eslint-plugin-security
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.
Rules (7)

Detected dynamic execution of JavaScript that may come from user input, which can lead to Cross-Site Scripting (XSS). Where possible, avoid passing user input to functions that dynamically execute code.

Detected a call to child_process using the function argument `$FUNC`. This could lead to command injection if the input is user controllable. Avoid calls to child_process where possible; if one is needed, ensure user input is correctly sanitized or sandboxed.

This rule is deprecated.

Markup escaping disabled. With some template engines this disables the escaping of HTML entities, which can lead to XSS attacks.

Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.

Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

Detected use of the express.csrf() middleware registered before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to be turned into POST requests later in the middleware chain.