detect-bidi-characters | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
detect-buffer-noassert | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
detect-child-process | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
detect-disable-mustache-escape | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
detect-eval-with-expression | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
detect-new-buffer | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
detect-no-csrf-before-method-override | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
detect-non-literal-fs-filename | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
detect-non-literal-regexp | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
detect-non-literal-require | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
detect-object-injection | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
detect-possible-timing-attacks | Detects insecure comparisons (== , != , !== and === ), which check input sequentially. | ✅ |
detect-pseudoRandomBytes | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
detect-unsafe-regex | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |