Add security rules

Author: David Bradshaw

README.md

@@ -62,7 +62,7 @@ The following esLint plugins are always loaded in this configuration:
 
 These plugins will be loaded in based on your project `dependencies` in `package.json`. If a supported library is part of your project then it's related esLint plugins will be loaded. The following packages are supported:
 
-- [eslint-plugin-fsa](https://github.com/joseph-galindo/eslint-plugin-fsa) - Flux Standard Action
+- [eslint-plugin-fsa](https://github.com/joseph-galindo/eslint-plugin-fsa)
 - [eslint-plugin-lodash](https://github.com/wix/eslint-plugin-lodash)
 - [eslint-plugin-lodash-fp](https://github.com/jfmengels/eslint-plugin-lodash-fp)
 - [eslint-plugin-ramda](https://github.com/ramda/eslint-plugin-ramda)
@@ -83,6 +83,7 @@ The prettier configs for different eslint plugins are also automatically include
 These plugins add code security rules to esLint.
 
 - [eslint-plugin-no-secrets](https://github.com/nickdeis/eslint-plugin-no-secrets)
+- [eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized)
 - [eslint-plugin-scanjs-rules](https://github.com/mozfreddyb/eslint-plugin-scanjs-rules)
 - [eslint-plugin-security](https://github.com/nodesecurity/eslint-plugin-security)
 - [eslint-plugin-sonarjs](https://github.com/SonarSource/eslint-plugin-sonarjs)

index.js

@@ -1,62 +1,8 @@
 const checkMissing = require('./lib/missing')
 const showLoaded = require('./lib/loaded')
-const { hasAnyDep } = require('./lib/utils')
+const { rules, extraInstallPackage } = require('./packages')
 
-// Base rules
-const rules = [
-  'array-func',
-  'eslint-comments',
-  'html',
-  'json-format',
-  'markdown',
-  'no-constructor-bind',
-  'no-use-extend-native',
-  'optimize-regex',
-  'promise',
-  'simple-import-sort',
-  'switch-case',
-  'unicorn',
-
-  // Security Rules
-  'no-secrets@0.5.4',
-  'scanjs-rules',
-  'security',
-  'sonarjs',
-]
-
-// Optionals rules besed on project dependencies
-const depRules = [
-  'lodash',
-  ['lodash', 'lodash-fp'],
-  'ramda',
-  'react-redux',
-  ['redux', 'fsa'],
-  'redux-saga',
-
-  // Test tools
-  'ava',
-  ['chai', 'chai-expect'],
-  ['chai', 'chai-friendly'],
-  'jasmine',
-  'jest',
-  ['jest', 'jest-async'],
-  'mocha',
-  ['mocha', 'mocha-cleanup'],
-  'qunit',
-  ['grunt-contrib-qunit', 'qunit'],
-  'cypress',
-  'prettier',
-]
-
-depRules.forEach((depRule) => {
-  const rule = typeof depRule === 'string' ? [depRule, depRule] : depRule
-  if (hasAnyDep(rule[0])) rules.push(rule[1])
-})
-
-// Extra required optional packages
-const extraInstallPkg = [['prettier', 'eslint-config-prettier']]
-
-checkMissing(rules, extraInstallPkg)
+checkMissing(rules, extraInstallPackage)
 showLoaded(rules, [])
 
 // Disable some rules in unit tests

package.json

@@ -32,6 +32,7 @@
     "read-pkg-up": "^7.0.1"
   },
   "devDependencies": {
+    "@typescript-eslint/eslint-plugin": "^3.1.0",
     "ava": "^3.8.2",
     "babel-eslint": "^10.1.0",
     "chai": "^4.2.0",
@@ -64,6 +65,7 @@
     "eslint-plugin-mocha-cleanup": "^1.8.0",
     "eslint-plugin-no-constructor-bind": "^2.0.0",
     "eslint-plugin-no-secrets": "^0.5.4",
+    "eslint-plugin-no-unsanitized": "^3.1.1",
     "eslint-plugin-no-use-extend-native": "^0.5.0",
     "eslint-plugin-only-error": "^1.0.2",
     "eslint-plugin-optimize-regex": "^1.2.0",

packages.js

@@ -0,0 +1,58 @@
+const { hasAnyDep } = require('./lib/utils')
+
+// Base rules
+const rules = [
+  'array-func',
+  'eslint-comments',
+  'html',
+  'json-format',
+  'markdown',
+  'no-constructor-bind',
+  'no-use-extend-native',
+  'optimize-regex',
+  'promise',
+  'simple-import-sort',
+  'switch-case',
+  'unicorn',
+
+  // Security Rules
+  'no-secrets@0.5.4',
+  'no-unsanitized',
+  'scanjs-rules',
+  'security',
+  'sonarjs',
+]
+
+// Optionals rules besed on project dependencies
+const depRules = [
+  ['redux', 'fsa'],
+  'lodash',
+  ['lodash', 'lodash-fp'],
+  'ramda',
+  'react-redux',
+  'redux-saga',
+
+  // Test tools
+  'ava',
+  ['chai', 'chai-expect'],
+  ['chai', 'chai-friendly'],
+  'jasmine',
+  'jest',
+  ['jest', 'jest-async'],
+  'mocha',
+  ['mocha', 'mocha-cleanup'],
+  'qunit',
+  ['grunt-contrib-qunit', 'qunit'],
+  'cypress',
+  'prettier',
+]
+
+depRules.forEach((depRule) => {
+  const rule = typeof depRule === 'string' ? [depRule, depRule] : depRule
+  if (hasAnyDep(rule[0])) rules.push(rule[1])
+})
+
+// Extra required optional packages
+const extraInstallPackage = [['prettier', 'eslint-config-prettier']]
+
+module.exports = { rules, extraInstallPackage }

rules/markdown.js

@@ -2,7 +2,7 @@ module.exports = {
   plugins: ['markdown'],
   overrides: [
     {
-      files: ['**/*.md'],
+      files: ['*.md', '**/*.md'],
       parserOptions: {
         ecmacFeatures: {
           impliedStrict: true,
@@ -17,7 +17,6 @@ module.exports = {
         'no-unused-vars': 'off',
         'prefer-reflect': 'off',
         strict: 'off',
-        'unicorn/filename-case': 'off',
       },
     },
   ],

rules/no-unsanitized.js

@@ -0,0 +1,7 @@
+module.exports = {
+  plugins: ['no-unsanitized'],
+  rules: {
+    'no-unsanitized/method': 'error',
+    'no-unsanitized/property': 'error',
+  },
+}

rules/security.js

@@ -3,5 +3,5 @@ module.exports = {
   extends: ['plugin:security/recommended'],
   rules: {
     'security/detect-object-injection': 0,
-  }
+  },
 }

rules/unicorn.js

@@ -1,5 +1,13 @@
 module.exports = {
   extends: ['plugin:unicorn/recommended'],
+  overrides: [
+    {
+      files: ['*.md', '**/*.md'],
+      rules: {
+        'unicorn/filename-case': 'off',
+      },
+    },
+  ],
   rules: {
     'unicorn/prefer-exponentiation-operator': 0,
     'unicorn/regex-shorthand': 0,