UNPKG

eslint-plugin-security-node

Version:

Create a security plugin for node.js

github.com/gkouziik/eslint-plugin-security-node

gkouziik/eslint-plugin-security-node

67 lines (64 loc) 2.13 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
/** * @fileoverview detect instances of child_process.exec with or without string concatenation and shell:true option in chil_process functions * @author gkouziik */ 'use strict' const { getDocsUrl } = require('../utils') module.exports = { meta: { type: 'suggestion', messages: { avoidNonLiteral: 'Found require with non-literal argument' }, docs: { description: 'Non literal require calls may cause an attack', category: 'Possible Errors', recommended: true, url: getDocsUrl('detect-non-literal-require-calls') }, fixable: null }, create: function (context) { return { 'CallExpression': function (node) { if (node.callee.name === 'require') { var args = node.arguments if (args.length > 0 && (args[0].type !== 'Literal' && args[0].type !== 'TemplateLiteral')) { if (args[0].type === 'BinaryExpression') { if (args[0].hasOwnProperty('left') && args[0].hasOwnProperty('right')) { if (args[0].left.type === 'Identifier' && (args[0].right.type === 'Literal' || args[0].right.type === 'TemplateLiteral')) { if (args[0].left.name !== '__dirname') { context.report({ node: node, messageId: 'avoidNonLiteral', loc: { start: args[0].loc.start, end: args[0].loc.end } }) } } else { context.report({ node: node, messageId: 'avoidNonLiteral', start: args[0].loc.start, end: args[0].loc.end }) } } } else { context.report({ node: node, messageId: 'avoidNonLiteral', loc: { start: args[0].loc.start, end: args[0].loc.end } }) } } } } } } }