`) from receiving children", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "react-hooks_rules-of-hooks", + "title": "React hooks: Rules of hooks", + "description": "Enforces the Rules of Hooks", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-hooks_exhaustive-deps", + "title": "React hooks: Exhaustive deps", + "description": "Verifies the list of dependencies for Hooks like useEffect and similar", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_no-unused-styles", + "title": "React native: No unused styles", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_no-inline-styles", + "title": "React native: No inline styles", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_no-color-literals", + "title": "React native: No color literals", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_sort-styles", + "title": "React native: Sort styles", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_split-platform-components", + "title": "React native: Split platform components", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_no-raw-text", + "title": "React native: No raw text", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-native_no-single-element-style-arrays", + "title": "React native: No single element style arrays", + "description": "Disallow single element style arrays. These cause unnecessary re-renders as the identity of the array always changes", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_connect-prefer-minimum-two-arguments", + "title": "React redux: Connect prefer minimum two arguments", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_connect-prefer-named-arguments", + "title": "React redux: Connect prefer named arguments", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapDispatchToProps-prefer-shorthand", + "title": "React redux: MapDispatchToProps prefer shorthand", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapDispatchToProps-returns-object", + "title": "React redux: MapDispatchToProps returns object", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapDispatchToProps-prefer-parameters-names", + "title": "React redux: MapDispatchToProps prefer parameters names", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapStateToProps-no-store", + "title": "React redux: MapStateToProps no store", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapStateToProps-prefer-hoisted", + "title": "React redux: MapStateToProps prefer hoisted", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapStateToProps-prefer-parameters-names", + "title": "React redux: MapStateToProps prefer parameters names", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_mapStateToProps-prefer-selectors", + "title": "React redux: MapStateToProps prefer selectors", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_useSelector-prefer-selectors", + "title": "React redux: UseSelector prefer selectors", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_no-unused-prop-types", + "title": "React redux: No unused prop types", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "react-redux_prefer-separate-component-file", + "title": "React redux: Prefer separate component file", + "timeToFix": 5 + }, { "parameters": [], "patternId": "redux-saga_no-yield-in-race", @@ -13409,316 +13771,266 @@ }, { "parameters": [], - "patternId": "scanjs-rules_accidental__assignment", - "title": "Scanjs rules: Accidental_assignment", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__hostname", - "title": "Scanjs rules: Assign_to_hostname", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__href", - "title": "Scanjs rules: Assign_to_href", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__location", - "title": "Scanjs rules: Assign_to_location", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__onmessage", - "title": "Scanjs rules: Assign_to_onmessage", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__pathname", - "title": "Scanjs rules: Assign_to_pathname", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__protocol", - "title": "Scanjs rules: Assign_to_protocol", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__search", - "title": "Scanjs rules: Assign_to_search", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_assign__to__src", - "title": "Scanjs rules: Assign_to_src", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_call__Function", - "title": "Scanjs rules: Call_Function", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_call__addEventListener", - "title": "Scanjs rules: Call_addEventListener", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_call__addEventListener__deviceproximity", - "title": "Scanjs rules: Call_addEventListener_deviceproximity", - "timeToFix": 5 - }, - { - "parameters": [], - "patternId": "scanjs-rules_call__addEventListener__message", - "title": "Scanjs rules: Call_addEventListener_message", + "patternId": "security_detect-unsafe-regex", + "title": "Security: Detect unsafe regex", + "description": "Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__connect", - "title": "Scanjs rules: Call_connect", + "patternId": "security_detect-non-literal-regexp", + "title": "Security: Detect non literal regexp", + "description": "Detects \"RegExp(variable)\", which might allow an attacker to DOS your server with a long-running regular expression.