eslint-plugin-security 1.0.0 → 1.4.0

package/.eslintrc

@@ -0,0 +1,3 @@
+{
+  "extends": "nodesecurity"
+}

package/CHANGELOG.md

@@ -0,0 +1,34 @@
+1.4.0 / 2017-06-12
+==================
+  
+  * Add recommended ruleset to the usage example
+  * Removes filenames from error output
+  
+1.3.0 / 2017-02-09
+==================
+
+  * README.md - document detect-disable-mustache-escape rule
+  * README.md - documentation detect-new-buffer rule
+  * Fixed crash with `detect-no-csrf-before-method-override` rule.
+  * Style guide applied to all the code involving the tests
+  * Removing a repeated test and style changes
+  * ESLint added to the workflow
+  * Removed not needed variables
+  * Fix to a problem with a rule detected implementing the tests
+  * Test engine with tests for all the rules
+  * Add additional information to README for each rule
+
+1.2.0 / 2016-01-21
+==================
+
+  * updated to check for new RegExp too
+
+1.1.0 / 2016-01-06
+==================
+
+  * adding eslint rule to detect new buffer hotspot
+
+1.0.0 / 2015-11-15
+==================
+
+  * rules disabled by default

package/README.md

@@ -1,7 +1,8 @@
 # eslint-plugin-security
+
 ESLint rules for Node Security
 
-Probably not something you want to just toss and leave in a project. It will help identify potential security hotspots, but finds a lot of false positives that needs triaged by a human.
+This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
 
 ### Installation
 
@@ -14,20 +15,98 @@ Add the following to your `.eslintrc` file:
 ```js
 "plugins": [
   "security"
+],
+"extends": [
+  "plugin:security/recommended"
 ]
 ```
+
+
+## Developer guide
+
+- Use [GitHub pull requests](https://help.github.com/articles/using-pull-requests).
+- Conventions:
+ - We use our [custom ESLint setup](https://github.com/nodesecurity/eslint-config-nodesecurity).
+ - Please implement a test for each new rule and use this command to be sure the new code respects the style guide and the tests keep passing:
+ ```sh
+ npm run-script cont-int
+ ```
+
+### Tests
+```sh
+npm test
+```
+
 ### Rules
 
-- `detect-unsafe-regex` - Locates potentially unsafe regular expressions
-- `detect-buffer-noassert` - Detects calls to buffer with noassert flag set
-- `detect-child-process` - Detects instances of child_process & non-literal cp.exec()
-- `detect-disable-mustache-escape` -
-- `detect-eval-with-expression` - Detects eval(var)
-- `detect-no-csrf-before-method-override` - Detects Express.csrf before method-override
-- `detect-non-literal-fs-filename` - Detects var in filename argument of fs calls
-- `detect-non-literal-regexp` - Detects RegExp(var)
-- `detect-non-literal-require` - Detects require(var)
-- `detect-object-injection` - Detects var[var]
-- `detect-possible-timing-attacks` - Detects insecure comparisons (== != !== ===)
-- `detect-pseudoRandomBytes` - Detects if pseudoRandomBytes() is in use
+#### `detect-unsafe-regex`
+
+Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.
+
+More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
+
+#### `detect-buffer-noassert`
+
+Detects calls to [`buffer`](https://nodejs.org/api/buffer.html) with `noAssert` flag set
+
+From the Node.js API docs: "Setting `noAssert` to true skips validation of the `offset`. This allows the `offset` to be beyond the end of the `Buffer`."
+
+#### `detect-child-process`
+
+Detects instances of [`child_process`](https://nodejs.org/api/child_process.html) & non-literal [`exec()`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
+
+More information: https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js
+
+#### `detect-disable-mustache-escape`
+
+Detects `object.escapeMarkup = false`, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.
+
+More information: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+
+#### `detect-eval-with-expression`
+
+Detects `eval(variable)` which can allow an attacker to run arbitary code inside your process.
+
+More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript
+
+#### `detect-no-csrf-before-method-override`
+
+Detects Express `csrf` middleware setup before `method-override` middleware. This can allow `GET` requests (which are not checked by `csrf`) to turn into `POST` requests later.
+
+More information: https://blog.liftsecurity.io/2013/09/07/bypass-connect-csrf-protection-by-abusing
+
+#### `detect-non-literal-fs-filename`
+
+Detects variable in filename argument of `fs` calls, which might allow an attacker to access anything on your system.
+
+More information: https://www.owasp.org/index.php/Path_Traversal
+
+#### `detect-non-literal-regexp`
+
+Detects `RegExp(variable)`, which might allow an attacker to DOS your server with a long-running regular expression.
+
+More information: https://blog.liftsecurity.io/2014/11/03/regular-expression-dos-and-node.js
+
+#### `detect-non-literal-require`
+
+Detects `require(variable)`, which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
+
+More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm
+
+#### `detect-object-injection`
+
+Detects `variable[key]` as a left- or right-hand assignment operand.
+
+More information: https://blog.liftsecurity.io/2015/01/14/the-dangers-of-square-bracket-notation/
+
+#### `detect-possible-timing-attacks`
+
+Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.
+
+More information: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
+
+#### `detect-pseudoRandomBytes`
+
+Detects if `pseudoRandomBytes()` is in use, which might not give you the randomness you need and expect.
 
