eslint-community/eslint-plugin-security

A more relevant "detect-object-injection"

Open

#21 opened on 2017年8月30日

GitHub で見る
 (20 comments) (12 reactions) (0 assignees)JavaScript (2,074 stars) (131 forks)batch import
help wanted

説明

Is there any way that we can work towards a more helpful/relevant report of Object injection sinks?

I can't think of a relevant security use case where Object injection would be relevant outside of the scope of a function directly linked to a web service.

I can understand based on tree traversal that determining the difference in between functions that are used in response to direct network calls would be [near] impossible to determine, but if I use bracket notation at the top level of my module, likely this rule should not notify.

コントリビューターガイド

技術スタック
javascriptnodejs
領域
backendsecurity
Issue 種別
feature
難度新しい貢献者にとっての実装難度です。1 は非常に小さな変更、5 は専門的な作業です。
3
推定時間経験ある貢献者が調査、実装、テスト、pull request 準備にかけるおおよその時間範囲です。
half day
活動状況Issue が今どれだけ取り組みやすいかを示します。新しい、活発、古い、ブロック中、またはメンテナー入力待ちなどです。
stale
明確さ期待される変更、受け入れ条件、次の手順がどれだけ明確かを示します。
mostly clear
前提条件
Node.js and JavaScriptESLint plugin developmentObject injection security concept
初心者向け度初回貢献者にどれだけ取り組みやすいかを 1-100 で推定したスコアです。
50
調査方針
Investigate the current implementation of the 'detect object injection' rule in the plugin. Review the comments in the issue for proposed approaches to reduce false positives. Consider adding a configuration option to limit the rule to functions directly handling network requests. See relevant files in the rules directory and existing test cases to understand the pattern detection logic.