일부 자바스크립트 분석을 시도하기 위해 여러 보안 플러그인과 함께 ESLint를 설치했지만 소량의 취약한 자바스크립트를 입력하면 출력이 나오지 않습니다.
다음을 사용하여 ESLint를 설치했습니다.
npm i -g eslint eslint-plugin-standard eslint-plugin-import \
eslint-plugin-node eslint-plugin-promise eslint-config-standard \
eslint-config-semistandard
npm i -g eslint-plugin-scanjs-rules
npm i -g eslint-plugin-angularjs-security-rules
npm i -g eslint-plugin-react
npm i -g eslint-plugin-security
npm i -g eslint-plugin-no-wildcard-postmessage
npm i -g eslint-plugin-no-unsanitized
npm i -g eslint-plugin-vue
npm i -g eslint-plugin-prototype-pollution-security-rules
그런 다음 두 가지 모두에서 init를 실행했습니다.
npm init
eslint --init
? How would you like to use ESLint? To check syntax and find problems
? What type of modules does your project use? JavaScript modules (import/export)
? Which framework does your project use? None of these
? Where does your code run? (Press <space> to select, <a> to toggle all, <i> to invert selection)Browser
? What format do you want your config file to be in? JavaScript
[...]
Successfully created .eslintrc.js file in /js-analysis
다음과 같은 취약한 데모 코드를 입력합니다.
$ cat demo.js
var input = ['value',window.location.search.substring(2)]
document.getElementById("demo1").innerHTML = input.value;
var url = window.location.search.substring(1);
document.getElementById("demo2").innerHTML = "<a href='"+url+"'>About</a>";
패키지는 다음과 같습니다.
$ cat package.json
{
"name": "js-analysis",
"version": "1.0.0",
"description": "",
"main": "demo.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}
그러나 이 명령(플러그인은 취약한 unnerHTML 사용을 표시해야 한다고 말함)은 출력을 제공하지 않습니다.
$ eslint --plugin no-unsanitized ./demo.js
답변1
--plugin 옵션이 왜 작동하지 않는지 아직도 잘 모르겠습니다. 그러나 제가 찾은 해결 방법은 'eslint --init'를 실행한 후 생성된 .eslintrc.js 파일에 다음을 추가하는 것이었습니다.
다음과 같이 플러그인과 해당 규칙을 수동으로 추가하면 됩니다.
cat .eslintrc.js
module.exports = {
"env" : {
"browser" : true,
"es6" : true /** all es6 features except modules */
},
"plugins" : [
"scanjs-rules",
"no-unsanitized",
"prototype-pollution-security-rules"
],
"rules" : {
/** useful rules from eslint **/
/** ScanJS rules **/
"scanjs-rules/accidental_assignment": 1,
"scanjs-rules/assign_to_hostname" : 1,
"scanjs-rules/assign_to_href" : 1,
"scanjs-rules/assign_to_location" : 1,
"scanjs-rules/assign_to_onmessage" : 1,
"scanjs-rules/assign_to_pathname" : 1,
"scanjs-rules/assign_to_protocol" : 1,
"scanjs-rules/assign_to_search" : 1,
"scanjs-rules/assign_to_src" : 1,
"scanjs-rules/call_Function" : 1,
"scanjs-rules/call_addEventListener" : 1,
"scanjs-rules/call_addEventListener_deviceproximity" : 1,
"scanjs-rules/call_addEventListener_message" : 1,
"scanjs-rules/call_connect" : 1,
"scanjs-rules/call_eval" : 1,
"scanjs-rules/call_execScript" : 1,
"scanjs-rules/call_hide" : 1,
"scanjs-rules/call_open_remote=true" : 1,
"scanjs-rules/call_parseFromString" : 1,
"scanjs-rules/call_setImmediate" : 1,
"scanjs-rules/call_setInterval" : 1,
"scanjs-rules/call_setTimeout" : 1,
"scanjs-rules/identifier_indexedDB" : 1,
"scanjs-rules/identifier_localStorage" : 1,
"scanjs-rules/identifier_sessionStorage" : 1,
"scanjs-rules/new_Function" : 1,
"scanjs-rules/property_addIdleObserver" : 1,
"scanjs-rules/property_createContextualFragment" : 1,
"scanjs-rules/property_crypto": 1,
"scanjs-rules/property_geolocation" : 1,
"scanjs-rules/property_getUserMedia" : 1,
"scanjs-rules/property_indexedDB" : 1,
"scanjs-rules/property_localStorage" : 1,
"scanjs-rules/property_mgmt" : 1,
"scanjs-rules/property_sessionStorage" : 1,
/** no-unsanitized rules**/
"no-unsanitized/method": "error",
"no-unsanitized/property": "error",
/** prototype-pollution-security-rules rules**/
"prototype-pollution-security-rules/detect-merge": 1,
"prototype-pollution-security-rules/detect-merge-objects": 1,
"prototype-pollution-security-rules/detect-merge-options": 1,
"prototype-pollution-security-rules/detect-deep-extend": 1
}
};
다음과 같은 결합된 플러그인을 실행하는 것이 가능했습니다.
$ eslint vulnerable-javascript.js