eslint-community/eslint-plugin-security

A more relevant "detect-object-injection"

Open

#21 opened on Aug 30, 2017

View on GitHub
 (20 comments) (12 reactions) (0 assignees)JavaScript (2,074 stars) (131 forks)batch import
help wanted

Description

Is there any way that we can work towards a more helpful/relevant report of Object injection sinks?

I can't think of a relevant security use case where Object injection would be relevant outside of the scope of a function directly linked to a web service.

I can understand based on tree traversal that determining the difference in between functions that are used in response to direct network calls would be [near] impossible to determine, but if I use bracket notation at the top level of my module, likely this rule should not notify.

Contributor guide

Tech stack
javascriptnodejs
Domain
backendsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Node.js and JavaScriptESLint plugin developmentObject injection security concept
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
50
Research direction
Investigate the current implementation of the 'detect object injection' rule in the plugin. Review the comments in the issue for proposed approaches to reduce false positives. Consider adding a configuration option to limit the rule to functions directly handling network requests. See relevant files in the rules directory and existing test cases to understand the pattern detection logic.