+More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes

package/index.js

@@ -17,7 +17,8 @@ module.exports = {
     'detect-buffer-noassert': require('./rules/detect-buffer-noassert'),
     'detect-child-process': require('./rules/detect-child-process'),
     'detect-disable-mustache-escape': require('./rules/detect-disable-mustache-escape'),
-    'detect-object-injection': require('./rules/detect-object-injection')
+    'detect-object-injection': require('./rules/detect-object-injection'),
+    'detect-new-buffer': require('./rules/detect-new-buffer')
   },
   rulesConfig: {
     'detect-unsafe-regex': 0,
@@ -31,6 +32,29 @@ module.exports = {
     'detect-buffer-noassert': 0,
     'detect-child-process': 0,
     'detect-disable-mustache-escape': 0,
-    'detect-object-injection': 0
+    'detect-object-injection': 0,
+    'detect-new-buffer': 0
+  },
+  configs: {
+    recommended: {
+      plugins: [
+        'security'
+      ],
+      rules: {
+        'security/detect-buffer-noassert': 'warn',
+        'security/detect-child-process': 'warn',
+        'security/detect-disable-mustache-escape': 'warn',
+        'security/detect-eval-with-expression': 'warn',
+        'security/detect-new-buffer': 'warn',
+        'security/detect-no-csrf-before-method-override': 'warn',
+        'security/detect-non-literal-fs-filename': 'warn',
+        'security/detect-non-literal-regexp': 'warn',
+        'security/detect-non-literal-require': 'warn',
+        'security/detect-object-injection': 'warn',
+        'security/detect-possible-timing-attacks': 'warn',
+        'security/detect-pseudoRandomBytes': 'warn',
+        'security/detect-unsafe-regex': 'warn'
+      }
+    }
   }
 };

package/package.json

@@ -1,10 +1,13 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.0.0",
+  "version": "1.4.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "changelog": "changelog eslint-plugin-security all > CHANGELOG.md",
+    "test": "./node_modules/.bin/mocha test/**/*",
+    "lint": "./node_modules/.bin/eslint .",
+    "cont-int": "npm test && npm run-script lint"
   },
   "repository": {
     "type": "git",
@@ -25,6 +28,9 @@
     "safe-regex": "^1.1.0"
   },
   "devDependencies": {
-    "eslint": "^1.8.0"
+    "changelog": "1.3.0",
+    "eslint": "^2.10.1",
+    "eslint-config-nodesecurity": "^1.3.1",
+    "mocha": "^2.4.5"
   }
 }

package/rules/detect-buffer-noassert.js

@@ -47,11 +47,6 @@ module.exports = function(context) {
         "writeDoubleBE"
     ];
 
-
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             var index;
@@ -63,7 +58,7 @@ module.exports = function(context) {
 
             if (index && node.parent && node.parent.arguments && node.parent.arguments[index] &&  node.parent.arguments[index].value) {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
+                return context.report(node, 'Found Buffer.' + node.property.name + ' with noAssert flag set true');
                 
