eslint-plugin-security 2.1.0 → 3.0.0

package/.github/workflows/ci.yml

@@ -12,12 +12,12 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: lts/*
 
       - name: Install Packages
         run: npm install
@@ -30,21 +30,21 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node: [12.22.0, 12, 14, 16, 18, 20]
+        node: [18.18.0, 18.x, 20.x, 21.x]
         include:
           - os: windows-latest
-            node: 18
+            node: lts/*
           - os: macOS-latest
-            node: 18
+            node: lts/*
     runs-on: ${{ matrix.os }}
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
 

package/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## [3.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.1.1...v3.0.0) (2024-04-10)
+
+
+### ⚠ BREAKING CHANGES
+
+* requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
+
+### Features
+
+* requires node ^18.18.0 || ^20.9.0 || >=21.1.0 ([#146](https://www.github.com/eslint-community/eslint-plugin-security/issues/146)) ([df1b606](https://www.github.com/eslint-community/eslint-plugin-security/commit/df1b6063c1224e1163dfdc37c96b64bb52d816bb))
+
+
+### Bug Fixes
+
+* Ensure everything works with ESLint v9 ([#145](https://www.github.com/eslint-community/eslint-plugin-security/issues/145)) ([ac50ab4](https://www.github.com/eslint-community/eslint-plugin-security/commit/ac50ab481ed63d7262513186136ca1429d3b8290))
+
+### [2.1.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.1.0...v2.1.1) (2024-02-14)
+
+
+### Bug Fixes
+
+* Ensure empty eval() doesn't crash detect-eval-with-expression ([#139](https://www.github.com/eslint-community/eslint-plugin-security/issues/139)) ([8a7c7db](https://www.github.com/eslint-community/eslint-plugin-security/commit/8a7c7db1e2b49e2831d510b8dc1db235dee0edf0))
+
 ## [2.1.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.0.0...v2.1.0) (2023-12-15)
 
 

package/docs/bypass-connect-csrf-protection-by-abusing.md

@@ -18,9 +18,9 @@ Considering the following code:
 
 ```js
 ...
-app.use express.csrf()
+app.use(express.csrf())
 ...
-app.use express.methodOverride()
+app.use(express.methodOverride())
 ```
 
 Connect's CSRF middleware does not check csrf tokens in case of idempotent verbs (GET/HEAD/OPTIONS, see lib/middleware/csrf.js). As a result, it is possible to bypass this security control by sending a GET request with a POST MethodOverride header or key.

package/docs/regular-expression-dos-and-node.md

@@ -2,13 +2,13 @@
 
 Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get `500 Internal Server Error`. For some reason the site is down. You can't do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.
 
-Availability is not often treated as a security problem, which it is, and it's impacts are immediate, and deeply felt.
+Availability is not often treated as a security problem, which it is, and its impacts are immediate, and deeply felt.
 
 The attack surface for Node.js in regards to loss of availability is quite large, as we are dealing with a single event loop. If an attacker can control and block that event loop, then nothing else gets done.
 
 There are many ways to block the event loop, one way an attacker can do that is with [Regular Expression Denial of Service (ReDoS)](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).
 
-If user provided input finds it's way into a regular expression, or a regular expression is designed with certain attributes, such as grouping with repetition, you can find yourself in a vulnerable position, as the regular expression match could take a long time to process. [OWASP](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) has a deeper explanation of why this occurs.
+If user provided input finds its way into a regular expression, or a regular expression is designed with certain attributes, such as grouping with repetition, you can find yourself in a vulnerable position, as the regular expression match could take a long time to process. [OWASP](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) has a deeper explanation of why this occurs.
 
 Let's look at an vulnerable example. Below we are attempting the common task of validating an email address on the server.
 

package/docs/rules/detect-new-buffer.md

@@ -3,3 +3,7 @@
 ⚠️ This rule _warns_ in the ✅ `recommended` config.
 
 <!-- end auto-generated rule header -->
+
+`new Buffer()` now emits a deprecation warning in Node.js.
+
+More information: [new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)

package/docs/rules/detect-object-injection.md

@@ -4,4 +4,35 @@
 
 <!-- end auto-generated rule header -->
 
+JavaScript allows you to use expressions to access object properties in addition to using dot notation. So instead of writing this:
+
+```js
+object.name = 'foo';
+```
+
+You can write this:
+
+```js
+object['name'] = 'foo';
+```
+
+Square bracket notation allows any expression to be used in place of an identifier, so you can also do this:
+
+```js
+const key = 'name';
+object[key] = 'foo';
+```
+
+By doing so, you've now obfuscated the property name from the reader, which makes it easy for a malicious actor to replace the value of `key` and change the behavior of the code.
+
+This rule flags any expression in the form of `object[expression]` no matter where it occurs. Examples of patterns this will be flagged are:
+
+```js
+object[key] = value;
+
+value = object[key];
+
+doSomething(object[key]);
+```
+
 More information: [The Dangers of Square Bracket Notation](../the-dangers-of-square-bracket-notation.md)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-security",
-  "version": "2.1.0",
+  "version": "3.0.0",
   "description": "Security rules for eslint",
   "main": "index.js",
   "scripts": {
@@ -46,13 +46,13 @@
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
-    "@eslint/js": "^8.51.0",
+    "@eslint/js": "^9.0.0",
     "changelog": "1.3.0",
-    "eslint": "^8.51.0",
+    "eslint": "^9.0.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
-    "eslint-doc-generator": "^1.0.2",
-    "eslint-plugin-eslint-plugin": "^5.1.1",
+    "eslint-doc-generator": "^1.7.0",
+    "eslint-plugin-eslint-plugin": "^5.5.1",
     "lint-staged": "^12.3.7",
     "markdownlint-cli": "^0.32.2",
     "mocha": "^9.2.2",
@@ -60,5 +60,8 @@
     "prettier": "^2.6.2",
     "semantic-release": "^19.0.2",
     "yorkie": "^2.0.0"
+  },
+  "engines": {
+    "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
   }
 }

package/rules/detect-bidi-characters.js

@@ -78,7 +78,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-bidi-characters.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       Program: function (node) {
         report({

package/rules/detect-buffer-noassert.js

@@ -61,7 +61,7 @@ module.exports = {
       write,
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         let index;

package/rules/detect-child-process.js

@@ -23,7 +23,8 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-child-process.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'require') {
@@ -41,19 +42,21 @@ module.exports = {
           return;
         }
 
+        const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
         // Reports non-literal `exec()` calls.
         if (
           !node.arguments.length ||
           isStaticExpression({
             node: node.arguments[0],
-            scope: context.getScope(),
+            scope,
           })
         ) {
           return;
         }
         const pathInfo = getImportAccessPath({
           node: node.callee,
-          scope: context.getScope(),
+          scope,
           packageNames: childProcessPackageNames,
         });
         const fnName = pathInfo && pathInfo.path.length === 1 && pathInfo.path[0];

package/rules/detect-disable-mustache-escape.js

@@ -10,7 +10,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-disable-mustache-escape.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       AssignmentExpression: function (node) {
         if (node.operator === '=') {

package/rules/detect-eval-with-expression.js

@@ -19,10 +19,10 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-eval-with-expression.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
-      CallExpression: function (node) {
-        if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
+      CallExpression(node) {
+        if (node.callee.name === 'eval' && node.arguments.length && node.arguments[0].type !== 'Literal') {
           context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
         }
       },

package/rules/detect-new-buffer.js

@@ -10,7 +10,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-new-buffer.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       NewExpression: function (node) {
         if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {

package/rules/detect-no-csrf-before-method-override.js

@@ -19,7 +19,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
     },
   },
-  create: function (context) {
+  create(context) {
     let csrf = false;
 
     return {

package/rules/detect-non-literal-fs-filename.js

@@ -26,17 +26,19 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-fs-filename.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
     return {
-      CallExpression: function (node) {
+      CallExpression(node) {
         // don't check require. If all arguments are Literals, it's surely safe!
         if ((node.callee.type === 'Identifier' && node.callee.name === 'require') || node.arguments.every((argument) => argument.type === 'Literal')) {
           return;
         }
 
