eslint-plugin-security 1.3.0 → 1.4.0

package/CHANGELOG.md

@@ -0,0 +1,34 @@
+1.4.0 / 2017-06-12
+==================
+  
+  * Add recommended ruleset to the usage example
+  * Removes filenames from error output
+  
+1.3.0 / 2017-02-09
+==================
+
+  * README.md - document detect-disable-mustache-escape rule
+  * README.md - documentation detect-new-buffer rule
+  * Fixed crash with `detect-no-csrf-before-method-override` rule.
+  * Style guide applied to all the code involving the tests
+  * Removing a repeated test and style changes
+  * ESLint added to the workflow
+  * Removed not needed variables
+  * Fix to a problem with a rule detected implementing the tests
+  * Test engine with tests for all the rules
+  * Add additional information to README for each rule
+
+1.2.0 / 2016-01-21
+==================
+
+  * updated to check for new RegExp too
+
+1.1.0 / 2016-01-06
+==================
+
+  * adding eslint rule to detect new buffer hotspot
+
+1.0.0 / 2015-11-15
+==================
+
+  * rules disabled by default

package/README.md

@@ -15,6 +15,9 @@ Add the following to your `.eslintrc` file:
 ```js
 "plugins": [
   "security"
+],
+"extends": [
+  "plugin:security/recommended"
 ]
 ```
 
@@ -94,7 +97,7 @@ More information: http://www.bennadel.com/blog/2169-where-does-node-js-and-requi
 
 Detects `variable[key]` as a left- or right-hand assignment operand.
 
-More information: https://blog.liftsecurity.io/2015/01/15/the-dangers-of-square-bracket-notation
+More information: https://blog.liftsecurity.io/2015/01/14/the-dangers-of-square-bracket-notation/
 
 #### `detect-possible-timing-attacks`
 

package/index.js

@@ -34,5 +34,27 @@ module.exports = {
     'detect-disable-mustache-escape': 0,
     'detect-object-injection': 0,
     'detect-new-buffer': 0
+  },
+  configs: {
+    recommended: {
+      plugins: [
+        'security'
+      ],
+      rules: {
+        'security/detect-buffer-noassert': 'warn',
+        'security/detect-child-process': 'warn',
+        'security/detect-disable-mustache-escape': 'warn',
+        'security/detect-eval-with-expression': 'warn',
+        'security/detect-new-buffer': 'warn',
+        'security/detect-no-csrf-before-method-override': 'warn',
+        'security/detect-non-literal-fs-filename': 'warn',
+        'security/detect-non-literal-regexp': 'warn',
+        'security/detect-non-literal-require': 'warn',
+        'security/detect-object-injection': 'warn',
+        'security/detect-possible-timing-attacks': 'warn',
+        'security/detect-pseudoRandomBytes': 'warn',
+        'security/detect-unsafe-regex': 'warn'
+      }
+    }
   }
 };

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
+    "changelog": "changelog eslint-plugin-security all > CHANGELOG.md",
     "test": "./node_modules/.bin/mocha test/**/*",
     "lint": "./node_modules/.bin/eslint .",
     "cont-int": "npm test && npm run-script lint"
@@ -27,6 +28,7 @@
     "safe-regex": "^1.1.0"
   },
   "devDependencies": {
+    "changelog": "1.3.0",
     "eslint": "^2.10.1",
     "eslint-config-nodesecurity": "^1.3.1",
     "mocha": "^2.4.5"

package/rules/detect-buffer-noassert.js

@@ -47,11 +47,6 @@ module.exports = function(context) {
         "writeDoubleBE"
     ];
 
-
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             var index;
@@ -63,7 +58,7 @@ module.exports = function(context) {
 
             if (index && node.parent && node.parent.arguments && node.parent.arguments[index] &&  node.parent.arguments[index].value) {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'Found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
+                return context.report(node, 'Found Buffer.' + node.property.name + ' with noAssert flag set true');
                 
             }
         }

package/rules/detect-child-process.js

@@ -13,10 +13,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "CallExpression": function (node) {
             var token = context.getTokens(node)[0];
@@ -28,7 +24,7 @@ module.exports = function(context) {
                     } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
                         names.push(node.parent.left.name);
                     }
-                    return context.report(node, 'Found require("child_process")\n\t' + getSource(token));
+                    return context.report(node, 'Found require("child_process")');
                 }
             }
         },
@@ -36,7 +32,7 @@ module.exports = function(context) {
             var token = context.getTokens(node)[0];
             if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
                 if (node.parent && node.parent.arguments  && node.parent.arguments[0].type !== 'Literal') {
-                    return context.report(node, 'Found child_process.exec() with non Literal first argument\n\t' + getSource(token));
+                    return context.report(node, 'Found child_process.exec() with non Literal first argument');
                 }
             }
         }

package/rules/detect-new-buffer.js

@@ -1,11 +1,4 @@
 module.exports = function (context) {
-
-    var getSource = function (node) {
-        var token = context.getTokens(node)[0];
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
-
     // Detects instances of new Buffer(argument)
     // where argument is any non literal value.
     return {
@@ -14,7 +7,7 @@ module.exports = function (context) {
           node.arguments[0] &&
           node.arguments[0].type != 'Literal') {
 
-          return context.report(node, "Found new Buffer\n\t" + getSource(node));
+          return context.report(node, "Found new Buffer");
         }
 
 

package/rules/detect-non-literal-fs-filename.js

@@ -15,10 +15,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             var result = [];
@@ -36,13 +32,13 @@ module.exports = function(context) {
 
             if (result.length > 0) {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'Found fs.' + node.property.name + ' with non literal argument at index ' + result.join(',') + '\n\t' + getSource(token));
+                return context.report(node, 'Found fs.' + node.property.name + ' with non literal argument at index ' + result.join(','));
             }
 
 
             /*
             if (node.parent && node.parent.arguments && node.parent.arguments[index].value) {
-                return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
+                return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true');
 
             }
             */

package/rules/detect-non-literal-regexp.js

@@ -12,16 +12,13 @@ module.exports = function(context) {
 
         "use strict";
 
-        var getSource = function(token) {
-                return token.loc.start.line + ':  ' + context.getSourceLines().slice(token.loc.start.line - 1, token.loc.end.line).join('\n\t');
-        }
         return {
                 "NewExpression": function(node) {
                         if (node.callee.name === 'RegExp') {
                                 var args = node.arguments;
                                 if (args && args.length > 0 && args[0].type !== 'Literal') {
                                         var token = context.getTokens(node)[0];
-                                        return context.report(node, 'Found non-literal argument to RegExp Constructor\n\t' + getSource(token));
+                                        return context.report(node, 'Found non-literal argument to RegExp Constructor');
                                 }
                         }
 

package/rules/detect-non-literal-require.js

@@ -11,17 +11,13 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "CallExpression": function (node) {
             if (node.callee.name === 'require') {
                 var args = node.arguments;
                 if (args && args.length > 0 && args[0].type !== 'Literal') {
                     var token = context.getTokens(node)[0];
-                    return context.report(node, 'Found non-literal argument in require\n\t' + getSource(token));
+                    return context.report(node, 'Found non-literal argument in require');
                 }
             }
 

package/rules/detect-object-injection.js

@@ -59,13 +59,13 @@ var isChanged = false;
                     var token = context.getTokens(node)[0];
                     if (node.property.type === 'Identifier') {
                         if (node.parent.type === 'VariableDeclarator') {
-   context.report(node, 'Variable Assigned to Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+   context.report(node, 'Variable Assigned to Object Injection Sink');
     
                         } else if (node.parent.type === 'CallExpression') {
                         //    console.log(node.parent)
-  context.report(node, 'Function Call Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+  context.report(node, 'Function Call Object Injection Sink');
                         } else {
-                        context.report(node, 'Generic Object Injection Sink: ' + context.getFilename() + ': ' + token.loc.start.line+ '\n\t' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t') + '\n\n');
+                        context.report(node, 'Generic Object Injection Sink');
     
                         }
 

package/rules/detect-possible-timing-attacks.js

@@ -32,10 +32,6 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "IfStatement": function(node) {
             if (node.test && node.test.type === 'BinaryExpression') {
@@ -46,14 +42,14 @@ module.exports = function(context) {
                     if (node.test.left) {
                     var left = containsKeyword(node.test.left);
                         if (left) {
-                            return context.report(node, "Potential timing attack, left side: " + left + '\n\t' + getSource(token));
+                            return context.report(node, "Potential timing attack, left side: " + left);
                         }
                     }
 
                     if (node.test.right) {
                     var right = containsKeyword(node.test.right);
                         if (right) {
-                            return context.report(node, "Potential timing attack, right side: " + right + '\n\t' + getSource(token));
+                            return context.report(node, "Potential timing attack, right side: " + right);
                         }
                     }
                 }

package/rules/detect-pseudoRandomBytes.js

@@ -11,15 +11,11 @@ module.exports = function(context) {
 
     "use strict";
 
-    var getSource = function (token) {
-        return token.loc.start.line+ ':  ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
-    }
-
     return {
         "MemberExpression": function (node) {
             if (node.property.name === 'pseudoRandomBytes') {
                 var token = context.getTokens(node)[0];
-                return context.report(node, 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers:\n\t' + getSource(token));
+                return context.report(node, 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers');
             }
         }
 

package/test/detect-buffer-noassert.js

@@ -14,7 +14,7 @@ tester.run(ruleName, Rule, {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found Buffer.readUInt8 with noAssert flag set true:\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found Buffer.readUInt8 with noAssert flag set true' }]
     }
   ]
 });
@@ -24,7 +24,7 @@ tester.run(`${ruleName} (false)`, Rule, {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found Buffer.readUInt8 with noAssert flag set true:\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found Buffer.readUInt8 with noAssert flag set true' }]
     }
   ]
 });

package/test/detect-child-process.js

@@ -16,7 +16,7 @@ tester.run(`${ruleName} (require("child_process"))`, Rule, {
   invalid: [
     {
       code: invalidRequire,
-      errors: [{ message: `Found require("child_process")\n\t1:  ${invalidRequire}` }]
+      errors: [{ message: 'Found require("child_process")' }]
     }
   ]
 });
@@ -28,8 +28,8 @@ tester.run(`${ruleName} (child_process.exec() wih non literal 1st arg.)`, Rule,
     {
       code: invalidExec,
       errors: [
-        { message: `Found require("child_process")\n\t1:  ${invalidExec}` },
-        { message: `Found child_process.exec() with non Literal first argument\n\t1:  ${invalidExec}` }]
+        { message: 'Found require("child_process")' },
+        { message: 'Found child_process.exec() with non Literal first argument' }]
     }
   ]
 });

package/test/detect-new-buffer.js

@@ -12,7 +12,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found new Buffer\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found new Buffer' }]
     }
   ]
 });

package/test/detect-non-literal-fs-filename.js

@@ -13,7 +13,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found fs.open with non literal argument at index 0\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found fs.open with non literal argument at index 0' }]
     }
   ]
 });

package/test/detect-non-literal-regexp.js

@@ -12,7 +12,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found non-literal argument to RegExp Constructor\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found non-literal argument to RegExp Constructor' }]
     }
   ]
 });

package/test/detect-non-literal-require.js

@@ -12,7 +12,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found non-literal argument in require\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found non-literal argument in require' }]
     }
   ]
 });

package/test/detect-object-injection.js

@@ -19,7 +19,7 @@ const invalidGeneric = 'var a = {}; a[b] = 4';
 //   invalid: [
 //     {
 //       code: invalidVariable,
-//       errors: [{ message: `Variable Assigned to Object Injection Sink: <input>: 1\n\t${invalidVariable}\n\n` }]
+//       errors: [{ message: 'Variable Assigned to Object Injection Sink' }]
 //     }
 //   ]
 // });
@@ -41,7 +41,7 @@ tester.run(`${ruleName} (Generic)`, Rule, {
   invalid: [
     {
       code: invalidGeneric,
-      errors: [{ message: `Generic Object Injection Sink: <input>: 1\n\t${invalidGeneric}\n\n` }]
+      errors: [{ message: 'Generic Object Injection Sink' }]
     }
   ]
 });

package/test/detect-possible-timing-attacks.js

@@ -19,7 +19,7 @@ tester.run(`${ruleName} (left side)`, Rule, {
   invalid: [
     {
       code: invalidLeft,
-      errors: [{ message: `Potential timing attack, left side: true\n\t1:  ${invalidLeft}` }]
+      errors: [{ message: 'Potential timing attack, left side: true' }]
     }
   ]
 });
@@ -30,7 +30,7 @@ tester.run(`${ruleName} (right side)`, Rule, {
   invalid: [
     {
       code: invalidRigth,
-      errors: [{ message: `Potential timing attack, right side: true\n\t1:  ${invalidRigth}` }]
+      errors: [{ message: 'Potential timing attack, right side: true' }]
     }
   ]
 });

package/test/detect-pseudoRandomBytes.js

@@ -12,7 +12,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: invalid,
-      errors: [{ message: `Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers:\n\t1:  ${invalid}` }]
+      errors: [{ message: 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers' }]
     }
   ]
 });