eslint-plugin-anti-trojan-source
Advanced tools
ESLint plugin to detect and stop Trojan Source attacks
ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase
ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.
If you're unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the library and command-line tool anti-trojan-source.
👋 Jan 2023 Update:
This plugin inspired work to create an anti-trojan rule detect-bidi-characters in eslint-plugin-security and if you're already using that security plugin then it is advised to turn on that rule.
npm install --save-dev eslint-plugin-anti-trojan-source
Once you've installed this plugin, add it to your eslint configuration as follows.
This plugin exports a recommended configuration.
To enable this configuration, extend it in the configuration for your project.
{
"extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}
First, you need to define it as a plugin:
Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.
{
"plugins": ["anti-trojan-source"]
}
Then, add an ESLint rule that halts if it finds a Trojan Source attack:
"rules": {
"anti-trojan-source/no-bidi": "error"
}
Following is a complete example of configuration if you are defining ESLint configuration in your package.json file:
"eslintConfig": {
"plugins": [
"anti-trojan-source"
],
"rules": {
"anti-trojan-source/no-bidi": "error"
}
}
The following is an example output when the plugin finds a Trojan Source attack in your codebase:
/Users/lirantal/projects/repos/@gigsboat/cli/index.js
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' } if (isAdmin) begin admins only ' anti-trojan-source/no-bidi
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only { ' anti-trojan-source/no-bidi
/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
2:1 error Detected potential trojan source attack with unicode bidi introduced in this code: '"user // Check if admin "' anti-trojan-source/no-bidi
eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.
FAQs
ESLint plugin to detect and stop Trojan Source attacks
The npm package eslint-plugin-anti-trojan-source receives a total of 21,988 weekly downloads. As such, eslint-plugin-anti-trojan-source popularity was classified as popular.
We found that eslint-plugin-anti-trojan-source demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.