Skip to content

eslint-community/eslint-plugin-security

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Folders and files

NameName
Last commit message
Last commit date
Apr 10, 2024
Mar 26, 2024
Apr 10, 2024
Apr 10, 2024
Feb 2, 2023
Dec 15, 2023
Mar 30, 2022
Jan 11, 2023
Dec 14, 2022
Jan 17, 2023
Apr 18, 2022
Apr 10, 2024
Nov 1, 2015
Apr 9, 2024
Oct 17, 2023
Dec 15, 2023
Apr 11, 2024
Apr 10, 2024

Repository files navigation

eslint-plugin-security

NPM version

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev eslint-plugin-security

or

yarn add --dev eslint-plugin-security

Usage

Flat config (requires eslint >= v8.23.0)

Add the following to your eslint.config.js file:

const pluginSecurity = require('eslint-plugin-security');

module.exports = [pluginSecurity.configs.recommended];

eslintrc config (deprecated)

Add the following to your .eslintrc file:

module.exports = {
  extends: ['plugin:security/recommended-legacy'],
};

Developer guide

  • Use GitHub pull requests.
  • Conventions:
  • We use our custom ESLint setup.
  • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int

Tests

npm test

Rules

⚠️ Configurations set to warn in.
✅ Set in the recommended configuration.

Name                                  Description ⚠️
detect-bidi-characters Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.
detect-buffer-noassert Detects calls to "buffer" with "noAssert" flag set.
detect-child-process Detects instances of "child_process" & non-literal "exec()" calls.
detect-disable-mustache-escape Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.
detect-eval-with-expression Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.
detect-new-buffer Detects instances of new Buffer(argument) where argument is any non-literal value.
detect-no-csrf-before-method-override Detects Express "csrf" middleware setup before "method-override" middleware.
detect-non-literal-fs-filename Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.
detect-non-literal-regexp Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.
detect-non-literal-require Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
detect-object-injection Detects "variable[key]" as a left- or right-hand assignment operand.
detect-possible-timing-attacks Detects insecure comparisons (==, !=, !== and ===), which check input sequentially.
detect-pseudoRandomBytes Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.
detect-unsafe-regex Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.