30+ rules for Node.js security. Cryptography. Process Isolation. File System Safety.
Quick Install
```bash
npm install --save-dev eslint-plugin-node-security
```
Flat Config
```js
// eslint.config.js
import nodeSecurity from 'eslint-plugin-node-security';
export default [nodeSecurity.configs.recommended];
```
Run ESLint
```bash
npx eslint .
```
You'll see output like:
```text
src/auth/hash.ts
  15:27  error  CWE-328 CVSS:7.5 | Weak hash algorithm: MD5
                [node-security/no-weak-hash-algorithm] Use crypto.createHash('sha256')

src/api/exec.ts
  10:5   error  CWE-78 | Detected child process execution
                [node-security/detect-child-process] Avoid exec(), use spawn() or execFile()
```
Rule Overview
| Category | Rules | Examples |
|---|---|---|
| Cryptography | 12 | Weak hashes, static IVs, ECB mode |
| System & Process | 5 | exec(), eval(), unsafe require |
| File System | 6 | Zip Slip, TOCTOU, path injection |
| Best Practices | 8 | PII in logs, insecure temp storage |
Quick Wins
1. Cryptography
```js
// ❌ Weak hash
crypto.createHash('md5').update(data);

// ✅ Strong hash
crypto.createHash('sha256').update(data);
```
2. System Security
```js
// ❌ Shell injection risk
require('child_process').exec(`ls ${userInput}`);

// ✅ Safer execution (no shell; userInput is passed as a single argument)
require('child_process').execFile('ls', [userInput]);
```
3. File System
```js
// ❌ Path traversal risk
fs.readFile(`/data/${userInput}`, cb);

// ✅ Validated path (isValid is an application-supplied allow-list check;
//    path.join alone does not block '..' segments, so validate first)
if (isValid(userInput)) fs.readFile(path.join(ROOT, userInput), cb);
```
Available Presets
```js
import nodeSecurity from 'eslint-plugin-node-security';
export default [
  // Recommended (low false positives, high impact)
  nodeSecurity.configs.recommended,
  // All rules (stricter auditing)
  nodeSecurity.configs.all
];
```
Quick Reference
```bash
# Install
npm install --save-dev eslint-plugin-node-security
```

```js
// Config (eslint.config.js)
import nodeSecurity from 'eslint-plugin-node-security';
export default [nodeSecurity.configs.recommended];
```

```bash
# Run
npx eslint .
```
npm: eslint-plugin-node-security
Full Rule List
Tip: run `grep -r 'exec(' .` in your codebase to find call sites worth reviewing!