eslint-plugin-weblint-security

1.2.9 • Public • Published

eslint-plugin-weblint-security

npm version Downloads/month

Additional ESLint security rules for Javascript, React and Node.js / Express!

💿 Installation

Install ESLint either locally or globally. (Note that locally, per project, is strongly preferred)

$ npm install --save-dev eslint eslint-plugin-weblint-security
  • Requires Node.js >=14.4.0
  • Requires ESLint >=7.2.0
  • Requires ES-Parser >=2020

🔧 Setup & Usage

Include Weblint security plugin in your .eslintrc.json configuration file ("env" required*):

{
    "env": {
        "browser": true,
        "es2020": true
    },
    "plugins": [
        "weblint-security"
    ].
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended"
    ]
}

React support

For React projects, include the React specific rules and configurations:

{
    "env": {
        "browser": true,
        "es2020": true
    },
    "parserOptions": {
        "sourceType": "module"
    },
    "parser": "babel-eslint",
    "plugins": [
        "weblint-security"
    ],
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended",
        "plugin:weblint-security/react"
    ]
}

Node.js support (including Express.js security aspects)

For Node.js projects, include the Node.js specific rules and configurations:

{
    "env": {
        "node": true
    },
    "parser": "babel-eslint",
    "plugins": [
        "weblint-security"
    ],
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended",
        "plugin:weblint-security/nodejs"
    ]
}

📖 Rules

✒️ - the mark of fixable rules. Use eslint --fix . to apply all available fixes to your project.

Recommended base rules (@/recommended)

Rule ID Description
no-href-and-src-inline-xss Disallows unescaped variables of uncertain
origin from href and src attributes, due to the
concern that they might originate from user input.
✒️

React specific rules (@/react)

Rule ID Description
no-href-and-src-inline-xss-react Disallows unescaped variables of uncertain
origin from href and src JSX attributes, due to the
concern that they might originate from user input.
✒️

Node.js specific rules (@/nodejs)

Rule ID Description
detect-sql-injection Detect the usage of SQL queries that might be
vulnerable to SQL Injections.
detect-missing-helmet Disallow use of ExpressJS applications without
the use of Helmet.js defaults, due to the concern that
the HTTP headers might be insecurely configured.
✒️

❤️ Contributions

We welcome contributions!

Please use GitHub's Issues/PRs.

Please make sure any contributions are covered within the tests, or that new tests are supplied for the contribution.

Testing the rules

To run the tests, use: npm test

Test coverage is achieved through the set of test files, located at:
/tests/test-files/<relevant rule-name>/

All test files are prefixed with one of the following:

  • valid_ for files that should give no output. Useful for testing false positives and soundness.

  • invalid_ for files that should give some output. Useful for testing use-cases and completeness.

  • fixed_ for files that contain the output of applying eslint --fix to some invalid_ file.

Package Sidebar

Install

npm i eslint-plugin-weblint-security

Weekly Downloads

4

Version

1.2.9

License

MIT

Unpacked Size

103 kB

Total Files

88

Last publish

Collaborators

  • markido