|[detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md)| Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
-
|[detect-eval-with-expression](docs/rules/detect-eval-with-expression.md)| Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
-
|[detect-new-buffer](docs/rules/detect-new-buffer.md)| Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
|[detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md)| Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
-
|[detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md)| Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
-
|[detect-non-literal-require](docs/rules/detect-non-literal-require.md)| Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
-
|[detect-object-injection](docs/rules/detect-object-injection.md)| Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
-
|[detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md)| Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
-
|[detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md)| Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
-
|[detect-unsafe-regex](docs/rules/detect-unsafe-regex.md)| Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
|[detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md)| Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
+
|[detect-eval-with-expression](docs/rules/detect-eval-with-expression.md)| Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
+
|[detect-new-buffer](docs/rules/detect-new-buffer.md)| Detects instances of new Buffer(argument) where argument is any non-literal value. ([new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660))| ✅ |
|[detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md)| Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
+
|[detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md)| Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
+
|[detect-non-literal-require](docs/rules/detect-non-literal-require.md)| Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
+
|[detect-object-injection](docs/rules/detect-object-injection.md)| Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
+
|[detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md)| Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
+
|[detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md)| Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
+
|[detect-unsafe-regex](docs/rules/detect-unsafe-regex.md)| Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
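Review bot: the link text added to the detect-new-buffer row, "new Buffer(number) is unsafe", describes a narrower case than the rule reports, since the same row says the rule flags `new Buffer(argument)` for any non-literal argument, whatever that argument holds. Consider wording the parenthetical so readers do not conclude that only numeric arguments are reported, for example "(see [nodejs/node#4660](https://github.com/nodejs/node/issues/4660) for why the numeric form is unsafe)", and restore the space before the closing cell so the row ends `) | ✅ |` like the others. As no other row carries an inline rationale link, the explanation may also fit better in docs/rules/detect-new-buffer.md.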