chore: add eslint-plugin-eslint-plugin (#91)

Author: bmish

.eslintrc

@@ -1,13 +1,26 @@
 {
   "extends": [
     "eslint:recommended",
-    "prettier"
+    "prettier",
+    "plugin:eslint-plugin/recommended"
   ],
   "parserOptions": {
     "ecmaVersion": "latest"
   },
   "env": {
     "node": true,
     "es2020": true
+  },
+  "rules": {
+    "eslint-plugin/prefer-message-ids": "off", // TODO: enable
+    "eslint-plugin/require-meta-docs-url": [
+      "error",
+      {
+        "pattern":
+          "https://github.com/nodesecurity/eslint-plugin-security#{{name}}",
+      },
+    ],
+    "eslint-plugin/require-meta-schema": "off", // TODO: enable
+    "eslint-plugin/require-meta-type": "off"// TODO: enable
   }
 }

package-lock.json

@@ -46,6 +46,7 @@
     "eslint": "^8.11.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-eslint-plugin": "^5.0.2",
     "lint-staged": "^12.3.7",
     "mocha": "^9.2.2",
     "prettier": "^2.6.2",

package.json

@@ -72,7 +72,7 @@ module.exports = {
         }
 
         if (index && node.parent && node.parent.arguments && node.parent.arguments[index] && node.parent.arguments[index].value) {
-          return context.report(node, `Found Buffer.${node.property.name} with noAssert flag set true`);
+          return context.report({ node: node, message: `Found Buffer.${node.property.name} with noAssert flag set true` });
         }
       },
     };

rules/detect-buffer-noassert.js

@@ -21,7 +21,7 @@ module.exports = {
       description: 'Detect instances of "child_process" & non-literal "exec()" calls.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/avoid-command-injection-node.md',
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-child-process',
     },
   },
   create: function (context) {
@@ -35,14 +35,14 @@ module.exports = {
             } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
               names.push(node.parent.left.name);
             }
-            return context.report(node, 'Found require("child_process")');
+            return context.report({ node: node, message: 'Found require("child_process")' });
           }
         }
       },
       MemberExpression: function (node) {
         if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
           if (node.parent && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
-            return context.report(node, 'Found child_process.exec() with non Literal first argument');
+            return context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
           }
         }
       },

rules/detect-child-process.js

@@ -7,8 +7,8 @@ module.exports = {
       description: 'Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-disable-mustache-escape'
-    }
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-disable-mustache-escape',
+    },
   },
   create: function (context) {
     return {
@@ -17,12 +17,12 @@ module.exports = {
           if (node.left.property) {
             if (node.left.property.name === 'escapeMarkup') {
               if (node.right.value === false) {
-                context.report(node, 'Markup escaping disabled.');
+                context.report({ node: node, message: 'Markup escaping disabled.' });
               }
             }
           }
         }
-      }
+      },
     };
-  }
+  },
 };

rules/detect-disable-mustache-escape.js

@@ -16,16 +16,16 @@ module.exports = {
       description: 'Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-eval-with-expression'
-    }
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-eval-with-expression',
+    },
   },
   create: function (context) {
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
-          context.report(node, `eval with argument of type ${node.arguments[0].type}`);
+          context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
         }
-      }
+      },
     };
-  }
+  },
 };

rules/detect-eval-with-expression.js

@@ -7,16 +7,16 @@ module.exports = {
       description: 'Detect instances of new Buffer(argument) where argument is any non-literal value.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/README.md'
-    }
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-new-buffer',
+    },
   },
   create: function (context) {
     return {
       NewExpression: function (node) {
         if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {
-          return context.report(node, 'Found new Buffer');
+          return context.report({ node: node, message: 'Found new Buffer' });
         }
-      }
+      },
     };
-  }
+  },
 };

rules/detect-new-buffer.js

@@ -16,15 +16,15 @@ module.exports = {
       description: 'Detects Express "csrf" middleware setup before "method-override" middleware.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/bypass-connect-csrf-protection-by-abusing.md',
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-no-csrf-before-method-override',
     },
   },
   create: function (context) {
     let csrf = false;
 
     return {
       CallExpression: function (node) {
-        const token = context.getTokens(node)[0];
+        const token = context.getSourceCode().getTokens(node)[0];
         const nodeValue = token.value;
 
         if (nodeValue === 'express') {
@@ -33,7 +33,7 @@ module.exports = {
           }
 
           if (node.callee.property.name === 'methodOverride' && csrf) {
-            context.report(node, 'express.csrf() middleware found before express.methodOverride()');
+            context.report({ node: node, message: 'express.csrf() middleware found before express.methodOverride()' });
           }
           if (node.callee.property.name === 'csrf') {
             // Keep track of found CSRF

rules/detect-no-csrf-before-method-override.js

@@ -39,7 +39,7 @@ module.exports = {
         }
 
         if (result.length > 0) {
-          return context.report(node, `Found fs.${node.property.name} with non literal argument at index ${result.join(',')}`);
+          return context.report({ node: node, message: `Found fs.${node.property.name} with non literal argument at index ${result.join(',')}` });
         }
 
         /*