ESLint rules for Node Security
This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
npm install --save-dev eslint-plugin-security
or yarn add eslint-plugin-security --dev
Add the following to your .eslintrc
file:
"extends": [
"plugin:security/recommended"
]
- Use GitHub pull requests.
- Conventions:
- We use our custom ESLint setup.
- Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
npm run-script cont-int
npm test
Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.
More information: Regular Expression DoS and Node.js
Detect calls to buffer
with noAssert
flag set.
From the Node.js API docs: "Setting noAssert
to true skips validation of the offset
. This allows the offset
to be beyond the end of the Buffer
."
Detect instances of child_process
& non-literal exec()
More information: Avoiding Command Injection in Node.js
Detects object.escapeMarkup = false
, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.
More information: OWASP XSS
Detects eval(variable)
which can allow an attacker to run arbitrary code inside your process.
More information: What are the security issues with eval in JavaScript?
Detects Express csrf
middleware setup before method-override
middleware. This can allow GET
requests (which are not checked by csrf
) to turn into POST
requests later.
More information: Bypass Connect CSRF protection by abusing methodOverride Middleware
Detects variable in filename argument of fs
calls, which might allow an attacker to access anything on your system.
More information: OWASP Path Traversal
Detects RegExp(variable)
, which might allow an attacker to DOS your server with a long-running regular expression.
More information: Regular Expression DoS and Node.js
Detects require(variable)
, which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
More information: Where does Node.js and require look for modules?
Detects variable[key]
as a left- or right-hand assignment operand.
More information: The Dangers of Square Bracket Notation
Detects insecure comparisons (==
, !=
, !==
and ===
), which check input sequentially.
More information: A lesson in timing attacks
Detects if pseudoRandomBytes()
is in use, which might not give you the randomness you need and expect.
More information: Randombytes vs pseudorandombytes
Detect instances of new Buffer(argument) where argument is any non-literal value.