+        const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
         const pathInfo = getImportAccessPath({
           node: node.callee,
-          scope: context.getScope(),
+          scope,
           packageNames: fsPackageNames,
         });
         if (!pathInfo) {
@@ -79,7 +81,8 @@ module.exports = {
             continue;
           }
           const argument = node.arguments[index];
-          if (isStaticExpression({ node: argument, scope: context.getScope() })) {
+
+          if (isStaticExpression({ node: argument, scope })) {
             continue;
           }
           indices.push(index);

package/rules/detect-non-literal-regexp.js

@@ -21,17 +21,21 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-regexp.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
+
     return {
-      NewExpression: function (node) {
+      NewExpression(node) {
         if (node.callee.name === 'RegExp') {
           const args = node.arguments;
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           if (
             args &&
             args.length > 0 &&
             !isStaticExpression({
               node: args[0],
-              scope: context.getScope(),
+              scope,
             })
           ) {
             return context.report({ node: node, message: 'Found non-literal argument to RegExp Constructor' });

package/rules/detect-non-literal-require.js

@@ -21,17 +21,21 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
+
     return {
-      CallExpression: function (node) {
+      CallExpression(node) {
         if (node.callee.name === 'require') {
           const args = node.arguments;
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           if (
             args &&
             args.length > 0 &&
             !isStaticExpression({
               node: args[0],
-              scope: context.getScope(),
+              scope,
             })
           ) {
             return context.report({ node: node, message: 'Found non-literal argument in require' });

package/rules/detect-object-injection.js

@@ -61,7 +61,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-object-injection.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         if (node.computed === true) {

package/rules/detect-possible-timing-attacks.js

@@ -32,7 +32,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-possible-timing-attacks.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       IfStatement: function (node) {
         if (node.test && node.test.type === 'BinaryExpression') {

package/rules/detect-pseudoRandomBytes.js

@@ -19,7 +19,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-pseudoRandomBytes.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         if (node.property.name === 'pseudoRandomBytes') {

package/rules/detect-unsafe-regex.js

@@ -25,7 +25,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-unsafe-regex.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       Literal: function (node) {
         const token = context.getSourceCode().getTokens(node)[0];

package/test/rules/detect-child-process.js

@@ -1,12 +1,7 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester({
-  parserOptions: {
-    ecmaVersion: 6,
-    sourceType: 'module',
-  },
-});
+const tester = new RuleTester();
 
 const ruleName = 'detect-child-process';
 const rule = require(`../../rules/${ruleName}`);

package/test/rules/detect-eval-with-expression.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-eval-with-expression';
 
 tester.run(ruleName, require(`../../rules/${ruleName}`), {
-  valid: [{ code: "eval('alert()')" }],
+  valid: [{ code: "eval('alert()')" }, { code: 'eval("some nefarious code");' }, { code: 'eval()' }],
   invalid: [
     {
       code: 'eval(a);',

package/test/rules/detect-non-literal-fs-filename.js

@@ -1,12 +1,7 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester({
-  parserOptions: {
-    ecmaVersion: 13,
-    sourceType: 'module',
-  },
-});
+const tester = new RuleTester();
 
 const ruleName = 'detect-non-literal-fs-filename';
 
@@ -33,8 +28,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
             const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
             await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,
-      globals: {
-        __dirname: 'readonly',
+      languageOptions: {
+        globals: {
+          __dirname: 'readonly',
+        },
       },
     },
     {
@@ -43,16 +40,20 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             import path from 'path';
             const dirname = path.dirname(__filename)
             const key = fs.readFileSync(path.resolve(dirname, './index.html'));`,
-      globals: {
-        __filename: 'readonly',
+      languageOptions: {
+        globals: {
+          __filename: 'readonly',
+        },
       },
     },
     {
       code: `
             import fs from 'fs';
             const key = fs.readFileSync(\`\${process.cwd()}/path/to/foo.json\`);`,
-      globals: {
-        process: 'readonly',
+      languageOptions: {
+        globals: {
+          process: 'readonly',
+        },
       },
     },
     `
@@ -65,8 +66,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
       code: `
       import fs from 'fs';
       const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');`,
-      globals: {
-        require: 'readonly',
+      languageOptions: {
+        globals: {
+          require: 'readonly',
+        },
       },
     },
   ],
@@ -191,8 +194,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             import fs from 'fs';
             import path from 'path';
             const key = fs.readFileSync(path.resolve(__dirname, foo));`,
-      globals: {
-        __filename: 'readonly',
+      languageOptions: {
+        globals: {
+          __filename: 'readonly',
+        },
       },
       errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
     },

package/test/rules/detect-non-literal-require.js

@@ -2,7 +2,7 @@
 
 const RuleTester = require('eslint').RuleTester;
 
-const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
+const tester = new RuleTester({ languageOptions: { sourceType: 'commonjs' } });
 
 const ruleName = 'detect-non-literal-require';
 
@@ -17,8 +17,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
     },
     {
       code: "const utils = require(__dirname + '/utils');",
-      globals: {
-        __dirname: 'readonly',
+      languageOptions: {
+        globals: {
+          __dirname: 'readonly',
+        },
       },
     },
   ],

package/test/utils/import-utils.js

@@ -8,17 +8,20 @@ const Linter = require('eslint').Linter;
 function getGetImportAccessPathResult(code) {
   const linter = new Linter();
   const result = [];
-  linter.defineRule('test-rule', {
+  const testRule = {
     create(context) {
+      const sourceCode = context.sourceCode || context.getSourceCode();
       return {
         'Identifier[name = target]'(node) {
           let expr = node;
           if (node.parent.type === 'MemberExpression' && node.parent.property === node) {
             expr = node.parent;
           }
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           const info = getImportAccessPath({
             node: expr,
-            scope: context.getScope(),
+            scope,
             packageNames: ['target', 'target-foo', 'target-bar'],
           });
           if (!info) return;
@@ -30,15 +33,18 @@ function getGetImportAccessPathResult(code) {
         },
       };
     },
-  });
+  };
 
   const linterResult = linter.verify(code, {
-    parserOptions: {
-      ecmaVersion: 6,
-      sourceType: 'module',
+    plugins: {
+      test: {
+        rules: {
+          'test-rule': testRule,
+        },
+      },
     },
     rules: {
-      'test-rule': 'error',
+      'test/test-rule': 'error',
     },
   });
   deepStrictEqual(linterResult, []);

package/test/utils/is-static-expression.js

@@ -12,35 +12,45 @@ const Linter = require('eslint').Linter;
 function getIsStaticExpressionResult(code) {
   const linter = new Linter();
   const result = [];
-  linter.defineRule('test-rule', {
+  const testRule = {
     create(context) {
+      const sourceCode = context.sourceCode || context.getSourceCode();
+
       return {
         'CallExpression[callee.name = target]'(node) {
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           result.push(
             ...node.arguments.map((expr) =>
               isStaticExpression({
                 node: expr,
-                scope: context.getScope(),
+                scope,
               })
             )
           );
         },
       };
     },
-  });
+  };
 
   const linterResult = linter.verify(code, {
-    parserOptions: {
-      ecmaVersion: 11,
-      sourceType: 'module',
+    plugins: {
+      test: {
+        rules: {
+          'test-rule': testRule,
+        },
+      },
     },
-    globals: {
-      __dirname: 'readonly',
-      __filename: 'readonly',
-      require: 'readonly',
+    languageOptions: {
+      sourceType: 'module',
+      globals: {
+        __dirname: 'readonly',
+        __filename: 'readonly',
+        require: 'readonly',
+      },
     },
     rules: {
-      'test-rule': 'error',
+      'test/test-rule': 'error',
     },
   });
   deepStrictEqual(linterResult, []);