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__eval", - "title": "Scanjs rules: Call_eval", + "patternId": "security_detect-non-literal-require", + "title": "Security: Detect non literal require", + "description": "Detects \"require(variable)\", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__execScript", - "title": "Scanjs rules: Call_execScript", + "patternId": "security_detect-non-literal-fs-filename", + "title": "Security: Detect non literal fs filename", + "description": "Detects variable in filename argument of \"fs\" calls, which might allow an attacker to access anything on your system.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__hide", - "title": "Scanjs rules: Call_hide", + "patternId": "security_detect-eval-with-expression", + "title": "Security: Detect eval with expression", + "description": "Detects \"eval(variable)\" which can allow an attacker to run arbitrary code inside your process.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__open__remote=true", - "title": "Scanjs rules: Call_open_remote=true", + "patternId": "security_detect-pseudoRandomBytes", + "title": "Security: Detect pseudoRandomBytes", + "description": "Detects if \"pseudoRandomBytes()\" is in use, which might not give you the randomness you need and expect.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__parseFromString", - "title": "Scanjs rules: Call_parseFromString", + "patternId": "security_detect-possible-timing-attacks", + "title": "Security: Detect possible timing attacks", + "description": "Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__setAttribute__mozbrowser", - "title": "Scanjs rules: Call_setAttribute_mozbrowser", + "patternId": "security_detect-no-csrf-before-method-override", + "title": "Security: Detect no csrf before method override", + "description": "Detects Express \"csrf\" middleware setup before \"method-override\" middleware.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__setImmediate", - "title": "Scanjs rules: Call_setImmediate", + "patternId": "security_detect-buffer-noassert", + "title": "Security: Detect buffer noassert", + "description": "Detects calls to \"buffer\" with \"noAssert\" flag set.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__setInterval", - "title": "Scanjs rules: Call_setInterval", + "patternId": "security_detect-child-process", + "title": "Security: Detect child process", + "description": "Detects instances of \"child_process\" & non-literal \"exec()\" calls.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_call__setTimeout", - "title": "Scanjs rules: Call_setTimeout", + "patternId": "security_detect-disable-mustache-escape", + "title": "Security: Detect disable mustache escape", + "description": "Detects \"object.escapeMarkup = false\", which can be used with some template engines to disable escaping of HTML entities.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_identifier__indexedDB", - "title": "Scanjs rules: Identifier_indexedDB", + "patternId": "security_detect-object-injection", + "title": "Security: Detect object injection", + "description": "Detects \"variable[key]\" as a left- or right-hand assignment operand.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_identifier__localStorage", - "title": "Scanjs rules: Identifier_localStorage", + "patternId": "security_detect-new-buffer", + "title": "Security: Detect new buffer", + "description": "Detects instances of new Buffer(argument) where argument is any non-literal value.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_identifier__sessionStorage", - "title": "Scanjs rules: Identifier_sessionStorage", + "patternId": "security_detect-bidi-characters", + "title": "Security: Detect bidi characters", + "description": "Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_new__Function", - "title": "Scanjs rules: New_Function", + "patternId": "security-node_detect-absence-of-name-option-in-exrpress-session", + "title": "Security node: Detect absence of name option in exrpress session", + "description": "Detect the absence of name option in express session", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__addIdleObserver", - "title": "Scanjs rules: Property_addIdleObserver", + "patternId": "security-node_detect-buffer-unsafe-allocation", + "title": "Security node: Detect buffer unsafe allocation", + "description": "Buffer.allocUnsafe(size) is not safe and should not be used", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__createContextualFragment", - "title": "Scanjs rules: Property_createContextualFragment", + "patternId": "security-node_detect-child-process", + "title": "Security node: Detect child process", + "description": "Detect exec with non Literal argument", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__crypto", - "title": "Scanjs rules: Property_crypto", + "patternId": "security-node_detect-crlf", + "title": "Security node: Detect crlf", + "description": "Detect log forging attack ", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__geolocation", - "title": "Scanjs rules: Property_geolocation", + "patternId": "security-node_detect-dangerous-redirects", + "title": "Security node: Detect dangerous redirects", + "description": "Detect dangerous redirects", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__getUserMedia", - "title": "Scanjs rules: Property_getUserMedia", + "patternId": "security-node_detect-eval-with-expr", + "title": "Security node: Detect eval with expr", + "description": "Detect eval with string concatenation", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__indexedDB", - "title": "Scanjs rules: Property_indexedDB", + "patternId": "security-node_detect-html-injection", + "title": "Security node: Detect html injection", + "description": "Detect