eslint-plugin-security 1.2.0 → 1.5.0

package/rules/detect-non-literal-regexp.js

@@ -3,29 +3,32 @@
  * @author Jon Lamendola
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-
-module.exports = function(context) {
-
-        "use strict";
-
-        var getSource = function(token) {
-                return token.loc.start.line + ':  ' + context.getSourceLines().slice(token.loc.start.line - 1, token.loc.end.line).join('\n\t');
-        }
-        return {
-                "CallExpression": function(node) {
-                        if (node.callee.name === 'RegExp') {
-                                var args = node.arguments;
-                                if (args && args.length > 0 && args[0].type !== 'Literal') {
-                                        var token = context.getTokens(node)[0];
-                                        return context.report(node, 'found non-literal argument to RegExp Constructor\n\t' + getSource(token));
-                                }
-                        }
-
-                }
-
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/regular-expression-dos-and-node.md',
+    },
+  },
+  create: function (context) {
+    return {
+      NewExpression: function (node) {
+        if (node.callee.name === 'RegExp') {
+          const args = node.arguments;
+          if (args && args.length > 0 && args[0].type !== 'Literal') {
+            return context.report(node, 'Found non-literal argument to RegExp Constructor');
+          }
         }
-}
+      },
+    };
+  },
+};

package/rules/detect-non-literal-require.js

@@ -1,33 +1,37 @@
 /**
  * Tries to detect calls to require with non-literal argument
- * @author Adam Baldwin 
+ * @author Adam Baldwin
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-module.exports = function(context) {
-
-    "use strict";
-
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. ',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-non-literal-require',
+    },
+  },
+  create: function (context) {
     return {
-        "CallExpression": function (node) {
-            if (node.callee.name === 'require') {
-                var args = node.arguments;
-                if (args && args.length > 0 && args[0].type !== 'Literal') {
-                    var token = context.getTokens(node)[0];
-                    return context.report(node, 'found non-literal argument in require\n\t' + getSource(token));
-                }
-            }
-
+      CallExpression: function (node) {
+        if (node.callee.name === 'require') {
+          const args = node.arguments;
+          if (
+            (args && args.length > 0 && args[0].type === 'TemplateLiteral' && args[0].expressions.length > 0) ||
+            (args[0].type !== 'TemplateLiteral' && args[0].type !== 'Literal')
+          ) {
+            return context.report(node, 'Found non-literal argument in require');
+          }
         }
-
+      },
     };
-
+  },
 };
-

package/rules/detect-object-injection.js

@@ -3,77 +3,79 @@
  * @author Jon Lamendola
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-var Sinks = [];
-function getSerialize (fn, decycle) {
-  var seen = [], keys = [];
-  decycle = decycle || function(key, value) {
-    return '[Circular ' + getPath(value, seen, keys) + ']'
-  };
-  return function(key, value) {
-    var ret = value;
+const getPath = (value, seen, keys) => {
+  let index = seen.indexOf(value);
+  const path = [keys[index]];
+  for (index--; index >= 0; index--) {
+    if (seen[index][path[0]] === value) {
+      value = seen[index];
+      path.unshift(keys[index]);
+    }
+  }
+  return `~${path.join('.')}`;
+};
+
+const getSerialize = (fn, decycle) => {
+  const seen = [];
+  const keys = [];
+  decycle =
+    decycle ||
+    function (key, value) {
+      return `[Circular ${getPath(value, seen, keys)}]`;
+    };
+  return function (key, value) {
+    let ret = value;
     if (typeof value === 'object' && value) {
-      if (seen.indexOf(value) !== -1)
+      if (seen.indexOf(value) !== -1) {
         ret = decycle(key, value);
-      else {
+      } else {
         seen.push(value);
         keys.push(key);
       }
     }
-    if (fn) ret = fn(key, ret);
-    return ret;
-  }
-}
-
-function getPath (value, seen, keys) {
-  var index = seen.indexOf(value);
-  var path = [ keys[index] ];
-  for (index--; index >= 0; index--) {
-    if (seen[index][ path[0] ] === value) {
-      value = seen[index];
-      path.unshift(keys[index]);
+    if (fn) {
+      ret = fn(key, ret);
     }
-  }
-  return '~' + path.join('.');
-}
+    return ret;
+  };
+};
 
-function stringify(obj, fn, spaces, decycle) {
+const stringify = (obj, fn, spaces, decycle) => {
   return JSON.stringify(obj, getSerialize(fn, decycle), spaces);
-}
-
-stringify.getSerialize = getSerialize;module.exports = function(context) {
-
-        "use strict";
-
-var isChanged = false;
-
-
-
-        return {
-            "MemberExpression": function(node) {
-
-                if (node.computed === true) {
-                    var token = context.getTokens(node)[0];
-                    if (node.property.type === 'Identifier') {
-                        if (node.parent.type === 'VariableDeclarator') {
-   context.report(node, 'Variable Assigned to Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
-    
-                        } else if (node.parent.type === 'CallExpression') {
-                        //    console.log(node.parent)
-  context.report(node, 'Function Call Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
-                        } else {
-                        context.report(node, 'Generic Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
-    
-                        }
-
-                    }
-                }
+};
 
+stringify.getSerialize = getSerialize;
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects "variable[key]" as a left- or right-hand assignment operand.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/the-dangers-of-square-bracket-notation.md',
+    },
+  },
+  create: function (context) {
+    return {
+      MemberExpression: function (node) {
+        if (node.computed === true) {
+          if (node.property.type === 'Identifier') {
+            if (node.parent.type === 'VariableDeclarator') {
+              context.report(node, 'Variable Assigned to Object Injection Sink');
+            } else if (node.parent.type === 'CallExpression') {
+              context.report(node, 'Function Call Object Injection Sink');
+            } else {
+              context.report(node, 'Generic Object Injection Sink');
             }
-
-        };
-    }
-
+          }
+        }
+      },
+    };
+  },
+};

package/rules/detect-possible-timing-attacks.js

@@ -3,62 +3,56 @@
  * @author Adam Baldwin / Jon Lamendola
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-var keywords = '((' + [
-    'password',
-    'secret',
-    'api',
-    'apiKey',
-    'token',
-    'auth',
-    'pass',
-    'hash'
-].join(')|(') + '))';
-
-var re = new RegExp('^' + keywords + '$', 'im');
-
-function containsKeyword (node) {
-    if (node.type === 'Identifier') {
-        if (re.test(node.name))
-            return true;
-        }
-        return
-}
-
-module.exports = function(context) {
+const keywords = `((${['password', 'secret', 'api', 'apiKey', 'token', 'auth', 'pass', 'hash'].join(')|(')}))`;
 
-    "use strict";
+const re = new RegExp(`^${keywords}$`, 'im');
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
+const containsKeyword = (node) => {
+  if (node.type === 'Identifier') {
+    if (re.test(node.name)) {
+      return true;
     }
+  }
+  return;
+};
 
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-possible-timing-attacks'
+    }
+  },
+  create: function (context) {
     return {
-        "IfStatement": function(node) {
-            if (node.test && node.test.type === 'BinaryExpression') {
-                if (node.test.operator === '==' || node.test.operator === '===' || node.test.operator === '!=' || node.test.operator === '!==') {
-
-                    var token = context.getTokens(node)[0];
-
-                    if (node.test.left) {
-                    var left = containsKeyword(node.test.left);
-                        if (left) {
-                            return context.report(node, "Potential timing attack, left side: " + left + '\n\t' + getSource(token));
-                        }
-                    }
+      IfStatement: function (node) {
+        if (node.test && node.test.type === 'BinaryExpression') {
+          if (node.test.operator === '==' || node.test.operator === '===' || node.test.operator === '!=' || node.test.operator === '!==') {
+            if (node.test.left) {
+              const left = containsKeyword(node.test.left);
+              if (left) {
+                return context.report(node, `Potential timing attack, left side: ${left}`);
+              }
+            }
 
-                    if (node.test.right) {
-                    var right = containsKeyword(node.test.right);
-                        if (right) {
-                            return context.report(node, "Potential timing attack, right side: " + right + '\n\t' + getSource(token));
-                        }
-                    }
-                }
+            if (node.test.right) {
+              const right = containsKeyword(node.test.right);
+              if (right) {
+                return context.report(node, `Potential timing attack, right side: ${right}`);
+              }
             }
+          }
         }
+      }
     };
-
+  }
 };

package/rules/detect-pseudoRandomBytes.js

@@ -3,26 +3,29 @@
  * @author Adam Baldwin
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-module.exports = function(context) {
-
-    "use strict";
-
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-pseudorandombytes',
+    },
+  },
+  create: function (context) {
     return {
-        "MemberExpression": function (node) {
-            if (node.property.name === 'pseudoRandomBytes') {
-                var token = context.getTokens(node)[0];
-                return context.report(node, 'found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers:\n\t' + getSource(token));
-            }
+      MemberExpression: function (node) {
+        if (node.property.name === 'pseudoRandomBytes') {
+          return context.report(node, 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers');
         }
-
+      },
     };
-
+  },
 };

package/rules/detect-unsafe-regex.js

@@ -1,37 +1,50 @@
-var safe = require('safe-regex');
 /**
  * Check if the regex is evil or not using the safe-regex module
  * @author Adam Baldwin
  */
 
+'use strict';
+
+//-----------------------------------------------------------------------------
+// Requirements
+//-----------------------------------------------------------------------------
+
+const safe = require('safe-regex');
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-module.exports = function(context) {
-
-    "use strict";
-
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/regular-expression-dos-and-node.md'
+    }
+  },
+  create: function (context) {
     return {
-        "Literal": function(node) {
-            var token = context.getTokens(node)[0],
-                nodeType = token.type,
-                nodeValue = token.value;
+      Literal: function (node) {
+        const token = context.getTokens(node)[0];
+        const nodeType = token.type;
+        const nodeValue = token.value;
 
-            if (nodeType === "RegularExpression") {
-                if (!safe(nodeValue)) {
-                    context.report(node, "Unsafe Regular Expression");
-                }
-            }
-        },
-        "NewExpression": function(node) {
-            if (node.callee.name == "RegExp" && node.arguments && node.arguments.length > 0 && node.arguments[0].type == "Literal") {
-                if (!safe(node.arguments[0].value)) {
-                    context.report(node, "Unsafe Regular Expression (new RegExp)");
-                }
-            }
+        if (nodeType === 'RegularExpression') {
+          if (!safe(nodeValue)) {
+            context.report(node, 'Unsafe Regular Expression');
+          }
+        }
+      },
+      NewExpression: function (node) {
+        if (node.callee.name === 'RegExp' && node.arguments && node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
+          if (!safe(node.arguments[0].value)) {
+            context.report(node, 'Unsafe Regular Expression (new RegExp)');
+          }
         }
+      }
     };
-
+  }
 };
-

package/test/detect-buffer-noassert.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-buffer-noassert';
+const rule = require(`../rules/${ruleName}`);
+
+const allMethodNames = [...rule.meta.__methodsToCheck.read, ...rule.meta.__methodsToCheck.write];
+
+tester.run(ruleName, rule, {
+  valid: [...allMethodNames.map((methodName) => `a.${methodName}(0)`), ...allMethodNames.map((methodName) => `a.${methodName}(0, false)`)],
+  invalid: [
+    ...rule.meta.__methodsToCheck.read.map((methodName) => ({
+      code: `a.${methodName}(0, true)`,
+      errors: [{ message: `Found Buffer.${methodName} with noAssert flag set true` }],
+    })),
+
+    ...rule.meta.__methodsToCheck.write.map((methodName) => ({
+      code: `a.${methodName}(0, 0, true)`,
+      errors: [{ message: `Found Buffer.${methodName} with noAssert flag set true` }],
+    })),
+
+    // hard-coded test to ensure #63 is fixed
+    {
+      code: 'a.readDoubleLE(0, true);',
+      errors: [{ message: 'Found Buffer.readDoubleLE with noAssert flag set true' }],
+    },
+  ],
+});

package/test/detect-child-process.js

@@ -0,0 +1,25 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-child-process';
+const rule = require(`../rules/${ruleName}`);
+
+tester.run(ruleName, rule, {
+  valid: ["child_process.exec('ls')"],
+  invalid: [
+    {
+      code: "require('child_process')",
+      errors: [{ message: 'Found require("child_process")' }],
+    },
+    {
+      code: "var child = require('child_process'); child.exec(com)",
+      errors: [{ message: 'Found require("child_process")' }, { message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "var child = require('child_process'); child.exec()",
+      errors: [{ message: 'Found require("child_process")' }],
+    },
+  ],
+});

package/test/detect-disable-mustache-escape.js

@@ -0,0 +1,16 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-disable-mustache-escape';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'escapeMarkup = false' }],
+  invalid: [
+    {
+      code: 'a.escapeMarkup = false',
+      errors: [{ message: 'Markup escaping disabled.' }]
+    }
+  ]
+});

package/test/detect-eval-with-expression.js

@@ -0,0 +1,16 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-eval-with-expression';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'eval(\'alert()\')' }],
+  invalid: [
+    {
+      code: 'eval(a);',
+      errors: [{ message: 'eval with argument of type Identifier' }]
+    }
+  ]
+});

package/test/detect-new-buffer.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-new-buffer';
+const invalid = 'var a = new Buffer(c)';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = new Buffer(\'test\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found new Buffer' }]
+    }
+  ]
+});

package/test/detect-no-csrf-before-method-override.js

@@ -0,0 +1,16 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-no-csrf-before-method-override';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'express.methodOverride();express.csrf()' }],
+  invalid: [
+    {
+      code: 'express.csrf();express.methodOverride()',
+      errors: [{ message: 'express.csrf() middleware found before express.methodOverride()' }]
+    }
+  ]
+});

package/test/detect-non-literal-fs-filename.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const invalid = 'var a = fs.open(c)';
+
+const ruleName = 'detect-non-literal-fs-filename';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = fs.open(\'test\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found fs.open with non literal argument at index 0' }]
+    }
+  ]
+});

package/test/detect-non-literal-regexp.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-non-literal-regexp';
+const invalid = 'var a = new RegExp(c, \'i\')';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = new RegExp(\'ab+c\', \'i\')' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found non-literal argument to RegExp Constructor' }]
+    }
+  ]
+});

package/test/detect-non-literal-require.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+
+const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
+
+const ruleName = 'detect-non-literal-require';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'var a = require(\'b\')' }, { code: 'var a = require(`b`)' }],
+  invalid: [
+    {
+      code: 'var a = require(c)',
+      errors: [{ message: 'Found non-literal argument in require' }]
+    },
+    {
+      code: 'var a = require(`${c}`)',
+      errors: [{ message: 'Found non-literal argument in require' }]
+    }
+  ]
+});