npm - eslint-plugin-security - Versions diffs - 1.4.0 → 1.6.0 - Mend

eslint-plugin-security 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/.eslint-doc-generatorrc.js +9 -0
package/.eslintrc +29 -1
package/.github/ISSUE_TEMPLATE/bug-report.yml +85 -0
package/.github/ISSUE_TEMPLATE/new-rule.yml +39 -0
package/.github/ISSUE_TEMPLATE/rule-change.yml +61 -0
package/.github/workflows/ci.yml +55 -0
package/.github/workflows/pr.yml +19 -0
package/.github/workflows/release-please.yml +39 -0
package/.markdownlint.json +4 -0
package/.markdownlintignore +3 -0
package/.prettierrc.json +7 -0
package/CHANGELOG.md +114 -34
package/README.md +45 -85
package/docs/avoid-command-injection-node.md +85 -0
package/docs/bypass-connect-csrf-protection-by-abusing.md +42 -0
package/docs/regular-expression-dos-and-node.md +83 -0
package/docs/rules/detect-bidi-characters.md +50 -0
package/docs/rules/detect-buffer-noassert.md +9 -0
package/docs/rules/detect-child-process.md +9 -0
package/docs/rules/detect-disable-mustache-escape.md +9 -0
package/docs/rules/detect-eval-with-expression.md +7 -0
package/docs/rules/detect-new-buffer.md +5 -0
package/docs/rules/detect-no-csrf-before-method-override.md +9 -0
package/docs/rules/detect-non-literal-fs-filename.md +7 -0
package/docs/rules/detect-non-literal-regexp.md +7 -0
package/docs/rules/detect-non-literal-require.md +7 -0
package/docs/rules/detect-object-injection.md +7 -0
package/docs/rules/detect-possible-timing-attacks.md +5 -0
package/docs/rules/detect-pseudoRandomBytes.md +5 -0
package/docs/rules/detect-unsafe-regex.md +7 -0
package/docs/the-dangers-of-square-bracket-notation.md +107 -0
package/index.js +10 -9
package/package.json +34 -7
package/rules/detect-bidi-characters.js +101 -0
package/rules/detect-buffer-noassert.js +66 -55
package/rules/detect-child-process.js +57 -25
package/rules/detect-disable-mustache-escape.js +24 -14
package/rules/detect-eval-with-expression.js +19 -9
package/rules/detect-new-buffer.js +19 -16
package/rules/detect-no-csrf-before-method-override.js +32 -25
package/rules/detect-non-literal-fs-filename.js +86 -33
package/rules/detect-non-literal-regexp.js +24 -18
package/rules/detect-non-literal-require.js +25 -17
package/rules/detect-object-injection.js +61 -59
package/rules/detect-possible-timing-attacks.js +40 -42
package/rules/detect-pseudoRandomBytes.js +18 -11
package/rules/detect-unsafe-regex.js +36 -23
package/test/detect-bidi-characters.js +74 -0
package/test/detect-buffer-noassert.js +18 -18
package/test/detect-child-process.js +49 -23
package/test/detect-disable-mustache-escape.js +3 -4
package/test/detect-eval-with-expression.js +4 -5
package/test/detect-new-buffer.js +4 -5
package/test/detect-no-csrf-before-method-override.js +3 -4
package/test/detect-non-literal-fs-filename.js +135 -9
package/test/detect-non-literal-regexp.js +5 -6
package/test/detect-non-literal-require.js +11 -8
package/test/detect-object-injection.js +3 -5
package/test/detect-possible-timing-attacks.js +8 -10
package/test/detect-pseudoRandomBytes.js +3 -4
package/test/detect-unsafe-regexp.js +9 -11
package/test/utils/import-utils.js +172 -0
package/utils/data/fsFunctionData.json +51 -0
package/utils/import-utils.js +196 -0
package/.npmignore +0 -1
package/rules/data/fsFunctionData.json +0 -51

package/test/utils/import-utils.js ADDED Viewed

@@ -0,0 +1,172 @@
+'use strict';
+const { getImportAccessPath } = require('../../utils/import-utils');
+const { deepStrictEqual } = require('assert');
+const Linter = require('eslint').Linter;
+function getGetImportAccessPathResult(code) {
+  const linter = new Linter();
+  const result = [];
+  linter.defineRule('test-rule', {
+    create(context) {
+      return {
+        'Identifier[name = target]'(node) {
+          let expr = node;
+          if (node.parent.type === 'MemberExpression' && node.parent.property === node) {
+            expr = node.parent;
+          }
+          const info = getImportAccessPath({
+            node: expr,
+            scope: context.getScope(),
+            packageNames: ['target', 'target-foo', 'target-bar'],
+          });
+          if (!info) return;
+          result.push({
+            path: info.path,
+            packageName: info.packageName,
+            ...(info.defaultImport ? { defaultImport: info.defaultImport } : {}),
+          });
+        },
+      };
+    },
+  });
+  const linterResult = linter.verify(code, {
+    parserOptions: {
+      ecmaVersion: 6,
+      sourceType: 'module',
+    },
+    rules: {
+      'test-rule': 'error',
+    },
+  });
+  deepStrictEqual(linterResult, []);
+  return result;
+}
+describe('getImportAccessPath', () => {
+  describe('The result of getImportAccessPath should be as expected.', () => {
+    for (const { code, result } of [
+      {
+        code: `var something = require('target');
+               something.target(c);`,
+        result: [
+          {
+            path: ['target'],
+            packageName: 'target',
+          },
+        ],
+      },
+      {
+        code: `var target = require('target');
+               target(c);
+               var { foo } = require('target-foo');
+               foo.target(c);
+               foo.bar.target(c);
+               var { a: bar } = require('target-bar');
+               bar.target(c);
+               var baz = require('target-baz');
+               baz.target(c);
+               var qux = qux.foo.target;`,
+        result: [
+          {
+            path: [],
+            packageName: 'target',
+          },
+          {
+            path: [],
+            packageName: 'target',
+          },
+          {
+            path: ['foo', 'target'],
+            packageName: 'target-foo',
+          },
+          {
+            path: ['foo', 'bar', 'target'],
+            packageName: 'target-foo',
+          },
+          {
+            path: ['a', 'target'],
+            packageName: 'target-bar',
+          },
+        ],
+      },
+      {
+        code: `require('target').target;
+               function fn () {
+                 var { foo } = require('target-foo');
+                 foo.target(c);
+               }`,
+        result: [
+          {
+            path: ['target'],
+            packageName: 'target',
+          },
+          {
+            path: ['foo', 'target'],
+            packageName: 'target-foo',
+          },
+        ],
+      },
+      {
+        code: `import { foo } from 'target-foo';
+               foo.target(c);
+               foo.bar.target(c);
+               import { a as bar } from 'target-bar';
+               bar.target(c);
+               import baz from 'target-baz';
+               baz.target(c);`,
+        result: [
+          {
+            path: ['foo', 'target'],
+            packageName: 'target-foo',
+          },
+          {
+            path: ['foo', 'bar', 'target'],
+            packageName: 'target-foo',
+          },
+          {
+            path: ['a', 'target'],
+            packageName: 'target-bar',
+          },
+        ],
+      },
+      {
+        code: `import foo from 'target-foo';
+               foo.target(c);
+               import * as bar from 'target-bar';
+               bar.target(c);`,
+        result: [
+          {
+            path: ['target'],
+            defaultImport: true,
+            packageName: 'target-foo',
+          },
+          {
+            path: ['target'],
+            packageName: 'target-bar',
+          },
+        ],
+      },
+      {
+        code: `import foo from 'target-foo';
+               function fn () {
+                 foo.target(c);
+               }`,
+        result: [
+          {
+            path: ['target'],
+            defaultImport: true,
+            packageName: 'target-foo',
+          },
+        ],
+      },
+    ]) {
+      it(code, () => {
+        deepStrictEqual(getGetImportAccessPathResult(code), result);
+      });
+    }
+  });
+});

package/utils/data/fsFunctionData.json ADDED Viewed

@@ -0,0 +1,51 @@
+{
+  "appendFile": [0],
+  "appendFileSync": [0],
+  "chmod": [0],
+  "chmodSync": [0],
+  "chown": [0],
+  "chownSync": [0],
+  "createReadStream": [0],
+  "createWriteStream": [0],
+  "exists": [0],
+  "existsSync": [0],
+  "lchmod": [0],
+  "lchmodSync": [0],
+  "lchown": [0],
+  "lchownSync": [0],
+  "link": [0, 1],
+  "linkSync": [0, 1],
+  "lstat": [0],
+  "lstatSync": [0],
+  "mkdir": [0],
+  "mkdirSync": [0],
+  "open": [0],
+  "openSync": [0],
+  "readdir": [0],
+  "readdirSync": [0],
+  "readFile": [0],
+  "readFileSync": [0],
+  "readlink": [0],
+  "readlinkSync": [0],
+  "realpath": [0],
+  "realpathSync": [0],
+  "rename": [0, 1],
+  "renameSync": [0, 1],
+  "rmdir": [0],
+  "rmdirSync": [0],
+  "stat": [0],
+  "statSync": [0],
+  "symlink": [0, 1],
+  "symlinkSync": [0, 1],
+  "truncate": [0],
+  "truncateSync": [0],
+  "unlink": [0],
+  "unlinkSync": [0],
+  "unwatchFile": [0],
+  "utimes": [0],
+  "utimesSync": [0],
+  "watch": [0],
+  "watchFile": [0],
+  "writeFile": [0],
+  "writeFileSync": [0]
+}

package/utils/import-utils.js ADDED Viewed

@@ -0,0 +1,196 @@
+module.exports.getImportAccessPath = getImportAccessPath;
+/**
+ * @typedef {Object} ImportAccessPathInfo
+ * @property {string[]} path
+ * @property {boolean} [defaultImport]
+ * @property {string} packageName
+ * @property {import("estree").SimpleCallExpression | import("estree").ImportDeclaration} node
+ */
+/**
+ * Returns the access path information from a require or import
+ *
+ * @param {Object} params
+ * @param {import("estree").Expression} params.node The node to check.
+ * @param {import("eslint").Scope.Scope} params.scope The scope of the given node.
+ * @param {string[]} params.packageNames The interesting packages the method is imported from
+ * @returns {ImportAccessPathInfo | null}
+ */
+function getImportAccessPath({ node, scope, packageNames }) {
+  const tracked = new Set();
+  return getImportAccessPathInternal(node);
+  /**
+   * @param {import("estree").Expression} node
+   * @returns {ImportAccessPathInfo | null}
+   */
+  function getImportAccessPathInternal(node) {
+    if (tracked.has(node)) {
+      // Guard infinite loops.
+      return null;
+    }
+    tracked.add(node);
+    if (node.type === 'Identifier') {
+      // Track variables.
+      const variable = findVariable(scope, node.name);
+      if (!variable) {
+        return null;
+      }
+      // Check variables defined in `var foo = ...`.
+      const declDef = variable.defs.find(
+        /** @returns {def is import("eslint").Scope.Definition & {type: 'Variable'}} */
+        (def) => def.type === 'Variable' && def.node.type === 'VariableDeclarator' && def.node.init
+      );
+      if (declDef) {
+        let propName = null;
+        if (declDef.node.id.type === 'ObjectPattern') {
+          const property = declDef.node.id.properties.find((property) => property.type === 'Property' && property.value.type === 'Identifier' && property.value.name === node.name);
+          if (property && !property.computed) {
+            propName = property.key.name;
+          }
+        } else if (declDef.node.id.type !== 'Identifier') {
+          // Unknown access path
+          return null;
+        }
+        const nesting = getImportAccessPathInternal(declDef.node.init);
+        if (!nesting) {
+          return null;
+        }
+        /**
+         * Detects:
+         * | var something = require('package-name');
+         * | something(c);
+         * , or
+         * | var { propName: something } = require('package-name');
+         * | something(c);
+         */
+        return {
+          path: propName ? [...nesting.path, propName] : nesting.path,
+          defaultImport: nesting.defaultImport,
+          packageName: nesting.packageName,
+          node: nesting.node,
+        };
+      }
+      // Check variables defined in `import foo from ...`.
+      const importDef = variable.defs.find(
+        /** @returns {def is import("eslint").Scope.Definition & {type: 'ImportBinding'}} */
+        (def) =>
+          def.type === 'ImportBinding' &&
+          (def.node.type === 'ImportDefaultSpecifier' || def.node.type === 'ImportNamespaceSpecifier' || def.node.type === 'ImportSpecifier') &&
+          isImportDeclaration(def.node.parent)
+      );
+      if (importDef) {
+        let propName = null;
+        let defaultImport;
+        if (importDef.node.type === 'ImportSpecifier') {
+          propName = importDef.node.imported.name;
+        } else if (importDef.node.type === 'ImportDefaultSpecifier') {
+          defaultImport = true;
+        } else if (importDef.node.type !== 'ImportNamespaceSpecifier') {
+          // Unknown access path
+          return null;
+        }
+        /**
+         * Detects:
+         * | import { propName as something } from 'package-name';
+         * | something(c);
+         * ,
+         * | import * as something from 'package-name';
+         * | something(c);
+         * , or
+         * | import something from 'package-name';
+         * | something(c);
+         */
+        return {
+          path: propName ? [propName] : [],
+          defaultImport: defaultImport,
+          packageName: importDef.node.parent.source.value,
+          node: importDef.node.parent,
+        };
+      }
+      return null;
+    } else if (node.type === 'MemberExpression') {
+      if (node.computed) {
+        return null;
+      }
+      const nesting = getImportAccessPathInternal(node.object);
+      if (!nesting) {
+        return null;
+      }
+      /**
+       * Detects:
+       * | var something = require('package-name');
+       * | something.propName(c);
+       * ,
+       * | var { something } = require('package-name');
+       * | something.propName(c);
+       * ,
+       * | import something from 'package-name';
+       * | something.propName(c);
+       * ,
+       * | import * as something from 'package-name';
+       * | something.propName(c);
+       * , or
+       * | import { something } from 'package-name';
+       * | something.propName(c);
+       */
+      return {
+        path: [...nesting.path, node.property.name],
+        defaultImport: nesting.defaultImport,
+        packageName: nesting.packageName,
+        node: nesting.node,
+      };
+    } else if (isRequireBasedImport(node)) {
+      /**
+       * Detects:
+       * | require('package-name');
+       * ,
+       * | require('package-name').propName(c);
+       * , or
+       * | require('package-name')(c);
+       */
+      return {
+        path: [],
+        packageName: node.arguments[0].value,
+        node,
+      };
+    }
+    return null;
+  }
+  /**
+   * Checks whether the given expression node is a require based import, or not
+   * @param {import("estree").Expression} expression
+   */
+  function isRequireBasedImport(expression) {
+    return (
+      expression &&
+      expression.type === 'CallExpression' &&
+      expression.callee.name === 'require' &&
+      expression.arguments.length &&
+      expression.arguments[0].type === 'Literal' &&
+      packageNames.includes(expression.arguments[0].value)
+    );
+  }
+  /**
+   * Checks whether the given node is a import, or not
+   * @param {import("estree").Node} node
+   */
+  function isImportDeclaration(node) {
+    return node && node.type === 'ImportDeclaration' && packageNames.includes(node.source.value);
+  }
+}
+/** @returns {import("eslint").Scope.Variable | null} */
+function findVariable(scope, name) {
+  while (scope != null) {
+    const variable = scope.set.get(name);
+    if (variable != null) {
+      return variable;
+    }
+    scope = scope.upper;
+  }
+  return null;
+}

package/.npmignore DELETED Viewed

	@@ -1 +0,0 @@
1	- node_modules

package/rules/data/fsFunctionData.json DELETED Viewed

@@ -1,51 +0,0 @@
-{
-    "appendFile": [0],
-    "appendFileSync": [0],
-    "chmod": [0],
-    "chmodSync": [0],
-    "chown": [0],
-    "chownSync": [0],
-    "createReadStream": [0],
-    "createWriteStream": [0],
-    "exists": [0],
-    "existsSync": [0],
-    "lchmod": [0],
-    "lchmodSync": [0],
-    "lchown": [0],
-    "lchownSync": [0],
-    "link": [0,1],
-    "linkSync": [0,1],
-    "lstat": [0],
-    "lstatSync": [0],
-    "mkdir": [0],
-    "mkdirSync": [0],
-    "open": [0],
-    "openSync": [0],
-    "readdir": [0],
-    "readdirSync": [0],
-    "readFile": [0],
-    "readFileSync": [0],
-    "readlink": [0],
-    "readlinkSync": [0],
-    "realpath": [0],
-    "realpathSync": [0],
-    "rename": [0,1],
-    "renameSync": [0,1],
-    "rmdir": [0],
-    "rmdirSync": [0],
-    "stat": [0],
-    "statSync": [0],
-    "symlink": [0,1],
-    "symlinkSync": [0,1],
-    "truncate": [0],
-    "truncateSync": [0],
-    "unlink": [0],
-    "unlinkSync": [0],
-    "unwatchFile": [0],
-    "utimes": [0],
-    "utimesSync": [0],
-    "watch": [0],
-    "watchFile": [0],
-    "writeFile": [0],
-    "writeFileSync": [0]
-}