html injection", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__localStorage", - "title": "Scanjs rules: Property_localStorage", + "patternId": "security-node_detect-improper-exception-handling", + "title": "Security node: Detect improper exception handling", + "description": "Rule that detects improper exception handling", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__mgmt", - "title": "Scanjs rules: Property_mgmt", + "patternId": "security-node_detect-insecure-randomness", + "title": "Security node: Detect insecure randomness", + "description": "Detect insecure randomness via Math.random()", "timeToFix": 5 }, { "parameters": [], - "patternId": "scanjs-rules_property__sessionStorage", - "title": "Scanjs rules: Property_sessionStorage", + "patternId": "security-node_detect-non-literal-require-calls", + "title": "Security node: Detect non literal require calls", + "description": "Non literal require calls may cause an attack", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-unsafe-regex", - "title": "Security: Detect unsafe regex", - "description": "Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop.", + "patternId": "security-node_detect-nosql-injection", + "title": "Security node: Detect nosql injection", + "description": "Detect NOsql injection", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-non-literal-regexp", - "title": "Security: Detect non literal regexp", - "description": "Detects \"RegExp(variable)\", which might allow an attacker to DOS your server with a long-running regular expression.", + "patternId": "security-node_detect-option-multiplestatements-in-mysql", + "title": "Security node: Detect option multiplestatements in mysql", + "description": "Detect option mulitpleStatements:true in createConnection method of mysql", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-non-literal-require", - "title": "Security: Detect non literal require", - "description": "Detects \"require(variable)\", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.", + "patternId": "security-node_detect-option-rejectunauthorized-in-nodejs-httpsrequest", + "title": "Security node: Detect option rejectunauthorized in nodejs httpsrequest", + "description": "Detect option rejectUnauthorized:false in Nodejs https request method", "timeToFix": 5 }, { - "parameters": [], - "patternId": "security_detect-non-literal-fs-filename", - "title": "Security: Detect non literal fs filename", - "description": "Detects variable in filename argument of \"fs\" calls, which might allow an attacker to access anything on your system.", + "parameters": [], + "patternId": "security-node_detect-option-unsafe-in-serialize-javascript-npm-package", + "title": "Security node: Detect option unsafe in serialize javascript npm package", + "description": "Detect opion:unsafe in serialize method in serialize-javasript npm package", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-eval-with-expression", - "title": "Security: Detect eval with expression", - "description": "Detects \"eval(variable)\" which can allow an attacker to run arbitrary code inside your process.", + "patternId": "security-node_detect-possible-timing-attacks", + "title": "Security node: Detect possible timing attacks", + "description": "Detect possible timing attacks", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-pseudoRandomBytes", - "title": "Security: Detect pseudoRandomBytes", - "description": "Detects if \"pseudoRandomBytes()\" is in use, which might not give you the randomness you need and expect.", + "patternId": "security-node_detect-runinthiscontext-method-in-nodes-vm", + "title": "Security node: Detect runinthiscontext method in nodes vm", + "description": "Detect vm.runInThisContext() method in nodes vm with non Literal argument", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-possible-timing-attacks", - "title": "Security: Detect possible timing attacks", - "description": "Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially.", + "patternId": "security-node_detect-security-missconfiguration-cookie", + "title": "Security node: Detect security missconfiguration cookie", + "description": "Detect security missconfiguration in express cookie", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-no-csrf-before-method-override", - "title": "Security: Detect no csrf before method override", - "description": "Detects Express \"csrf\" middleware setup before \"method-override\" middleware.", + "patternId": "security-node_detect-sql-injection", + "title": "Security node: Detect sql injection", + "description": "Detect SQL injection", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-buffer-noassert", - "title": "Security: Detect buffer noassert", - "description": "Detects calls to \"buffer\" with \"noAssert\" flag set.", + "patternId": "security-node_detect-unhandled-event-errors", + "title": "Security node: Detect unhandled event errors", + "description": "Require listening to errors when using EventEmitter", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-child-process", - "title": "Security: Detect child process", - "description": "Detects instances of \"child_process\" & non-literal \"exec()\" calls.", + "patternId": "security-node_detect-unhandled-async-errors", + "title": "Security node: Detect unhandled async errors", + "description": "Handle errors in asynchronous calls", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-disable-mustache-escape", - "title": "Security: Detect disable mustache escape", - "description": "Detects \"object.escapeMarkup = false\", which can be used with some template engines to disable escaping of HTML entities.", + "patternId": "security-node_disable-ssl-across-node-server", + "title": "Security node: Disable ssl across node server", + "description": "Process.env.NODE_TLS_REJECT_UNAUTHORIZED='0' disables SSL across node server!", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-object-injection", - "title": "Security: Detect object injection", - "description": "Detects \"variable[key]\" as a left- or right-hand assignment operand.", + "patternId": "security-node_non-literal-reg-expr", + "title": "Security node: Non literal reg expr", + "description": "Non literal regural expressions may cause possible attack", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-new-buffer", - "title": "Security: Detect new buffer", - "description": "Detects instances of new Buffer(argument) where argument is any non-literal value.", + "patternId": "simple-import-sort_imports", + "title": "Simple import sort: Imports", "timeToFix": 5 }, { "parameters": [], - "patternId": "security_detect-bidi-characters", - "title": "Security: Detect bidi characters", - "description": "Detects trojan source attacks that employ unicode bidi attacks to inject malicious code.", + "patternId": "simple-import-sort_exports", + "title": "Simple import sort: Exports", "timeToFix": 5 }, { @@ -13764,7 +14076,12 @@ "timeToFix": 5 }, { - "parameters": [], + "parameters": [ + { + "name": "ignoreStrings", + "description": "ignoreStrings" + } + ], "patternId": "sonarjs_no-duplicate-string", "title": "Sonarjs: No duplicate string", "description": "String literals should not be duplicated", @@ -13972,6 +14289,13 @@ "description": "Enforce sorted import declarations within modules", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "sort-keys-custom-order-fix_sort-keys-custom-order-fix", + "title": "Sort keys custom order fix: Sort keys custom order fix", + "description": "Require object keys to be sorted", + "timeToFix": 5 + }, { "parameters": [], "patternId": "sort-keys-fix_sort-keys-fix", @@ -13979,6 +14303,12 @@ "description": "Require object keys to be sorted", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "sorting_sort-object-props", + "title": "Sorting: Sort object props", + "timeToFix": 5 + }, { "parameters": [ { @@ -14133,6 +14463,66 @@ "description": "Do not use testing-library directly on stories", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "suitescript_script-type", + "title": "Suitescript: Script type", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_api-version", + "title": "Suitescript: Api version", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_no-invalid-modules", + "title": "Suitescript: No invalid modules", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_no-extra-modules", + "title": "Suitescript: No extra modules", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_no-log-module", + "title": "Suitescript: No log module", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_log-args", + "title": "Suitescript: Log args", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_module-vars", + "title": "Suitescript: Module vars", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_no-amd-name", + "title": "Suitescript: No amd name", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_entry-points", + "title": "Suitescript: Entry points", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "suitescript_no-module-extensions", + "title": "Suitescript: No module extensions", + "timeToFix": 5 + }, { "parameters": [], "patternId": "tailwindcss_classnames-order", @@ -14238,6 +14628,25 @@ "description": "Requires test attribute data-test-id on elements with the onSubmit property.", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "tsdoc_syntax", + "title": "Tsdoc: Syntax", + "description": "Validates that TypeScript documentation comments conform to the TSDoc standard", + "timeToFix": 5 + }, + { + "parameters": [ + { + "name": "allowList", + "description": "allowList" + } + ], + "patternId": "turbo_no-undeclared-env-vars", + "title": "Turbo: No undeclared env vars", + "description": "Do not allow the use of `process.env` without including the env key in any turbo.json", + "timeToFix": 5 + }, { "parameters": [], "patternId": "typescript-sort-keys_interface", @@ -14592,13 +15001,6 @@ "description": "Disallow unreadable IIFEs.", "timeToFix": 5 }, - { - "parameters": [], - "patternId": "unicorn_no-unsafe-regex", - "title": "Unicorn: No unsafe regex", - "description": "Disallow unsafe regular expressions.", - "timeToFix": 5 - }, { "parameters": [], "patternId": "unicorn_no-unused-properties", @@ -14744,6 +15146,12 @@ "description": "Require `new` when throwing an error.", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "unicorn_no-unsafe-regex", + "title": "Unicorn: No unsafe regex", + "timeToFix": 5 + }, { "parameters": [], "patternId": "unused-imports_no-unused-vars", @@ -14816,6 +15224,13 @@ "description": "Disallow use other than available `lang`", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "vue_block-order", + "title": "Vue: Block order", + "description": "Enforce order of component top-level elements", + "timeToFix": 5 + }, { "parameters": [], "patternId": "vue_block-spacing", @@ -15331,6 +15746,13 @@ "description": "Disallow using deprecated `inline-template` attribute (in Vue.js 3.0.0+)", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "vue_no-deprecated-model-definition", + "title": "Vue: No deprecated model