堆栈内存溢出
  简体   繁体   English

为什么ESLint插件不标记不安全的方法

[英]Why Isn't ESLint plugin flagging unsafe methods

 原文  2019-03-31 17:28:21       javascript/ npm/ eslint

问题描述

I've installed ESLint along with a number of security plugins to attempt some javascript analysis, however when i feed it a small amount of vulnerable javascript, i get no output. 我已经安装了ESLint以及一些安全插件来尝试一些javascript分析,但是当我向它提供少量易受攻击的javascript时,我没有输出。

I installed ESLint with the following: 我用以下内容安装了ESLint: 

npm i -g eslint eslint-plugin-standard eslint-plugin-import \
eslint-plugin-node eslint-plugin-promise eslint-config-standard \
eslint-config-semistandard
npm i -g eslint-plugin-scanjs-rules
npm i -g eslint-plugin-angularjs-security-rules
npm i -g eslint-plugin-react
npm i -g eslint-plugin-security
npm i -g eslint-plugin-no-wildcard-postmessage
npm i -g eslint-plugin-no-unsanitized
npm i -g eslint-plugin-vue
npm i -g eslint-plugin-prototype-pollution-security-rules

Then i ran init on both: 然后我在两个上运行init: 

npm init 
eslint --init
? How would you like to use ESLint? To check syntax and find problems
? What type of modules does your project use? JavaScript modules (import/export)
? Which framework does your project use? None of these
? Where does your code run? (Press <space> to select, <a> to toggle all, <i> to invert selection)Browser
? What format do you want your config file to be in? JavaScript
[...]
Successfully created .eslintrc.js file in /js-analysis

I feed in the following vulnerable demo code: 我提供以下易受攻击的演示代码: 

$ cat demo.js
var input = ['value',window.location.search.substring(2)]
document.getElementById("demo1").innerHTML = input.value;

var url = window.location.search.substring(1);
document.getElementById("demo2").innerHTML = "<a href='"+url+"'>About</a>";

The package looks like this: 包看起来像这样: 

$ cat package.json
{
  "name": "js-analysis",
  "version": "1.0.0",
  "description": "",
  "main": "demo.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

But then this command(which the plugin says should flag vulnerable unnerHTML use) gives no output: 但是这个命令(插件说应该标记易受攻击的unnerHTML使用)没有输出: 

$ eslint --plugin no-unsanitized ./demo.js

1 个解决方案

解决方案1
 0  2019-04-01 19:50:38

I'm still not sure why the --plugin option didn't work, however the workaround I found was to add the following to the .eslintrc.js file created after running 'eslint --init'. 我仍然不确定为什么--plugin选项不起作用,但我找到的解决方法是将以下内容添加到运行'eslint --init'后创建的.eslintrc.js文件中。

By adding the plugins and their rules manually like so: 通过手动添加插件及其规则,如下所示: 

$ cat .eslintrc.js
module.exports = {
  "env" : {
    "browser" : true,
    "es6" : true /** all es6 features except modules */
  },
  "plugins" : [
    "scanjs-rules",
    "no-unsanitized",
    "prototype-pollution-security-rules"
  ],
  "rules" : {
    /** useful rules from eslint **/

    /** ScanJS rules **/
    "scanjs-rules/accidental_assignment": 1,
    "scanjs-rules/assign_to_hostname" : 1,
    "scanjs-rules/assign_to_href" : 1,
    "scanjs-rules/assign_to_location" : 1,
    "scanjs-rules/assign_to_onmessage" : 1,
    "scanjs-rules/assign_to_pathname" : 1,
    "scanjs-rules/assign_to_protocol" : 1,
    "scanjs-rules/assign_to_search" : 1,
    "scanjs-rules/assign_to_src" : 1,
    "scanjs-rules/call_Function" : 1,
    "scanjs-rules/call_addEventListener" : 1,
    "scanjs-rules/call_addEventListener_deviceproximity" : 1,
    "scanjs-rules/call_addEventListener_message" : 1,
    "scanjs-rules/call_connect" : 1,
    "scanjs-rules/call_eval" : 1,
    "scanjs-rules/call_execScript" : 1,
    "scanjs-rules/call_hide" : 1,
    "scanjs-rules/call_open_remote=true" : 1,
    "scanjs-rules/call_parseFromString" : 1,
    "scanjs-rules/call_setImmediate" : 1,
    "scanjs-rules/call_setInterval" : 1,
    "scanjs-rules/call_setTimeout" : 1,
    "scanjs-rules/identifier_indexedDB" : 1,
    "scanjs-rules/identifier_localStorage" : 1,
    "scanjs-rules/identifier_sessionStorage" : 1,
    "scanjs-rules/new_Function" : 1,
    "scanjs-rules/property_addIdleObserver" : 1,
    "scanjs-rules/property_createContextualFragment" : 1,
    "scanjs-rules/property_crypto": 1,
    "scanjs-rules/property_geolocation" : 1,
    "scanjs-rules/property_getUserMedia" : 1,
    "scanjs-rules/property_indexedDB" : 1,
    "scanjs-rules/property_localStorage" : 1,
    "scanjs-rules/property_mgmt" : 1,
    "scanjs-rules/property_sessionStorage" : 1,

    /** no-unsanitized rules**/
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error",

    /** prototype-pollution-security-rules rules**/
    "prototype-pollution-security-rules/detect-merge": 1,
    "prototype-pollution-security-rules/detect-merge-objects": 1,
    "prototype-pollution-security-rules/detect-merge-options": 1,
    "prototype-pollution-security-rules/detect-deep-extend": 1
  }
};

It was possible to run combined plugins like: 可以运行组合插件,如: 

$ eslint vulnerable-javascript.js

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ESLint 找不到插件“eslint-plugin-@typescript-eslint” - ESLint couldn't find the plugin "eslint-plugin-@typescript-eslint" 为什么用于导入订单的 Eslint 插件在 CRA 中不起作用? - Why Eslint plugin for import order doesn't work in CRA? 为什么Promise中没有方法的括号? - Why there isn't parentheses for methods inside of promises? 比较2个数组,打印共有的并标记不共有的 - Comparing 2 arrays, printing what's in common and flagging what isn't 无法弄清楚为什么JS插件无法正常工作 - Can't figure out why JS plugin isn't working Eslint 不检查 .ts 或 .tsx 文件 - Eslint isn't checking .ts or .tsx files ESLint 将函数标记为“未定义”,它们在 html 中加载 - ESLint flagging functions as 'not defined' where they are loaded in the html jQuery插件tinysort不起作用,不确定为什么 - Jquery plugin tinysort isn't working, not sure why 为什么我的Jquery弹出插件不起作用? - Why my Jquery popup plugin isn't working? 为什么我的javascript插件中没有加载我的JavaScript? - Why isn't my javascript loading in my WordPress plugin?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM