Comments (5)
@modestfake Your case is different. You should open a separate issue for it.
from eslint-plugin-security.
I found the case when this rule is false-positive
const string = 'hello'
const result = /hello/.exec(string) // Yields here
UPDATE: created a separate issue #64
from eslint-plugin-security.
Summary
Possible false positive requiring spawn
(vs exec
).
Still relevant?
Yes.
Next steps
- Verify the false positive.
- If this is a false positive -> fix it
- If not -> improve the documentation if needed
from eslint-plugin-security.
Verified the rule is triggered for:
const { spawn } = require('child_process');
1:19 warning Found require("child_process") security/detect-child-process
from eslint-plugin-security.
As described in the doc, we consider spawn
secure: https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/avoid-command-injection-node.md#so-how-do-we-do-this-the-right-way
I think the confusion comes from the fact of having two same rule errors for a vulnerable exec
example like this:
const child_process = require('child_process');
var path = "user input";
child_process.exec('ls -l' + input, function (err, data) {
console.log(data);
});
Output:
1:23 warning Found require("child_process") security/detect-child-process
4:1 warning Found child_process.exec() with non Literal first argument security/detect-child-process
Maybe we should include two different rules like: detect-child-process
and detect-child-process-exec
. As a developer or security researcher both data is interesting, but the exec
related one is more important.
from eslint-plugin-security.
Related Issues (20)
- Improve detect-child-process rule
- docs: maybe an error in the-dangers-of-square-bracket-notation HOT 1
- Bug: object injection not detected HOT 2
- A Suggestion for the Docs HOT 2
- New Rule: Detect invisible characters
- New Rule: disallow unicode confusable identifiers HOT 4
- Bug: `security/detect-non-literal-regexp` should ignore `escapeStringRegexp()` HOT 1
- Bug: `security/detect-object-injection` should be ignored when property is switch case discriminant. HOT 2
- `security/detect-object-injection` false alarm on type safe key HOT 5
- Rule Change: (fill in) HOT 2
- Bug: Crashes ESLint due to circular reference in config HOT 4
- Bug: Converting circular structure to JSON when running eslint HOT 2
- Upgrade causes obscure error HOT 4
- Help wanted: Issue and PR Review HOT 2
- Deprecate detect-buffer-noassert
- Add missing 1.5.0 changelog
- `detect-non-literal-fs-filename` matches inconsistently HOT 2
- Java generator always adds @Json annotations for enums
- Invitation to move to official `eslint-community` org HOT 7
- docs: use `eslint-doc-generator`
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from eslint-plugin-security.