eslint-plugin-security 1.6.0 → 1.7.0

package/.prettierignore

@@ -0,0 +1 @@
+/CHANGELOG.md

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.7.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.6.0...v1.7.0) (2023-01-26)
+
+
+### Features
+
+* improve detect-child-process rule ([#108](https://www.github.com/eslint-community/eslint-plugin-security/issues/108)) ([64ae529](https://www.github.com/eslint-community/eslint-plugin-security/commit/64ae52944a86f9d9daee769acd63ebbdfc5b6631))
+
 ## [1.6.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.5.0...v1.6.0) (2023-01-11)
 
 ### Features
@@ -21,25 +28,25 @@
 ## 1.5.0 / 2022-04-14
 
 - Fix avoid crash when exec() is passed no arguments
-  Closes [#82](https://github.com/nodesecurity/eslint-plugin-security/pull/82) with ref as [#23](https://github.com/nodesecurity/eslint-plugin-security/pull/23)
+  Closes [#82](https://github.com/eslint-community/eslint-plugin-security/pull/82) with ref as [#23](https://github.com/eslint-community/eslint-plugin-security/pull/23)
 - Fix incorrect method name in detect-buffer-noassert
-  Closes [#63](https://github.com/nodesecurity/eslint-plugin-security/pull/63) and [#80](https://github.com/nodesecurity/eslint-plugin-security/pull/80)
+  Closes [#63](https://github.com/eslint-community/eslint-plugin-security/pull/63) and [#80](https://github.com/eslint-community/eslint-plugin-security/pull/80)
 - Clean up source code formatting
-  Fixes [#4](https://github.com/nodesecurity/eslint-plugin-security/issues/4) and closes [#78](https://github.com/nodesecurity/eslint-plugin-security/pull/78)
+  Fixes [#4](https://github.com/eslint-community/eslint-plugin-security/issues/4) and closes [#78](https://github.com/eslint-community/eslint-plugin-security/pull/78)
 - Add release script
-  [Script](https://github.com/nodesecurity/eslint-plugin-security/commit/0a6631ea448eb0031af7b351c85b3aa298c2e44c)
-- Add non-literal require TemplateLiteral support [#81](https://github.com/nodesecurity/eslint-plugin-security/pull/81)
-- Add meta object documentation for all rules [#79](https://github.com/nodesecurity/eslint-plugin-security/pull/79)
+  [Script](https://github.com/eslint-community/eslint-plugin-security/commit/0a6631ea448eb0031af7b351c85b3aa298c2e44c)
+- Add non-literal require TemplateLiteral support [#81](https://github.com/eslint-community/eslint-plugin-security/pull/81)
+- Add meta object documentation for all rules [#79](https://github.com/eslint-community/eslint-plugin-security/pull/79)
 - Added Git pre-commit hook to format JS files
-  [Pre-commit hook](https://github.com/nodesecurity/eslint-plugin-security/commit/e2ae2ee9ef214ca6d8f69fbcc438d230fda2bf97)
+  [Pre-commit hook](https://github.com/eslint-community/eslint-plugin-security/commit/e2ae2ee9ef214ca6d8f69fbcc438d230fda2bf97)
 - Added yarn installation method
 - Fix linting errors and step
-  [Lint errors](https://github.com/nodesecurity/eslint-plugin-security/commit/1258118c2d07722e9fb388a672b287bb43bc73b3), [Lint step](https://github.com/nodesecurity/eslint-plugin-security/commit/84f3ed3ab88427753c7ac047d0bccbe557f28aa5)
+  [Lint errors](https://github.com/eslint-community/eslint-plugin-security/commit/1258118c2d07722e9fb388a672b287bb43bc73b3), [Lint step](https://github.com/eslint-community/eslint-plugin-security/commit/84f3ed3ab88427753c7ac047d0bccbe557f28aa5)
 - Create workflows
   Check commit message on pull requests, Set up ci on main branch
 - Update test and lint commands to work cross-platform
-  [Commit](https://github.com/nodesecurity/eslint-plugin-security/commit/d3d8e7a27894aa3f83b560f530eb49750e9ee19a)
-- Merge pull request [#47](https://github.com/nodesecurity/eslint-plugin-security/pull/47) from pdehaan/add-docs
+  [Commit](https://github.com/eslint-community/eslint-plugin-security/commit/d3d8e7a27894aa3f83b560f530eb49750e9ee19a)
+- Merge pull request [#47](https://github.com/eslint-community/eslint-plugin-security/pull/47) from pdehaan/add-docs
   Add old liftsecurity blog posts to docs/ folder
 - Bumped up dependencies
 - Added `package-lock.json`
@@ -50,19 +57,19 @@
 
 - 1.4.0
 - Stuff and things for 1.4.0 beep boop 🤖
-- Merge pull request [#14](https://github.com/nodesecurity/eslint-plugin-security/issues/14) from travi/recommended-example
+- Merge pull request [#14](https://github.com/eslint-community/eslint-plugin-security/issues/14) from travi/recommended-example
   Add recommended ruleset to the usage example
-- Merge pull request [#19](https://github.com/nodesecurity/eslint-plugin-security/issues/19) from pdehaan/add-changelog
+- Merge pull request [#19](https://github.com/eslint-community/eslint-plugin-security/issues/19) from pdehaan/add-changelog
   Add basic CHANGELOG.md file
-- Merge pull request [#17](https://github.com/nodesecurity/eslint-plugin-security/issues/17) from pdehaan/issue-16
+- Merge pull request [#17](https://github.com/eslint-community/eslint-plugin-security/issues/17) from pdehaan/issue-16
   Remove filename from error output
 - Add basic CHANGELOG.md file
 - Remove filename from error output
 - Add recommended ruleset to the usage example
-  for [#9](https://github.com/nodesecurity/eslint-plugin-security/issues/9)
-- Merge pull request [#10](https://github.com/nodesecurity/eslint-plugin-security/issues/10) from pdehaan/issue-9
+  for [#9](https://github.com/eslint-community/eslint-plugin-security/issues/9)
+- Merge pull request [#10](https://github.com/eslint-community/eslint-plugin-security/issues/10) from pdehaan/issue-9
   Add 'plugin:security/recommended' config to plugin
-- Merge pull request [#12](https://github.com/nodesecurity/eslint-plugin-security/issues/12) from tupaschoal/patch-1
+- Merge pull request [#12](https://github.com/eslint-community/eslint-plugin-security/issues/12) from tupaschoal/patch-1
   Fix broken link for detect-object-injection
 - Fix broken link for detect-object-injection
   The current link leads to a 404 page, the new one is the proper page.
@@ -73,15 +80,15 @@
 - 1.3.0
 - Merge branch 'scottnonnenberg-update-docs'
 - Fix merge conflicts because I can't figure out how to accept pr's in the right order
-- Merge pull request [#7](https://github.com/nodesecurity/eslint-plugin-security/issues/7) from HamletDRC/patch-1
+- Merge pull request [#7](https://github.com/eslint-community/eslint-plugin-security/issues/7) from HamletDRC/patch-1
   README.md - documentation detect-new-buffer rule
-- Merge pull request [#8](https://github.com/nodesecurity/eslint-plugin-security/issues/8) from HamletDRC/patch-2
+- Merge pull request [#8](https://github.com/eslint-community/eslint-plugin-security/issues/8) from HamletDRC/patch-2
   README.md - document detect-disable-mustache-escape rule
-- Merge pull request [#3](https://github.com/nodesecurity/eslint-plugin-security/issues/3) from jesusprubio/master
+- Merge pull request [#3](https://github.com/eslint-community/eslint-plugin-security/issues/3) from jesusprubio/master
   A bit of love
 - README.md - document detect-disable-mustache-escape rule
 - README.md - documentation detect-new-buffer rule
-- Merge pull request [#6](https://github.com/nodesecurity/eslint-plugin-security/issues/6) from mathieumg/csrf-bug
+- Merge pull request [#6](https://github.com/eslint-community/eslint-plugin-security/issues/6) from mathieumg/csrf-bug
   Fixed crash with `detect-no-csrf-before-method-override` rule
 - Fixed crash with `detect-no-csrf-before-method-override` rule.
 - Finishing last commit
@@ -95,7 +102,6 @@
 - A little bit of massage to readme intro
 - Add additional information to README for each rule
 
-
 ## 1.2.0 / 2016-01-21
 
 - 1.2.0

package/docs/the-dangers-of-square-bracket-notation.md

@@ -11,7 +11,7 @@ Let's take a look at why this could be a problem.
 ## Issue #1: Bracket object notation with user input grants access to every property available on the object
 
 ```js
-exampleClass[userInput[1]] = userInput[2];
+exampleClass[userInput[0]] = userInput[1];
 ```
 
 I won't spend much time here, as I believe this is fairly well known. If exampleClass contains a sensitive property, the above code will allow it to be edited.
@@ -20,7 +20,7 @@ I won't spend much time here, as I believe this is fairly well known. If example
 
 ```js
 userInput = ['constructor', '{}'];
-exampleClass[userInput[1]] = userInput[2];
+exampleClass[userInput[0]] = userInput[1];
 ```
 
 This looks pretty innocuous, even if it is an uncommon pattern. The problem here is that we can access or overwrite prototypes such as `constructor` or `__defineGetter__`, which may be used later on. The most likely outcome of this scenario would be an application crash, when a string is attempted to be called as a function.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-security",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
@@ -18,7 +18,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/nodesecurity/eslint-plugin-security.git"
+    "url": "git+https://github.com/eslint-community/eslint-plugin-security.git"
   },
   "keywords": [
     "eslint",
@@ -28,9 +28,9 @@
   "author": "Node Security Project",
   "license": "Apache-2.0",
   "bugs": {
-    "url": "https://github.com/nodesecurity/eslint-plugin-security/issues"
+    "url": "https://github.com/eslint-community/eslint-plugin-security/issues"
   },
-  "homepage": "https://github.com/nodesecurity/eslint-plugin-security#readme",
+  "homepage": "https://github.com/eslint-community/eslint-plugin-security#readme",
   "gitHooks": {
     "pre-commit": "lint-staged"
   },

package/rules/detect-child-process.js

@@ -5,6 +5,9 @@
 
 'use strict';
 
+const { getImportAccessPath } = require('../utils/import-utils');
+const childProcessPackageNames = ['child_process', 'node:child_process'];
+
 //------------------------------------------------------------------------------
 // Rule Definition
 //------------------------------------------------------------------------------
@@ -20,54 +23,37 @@ module.exports = {
     },
   },
   create: function (context) {
-    /*
-     * Stores variable identifiers pointing to child_process to check (child_process).exec()
-     */
-    const childProcessIdentifiers = new Set();
-
-    /**
-     * Extract identifiers assigned the expression `require("child_process")`.
-     * @param {Pattern} node
-     */
-    function extractChildProcessIdentifiers(node) {
-      if (node.type !== 'Identifier') {
-        return;
-      }
-      const variable = context.getScope().set.get(node.name);
-      if (!variable) {
-        return;
-      }
-      for (const reference of variable.references) {
-        childProcessIdentifiers.add(reference.identifier);
-      }
-    }
-
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'require') {
           const args = node.arguments[0];
-          if (args && args.type === 'Literal' && args.value === 'child_process') {
-            let pattern;
-            if (node.parent.type === 'VariableDeclarator') {
-              pattern = node.parent.id;
-            } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
-              pattern = node.parent.left;
-            }
-            if (pattern) {
-              extractChildProcessIdentifiers(pattern);
-            }
-            if (!pattern || pattern.type === 'Identifier') {
-              return context.report({ node: node, message: 'Found require("child_process")' });
-            }
+          if (
+            args &&
+            args.type === 'Literal' &&
+            childProcessPackageNames.includes(args.value) &&
+            node.parent.type !== 'VariableDeclarator' &&
+            node.parent.type !== 'AssignmentExpression' &&
+            node.parent.type !== 'MemberExpression'
+          ) {
+            context.report({ node: node, message: 'Found require("' + args.value + '")' });
           }
+          return;
         }
-      },
-      MemberExpression: function (node) {
-        if (node.property.name === 'exec' && childProcessIdentifiers.has(node.object)) {
-          if (node.parent && node.parent.arguments && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
-            return context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
-          }
+
+        // Reports non-literal `exec()` calls.
+        if (!node.arguments.length || node.arguments[0].type === 'Literal') {
+          return;
+        }
+        const pathInfo = getImportAccessPath({
+          node: node.callee,
+          scope: context.getScope(),
+          packageNames: childProcessPackageNames,
+        });
+        const fnName = pathInfo && pathInfo.path.length === 1 && pathInfo.path[0];
+        if (fnName !== 'exec') {
+          return;
         }
+        context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
       },
     };
   },

package/test/detect-child-process.js

@@ -1,7 +1,12 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester();
+const tester = new RuleTester({
+  parserOptions: {
+    ecmaVersion: 6,
+    sourceType: 'module',
+  },
+});
 
 const ruleName = 'detect-child-process';
 const rule = require(`../rules/${ruleName}`);
@@ -9,53 +14,123 @@ const rule = require(`../rules/${ruleName}`);
 tester.run(ruleName, rule, {
   valid: [
     "child_process.exec('ls')",
-    {
-      code: `
-      var {} = require('child_process');
-      var result = /hello/.exec(str);`,
-      parserOptions: { ecmaVersion: 6 },
-    },
-    {
-      code: "var { spawn } = require('child_process'); spawn(str);",
-      parserOptions: { ecmaVersion: 6 },
-    },
+    `
+    var {} = require('child_process');
+    var result = /hello/.exec(str);`,
+    `
+    var {} = require('node:child_process');
+    var result = /hello/.exec(str);`,
+    `
+    import {} from 'child_process';
+    var result = /hello/.exec(str);`,
+    `
+    import {} from 'node:child_process';
+    var result = /hello/.exec(str);`,
+    "var { spawn } = require('child_process'); spawn(str);",
+    "var { spawn } = require('node:child_process'); spawn(str);",
+    "import { spawn } from 'child_process'; spawn(str);",
+    "import { spawn } from 'node:child_process'; spawn(str);",
+    `
+    var foo = require('child_process');
+    function fn () {
+      var foo = /hello/;
+      var result = foo.exec(str);
+    }`,
+    "var child = require('child_process'); child.spawn(str)",
+    "var child = require('node:child_process'); child.spawn(str)",
+    "import child from 'child_process'; child.spawn(str)",
+    "import child from 'node:child_process'; child.spawn(str)",
+    `
+    var foo = require('child_process');
+    function fn () {
+      var result = foo.spawn(str);
+    }`,
+    "require('child_process').spawn(str)",
+    `
+    function fn () {
+      require('child_process').spawn(str)
+    }`,
   ],
   invalid: [
     {
       code: "require('child_process')",
       errors: [{ message: 'Found require("child_process")' }],
     },
+    {
+      code: "require('node:child_process')",
+      errors: [{ message: 'Found require("node:child_process")' }],
+    },
     {
       code: "var child = require('child_process'); child.exec(com)",
-      errors: [{ message: 'Found require("child_process")' }, { message: 'Found child_process.exec() with non Literal first argument' }],
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
     },
     {
-      code: "var child = require('child_process'); child.exec()",
-      errors: [{ message: 'Found require("child_process")' }],
+      code: "var child = require('node:child_process'); child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "import child from 'child_process'; child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
+    },
+    {
+      code: "import child from 'node:child_process'; child.exec(com)",
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
     },
     {
       code: "var child = sinon.stub(require('child_process')); child.exec.returns({});",
       errors: [{ message: 'Found require("child_process")' }],
     },
+    {
+      code: "var child = sinon.stub(require('node:child_process')); child.exec.returns({});",
+      errors: [{ message: 'Found require("node:child_process")' }],
+    },
     {
       code: `
       var foo = require('child_process');
       function fn () {
         var result = foo.exec(str);
       }`,
-      errors: [
-        { message: 'Found require("child_process")', line: 2 },
-        { message: 'Found child_process.exec() with non Literal first argument', line: 4 },
-      ],
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
     },
     {
       code: `
-      var foo = require('child_process');
+      import foo from 'child_process';
+      function fn () {
+        var result = foo.exec(str);
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
+    },
+    {
+      code: `
+      import foo from 'node:child_process';
       function fn () {
-        var foo = /hello/;
         var result = foo.exec(str);
       }`,
-      errors: [{ message: 'Found require("child_process")', line: 2 }],
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
+    },
+    {
+      code: `
+      require('child_process').exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 2 }],
+    },
+    {
+      code: `
+      function fn () {
+        require('child_process').exec(str)
+      }`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
+    },
+    {
+      code: `
+      const {exec} = require('child_process');
+      exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
+    },
+    {
+      code: `
+      const {exec} = require('node:child_process');
+      exec(str)`,
+      errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
     },
   ],
 });