             }
         }

package/rules/detect-child-process.js

@@ -13,10 +13,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "CallExpression": function (node) {
             var token = context.getTokens(node)[0];
@@ -28,7 +24,7 @@ module.exports = function(context) {
                     } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
                         names.push(node.parent.left.name);
                     }
-                    return context.report(node, 'found require("child_process")\n\t' + getSource(token));
+                    return context.report(node, 'Found require("child_process")');
                 }
             }
         },
@@ -36,7 +32,7 @@ module.exports = function(context) {
             var token = context.getTokens(node)[0];
             if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
                 if (node.parent && node.parent.arguments  && node.parent.arguments[0].type !== 'Literal') {
-                    return context.report(node, 'found child_process.exec() with non Literal first argument\n\t' + getSource(token));
+                    return context.report(node, 'Found child_process.exec() with non Literal first argument');
                 }
             }
         }

package/rules/detect-new-buffer.js

@@ -0,0 +1,19 @@
+module.exports = function (context) {
+    // Detects instances of new Buffer(argument)
+    // where argument is any non literal value.
+    return {
+      "NewExpression": function (node) {
+        if (node.callee.name === 'Buffer' &&
+          node.arguments[0] &&
+          node.arguments[0].type != 'Literal') {
+
+          return context.report(node, "Found new Buffer");
+        }
+
+
+
+      }
+    };
+
+}
+

package/rules/detect-no-csrf-before-method-override.js

@@ -1,6 +1,6 @@
 /**
- * Check and see if CSRF middleware is before methodOverride 
- * @author Adam Baldwin 
+ * Check and see if CSRF middleware is before methodOverride
+ * @author Adam Baldwin
  */
 
 //------------------------------------------------------------------------------
@@ -20,6 +20,10 @@ module.exports = function(context) {
                 nodeValue = token.value;
 
             if (nodeValue === "express") {
+                if (!node.callee || !node.callee.property) {
+                    return;
+                }
+
                 if (node.callee.property.name === "methodOverride" && csrf) {
                     context.report(node, "express.csrf() middleware found before express.methodOverride()");
                 }

package/rules/detect-non-literal-fs-filename.js

@@ -15,10 +15,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             var result = [];
@@ -36,13 +32,13 @@ module.exports = function(context) {
 
             if (result.length > 0) {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'found fs.' + node.property.name + ' with non literal argument at index ' + result.join(',') + '\n\t' + getSource(token));
+                return context.report(node, 'Found fs.' + node.property.name + ' with non literal argument at index ' + result.join(','));
             }
 
 
             /*
             if (node.parent && node.parent.arguments && node.parent.arguments[index].value) {
-                return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
+                return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true');
 
             }
             */

package/rules/detect-non-literal-regexp.js

@@ -12,16 +12,13 @@ module.exports = function(context) {
 
         "use strict";
 
-        var getSource = function(token) {
-                return token.loc.start.line + ':  ' + context.getSourceLines().slice(token.loc.start.line - 1, token.loc.end.line).join('\n\t');
-        }
         return {
-                "CallExpression": function(node) {
+                "NewExpression": function(node) {
                         if (node.callee.name === 'RegExp') {
                                 var args = node.arguments;
                                 if (args && args.length > 0 && args[0].type !== 'Literal') {
                                         var token = context.getTokens(node)[0];
-                                        return context.report(node, 'found non-literal argument to RegExp Constructor\n\t' + getSource(token));
+                                        return context.report(node, 'Found non-literal argument to RegExp Constructor');
                                 }
                         }
 

package/rules/detect-non-literal-require.js

@@ -11,17 +11,13 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "CallExpression": function (node) {
             if (node.callee.name === 'require') {
                 var args = node.arguments;
                 if (args && args.length > 0 && args[0].type !== 'Literal') {
                     var token = context.getTokens(node)[0];
-                    return context.report(node, 'found non-literal argument in require\n\t' + getSource(token));
+                    return context.report(node, 'Found non-literal argument in require');
                 }
             }
 

package/rules/detect-object-injection.js

@@ -59,13 +59,13 @@ var isChanged = false;
                     var token = context.getTokens(node)[0];
                     if (node.property.type === 'Identifier') {
                         if (node.parent.type === 'VariableDeclarator') {
-   context.report(node, 'Variable Assigned to Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+   context.report(node, 'Variable Assigned to Object Injection Sink');
     
                         } else if (node.parent.type === 'CallExpression') {
                         //    console.log(node.parent)
-  context.report(node, 'Function Call Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+  context.report(node, 'Function Call Object Injection Sink');
                         } else {
-                        context.report(node, 'Generic Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+                        context.report(node, 'Generic Object Injection Sink');
     
