Security News
Oracle Drags Its Feet in the JavaScript Trademark Dispute
Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.
eslint-plugin-anti-trojan-source
Advanced tools
ESLint plugin to detect and stop Trojan Source attacks
ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase
ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.
If you're unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the library and command-line tool anti-trojan-source.
👋 Jan 2023 Update:
This plugin inspired work to create an anti-trojan rule detect-bidi-characters
in eslint-plugin-security and if you're already using that security plugin then it is advised to turn on that rule.
npm install --save-dev eslint-plugin-anti-trojan-source
Once you've installed this plugin, add it to your eslint configuration as follows.
This plugin exports a recommended
configuration.
To enable this configuration, extend it in the configuration for your project.
{
"extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}
First, you need to define it as a plugin:
Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.
{
"plugins": ["anti-trojan-source"]
}
Then, add an ESLint rule that halts if it finds a Trojan Source attack:
"rules": {
"anti-trojan-source/no-bidi": "error"
}
Following is a complete example of configuration if you are defining ESLint configuration in your package.json
file:
"eslintConfig": {
"plugins": [
"anti-trojan-source"
],
"rules": {
"anti-trojan-source/no-bidi": "error"
}
}
The following is an example output when the plugin finds a Trojan Source attack in your codebase:
/Users/lirantal/projects/repos/@gigsboat/cli/index.js
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' } if (isAdmin) begin admins only ' anti-trojan-source/no-bidi
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only { ' anti-trojan-source/no-bidi
/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
2:1 error Detected potential trojan source attack with unicode bidi introduced in this code: '"user // Check if admin "' anti-trojan-source/no-bidi
eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.
FAQs
ESLint plugin to detect and stop Trojan Source attacks
The npm package eslint-plugin-anti-trojan-source receives a total of 28,357 weekly downloads. As such, eslint-plugin-anti-trojan-source popularity was classified as popular.
We found that eslint-plugin-anti-trojan-source demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.
Security News
The Linux Foundation is warning open source developers that compliance with global sanctions is mandatory, highlighting legal risks and restrictions on contributions.
Security News
Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.