eslint-plugin-security 1.4.0 → 1.6.0

package/.eslint-doc-generatorrc.js

@@ -0,0 +1,9 @@
+const { format } = require('prettier');
+const prettierRC = require('./.prettierrc.json');
+
+/** @type {import('eslint-doc-generator').GenerateOptions} */
+const config = {
+  postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
+};
+
+module.exports = config;

package/.eslintrc

@@ -1,3 +1,31 @@
 {
-  "extends": "nodesecurity"
+  "extends": ["eslint:recommended", "prettier", "plugin:eslint-plugin/recommended"],
+  "parserOptions": {
+    "ecmaVersion": "latest"
+  },
+  "env": {
+    "node": true,
+    "es2020": true
+  },
+  "rules": {
+    "eslint-plugin/prefer-message-ids": "off", // TODO: enable
+    "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
+    "eslint-plugin/require-meta-docs-url": [
+      "error",
+      {
+        "pattern": "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md"
+      }
+    ],
+    "eslint-plugin/require-meta-schema": "off", // TODO: enable
+    "eslint-plugin/require-meta-type": "off" // TODO: enable
+  },
+  "overrides": [
+    {
+      "files": ["test/**/*.js"],
+      "globals": {
+        "describe": "readonly",
+        "it": "readonly"
+      }
+    }
+  ]
 }

package/.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,85 @@
+name: "\U0001F41E Report a problem"
+description: 'Report an issue with a rule'
+title: 'Bug: (fill in)'
+labels:
+  - bug
+  - 'repro:needed'
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What version of eslint-plugin-security are you using?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: ESLint Environment
+      description: |
+        Please tell us about how you're running ESLint (Run `npx eslint --env-info`.)
+      value: |
+        Node version: 
+        npm version: 
+        Local ESLint version: 
+        Global ESLint version: 
+        Operating System:
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What parser are you using?
+      description: |
+        Please keep in mind that some problems are parser-specific.
+      options:
+        - 'Default (Espree)'
+        - '@typescript-eslint/parser'
+        - '@babel/eslint-parser'
+        - 'vue-eslint-parser'
+        - '@angular-eslint/template-parser'
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        Please include a *minimal* reproduction case. If possible, include a link to a reproduction of the problem in the [ESLint demo](https://eslint.org/demo). Otherwise, include source code, configuration file(s), and any other information about how you're using ESLint. You can use Markdown in this field.
+      value: |
+        <details>
+        <summary>Configuration</summary>
+
+        ```
+        <!-- Paste your configuration here -->
+        ```
+        </details>
+
+        ```js
+        <!-- Paste your code here -->
+        ```
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you expect to happen?
+      description: |
+        You can use Markdown in this field.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What actually happened?
+      description: |
+        Please copy-paste the actual ESLint output. You can use Markdown in this field.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request for this issue.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/ISSUE_TEMPLATE/new-rule.yml

@@ -0,0 +1,39 @@
+name: "\U0001F680 Propose a new  rule"
+description: 'Propose a new rule to be added to the plugin'
+title: 'New Rule: (fill in)'
+labels:
+  - rule
+  - feature
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: Rule details
+      description: What should the new rule do?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Related CVE
+      description: We only accept new rules that have a published [CVE](https://www.redhat.com/en/topics/security/what-is-cve).
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example JavaScript code that this rule will warn about. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this rule.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/ISSUE_TEMPLATE/rule-change.yml

@@ -0,0 +1,61 @@
+name: "\U0001F4DD Request a rule change"
+description: 'Request a change to an existing rule'
+title: 'Rule Change: (fill in)'
+labels:
+  - enhancement
+  - rule
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What rule do you want to change?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What change to do you want to make?
+      options:
+        - Generate more warnings
+        - Generate fewer warnings
+        - Implement autofix
+        - Implement suggestions
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: How do you think the change should be implemented?
+      options:
+        - A new option
+        - A new default behavior
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example code that this change will affect. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What does the rule currently do for this code?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What will the rule do after it's changed?
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this change.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/workflows/ci.yml