                         }
 

package/rules/detect-possible-timing-attacks.js

@@ -32,10 +32,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "IfStatement": function(node) {
             if (node.test && node.test.type === 'BinaryExpression') {
@@ -46,14 +42,14 @@ module.exports = function(context) {
                     if (node.test.left) {
                     var left = containsKeyword(node.test.left);
                         if (left) {
-                            return context.report(node, "Potential timing attack, left side: " + left + '\n\t' + getSource(token));
+                            return context.report(node, "Potential timing attack, left side: " + left);
                         }
                     }
 
                     if (node.test.right) {
                     var right = containsKeyword(node.test.right);
                         if (right) {
-                            return context.report(node, "Potential timing attack, right side: " + right + '\n\t' + getSource(token));
+                            return context.report(node, "Potential timing attack, right side: " + right);
                         }
                     }
                 }

package/rules/detect-pseudoRandomBytes.js

@@ -11,15 +11,11 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             if (node.property.name === 'pseudoRandomBytes') {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers:\n\t' + getSource(token));
+                return context.report(node, 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers');
             }
         }
 

package/rules/detect-unsafe-regex.js

@@ -1,7 +1,7 @@
 var safe = require('safe-regex');
 /**
  * Check if the regex is evil or not using the safe-regex module
- * @author Adam Baldwin 
+ * @author Adam Baldwin
  */
 
 //------------------------------------------------------------------------------
@@ -11,9 +11,6 @@ var safe = require('safe-regex');
 module.exports = function(context) {
 
     "use strict";
-    var getSource = function(token) {
-            return token.loc.start.line + ':  ' + context.getSourceLines().slice(token.loc.start.line - 1, token.loc.end.line).join('\n\t');
-    }
 
     return {
         "Literal": function(node) {
@@ -23,7 +20,14 @@ module.exports = function(context) {
 
             if (nodeType === "RegularExpression") {
                 if (!safe(nodeValue)) {
-                    context.report(node, "Unsafe Regular Expression\n" + getSource(token));
+                    context.report(node, "Unsafe Regular Expression");
+                }
+            }
+        },
+        "NewExpression": function(node) {
+            if (node.callee.name == "RegExp" && node.arguments && node.arguments.length > 0 && node.arguments[0].type == "Literal") {
+                if (!safe(node.arguments[0].value)) {
+                    context.report(node, "Unsafe Regular Expression (new RegExp)");
                 }
             }
         }

package/test/detect-buffer-noassert.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-buffer-noassert';
+const Rule = require(`../rules/${ruleName}`);
+
+const invalid = 'a.readUInt8(0, true);';
+
+
+tester.run(ruleName, Rule, {
+  valid: [{ code: 'a.readUInt8(0);' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found Buffer.readUInt8 with noAssert flag set true' }]
+    }
+  ]
+});
+
+tester.run(`${ruleName} (false)`, Rule, {
+  valid: [{ code: 'a.readUInt8(0, false);' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found Buffer.readUInt8 with noAssert flag set true' }]
+    }
+  ]
+});

package/test/detect-child-process.js

@@ -0,0 +1,35 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-child-process';
+const Rule = require(`../rules/${ruleName}`);
+
+const valid = 'child_process.exec(\'ls\')';
+const invalidRequire = 'require(\'child_process\')';
+const invalidExec = 'var child = require(\'child_process\'); child.exec(com)';
+
+
+tester.run(`${ruleName} (require("child_process"))`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidRequire,
+      errors: [{ message: 'Found require("child_process")' }]
+    }
+  ]
+});
+
+
+tester.run(`${ruleName} (child_process.exec() wih non literal 1st arg.)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidExec,
+      errors: [
+        { message: 'Found require("child_process")' },
+        { message: 'Found child_process.exec() with non Literal first argument' }]
+    }
+  ]
+});

package/test/detect-disable-mustache-escape.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-disable-mustache-escape';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'escapeMarkup = false' }],
+  invalid: [
+    {
+      code: 'a.escapeMarkup = false',
+      errors: [{ message: 'Markup escaping disabled.' }]
+    }
+  ]
+});

package/test/detect-eval-with-expression.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-eval-with-expression';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'eval(\'alert()\')' }],
+  invalid: [
+    {
+      code: 'eval(a);',
+      errors: [{ message: 'eval with argument of type Identifier' }]
+    }
+  ]
+});

