@taktikorg/labore-ad NPM

@taktikorg/labore-ad

ESLint rules for Node Security

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

Installation

npm install --save-dev @taktikorg/labore-ad

yarn add --dev @taktikorg/labore-ad

Usage

Add the following to your eslint.config.js file:

const pluginSecurity = require('@taktikorg/labore-ad');

module.exports = [pluginSecurity.configs.recommended];

Add the following to your .eslintrc file:

module.exports = {
  extends: ['plugin:security/recommended-legacy'],
};

Developer guide

Use GitHub pull requests.
Conventions:
We use our custom ESLint setup.
Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:

npm run-script cont-int

Tests

npm test

Rules

⚠️ Configurations set to warn in.\ ✅ Set in the recommended configuration.

Name	Description	⚠️
detect-bidi-characters	Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.	✅
detect-buffer-noassert	Detects calls to "buffer" with "noAssert" flag set.	✅
detect-child-process	Detects instances of "child_process" & non-literal "exec()" calls.	✅
detect-disable-mustache-escape	Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.	✅
detect-eval-with-expression	Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.	✅
detect-new-buffer	Detects instances of new Buffer(argument) where argument is any non-literal value.	✅
detect-no-csrf-before-method-override	Detects Express "csrf" middleware setup before "method-override" middleware.	✅
detect-non-literal-fs-filename	Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.	✅
detect-non-literal-regexp	Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.	✅
detect-non-literal-require	Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.	✅
detect-object-injection	Detects "variablekey" as a left- or right-hand assignment operand.	✅
detect-possible-timing-attacks	Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.	✅
detect-pseudoRandomBytes	Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.	✅
detect-unsafe-regex	Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.	✅

TypeScript support

Type definitions for this package are managed by DefinitelyTyped. Use @types/@taktikorg/labore-ad for type checking.

npm install --save-dev @types/@taktikorg/labore-ad

# OR

yarn add --dev @types/@taktikorg/labore-ad

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

12 months ago

@taktikorg/labore-ad

Installation

Usage

Flat config (requires eslint >= v8.23.0)

eslintrc config (deprecated)

Developer guide

Tests

Rules

TypeScript support