no-insecure-comparison
Detects insecure comparison operators (`==`, `!=`) that can lead to type coercion vulnerabilities. This rule is part of [`eslint-plugin-secure-coding`](https://
Keywords: insecure comparison, CWE-697, security, ESLint rule, loose equality, type coercion, == vs ===, strict equality, JavaScript security, auto-fix, LLM-optimized, code security
Detects insecure comparison operators (==, !=) that can lead to type coercion vulnerabilities. This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages that AI assistants can automatically fix.
⚠️ This rule warns by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-697 (Incorrect Comparison) |
| Severity | High (security vulnerability) |
| Auto-Fix | ✅ Yes (replaces == with ===, != with !==) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All JavaScript/TypeScript applications, especially security-sensitive code |
Vulnerability and Risk
Vulnerability: Insecure comparison occurs when using loose equality operators (== or !=) which perform type coercion before comparison.
Risk: This can lead to logic bypasses where different values are treated as equal (e.g., 0 == "0" or [] == 0). Attackers can often exploit this behavior to bypass authentication checks or authorization logic.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
⚠️ CWE-697 OWASP:A06 CVSS:5.3 | Incorrect Comparison detected | MEDIUM
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-697 OWASP:A06 CVSS:5.3 |
| Issue Description | Specific vulnerability | Incorrect Comparison detected |
| Severity & Compliance | Impact assessment | MEDIUM |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
Insecure comparison operators (==, !=) use type coercion, which can lead to unexpected behavior and security vulnerabilities. This rule enforces strict equality (===, !==) which compares both value and type.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🔒 Security | Type coercion can bypass checks | Use strict equality (===) |
| 🐛 Bugs | Unexpected type conversions | Compare type and value |
| 🔐 Reliability | Hard-to-debug issues | Predictable comparisons |
| 📊 Best Practice | Violates JavaScript best practices | Always use strict equality |
Detection Patterns
The rule detects:
- Loose equality:
==operator - Loose inequality:
!=operator
Examples
❌ Incorrect
// Insecure comparison with type coercion
if (user.id == userId) {
// ❌ Type coercion
// Process user
}
// Insecure inequality
if (value != null) {
// ❌ Type coercion
// Handle value
}
// Ternary with loose equality
const result = a == b ? 1 : 0; // ❌ Type coercion✅ Correct
// Strict equality - no type coercion
if (user.id === userId) {
// ✅ Type and value match
// Process user
}
// Strict inequality
if (value !== null && value !== undefined) {
// ✅ Explicit checks
// Handle value
}
// Ternary with strict equality
const result = a === b ? 1 : 0; // ✅ Type and value matchConfiguration
Default Configuration
{
"secure-coding/no-insecure-comparison": "warn"
}Options
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | false | Allow insecure comparison in tests |
ignorePatterns | string[] | [] | Additional patterns to ignore |
Example Configuration
{
"secure-coding/no-insecure-comparison": [
"warn",
{
"allowInTests": true,
"ignorePatterns": ["x == y"]
}
]
}Best Practices
- Always use strict equality (
===,!==) for all comparisons - Explicit null checks: Use
value !== null && value !== undefinedinstead ofvalue != null - Type safety: Strict equality prevents accidental type coercion bugs
- Consistency: Use strict equality throughout the codebase
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Related Rules
no-unvalidated-user-input- Detects unvalidated user inputno-privilege-escalation- Detects privilege escalation vulnerabilities
Resources
no-improper-type-validation
Detects improper type validation in user input handling. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure
no-insecure-redirects
ESLint Rule: no-insecure-redirects. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).