1.0.3 • Published 4 years ago
eslint-config-sdl
A set of ESLint Shareable Configs for JavaScript and TypeScript applications that focuses on common security issues and misconfigurations.
Configs are intended as a baseline for projects that follow Microsoft Security Development Lifecycle (SDL) and use ESLint to perform Static Analysis Security Testing (SAST).
Install
npm install eslint-config-sdl
Usage
See Shareable Configs on the official ESLint website.
Shareable Configs
| Config | Description |
|---|---|
| sdl-required.json | Set of required rules that should run on every project. |
| sdl-recommended.json | Extension to the sdl-required config that adds further rules to increase coverage, at a potentially higher false-positive rate. |
Enabled Rules
| Rule | Applicability | Severity | Description |
|---|---|---|---|
| no-caller | Required for JS and TS | Error | Bans usage of the deprecated arguments.caller() and arguments.callee, which could allow access to the call stack. |
| no-delete-var | Required for JS and TS | Error | Bans usage of the delete operator on variables, as it can lead to unexpected behavior. |
| no-eval | Required for JS and TS | Error | Bans usage of eval(), which allows code execution from a string argument. |
| no-implied-eval | Required for JS | Error | Bans usage of setTimeout(), setInterval() and execScript() with string arguments. These calls are similar to eval() and prone to code execution. |
| no-new-func | Required for JS | Error | Bans calling new Function(), as it is similar to eval() and prone to code execution. |
| no-restricted-syntax | Required for JS and TS | Error | A generic rule used to ban specific patterns in the code that are not yet covered by custom rules: calls to document.write or document.writeln (these methods pass HTML directly into the DOM without validation and are prone to script injection); access to document.cookie (cookies often contain sensitive information, so access to this property needs to be strictly controlled); assignment to document.domain (any assignment must be strictly controlled to make sure the value is on a list of allowed sites); assignment to the innerHTML or outerHTML property (done without sanitization and prone to script injection); calls to the .html() method (frameworks such as jQuery implement this method to pass unsanitized content into the DOM, so calls should be reviewed to avoid script injection); calls to MSApp.execUnsafeLocalFunction(), WinJS.Utilities.setInnerHTMLUnsafe() or WinJS.Utilities.setOuterHTMLUnsafe() (disabling auto-sanitization can lead to script injection); calls to $sceProvider.enabled(false) (this disables Strict Contextual Escaping, the Angular framework's built-in mechanism for preventing script injection). |
| react/no-danger | Required for TS | Error | Bans usage of the dangerouslySetInnerHTML property in React, as it allows passing unsanitized HTML into the DOM. |
| @typescript-eslint/no-implied-eval | Required for TS | Error | Similar to the built-in ESLint rule no-implied-eval. Bans usage of setTimeout(), setInterval(), setImmediate(), execScript() or new Function() with string arguments, as they are similar to eval() and allow code execution from strings. |
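To make the no-eval and no-new-func rows concrete, the following is an added example (not code from eslint-config-sdl or Microsoft): each string-to-code sink the rules report is shown beside a form that passes. The function names, the settings shape and the sample inputs are constructed for illustration.

```javascript
// Added example (not part of eslint-config-sdl): string-to-code sinks reported by
// no-eval and no-new-func, each beside a form that passes. Names and inputs are constructed.

// Reported by no-eval: text from an untrusted source is executed as code.
function parseSettingsUnsafe(text) {
  return eval("(" + text + ")");
}

// Passes: JSON.parse yields data only, and the result is checked against the
// shape the application expects before anything uses it.
function parseSettings(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return null; // not JSON at all (e.g. text carrying a trailing statement)
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
  if (typeof parsed.theme !== "string") return null;
  const secs = parsed.refreshSeconds;
  if (!Number.isInteger(secs) || secs < 1 || secs > 3600) return null;
  return { theme: parsed.theme, refreshSeconds: secs };
}

// Reported by no-new-func: the expression string becomes a function body.
function makeFormatterUnsafe(expression) {
  return new Function("value", "return " + expression + ";");
}

// Passes: callers pick from a fixed table of named formatters instead of
// supplying code; the own-property check keeps "constructor" and friends out.
const FORMATTERS = {
  upper: (value) => String(value).toUpperCase(),
  trim: (value) => String(value).trim(),
  cents: (value) => (Number(value) / 100).toFixed(2),
};
function makeFormatter(name) {
  if (!Object.prototype.hasOwnProperty.call(FORMATTERS, name)) {
    throw new RangeError(`unknown formatter: ${name}`);
  }
  return FORMATTERS[name];
}
```

Running the config over this file reports the two Unsafe functions and leaves the others alone.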