eslint-plugin-security 1.5.0 → 1.6.0

package/docs/rules/detect-child-process.md

@@ -0,0 +1,9 @@
+# Detects instances of "child_process" & non-literal "exec()" calls (`security/detect-child-process`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+Detect instances of [`child_process`](https://nodejs.org/api/child_process.html) & non-literal [`exec()`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
+
+More information: [Avoiding Command Injection in Node.js](../avoid-command-injection-node.md)

package/docs/rules/detect-disable-mustache-escape.md

@@ -0,0 +1,9 @@
+# Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities (`security/detect-disable-mustache-escape`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+This can lead to Cross-Site Scripting (XSS) vulnerabilities.
+
+More information: [OWASP XSS](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)

package/docs/rules/detect-eval-with-expression.md

@@ -0,0 +1,7 @@
+# Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process (`security/detect-eval-with-expression`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [What are the security issues with eval in JavaScript?](http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript)

package/docs/rules/detect-new-buffer.md

@@ -0,0 +1,5 @@
+# Detects instances of new Buffer(argument) where argument is any non-literal value (`security/detect-new-buffer`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->

package/docs/rules/detect-no-csrf-before-method-override.md

@@ -0,0 +1,9 @@
+# Detects Express "csrf" middleware setup before "method-override" middleware (`security/detect-no-csrf-before-method-override`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+This can allow `GET` requests (which are not checked by `csrf`) to turn into `POST` requests later.
+
+More information: [Bypass Connect CSRF protection by abusing methodOverride Middleware](../bypass-connect-csrf-protection-by-abusing.md)

package/docs/rules/detect-non-literal-fs-filename.md

@@ -0,0 +1,7 @@
+# Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system (`security/detect-non-literal-fs-filename`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [OWASP Path Traversal](https://www.owasp.org/index.php/Path_Traversal)

package/docs/rules/detect-non-literal-regexp.md

@@ -0,0 +1,7 @@
+# Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression (`security/detect-non-literal-regexp`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [Regular Expression DoS and Node.js](../regular-expression-dos-and-node.md)

package/docs/rules/detect-non-literal-require.md

@@ -0,0 +1,7 @@
+# Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk (`security/detect-non-literal-require`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [Where does Node.js and require look for modules?](http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm)

package/docs/rules/detect-object-injection.md

@@ -0,0 +1,7 @@
+# Detects "variable[key]" as a left- or right-hand assignment operand (`security/detect-object-injection`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [The Dangers of Square Bracket Notation](../the-dangers-of-square-bracket-notation.md)

package/docs/rules/detect-possible-timing-attacks.md

@@ -0,0 +1,5 @@
+# Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially (`security/detect-possible-timing-attacks`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->

package/docs/rules/detect-pseudoRandomBytes.md

@@ -0,0 +1,5 @@
+# Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect (`security/detect-pseudoRandomBytes`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->

package/docs/rules/detect-unsafe-regex.md

@@ -0,0 +1,7 @@
+# Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop (`security/detect-unsafe-regex`)
+
+⚠️ This rule _warns_ in the ✅ `recommended` config.
+
+<!-- end auto-generated rule header -->
+
+More information: [Regular Expression DoS and Node.js](../regular-expression-dos-and-node.md)

package/docs/the-dangers-of-square-bracket-notation.md

@@ -8,7 +8,7 @@ _Note: These examples are simple, and seemingly obvious - we will take a look at
 
 Let's take a look at why this could be a problem.
 
