UNPKG

eslint-plugin-security

Version:

Security rules for eslint

github.com/eslint-community/eslint-plugin-security

eslint-community/eslint-plugin-security

39 lines (24 loc) 1.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Detects "variable[key]" as a left- or right-hand assignment operand (`security/detect-object-injection`) ⚠️ This rule _warns_ in the ✅ `recommended` config. <!-- end auto-generated rule header --> JavaScript allows you to use expressions to access object properties in addition to using dot notation. So instead of writing this: ```js object.name = 'foo'; ``` You can write this: ```js object['name'] = 'foo'; ``` Square bracket notation allows any expression to be used in place of an identifier, so you can also do this: ```js const key = 'name'; object[key] = 'foo'; ``` By doing so, you've now obfuscated the property name from the reader, which makes it easy for a malicious actor to replace the value of `key` and change the behavior of the code. This rule flags any expression in the form of `object[expression]` no matter where it occurs. Examples of patterns this will be flagged are: ```js object[key] = value; value = object[key]; doSomething(object[key]); ``` More information: [The Dangers of Square Bracket Notation](../the-dangers-of-square-bracket-notation.md)