eslint-plugin-security 2.0.0 → 2.1.0

@@ -3,6 +3,7 @@ const prettierRC = require('./.prettierrc.json');
3
3
 
4
4
  /** @type {import('eslint-doc-generator').GenerateOptions} */
5
5
  const config = {
6
+ ignoreConfig: ['recommended-legacy'],
6
7
  postprocess: (doc) => format(doc, { ...prettierRC, parser: 'markdown' }),
7
8
  };
8
9
 
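--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [2.1.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.0.0...v2.1.0) (2023-12-15)
+
+
+### Features
+
+* add config recommended-legacy ([#132](https://www.github.com/eslint-community/eslint-plugin-security/issues/132)) ([13d3f2f](https://www.github.com/eslint-community/eslint-plugin-security/commit/13d3f2fc6ba327c894959db30462f3fda0272f0c))
+
 ## [2.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v1.7.1...v2.0.0) (2023-10-17)
 
 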
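--- a/package/README.md
+++ b/package/README.md
@@ -20,6 +20,8 @@ yarn add --dev eslint-plugin-security
 
 ## Usage
 
+### Flat config (requires eslint >= v8.23.0)
+
 Add the following to your `eslint.config.js` file:
 
 ```js
@@ -28,6 +30,16 @@ const pluginSecurity = require('eslint-plugin-security');
 module.exports = [pluginSecurity.configs.recommended];
 ```
 
+### eslintrc config (deprecated)
+
+Add the following to your `.eslintrc` file:
+
+```js
+module.exports = {
+extends: ['plugin:security/recommended-legacy'],
+};
+```
+
 ## Developer guide
 
 - Use [GitHub pull requests](https://help.github.com/articles/using-pull-requests).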
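--- a/package/index.js
+++ b/package/index.js
@@ -66,6 +66,14 @@ const recommended = {
 },
 };
 
-Object.assign(plugin.configs, { recommended });
+const recommendedLegacy = {
+plugins: ['security'],
+rules: recommended.rules,
+};
+
+Object.assign(plugin.configs, {
+recommended,
+'recommended-legacy': recommendedLegacy
+});
 
 module.exports = plugin;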
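Review bot: `rules: recommended.rules` in the new `recommendedLegacy` object hands out the very same rules object that the flat `recommended` config exposes, so a consumer that mutates `plugin.configs['recommended-legacy'].rules` (for example to downgrade a severity) silently changes the flat config as well, and vice versa; `rules: { ...recommended.rules },` gives each config its own copy while keeping the same rule set. The `'recommended-legacy': recommendedLegacy` entry is also the only object-literal line in the hunk without a trailing comma. A one-line comment above the new object would help readers pick the right entry, e.g. `// eslintrc-style config (array plugins list); flat-config users should use 'recommended'`. The `recommended` object this builds on is defined above the hunk.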
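--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "eslint-plugin-security",
-"version": "2.0.0",
+"version": "2.1.0",
 "description": "Security rules for eslint",
 "main": "index.js",
 "scripts": {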
@@ -0,0 +1,16 @@
1
+ 'use strict';
2
+ const plugin = require('../../index.js');
3
+ const assert = require('assert').strict;
4
+
5
+ describe('export plugin object', () => {
6
+ it('should export rules', () => {
7
+ assert(plugin.rules);
8
+ assert(typeof plugin.rules['detect-unsafe-regex'] === 'object');
9
+ });
10
+
11
+ it('should export configs', () => {
12
+ assert(plugin.configs);
13
+ assert(plugin.configs['recommended']);
14
+ assert(plugin.configs['recommended-legacy']);
15
+ });
16
+ });
@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
4
4
  const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-bidi-characters';
7
- const Rule = require(`../rules/${ruleName}`);
7
+ const Rule = require(`../../rules/${ruleName}`);
8
8
 
9
9
  tester.run(ruleName, Rule, {
10
10
  valid: [
@@ -54,7 +54,7 @@ tester.run(`${ruleName} in comment-line`, Rule, {
54
54
  console.log("You are an admin.");
55
55
  /* end admins only ‮
56
56
  ⁦*/
57
- /* end admins only ‮
57
+ /* end admins only ‮
58
58
  { ⁦*/
59
59
  `,
60
60
  errors: [
@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
4
4
  const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-buffer-noassert';
7
- const rule = require(`../rules/${ruleName}`);
7
+ const rule = require(`../../rules/${ruleName}`);
8
8
 
9
9
  const allMethodNames = [...rule.meta.__methodsToCheck.read, ...rule.meta.__methodsToCheck.write];
10
10
 
@@ -9,7 +9,7 @@ const tester = new RuleTester({
9
9
  });
10
10
 
11
11
  const ruleName = 'detect-child-process';
12
- const rule = require(`../rules/${ruleName}`);
12
+ const rule = require(`../../rules/${ruleName}`);
13
13
 
14
14
  tester.run(ruleName, rule, {
15
15
  valid: [
@@ -5,7 +5,7 @@ const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-disable-mustache-escape';
7
7
 
8
- tester.run(ruleName, require(`../rules/${ruleName}`), {
8
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
9
9
  valid: [{ code: 'escapeMarkup = false' }],
10
10
  invalid: [
11
11
  {
@@ -5,7 +5,7 @@ const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-eval-with-expression';
7
7
 
8
- tester.run(ruleName, require(`../rules/${ruleName}`), {
8
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
9
9
  valid: [{ code: "eval('alert()')" }],
10
10
  invalid: [
11
11
  {
@@ -6,7 +6,7 @@ const tester = new RuleTester();
6
6
  const ruleName = 'detect-new-buffer';
7
7
  const invalid = 'var a = new Buffer(c)';
8
8
 
9
- tester.run(ruleName, require(`../rules/${ruleName}`), {
9
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
10
10
  valid: [{ code: "var a = new Buffer('test')" }],
11
11
  invalid: [
12
12
  {
@@ -5,7 +5,7 @@ const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-no-csrf-before-method-override';
7
7
 
8
- tester.run(ruleName, require(`../rules/${ruleName}`), {
8
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
9
9
  valid: [{ code: 'express.methodOverride();express.csrf()' }],
10
10
  invalid: [
11
11
  {
@@ -10,7 +10,7 @@ const tester = new RuleTester({
10
10
 
11
11
  const ruleName = 'detect-non-literal-fs-filename';
12
12
 
13
- tester.run(ruleName, require(`../rules/${ruleName}`), {
13
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
14
14
  valid: [
15
15
  {
16
16
  code: `var fs = require('fs');
@@ -29,7 +29,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
29
29
  import { promises as fsp } from 'fs';
30
30
  import fs from 'fs';
31
31
  import path from 'path';
32
-
32
+
33
33
  const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
34
34
  const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
35
35
  await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,
@@ -6,7 +6,7 @@ const tester = new RuleTester();
6
6
  const ruleName = 'detect-non-literal-regexp';
7
7
  const invalid = "var a = new RegExp(c, 'i')";
8
8
 
9
- tester.run(ruleName, require(`../rules/${ruleName}`), {
9
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
10
10
  valid: [
11
11
  { code: "var a = new RegExp('ab+c', 'i')" },
12
12
  {
@@ -6,7 +6,7 @@ const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
6
6
 
7
7
  const ruleName = 'detect-non-literal-require';
8
8
 
9
- tester.run(ruleName, require(`../rules/${ruleName}`), {
9
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
10
10
  valid: [
11
11
  { code: "var a = require('b')" },
12
12
  { code: 'var a = require(`b`)' },
@@ -5,7 +5,7 @@ const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-object-injection';
7
7
 
8
- const Rule = require(`../rules/${ruleName}`);
8
+ const Rule = require(`../../rules/${ruleName}`);
9
9
 
10
10
  const valid = 'var a = {};';
11
11
  // const invalidVariable = "TODO";
@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
4
4
  const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-possible-timing-attacks';
7
- const Rule = require(`../rules/${ruleName}`);
7
+ const Rule = require(`../../rules/${ruleName}`);
8
8
 
9
9
  const valid = 'if (age === 5) {}';
10
10
  const invalidLeft = "if (password === 'mypass') {}";
@@ -6,7 +6,7 @@ const tester = new RuleTester();
6
6
  const ruleName = 'detect-pseudoRandomBytes';
7
7
  const invalid = 'crypto.pseudoRandomBytes';
8
8
 
9
- tester.run(ruleName, require(`../rules/${ruleName}`), {
9
+ tester.run(ruleName, require(`../../rules/${ruleName}`), {
10
10
  valid: [{ code: 'crypto.randomBytes' }],
11
11
  invalid: [
12
12
  {
@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
4
4
  const tester = new RuleTester();
5
5
 
6
6
  const ruleName = 'detect-unsafe-regex';
7
- const Rule = require(`../rules/${ruleName}`);
7
+ const Rule = require(`../../rules/${ruleName}`);
8
8
 
9
9
  tester.run(ruleName, Rule, {
10
10
  valid: [{ code: '/^d+1337d+$/' }],