eslint-config-sdl v1.0.3 (published 4 years ago)
License: ISC

eslint-config-sdl

A set of ESLint Shareable Configs for JavaScript and TypeScript applications that focuses on common security issues and misconfigurations.

Configs are intended as a baseline for projects that follow Microsoft Security Development Lifecycle (SDL) and use ESLint to perform Static Analysis Security Testing (SAST).

Install

npm install eslint-config-sdl

Usage

See Shareable Configs on the official ESLint website.

Shareable Configs

sdl-required.json: Set of required rules that should run on every project.
sdl-recommended.json: Extension of the sdl-required config that adds rules to increase coverage, at the cost of a potentially higher false positive rate.

Enabled Rules

Each entry lists the rule, where it applies, its severity and what it bans.

no-caller (required for JS and TS; severity: error)
  Bans usage of the deprecated arguments.caller() and arguments.callee, which could potentially allow access to the call stack.

no-delete-var (required for JS and TS; severity: error)
  Bans usage of the delete operator on variables, as it can lead to unexpected behavior.

no-eval (required for JS and TS; severity: error)
  Bans usage of eval(), which allows code execution from a string argument.

no-implied-eval (required for JS; severity: error)
  Bans usage of setTimeout(), setInterval() and execScript() with string arguments. Used this way, these functions behave like eval() and are prone to code execution.

no-new-func (required for JS; severity: error)
  Bans calling new Function(), as it is similar to eval() and prone to code execution.

no-restricted-syntax (required for JS and TS; severity: error)
  This is a generic rule used to ban specific patterns in the code that are not yet covered by custom rules:
  - Call to document.write or document.writeln: these methods pass HTML directly into the DOM without validation and are prone to script injection.
  - Access to document.cookie: cookies often contain sensitive information, so access to this property needs to be strictly controlled.
  - Assignment to document.domain: any assignment to this property must be strictly controlled to make sure the value is on a list of allowed sites.
  - Assignment to the innerHTML or outerHTML property: assignment to these properties is done without sanitization and is prone to script injection.
  - Call to the .html() method: frameworks such as jQuery implement this method to allow passing unsanitized content into the DOM. Calls should be reviewed properly to avoid script injection.
  - Call to MSApp.execUnsafeLocalFunction(), WinJS.Utilities.setInnerHTMLUnsafe() or WinJS.Utilities.setOuterHTMLUnsafe(): disabling auto-sanitization can lead to script injection.
  - Call to $sceProvider.enabled(false): this method disables Strict Contextual Escaping, the built-in mechanism in the Angular framework for preventing script injection.

react/no-danger (required for TS; severity: error)
  Bans usage of the dangerouslySetInnerHTML property in React, as it allows passing unsanitized HTML into the DOM.

@typescript-eslint/no-implied-eval (required for TS; severity: error)
  Similar to the built-in ESLint rule no-implied-eval. Bans usage of setTimeout(), setInterval(), setImmediate(), execScript() or new Function() with string arguments, as they are similar to eval() and allow code execution from string arguments.
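The following .eslintrc.js is an added example covering both the Usage section and the no-restricted-syntax entry above; it is not a file shipped with eslint-config-sdl. It assumes ESLint's standard shareable-config lookup, under which "sdl/sdl-required" resolves to eslint-config-sdl/sdl-required.json, and it assumes the consuming project installs @typescript-eslint/parser itself. The AST selectors are my own rendering of the patterns listed above, written to show how no-restricted-syntax expresses them; they are not the package's actual rule options. One caveat the example is built around: rule options in ESLint replace rather than merge, so any project that sets no-restricted-syntax in its own config overwrites the baseline list and must restate every pattern it still wants banned.

```javascript
// .eslintrc.js (added example, not part of eslint-config-sdl)
//
// Assumption: ESLint maps extends "sdl/<name>" to eslint-config-sdl/<name>.json.
// Assumption: @typescript-eslint/parser is installed by the consuming project.

// Selectors approximating the patterns the README lists for no-restricted-syntax.
// Because setting this rule in a project config REPLACES the baseline options,
// the whole list is restated here rather than only the additions.
const restrictedSyntax = [
  {
    // document.write(...) / document.writeln(...)
    selector: "CallExpression[callee.object.name='document'][callee.property.name=/^write(ln)?$/]",
    message: "document.write/writeln inject raw HTML; build nodes with createElement/textContent instead.",
  },
  {
    // any read or write of document.cookie
    selector: "MemberExpression[object.name='document'][property.name='cookie']",
    message: "Access to document.cookie must be reviewed; cookies often carry sensitive data.",
  },
  {
    // document.domain = ...
    selector: "AssignmentExpression[left.object.name='document'][left.property.name='domain']",
    message: "Assignment to document.domain must be restricted to an allow-list of sites.",
  },
  {
    // el.innerHTML = ... / el.outerHTML = ...
    selector: "AssignmentExpression[left.property.name=/^(inner|outer)HTML$/]",
    message: "innerHTML/outerHTML assignment is unsanitized; use textContent or a sanitizer.",
  },
  {
    // $(...).html(...) and similar
    selector: "CallExpression[callee.property.name='html']",
    message: "Review .html() calls: they pass unsanitized content into the DOM.",
  },
  {
    // MSApp.execUnsafeLocalFunction(...)
    selector: "CallExpression[callee.object.name='MSApp'][callee.property.name='execUnsafeLocalFunction']",
    message: "execUnsafeLocalFunction disables auto-sanitization.",
  },
  {
    // WinJS.Utilities.setInnerHTMLUnsafe(...) / setOuterHTMLUnsafe(...)
    selector: "CallExpression[callee.object.object.name='WinJS'][callee.object.property.name='Utilities'][callee.property.name=/^set(Inner|Outer)HTMLUnsafe$/]",
    message: "WinJS *HTMLUnsafe helpers disable auto-sanitization.",
  },
  {
    // $sceProvider.enabled(false); matches only a literal false argument
    selector: "CallExpression[callee.object.name='$sceProvider'][callee.property.name='enabled'][arguments.0.raw='false']",
    message: "Do not disable Angular Strict Contextual Escaping.",
  },
];

const sdlConfig = {
  root: true,
  // Baseline from the package; swap in "sdl/sdl-recommended" for wider coverage.
  extends: ["sdl/sdl-required"],
  rules: {
    "no-restricted-syntax": ["error", ...restrictedSyntax],
  },
  overrides: [
    {
      // TypeScript files need a TS-aware parser for the TS-specific rules to run.
      files: ["**/*.ts", "**/*.tsx"],
      parser: "@typescript-eslint/parser",
    },
  ],
};

module.exports = sdlConfig;
```

Run `npx eslint .` from the project root with this file in place; each selector match is reported as an error with the message shown, which is what the CI gate for an SDL-following project keys on.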