npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

gulp-mraudit

v1.0.1

Published

Mr Audit is a Gulp plugin to audit JavaScript code for security related static code analysis.

Downloads

9

Readme

Mr. Audit validates secure code guidelines and security best practices for JavaScript projects.

About

gulp-mraudit is a gulp plugin that ties into the build process and will scan specified JavaScript files to ensure that they conform with security best practices.

This gulp plugin extends gulp-contains for searching specific strings in files.

Example

Add to your Gulpfile a task called securecode that ensures there is no use of insecure functions like eval or child_process.exec in your source code:

gulp.task('securecode', function() {
  var options = {
    errList: {
      search: [
        'eval('
      ],
      onFound: function (string, file) { 
        var error = 'Error: found an occurrence of the code: "' + string;
        console.log(error);
      }
    }
  };
  gulp.src('gulpfile.js').pipe(mraudit(options));
});

Then run the task as part of your build process to enforce it:

$ gulp securecode

lirantal:~/workspace (master) $ gulp securecode
[07:10:58] Using gulpfile ~/workspace/gulpfile.js
[07:10:58] Starting 'securecode'...
[07:10:58] Finished 'securecode' after 12 ms

events.js:141
      throw er; // Unhandled 'error' event
      ^
Error: Your file contains "eval(", it should not.

Gulp Example

The project itself includes a gulpfile.js in the root directory as an example of an operational Gulpfile.

Install

npm install gulp-mraudit --save

Configuration

The plugin expects to receive an object with two properties: warnList and an errList. This granularity is provided so that project owners can provide callbacks, and warnings when a match is found in the file for any string in the warnList, and can entirely break the build if the errList is matched.

Simple object example:

var options = {
  warnList: {
    search: [
      ' req.body.'
    ]
  },
  errList: {
    search: [
      'eval(',
      'child_process.exec(',
      'setTimeout(',
      'setInterval('
    ]
  }
};

It is also possible to provide an onFound property for each of the errList and warnList properties so that you can completely customize any kind of callback function trigger that happens when a match is found in either case.

Security Best Practices

Out of the box Mr Audit is configured to assert the following list of security best practices:

Option | Description | --- | --- | req.body. | Potential noSQ injection with directly using parsed JSON objects in ExpressJS's req.body. This warning can be wavered if the object being accessed was already sanitized and filtered before. Or if ExpressJS does not use the bodyParser middleware for json or urlencoded options. child_process.exec( | Potential OS command injection due to the use of directly calling a command line option with .exec where the first argument is the name of a command, which could potentially be originated from user manipulated input. eval( | Interpreting JavaScript code in real-time on potential user manipulated input could result in malicious JavaScript code executed in the context of the application and complete access to the user's browser. setTimeout(, setInterval( | Both of these functions can result in malicious JavaScript injection similar to how eval( is dangerous to use.

Author

Liran Tal [email protected]