Eslint-plugin-weblint-security NPM

eslint-plugin-weblint-security

Additional ESLint security rules for Javascript, React and Node.js / Express!

💿 Installation

Install ESLint either locally or globally. (Note that locally, per project, is strongly preferred)

$ npm install --save-dev eslint eslint-plugin-weblint-security

Requires Node.js >=14.4.0
Requires ESLint >=7.2.0
Requires ES-Parser >=2020

🔧 Setup & Usage

Include Weblint security plugin in your .eslintrc.json configuration file ("env" required*):

{
    "env": {
        "browser": true,
        "es2020": true
    },
    "plugins": [
        "weblint-security"
    ].
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended"
    ]
}

React support

For React projects, include the React specific rules and configurations:

{
    "env": {
        "browser": true,
        "es2020": true
    },
    "parserOptions": {
        "sourceType": "module"
    },
    "parser": "babel-eslint",
    "plugins": [
        "weblint-security"
    ],
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended",
        "plugin:weblint-security/react"
    ]
}

Node.js support (including Express.js security aspects)

For Node.js projects, include the Node.js specific rules and configurations:

{
    "env": {
        "node": true
    },
    "parser": "babel-eslint",
    "plugins": [
        "weblint-security"
    ],
    "extends": [
        "eslint:recommended",
        "plugin:weblint-security/recommended",
        "plugin:weblint-security/nodejs"
    ]
}

📖 Rules

✒️ - the mark of fixable rules. Use eslint --fix . to apply all available fixes to your project.

Recommended base rules (@/recommended)

Rule ID	Description
no-href-and-src-inline-xss	Disallows unescaped variables of uncertain origin from href and src attributes, due to the concern that they might originate from user input.	✒️

React specific rules (@/react)

Rule ID	Description
no-href-and-src-inline-xss-react	Disallows unescaped variables of uncertain origin from href and src JSX attributes, due to the concern that they might originate from user input.	✒️

Node.js specific rules (@/nodejs)

Rule ID	Description
detect-sql-injection	Detect the usage of SQL queries that might be vulnerable to SQL Injections.
detect-missing-helmet	Disallow use of ExpressJS applications without the use of Helmet.js defaults, due to the concern that the HTTP headers might be insecurely configured.	✒️

❤️ Contributions

We welcome contributions!

Please use GitHub's Issues/PRs.

Please make sure any contributions are covered within the tests, or that new tests are supplied for the contribution.

Testing the rules

To run the tests, use: npm test

Test coverage is achieved through the set of test files, located at: /tests/test-files/<relevant rule-name>/

All test files are prefixed with one of the following:

valid_ for files that should give no output. Useful for testing false positives and soundness.
invalid_ for files that should give some output. Useful for testing use-cases and completeness.
fixed_ for files that contain the output of applying eslint --fix to some invalid_ file.