definition", + "description": "Disallow deprecated `model` definition (in Vue.js 3.0.0+)", + "timeToFix": 5 + }, { "parameters": [], "patternId": "vue_no-deprecated-props-default-this", @@ -15437,7 +15859,12 @@ "timeToFix": 5 }, { - "parameters": [], + "parameters": [ + { + "name": "allowObjectPatternsAsParameters", + "description": "allowObjectPatternsAsParameters" + } + ], "patternId": "vue_no-empty-pattern", "title": "Vue: No empty pattern", "description": "Disallow empty destructuring patterns in ``", @@ -15584,7 +16011,14 @@ "parameters": [], "patternId": "vue_no-ref-object-destructure", "title": "Vue: No ref object destructure", - "description": "Disallow destructuring of ref objects that can lead to loss of reactivity", + "description": "Disallow usages of ref objects that can lead to loss of reactivity", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "vue_no-ref-object-reactivity-loss", + "title": "Vue: No ref object reactivity loss", + "description": "Disallow usages of ref objects that can lead to loss of reactivity", "timeToFix": 5 }, { @@ -15703,7 +16137,14 @@ "parameters": [], "patternId": "vue_no-setup-props-destructure", "title": "Vue: No setup props destructure", - "description": "Disallow destructuring of `props` passed to `setup`", + "description": "Disallow usages that lose the reactivity of `props` passed to `setup`", + "timeToFix": 5 + }, + { + "parameters": [], + "patternId": "vue_no-setup-props-reactivity-loss", + "title": "Vue: No setup props reactivity loss", + "description": "Disallow usages that lose the reactivity of `props` passed to `setup`", "timeToFix": 5 }, { @@ -15832,11 +16273,18 @@ "description": "Disallow use computed property like method", "timeToFix": 5 }, + { + "parameters": [], + "patternId": "vue_no-use-v-else-with-v-for", + "title": "Vue: No use v else with v for", + "description": "Disallow using `v-else-if`/`v-else` on the same element as `v-for`", + "timeToFix": 5 + }, { "parameters": [], "patternId": "vue_no-use-v-if-with-v-for", "title": "Vue: No use v if with v for", - "description": "Disallow use v-if on the same element as v-for", + "description": "Disallow using `v-if` on the same element as `v-for`", "timeToFix": 5 }, { @@ -16170,6 +16618,13 @@ "description": "Require control the display of the content inside `
+
+**ES2020:**
+
+- `"BigInt"`
+- `"BigInt64Array"`
+- `"BigUint64Array"`
+- `"Promise.allSettled"`
+- `"globalThis"`
+
+**ES2019:**
+
+- `"Object.fromEntries"`
+
+**ES2017:**
+
+- `"Atomics"`
+- `"Object.values"`
+- `"Object.entries"`
+- `"Object.getOwnPropertyDescriptors"`
+- `"SharedArrayBuffer"`
+
+**ES2015:**
+
+- `"Array.from"`
+- `"Array.of"`
+- `"Map"`
+- `"Math.acosh"`
+- `"Math.asinh"`
+- `"Math.atanh"`
+- `"Math.cbrt"`
+- `"Math.clz32"`
+- `"Math.cosh"`
+- `"Math.expm1"`
+- `"Math.fround"`
+- `"Math.hypot"`
+- `"Math.imul"`
+- `"Math.log10"`
+- `"Math.log1p"`
+- `"Math.log2"`
+- `"Math.sign"`
+- `"Math.sinh"`
+- `"Math.tanh"`
+- `"Math.trunc"`
+- `"Number.EPSILON"`
+- `"Number.isFinite"`
+- `"Number.isInteger"`
+- `"Number.isNaN"`
+- `"Number.isSafeInteger"`
+- `"Number.MAX_SAFE_INTEGER"`
+- `"Number.MIN_SAFE_INTEGER"`
+- `"Number.parseFloat"`
+- `"Number.parseInt"`
+- `"Object.assign"`
+- `"Object.getOwnPropertySymbols"`
+- `"Object.is"`
+- `"Object.setPrototypeOf"`
+- `"Promise"`
+- `"Proxy"`
+- `"Reflect"`
+- `"Set"`
+- `"String.fromCodePoint"`
+- `"String.raw"`
+- `"Symbol"`
+- `"Int8Array"`
+- `"Uint8Array"`
+- `"Uint8ClampedArray"`
+- `"Int16Array"`
+- `"Uint16Array"`
+- `"Int32Array"`
+- `"Uint32Array"`
+- `"Float32Array"`
+- `"Float64Array"`
+- `"DataView"`
+- `"WeakMap"`
+- `"WeakSet"`
+
+
+
+### Shared Settings
+
+The following options can be set by [shared settings](http://eslint.org/docs/user-guide/configuring.html#adding-shared-settings).
+Several rules have the same option, but we can set this option at once.
+
+- `version`
+
+For Example:
+
+```json
+{
+ "settings": {
+ "node": {
+ "version": ">=16.0.0",
+ }
+ },
+ "rules": {
+ "n/no-unsupported-features/es-builtins": ["error", {
+ "ignores": []
+ }]
+ }
+}
+```
+
+### Known limitations
+
+This rule cannot find non-static things.
+For example:
+
+- New properties and methods of instances.
+- New parameters of functions.
+- New `options` properties of function parameters.
+- New events.
+
+[`engines`]: https://docs.npmjs.com/files/package.json#engines
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/no-unsupported-features/es-builtins.js)
+- [Test source](../../../tests/lib/rules/no-unsupported-features/es-builtins.js)
diff --git a/docs/description/n_no-unsupported-features_es-syntax.md b/docs/description/n_no-unsupported-features_es-syntax.md
new file mode 100644
index 000000000..e4f51daae
--- /dev/null
+++ b/docs/description/n_no-unsupported-features_es-syntax.md
@@ -0,0 +1,140 @@
+# Disallow unsupported ECMAScript syntax on the specified version (`n/no-unsupported-features/es-syntax`)
+
+💼 This rule is enabled in the ✅ `recommended` [config](https://github.com/eslint-community/eslint-plugin-n#-configs).
+
+
+
+ECMAScript standard is updating every two months.
+You can check [node.green](https://node.green/) to know which Node.js version supports each ECMAScript feature.
+
+This rule reports unsupported ECMAScript syntax on the configured Node.js version as lint errors.
+Editor integrations of ESLint would be useful to know it in real-time.
+
+## 📖 Rule Details
+
+### Supported ECMAScript features
+
+This rule supports ECMAScript 2019 and proposals that have been approved as Stage 4 by August 2019.
