Posted on by & filed under Content - Highlights and Reviews, Programming & Development.

codeA guest post by Adam Baldwin, the Chief Security officer at &yet and the Team Lead at ^Lift Security, where they help teams build more secure Node.js applications through assessments, consulting and education. Adam can be reached at @adam_baldwin.

As part of our code quality efforts at &yet, we require that developers lint their code. This allows us to technically enforce a number of things that contribute to code quality and help us keep code consistent among the developers on our team.

A new linting tool called ESLint for JavaScript has emerged that I feel will give the classics like jslint and jshint a run for their money, due to its plugin architecture and use of Esprima to provide the parsed JavaScript AST (Abstract Syntax Tree).

I’ve been experimenting with ESLint to identify potential security issues within code and I’ve published the work-in-progress here.

This post is a short walk-through of an ESLint plugin I created to identify regular expressions that are potentially vulnerable to ReDoS (Regular Express Denial of Service) and to give you some background for creating your own security-minded plugins.

Creating your first plugin

Getting started with your first ESLint plugin is easy. Just pop over and read the Developer Guide. It’s the best place to start!

Just as the developer guide suggests, we need our plugin to essentially subscribe to an AST node type. A great reference for this is the SpiderMonkey Parser API.

A lot of rule construction, until you get familiar with AST, is trial and error. Looking at how other rules are implemented can also be helpful.

The way I found out what I wanted to search for was to use the Esprima online parsing demo:

Once you have your rule firing on the right node type, it’s time to implement the logic.

To get some useful information about a given node we use context.getToken(). Here is what that function produces for the example when the rule is fired:

Now that we have found our regular expression, how do we test to see if it’s vulnerable? James Halliday (Substack) created a really nice module called safe-regex that takes a regular expression and tries to see if it’s vulnerable to ReDoS. This is so we can just require safe-regex to complete our tests.

Here is the final no-unsafe-regex plugin:

Running your plugin

This hung me up for a while. Say you need to create a config file that tells ESLint you want to run the plugin. It looks something like this (config.json):

Then we call our plugin by telling it which config file we want, where to find our rules, and finally what code to assess.

Given the file test.js, to lint that it looks like this:

The result looks something like this:

If you were paying close attention you noticed an issue with the plugin. It may identify regular_expressions, but it fails to identify regular expressions that look like:

I’ll leave solving this case as an exercise for the reader.

Linting doesn’t have to be just a tool to enforce pedantic rules about whitespace, semicolons or eval statements. ESLint provides a powerful framework for eliminating a wide variety of potentially dangerous patterns in your code (regular expressions, input validation, and so on). I think it provides a powerful new tool that’s worthy of consideration by security-conscious JavaScript developers.

For more information, checkout our Node.js books that cover security in Safari Books Online.

Not a subscriber? Sign up for a free trial.

Safari Books Online has the content you need

Node.js Recipes: A Problem-Solution Approach is your one-stop reference for learning how to solve Node.js problems. Node.js is the de facto framework for building JavaScript-powered servers. You will first be introduced to this exciting technology and what it can do, then learn through comprehensive and easy-to-follow recipes that use a problem-solution approach. Node.js Recipes teaches you to fully utilize the Node.js API, and leverage existing modules to build truly exciting projects.
Mastering Node.js will take you deep into this exciting development environment. Beginning with a comprehensive breakdown of its innovative non-blocking evented design, Node’s structure is explained in detail, laying out how its blazingly fast I/O performance simplifies the creation of fast servers, scalable architectures, and responsive web applications.
Node Security will start by helping you delve into the building blocks that make up typical Node applications. By understanding all of the layers that you are building on top of, you can write code defensively and securely. In doing so, you will be able to protect your user’s data and your infrastructure, while still using the rock-star technology behind Node.js.
Node.js in Action is an example-driven tutorial that starts at square one and guides you through all the features, techniques, and concepts you’ll need to build production-quality Node applications. You’ll start by learning how to set up your Node development environment, including loading the community-created extensions. Next, you’ll run several simple demonstration programs where you’ll learn the basics of a few common types of Node applications. Then you’ll dive into asynchronous programming, a model Node leverages to lessen application bottlenecks.

Tags: ESlint, Javascript, Node.js, plugins, security,

Comments are closed.