eslint-plugin-codesink
v1.0.12
Detect common JavaScript sinks that lead to web application vulnerabilities.
Installation
# minimal installation:
npm i eslint eslint-plugin-codesink
# for html and typescript support:
npm install eslint-plugin-html [email protected] @typescript-eslint/parser @typescript-eslint/[email protected]
Usage
Add the following configuration to your .eslintrc.js file:
'use strict';
module.exports = {
  root: true,
  env: {
    node: true,
    es6: true,
  },
  parserOptions: {
    ecmaVersion: 2020,
    sourceType: 'module',
    ecmaFeatures: {
      jsx: true,
    },
  },
  parser: '@typescript-eslint/parser',
  plugins: ['codesink', 'html', '@typescript-eslint'],
  rules: {
    // add specific rules to your project here
    'codesink/no-dom-xss': 'warn',
    'codesink/no-open-redirect': 'warn',
    'codesink/no-eval-injection': 'warn',
    'codesink/no-cookie-manipulation': 'warn',
    'codesink/no-domain-manipulation': 'warn',
    'codesink/no-websocket-url-poisoning': 'warn',
    'codesink/no-link-manipulation': 'warn',
    'codesink/no-message-manipulation': 'warn',
    'codesink/no-path-traversal': 'warn',
    'codesink/no-evil-regex': 'warn',
    'codesink/no-regex-injection': 'warn',
    'codesink/no-hardcoded-credentials': 'warn',
  },
};
Add the following command to the `scripts` section of `package.json` (no trailing comma, since package.json is strict JSON):
"scripts": {
  "lint": "eslint ."
}
To run eslint from your terminal:
npm run lint
Supported Rules
| Vulnerability sinks | Rule |
| -------------------------------------- | ------------------------- |
| DOM-based XSS | no-dom-xss |
| DOM-based open redirect | no-open-redirect |
| DOM-based JavaScript injection | no-eval-injection |
| DOM-based Cookie manipulation | no-cookie-manipulation |
| DOM-based document-domain manipulation | no-document-manipulation |
| DOM-based WebSocket-URL poisoning | websocket-url-poisoning |
| DOM-based link manipulation | no-link-manipulation |
| Web message manipulation | no-message-manipulation |
| Path traversal | no-path-traversal |
| Evil regex | no-evil-regex |
| Regex injection | no-regex-injection |
| Hard-coded credentials | no-hardcoded-credentials |