+See also [TC39 finished proposals](https://github.com/tc39/proposals/blob/master/finished-proposals.md).
+
+Please configure your `.eslintrc` file to succeed to succeed in parsing the syntax.
+For example, set `2020` to `parserOptions.ecmaVersion`.
+
+### Configured Node.js version range
+
+[Configured Node.js version range](../../../README.md#configured-nodejs-version-range)
+
+### Options
+
+```json
+{
+ "n/no-unsupported-features/es-syntax": ["error", {
+ "version": ">=16.0.0",
+ "ignores": []
+ }]
+}
+```
+
+#### version
+
+As mentioned above, this rule reads the [`engines`] field of `package.json`.
+But, you can overwrite the version by `version` option.
+
+The `version` option accepts [the valid version range of `node-semver`](https://github.com/npm/node-semver#range-grammar).
+
+#### ignores
+
+If you are using transpilers, maybe you want to ignore the warnings about some features.
+You can use this `ignores` option to ignore the given features.
+
+The `"ignores"` option accepts an array of the following strings.
+
+
+
+**ES2020:**
+
+- `"bigint"`
+- `"dynamicImport"`
+- `"optionalChaining"`
+- `"nullishCoalescingOperators"`
+
+**ES2019:**
+
+- `"jsonSuperset"`
+- `"optionalCatchBinding"`
+
+**ES2018:**
+
+- `"asyncIteration"`
+- `"malformedTemplateLiterals"`
+- `"regexpLookbehind"`
+- `"regexpNamedCaptureGroups"`
+- `"regexpS"`
+- `"regexpUnicodeProperties"`
+- `"restSpreadProperties"`
+
+**ES2017:**
+
+- `"asyncFunctions"`
+- `"trailingCommasInFunctions"`
+
+**ES2016:**
+
+- `"exponentialOperators"`
+
+**ES2015:**
+
+- `"arrowFunctions"`
+- `"binaryNumericLiterals"`
+- `"blockScopedFunctions"`
+- `"blockScopedVariables"`
+- `"classes"`
+- `"computedProperties"`
+- `"defaultParameters"`
+- `"destructuring"`
+- `"forOfLoops"`
+- `"generators"`
+- `"modules"`
+- `"new.target"`
+- `"objectSuperProperties"`
+- `"octalNumericLiterals"`
+- `"propertyShorthands"`
+- `"regexpU"`
+- `"regexpY"`
+- `"restParameters"`
+- `"spreadElements"`
+- `"templateLiterals"`
+- `"unicodeCodePointEscapes"`
+
+
+
+[`engines`]: https://docs.npmjs.com/files/package.json#engines
+
+### Shared Settings
+
+The following options can be set by [shared settings](http://eslint.org/docs/user-guide/configuring.html#adding-shared-settings).
+Several rules have the same option, but we can set this option at once.
+
+- `version`
+
+For Example:
+
+```json
+{
+ "settings": {
+ "node": {
+ "version": ">=16.0.0",
+ }
+ },
+ "rules": {
+ "n/no-unsupported-features/es-syntax": ["error", {
+ "ignores": []
+ }]
+ }
+}
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/no-unsupported-features/es-syntax.js)
+- [Test source](../../../tests/lib/rules/no-unsupported-features/es-syntax.js)
diff --git a/docs/description/n_no-unsupported-features_node-builtins.md b/docs/description/n_no-unsupported-features_node-builtins.md
new file mode 100644
index 000000000..a31dfc3d0
--- /dev/null
+++ b/docs/description/n_no-unsupported-features_node-builtins.md
@@ -0,0 +1,351 @@
+# Disallow unsupported Node.js built-in APIs on the specified version (`n/no-unsupported-features/node-builtins`)
+
+💼 This rule is enabled in the ✅ `recommended` [config](https://github.com/eslint-community/eslint-plugin-n#-configs).
+
+
+
+Node.js community is improving built-in APIs continuously.
+You can check [Node.js Documentation](https://nodejs.org/api/) to know which Node.js version supports each Node.js API.
+
+This rule reports unsupported Node.js built-in APIs on the configured Node.js version as lint errors.
+Editor integrations of ESLint would be useful to know it in real-time.
+
+## 📖 Rule Details
+
+This rule reports APIs of Node.js built-in APIs on the basis of [Node.js v13.2.0 Documentation](https://nodejs.org/docs/v13.2.0/api/).
+
+### Configured Node.js version range
+
+[Configured Node.js version range](../../../README.md#configured-nodejs-version-range)
+
+### Options
+
+```json
+{
+ "n/no-unsupported-features/node-builtins": ["error", {
+ "version": ">=16.0.0",
+ "ignores": []
+ }]
+}
+```
+
+#### version
+
+As mentioned above, this rule reads the [`engines`] field of `package.json`.
+But, you can overwrite the version by `version` option.
+
+The `version` option accepts [the valid version range of `node-semver`](https://github.com/npm/node-semver#range-grammar).
+
+#### ignores
+
+If you are using transpilers, maybe you want to ignore the warnings about some features.
+You can use this `ignores` option to ignore the given features.
+
+The `"ignores"` option accepts an array of the following strings.
+
+
+
+**Globals:**
+
+- `"Buffer.alloc"`
+- `"Buffer.allocUnsafe"`
+- `"Buffer.allocUnsafeSlow"`
+- `"Buffer.from"`
+- `"TextDecoder"`
+- `"TextEncoder"`
+- `"URL"`
+- `"URLSearchParams"`
+- `"console.clear"`
+- `"console.count"`
+- `"console.countReset"`
+- `"console.debug"`
+- `"console.dirxml"`
+- `"console.group"`
+- `"console.groupCollapsed"`
+- `"console.groupEnd"`
+- `"console.table"`
+- `"console.markTimeline"`
+- `"console.profile"`
+- `"console.profileEnd"`
+- `"console.timeLog"`
+- `"console.timeStamp"`
+- `"console.timeline"`
+- `"console.timelineEnd"`
+- `"process.allowedNodeEnvironmentFlags"`
+- `"process.argv0"`
+- `"process.channel"`
+- `"process.cpuUsage"`
+- `"process.emitWarning"`
+- `"process.getegid"`
+- `"process.geteuid"`
+- `"process.hasUncaughtExceptionCaptureCallback"`
+- `"process.hrtime.bigint"`
+- `"process.ppid"`
+- `"process.release"`
+- `"process.report"`
+- `"process.setegid"`
+- `"process.seteuid"`
+- `"process.setUncaughtExceptionCaptureCallback"`
+- `"process.stdout.getColorDepth"`
+- `"process.stdout.hasColor"`
+- `"process.stderr.getColorDepth"`
+- `"process.stderr.hasColor"`
+- `"queueMicrotask"`
+- `"require.resolve.paths"`
+
+**`assert` module:**
+
+- `"assert.deepStrictEqual"`
+- `"assert.doesNotReject"`
+- `"assert.notDeepStrictEqual"`
+- `"assert.rejects"`
+- `"assert.strict"`
+- `"assert.strict.doesNotReject"`
+- `"assert.strict.rejects"`
+
+**`async_hooks` module:**
+
+- `"async_hooks"`
+- `"async_hooks.createHook"`
+
+**`buffer` module:**
+
+- `"buffer.Buffer.alloc"`
+- `"buffer.Buffer.allocUnsafe"`
+- `"buffer.Buffer.allocUnsafeSlow"`
+- `"buffer.Buffer.from"`
+- `"buffer.constants"`
+- `"buffer.kMaxLength"`
+- `"buffer.transcode"`
+
+**`child_process` module:**
+
+- `"child_process.ChildProcess"`
+
+**`console` module:**
+
+- `"console.clear"`
+- `"console.count"`
+- `"console.countReset"`
+- `"console.debug"`
+- `"console.dirxml"`
+- `"console.group"`
+- `"console.groupCollapsed"`
+- `"console.groupEnd"`
+- `"console.table"`
+- `"console.markTimeline"`
+- `"console.profile"`
+- `"console.profileEnd"`
+- `"console.timeLog"`
+- `"console.timeStamp"`
+- `"console.timeline"`
+- `"console.timelineEnd"`
+
+**`crypto` module:**
+
+- `"crypto.Certificate.exportChallenge"`
+- `"crypto.Certificate.exportPublicKey"`
+- `"crypto.Certificate.verifySpkac"`
+- `"crypto.KeyObject"`
+- `"crypto.createPrivateKey"`
+- `"crypto.createPublicKey"`
+- `"crypto.createSecretKey"`
+- `"crypto.constants"`
+- `"crypto.fips"`
+- `"crypto.generateKeyPair"`
+- `"crypto.generateKeyPairSync"`
+- `"crypto.getCurves"`
+- `"crypto.getFips"`
+- `"crypto.privateEncrypt"`
+- `"crypto.publicDecrypt"`
+- `"crypto.randomFillSync"`
+- `"crypto.randomFill"`
+- `"crypto.scrypt"`
+- `"crypto.scryptSync"`
+- `"crypto.setFips"`
+- `"crypto.sign"`
+- `"crypto.timingSafeEqual"`
+- `"crypto.verify"`
+
+**`dns` module:**
+
+- `"dns.Resolver"`
+- `"dns.resolvePtr"`
+- `"dns.promises"`
+
+**`events` module:**
+
+- `"events.EventEmitter.once"`
+- `"events.once"`
+
+**`fs` module:**
+
+- `"fs.Dirent"`
+- `"fs.copyFile"`
+- `"fs.copyFileSync"`
+- `"fs.mkdtemp"`
+- `"fs.mkdtempSync"`
