Commit 577ab78

author
Adam Baldwin
committed
Merge branch 'scottnonnenberg-update-docs'
2 parents 5aaa080 + 4793eaa commit 577ab78

File tree: 1 file changed, +76 -17 lines changed

README.md

Lines changed: 76 additions & 17 deletions
@@ -1,7 +1,8 @@
11
# eslint-plugin-security
2+
23
ESLint rules for Node Security
34

4-
Probably not something you want to just toss and leave in a project. It will help identify potential security hotspots, but finds a lot of false positives that needs triaged by a human.
5+
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
56

67
### Installation
78

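Review bot: the rewritten intro sentence keeps the false-positive caveat but drops the original's advice that the plugin is "not something you want to just toss and leave in a project"; if that is still the maintainers' position, keep a short sentence saying the plugin is an audit aid rather than a set-and-forget gate, so readers do not treat every warning as a confirmed finding.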
@@ -17,22 +18,6 @@ Add the following to your `.eslintrc` file:
1718
]
1819
```
1920

20-
### Rules
21-
22-
- `detect-unsafe-regex` - Locates potentially unsafe regular expressions
23-
- `detect-buffer-noassert` - Detects calls to buffer with noassert flag set
24-
- `detect-child-process` - Detects instances of child_process & non-literal cp.exec()
25-
- `detect-disable-mustache-escape` - Detects instances of setting the escapeMarkup property to false
26-
- `detect-eval-with-expression` - Detects eval(var)
27-
- `detect-new-buffer` - Detects instances of new Buffer(argument) where argument is any non literal value
28-
- `detect-no-csrf-before-method-override` - Detects Express.csrf before method-override
29-
- `detect-non-literal-fs-filename` - Detects var in filename argument of fs calls
30-
- `detect-non-literal-regexp` - Detects RegExp(var)
31-
- `detect-non-literal-require` - Detects require(var)
32-
- `detect-object-injection` - Detects var[var]
33-
- `detect-possible-timing-attacks` - Detects insecure comparisons (== != !== ===)
34-
- `detect-pseudoRandomBytes` - Detects if pseudoRandomBytes() is in use
35-
3621

3722
## Developer guide
3823

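Review bot: this hunk removes `detect-new-buffer` ("Detects instances of new Buffer(argument) where argument is any non literal value") together with the rest of the old list, but the expanded Rules section added later in this diff does not re-add it, so the rule silently disappears from the documentation. If the rule still ships, give it a `#### `detect-new-buffer`` entry like the others; if it was removed, say so in the commit message.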
@@ -48,3 +33,77 @@ Add the following to your `.eslintrc` file:
4833
```sh
4934
npm test
5035
```
36+
37+
### Rules
38+
39+
#### `detect-unsafe-regex`
40+
41+
Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.
42+
43+
More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
44+
45+
#### `detect-buffer-noassert`
46+
47+
Detects calls to [`buffer`](https://nodejs.org/api/buffer.html) with `noAssert` flag set
48+
49+
From the Node.js API docs: "Setting `noAssert` to true skips validation of the `offset`. This allows the `offset` to be beyond the end of the `Buffer`."
50+
51+
#### `detect-child-process`
52+
53+
Detects instances of [`child_process`](https://nodejs.org/api/child_process.html) & non-literal [`exec()`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
54+
55+
More information: https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js
56+
57+
#### `detect-disable-mustache-escape`
58+
59+
Detects `object.escapeMarkup = false`, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.
60+
61+
More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
62+
63+
#### `detect-eval-with-expression`
64+
65+
Detects `eval(variable)` which can allow an attacker to run arbitary code inside your process.
66+
67+
More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript
68+
69+
#### `detect-no-csrf-before-method-override`
70+
71+
Detects Express `csrf` middleware setup before `method-override` middleware. This can allow `GET` requests (which are not checked by `csrf`) to turn into `POST` requests later.
72+
73+
More information: https://blog.liftsecurity.io/2013/09/07/bypass-connect-csrf-protection-by-abusing
74+
75+
#### `detect-non-literal-fs-filename`
76+
77+
Detects variable in filename argument of `fs` calls, which might allow an attacker to access anything on your system.
78+
79+
More information: https://www.owasp.org/index.php/Path_Traversal
80+
81+
#### `detect-non-literal-regexp`
82+
83+
Detects `RegExp(variable)`, which might allow an attacker to DOS your server with a long-running regular expression.
84+
85+
More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
86+
87+
#### `detect-non-literal-require`
88+
89+
Detects `require(variable)`, which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
90+
91+
More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm
92+
93+
#### `detect-object-injection`
94+
95+
Detects `variable[key]` as a left- or right-hand assignment operand.
96+
97+
More information: https://blog.liftsecurity.io/2015/01/15/the-dangers-of-square-bracket-notation
98+
99+
#### `detect-possible-timing-attacks`
100+
101+
Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.
102+
103+
More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
104+
105+
#### `detect-pseudoRandomBytes`
106+
107+
Detects if `pseudoRandomBytes()` is in use, which might not give you the randomness you need and expect.
108+
109+
More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes
