eslint-plugin-security 1.5.0 → 1.7.0

package/.eslint-doc-generatorrc.js

@@ -0,0 +1,9 @@
+const { format } = require('prettier');
+const prettierRC = require('./.prettierrc.json');
+
+/** @type {import('eslint-doc-generator').GenerateOptions} */
+const config = {
+  postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
+};
+
+module.exports = config;

package/.eslintrc

@@ -1,13 +1,31 @@
 {
-  "extends": [
-    "eslint:recommended",
-    "prettier"
-  ],
+  "extends": ["eslint:recommended", "prettier", "plugin:eslint-plugin/recommended"],
   "parserOptions": {
     "ecmaVersion": "latest"
   },
   "env": {
     "node": true,
     "es2020": true
-  }
+  },
+  "rules": {
+    "eslint-plugin/prefer-message-ids": "off", // TODO: enable
+    "eslint-plugin/require-meta-docs-description": ["error", { "pattern": "^(Detects|Enforces|Requires|Disallows) .+\\.$" }],
+    "eslint-plugin/require-meta-docs-url": [
+      "error",
+      {
+        "pattern": "https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/{{name}}.md"
+      }
+    ],
+    "eslint-plugin/require-meta-schema": "off", // TODO: enable
+    "eslint-plugin/require-meta-type": "off" // TODO: enable
+  },
+  "overrides": [
+    {
+      "files": ["test/**/*.js"],
+      "globals": {
+        "describe": "readonly",
+        "it": "readonly"
+      }
+    }
+  ]
 }

package/.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,85 @@
+name: "\U0001F41E Report a problem"
+description: 'Report an issue with a rule'
+title: 'Bug: (fill in)'
+labels:
+  - bug
+  - 'repro:needed'
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What version of eslint-plugin-security are you using?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: ESLint Environment
+      description: |
+        Please tell us about how you're running ESLint (Run `npx eslint --env-info`.)
+      value: |
+        Node version: 
+        npm version: 
+        Local ESLint version: 
+        Global ESLint version: 
+        Operating System:
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What parser are you using?
+      description: |
+        Please keep in mind that some problems are parser-specific.
+      options:
+        - 'Default (Espree)'
+        - '@typescript-eslint/parser'
+        - '@babel/eslint-parser'
+        - 'vue-eslint-parser'
+        - '@angular-eslint/template-parser'
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        Please include a *minimal* reproduction case. If possible, include a link to a reproduction of the problem in the [ESLint demo](https://eslint.org/demo). Otherwise, include source code, configuration file(s), and any other information about how you're using ESLint. You can use Markdown in this field.
+      value: |
+        <details>
+        <summary>Configuration</summary>
+
+        ```
+        <!-- Paste your configuration here -->
+        ```
+        </details>
+
+        ```js
+        <!-- Paste your code here -->
+        ```
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What did you expect to happen?
+      description: |
+        You can use Markdown in this field.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What actually happened?
+      description: |
+        Please copy-paste the actual ESLint output. You can use Markdown in this field.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request for this issue.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/ISSUE_TEMPLATE/new-rule.yml

@@ -0,0 +1,39 @@
+name: "\U0001F680 Propose a new  rule"
+description: 'Propose a new rule to be added to the plugin'
+title: 'New Rule: (fill in)'
+labels:
+  - rule
+  - feature
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: Rule details
+      description: What should the new rule do?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Related CVE
+      description: We only accept new rules that have a published [CVE](https://www.redhat.com/en/topics/security/what-is-cve).
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example JavaScript code that this rule will warn about. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this rule.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/ISSUE_TEMPLATE/rule-change.yml

@@ -0,0 +1,61 @@
+name: "\U0001F4DD Request a rule change"
+description: 'Request a change to an existing rule'
+title: 'Rule Change: (fill in)'
+labels:
+  - enhancement
+  - rule
+body:
+  - type: markdown
+    attributes:
+      value: By opening an issue, you agree to abide by the [Open JS Foundation Code of Conduct](https://eslint.org/conduct).
+  - type: input
+    attributes:
+      label: What rule do you want to change?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: What change to do you want to make?
+      options:
+        - Generate more warnings
+        - Generate fewer warnings
+        - Implement autofix
+        - Implement suggestions
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: How do you think the change should be implemented?
+      options:
+        - A new option
+        - A new default behavior
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Example code
+      description: Please provide some example code that this change will affect. This field will render as JavaScript.
+      render: js
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What does the rule currently do for this code?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: What will the rule do after it's changed?
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Participation
+      options:
+        - label: I am willing to submit a pull request to implement this change.
+          required: false
+  - type: textarea
+    attributes:
+      label: Additional comments
+      description: Is there anything else that's important for the team to know?

package/.github/workflows/ci.yml

@@ -9,9 +9,13 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
         with:
           node-version: '16.x'
 
@@ -26,17 +30,21 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node: [17.x, 16.x, 14.x, 12.x, '12.22.0']
+        node: [18.x, 16.x, 14.x, 12.x, '12.22.0']
         include:
           - os: windows-latest
             node: '16.x'
           - os: macOS-latest
             node: '16.x'
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node }}
 

package/.github/workflows/pr.yml

@@ -5,9 +5,13 @@ jobs:
   conventional:
     name: Conventional PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v3
       - uses: beemojs/conventional-pr-action@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/release-please.yml

@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - main
+name: release-please
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GoogleCloudPlatform/release-please-action@v2
+        id: release
+        with:
+          release-type: node
+          package-name: test-release-please
+      # The logic below handles the npm publication:
+      - uses: actions/checkout@v3
+        # these if statements ensure that a publication only occurs when
+        # a new release is created:
+        if: ${{ steps.release.outputs.release_created }}
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          registry-url: 'https://registry.npmjs.org'
+        if: ${{ steps.release.outputs.release_created }}
+      - run: npm ci
+        if: ${{ steps.release.outputs.release_created }}
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+        if: ${{ steps.release.outputs.release_created }}
+
+      # Tweets out release announcement
+      - run: 'npx @humanwhocodes/tweet "${{ github.event.repository.full_name }} v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }} has been released!\n\n${{ github.event.repository.html_url }}/releases/tag/v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}"'
+        if: ${{ steps.release.outputs.release_created }}
+        env:
+          TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
+          TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}
+          TWITTER_ACCESS_TOKEN_KEY: ${{ secrets.TWITTER_ACCESS_TOKEN_KEY }}
+          TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}

package/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "line-length": false,
+  "no-inline-html": { "allowed_elements": ["kbd"] }
+}

package/.markdownlintignore

@@ -0,0 +1,3 @@
+CHANGELOG.md
+LICENSE
+node_modules

package/.prettierignore

@@ -0,0 +1 @@
+/CHANGELOG.md

package/CHANGELOG.md

@@ -1,39 +1,94 @@
-# 1.4.0 / 2017-06-12
+# Changelog
+
+## [1.7.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.6.0...v1.7.0) (2023-01-26)
+
+
+### Features
+
+* improve detect-child-process rule ([#108](https://www.github.com/eslint-community/eslint-plugin-security/issues/108)) ([64ae529](https://www.github.com/eslint-community/eslint-plugin-security/commit/64ae52944a86f9d9daee769acd63ebbdfc5b6631))
+
+## [1.6.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.5.0...v1.6.0) (2023-01-11)
+
+### Features
+
+* Add meta object documentation for all rules ([#79](https://www.github.com/eslint-community/eslint-plugin-security/issues/79)) ([fb1d9ef](https://www.github.com/eslint-community/eslint-plugin-security/commit/fb1d9ef56e0cf2705b9e413b483261df394c45e1))
+* detect-bidi-characters rule ([#95](https://www.github.com/eslint-community/eslint-plugin-security/issues/95)) ([4294d29](https://www.github.com/eslint-community/eslint-plugin-security/commit/4294d29cca8af5c627de759919add6dd698644ba))
+* **detect-non-literal-fs-filename:** change to track non-top-level `require()` as well ([#105](https://www.github.com/eslint-community/eslint-plugin-security/issues/105)) ([d3b1543](https://www.github.com/eslint-community/eslint-plugin-security/commit/d3b15435b45b9ac2ee5f0d3249f590e32369d7d2))
+* extend detect non literal fs filename ([#92](https://www.github.com/eslint-community/eslint-plugin-security/issues/92)) ([08ba476](https://www.github.com/eslint-community/eslint-plugin-security/commit/08ba4764a83761f6f44cb28940923f1d25f88581))
+* **non-literal-require:** support template literals ([#81](https://www.github.com/eslint-community/eslint-plugin-security/issues/81)) ([208019b](https://www.github.com/eslint-community/eslint-plugin-security/commit/208019bad4f70a142ab1f0ea7238c37cb70d1a5a))
+
+### Bug Fixes
+
+* Avoid crash when exec() is passed no arguments ([7f97815](https://www.github.com/eslint-community/eslint-plugin-security/commit/7f97815accf6bcd87de73c32a967946b1b3b0530)), closes [#82](https://www.github.com/eslint-community/eslint-plugin-security/issues/82) [#23](https://www.github.com/eslint-community/eslint-plugin-security/issues/23)
+* Avoid TypeError when exec stub is used with no arguments ([#97](https://www.github.com/eslint-community/eslint-plugin-security/issues/97)) ([9c18f16](https://www.github.com/eslint-community/eslint-plugin-security/commit/9c18f16187719b58cc5dfde9860344bad823db28))
+* **detect-child-process:** false positive for destructuring with `exec` ([#102](https://www.github.com/eslint-community/eslint-plugin-security/issues/102)) ([657921a](https://www.github.com/eslint-community/eslint-plugin-security/commit/657921a93f6f73c0de6113e497b22e7cf079f520))
+* **detect-child-process:** false positives for destructuring `spawn` ([#103](https://www.github.com/eslint-community/eslint-plugin-security/issues/103)) ([fdfe37d](https://www.github.com/eslint-community/eslint-plugin-security/commit/fdfe37d667367e5fd228c26573a1791c81a044d2))
+* Incorrect method name in detect-buffer-noassert. ([313c0c6](https://www.github.com/eslint-community/eslint-plugin-security/commit/313c0c693f48aa85d0c9b65a46f6c620cd10f907)), closes [#63](https://www.github.com/eslint-community/eslint-plugin-security/issues/63) [#80](https://www.github.com/eslint-community/eslint-plugin-security/issues/80)
+
+## 1.5.0 / 2022-04-14
+
+- Fix avoid crash when exec() is passed no arguments
+  Closes [#82](https://github.com/eslint-community/eslint-plugin-security/pull/82) with ref as [#23](https://github.com/eslint-community/eslint-plugin-security/pull/23)
+- Fix incorrect method name in detect-buffer-noassert
+  Closes [#63](https://github.com/eslint-community/eslint-plugin-security/pull/63) and [#80](https://github.com/eslint-community/eslint-plugin-security/pull/80)
+- Clean up source code formatting
+  Fixes [#4](https://github.com/eslint-community/eslint-plugin-security/issues/4) and closes [#78](https://github.com/eslint-community/eslint-plugin-security/pull/78)
+- Add release script
+  [Script](https://github.com/eslint-community/eslint-plugin-security/commit/0a6631ea448eb0031af7b351c85b3aa298c2e44c)
+- Add non-literal require TemplateLiteral support [#81](https://github.com/eslint-community/eslint-plugin-security/pull/81)
+- Add meta object documentation for all rules [#79](https://github.com/eslint-community/eslint-plugin-security/pull/79)
+- Added Git pre-commit hook to format JS files
+  [Pre-commit hook](https://github.com/eslint-community/eslint-plugin-security/commit/e2ae2ee9ef214ca6d8f69fbcc438d230fda2bf97)
+- Added yarn installation method
+- Fix linting errors and step
+  [Lint errors](https://github.com/eslint-community/eslint-plugin-security/commit/1258118c2d07722e9fb388a672b287bb43bc73b3), [Lint step](https://github.com/eslint-community/eslint-plugin-security/commit/84f3ed3ab88427753c7ac047d0bccbe557f28aa5)
+- Create workflows
+  Check commit message on pull requests, Set up ci on main branch
+- Update test and lint commands to work cross-platform
+  [Commit](https://github.com/eslint-community/eslint-plugin-security/commit/d3d8e7a27894aa3f83b560f530eb49750e9ee19a)
+- Merge pull request [#47](https://github.com/eslint-community/eslint-plugin-security/pull/47) from pdehaan/add-docs
+  Add old liftsecurity blog posts to docs/ folder
+- Bumped up dependencies
+- Added `package-lock.json`
+- Fixed typos in README and documentation
+  Replaced dead links in README
+
+## 1.4.0 / 2017-06-12
 
 - 1.4.0
 - Stuff and things for 1.4.0 beep boop 🤖
-- Merge pull request [#14](https://github.com/nodesecurity/eslint-plugin-security/issues/14) from travi/recommended-example
+- Merge pull request [#14](https://github.com/eslint-community/eslint-plugin-security/issues/14) from travi/recommended-example
   Add recommended ruleset to the usage example
-- Merge pull request [#19](https://github.com/nodesecurity/eslint-plugin-security/issues/19) from pdehaan/add-changelog
+- Merge pull request [#19](https://github.com/eslint-community/eslint-plugin-security/issues/19) from pdehaan/add-changelog
   Add basic CHANGELOG.md file
-- Merge pull request [#17](https://github.com/nodesecurity/eslint-plugin-security/issues/17) from pdehaan/issue-16
+- Merge pull request [#17](https://github.com/eslint-community/eslint-plugin-security/issues/17) from pdehaan/issue-16
   Remove filename from error output
 - Add basic CHANGELOG.md file
 - Remove filename from error output
 - Add recommended ruleset to the usage example
-  for [#9](https://github.com/nodesecurity/eslint-plugin-security/issues/9)
-- Merge pull request [#10](https://github.com/nodesecurity/eslint-plugin-security/issues/10) from pdehaan/issue-9
+  for [#9](https://github.com/eslint-community/eslint-plugin-security/issues/9)
+- Merge pull request [#10](https://github.com/eslint-community/eslint-plugin-security/issues/10) from pdehaan/issue-9
   Add 'plugin:security/recommended' config to plugin
-- Merge pull request [#12](https://github.com/nodesecurity/eslint-plugin-security/issues/12) from tupaschoal/patch-1
+- Merge pull request [#12](https://github.com/eslint-community/eslint-plugin-security/issues/12) from tupaschoal/patch-1
   Fix broken link for detect-object-injection
 - Fix broken link for detect-object-injection
   The current link leads to a 404 page, the new one is the proper page.
 - Add 'plugin:security/recommended' config to plugin
 
-# 1.3.0 / 2017-02-09
+## 1.3.0 / 2017-02-09
 
 - 1.3.0
 - Merge branch 'scottnonnenberg-update-docs'
 - Fix merge conflicts because I can't figure out how to accept pr's in the right order
-- Merge pull request [#7](https://github.com/nodesecurity/eslint-plugin-security/issues/7) from HamletDRC/patch-1
+- Merge pull request [#7](https://github.com/eslint-community/eslint-plugin-security/issues/7) from HamletDRC/patch-1
   README.md - documentation detect-new-buffer rule
-- Merge pull request [#8](https://github.com/nodesecurity/eslint-plugin-security/issues/8) from HamletDRC/patch-2
+- Merge pull request [#8](https://github.com/eslint-community/eslint-plugin-security/issues/8) from HamletDRC/patch-2
   README.md - document detect-disable-mustache-escape rule
-- Merge pull request [#3](https://github.com/nodesecurity/eslint-plugin-security/issues/3) from jesusprubio/master
+- Merge pull request [#3](https://github.com/eslint-community/eslint-plugin-security/issues/3) from jesusprubio/master
   A bit of love
 - README.md - document detect-disable-mustache-escape rule
 - README.md - documentation detect-new-buffer rule
-- Merge pull request [#6](https://github.com/nodesecurity/eslint-plugin-security/issues/6) from mathieumg/csrf-bug
+- Merge pull request [#6](https://github.com/eslint-community/eslint-plugin-security/issues/6) from mathieumg/csrf-bug
   Fixed crash with `detect-no-csrf-before-method-override` rule
 - Fixed crash with `detect-no-csrf-before-method-override` rule.
 - Finishing last commit
@@ -47,17 +102,17 @@
 - A little bit of massage to readme intro
 - Add additional information to README for each rule
 
-# 1.2.0 / 2016-01-21
+## 1.2.0 / 2016-01-21
 
 - 1.2.0
 - updated to check for new RegExp too
 
-# 1.1.0 / 2016-01-06
+## 1.1.0 / 2016-01-06
 
 - 1.1.0
 - adding eslint rule to detect new buffer hotspot
 
-# 1.0.0 / 2015-11-15
+## 1.0.0 / 2015-11-15
 
 - updated desc
 - rules disabled by default

package/README.md

@@ -1,14 +1,24 @@
 # eslint-plugin-security
 
+[![NPM version](https://img.shields.io/npm/v/eslint-plugin-security.svg?style=flat)](https://npmjs.org/package/eslint-plugin-security)
+
 ESLint rules for Node Security
 
 This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
 
-### Installation
+## Installation
+
+```sh
+npm install --save-dev eslint-plugin-security
+```
+
+or
 
-`npm install --save-dev eslint-plugin-security` or `yarn add eslint-plugin-security --dev`
+```sh
+yarn add --dev eslint-plugin-security
+```
 
-### Usage
+## Usage
 
 Add the following to your `.eslintrc` file:
 
@@ -29,86 +39,34 @@ Add the following to your `.eslintrc` file:
 npm run-script cont-int
 ```
 
-### Tests
+## Tests
 
 ```sh
 npm test
 ```
 
-### Rules
-
-#### `detect-unsafe-regex`
-
-Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.
-
-More information: [Regular Expression DoS and Node.js](docs/regular-expression-dos-and-node.md)
-
-#### `detect-buffer-noassert`
-
-Detect calls to [`buffer`](https://nodejs.org/api/buffer.html) with `noAssert` flag set.
-
-From the Node.js API docs: "Setting `noAssert` to true skips validation of the `offset`. This allows the `offset` to be beyond the end of the `Buffer`."
-
-#### `detect-child-process`
-
-Detect instances of [`child_process`](https://nodejs.org/api/child_process.html) & non-literal [`exec()`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
-
-More information: [Avoiding Command Injection in Node.js](docs/avoid-command-injection-node.md)
-
-#### `detect-disable-mustache-escape`
-
-Detects `object.escapeMarkup = false`, which can be used with some template engines to disable escaping of HTML entities. This can lead to Cross-Site Scripting (XSS) vulnerabilities.
-
-More information: [OWASP XSS](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)
-
-#### `detect-eval-with-expression`
-
-Detects `eval(variable)` which can allow an attacker to run arbitrary code inside your process.
-
-More information: [What are the security issues with eval in JavaScript?](http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript)
-
-#### `detect-no-csrf-before-method-override`
-
-Detects Express `csrf` middleware setup before `method-override` middleware. This can allow `GET` requests (which are not checked by `csrf`) to turn into `POST` requests later.
-
-More information: [Bypass Connect CSRF protection by abusing methodOverride Middleware](docs/bypass-connect-csrf-protection-by-abusing.md)
-
-#### `detect-non-literal-fs-filename`
-
-Detects variable in filename argument of `fs` calls, which might allow an attacker to access anything on your system.
-
-More information: [OWASP Path Traversal](https://www.owasp.org/index.php/Path_Traversal)
-
-#### `detect-non-literal-regexp`
-
-Detects `RegExp(variable)`, which might allow an attacker to DOS your server with a long-running regular expression.
-
-More information: [Regular Expression DoS and Node.js](docs/regular-expression-dos-and-node.md)
-
-#### `detect-non-literal-require`
-
-Detects `require(variable)`, which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.
-
-More information: [Where does Node.js and require look for modules?](http://www.bennadel.com/blog/2169-where-does-node-js-and-require-look-for-modules.htm)
-
-#### `detect-object-injection`
-
-Detects `variable[key]` as a left- or right-hand assignment operand.
-
-More information: [The Dangers of Square Bracket Notation](docs/the-dangers-of-square-bracket-notation.md)
-
-#### `detect-possible-timing-attacks`
-
-Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.
-
-More information: [A lesson in timing attacks](https://codahale.com/a-lesson-in-timing-attacks/)
-
-#### `detect-pseudoRandomBytes`
-
-Detects if `pseudoRandomBytes()` is in use, which might not give you the randomness you need and expect.
-
-More information: [Randombytes vs pseudorandombytes](http://stackoverflow.com/questions/18130254/randombytes-vs-pseudorandombytes)
-
-#### `detect-new-buffer`
-
-Detect instances of new Buffer(argument) where argument is any non-literal value.
+## Rules
+
+<!-- begin auto-generated rules list -->
+
+⚠️ Configurations set to warn in.\
+✅ Set in the `recommended` configuration.
+
+| Name                                                                                         | Description                                                                                                                   | ⚠️  |
+| :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :-- |
+| [detect-bidi-characters](docs/rules/detect-bidi-characters.md)                               | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.                                      | ✅  |
+| [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md)                               | Detects calls to "buffer" with "noAssert" flag set.                                                                           | ✅  |
+| [detect-child-process](docs/rules/detect-child-process.md)                                   | Detects instances of "child_process" & non-literal "exec()" calls.                                                            | ✅  |
+| [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md)               | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.     | ✅  |
+| [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md)                     | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.                               | ✅  |
+| [detect-new-buffer](docs/rules/detect-new-buffer.md)                                         | Detects instances of new Buffer(argument) where argument is any non-literal value.                                            | ✅  |
+| [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware.                                                  | ✅  |
+| [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md)               | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.         | ✅  |
+| [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md)                         | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.          | ✅  |
+| [detect-non-literal-require](docs/rules/detect-non-literal-require.md)                       | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅  |
+| [detect-object-injection](docs/rules/detect-object-injection.md)                             | Detects "variable[key]" as a left- or right-hand assignment operand.                                                          | ✅  |
+| [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md)               | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.                                   | ✅  |
+| [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md)                           | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.                      | ✅  |
+| [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md)                                     | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.              | ✅  |
+
+<!-- end auto-generated rules list -->

package/docs/bypass-connect-csrf-protection-by-abusing.md

@@ -8,7 +8,7 @@ This issue was found and reported to us by [Luca Carettoni](http://twitter.com/_
 
 Connect, methodOverride middleware
 
-### Description:
+### Description
 
 **Connect's "methodOverride" middleware allows an HTTP request to override the method of the request with the value of the "\_method" post key or with the header "x-http-method-override".**
 
@@ -25,7 +25,7 @@ app.use express.methodOverride()
 
 Connect's CSRF middleware does not check csrf tokens in case of idempotent verbs (GET/HEAD/OPTIONS, see lib/middleware/csrf.js). As a result, it is possible to bypass this security control by sending a GET request with a POST MethodOverride header or key.
 
-### Example:
+### Example
 
 ```sh
 GET / HTTP/1.1
@@ -33,7 +33,7 @@ GET / HTTP/1.1
 _method=POST
 ```
 
-### Mitigation Factors:
+### Mitigation Factors
 
 Disable methodOverride or make sure that it takes precedence over other middleware declarations.