package/test/detect-new-buffer.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-new-buffer';
+const invalid = 'var a = new Buffer(c)';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = new Buffer(\'test\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found new Buffer' }]
+    }
+  ]
+});

package/test/detect-no-csrf-before-method-override.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-no-csrf-before-method-override';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'express.methodOverride();express.csrf()' }],
+  invalid: [
+    {
+      code: 'express.csrf();express.methodOverride()',
+      errors: [{ message: 'express.csrf() middleware found before express.methodOverride()' }]
+    }
+  ]
+});

package/test/detect-non-literal-fs-filename.js

@@ -0,0 +1,19 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const invalid = 'var a = fs.open(c)';
+
+const ruleName = 'detect-non-literal-fs-filename';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = fs.open(\'test\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found fs.open with non literal argument at index 0' }]
+    }
+  ]
+});

package/test/detect-non-literal-regexp.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-non-literal-regexp';
+const invalid = 'var a = new RegExp(c, \'i\')';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = new RegExp(\'ab+c\', \'i\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found non-literal argument to RegExp Constructor' }]
+    }
+  ]
+});

package/test/detect-non-literal-require.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-non-literal-require';
+const invalid = 'var a = require(c)';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = require(\'b\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found non-literal argument in require' }]
+    }
+  ]
+});

package/test/detect-object-injection.js

@@ -0,0 +1,47 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-object-injection';
+
+const Rule = require(`../rules/${ruleName}`);
+
+const valid = 'var a = {};';
+// const invalidVariable = "TODO";
+// const invalidFunction = "TODO";
+const invalidGeneric = 'var a = {}; a[b] = 4';
+
+
+// TODO
+// tester.run(`${ruleName} (Variable Assigned to)`, Rule, {
+//   valid: [{ code: valid }],
+//   invalid: [
+//     {
+//       code: invalidVariable,
+//       errors: [{ message: 'Variable Assigned to Object Injection Sink' }]
+//     }
+//   ]
+// });
+//
+//
+// tester.run(`${ruleName} (Function)`, Rule, {
+//   valid: [{ code: valid }],
+//   invalid: [
+//     {
+//       code: invalidFunction,
+//       errors: [{ message: `Variable Assigned to Object Injection Sink: <input>: 1\n\t${invalidFunction}\n\n` }]
+//     }
+//   ]
+// });
+
+
+tester.run(`${ruleName} (Generic)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidGeneric,
+      errors: [{ message: 'Generic Object Injection Sink' }]
+    }
+  ]
+});

package/test/detect-possible-timing-attacks.js

@@ -0,0 +1,36 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-possible-timing-attacks';
+const Rule = require(`../rules/${ruleName}`);
+
+const valid = 'if (age === 5) {}';
+const invalidLeft = 'if (password === \'mypass\') {}';
+const invalidRigth = 'if (\'mypass\' === password) {}';
+
+
+// We only check with one string "password" and operator "==="
+// to KISS.
+
+tester.run(`${ruleName} (left side)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidLeft,
+      errors: [{ message: 'Potential timing attack, left side: true' }]
+    }
+  ]
+});
+
+
+tester.run(`${ruleName} (right side)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidRigth,
+      errors: [{ message: 'Potential timing attack, right side: true' }]
+    }
+  ]
+});

package/test/detect-pseudoRandomBytes.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-pseudoRandomBytes';
+const invalid = 'crypto.pseudoRandomBytes';
+
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'crypto.randomBytes' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers' }]
+    }
+  ]
+});

package/test/detect-unsafe-regexp.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-unsafe-regex';
+const Rule = require(`../rules/${ruleName}`);
+
+
+tester.run(ruleName, Rule, {
+  valid: [{ code: '/^\d+1337\d+$/' }],
+  invalid: [
+    {
+      code: '/(x+x+)+y/',
+      errors: [{ message: 'Unsafe Regular Expression' }]
+    }
+  ]
+});
+
+
+tester.run(`${ruleName} (new RegExp)`, Rule, {
+  valid: [{ code: 'new RegExp(\'^\d+1337\d+$\')' }],
+  invalid: [
+    {
+      code: 'new RegExp(\'x+x+)+y\')',
+      errors: [{ message: 'Unsafe Regular Expression (new RegExp)' }]
+    }
+  ]
+});