@@ -0,0 +1,55 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16.x'
+
+      - name: Install Packages
+        run: npm install
+
+      - name: Lint Files
+        run: npm run lint
+
+  test:
+    name: Test
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
+        include:
+          - os: windows-latest
+            node: '16.x'
+          - os: macOS-latest
+            node: '16.x'
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Install Packages
+        run: npm install
+
+      - name: Test
+        run: npm test

package/.github/workflows/pr.yml

@@ -0,0 +1,19 @@
+name: Pull Request Titles
+on: pull_request
+
+jobs:
+  conventional:
+    name: Conventional PR
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
+      - uses: beemojs/conventional-pr-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          config-preset: angular

package/.github/workflows/release-please.yml

@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - main
+name: release-please
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GoogleCloudPlatform/release-please-action@v2
+        id: release
+        with:
+          release-type: node
+          package-name: test-release-please
+      # The logic below handles the npm publication:
+      - uses: actions/checkout@v3
+        # these if statements ensure that a publication only occurs when
+        # a new release is created:
+        if: ${{ steps.release.outputs.release_created }}
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          registry-url: 'https://registry.npmjs.org'
+        if: ${{ steps.release.outputs.release_created }}
+      - run: npm ci
+        if: ${{ steps.release.outputs.release_created }}
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+        if: ${{ steps.release.outputs.release_created }}
+
+      # Tweets out release announcement
+      - run: 'npx @humanwhocodes/tweet "${{ github.event.repository.full_name }} v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }} has been released!\n\n${{ github.event.repository.html_url }}/releases/tag/v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}"'
+        if: ${{ steps.release.outputs.release_created }}
+        env:
+          TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
+          TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}
+          TWITTER_ACCESS_TOKEN_KEY: ${{ secrets.TWITTER_ACCESS_TOKEN_KEY }}
+          TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}

package/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "line-length": false,
+  "no-inline-html": { "allowed_elements": ["kbd"] }
+}

package/.markdownlintignore

@@ -0,0 +1,3 @@
+CHANGELOG.md
+LICENSE
+node_modules

package/.prettierrc.json

@@ -0,0 +1,7 @@
+{
+  "trailingComma": "es5",
+  "tabWidth": 2,
+  "semi": true,
+  "singleQuote": true,
+  "printWidth": 180
+}

package/CHANGELOG.md

@@ -1,34 +1,114 @@
-1.4.0 / 2017-06-12
-==================
-  
-  * Add recommended ruleset to the usage example
-  * Removes filenames from error output
-  
-1.3.0 / 2017-02-09
-==================
-
-  * README.md - document detect-disable-mustache-escape rule
-  * README.md - documentation detect-new-buffer rule
-  * Fixed crash with `detect-no-csrf-before-method-override` rule.
-  * Style guide applied to all the code involving the tests
-  * Removing a repeated test and style changes
-  * ESLint added to the workflow
-  * Removed not needed variables
-  * Fix to a problem with a rule detected implementing the tests
-  * Test engine with tests for all the rules
-  * Add additional information to README for each rule
-
-1.2.0 / 2016-01-21
-==================
-
-  * updated to check for new RegExp too
-
-1.1.0 / 2016-01-06
-==================
-
-  * adding eslint rule to detect new buffer hotspot
-
-1.0.0 / 2015-11-15
-==================
-
-  * rules disabled by default
+# Changelog
+
+## [1.6.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.5.0...v1.6.0) (2023-01-11)
+
+### Features
+
+* Add meta object documentation for all rules ([#79](https://www.github.com/eslint-community/eslint-plugin-security/issues/79)) ([fb1d9ef](https://www.github.com/eslint-community/eslint-plugin-security/commit/fb1d9ef56e0cf2705b9e413b483261df394c45e1))
+* detect-bidi-characters rule ([#95](https://www.github.com/eslint-community/eslint-plugin-security/issues/95)) ([4294d29](https://www.github.com/eslint-community/eslint-plugin-security/commit/4294d29cca8af5c627de759919add6dd698644ba))
+* **detect-non-literal-fs-filename:** change to track non-top-level `require()` as well ([#105](https://www.github.com/eslint-community/eslint-plugin-security/issues/105)) ([d3b1543](https://www.github.com/eslint-community/eslint-plugin-security/commit/d3b15435b45b9ac2ee5f0d3249f590e32369d7d2))
+* extend detect non literal fs filename ([#92](https://www.github.com/eslint-community/eslint-plugin-security/issues/92)) ([08ba476](https://www.github.com/eslint-community/eslint-plugin-security/commit/08ba4764a83761f6f44cb28940923f1d25f88581))
+* **non-literal-require:** support template literals ([#81](https://www.github.com/eslint-community/eslint-plugin-security/issues/81)) ([208019b](https://www.github.com/eslint-community/eslint-plugin-security/commit/208019bad4f70a142ab1f0ea7238c37cb70d1a5a))
+
+### Bug Fixes
+
+* Avoid crash when exec() is passed no arguments ([7f97815](https://www.github.com/eslint-community/eslint-plugin-security/commit/7f97815accf6bcd87de73c32a967946b1b3b0530)), closes [#82](https://www.github.com/eslint-community/eslint-plugin-security/issues/82) [#23](https://www.github.com/eslint-community/eslint-plugin-security/issues/23)
+* Avoid TypeError when exec stub is used with no arguments ([#97](https://www.github.com/eslint-community/eslint-plugin-security/issues/97)) ([9c18f16](https://www.github.com/eslint-community/eslint-plugin-security/commit/9c18f16187719b58cc5dfde9860344bad823db28))
+* **detect-child-process:** false positive for destructuring with `exec` ([#102](https://www.github.com/eslint-community/eslint-plugin-security/issues/102)) ([657921a](https://www.github.com/eslint-community/eslint-plugin-security/commit/657921a93f6f73c0de6113e497b22e7cf079f520))
+* **detect-child-process:** false positives for destructuring `spawn` ([#103](https://www.github.com/eslint-community/eslint-plugin-security/issues/103)) ([fdfe37d](https://www.github.com/eslint-community/eslint-plugin-security/commit/fdfe37d667367e5fd228c26573a1791c81a044d2))
+* Incorrect method name in detect-buffer-noassert. ([313c0c6](https://www.github.com/eslint-community/eslint-plugin-security/commit/313c0c693f48aa85d0c9b65a46f6c620cd10f907)), closes [#63](https://www.github.com/eslint-community/eslint-plugin-security/issues/63) [#80](https://www.github.com/eslint-community/eslint-plugin-security/issues/80)
+
+## 1.5.0 / 2022-04-14
+
+- Fix avoid crash when exec() is passed no arguments
+  Closes [#82](https://github.com/nodesecurity/eslint-plugin-security/pull/82) with ref as [#23](https://github.com/nodesecurity/eslint-plugin-security/pull/23)
+- Fix incorrect method name in detect-buffer-noassert
+  Closes [#63](https://github.com/nodesecurity/eslint-plugin-security/pull/63) and [#80](https://github.com/nodesecurity/eslint-plugin-security/pull/80)
+- Clean up source code formatting
