@microsoft/eslint-plugin-sdl
Version:
ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)
38 lines (34 loc) • 1.25 kB
JavaScript
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
/**
* @fileoverview Rule to disallow enabling Node.js integration in Electron apps
*/
;
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description:
"[Node.js Integration](https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content) must not be enabled in any renderer that loads remote content to avoid remote code execution attacks.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-electron-node-integration.md"
},
messages: {
default: "Do not enable Node.js Integration for Remote Content"
}
},
create: function (context) {
return {
"NewExpression[callee.name=/BrowserWindow|BrowserView/] > ObjectExpression.arguments > Property.properties[key.name=webPreferences] > ObjectExpression.value > Property.properties[key.name=/nodeIntegration|nodeIntegrationInWorker|nodeIntegrationInSubFrames/][value.value='true']"(
node
) {
context.report({
node: node,
messageId: "default"
});
}
};
}
};