

```json
{
  "env": {
    "browser": true,
    "es2020": true
  },
  "parserOptions": {
    "sourceType": "module"
  },
  "parser": "babel-eslint",
  "plugins": [
    "weblint-security"
  ],
  "extends": [
    "eslint:recommended",
    "plugin:weblint-security/recommended",
    "plugin:weblint-security/react"
  ]
}
```
Node.js support (including Express.js security aspects)

For Node.js projects, include the Node.js specific rules and configurations:

```json
{
  "env": {
    "node": true
  },
  "parser": "babel-eslint",
  "plugins": [
    "weblint-security"
  ],
  "extends": [
    "eslint:recommended",
    "plugin:weblint-security/recommended",
    "plugin:weblint-security/nodejs"
  ]
}
```
📖 Rules

✒️ marks fixable rules. Use `eslint --fix .` to apply all available fixes to your project.
Recommended base rules (@/recommended)

Rule ID | Description | Fixable
---|---|---
no-href-and-src-inline-xss | Disallows unescaped variables of uncertain origin from href and src attributes, due to the concern that they might originate from user input. | ✒️
React specific rules (@/react)

Rule ID | Description | Fixable
---|---|---
no-href-and-src-inline-xss-react | Disallows unescaped variables of uncertain origin from href and src JSX attributes, due to the concern that they might originate from user input. | ✒️
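The pattern that no-href-and-src-inline-xss and its React counterpart report, next to one defensive treatment, as an added example; this is not code from eslint-plugin-weblint-security, and the plugin's own auto-fix is not reproduced here. The helper names (`safeUrl`, `escapeAttr`, `renderLink*`) and the base URL are assumptions for illustration.

```javascript
// Added example, not code from eslint-plugin-weblint-security. It shows the
// pattern that no-href-and-src-inline-xss (and its React twin) reports and one
// defensive treatment. The plugin's own auto-fix is not reproduced here.
// Plain Node.js (>= 14), no dependencies.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve a string of uncertain origin (query parameter, stored profile field,
// ...) against the page's base URL and keep it only if it parses and uses an
// http(s) scheme. Unparsable input and other schemes (data:, javascript:,
// vbscript:, ...) are replaced by a harmless fallback.
function safeUrl(candidate, base, fallback = "#") {
  if (typeof candidate !== "string") return fallback;
  let parsed;
  try {
    parsed = new URL(candidate.trim(), base); // throws on malformed input
  } catch {
    return fallback;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : fallback;
}

// What the rule reports: the href is assembled straight from input of unknown
// origin. Escaping alone would not help, because a scheme such as javascript:
// contains none of the characters that attribute escaping touches.
function renderLinkUnsafe(userSupplied, text) {
  return `<a href="${userSupplied}">${escapeAttr(text)}</a>`;
}

// The defensive form: validate the scheme first, then escape for the
// attribute context. `base` is the origin relative links should resolve
// against (in a browser, location.href).
function renderLinkGuarded(userSupplied, text, base) {
  const href = escapeAttr(safeUrl(userSupplied, base));
  return `<a href="${href}">${escapeAttr(text)}</a>`;
}
```

Relative links are resolved against `base`, so pass the real page origin there rather than the constructed placeholder used in the comments.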
Node.js specific rules (@/nodejs)

Rule ID | Description | Fixable
---|---|---
detect-sql-injection | Detect the usage of SQL queries that might be vulnerable to SQL Injections. |
detect-missing-helmet | Disallow use of ExpressJS applications without the use of Helmet.js defaults, due to the concern that the HTTP headers might be insecurely configured. | ✒️
❤️ Contributions
We welcome contributions!
Please use GitHub's Issues/PRs.
Please make sure any contributions are covered within the tests, or that new tests are supplied for the contribution.
Testing the rules

To run the tests, use: `npm test`

Test coverage is achieved through the set of test files, located at /tests/test-files/<relevant rule-name>/. All test files are prefixed with one of the following:

- `valid_` for files that should give no output. Useful for testing false positives and soundness.
- `invalid_` for files that should give some output. Useful for testing use-cases and completeness.
- `fixed_` for files that contain the output of applying `eslint --fix` to some `invalid_` file.