Rules
All ESLint security rules provided by eslint-plugin-node-security
31 Security Rules
Comprehensive coverage of Node.js built-in module security including fs, child_process, vm, and crypto.
All Rules
| Rule | Description |
|---|---|
| `detect-child-process` | Detects instances of `child_process` and non-literal `exec()` calls that may allow command injection |
| `detect-eval-with-expression` | Detects `eval(variable)`, which can allow an attacker to run arbitrary code inside your process |
| `detect-non-literal-fs-filename` | Detects a variable in the filename argument of `fs` calls, which might allow an attacker to access anything on your system |
| `detect-suspicious-dependencies` | Detects package imports that look like typosquatting attempts on popular npm packages |
| `lock-file` | CWE: [CWE-829](https://cwe.mitre.org/data/definitions/829.html) |
| `no-arbitrary-file-access` | Prevents file system access with unsanitized user input to protect against path traversal attacks |
| `no-buffer-overread` | Detects buffer access beyond bounds |
| `no-cryptojs` | Disallow the deprecated crypto-js library (use native `crypto` instead) |
| `no-cryptojs-weak-random` | Disallow crypto-js `WordArray.random()` (CVE-2020-36732) |
| `no-data-in-temp-storage` | Temporary directories (`/tmp`, `/var/tmp`, `temp/`) are often world-readable or persist longer than expected |
| `no-deprecated-cipher-method` | Disallow the deprecated `crypto.createCipher`/`createDecipher` methods |
| `no-dynamic-dependency-loading` | Detects dynamically constructed paths in `require()` and `import()` statements |
| `no-dynamic-require` | Forbid `require()` calls with non-literal arguments |
| `no-ecb-mode` | Disallow ECB encryption mode (use GCM or CBC instead) |
| `no-insecure-key-derivation` | Disallow PBKDF2 with insufficient iterations (< 100,000) |
| `no-insecure-rsa-padding` | Disallow RSA PKCS#1 v1.5 padding (CVE-2023-46809, Marvin Attack) |
| `no-pii-in-logs` | CWE: [CWE-532](https://cwe.mitre.org/data/definitions/532.html) |
| `no-self-signed-certs` | Disallow `rejectUnauthorized: false` in TLS options |
| `no-sha1-hash` | Disallow `sha1()` from the crypto-hash package (use `sha256` or `sha512`) |
| `no-static-iv` | Disallow static or hardcoded initialization vectors (IVs) |
| `no-timing-unsafe-compare` | Disallow timing-unsafe comparison of secrets |
| `no-toctou-vulnerability` | Detects Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerabilities in file system operations |
| `no-unsafe-dynamic-require` | Disallows dynamic `require()` calls with non-literal arguments that could lead to security vulnerabilities |
| `no-weak-cipher-algorithm` | Disallow weak cipher algorithms (DES, 3DES, RC4, Blowfish, RC2, IDEA) |
| `no-weak-hash-algorithm` | Disallow weak hash algorithms (MD5, MD4, SHA-1, RIPEMD) |
| `no-zip-slip` | Detects zip slip/archive extraction vulnerabilities |
| `prefer-native-crypto` | Prefer native `crypto` over third-party libraries |
| `require-dependency-integrity` | CWE: [CWE-494](https://cwe.mitre.org/data/definitions/494.html) |
| `require-secure-credential-storage` | Detects when credentials are stored using `localStorage.setItem()` or `fs.writeFile()` without encryption |
| `require-secure-deletion` | CWE: [CWE-459](https://cwe.mitre.org/data/definitions/459.html) |
| `require-storage-encryption` | CWE: [CWE-312](https://cwe.mitre.org/data/definitions/312.html) |
Rule Categories
- Command Injection: rules detecting `child_process` vulnerabilities and unsafe command execution.
- File System Security: rules preventing path traversal, TOCTOU vulnerabilities, and unsafe file operations.
- Cryptographic Security: rules enforcing secure crypto implementations and preventing weak algorithms.
- Module Security: rules detecting unsafe `require` patterns and dependency vulnerabilities.
- Data Protection: rules preventing PII exposure in logs and requiring secure storage.