-### Issue #1: Bracket object notation with user input grants access to every property available on the object.
+## Issue #1: Bracket object notation with user input grants access to every property available on the object
 
 ```js
 exampleClass[userInput[1]] = userInput[2];
@@ -16,7 +16,7 @@ exampleClass[userInput[1]] = userInput[2];
 
 I won't spend much time here, as I believe this is fairly well known. If exampleClass contains a sensitive property, the above code will allow it to be edited.
 
-### Issue #2: Bracket object notation with user input grants access to every property available on the object, **_including prototypes._**
+## Issue #2: Bracket object notation with user input grants access to every property available on the object, **_including prototypes._**
 
 ```js
 userInput = ['constructor', '{}'];
@@ -25,7 +25,7 @@ exampleClass[userInput[1]] = userInput[2];
 
 This looks pretty innocuous, even if it is an uncommon pattern. The problem here is that we can access or overwrite prototypes such as `constructor` or `__defineGetter__`, which may be used later on. The most likely outcome of this scenario would be an application crash, when a string is attempted to be called as a function.
 
-### Issue #3: Bracket object notation with user input grants access to every property available on the object, including prototypes, **_which can lead to Remote Code Execution._**
+## Issue #3: Bracket object notation with user input grants access to every property available on the object, including prototypes, **_which can lead to Remote Code Execution._**
 
 Now here's where things get really dangerous. It's also where example code gets really implausible - bear with me.
 
@@ -43,7 +43,7 @@ function handler(userInput) {
 
 In the previous section, I mentioned that constructor can be accessed from square brackets. In this case, since we are dealing with a function, the constructor we get back is the `Function` Constructor, which compiles a string of code into a function.
 
-### Exploitation:
+## Exploitation
 
 In order to exploit the above code, we need a two stage exploit function.
 
@@ -84,11 +84,11 @@ user.anyVal = user.anyVal('date');
 
 What we end up with is this:
 
-![](https://cldup.com/lR_Xp0PwU9.png)
+![Exploiting date screenshot](https://cldup.com/lR_Xp0PwU9.png)
 
 Remote Code Execution. The biggest problem here is that there is very little indication in the code that this is what is going on. With something so serious, method calls tend to be very explicit - eval, child_process, etc. It's pretty difficult in node to accidentally introduce one of those into your application. Here though, without having either deep knowledge of JavaScript builtins or having done previous research, it is very easy to accidentally introduce this into your application.
 
-### Isn't this so obscure that it doesn't matter a whole lot?
+## Isn't this so obscure that it doesn't matter a whole lot?
 
 Well, yes and no. Is this particular vector a widespread problem? No, because current JavaScript style guides don't advocate programming this way. Might it become a widespread problem in the future? Absolutely. This pattern is avoided because it isn't common, and therefore not learned and taken up as habit, not because it's a known insecure pattern.
 
@@ -96,12 +96,12 @@ Yes, we are talking about some fairly extreme edge cases, but don't make the ass
 
 Edge cases are uncommon, but because they are uncommon the problems with them are not well known, and they frequently go un-noticed during code review. If the code works, these types of problems tend to disappear. If the code works, and the problems are buried in a module nested n-levels deep, it's likely it won't be found until it causes problems, and by then it's too late. A blind require is essentially running untrusted code in your application. Be [aware of what you require.](https://requiresafe.com)
 
-### How do I fix it?
+## How do I fix it?
 
 The most direct fix here is going to be to **avoid the use of user input in property name fields**. This isn't reasonable in all circumstances, however, and there should be a way to safely use core language features.
 
-Another option is to create a whitelist of allowed property names, and filter each user input through a helper function to check before allowing it to be used. This is a great option in situations where you know specifically what property names to allow.
+Another option is to create a allowlist of allowed property names, and filter each user input through a helper function to check before allowing it to be used. This is a great option in situations where you know specifically what property names to allow.
 
-In cases where you don't have a strictly defined data model ( which isn't ideal, but there are cases where it has to be so ) then using the same method as above, but with a blacklist of disallowed properties instead is a valid choice.
+In cases where you don't have a strictly defined data model ( which isn't ideal, but there are cases where it has to be so ) then using the same method as above, but with a denylist of disallowed properties instead is a valid choice.
 
 If you are using the `--harmony` flag or [io.js](https://iojs.org/), you also have the option of using [ECMAScript 6 direct proxies](http://wiki.ecmascript.org/doku.php?id=harmony:direct_proxies), which can stand in front of your real object ( private API ) and expose a limited subset of the object ( public API ). This is probably the best approach if you are using this pattern, as it is most consistent with typical object oriented programming paradigms.

package/index.js

@@ -18,7 +18,8 @@ module.exports = {
     'detect-child-process': require('./rules/detect-child-process'),
     'detect-disable-mustache-escape': require('./rules/detect-disable-mustache-escape'),
     'detect-object-injection': require('./rules/detect-object-injection'),
-    'detect-new-buffer': require('./rules/detect-new-buffer')
+    'detect-new-buffer': require('./rules/detect-new-buffer'),
+    'detect-bidi-characters': require('./rules/detect-bidi-characters'),
   },
   rulesConfig: {
     'detect-unsafe-regex': 0,
@@ -33,7 +34,8 @@ module.exports = {
     'detect-child-process': 0,
     'detect-disable-mustache-escape': 0,
     'detect-object-injection': 0,
-    'detect-new-buffer': 0
+    'detect-new-buffer': 0,
+    'detect-bidi-characters': 0,
   },
   configs: {
     recommended: {
@@ -51,8 +53,9 @@ module.exports = {
         'security/detect-object-injection': 'warn',
         'security/detect-possible-timing-attacks': 'warn',
         'security/detect-pseudoRandomBytes': 'warn',
-        'security/detect-unsafe-regex': 'warn'
-      }
-    }
-  }
+        'security/detect-unsafe-regex': 'warn',
+        'security/detect-bidi-characters': 'warn',
+      },
+    },
+  },
 };

package/package.json

@@ -1,16 +1,20 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
     "changelog": "changelog eslint-plugin-security all > CHANGELOG.md",
+    "cont-int": "npm test && npm run lint",
+    "format": "prettier --write .",
+    "lint": "npm-run-all \"lint:*\"",
+    "lint:docs": "markdownlint \"**/*.md\"",
+    "lint:eslint-docs": "npm run update:eslint-docs -- --check",
+    "lint:js": "eslint .",
+    "lint:js:fix": "npm run lint:js -- --fix",
     "release": "npx semantic-release",
-    "test": "mocha test/**/*",
-    "format": "prettier --write **/*.{md,js,yml}",
-    "lint": "eslint .",
-    "lint:fix": "eslint --fix .",
-    "cont-int": "npm test && npm run lint"
+    "test": "mocha test/**",
+    "update:eslint-docs": "eslint-doc-generator"
   },
   "repository": {
     "type": "git",
@@ -46,8 +50,12 @@
     "eslint": "^8.11.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
+    "eslint-doc-generator": "^1.0.2",
+    "eslint-plugin-eslint-plugin": "^5.0.2",
     "lint-staged": "^12.3.7",
+    "markdownlint-cli": "^0.32.2",
     "mocha": "^9.2.2",
+    "npm-run-all": "^4.1.5",
     "prettier": "^2.6.2",
     "semantic-release": "^19.0.2",
     "yorkie": "^2.0.0"

package/rules/detect-bidi-characters.js

@@ -0,0 +1,101 @@
+/**
+ * Detect trojan source attacks that employ unicode bidi attacks to inject malicious code
+ * @author Luciamo Mammino
+ * @author Simone Sanfratello
+ * @author Liran Tal
+ */
+
+'use strict';
+
+const dangerousBidiCharsRegexp = /[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]/gu;
+
+/**
+ * Detects all the dangerous bidi characters in a given source text
+ *
+ * @param {object} options - Options
+ * @param {string} options.sourceText - The source text to search for dangerous bidi characters
+ * @param {number} options.firstLineOffset - The offset of the first line in the source text
+ * @returns {Array<{line: number, column: number}>} - An array of reports, each report is an
+ *    object with the line and column of the dangerous character
+ */
+function detectBidiCharacters({ sourceText, firstLineOffset }) {
+  const sourceTextToSearch = sourceText.toString();
+
+  const lines = sourceTextToSearch.split(/\r?\n/);
+
+  return lines.reduce((reports, line, lineIndex) => {
+    let match;
+    let offset = lineIndex == 0 ? firstLineOffset : 0;
+
+    while ((match = dangerousBidiCharsRegexp.exec(line)) !== null) {
+      reports.push({ line: lineIndex, column: offset + match.index });
+    }
+
+    return reports;
+  }, []);
+}
+
+function report({ context, node, tokens, message, firstLineOffset }) {
+  if (!tokens || !Array.isArray(tokens)) {
+    return;
+  }
+  tokens.forEach((token) => {
+    const reports = detectBidiCharacters({ sourceText: token.value, firstLineOffset: token.loc.start.column + firstLineOffset });
+
+    reports.forEach((report) => {
+      context.report({
+        node: node,
+        data: {
+          text: token.value,
+        },
+        loc: {
+          start: {
+            line: token.loc.start.line + report.line,
+            column: report.column,
+          },
+          end: {
+            line: token.loc.start.line + report.line,
+            column: report.column + 1,
+          },
+        },
+        message,
+      });
+    });
+  });
+}
+
+//------------------------------------------------------------------------------
+// Rule Definition
+//------------------------------------------------------------------------------
+
+module.exports = {
+  meta: {
+    type: 'error',
+    docs: {
+      description: 'Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.',
+      category: 'Possible Security Vulnerability',
+      recommended: true,
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-bidi-characters.md',
+    },
+  },
+  create: function (context) {
+    return {
+      Program: function (node) {
+        report({
+          context,
+          node,
+          tokens: node.tokens,
+          firstLineOffset: 0,
+          message: "Detected potential trojan source attack with unicode bidi introduced in this code: '{{text}}'.",
+        });
+        report({
+          context,
+          node,
+          tokens: node.comments,
+          firstLineOffset: 2,
+          message: "Detected potential trojan source attack with unicode bidi introduced in this comment: '{{text}}'.",
+        });
+      },
+    };
+  },
+};

package/rules/detect-buffer-noassert.js

@@ -51,10 +51,10 @@ module.exports = {
   meta: {
     type: 'error',
     docs: {
-      description: 'Detect calls to "buffer" with "noAssert" flag set.',
+      description: 'Detects calls to "buffer" with "noAssert" flag set.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-buffer-noassert',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-buffer-noassert.md',
     },
     __methodsToCheck: {
       read,
@@ -72,7 +72,7 @@ module.exports = {
         }
 
         if (index && node.parent && node.parent.arguments && node.parent.arguments[index] && node.parent.arguments[index].value) {
-          return context.report(node, `Found Buffer.${node.property.name} with noAssert flag set true`);
+          return context.report({ node: node, message: `Found Buffer.${node.property.name} with noAssert flag set true` });
         }
       },
     };

package/rules/detect-child-process.js

@@ -9,40 +9,63 @@
 // Rule Definition
 //------------------------------------------------------------------------------
 
-/*
- * Stores variable names pointing to child_process to check (child_process).exec()
- */
-const names = [];
-
 module.exports = {
   meta: {
     type: 'error',
     docs: {
-      description: 'Detect instances of "child_process" & non-literal "exec()" calls.',
+      description: 'Detects instances of "child_process" & non-literal "exec()" calls.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/avoid-command-injection-node.md',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-child-process.md',
     },
   },
   create: function (context) {
+    /*
+     * Stores variable identifiers pointing to child_process to check (child_process).exec()
+     */
+    const childProcessIdentifiers = new Set();
+
+    /**
+     * Extract identifiers assigned the expression `require("child_process")`.
+     * @param {Pattern} node
+     */
+    function extractChildProcessIdentifiers(node) {
+      if (node.type !== 'Identifier') {
+        return;
+      }
+      const variable = context.getScope().set.get(node.name);
+      if (!variable) {
+        return;
+      }
+      for (const reference of variable.references) {
+        childProcessIdentifiers.add(reference.identifier);
+      }
+    }
+
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'require') {
           const args = node.arguments[0];
           if (args && args.type === 'Literal' && args.value === 'child_process') {
+            let pattern;
             if (node.parent.type === 'VariableDeclarator') {
-              names.push(node.parent.id.name);
+              pattern = node.parent.id;
             } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
-              names.push(node.parent.left.name);
+              pattern = node.parent.left;
+            }
+            if (pattern) {
+              extractChildProcessIdentifiers(pattern);
+            }
+            if (!pattern || pattern.type === 'Identifier') {
+              return context.report({ node: node, message: 'Found require("child_process")' });
             }
-            return context.report(node, 'Found require("child_process")');
           }
         }
       },
       MemberExpression: function (node) {
-        if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
-          if (node.parent && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
-            return context.report(node, 'Found child_process.exec() with non Literal first argument');
+        if (node.property.name === 'exec' && childProcessIdentifiers.has(node.object)) {
+          if (node.parent && node.parent.arguments && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
+            return context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
           }
         }
       },

package/rules/detect-disable-mustache-escape.js

@@ -7,8 +7,8 @@ module.exports = {
       description: 'Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-disable-mustache-escape'
-    }
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-disable-mustache-escape.md',
+    },
   },
   create: function (context) {
     return {
@@ -17,12 +17,12 @@ module.exports = {
           if (node.left.property) {
             if (node.left.property.name === 'escapeMarkup') {
               if (node.right.value === false) {
-                context.report(node, 'Markup escaping disabled.');
+                context.report({ node: node, message: 'Markup escaping disabled.' });
               }
             }
           }
         }
-      }
+      },
     };
-  }
+  },
 };

package/rules/detect-eval-with-expression.js

@@ -16,16 +16,16 @@ module.exports = {
       description: 'Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-eval-with-expression'
-    }
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-eval-with-expression.md',
+    },
   },
   create: function (context) {
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
-          context.report(node, `eval with argument of type ${node.arguments[0].type}`);
+          context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
         }
-      }
+      },
     };
-  }
+  },
 };

package/rules/detect-new-buffer.js

@@ -4,19 +4,19 @@ module.exports = {
   meta: {
     type: 'error',
     docs: {
-      description: 'Detect instances of new Buffer(argument) where argument is any non-literal value.',
+      description: 'Detects instances of new Buffer(argument) where argument is any non-literal value.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/README.md'
-    }
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-new-buffer.md',
+    },
   },
   create: function (context) {
     return {
       NewExpression: function (node) {
         if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {
-          return context.report(node, 'Found new Buffer');
+          return context.report({ node: node, message: 'Found new Buffer' });
         }
-      }
+      },
     };
-  }
+  },
 };

package/rules/detect-no-csrf-before-method-override.js

@@ -16,7 +16,7 @@ module.exports = {
       description: 'Detects Express "csrf" middleware setup before "method-override" middleware.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/bypass-connect-csrf-protection-by-abusing.md',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
     },
   },
   create: function (context) {
@@ -24,7 +24,7 @@ module.exports = {
 
     return {
       CallExpression: function (node) {
-        const token = context.getTokens(node)[0];
+        const token = context.getSourceCode().getTokens(node)[0];
         const nodeValue = token.value;
 
         if (nodeValue === 'express') {
@@ -33,7 +33,7 @@ module.exports = {
           }
 
           if (node.callee.property.name === 'methodOverride' && csrf) {
-            context.report(node, 'express.csrf() middleware found before express.methodOverride()');
+            context.report({ node: node, message: 'express.csrf() middleware found before express.methodOverride()' });
           }
           if (node.callee.property.name === 'csrf') {
             // Keep track of found CSRF