
Writing more secure Javascript with ESLint

cphoton
April 16, 2016


Transcript

  1. ESLint - The pluggable Linting tool!

     Identifies patterns in JS code
     • Enforces coding styles
     • Enforces best practices
     Integrates with most editors and build tools
     Everything as a plugin:
     • Rules - Write your own rules! Use yeoman to get the boilerplate written for you!
     • Parsers - Write or choose your desired parser, e.g. espree/esprima, babel-eslint
     • Processors - If you want to process non-JS files as well
  2. Use ESLint to help one write more secure code

     Goal: Spot potentially suspicious code at build time
     ScanJS plugin
     • Set of rules developed by Mozilla
     • Most appropriate for security reviews
     • Good starting point to write more complex rules

       $ git clone https://github.com/mozfreddyb/eslint-config-scanjs.git
       $ cd eslint-config-scanjs
       $ ./install.sh
       $ cd your-project-folder
       $ eslint --no-eslintrc -c ~/.scanjs-eslintrc .
  3. Caveats

     False positives
     • Need a way to filter successive scan results
     False negatives
     • Runtime errors require a different set of tools
     • Unaware of custom APIs, cross-layer vulnerabilities or configuration files
     Write custom rules to mitigate - search on npm first!
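Writing one's own rule, as slide 1 and the last line of slide 3 suggest; this is an added example, not code from the deck or from the ScanJS rule set. It is a rule in ESLint's standard meta/create format that reports eval()/new Function() calls and innerHTML assignments; `lintNodes`, `SAMPLE_NODES` and the hand-built ESTree fragments are constructed stand-ins for ESLint's traversal so the rule can be tried without installing eslint.

```javascript
// Added example (not from the deck): a custom ESLint rule in the standard
// meta + create format, of the kind ScanJS ships. It flags eval()/new Function()
// and assignments to .innerHTML. It only reads ESTree node fields, so it is
// exercised below on hand-built nodes (constructed sample input) with a stub
// context; no eslint install is needed.
'use strict';
const CODE_FROM_STRING = new Set(['eval', 'Function']);

const noDangerousSinks = {
  meta: { type: 'problem', schema: [],
          docs: { description: 'flag eval/Function calls and innerHTML assignments for review' } },
  create(context) {
    // Shared by CallExpression (eval(src)) and NewExpression (new Function(src)).
    function reportCodeFromString(node) {
      if (node.callee.type === 'Identifier' && CODE_FROM_STRING.has(node.callee.name)) {
        context.report({ node, message: `${node.callee.name}() executes a string as code` });
      }
    }
    return {
      CallExpression: reportCodeFromString,
      NewExpression: reportCodeFromString,
      AssignmentExpression(node) {            // el.innerHTML = html
        const l = node.left;
        if (l.type === 'MemberExpression' && !l.computed &&
            l.property.type === 'Identifier' && l.property.name === 'innerHTML') {
          context.report({ node, message: 'innerHTML assignment parses the value as HTML (DOM XSS sink)' });
        }
      },
    };
  },
};

// Minimal stand-in for ESLint's traversal: feed a flat list of nodes to the
// rule's visitors with a stub context and return the reported messages.
function lintNodes(rule, nodes) {
  const messages = [];
  const visitors = rule.create({ report: (r) => messages.push(r.message) });
  for (const node of nodes) if (visitors[node.type]) visitors[node.type](node);
  return messages;
}

// Constructed nodes for: eval(input); el.innerHTML = html; el.textContent = html;
const ident = (name) => ({ type: 'Identifier', name });
const member = (obj, prop) => ({ type: 'MemberExpression', computed: false, object: ident(obj), property: ident(prop) });
const SAMPLE_NODES = [
  { type: 'CallExpression', callee: ident('eval'), arguments: [ident('input')] },
  { type: 'AssignmentExpression', operator: '=', left: member('el', 'innerHTML'), right: ident('html') },
  { type: 'AssignmentExpression', operator: '=', left: member('el', 'textContent'), right: ident('html') },
];
console.log(lintNodes(noDangerousSinks, SAMPLE_NODES)); // two findings: eval and innerHTML
```

Dropping the rule object into an eslint plugin (see the "How to write ESLint Plugin" link in the resources) lets real parser output flow through the same visitors; the textContent assignment is the control case that must stay silent.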
  4. Resources

     ESLint: http://eslint.org/
     ScanJS rules for ESLint: https://github.com/mozfreddyb/eslint-config-scanjs
     JavaScript Static Code Analyzer talk @ AppSecRioDeLaPlata 2015
     How to write ESLint Plugin: http://eslint.org/docs/developer-guide/working-with-plugins