+  Fixes [#4](https://github.com/nodesecurity/eslint-plugin-security/issues/4) and closes [#78](https://github.com/nodesecurity/eslint-plugin-security/pull/78)
+- Add release script
+  [Script](https://github.com/nodesecurity/eslint-plugin-security/commit/0a6631ea448eb0031af7b351c85b3aa298c2e44c)
+- Add non-literal require TemplateLiteral support [#81](https://github.com/nodesecurity/eslint-plugin-security/pull/81)
+- Add meta object documentation for all rules [#79](https://github.com/nodesecurity/eslint-plugin-security/pull/79)
+- Added Git pre-commit hook to format JS files
+  [Pre-commit hook](https://github.com/nodesecurity/eslint-plugin-security/commit/e2ae2ee9ef214ca6d8f69fbcc438d230fda2bf97)
+- Added yarn installation method
+- Fix linting errors and step
+  [Lint errors](https://github.com/nodesecurity/eslint-plugin-security/commit/1258118c2d07722e9fb388a672b287bb43bc73b3), [Lint step](https://github.com/nodesecurity/eslint-plugin-security/commit/84f3ed3ab88427753c7ac047d0bccbe557f28aa5)
+- Create workflows
+  Check commit message on pull requests, Set up ci on main branch
+- Update test and lint commands to work cross-platform
+  [Commit](https://github.com/nodesecurity/eslint-plugin-security/commit/d3d8e7a27894aa3f83b560f530eb49750e9ee19a)
+- Merge pull request [#47](https://github.com/nodesecurity/eslint-plugin-security/pull/47) from pdehaan/add-docs
+  Add old liftsecurity blog posts to docs/ folder
+- Bumped up dependencies
+- Added `package-lock.json`
+- Fixed typos in README and documentation
+  Replaced dead links in README
+
+## 1.4.0 / 2017-06-12
+
+- 1.4.0
+- Stuff and things for 1.4.0 beep boop 🤖
+- Merge pull request [#14](https://github.com/nodesecurity/eslint-plugin-security/issues/14) from travi/recommended-example
+  Add recommended ruleset to the usage example
+- Merge pull request [#19](https://github.com/nodesecurity/eslint-plugin-security/issues/19) from pdehaan/add-changelog
+  Add basic CHANGELOG.md file
+- Merge pull request [#17](https://github.com/nodesecurity/eslint-plugin-security/issues/17) from pdehaan/issue-16
+  Remove filename from error output
+- Add basic CHANGELOG.md file
+- Remove filename from error output
+- Add recommended ruleset to the usage example
+  for [#9](https://github.com/nodesecurity/eslint-plugin-security/issues/9)
+- Merge pull request [#10](https://github.com/nodesecurity/eslint-plugin-security/issues/10) from pdehaan/issue-9
+  Add 'plugin:security/recommended' config to plugin
+- Merge pull request [#12](https://github.com/nodesecurity/eslint-plugin-security/issues/12) from tupaschoal/patch-1
+  Fix broken link for detect-object-injection
+- Fix broken link for detect-object-injection
+  The current link leads to a 404 page, the new one is the proper page.
+- Add 'plugin:security/recommended' config to plugin
+
+## 1.3.0 / 2017-02-09
+
+- 1.3.0
+- Merge branch 'scottnonnenberg-update-docs'
+- Fix merge conflicts because I can't figure out how to accept pr's in the right order
+- Merge pull request [#7](https://github.com/nodesecurity/eslint-plugin-security/issues/7) from HamletDRC/patch-1
+  README.md - documentation detect-new-buffer rule
+- Merge pull request [#8](https://github.com/nodesecurity/eslint-plugin-security/issues/8) from HamletDRC/patch-2
+  README.md - document detect-disable-mustache-escape rule
+- Merge pull request [#3](https://github.com/nodesecurity/eslint-plugin-security/issues/3) from jesusprubio/master
+  A bit of love
+- README.md - document detect-disable-mustache-escape rule
+- README.md - documentation detect-new-buffer rule
+- Merge pull request [#6](https://github.com/nodesecurity/eslint-plugin-security/issues/6) from mathieumg/csrf-bug
+  Fixed crash with `detect-no-csrf-before-method-override` rule
+- Fixed crash with `detect-no-csrf-before-method-override` rule.
+- Finishing last commit
+- Style guide applied to all the code involving the tests
+- Removing a repeated test and style changes
+- ESLint added to the workflow
+- Removed not needed variables
+- Fix to a problem with a rule detected implementing the tests
+- Test engine with tests for all the rules
+- Minor typos
+- A little bit of massage to readme intro
+- Add additional information to README for each rule
+
+
+## 1.2.0 / 2016-01-21
+
+- 1.2.0
+- updated to check for new RegExp too
+
+## 1.1.0 / 2016-01-06
+
+- 1.1.0
+- adding eslint rule to detect new buffer hotspot
+
+## 1.0.0 / 2015-11-15
+
+- updated desc
+- rules disabled by default
+- update links
+- beep boop