feat: add config recommended-legacy

it also moves rule tests to `./test/rules`, and adds a test for the configs.

fixes #131

Signed-off-by: 唯然 <weiran.zsd@outlook.com>

README.md

@@ -20,6 +20,8 @@ yarn add --dev eslint-plugin-security
 
 ## Usage
 
+### flat config(requires eslint >= v8.23.0)
+
 Add the following to your `eslint.config.js` file:
 
 ```js
@@ -28,6 +30,16 @@ const pluginSecurity = require('eslint-plugin-security');
 module.exports = [pluginSecurity.configs.recommended];
 ```
 
+### eslintrc config(legacy)
+
+Add the following to your `.eslintrc` file:
+
+```js
+"extends": [
+ "plugin:security/recommended-legacy"
+]
+```
+
 ## Developer guide
 
 - Use [GitHub pull requests](https://help.github.com/articles/using-pull-requests).
@@ -52,21 +64,21 @@ npm test
 ⚠️ Configurations set to warn in.\
 ✅ Set in the `recommended` configuration.
 
-| Name                                  | Description | ⚠️ |
-| :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :-- |
-| [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
-| [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
-| [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
-| [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
-| [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
-| [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
-| [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
-| [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
-| [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
-| [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
-| [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
-| [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
-| [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
-| [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
+| Name                                  | Description | ⚠️  |
+| :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :------------------------------- |
+| [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ ![badge-recommended-legacy][] |
+| [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ ![badge-recommended-legacy][] |
+| [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ ![badge-recommended-legacy][] |
+| [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ ![badge-recommended-legacy][] |
+| [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ ![badge-recommended-legacy][] |
+| [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ ![badge-recommended-legacy][] |
+| [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ ![badge-recommended-legacy][] |
+| [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ ![badge-recommended-legacy][] |
+| [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ ![badge-recommended-legacy][] |
+| [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ ![badge-recommended-legacy][] |
+| [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ ![badge-recommended-legacy][] |
+| [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ ![badge-recommended-legacy][] |
+| [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ ![badge-recommended-legacy][] |
+| [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ ![badge-recommended-legacy][] |
 
 <!-- end auto-generated rules list -->

docs/rules/detect-bidi-characters.md

@@ -1,6 +1,6 @@
 # Detects trojan source attacks that employ unicode bidi attacks to inject malicious code (`security/detect-bidi-characters`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-buffer-noassert.md

@@ -1,6 +1,6 @@
 # Detects calls to "buffer" with "noAssert" flag set (`security/detect-buffer-noassert`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-child-process.md

@@ -1,6 +1,6 @@
 # Detects instances of "child_process" & non-literal "exec()" calls (`security/detect-child-process`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-disable-mustache-escape.md

@@ -1,6 +1,6 @@
 # Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities (`security/detect-disable-mustache-escape`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-eval-with-expression.md

@@ -1,6 +1,6 @@
 # Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process (`security/detect-eval-with-expression`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-new-buffer.md

@@ -1,5 +1,5 @@
 # Detects instances of new Buffer(argument) where argument is any non-literal value (`security/detect-new-buffer`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->

docs/rules/detect-no-csrf-before-method-override.md

@@ -1,6 +1,6 @@
 # Detects Express "csrf" middleware setup before "method-override" middleware (`security/detect-no-csrf-before-method-override`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-non-literal-fs-filename.md

@@ -1,6 +1,6 @@
 # Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system (`security/detect-non-literal-fs-filename`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-non-literal-regexp.md

@@ -1,6 +1,6 @@
 # Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression (`security/detect-non-literal-regexp`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-non-literal-require.md

@@ -1,6 +1,6 @@
 # Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk (`security/detect-non-literal-require`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-object-injection.md

@@ -1,6 +1,6 @@
 # Detects "variable[key]" as a left- or right-hand assignment operand (`security/detect-object-injection`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

docs/rules/detect-possible-timing-attacks.md

@@ -1,5 +1,5 @@
 # Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially (`security/detect-possible-timing-attacks`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->

docs/rules/detect-pseudoRandomBytes.md

@@ -1,5 +1,5 @@
 # Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect (`security/detect-pseudoRandomBytes`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->

docs/rules/detect-unsafe-regex.md

@@ -1,6 +1,6 @@
 # Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop (`security/detect-unsafe-regex`)
 
-⚠️ This rule _warns_ in the ✅ `recommended` config.
+⚠️ This rule _warns_ in the following configs: ✅ `recommended`, `recommended-legacy`.
 
