
eslint-plugin-security

Owner: eslint-community | Downloads: 2.3m | License: Apache-2.0 | Version: 3.0.1 | TypeScript support: definitely-typed

Security rules for eslint

Keywords: eslint, security, nodesecurity

readme

eslint-plugin-security


ESLint rules for Node Security

This project helps identify potential security hotspots, but it produces many false positives that need triage by a human: treat each finding as a prompt for review, not as a confirmed vulnerability.

Installation

npm install --save-dev eslint-plugin-security

or

yarn add --dev eslint-plugin-security

Usage

Flat config (requires eslint >= v8.23.0)

Add the following to your eslint.config.js file:

const pluginSecurity = require('eslint-plugin-security');

module.exports = [pluginSecurity.configs.recommended];

eslintrc config (deprecated)

Add the following to your .eslintrc file:

module.exports = {
  extends: ['plugin:security/recommended-legacy'],
};

Developer guide

  • Use GitHub pull requests.
  • Conventions:
      • We use our custom ESLint setup.
      • Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
        npm run-script cont-int

Tests

npm test

Rules

⚠️ Configurations in which the rule is set to warn. ✅ Set in the recommended configuration.

Name | Description | ⚠️
detect-bidi-characters | Detects trojan source attacks that employ Unicode bidi control characters to inject malicious code. | ✅
detect-buffer-noassert | Detects calls to "buffer" with the "noAssert" flag set. | ✅
detect-child-process | Detects instances of "child_process" and non-literal "exec()" calls. | ✅
detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅
detect-eval-with-expression | Detects "eval(variable)", which can allow an attacker to run arbitrary code inside your process. | ✅
detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅
detect-no-csrf-before-method-override | Detects Express "csrf" middleware set up before "method-override" middleware. | ✅
detect-non-literal-fs-filename | Detects a variable in the filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅
detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DoS your server with a long-running regular expression. | ✅
detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅
detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅
detect-possible-timing-attacks | Detects insecure comparisons (==, !=, !== and ===), which check input sequentially. | ✅
detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅
detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅

TypeScript support

Type definitions for this package are managed by DefinitelyTyped. Use @types/eslint-plugin-security for type checking.

npm install --save-dev @types/eslint-plugin-security

# OR

yarn add --dev @types/eslint-plugin-security

changelog

Changelog

3.0.1 (2024-06-13)

Bug Fixes

3.0.0 (2024-04-10)

⚠ BREAKING CHANGES

  • requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)

Features

  • requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)

Bug Fixes

  • Ensure everything works with ESLint v9 (#145) (ac50ab4)

2.1.1 (2024-02-14)

Bug Fixes

  • Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)

2.1.0 (2023-12-15)

Features

2.0.0 (2023-10-17)

⚠ BREAKING CHANGES

  • switch the recommended config to flat (#118)

Features

  • switch the recommended config to flat (#118) (e20a366)

1.7.1 (2023-02-02)

Bug Fixes

  • false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)

1.7.0 (2023-01-26)

Features

1.6.0 (2023-01-11)

Features

  • Add meta object documentation for all rules (#79) (fb1d9ef)
  • detect-bidi-characters rule (#95) (4294d29)
  • detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
  • extend detect non literal fs filename (#92) (08ba476)
  • non-literal-require: support template literals (#81) (208019b)

Bug Fixes

  • Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
  • Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
  • detect-child-process: false positive for destructuring with exec (#102) (657921a)
  • detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
  • Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80

1.5.0 / 2022-04-14

  • Fix avoid crash when exec() is passed no arguments Closes #82 with ref as #23
  • Fix incorrect method name in detect-buffer-noassert Closes #63 and #80
  • Clean up source code formatting Fixes #4 and closes #78
  • Add release script Script
  • Add non-literal require TemplateLiteral support #81
  • Add meta object documentation for all rules #79
  • Added Git pre-commit hook to format JS files Pre-commit hook
  • Added yarn installation method
  • Fix linting errors and step Lint errors, Lint step
  • Create workflows Check commit message on pull requests, Set up ci on main branch
  • Update test and lint commands to work cross-platform Commit
  • Merge pull request #47 from pdehaan/add-docs Add old liftsecurity blog posts to docs/ folder
  • Bumped up dependencies
  • Added package-lock.json
  • Fixed typos in README and documentation Replaced dead links in README

1.4.0 / 2017-06-12

  • 1.4.0
  • Stuff and things for 1.4.0 beep boop 🤖
  • Merge pull request #14 from travi/recommended-example Add recommended ruleset to the usage example
  • Merge pull request #19 from pdehaan/add-changelog Add basic CHANGELOG.md file
  • Merge pull request #17 from pdehaan/issue-16 Remove filename from error output
  • Add basic CHANGELOG.md file
  • Remove filename from error output
  • Add recommended ruleset to the usage example for #9
  • Merge pull request #10 from pdehaan/issue-9 Add 'plugin:security/recommended' config to plugin
  • Merge pull request #12 from tupaschoal/patch-1 Fix broken link for detect-object-injection
  • Fix broken link for detect-object-injection The current link leads to a 404 page, the new one is the proper page.
  • Add 'plugin:security/recommended' config to plugin

1.3.0 / 2017-02-09

  • 1.3.0
  • Merge branch 'scottnonnenberg-update-docs'
  • Fix merge conflicts because I can't figure out how to accept PRs in the right order
  • Merge pull request #7 from HamletDRC/patch-1 README.md - documentation detect-new-buffer rule
  • Merge pull request #8 from HamletDRC/patch-2 README.md - document detect-disable-mustache-escape rule
  • Merge pull request #3 from jesusprubio/master A bit of love
  • README.md - document detect-disable-mustache-escape rule
  • README.md - documentation detect-new-buffer rule
  • Merge pull request #6 from mathieumg/csrf-bug Fixed crash with detect-no-csrf-before-method-override rule
  • Fixed crash with detect-no-csrf-before-method-override rule.
  • Finishing last commit
  • Style guide applied to all the code involving the tests
  • Removing a repeated test and style changes
  • ESLint added to the workflow
  • Removed not needed variables
  • Fix to a problem with a rule detected implementing the tests
  • Test engine with tests for all the rules
  • Minor typos
  • A little bit of massage to readme intro
  • Add additional information to README for each rule

1.2.0 / 2016-01-21

  • 1.2.0
  • updated to check for new RegExp too

1.1.0 / 2016-01-06

  • 1.1.0
  • adding eslint rule to detect new buffer hotspot

1.0.0 / 2015-11-15

  • updated desc
  • rules disabled by default
  • update links
  • beep boop