Nameless Package Manager

    tslint-config-security

    1.16.0 • Public • Published

    tslint-config-security

    Build Status npm npm npm

    TSLint security rules

    Inspired by eslint-plugin-security

    How to use

    • Install package:
    npm i tslint-config-security --save-dev  --production
    • Update your tslint.json:
    {
      "extends": ["tslint-config-security"]
    }

    By default tslint-config-security enables all rules, but you may disable any of them (not recommended):

    {
      "extends": ["tslint-config-security"],
      "rules": {
        "tsr-detect-html-injection": false,
        "tsr-detect-unsafe-regexp": false
      }
    }

    Rules

    All rules start from the prefix tsr- (TSLint Security Rule) to prevent name collisions.

    tsr-detect-unsafe-regexp

    Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.

    Examples: test/rules/tsr-detect-unsafe-regexp/default/test.ts.lint

    More information:

    tsr-detect-non-literal-buffer

    Detects variable in new Buffer argument

    Examples: test/rules/tsr-detect-non-literal-buffer/default/test.ts.lint

    tsr-detect-buffer-noassert

    Detects calls to Buffer with noAssert flag set

    From the Node.js API docs: "Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer."

    Examples: test/rules/tsr-detect-buffer-noassert/default/test.ts.lint

    tsr-detect-child-process

    Detects instances of child_process & non-literal exec()

    More information: https://web.archive.org/web/20170129010544/https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js#avoiding-command-injection-in-nodejs

    Examples: test/rules/tsr-detect-child-process/default/test.ts.lint

    tsr-disable-mustache-escape

    Detects object.escapeMarkup = false, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.

    More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

    Examples: test/rules/tsr-disable-mustache-escape/default/test.ts.lint

    tsr-detect-eval-with-expression

    Detects eval(variable) which can allow an attacker to run arbitrary code inside your process.

    More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript

    Examples: test/rules/tsr-detect-eval-with-expression/default/test.ts.lint

    tsr-detect-no-csrf-before-method-override

    Detects Express csrf middleware setup before method-override middleware. This can allow GET requests (which are not checked by csrf) to turn into POST requests later.

    More information: http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html

    Examples: test/rules/tsr-detect-no-csrf-before-method-override/default/test.ts.lint

    tsr-detect-non-literal-fs-filename

    Detects variable in filename argument of fs calls, which might allow an attacker to access anything on your system.

    More information: https://www.owasp.org/index.php/Path_Traversal

    Known limitations

    Due to the known issues in the typed TSLint rules:

    tslint-config-security module will analyze methods only on fs variable or on 'fs' module. E.g.:

    const fs = require('fs');
     
    fs.open(somePath); // triggers the error
    require('fs').symlink(path1, path2); // triggers the error
    require("fs").symlink(path1, path2); // triggers the error
     
    const myFs = require('fs');
     
    myFs.open(somePath); // no error

    More examples: test/rules/tsr-detect-non-literal-fs-filename/default/test.ts.lint

    tsr-detect-non-literal-regexp

    Detects RegExp(variable), which might allow an attacker to DOS your server with a long-running regular expression.

    More information:

    Examples: test/rules/tsr-detect-non-literal-regexp/default/test.ts.lint

    tsr-detect-non-literal-require

    Detects require(variable), which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.

    More information:

    Examples: test/rules/tsr-detect-non-literal-require/default/test.ts.lint

    tsr-detect-possible-timing-attacks

    Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.

    More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

    Examples: test/rules/tsr-detect-possible-timing-attacks/default/test.ts.lint

    tsr-detect-pseudo-random-bytes

    Detects if pseudoRandomBytes() is in use, which might not give you the randomness you need and expect.

    More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes

    Examples: test/rules/tsr-detect-pseudo-random-bytes/default/test.ts.lint

    tsr-detect-html-injection

    Detects HTML injections:

    • document.write(variable)
    • document.writeln(variable)
    • Element.innerHTML = variable;
    • Element.outerHTML = variable;
    • el.insertAdjacentHTML(variable);

    More examples: test/rules/tsr-detect-html-injection/default/test.ts.lint

    tsr-detect-sql-literal-injection

    Detects possible SQL injections in string literals:

    // invalid
    const userId = 1;
    const query1 = `SELECT * FROM users WHERE id = ${userId}`;
    const query2 = `SELECT * FROM users WHERE id = ` + userId;
    const query3 = 'SELECT * FROM users WHERE id =' + userId;
     
    const columns = 'id, name';
    Users.query(`SELECT ${columns} FROM users`);
     
    // valid
    const userId = 1;
    const query = sql`SELECT * FROM users WHERE id = ${userId}`;
    db.query(query);
     
    // See https://github.com/mysqljs/mysql
    db.query('SELECT * FROM `books` WHERE `author` = ?', ['David'], function (error, results, fields) {
      //...
    });

    More examples: test/rules/tsr-detect-sql-literal-injection/default/test.ts.lint

    tsr-detect-unsafe-cross-origin-communication

    Detects when all windows & frames on your page (including ones that were injected by 3rd-party scripts) may receive your data.

    Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

    const myWindow = document.getElementById('myIFrame').contentWindow;
     
    myWindow.postMessage(message, "*"); // Noncompliant

    tsr-detect-unsafe-properties-access

    Detects a potential unsafe access to the object properties

    /* 
     
    It equals to `new Function(prop3)`
     
    const a = {};
     
    a["constructor"]["constructor"]("alert(1)")()
     */
     
    // unsafe
    obj[prop1][prop2](prop3)
     
    // unsafe
    obj[prop1][prop2](prop3)()  
     

    More information:

    Solutions:

    • use Map
    • use .hasOwnProperty check
    • use Content-Security-Policy on your page

    Install

    npm i tslint-config-security

    DownloadsWeekly Downloads

    5,801

    Version

    1.16.0

    License

    MIT

    Unpacked Size

    59.2 kB

    Total Files

    24

    Last publish

    Collaborators

    • webschik