eslint-plugin-security 1.2.0 → 1.5.0

package/test/detect-object-injection.js

@@ -0,0 +1,45 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-object-injection';
+
+const Rule = require(`../rules/${ruleName}`);
+
+const valid = 'var a = {};';
+// const invalidVariable = "TODO";
+// const invalidFunction = "TODO";
+const invalidGeneric = 'var a = {}; a[b] = 4';
+
+// TODO
+// tester.run(`${ruleName} (Variable Assigned to)`, Rule, {
+//   valid: [{ code: valid }],
+//   invalid: [
+//     {
+//       code: invalidVariable,
+//       errors: [{ message: 'Variable Assigned to Object Injection Sink' }]
+//     }
+//   ]
+// });
+//
+//
+// tester.run(`${ruleName} (Function)`, Rule, {
+//   valid: [{ code: valid }],
+//   invalid: [
+//     {
+//       code: invalidFunction,
+//       errors: [{ message: `Variable Assigned to Object Injection Sink: <input>: 1\n\t${invalidFunction}\n\n` }]
+//     }
+//   ]
+// });
+
+tester.run(`${ruleName} (Generic)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidGeneric,
+      errors: [{ message: 'Generic Object Injection Sink' }]
+    }
+  ]
+});

package/test/detect-possible-timing-attacks.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-possible-timing-attacks';
+const Rule = require(`../rules/${ruleName}`);
+
+const valid = 'if (age === 5) {}';
+const invalidLeft = 'if (password === \'mypass\') {}';
+const invalidRigth = 'if (\'mypass\' === password) {}';
+
+// We only check with one string "password" and operator "==="
+// to KISS.
+
+tester.run(`${ruleName} (left side)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidLeft,
+      errors: [{ message: 'Potential timing attack, left side: true' }]
+    }
+  ]
+});
+
+tester.run(`${ruleName} (right side)`, Rule, {
+  valid: [{ code: valid }],
+  invalid: [
+    {
+      code: invalidRigth,
+      errors: [{ message: 'Potential timing attack, right side: true' }]
+    }
+  ]
+});

package/test/detect-pseudoRandomBytes.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-pseudoRandomBytes';
+const invalid = 'crypto.pseudoRandomBytes';
+
+tester.run(ruleName, require(`../rules/${ruleName}`), {
+  valid: [{ code: 'crypto.randomBytes' }],
+  invalid: [
+    {
+      code: invalid,
+      errors: [{ message: 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers' }]
+    }
+  ]
+});

package/test/detect-unsafe-regexp.js

@@ -0,0 +1,27 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-unsafe-regex';
+const Rule = require(`../rules/${ruleName}`);
+
+tester.run(ruleName, Rule, {
+  valid: [{ code: '/^d+1337d+$/' }],
+  invalid: [
+    {
+      code: '/(x+x+)+y/',
+      errors: [{ message: 'Unsafe Regular Expression' }]
+    }
+  ]
+});
+
+tester.run(`${ruleName} (new RegExp)`, Rule, {
+  valid: [{ code: 'new RegExp(\'^d+1337d+$\')' }],
+  invalid: [
+    {
+      code: 'new RegExp(\'x+x+)+y\')',
+      errors: [{ message: 'Unsafe Regular Expression (new RegExp)' }]
+    }
+  ]
+});

package/.npmignore

@@ -1 +0,0 @@
-node_modules