Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
@microsoft/eslint-plugin-sdl
Advanced tools
ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)
ESLint Plugin focused on common security issues and misconfigurations.
Plugin is intended as a baseline for projects that follow Microsoft Security Development Lifecycle (SDL) and use ESLint to perform Static Analysis Security Testing (SAST).
Plugin is shipped with following Shareable Configs:
Where possible, we leverage existing rules from ESLint and community plugins such as react, typescript-eslint or security.
We also implemented several custom rules where we did not find sufficient alternative in the community.
Name | Description |
---|---|
no-caller | Bans usage of deprecated functions arguments.caller() and arguments.callee that could potentially allow access to call stack. |
no-delete-var | Bans usage of operator delete on variables as it can lead to unexpected behavior. |
no-eval | Bans usage of eval() that allows code execution from string argument. |
no-implied-eval | Bans usage of setTimeout() , setInterval() and execScript() . These functions are similar to eval() and prone to code execution. |
no-new-func | Bans calling new Function() as it's similar to eval() and prone to code execution. |
node/no-deprecated-api | Bans usage of deprecated APIs in Node. |
@microsoft/sdl/no-angular-bypass-sanitizer | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass DomSanitizer in Angular and need to be reviewed. |
@microsoft/sdl/no-angularjs-bypass-sce | Calls to $sceProvider.enabled(false) , $sceDelegate.trustAs() , $sce.trustAs() and relevant shorthand methods (e.g. trustAsHtml or trustAsJs ) bypass Strict Contextual Escaping (SCE) in AngularJS and need to be reviewed. |
@microsoft/sdl/no-angularjs-enable-svg | Calls to $sanitizeProvider.enableSvg(true) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. |
@microsoft/sdl/no-angularjs-sanitization-whitelist | Calls to $compileProvider.aHrefSanitizationWhitelist or $compileProvider.imgSrcSanitizationWhitelist configure whitelists in AngularJS sanitizer and need to be reviewed. |
@microsoft/sdl/no-cookies | HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. |
@microsoft/sdl/no-document-domain | Writes to document.domain property must be reviewed to avoid bypass of same-origin checks. Usage of top level domains such as azurewebsites.net is strictly prohibited. |
@microsoft/sdl/no-document-write | Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
@microsoft/sdl/no-electron-node-integration | Node.js Integration must not be enabled in any renderer that loads remote content to avoid remote code execution attacks. |
@microsoft/sdl/no-html-method | Direct calls to method html() often (e.g. in jQuery framework) manipulate DOM without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
@microsoft/sdl/no-inner-html | Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
@microsoft/sdl/no-msapp-exec-unsafe | Calls to MSApp.execUnsafeLocalFunction() bypass script injection validation and should be avoided. |
@microsoft/sdl/no-postmessage-star-origin | Always provide specific target origin, not * when sending data to other windows using postMessage to avoid data leakage outside of trust boundary. |
@microsoft/sdl/no-unsafe-alloc | When calling Buffer.allocUnsafe and Buffer.allocUnsafeSlow , the allocated memory is not wiped-out and can contain old, potentially sensitive data. |
@microsoft/sdl/no-winjs-html-unsafe | Calls to WinJS.Utilities.setInnerHTMLUnsafe() and similar methods do not perform any input validation and should be avoided. Use WinJS.Utilities.setInnerHTML() instead. |
@microsoft/sdl/react-iframe-missing-sandbox | The sandbox attribute enables an extra set of restrictions for the content in the iframe and should always be specified. |
react/no-danger | Bans usage of dangerouslySetInnerHTML property in React as it allows passing unsanitized HTML in DOM. |
@typescript-eslint/no-implied-eval | Similar to built-in ESLint rule no-implied-eval . Bans usage of setTimeout() , setInterval() , setImmediate() , execScript() or new Function() as they are similar to eval() and allow code execution from string arguments. |
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
FAQs
ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)
The npm package @microsoft/eslint-plugin-sdl receives a total of 38,589 weekly downloads. As such, @microsoft/eslint-plugin-sdl popularity was classified as popular.
We found that @microsoft/eslint-plugin-sdl demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.