@microsoft/eslint-plugin-sdl

ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)

# Do not use insecure random functions

Methods such as `Math.random()` or `crypto.pseudoRandomBytes()` do not produce cryptographically secure random numbers and must not be used for security purposes such as generating tokens, passwords or keys. `Math.random()` is a fast, non-cryptographic PRNG whose internal state can be recovered from a small number of observed outputs, so values derived from it are predictable to an attacker; `crypto.pseudoRandomBytes()` is a deprecated Node.js API that offered no cryptographic guarantee.

Use `crypto.randomBytes()` or `window.crypto.getRandomValues()` instead. In Node.js, `crypto.randomInt()` is the right choice when you need a uniformly distributed integer in a range (for example, an index into a character set), since reducing a random byte with `%` introduces modulo bias.

## Related Rules

* [tslint-microsoft-contrib/no-insecure-random](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/insecureRandomRule.ts)
* https://help.semmle.com/wiki/display/JS/Insecure+randomness
  - [source](https://github.com/github/codeql/blob/master/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll)
* https://vulncat.fortify.com/en/detail?id=desc.semantic.abap.insecure_randomness#JavaScript
* https://rules.sonarsource.com/javascript/RSPEC-2245
  - [source](https://github.com/SonarSource/SonarJS/blob/master/eslint-bridge/src/rules/pseudo-random.ts)
* https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js
* https://github.com/gkouziik/eslint-plugin-security-node/blob/master/lib/rules/detect-insecure-randomness.js