0.8.0 • Published 3 years ago

eslint-plugin-security-rules v0.8.0

License: MIT

ESLint security rules to help harden your project as early as possible.

NB: This project was written as an artefact for a master's thesis at the IT University of Copenhagen and it should still be considered a work in progress.

Installation

  • Requires Node.js >=14
  • Requires ESLint >=8
yarn add --dev eslint-plugin-security-rules

Usage

To include the recommended eslint-plugin-security-rules ruleset in your configuration, add the following to your .eslintrc:

{
  "extends": [
    "plugin:security-rules/recommended"
  ],
  // Please include the environments that you use when using this plugin. Doing
  // so will enhance the tracing algorithm greatly.
  "env": {
    "node": true,
    "browser": true,
    "es6": true
  },
  "overrides": [
    {
      "files": ["*.ts", "*.tsx"],
      "extends": ["plugin:@typescript-eslint/recommended"],
      // If you would like to improve the accuracy of the tracing algorithm
      // when using TypeScript, then please include the "project" configuration
      // for the @typescript-eslint/parser.
      // See more at
      // https://github.com/typescript-eslint/typescript-eslint/tree/main/packages/parser#parseroptionsproject
      "parserOptions": {
        "project": ["./tsconfig.json"]
      }
    }
  ]
}

Rules

eslint-plugin-security-rules comes with several rulesets, scoped to the environment that they target, allowing you to only enable rules relevant to your project.

  • 'plugin:security-rules/recommended': recommended security rules, including all available rules that you can drop in without any additional configuration.
  • 'plugin:security-rules/node': rules related to vulnerabilities occurring in code that is intended to be executed in a Node.js environment.
  • 'plugin:security-rules/browser': rules related to vulnerabilities occurring in code that is intended to be executed in a browser.
  • 'plugin:security-rules/universal': rules related to vulnerabilities that may occur regardless of the environment the code is run in.
  • 'plugin:security-rules/package': rules that ensure safe usage of dependencies by scanning package.json files.
  • 'plugin:security-rules/react': security-related rules targeting code using the react package.
  • 'plugin:security-rules/pg': security-related rules targeting code using the pg (Postgres) package.
  • 'plugin:security-rules/mysql': security-related rules targeting code using the mysql package.

Key:

  • ✅ = recommended
  • 🔧 = fixable with suggestion
  • 💭 = enhanced with TypeScript type information
  • 🌩 = requires TypeScript type information

Browser

  • security-rules/browser/no-xss: Detects DOM-based XSS vulnerabilities in browser sinks (🔧 💭)

Node

  • security-rules/node/no-unsafe-path: Avoids usage of unsafe paths when interacting with the file system using "fs" (🔧 💭)
  • security-rules/node/no-insecure-ciphers: Detects unsafe cipher algorithms that should not be used (🔧 💭)

Universal

  • security-rules/universal/no-hardcoded-credentials: Detects hardcoded secrets in a file
  • security-rules/universal/no-vulnerable-dependencies: Determines if import statements exist in a vulnerable version

Package.json

  • security-rules/package/no-vulnerable-dependencies: Determines if any of the project's installed dependencies exist in a vulnerable version (🔧)

Package specific rulesets

The following rulesets are related to specific popular packages, scanning for vulnerable usages of them.

React

  • security-rules/react/no-xss: Detects DOM-based XSS vulnerabilities introduced in JSX (🔧 💭)

Postgres (pg)

  • security-rules/pg/no-sql-injections: Detects queries vulnerable to SQL injections (🔧 💭)
  • security-rules/pg/no-hardcoded-credentials: Detects hardcoded secrets in a file (💭)
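The pattern that security-rules/pg/no-sql-injections reports, next to the parameterized form it steers you toward, as an added example that is not part of the plugin's README. No database is involved: the FakeClient, the users table and the input "o'brien" are all constructed here and only mimic the two call shapes of pg's client.query().

```javascript
// Constructed stand-in for a pg client: it records what client.query() would
// send to the server. It is synchronous on purpose so the demo stays simple;
// the real pg client returns a Promise.
class FakeClient {
  constructor() { this.sent = []; }
  query(textOrConfig, values) {
    // pg accepts either query(text, values) or query({ text, values }).
    const cfg = typeof textOrConfig === "string"
      ? { text: textOrConfig, values: values ?? [] }
      : { text: textOrConfig.text, values: textOrConfig.values ?? [] };
    this.sent.push(cfg);
    return { rows: [] };
  }
}

// Vulnerable form (what the rule flags): untrusted input is spliced into the
// SQL text, so a quote in the input ends the string literal early and whatever
// follows is parsed as SQL.
function findUserUnsafe(client, username) {
  return client.query("SELECT id FROM users WHERE name = '" + username + "'");
}

// Hardened form: the SQL text is a constant with a $1 placeholder and the input
// travels separately as a bound value, so it can never change the statement.
function findUserSafe(client, username) {
  return client.query({
    text: "SELECT id FROM users WHERE name = $1",
    values: [username],
  });
}

// Constructed input containing a single quote.
const TRICKY_NAME = "o'brien";

// Runs both variants against the fake client and reports what reached it.
function demo() {
  const client = new FakeClient();
  findUserUnsafe(client, TRICKY_NAME);
  findUserSafe(client, TRICKY_NAME);
  const [unsafe, safe] = client.sent;
  return {
    unsafeText: unsafe.text,
    safeText: safe.text,
    safeValues: safe.values,
    // true when the raw input ended up inside the SQL text itself
    unsafeTextTainted: unsafe.text.includes(TRICKY_NAME),
    safeTextTainted: safe.text.includes(TRICKY_NAME),
  };
}
```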

MySQL

  • security-rules/mysql/no-sql-injections: Detects queries vulnerable to SQL injections (🔧 💭)
  • security-rules/mysql/no-hardcoded-credentials: Detects hardcoded secrets in a file (💭)