Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

@rushstack/eslint-plugin-security

Package Overview
Dependencies
Maintainers
3
Versions
24
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@rushstack/eslint-plugin-security

An ESLint plugin providing rules that identify common security vulnerabilities for browser applications, Node.js tools, and Node.js services

  • 0.8.3
  • latest
  • Source
  • npm
  • Socket score
Version published
Weekly downloads
58K
decreased by-12.01%
Maintainers
3
Weekly downloads
 
Created
Source

@rushstack/eslint-plugin-security

This plugin implements a collection of security rules for ESLint.

Our ambition is to eventually provide a comprehensive set of recommended security rules for:

  • web browser applications
  • Node.js tools
  • Node.js services

If you would like to request or contribute a new security rule, you are encouraged to create a GitHub issue in the Rush Stack monorepo where this project is developed. Thanks!

@rushstack/security/no-unsafe-regexp

Require regular expressions to be constructed from string constants rather than dynamically building strings at runtime.

Rule Details

Regular expressions should be constructed from string constants. Dynamically building strings at runtime may introduce security vulnerabilities, performance concerns, and bugs involving incorrect escaping of special characters.

Examples

The following patterns are considered problems when @rushstack/security/no-unsafe-regexp is enabled:

function parseRestResponse(request: ICatalogRequest,
  items: ICatalogItem[]): ICatalogItem[] {

  // Security vulnerability: A malicious user could invoke the REST service using a
  // "searchPattern" with a complex RegExp that causes a denial of service.
  const regexp: RegExp = new RegExp(request.searchPattern);
  return items.filter(item => regexp.test(item.title));
}

function hasExtension(filePath: string, extension: string): boolean {
  // Escaping mistake: If the "extension" string contains a special character such as ".",
  // it will be interpreted as a regular expression operator. Correctly escaping an arbitrary
  // string is a nontrivial problem due to RegExp implementation differences, as well as contextual
  // issues (since which characters are special changes inside RegExp nesting constructs).
  // In most cases, this problem is better solved without regular expressions.
  const regexp: RegExp = new RegExp(`\.${extension}$`);
  return regexp.test(filePath);
}

The following patterns are NOT considered problems:

function isInteger(s: string): boolean {
  return /[0-9]+/.test(s);
}

function isInteger(s: string): boolean {
  return new RegExp('[0-9]+').test(s);
}

Links

@rushstack/eslint-plugin-security is part of the Rush Stack family of projects.

Keywords

FAQs

Package last updated on 19 Sep 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Malicious npm Package Targets Solana Developers and Hijacks Funds

Research

Security News

Malicious npm Package Targets Solana Developers and Hijacks Funds

A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.

By Socket Research Team  -  Dec 02, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc