#### `detect-unsafe-regex`

Locates regular expressions that are potentially unsafe. Patterns with nested quantifiers (for example `(a+)+`) or overlapping alternations can backtrack exponentially on crafted input that almost matches, taking a very long time to run and blocking the event loop (regular-expression denial of service, ReDoS).

More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
#### `detect-buffer-noassert`

Detects calls to [`buffer`](https://nodejs.org/api/buffer.html) read/write methods with the `noAssert` flag set.

From the Node.js API docs: "Setting `noAssert` to true skips validation of the `offset`. This allows the `offset` to be beyond the end of the `Buffer`." Skipping that check lets a read or write land outside the intended bounds. The `noAssert` argument was removed from Node.js in v10.0.0, so this rule only matters for code that still targets older runtimes.
#### `detect-child-process`

Detects instances of [`child_process`](https://nodejs.org/api/child_process.html) and non-literal [`exec()`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback) calls. `exec()` runs its argument through a shell, so any user input concatenated into the command string can inject further commands; prefer `execFile()` or `spawn()` with an argument array.

More information: https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js
#### `detect-disable-mustache-escape`

Detects `object.escapeMarkup = false`, which some template engines accept to disable escaping of HTML entities. Rendering untrusted data with escaping disabled leads to Cross-Site Scripting (XSS) vulnerabilities.

More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
#### `detect-eval-with-expression`

Detects `eval(variable)`, which allows an attacker who controls the variable to run arbitrary code inside your process.

More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript
#### `detect-no-csrf-before-method-override`

Detects Express `csrf` middleware set up before `method-override` middleware. `csrf` does not check `GET` requests, so a forged `GET` passes the check and is then turned into a `POST` (or `DELETE`) by `method-override`; the override must run first so that `csrf` sees the real method.

More information: https://blog.liftsecurity.io/2013/09/07/bypass-connect-csrf-protection-by-abusing
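The following is an added example, not code from eslint-plugin-security, Express or the `csurf`/`method-override` packages. It reproduces the ordering bug with a tiny synchronous middleware chain: `csrf` and `methodOverride` here are stand-ins written for the example that mimic the documented behaviour (safe methods skip the token check; `?_method=` rewrites the method), and `run`, `deleteAccount`, `forgedRequest`, `vulnerableOrder` and `fixedOrder` are names chosen here.

```javascript
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Stand-in for the csrf middleware: safe methods pass untouched, anything
// else must carry a token matching the one stored in the session.
function csrf(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  if (req.body && req.body._csrf === req.session.csrfToken) return next();
  res.status = 403;
  res.body = 'invalid csrf token';
}

// Stand-in for method-override configured to honour ?_method=...: rewrites
// req.method before later middleware sees it.
function methodOverride(req, res, next) {
  const override = req.query && req.query._method;
  if (override) req.method = String(override).toUpperCase();
  next();
}

// The state-changing action we want protected.
function deleteAccount(req, res) {
  if (req.method !== 'DELETE') {
    res.status = 405;
    return;
  }
  res.status = 200;
  res.body = 'account deleted';
}

// Minimal synchronous chain runner: each middleware calls next() to continue.
function run(stack, req) {
  const res = { status: 404, body: '' };
  let i = 0;
  const next = () => {
    const fn = stack[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return res;
}

// A cross-site GET (an <img src> or a link) carries no token and no body,
// only the override in the query string. Constructed attacker request.
function forgedRequest() {
  return {
    method: 'GET',
    query: { _method: 'DELETE' },
    body: undefined,
    session: { csrfToken: 'secret' },
  };
}

// Wrong order: csrf sees GET and waves it through, then the method becomes
// DELETE and the handler runs. Returns 200.
function vulnerableOrder() {
  return run([csrf, methodOverride, deleteAccount], forgedRequest()).status;
}

// Right order: the override happens first, csrf sees DELETE with no token and
// stops the chain. Returns 403.
function fixedOrder() {
  return run([methodOverride, csrf, deleteAccount], forgedRequest()).status;
}
```

In real Express the same ordering rule applies to every middleware that can change what the CSRF check sees (body parsers included): anything that rewrites the request must be registered before the check, not after it.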
#### `detect-non-literal-fs-filename`

Detects a variable in the filename argument of `fs` calls. If the variable carries user input, an attacker can use path traversal (`../`) or an absolute path to read or write anything on your system that the process can reach.

More information: https://www.owasp.org/index.php/Path_Traversal
#### `detect-non-literal-regexp`

Detects `RegExp(variable)`, which lets an attacker who controls the variable supply a catastrophically backtracking pattern and DoS your server with a long-running regular expression.

More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
#### `detect-non-literal-require`

Detects `require(variable)`, which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk (`require()` resolves relative and absolute paths and will also load `.json` files).

More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm
#### `detect-object-injection`

Detects `variable[key]` as a left- or right-hand assignment operand. With an attacker-controlled `key` this can read or overwrite properties the code never intended to expose, including inherited ones such as `__proto__` and `constructor` (prototype pollution). The rule also fires on ordinary array and map access, so review each hit rather than disabling it wholesale.

More information: https://blog.liftsecurity.io/2015/01/15/the-dangers-of-square-bracket-notation
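The following is an added example, not code from eslint-plugin-security. It shows the worst case of the pattern the rule flags, a recursive merge writing `target[key]` with attacker-chosen keys, polluting `Object.prototype` from a JSON body, and a hardened merge and lookup beside it. `mergeUnsafe`, `mergeSafe`, `lookup`, `FORBIDDEN_KEYS`, `hasOwn` and `demoPollution` are names chosen here; the JSON payload is constructed attacker input.

```javascript
// Vulnerable deep merge: keys come straight from untrusted JSON. A key of
// "__proto__" on a plain object resolves to Object.prototype, so the
// recursion ends up writing into every object's prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip prototype-related keys, iterate own keys only, and
// never recurse into a value reached through the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// For plain lookups by untrusted key, only honour own properties so that
// "constructor" or "toString" cannot resolve to something inherited.
function lookup(table, key) {
  return hasOwn(table, key) ? table[key] : undefined;
}

// Runs the same payload through both merges and reports what leaked.
// Object.prototype is cleaned up afterwards so the rest of the process is
// not affected.
function demoPollution() {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed
  mergeUnsafe({}, payload);
  const leaked = ({}).isAdmin === true; // an unrelated object is now "isAdmin"
  delete Object.prototype.isAdmin;
  mergeSafe({}, payload);
  const contained = ({}).isAdmin === undefined;
  return { leaked, contained };
}
```

`JSON.parse` is what makes `__proto__` an ordinary own property here; an object literal with the same key would set the prototype instead. `Object.create(null)` or a `Map` for any table keyed by untrusted strings removes the inherited names from the picture altogether.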
#### `detect-possible-timing-attacks`

Detects insecure comparisons (`==`, `!=`, `!==` and `===`) on identifiers whose names suggest secrets (password, token, hash, key and the like). String comparison checks input sequentially and stops at the first mismatch, so the response time leaks how much of a secret the attacker has guessed correctly; use `crypto.timingSafeEqual()` instead.

More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
#### `detect-pseudoRandomBytes`

Detects if `pseudoRandomBytes()` is in use, which might not give you the randomness you need and expect. Use `crypto.randomBytes()` for anything security-sensitive (session ids, tokens, keys); `pseudoRandomBytes()` is deprecated in current Node.js releases.

More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes