eslint-plugin-security 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,12 @@
1
1
  # Changelog
2
2
 
3
+ ### [2.1.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.1.0...v2.1.1) (2024-02-14)
4
+
5
+
6
+ ### Bug Fixes
7
+
8
+ * Ensure empty eval() doesn't crash detect-eval-with-expression ([#139](https://www.github.com/eslint-community/eslint-plugin-security/issues/139)) ([8a7c7db](https://www.github.com/eslint-community/eslint-plugin-security/commit/8a7c7db1e2b49e2831d510b8dc1db235dee0edf0))
9
+
3
10
  ## [2.1.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.0.0...v2.1.0) (2023-12-15)
4
11
 
5
12
 
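Review bot: the 2.1.1 entry lists only the `eval()` crash fix, while this same diff also adds documentation for detect-new-buffer and detect-object-injection and changes the README rule table. If the changelog is generated from conventional commits (the compare/commit link style suggests it is), those were presumably `docs:` commits and excluded by design; if it is maintained by hand, a one-line "Documentation" item for the two rule docs would help readers deciding whether to pick up the patch release.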
package/README.md CHANGED
@@ -64,21 +64,21 @@ npm test
64
64
  ⚠️ Configurations set to warn in.\
65
65
  ✅ Set in the `recommended` configuration.
66
66
 
67
- | Name                                  | Description | ⚠️ |
68
- | :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :-- |
69
- | [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
70
- | [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
71
- | [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
72
- | [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
- | [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
- | [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
75
- | [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
76
- | [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
- | [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
- | [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
- | [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
- | [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
- | [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
- | [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
67
+ | Name                                  | Description | ⚠️ |
68
+ | :------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-- |
69
+ | [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
70
+ | [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
71
+ | [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
72
+ | [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
+ | [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
+ | [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. ([new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)) | ✅ |
75
+ | [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
76
+ | [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
+ | [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
+ | [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
+ | [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
+ | [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
+ | [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
+ | [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
83
83
 
84
84
  <!-- end auto-generated rules list -->
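Review bot: this table sits above `<!-- end auto-generated rules list -->`, so the new link appended to the detect-new-buffer description ("([new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660))") must originate from the rule's `meta.docs.description` or the generator will drop it on the next run; nothing in this diff shows the rule's metadata being updated, so please confirm the edit was not made directly in README.md. The rest of the hunk is whitespace from the widened separator row and is a no-op in rendered markdown.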
@@ -3,3 +3,7 @@
3
3
  ⚠️ This rule _warns_ in the ✅ `recommended` config.
4
4
 
5
5
  <!-- end auto-generated rule header -->
6
+
7
+ `new Buffer()` now emits a deprecation warning in Node.js.
8
+
9
+ More information: [new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)
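Review bot: the added text says `new Buffer()` is deprecated but never tells the reader what to write instead; the doc should name the replacements (`Buffer.alloc()`, `Buffer.from()` and, when zero-filling is deliberately skipped, `Buffer.allocUnsafe()`), since that is what a developer hitting the warning needs. It should also make clear what the rule does and does not catch: per the README line in this diff the rule reports "new Buffer(argument) where argument is any non-literal value", so `new Buffer(10)` with a literal number is not reported even though the linked issue is specifically about the numeric form. Saying so in the doc avoids a false sense of coverage.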
@@ -4,4 +4,35 @@
4
4
 
5
5
  <!-- end auto-generated rule header -->
6
6
 
7
+ JavaScript allows you to use expressions to access object properties in addition to using dot notation. So instead of writing this:
8
+
9
+ ```js
10
+ object.name = 'foo';
11
+ ```
12
+
13
+ You can write this:
14
+
15
+ ```js
16
+ object['name'] = 'foo';
17
+ ```
18
+
19
+ Square bracket notation allows any expression to be used in place of an identifier, so you can also do this:
20
+
21
+ ```js
22
+ const key = 'name';
23
+ object[key] = 'foo';
24
+ ```
25
+
26
+ By doing so, you've now obfuscated the property name from the reader, which makes it easy for a malicious actor to replace the value of `key` and change the behavior of the code.
27
+
28
+ This rule flags any expression in the form of `object[expression]` no matter where it occurs. Examples of patterns this will be flagged are:
29
+
30
+ ```js
31
+ object[key] = value;
32
+
33
+ value = object[key];
34
+
35
+ doSomething(object[key]);
36
+ ```
37
+
7
38
  More information: [The Dangers of Square Bracket Notation](../the-dangers-of-square-bracket-notation.md)
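Review bot: the rationale paragraph ("you've now obfuscated the property name from the reader, which makes it easy for a malicious actor to replace the value of `key`") does not describe the actual risk; the concern is an attacker-controlled `key` reaching properties such as `__proto__` or `constructor` (prototype pollution, or reading/writing properties the code never intended to expose), not reader confusion, and the doc should say that. The new text also contradicts the README summary in this same diff: the table says the rule detects "variable[key]" as a left- or right-hand assignment operand, while the doc says it flags the pattern "no matter where it occurs" and lists `doSomething(object[key])` as flagged; one of the two should be corrected to match what the rule implements. Minor: "Examples of patterns this will be flagged are" should read "Examples of patterns that will be flagged are".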
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "eslint-plugin-security",
3
- "version": "2.1.0",
3
+ "version": "2.1.1",
4
4
  "description": "Security rules for eslint",
5
5
  "main": "index.js",
6
6
  "scripts": {
@@ -19,10 +19,10 @@ module.exports = {
19
19
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-eval-with-expression.md',
20
20
  },
21
21
  },
22
- create: function (context) {
22
+ create(context) {
23
23
  return {
24
- CallExpression: function (node) {
25
- if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
24
+ CallExpression(node) {
25
+ if (node.callee.name === 'eval' && node.arguments.length && node.arguments[0].type !== 'Literal') {
26
26
  context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
27
27
  }
28
28
  },
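Review bot: the `node.arguments.length &&` guard correctly stops the crash on `eval()`, but the callee test on the same line, `node.callee.name === 'eval'`, still matches only a bare identifier, so `window.eval(x)`, `globalThis.eval(x)` and `(0, eval)(x)` are never reported; if that is intentional, state it in detect-eval-with-expression.md, otherwise also match a MemberExpression whose property name is `eval`. Two smaller points on the type check `node.arguments[0].type !== 'Literal'`: a no-substitution template literal such as eval(`alert()`) is reported even though it is as static as a string literal, and a spread argument produces the message "eval with argument of type SpreadElement", which is accurate but worth a friendlier wording. The `create(context)` / `CallExpression(node)` method-shorthand change is behaviour-neutral.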
@@ -6,7 +6,7 @@ const tester = new RuleTester();
6
6
  const ruleName = 'detect-eval-with-expression';
7
7
 
8
8
  tester.run(ruleName, require(`../../rules/${ruleName}`), {
9
- valid: [{ code: "eval('alert()')" }],
9
+ valid: [{ code: "eval('alert()')" }, { code: 'eval("some nefarious code");' }, { code: 'eval()' }],
10
10
  invalid: [
11
11
  {
12
12
  code: 'eval(a);',
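Review bot: the new `eval()` valid case is the regression test for #139 and is enough to pin the crash fix, but nothing in the suite pins the callee and argument-type behaviour of the rule as written: consider adding `window.eval(a)` as a valid case (currently not reported, because only a bare `eval` identifier matches) and eval(`alert()`) as an invalid case (currently reported, because TemplateLiteral is not Literal), so that any later change to those checks is caught rather than silently altering what the rule flags.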