Package Exports
- eslint-plugin-security
- eslint-plugin-security/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (eslint-plugin-security) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
eslint-plugin-security
ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
Installation
npm install --save-dev eslint-plugin-securityor
yarn add --dev eslint-plugin-securityUsage
Flat config (requires eslint >= v8.23.0)
Add the following to your eslint.config.js file:
const pluginSecurity = require('eslint-plugin-security');
module.exports = [pluginSecurity.configs.recommended];eslintrc config (deprecated)
Add the following to your .eslintrc file:
module.exports = {
extends: ['plugin:security/recommended-legacy'],
};Developer guide
- Use GitHub pull requests.
- Conventions:
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-intTests
npm testRules
⚠️ Configurations set to warn in.
✅ Set in the recommended configuration.
| Name | Description | ⚠️ |
|---|---|---|
| detect-bidi-characters | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
| detect-buffer-noassert | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
| detect-child-process | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
| detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
| detect-eval-with-expression | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
| detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
| detect-no-csrf-before-method-override | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
| detect-non-literal-fs-filename | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
| detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
| detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
| detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
| detect-possible-timing-attacks | Detects insecure comparisons (==, !=, !== and ===), which check input sequentially. |
✅ |
| detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
| detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
TypeScript support
Type definitions for this package are managed by DefinitelyTyped. Use @types/eslint-plugin-security for type checking.
npm install --save-dev @types/eslint-plugin-security
# OR
yarn add --dev @types/eslint-plugin-security