solium-plugin-security v0.1.1

Published 6 years ago. License: MIT. Repository: github.

The official Security Plugin for Solium


This plugin provides security-focused lint rules for Solium.

The rules have been taken from Consensys' Recommended Smart Contract Practices and Solium's Rule Wishlist.

Installation

NOTE: If you're using Solium v1.0.1 or above, this plugin comes pre-installed as a local dependency and you can skip this section.

npm install -g solium-plugin-security

Usage

NOTE: If you've installed Solium v1.0.1 or above and created .soliumrc.json using solium --init, you can skip this step, since Solium automatically applies the security plugin for you.

Add "security" to the plugins array of your .soliumrc.json. Your configuration file should look like:

{
    "extends": "solium:all",
    "plugins": ["security"],
    "rules": {
        ...
    }
}

List of rules

Below are the rules supplied by this plugin, the options each one accepts (with their defaults), and whether the rule can auto-fix the code it reports.

Some rules aren't always desirable and are therefore disabled by default (marked OFF below). To use them, enable them explicitly in your .soliumrc.json.

Name | Description | Options | Defaults | Fixes
---- | ----------- | ------- | -------- | -----
no-throw | Discourage use of 'throw' statement for error flagging | | | YES
no-tx-origin | Discourage use of 'tx.origin' global variable | | |
enforce-explicit-visibility | Encourage user to explicitly specify visibility of function | | | YES
no-block-members | Discourage use of members 'blockhash' & 'timestamp' (and alias 'now') of 'block' global variable | List of members to warn against | "blockhash", "timestamp" |
no-call-value | Discourage use of .call.value()() | | |
no-assign-params | Disallow assigning to function parameters | | |
no-fixed | Disallow fixed point types | | |
no-inline-assembly | Discourage use of inline assembly | | |
no-low-level-calls | Discourage the use of low-level functions - call(), callcode() & delegatecall() | List of functions to warn against | "call", "callcode", "delegatecall" |
no-modify-for-iter-var | Discourage user to modify a for loop iteration counting variable in the loop body | | |
no-send | Discourage the use of unsafe method 'send' | | |
no-sha3 | Encourage use of 'keccak256()' over 'sha3()' function | | | YES
no-unreachable-code | Disallow unreachable code | | |
OFF else-after-elseif | Encourage user to use else statement after else-if statement | | |
OFF enforce-loop-bounds | Encourage use of loops with fixed bounds | | |
OFF enforce-placeholder-last | Enforce that the function placeholder is the last statement in the modifier | | |
OFF return-at-end | Discourage use of early returns in functions | | |
OFF one-break-per-loop | Discourage use of multiple breaks in while/for/do loops | | |
OFF max-statements-in-func | Enforce upper limit on number of statements inside a function | Maximum number of statements | 25 |
OFF no-abstract-func | Discourage use of abstract functions | | |
OFF no-bit-operations | Disallow bitwise operations | | |
OFF no-continue | Discourage use of 'continue' statement | | |
OFF no-inheritance | Discourage use of inheritance | Disallow interface inheritance | { "no-interface": false } |
OFF no-multiple-inheritance | Discourage use of multiple inheritance | Disallow interface inheritance | { "no-interface": false } |
OFF no-named-params | Disallow named function parameters | | |
OFF no-named-returns | Discourage use of named returns in functions | | |
OFF 256-bit-ints-only | Disallow non-256 bit integers | | |
OFF no-suicide-or-selfdestruct | Disallow suicide and selfdestruct | | |
OFF no-var | Disallow type deduction via var | | |
OFF no-user-defined-modifiers | Disallow user-defined modifiers | | |
OFF no-void-returns | Discourage use of void returns in function prototypes | | |
OFF no-func-overriding | Discourage function overriding | | |

An example .soliumrc.json configuring and applying this plugin is:

{
    "plugins": ["security"],
    "rules": {
        "some-other-solium-rule": 1,
        "security/no-low-level-calls": ["error", ["call", "delegatecall"]],
        "security/no-block-members": [1, ["timestamp"]],
        "security/no-throw": "off"
    }
}

This tells Solium to apply the three security/ rules with the configuration given and to apply the remaining rules of the plugin with their default configurations. A plugin rule stays active unless you explicitly disable it inside rules, as security/no-throw is above.

Lint normally using solium -d contracts/ or solium -d contracts/ --fix to apply fixes as well.

Developer Setup

  • git clone <URL-of-this-repo>
  • cd solium-plugin-security
  • npm install --dev
  • npm link
  • npm link solium-plugin-security
  • npm test

If you'd also like to use your development build of this plugin with a development build of Solium, go to Solium's directory and run npm link solium-plugin-security. This makes Solium load your modified plugin instead of its pre-installed security module.
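As an added example (not code from this plugin or from Solium), the following sketches what a rule in this plugin's style looks like, using the not-yet-implemented check-send-result from the roadmap as the subject: it reports a send() call whose boolean result is thrown away, which is the unchecked-send hazard behind the no-send rule listed above. The rule shape ({ meta, create(context) } returning a map of node type to handler, handlers calling context.report) is stated here as an assumption about Solium's plugin API, the ESTree-style node type names are assumed to match what solparse emits, and the AST fragments are hand-built so the block runs without Solium installed.

```javascript
"use strict";

// Added example, not this plugin's own code. A Solium-style rule that
// flags a send() call whose boolean result is discarded (the
// check-send-result idea from the roadmap), plus a tiny walker so it
// runs here without Solium installed.
//
// Assumptions (not taken from the page): a Solium rule exports
// { meta, create(context) }; create() returns a map of AST node type to
// handler(emitted), where emitted.node is the node and emitted.exit is
// true on the way back up; handlers call context.report({ node, message }).
// Node type names follow ESTree, as solparse output is assumed to.

const checkSendResult = {
    meta: {
        docs: {
            recommended: true,
            type: "error",
            description: "Ensure the boolean result of send() is checked",
        },
        schema: [],
    },

    create(context) {
        function isSendCall(node) {
            return Boolean(node) &&
                node.type === "CallExpression" &&
                node.callee.type === "MemberExpression" &&
                node.callee.property.type === "Identifier" &&
                node.callee.property.name === "send";
        }

        // `x.send(v);` as a bare statement drops the false-on-failure
        // result; inside require() or an if-test it is consumed, so the
        // rule keys only on ExpressionStatement nodes.
        function inspectExpressionStatement(emitted) {
            if (emitted.exit) { return; }
            const stmt = emitted.node;
            if (isSendCall(stmt.expression)) {
                context.report({
                    node: stmt,
                    message: "Result of send() is not checked; wrap it in " +
                        "require() or use transfer()",
                });
            }
        }

        return { ExpressionStatement: inspectExpressionStatement };
    },
};

// Stand-in for Solium's traversal and reporting: depth-first walk that
// calls a rule's handler on entry and exit of each matching node.
function lintAst(ast, rule) {
    const reports = [];
    const handlers = rule.create({ report: r => reports.push(r) });

    function walk(node) {
        if (!node || typeof node.type !== "string") { return; }
        const handler = handlers[node.type];
        if (handler) { handler({ node, exit: false }); }
        for (const key of Object.keys(node)) {
            const child = node[key];
            if (Array.isArray(child)) { child.forEach(walk); }
            else if (child && typeof child === "object") { walk(child); }
        }
        if (handler) { handler({ node, exit: true }); }
    }

    walk(ast);
    return reports;
}

// Hand-built AST fragments (constructed for this example) standing in for
// parser output of the Solidity function bodies shown in the comments.
const ident = name => ({ type: "Identifier", name });
const member = (obj, prop) => ({ type: "MemberExpression", object: ident(obj), property: ident(prop) });
const call = (callee, args) => ({ type: "CallExpression", callee, arguments: args });
const exprStmt = expression => ({ type: "ExpressionStatement", expression });
const block = body => ({ type: "BlockStatement", body });

// { owner.send(balance); }                 -> result dropped, reported
const uncheckedBody = block([exprStmt(call(member("owner", "send"), [ident("balance")]))]);

// { require(owner.send(balance)); }        -> result consumed, clean
const checkedBody = block([exprStmt(call(ident("require"), [call(member("owner", "send"), [ident("balance")])]))]);

// { if (!owner.send(balance)) throw; }     -> 0.4-era check, clean
const throwOnFailBody = block([{
    type: "IfStatement",
    test: { type: "UnaryExpression", operator: "!", argument: call(member("owner", "send"), [ident("balance")]) },
    consequent: { type: "ThrowStatement" },
}]);

for (const [label, body] of [["unchecked", uncheckedBody], ["require", checkedBody], ["if/throw", throwOnFailBody]]) {
    console.log(label + ": " + lintAst(body, checkSendResult).length + " finding(s)");
}
```

A real rule would be dropped into the plugin's rules directory and exercised with npm test; the walker here only exists so the rule's logic can be read and run in isolation.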

Access Solium's Developer Docs

Roadmap

  • Add automated tests
  • Refine rule enforce-explicit-visibility
  • Add more security rules

Security rules to be implemented

  • no-multiple-send-calls
  • check-send-result

Access the complete Solium documentation