Eslint-plugin-codesink NPM

eslint-plugin-codesink

Detect common javascript sinks that lead to web application vulnerabilities.

Installation

# minimal installation:
npm i eslint eslint-plugin-codesink
# for html and typescript support:
npm install eslint-plugin-html typescript@4.1.6 @typescript-eslint/parser @typescript-eslint/eslint-plugin@5.0.0-alpha.42

Usage

Add the following configuration to your .eslintrc.js file:

'use strict';

module.exports = {
  root: true,
  env: {
    node: true,
    es6: true,
  },
  parserOptions: {
    ecmaVersion: 2020,
    sourceType: 'module',
    ecmaFeatures: {
      jsx: true,
    },
  },
  parser: '@typescript-eslint/parser',
  plugins: ['codesink', 'html', '@typescript-eslint'],
  rules: {
    //add specific rules to your project here
    'codesink/no-dom-xss': 'warn',
    'codesink/no-open-redirect': 'warn',
    'codesink/no-eval-injection': 'warn',
    'codesink/no-cookie-manipulation': 'warn',
    'codesink/no-domain-manipulation': 'warn',
    'codesink/no-websocket-url-poisoning': 'warn',
    'codesink/no-link-manipulation': 'warn',
    'codesink/no-message-manipulation': 'warn',
    'codesink/no-path-traversal': 'warn',
    'codesink/no-evil-regex': 'warn',
    'codesink/no-regex-injection': 'warn',
    'codesink/no-hardcoded-credentials': 'warn',
  },
};

Add the following command to `package.json' scripts:

"scripts": {
    "lint": "eslint .",
}

To run eslint from your terminal:

npm run lint

Supported Rules

Vulnerability sinks	Rule
DOM-based XSS	no-dom-xss
DOM-based open redirect	no-open-redirect
DOM-based JavaScript injection	no-eval-injection
DOM-based Cookie manipulation	no-cookie-manipulation
DOM-based document-domain manipulation	no-document-manipulation
DOM-based WebSocket-URL poisoning	websocket-url-poisoning
DOM-based link manipulation	no-link-manipulation
Web message manipulation	no-message-manipulation
Path traversal	no-path-traversal
Evil regex	no-evil-regex
Regex injection	no-regex-injection
Hard-coded credentials	no-hardcoded-credentials