ESLint Plugin Thunderhorse
Security DSLs provided by the Tool
Name
Description
Security Checks provided by the Tool
Name
Description
Disallow ExpressJS applications that do not use the Helmet.js defaults, since the HTTP security headers might otherwise be insecurely configured.
Instantiating Buffers with the Buffer constructor is deprecated. Use Buffer.from() or Buffer.alloc().
HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use modern alternatives such as web storage.
The rule detects usage of methodOverride after declaring Express’s CSRF middleware, which can effectively disable or bypass CSRF protection.
Setting escapeMarkup to false is unsafe.
Setting rejectUnauthorized to false disables verification of the peer's TLS certificate and is unsafe.
Setting value of NODE_TLS_REJECT_UNAUTHORIZED to 0 is unsafe.
Using weak ciphers is insecure.
Insecure protocols such as HTTP or FTP should be replaced by their encrypted counterparts (HTTPS, FTPS) to avoid sending potentially sensitive data over untrusted networks in plaintext.
Always provide a specific target origin, not *, when sending data to other windows using postMessage, to avoid leaking data outside the trust boundary.
Using user input in SQL statements can result in SQL injection attacks.
Using anything but a string to access object or class members is unsafe. Specify members via strings.
Specifying paths in document.domain with non-literal values is potentially unsafe. Specify the path via a string.
File access via anything but strings is unsafe. Specify paths via strings.
Writing unvalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs.
Specifying a non-literal value as the script to execute in runInThisContext is unsafe.
Using anything but a string as an argument to require() is unsafe. Specify libraries via strings.
Use of allocUnsafe() is unsafe. Use Buffer.alloc().
Specifying the command of a child-process member with a non-literal value is unsafe.
Using anything but a string in the constructor of a regular expression can result in a DoS attack. Specify the expression via strings.
Math.random() is cryptographically insecure. It can produce predictable values and is therefore not safe to use in a security-sensitive context. Make sure not to use Math.random in cryptographic implementations.
Serializing JavaScript with the option unsafe set to true is unsafe. Set the option unsafe to false.
