eslint-plugin-security 1.4.0 → 1.6.0

package/index.js

@@ -18,7 +18,8 @@ module.exports = {
     'detect-child-process': require('./rules/detect-child-process'),
     'detect-disable-mustache-escape': require('./rules/detect-disable-mustache-escape'),
     'detect-object-injection': require('./rules/detect-object-injection'),
-    'detect-new-buffer': require('./rules/detect-new-buffer')
+    'detect-new-buffer': require('./rules/detect-new-buffer'),
+    'detect-bidi-characters': require('./rules/detect-bidi-characters'),
   },
   rulesConfig: {
     'detect-unsafe-regex': 0,
@@ -33,13 +34,12 @@ module.exports = {
     'detect-child-process': 0,
     'detect-disable-mustache-escape': 0,
     'detect-object-injection': 0,
-    'detect-new-buffer': 0
+    'detect-new-buffer': 0,
+    'detect-bidi-characters': 0,
   },
   configs: {
     recommended: {
-      plugins: [
-        'security'
-      ],
+      plugins: ['security'],
       rules: {
         'security/detect-buffer-noassert': 'warn',
         'security/detect-child-process': 'warn',
@@ -53,8 +53,9 @@ module.exports = {
         'security/detect-object-injection': 'warn',
         'security/detect-possible-timing-attacks': 'warn',
         'security/detect-pseudoRandomBytes': 'warn',
-        'security/detect-unsafe-regex': 'warn'
-      }
-    }
-  }
+        'security/detect-unsafe-regex': 'warn',
+        'security/detect-bidi-characters': 'warn',
+      },
+    },
+  },
 };

package/package.json

@@ -1,13 +1,20 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
     "changelog": "changelog eslint-plugin-security all > CHANGELOG.md",
-    "test": "./node_modules/.bin/mocha test/**/*",
-    "lint": "./node_modules/.bin/eslint .",
-    "cont-int": "npm test && npm run-script lint"
+    "cont-int": "npm test && npm run lint",
+    "format": "prettier --write .",
+    "lint": "npm-run-all \"lint:*\"",
+    "lint:docs": "markdownlint \"**/*.md\"",
+    "lint:eslint-docs": "npm run update:eslint-docs -- --check",
+    "lint:js": "eslint .",
+    "lint:js:fix": "npm run lint:js -- --fix",
+    "release": "npx semantic-release",
+    "test": "mocha test/**",
+    "update:eslint-docs": "eslint-doc-generator"
   },
   "repository": {
     "type": "git",
@@ -24,13 +31,33 @@
     "url": "https://github.com/nodesecurity/eslint-plugin-security/issues"
   },
   "homepage": "https://github.com/nodesecurity/eslint-plugin-security#readme",
+  "gitHooks": {
+    "pre-commit": "lint-staged"
+  },
+  "lint-staged": {
+    "*.js": [
+      "prettier --write",
+      "eslint --fix"
+    ],
+    "*.md": "prettier --write",
+    "*.yml": "prettier --write"
+  },
   "dependencies": {
-    "safe-regex": "^1.1.0"
+    "safe-regex": "^2.1.1"
   },
   "devDependencies": {
     "changelog": "1.3.0",
-    "eslint": "^2.10.1",
+    "eslint": "^8.11.0",
     "eslint-config-nodesecurity": "^1.3.1",
-    "mocha": "^2.4.5"
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-doc-generator": "^1.0.2",
+    "eslint-plugin-eslint-plugin": "^5.0.2",
+    "lint-staged": "^12.3.7",
+    "markdownlint-cli": "^0.32.2",
+    "mocha": "^9.2.2",
+    "npm-run-all": "^4.1.5",
+    "prettier": "^2.6.2",
+    "semantic-release": "^19.0.2",
+    "yorkie": "^2.0.0"
   }
 }

package/rules/detect-bidi-characters.js

@@ -0,0 +1,101 @@
+/**
+ * Detect trojan source attacks that employ unicode bidi attacks to inject malicious code
+ * @author Luciamo Mammino
+ * @author Simone Sanfratello
+ * @author Liran Tal
+ */
+
+'use strict';
+
+const dangerousBidiCharsRegexp = /[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]/gu;
+
+/**
+ * Detects all the dangerous bidi characters in a given source text
+ *
+ * @param {object} options - Options
+ * @param {string} options.sourceText - The source text to search for dangerous bidi characters
+ * @param {number} options.firstLineOffset - The offset of the first line in the source text
+ * @returns {Array<{line: number, column: number}>} - An array of reports, each report is an
+ *    object with the line and column of the dangerous character
+ */
+function detectBidiCharacters({ sourceText, firstLineOffset }) {
+  const sourceTextToSearch = sourceText.toString();
+
+  const lines = sourceTextToSearch.split(/\r?\n/);
+
+  return lines.reduce((reports, line, lineIndex) => {
+    let match;
+    let offset = lineIndex == 0 ? firstLineOffset : 0;
+
+    while ((match = dangerousBidiCharsRegexp.exec(line)) !== null) {
+      reports.push({ line: lineIndex, column: offset + match.index });
+    }
+
+    return reports;
+  }, []);
+}
+
+function report({ context, node, tokens, message, firstLineOffset }) {
+  if (!tokens || !Array.isArray(tokens)) {
+    return;
+  }
+  tokens.forEach((token) => {
+    const reports = detectBidiCharacters({ sourceText: token.value, firstLineOffset: token.loc.start.column + firstLineOffset });
+
+    reports.forEach((report) => {
+      context.report({
+        node: node,
+        data: {
+          text: token.value,
+        },
+        loc: {
+          start: {
+            line: token.loc.start.line + report.line,
+            column: report.column,
+          },
+          end: {
+            line: token.loc.start.line + report.line,
+            column: report.column + 1,
+          },
+        },
+        message,
+      });
+    });
+  });
+}
+
+//------------------------------------------------------------------------------
+// Rule Definition
+//------------------------------------------------------------------------------
+
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-bidi-characters.md',
+    },
+  },
+  create: function (context) {
+    return {
+      Program: function (node) {
+        report({
+          context,
+          node,
+          tokens: node.tokens,
+          firstLineOffset: 0,
+          message: "Detected potential trojan source attack with unicode bidi introduced in this code: '{{text}}'.",
+        });
+        report({
+          context,
+          node,
+          tokens: node.comments,
+          firstLineOffset: 2,
+          message: "Detected potential trojan source attack with unicode bidi introduced in this comment: '{{text}}'.",
+        });
+      },
+    };
+  },
+};

package/rules/detect-buffer-noassert.js

@@ -1,69 +1,80 @@
 /**
  * Tries to detect buffer read / write calls that use noAssert set to true
- * @author Adam Baldwin 
+ * @author Adam Baldwin
  */
 
-//------------------------------------------------------------------------------
-// Rule Definition
-//------------------------------------------------------------------------------
+'use strict';
 
-var names = [];
+//-----------------------------------------------------------------------------
+// Helpers
+//-----------------------------------------------------------------------------
 
-module.exports = function(context) {
+const read = [
+  'readUInt8',
+  'readUInt16LE',
+  'readUInt16BE',
+  'readUInt32LE',
+  'readUInt32BE',
+  'readInt8',
+  'readInt16LE',
+  'readInt16BE',
+  'readInt32LE',
+  'readInt32BE',
+  'readFloatLE',
+  'readFloatBE',
+  'readDoubleLE',
+  'readDoubleBE',
+];
 
-    "use strict";
+const write = [
+  'writeUInt8',
+  'writeUInt16LE',
+  'writeUInt16BE',
+  'writeUInt32LE',
+  'writeUInt32BE',
+  'writeInt8',
+  'writeInt16LE',
+  'writeInt16BE',
+  'writeInt32LE',
+  'writeInt32BE',
+  'writeFloatLE',
+  'writeFloatBE',
+  'writeDoubleLE',
+  'writeDoubleBE',
+];
 
-    var read = [
-        "readUInt8",
-        "readUInt16LE",
-        "readUInt16BE",
-        "readUInt32LE",
-        "readUInt32BE",
-        "readInt8",
-        "readInt16LE",
-        "readInt16BE",
-        "readInt32LE",
-        "readInt32BE",
-        "readFloatLE",
-        "readFloatBE",
-        "readDoubleL",
-        "readDoubleBE"
-    ];
-
-    var write = [
-        "writeUInt8",
-        "writeUInt16LE",
-        "writeUInt16BE",
-        "writeUInt32LE",
-        "writeUInt32BE",
-        "writeInt8",
-        "writeInt16LE",
-        "writeInt16BE",
-        "writeInt32LE",
-        "writeInt32BE",
-        "writeFloatLE",
-        "writeFloatBE",
-        "writeDoubleLE",
-        "writeDoubleBE"
-    ];
+//------------------------------------------------------------------------------
+// Rule Definition
+//------------------------------------------------------------------------------
 
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects calls to "buffer" with "noAssert" flag set.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-buffer-noassert.md',
+    },
+    __methodsToCheck: {
+      read,
+      write,
+    },
+  },
+  create: function (context) {
     return {
-        "MemberExpression": function (node) {
-            var index;
-            if (read.indexOf(node.property.name) !== -1) {
-                index = 1;
-            } else if (write.indexOf(node.property.name) !== -1) {
-                index = 2;
-            }
-
-            if (index && node.parent && node.parent.arguments && node.parent.arguments[index] &&  node.parent.arguments[index].value) {
-                var token = context.getTokens(node)[0];
-                return context.report(node, 'Found Buffer.' + node.property.name + ' with noAssert flag set true');
-                
-            }
+      MemberExpression: function (node) {
+        let index;
+        if (read.indexOf(node.property.name) !== -1) {
+          index = 1;
+        } else if (write.indexOf(node.property.name) !== -1) {
+          index = 2;
         }
 
+        if (index && node.parent && node.parent.arguments && node.parent.arguments[index] && node.parent.arguments[index].value) {
+          return context.report({ node: node, message: `Found Buffer.${node.property.name} with noAssert flag set true` });
+        }
+      },
     };
-
+  },
 };
-

package/rules/detect-child-process.js

@@ -3,40 +3,72 @@
  * @author Adam Baldwin
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-var names = [];
-
-module.exports = function(context) {
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects instances of "child_process" & non-literal "exec()" calls.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-child-process.md',
+    },
+  },
+  create: function (context) {
+    /*
+     * Stores variable identifiers pointing to child_process to check (child_process).exec()
+     */
+    const childProcessIdentifiers = new Set();
 
-    "use strict";
+    /**
+     * Extract identifiers assigned the expression `require("child_process")`.
+     * @param {Pattern} node
+     */
+    function extractChildProcessIdentifiers(node) {
+      if (node.type !== 'Identifier') {
+        return;
+      }
+      const variable = context.getScope().set.get(node.name);
+      if (!variable) {
+        return;
+      }
+      for (const reference of variable.references) {
+        childProcessIdentifiers.add(reference.identifier);
+      }
+    }
 
     return {
-        "CallExpression": function (node) {
-            var token = context.getTokens(node)[0];
-            if (node.callee.name === 'require') {
-                var args = node.arguments[0];
-                if (args && args.type === 'Literal' && args.value === 'child_process') {
-                    if (node.parent.type === 'VariableDeclarator') {
-                        names.push(node.parent.id.name);
-                    } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
-                        names.push(node.parent.left.name);
-                    }
-                    return context.report(node, 'Found require("child_process")');
-                }
+      CallExpression: function (node) {
+        if (node.callee.name === 'require') {
+          const args = node.arguments[0];
+          if (args && args.type === 'Literal' && args.value === 'child_process') {
+            let pattern;
+            if (node.parent.type === 'VariableDeclarator') {
+              pattern = node.parent.id;
+            } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
+              pattern = node.parent.left;
+            }
+            if (pattern) {
+              extractChildProcessIdentifiers(pattern);
             }
-        },
-        "MemberExpression": function (node) {
-            var token = context.getTokens(node)[0];
-            if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
-                if (node.parent && node.parent.arguments  && node.parent.arguments[0].type !== 'Literal') {
-                    return context.report(node, 'Found child_process.exec() with non Literal first argument');
-                }
+            if (!pattern || pattern.type === 'Identifier') {
+              return context.report({ node: node, message: 'Found require("child_process")' });
             }
+          }
         }
-
+      },
+      MemberExpression: function (node) {
+        if (node.property.name === 'exec' && childProcessIdentifiers.has(node.object)) {
+          if (node.parent && node.parent.arguments && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
+            return context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
+          }
+        }
+      },
     };
-
+  },
 };

package/rules/detect-disable-mustache-escape.js

@@ -1,18 +1,28 @@
-module.exports = function(context) {
+'use strict';
 
-    "use strict";
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-disable-mustache-escape.md',
+    },
+  },
+  create: function (context) {
     return {
-        "AssignmentExpression": function(node) {
-            if (node.operator === '=') {
-                if (node.left.property) {
-                    if (node.left.property.name == 'escapeMarkup') {
-                        if (node.right.value == false) {
-                            context.report(node, 'Markup escaping disabled.')
-                        }
-                    }
-                }
+      AssignmentExpression: function (node) {
+        if (node.operator === '=') {
+          if (node.left.property) {
+            if (node.left.property.name === 'escapeMarkup') {
+              if (node.right.value === false) {
+                context.report({ node: node, message: 'Markup escaping disabled.' });
+              }
             }
+          }
         }
-    }
-
-}
+      },
+    };
+  },
+};

package/rules/detect-eval-with-expression.js

@@ -1,21 +1,31 @@
 /**
- * Idnetifies eval with expression
+ * Identifies eval with expression
  * @author Adam Baldwin
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-module.exports = function(context) {
-
-    "use strict";
-
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-eval-with-expression.md',
+    },
+  },
+  create: function (context) {
     return {
-        "CallExpression": function(node) {
-            if (node.callee.name === "eval" && node.arguments[0].type !== 'Literal') {
-                context.report(node, "eval with argument of type " + node.arguments[0].type);
-            }
+      CallExpression: function (node) {
+        if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
+          context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
         }
+      },
     };
+  },
 };

package/rules/detect-new-buffer.js

@@ -1,19 +1,22 @@
-module.exports = function (context) {
-    // Detects instances of new Buffer(argument)
-    // where argument is any non literal value.
-    return {
-      "NewExpression": function (node) {
-        if (node.callee.name === 'Buffer' &&
-          node.arguments[0] &&
-          node.arguments[0].type != 'Literal') {
+'use strict';
 
-          return context.report(node, "Found new Buffer");
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects instances of new Buffer(argument) where argument is any non-literal value.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-new-buffer.md',
+    },
+  },
+  create: function (context) {
+    return {
+      NewExpression: function (node) {
+        if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {
+          return context.report({ node: node, message: 'Found new Buffer' });
         }
-
-
-
-      }
+      },
     };
-
-}
-
+  },
+};

package/rules/detect-no-csrf-before-method-override.js

@@ -3,37 +3,44 @@
  * @author Adam Baldwin
  */
 
+'use strict';
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
 
-
-module.exports = function(context) {
-
-    "use strict";
-    var csrf = false;
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects Express "csrf" middleware setup before "method-override" middleware.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
+    },
+  },
+  create: function (context) {
+    let csrf = false;
 
     return {
-        "CallExpression": function(node) {
-            var token = context.getTokens(node)[0],
-                nodeType = token.type,
-                nodeValue = token.value;
-
-            if (nodeValue === "express") {
-                if (!node.callee || !node.callee.property) {
-                    return;
-                }
-
-                if (node.callee.property.name === "methodOverride" && csrf) {
-                    context.report(node, "express.csrf() middleware found before express.methodOverride()");
-                }
-                if (node.callee.property.name === "csrf") {
-                    // Keep track of found CSRF
-                    csrf = true;
-                }
-            }
+      CallExpression: function (node) {
+        const token = context.getSourceCode().getTokens(node)[0];
+        const nodeValue = token.value;
+
+        if (nodeValue === 'express') {
+          if (!node.callee || !node.callee.property) {
+            return;
+          }
+
+          if (node.callee.property.name === 'methodOverride' && csrf) {
+            context.report({ node: node, message: 'express.csrf() middleware found before express.methodOverride()' });
+          }
+          if (node.callee.property.name === 'csrf') {
+            // Keep track of found CSRF
+            csrf = true;
+          }
         }
+      },
     };
-
+  },
 };
-