 <!-- end auto-generated rule header -->
 

index.js

@@ -66,6 +66,11 @@ const recommended = {
  },
 };
 
-Object.assign(plugin.configs, { recommended });
+const recommendedLegacy = {
+ plugins: ['security'],
+ rules: recommended.rules,
+};
+
+Object.assign(plugin.configs, { recommended, 'recommended-legacy': recommendedLegacy });
 
 module.exports = plugin;

test/configs/index.js

@@ -0,0 +1,16 @@
+'use strict';
+const plugin = require('../../index.js');
+const assert = require('assert').strict;
+
+describe('export plugin object', () => {
+ it('should export rules', () => {
+ assert(plugin.rules);
+ assert(typeof plugin.rules['detect-unsafe-regex'] === 'object');
+ });
+
+ it('should export configs', () => {
+ assert(plugin.configs);
+ assert(plugin.configs['recommended']);
+ assert(plugin.configs['recommended-legacy']);
+ });
+});

test/detect-bidi-characters.js → test/rules/detect-bidi-characters.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-bidi-characters';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, Rule, {
  valid: [
@@ -54,7 +54,7 @@ tester.run(`${ruleName} in comment-line`, Rule, {
  console.log("You are an admin.");
  /* end admins only ‮
 ⁦*/
- /* end admins only ‮ 
+ /* end admins only ‮
  { ⁦*/
  `,
  errors: [

test/detect-buffer-noassert.js → test/rules/detect-buffer-noassert.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-buffer-noassert';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 
 const allMethodNames = [...rule.meta.__methodsToCheck.read, ...rule.meta.__methodsToCheck.write];
 

test/detect-child-process.js → test/rules/detect-child-process.js

@@ -9,7 +9,7 @@ const tester = new RuleTester({
 });
 
 const ruleName = 'detect-child-process';
-const rule = require(`../rules/${ruleName}`);
+const rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, rule, {
  valid: [

test/detect-disable-mustache-escape.js → test/rules/detect-disable-mustache-escape.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-disable-mustache-escape';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [{ code: 'escapeMarkup = false' }],
  invalid: [
  {

test/detect-eval-with-expression.js → test/rules/detect-eval-with-expression.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-eval-with-expression';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [{ code: "eval('alert()')" }],
  invalid: [
  {

test/detect-new-buffer.js → test/rules/detect-new-buffer.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-new-buffer';
 const invalid = 'var a = new Buffer(c)';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [{ code: "var a = new Buffer('test')" }],
  invalid: [
  {

test/detect-no-csrf-before-method-override.js → test/rules/detect-no-csrf-before-method-override.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-no-csrf-before-method-override';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [{ code: 'express.methodOverride();express.csrf()' }],
  invalid: [
  {

test/detect-non-literal-fs-filename.js → test/rules/detect-non-literal-fs-filename.js

@@ -10,7 +10,7 @@ const tester = new RuleTester({
 
 const ruleName = 'detect-non-literal-fs-filename';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [
  {
  code: `var fs = require('fs');
@@ -29,7 +29,7 @@ tester.run(ruleName, require(`../rules/${ruleName}`), {
  import { promises as fsp } from 'fs';
  import fs from 'fs';
  import path from 'path';
- 
+
  const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
  const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
  await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,

test/detect-non-literal-regexp.js → test/rules/detect-non-literal-regexp.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-non-literal-regexp';
 const invalid = "var a = new RegExp(c, 'i')";
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [
  { code: "var a = new RegExp('ab+c', 'i')" },
  {

test/detect-non-literal-require.js → test/rules/detect-non-literal-require.js

@@ -6,7 +6,7 @@ const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
 
 const ruleName = 'detect-non-literal-require';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [
  { code: "var a = require('b')" },
  { code: 'var a = require(`b`)' },

test/detect-object-injection.js → test/rules/detect-object-injection.js

@@ -5,7 +5,7 @@ const tester = new RuleTester();
 
 const ruleName = 'detect-object-injection';
 
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 const valid = 'var a = {};';
 // const invalidVariable = "TODO";

test/detect-possible-timing-attacks.js → test/rules/detect-possible-timing-attacks.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-possible-timing-attacks';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 const valid = 'if (age === 5) {}';
 const invalidLeft = "if (password === 'mypass') {}";

test/detect-pseudoRandomBytes.js → test/rules/detect-pseudoRandomBytes.js

@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-pseudoRandomBytes';
 const invalid = 'crypto.pseudoRandomBytes';
 
-tester.run(ruleName, require(`../rules/${ruleName}`), {
+tester.run(ruleName, require(`../../rules/${ruleName}`), {
  valid: [{ code: 'crypto.randomBytes' }],
  invalid: [
  {

test/detect-unsafe-regexp.js → test/rules/detect-unsafe-regexp.js

@@ -4,7 +4,7 @@ const RuleTester = require('eslint').RuleTester;
 const tester = new RuleTester();
 
 const ruleName = 'detect-unsafe-regex';
-const Rule = require(`../rules/${ruleName}`);
+const Rule = require(`../../rules/${ruleName}`);
 
 tester.run(ruleName, Rule, {
  valid: [{ code: '/^d+1337d+$/' }],