@microsoft/eslint-plugin-sdl
ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)
@microsoft/eslint-plugin-sdl is an ESLint plugin designed to help developers enforce security best practices in their JavaScript code. It provides a set of rules that can be integrated into your ESLint configuration to automatically check for common security issues and ensure that your code adheres to Microsoft's Security Development Lifecycle (SDL) guidelines.
no-eval

This rule disallows the use of `eval()` in your code, which can lead to security vulnerabilities by allowing the execution of arbitrary code.

```js
module.exports = {
  "rules": {
    "@microsoft/sdl/no-eval": "error"
  }
};
```
no-inner-html

This rule prevents the use of `innerHTML` to set HTML content, which can expose your application to cross-site scripting (XSS) attacks.

```js
module.exports = {
  "rules": {
    "@microsoft/sdl/no-inner-html": "error"
  }
};
```
no-insecure-random

This rule ensures that you do not use insecure random number generators, which can be predictable and compromise the security of your application.

```js
module.exports = {
  "rules": {
    "@microsoft/sdl/no-insecure-random": "error"
  }
};
```
eslint-plugin-security is an ESLint plugin that identifies potential security issues in your code. It provides a set of rules to detect common security vulnerabilities such as the use of `eval()`, potential XSS issues, and more. Compared to @microsoft/eslint-plugin-sdl, it offers a broader range of security checks but may not be as tightly aligned with Microsoft's SDL guidelines.
eslint-plugin-no-unsanitized is an ESLint plugin that helps prevent the use of unsanitized methods that can lead to XSS attacks. It specifically targets methods like `innerHTML` and `outerHTML`. This plugin is more focused on preventing XSS vulnerabilities compared to the broader security scope of @microsoft/eslint-plugin-sdl.
ESLint plugin focused on common security issues and misconfigurations.

The plugin is intended as a baseline for projects that follow the Microsoft Security Development Lifecycle (SDL) and use ESLint to perform Static Application Security Testing (SAST).
```sh
npm install @microsoft/eslint-plugin-sdl
```

or

```sh
yarn add @microsoft/eslint-plugin-sdl
```
Including an ESLint configuration file in your project allows you to customize how ESLint applies rules to your project. You can include the plugin in your configuration file as described in the examples for the recommended and required configurations.
ESLint will then only enforce the rules you specify in the rules section of your configuration file, at the severity level you designate. For example:

```js
const pluginMicrosoftSdl = require("@microsoft/eslint-plugin-sdl");

module.exports = [
  ...pluginMicrosoftSdl.configs.recommended,
  {
    rules: {
      "no-eval": "error",
      "@microsoft/sdl/no-inner-html": "error"
    }
  }
];
```
You can also use the shareable config files below, with the flat config model, as guidelines depending on the type of project.

The plugin ships with the following shareable configs:

Where possible, we leverage existing rules from ESLint and community plugins such as react, typescript-eslint or security. We also implemented several custom rules where we did not find a sufficient alternative in the community.
| Name | Description |
|---|---|
| no-caller | Bans usage of the deprecated functions `arguments.caller()` and `arguments.callee` that could potentially allow access to the call stack. |
| no-delete-var | Bans usage of the `delete` operator on variables as it can lead to unexpected behavior. |
| no-eval | Bans usage of `eval()`, which allows code execution from a string argument. |
| no-implied-eval | Bans usage of `setTimeout()`, `setInterval()` and `execScript()`. These functions are similar to `eval()` and prone to code execution. |
| no-new-func | Bans calling `new Function()` as it is similar to `eval()` and prone to code execution. |
| node/no-deprecated-api | Bans usage of deprecated APIs in Node. |
| @microsoft/sdl/no-angular-bypass-sanitizer | Calls to `bypassSecurityTrustHtml`, `bypassSecurityTrustScript` and similar methods bypass `DomSanitizer` in Angular and need to be reviewed. |
| @microsoft/sdl/no-angularjs-bypass-sce | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass Strict Contextual Escaping (SCE) in AngularJS and need to be reviewed. |
| @microsoft/sdl/no-angularjs-enable-svg | Calls to `$sanitizeProvider.enableSvg(true)` increase the attack surface of the application by enabling SVG support in the AngularJS sanitizer and need to be reviewed. |
| @microsoft/sdl/no-angularjs-sanitization-whitelist | Calls to `$compileProvider.aHrefSanitizationWhitelist` or `$compileProvider.imgSrcSanitizationWhitelist` configure whitelists in the AngularJS sanitizer and need to be reviewed. |
| @microsoft/sdl/no-cookies | HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. |
| @microsoft/sdl/no-document-domain | Writes to the `document.domain` property must be reviewed to avoid bypass of same-origin checks. Usage of top-level domains such as `azurewebsites.net` is strictly prohibited. |
| @microsoft/sdl/no-document-write | Calls to `document.write` or `document.writeln` manipulate the DOM directly without any sanitization and should be avoided. Use `document.createElement()` or similar methods instead. |
| @microsoft/sdl/no-electron-node-integration | Node.js Integration must not be enabled in any renderer that loads remote content, to avoid remote code execution attacks. |
| @microsoft/sdl/no-html-method | Direct calls to the `html()` method (e.g. in the jQuery framework) often manipulate the DOM without any sanitization and should be avoided. Use `document.createElement()` or similar methods instead. |
| @microsoft/sdl/no-inner-html | Assignments to the `innerHTML` or `outerHTML` properties manipulate the DOM directly without any sanitization and should be avoided. Use `document.createElement()` or similar methods instead. |
| @microsoft/sdl/no-insecure-url | Insecure protocols such as HTTP or FTP should be replaced by their encrypted counterparts (HTTPS, FTPS) to avoid sending potentially sensitive data over untrusted networks in plaintext. |
| @microsoft/sdl/no-msapp-exec-unsafe | Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided. |
| @microsoft/sdl/no-postmessage-star-origin | Always provide a specific target origin, not `*`, when sending data to other windows using `postMessage`, to avoid data leakage outside the trust boundary. |
| @microsoft/sdl/no-unsafe-alloc | When calling `Buffer.allocUnsafe` and `Buffer.allocUnsafeSlow`, the allocated memory is not wiped and can contain old, potentially sensitive data. |
| @microsoft/sdl/no-winjs-html-unsafe | Calls to `WinJS.Utilities.setInnerHTMLUnsafe()` and similar methods do not perform any input validation and should be avoided. Use `WinJS.Utilities.setInnerHTML()` instead. |
| react/iframe-missing-sandbox | The `sandbox` attribute enables an extra set of restrictions for the content in the iframe and should always be specified. |
| react/no-danger | Bans usage of the `dangerouslySetInnerHTML` property in React as it allows passing unsanitized HTML into the DOM. |
| @typescript-eslint/no-implied-eval | Similar to the built-in ESLint rule `no-implied-eval`. Bans usage of `setTimeout()`, `setInterval()`, `setImmediate()`, `execScript()` or `new Function()` as they are similar to `eval()` and allow code execution from string arguments. |
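To show how a rule like `@microsoft/sdl/no-postmessage-star-origin` actually works inside ESLint, here is an added, simplified reimplementation of that check (example code written for this page, not the plugin's own source): an ESLint rule is an object whose `create(context)` returns AST visitors, and this one reports any `x.postMessage(data, "*")` call. The `lintCall` harness and the hand-built ESTree nodes stand in for ESLint's parser and `context` so the logic runs without the `eslint` package installed.

```javascript
// Hypothetical, simplified version of the no-postmessage-star-origin check.
// Shape follows the ESLint rule API: meta + create(context) -> visitors.
const noPostMessageStarOrigin = {
  meta: {
    type: "problem",
    messages: { starOrigin: "Provide a specific target origin instead of '*'." },
  },
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        // Match `<anything>.postMessage(...)` with a plain (non-computed) property.
        const isPostMessage =
          callee.type === "MemberExpression" &&
          !callee.computed &&
          callee.property.type === "Identifier" &&
          callee.property.name === "postMessage";
        if (!isPostMessage) return;
        // Second argument is the target origin; a literal "*" is the finding.
        const origin = node.arguments[1];
        if (origin && origin.type === "Literal" && origin.value === "*") {
          context.report({ node, messageId: "starOrigin" });
        }
      },
    };
  },
};

// Minimal stand-in for ESLint's context: collects the messageIds reported.
function lintCall(callNode) {
  const reports = [];
  const visitors = noPostMessageStarOrigin.create({
    report: (r) => reports.push(r.messageId),
  });
  visitors.CallExpression(callNode);
  return reports;
}

// Constructed ESTree node for `win.postMessage(payload, <originValue>)`.
function postMessageCall(originValue) {
  return {
    type: "CallExpression",
    callee: {
      type: "MemberExpression",
      computed: false,
      object: { type: "Identifier", name: "win" },
      property: { type: "Identifier", name: "postMessage" },
    },
    arguments: [
      { type: "Identifier", name: "payload" },
      { type: "Literal", value: originValue },
    ],
  };
}
```

With a real parser the same `create` function would run over every call in a file; here `lintCall(postMessageCall("*"))` yields one finding and a concrete origin yields none.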
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
FAQs
The npm package @microsoft/eslint-plugin-sdl receives a total of 274,473 weekly downloads. As such, @microsoft/eslint-plugin-sdl popularity was classified as popular.
We found that @microsoft/eslint-plugin-sdl demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.