eslint-plugin-security 1.5.0 → 1.7.0

package/rules/detect-non-literal-fs-filename.js

@@ -5,12 +5,30 @@
 
 'use strict';
 
+const fsMetaData = require('../utils/data/fsFunctionData.json');
+const funcNames = Object.keys(fsMetaData);
+const fsPackageNames = ['fs', 'node:fs', 'fs/promises', 'node:fs/promises', 'fs-extra'];
+
+const { getImportAccessPath } = require('../utils/import-utils');
+
 //------------------------------------------------------------------------------
-// Rule Definition
+// Utils
 //------------------------------------------------------------------------------
 
-const fsMetaData = require('./data/fsFunctionData.json');
-const funcNames = Object.keys(fsMetaData);
+function getIndices(node, argMeta) {
+  return (argMeta || []).filter((argIndex) => node.arguments[argIndex].type !== 'Literal');
+}
+
+function generateReport({ context, node, packageName, methodName, indices }) {
+  if (!indices || indices.length === 0) {
+    return;
+  }
+  context.report({ node, message: `Found ${methodName} from package "${packageName}" with non literal argument at index ${indices.join(',')}` });
+}
+
+//------------------------------------------------------------------------------
+// Rule Definition
+//------------------------------------------------------------------------------
 
 module.exports = {
   meta: {
@@ -19,35 +37,65 @@ module.exports = {
       description: 'Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-non-literal-fs-filename',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-fs-filename.md',
     },
   },
   create: function (context) {
     return {
-      MemberExpression: function (node) {
-        const result = [];
-        if (funcNames.indexOf(node.property.name) !== -1) {
-          const meta = fsMetaData[node.property.name];
-          const args = node.parent.arguments;
-          meta.forEach((i) => {
-            if (args && args.length > i) {
-              if (args[i].type !== 'Literal') {
-                result.push(i);
-              }
-            }
-          });
+      CallExpression: function (node) {
+        // don't check require. If all arguments are Literals, it's surely safe!
+        if ((node.callee.type === 'Identifier' && node.callee.name === 'require') || node.arguments.every((argument) => argument.type === 'Literal')) {
+          return;
         }
 
-        if (result.length > 0) {
-          return context.report(node, `Found fs.${node.property.name} with non literal argument at index ${result.join(',')}`);
+        const pathInfo = getImportAccessPath({
+          node: node.callee,
+          scope: context.getScope(),
+          packageNames: fsPackageNames,
+        });
+        if (!pathInfo) {
+          return;
+        }
+        let fnName;
+        if (pathInfo.path.length === 1) {
+          // Check for:
+          // | var something = require('fs').readFile;
+          // | something(a);
+          // ,
+          // | var something = require('fs');
+          // | something.readFile(c);
+          // ,
+          // | var { readFile: something } = require('fs')
+          // | readFile(filename);
+          // ,
+          // | import { readFile as something } from 'fs';
+          // | something(filename);
+          // , or
+          // | import * as something from 'fs';
+          // | something.readFile(c);
+          fnName = pathInfo.path[0];
+        } else if (pathInfo.path.length === 2) {
+          // Check for:
+          // | var something = require('fs').promises;
+          // | something.readFile(filename)
+          fnName = pathInfo.path[1];
+        } else {
+          return;
+        }
+        if (!funcNames.includes(fnName)) {
+          return false;
         }
+        const packageName = pathInfo.packageName;
 
-        /*
-              if (node.parent && node.parent.arguments && node.parent.arguments[index].value) {
-                  return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true');
+        const indices = getIndices(node, fsMetaData[fnName]);
 
-              }
-              */
+        generateReport({
+          context,
+          node,
+          packageName,
+          methodName: fnName,
+          indices,
+        });
       },
     };
   },

package/rules/detect-non-literal-regexp.js

@@ -16,7 +16,7 @@ module.exports = {
       description: 'Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/regular-expression-dos-and-node.md',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-regexp.md',
     },
   },
   create: function (context) {
@@ -25,7 +25,7 @@ module.exports = {
         if (node.callee.name === 'RegExp') {
           const args = node.arguments;
           if (args && args.length > 0 && args[0].type !== 'Literal') {
-            return context.report(node, 'Found non-literal argument to RegExp Constructor');
+            return context.report({ node: node, message: 'Found non-literal argument to RegExp Constructor' });
           }
         }
       },

package/rules/detect-non-literal-require.js

@@ -13,10 +13,10 @@ module.exports = {
   meta: {
     type: 'error',
     docs: {
-      description: 'Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. ',
+      description: 'Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-non-literal-require',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
     },
   },
   create: function (context) {
@@ -28,7 +28,7 @@ module.exports = {
             (args && args.length > 0 && args[0].type === 'TemplateLiteral' && args[0].expressions.length > 0) ||
             (args[0].type !== 'TemplateLiteral' && args[0].type !== 'Literal')
           ) {
-            return context.report(node, 'Found non-literal argument in require');
+            return context.report({ node: node, message: 'Found non-literal argument in require' });
           }
         }
       },

package/rules/detect-object-injection.js

@@ -58,7 +58,7 @@ module.exports = {
       description: 'Detects "variable[key]" as a left- or right-hand assignment operand.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/the-dangers-of-square-bracket-notation.md',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-object-injection.md',
     },
   },
   create: function (context) {
@@ -67,11 +67,11 @@ module.exports = {
         if (node.computed === true) {
           if (node.property.type === 'Identifier') {
             if (node.parent.type === 'VariableDeclarator') {
-              context.report(node, 'Variable Assigned to Object Injection Sink');
+              context.report({ node: node, message: 'Variable Assigned to Object Injection Sink' });
             } else if (node.parent.type === 'CallExpression') {
-              context.report(node, 'Function Call Object Injection Sink');
+              context.report({ node: node, message: 'Function Call Object Injection Sink' });
             } else {
-              context.report(node, 'Generic Object Injection Sink');
+              context.report({ node: node, message: 'Generic Object Injection Sink' });
             }
           }
         }

package/rules/detect-possible-timing-attacks.js

@@ -29,8 +29,8 @@ module.exports = {
       description: 'Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-possible-timing-attacks'
-    }
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-possible-timing-attacks.md',
+    },
   },
   create: function (context) {
     return {
@@ -40,19 +40,19 @@ module.exports = {
             if (node.test.left) {
               const left = containsKeyword(node.test.left);
               if (left) {
-                return context.report(node, `Potential timing attack, left side: ${left}`);
+                return context.report({ node: node, message: `Potential timing attack, left side: ${left}` });
               }
             }
 
             if (node.test.right) {
               const right = containsKeyword(node.test.right);
               if (right) {
-                return context.report(node, `Potential timing attack, right side: ${right}`);
+                return context.report({ node: node, message: `Potential timing attack, right side: ${right}` });
               }
             }
           }
         }
-      }
+      },
     };
-  }
+  },
 };

package/rules/detect-pseudoRandomBytes.js

@@ -16,14 +16,14 @@ module.exports = {
       description: 'Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-pseudorandombytes',
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-pseudoRandomBytes.md',
     },
   },
   create: function (context) {
     return {
       MemberExpression: function (node) {
         if (node.property.name === 'pseudoRandomBytes') {
-          return context.report(node, 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers');
+          return context.report({ node: node, message: 'Found crypto.pseudoRandomBytes which does not produce cryptographically strong numbers' });
         }
       },
     };

package/rules/detect-unsafe-regex.js

@@ -19,32 +19,32 @@ module.exports = {
   meta: {
     type: 'error',
     docs: {
-      description: 'Locates potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.',
+      description: 'Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.',
       category: 'Possible Security Vulnerability',
       recommended: true,
-      url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/regular-expression-dos-and-node.md'
-    }
+      url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-unsafe-regex.md',
+    },
   },
   create: function (context) {
     return {
       Literal: function (node) {
-        const token = context.getTokens(node)[0];
+        const token = context.getSourceCode().getTokens(node)[0];
         const nodeType = token.type;
         const nodeValue = token.value;
 
         if (nodeType === 'RegularExpression') {
           if (!safe(nodeValue)) {
-            context.report(node, 'Unsafe Regular Expression');
+            context.report({ node: node, message: 'Unsafe Regular Expression' });
           }
         }
       },
       NewExpression: function (node) {
         if (node.callee.name === 'RegExp' && node.arguments && node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
           if (!safe(node.arguments[0].value)) {
-            context.report(node, 'Unsafe Regular Expression (new RegExp)');
+            context.report({ node: node, message: 'Unsafe Regular Expression (new RegExp)' });
           }
         }
-      }
+      },
     };
-  }
+  },
 };

package/test/detect-bidi-characters.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const RuleTester = require('eslint').RuleTester;
+const tester = new RuleTester();
+
+const ruleName = 'detect-bidi-characters';
+const Rule = require(`../rules/${ruleName}`);
+
+tester.run(ruleName, Rule, {
+  valid: [
+    {
+      code: `
+  var accessLevel = "user";
+  if (accessLevel != "user") { // Check if admin
+    console.log("You are an admin.");
+  }
+  `,
+    },
+  ],
+  invalid: [
+    {
+      code: `
+      var accessLevel = "user";
+      if (accessLevel != "user‮ ⁦// Check if admin⁩ ⁦") {
+          console.log("You are an admin.");
+      }
+      `,
+      errors: [
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this code/i, line: 3, endLine: 3, column: 31, endColumn: 32 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this code/i, line: 3, endLine: 3, column: 33, endColumn: 34 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this code/i, line: 3, endLine: 3, column: 51, endColumn: 52 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this code/i, line: 3, endLine: 3, column: 53, endColumn: 54 },
+      ],
+    },
+  ],
+});
+
+tester.run(`${ruleName} in comment-line`, Rule, {
+  valid: [
+    {
+      code: `
+  var isAdmin = false;
+  /* begin admins only */ if (isAdmin) {
+    console.log("You are an admin.");
+  /* end admins only */ }
+  `,
+    },
+  ],
+  invalid: [
+    {
+      code: `
+      var isAdmin = false;
+      /*‮ } ⁦if (isAdmin)⁩ ⁦ begin admins only */
+          console.log("You are an admin.");
+      /* end admins only ‮
+⁦*/
+      /* end admins only ‮ 
+ { ⁦*/
+        `,
+      errors: [
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 3, endLine: 3, column: 9, endColumn: 10 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 3, endLine: 3, column: 13, endColumn: 14 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 3, endLine: 3, column: 26, endColumn: 27 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 3, endLine: 3, column: 28, endColumn: 29 },
+
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 5, endLine: 5, column: 26, endColumn: 27 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 6, endLine: 6, column: 1, endColumn: 2 },
+
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 7, endLine: 7, column: 26, endColumn: 27 },
+        { message: /Detected potential trojan source attack with unicode bidi introduced in this comment/i, line: 8, endLine: 8, column: 4, endColumn: 5 },
+      ],
+    },
+  ],
+});

package/test/detect-child-process.js

@@ -1,25 +1,136 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester();
+const tester = new RuleTester({
+  parserOptions: {
+    ecmaVersion: 6,
+    sourceType: 'module',
+  },
+});
 
 const ruleName = 'detect-child-process';
 const rule = require(`../rules/${ruleName}`);
 
 tester.run(ruleName, rule, {
-  valid: ["child_process.exec('ls')"],
+  valid: [
+    "child_process.exec('ls')",
+    `
+    var {} = require('child_process');
+    var result = /hello/.exec(str);`,
+    `
+    var {} = require('node:child_process');
+    var result = /hello/.exec(str);`,
+    `
+    import {} from 'child_process';
+    var result = /hello/.exec(str);`,
+    `
+    import {} from 'node:child_process';
+    var result = /hello/.exec(str);`,
+    "var { spawn } = require('child_process'); spawn(str);",
+    "var { spawn } = require('node:child_process'); spawn(str);",
+    "import { spawn } from 'child_process'; spawn(str);",
+    "import { spawn } from 'node:child_process'; spawn(str);",
+    `
+    var foo = require('child_process');
+    function fn () {
+      var foo = /hello/;
+      var result = foo.exec(str);
+    }`,
+    "var child = require('child_process'); child.spawn(str)",
+    "var child = require('node:child_process'); child.spawn(str)",
+    "import child from 'child_process'; child.spawn(str)",
+    "import child from 'node:child_process'; child.spawn(str)",
+    `
+    var foo = require('child_process');
+    function fn () {
+      var result = foo.spawn(str);
+    }`,
+    "require('child_process').spawn(str)",
+    `
+    function fn () {
+      require('child_process').spawn(str)
+    }`,
+  ],
   invalid: [
     {
       code: "require('child_process')",
       errors: [{ message: 'Found require("child_process")' }],
     },
+    {
+      code: "require('node:child_process')",
+      errors: [{ message: 'Found require("node:child_process")' }],
+    },
     {
       code: "var child = require('child_process'); child.exec(com)",
-      errors: [{ message: 'Found require("child_process")' }, { message: 'Found child_process.exec() with non Literal first argument' }],
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
     },
     {
-      code: "var child = require('child_process'); child.exec()",
+      code: "var child = require('node:child_process'); child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "import child from 'child_process'; child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "import child from 'node:child_process'; child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "var child = sinon.stub(require('child_process')); child.exec.returns({});",
       errors: [{ message: 'Found require("child_process")' }],
     },
+    {
+      code: "var child = sinon.stub(require('node:child_process')); child.exec.returns({});",
+      errors: [{ message: 'Found require("node:child_process")' }],
+    },
+    {
+      code: `
+      var foo = require('child_process');
+      function fn () {
+        var result = foo.exec(str);
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
+    },
+    {
+      code: `
+      import foo from 'child_process';
+      function fn () {
+        var result = foo.exec(str);
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
+    },
+    {
+      code: `
+      import foo from 'node:child_process';
+      function fn () {
+        var result = foo.exec(str);
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
+    },
+    {
+      code: `
+      require('child_process').exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 2 }],
+    },
+    {
+      code: `
+      function fn () {
+        require('child_process').exec(str)
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
+    },
+    {
+      code: `
+      const {exec} = require('child_process');
+      exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
+    },
+    {
+      code: `
+      const {exec} = require('node:child_process');
+      exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
+    },
   ],
 });

package/test/detect-disable-mustache-escape.js

@@ -10,7 +10,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: 'a.escapeMarkup = false',
-      errors: [{ message: 'Markup escaping disabled.' }]
-    }
-  ]
+      errors: [{ message: 'Markup escaping disabled.' }],
+    },
+  ],
 });

package/test/detect-eval-with-expression.js

@@ -6,11 +6,11 @@ const tester = new RuleTester();
 const ruleName = 'detect-eval-with-expression';
 
 tester.run(ruleName, require(`../rules/${ruleName}`), {
-  valid: [{ code: 'eval(\'alert()\')' }],
+  valid: [{ code: "eval('alert()')" }],
   invalid: [
     {
       code: 'eval(a);',
-      errors: [{ message: 'eval with argument of type Identifier' }]
-    }
-  ]
+      errors: [{ message: 'eval with argument of type Identifier' }],
+    },
+  ],
 });

package/test/detect-new-buffer.js

@@ -7,11 +7,11 @@ const ruleName = 'detect-new-buffer';
 const invalid = 'var a = new Buffer(c)';
 
 tester.run(ruleName, require(`../rules/${ruleName}`), {
-  valid: [{ code: 'var a = new Buffer(\'test\')' }],
+  valid: [{ code: "var a = new Buffer('test')" }],
   invalid: [
     {
       code: invalid,
-      errors: [{ message: 'Found new Buffer' }]
-    }
-  ]
+      errors: [{ message: 'Found new Buffer' }],
+    },
+  ],
 });

package/test/detect-no-csrf-before-method-override.js

@@ -10,7 +10,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
   invalid: [
     {
       code: 'express.csrf();express.methodOverride()',
-      errors: [{ message: 'express.csrf() middleware found before express.methodOverride()' }]
-    }
-  ]
+      errors: [{ message: 'express.csrf() middleware found before express.methodOverride()' }],
+    },
+  ],
 });