+- `"fs.realpath.native"`
+- `"fs.realpathSync.native"`
+- `"fs.promises"`
+- `"fs.writev"`
+- `"fs.writevSync"`
+
+**`http2` module:**
+
+- `"http2"`
+
+**`inspector` module:**
+
+- `"inspector"`
+
+**`module` module:**
+
+- `"module.Module.builtinModules"`
+- `"module.Module.createRequireFromPath"`
+- `"module.Module.createRequire"`
+- `"module.Module.syncBuiltinESMExports"`
+- `"module.builtinModules"`
+- `"module.createRequireFromPath"`
+- `"module.createRequire"`
+- `"module.syncBuiltinESMExports"`
+
+**`os` module:**
+
+- `"os.constants"`
+- `"os.constants.priority"`
+- `"os.getPriority"`
+- `"os.homedir"`
+- `"os.setPriority"`
+- `"os.userInfo"`
+
+**`path` module:**
+
+- `"path.toNamespacedPath"`
+
+**`perf_hooks` module:**
+
+- `"perf_hooks"`
+- `"perf_hooks.monitorEventLoopDelay"`
+
+**`process` module:**
+
+- `"process.allowedNodeEnvironmentFlags"`
+- `"process.argv0"`
+- `"process.channel"`
+- `"process.cpuUsage"`
+- `"process.emitWarning"`
+- `"process.getegid"`
+- `"process.geteuid"`
+- `"process.hasUncaughtExceptionCaptureCallback"`
+- `"process.hrtime.bigint"`
+- `"process.ppid"`
+- `"process.release"`
+- `"process.report"`
+- `"process.resourceUsage"`
+- `"process.setegid"`
+- `"process.seteuid"`
+- `"process.setUncaughtExceptionCaptureCallback"`
+- `"process.stdout.getColorDepth"`
+- `"process.stdout.hasColor"`
+- `"process.stderr.getColorDepth"`
+- `"process.stderr.hasColor"`
+
+**`stream` module:**
+
+- `"stream.Readable.from"`
+- `"stream.finished"`
+- `"stream.pipeline"`
+
+**`trace_events` module:**
+
+- `"trace_events"`
+
+**`url` module:**
+
+- `"url.URL"`
+- `"url.URLSearchParams"`
+- `"url.domainToASCII"`
+- `"url.domainToUnicode"`
+
+**`util` module:**
+
+- `"util.callbackify"`
+- `"util.formatWithOptions"`
+- `"util.getSystemErrorName"`
+- `"util.inspect.custom"`
+- `"util.inspect.defaultOptions"`
+- `"util.inspect.replDefaults"`
+- `"util.isDeepStrictEqual"`
+- `"util.promisify"`
+- `"util.TextDecoder"`
+- `"util.TextEncoder"`
+- `"util.types"`
+- `"util.types.isBoxedPrimitive"`
+
+**`v8` module:**
+
+- `"v8"`
+- `"v8.DefaultDeserializer"`
+- `"v8.DefaultSerializer"`
+- `"v8.Deserializer"`
+- `"v8.Serializer"`
+- `"v8.cachedDataVersionTag"`
+- `"v8.deserialize"`
+- `"v8.getHeapCodeStatistics"`
+- `"v8.getHeapSnapshot"`
+- `"v8.getHeapSpaceStatistics"`
+- `"v8.serialize"`
+- `"v8.writeHeapSnapshot"`
+
+**`vm` module:**
+
+- `"vm.Module"`
+- `"vm.compileFunction"`
+
+**`worker_threads` module:**
+
+- `"worker_threads"`
+
+
+
+### Shared Settings
+
+The following options can be set by [shared settings](http://eslint.org/docs/user-guide/configuring.html#adding-shared-settings).
+Several rules have the same option, but we can set this option at once.
+
+- `version`
+
+For Example:
+
+```json
+{
+ "settings": {
+ "node": {
+ "version": ">=16.0.0",
+ }
+ },
+ "rules": {
+ "n/no-unsupported-features/node-builtins": ["error", {
+ "ignores": []
+ }]
+ }
+}
+```
+
+### Known limitations
+
+This rule cannot find non-static things.
+For example:
+
+- New properties and methods of instances.
+- New parameters of functions.
+- New `options` properties of function parameters.
+- New events.
+
+[`engines`]: https://docs.npmjs.com/files/package.json#engines
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/no-unsupported-features/node-builtins.js)
+- [Test source](../../../tests/lib/rules/no-unsupported-features/node-builtins.js)
diff --git a/docs/description/n_prefer-global_buffer.md b/docs/description/n_prefer-global_buffer.md
new file mode 100644
index 000000000..8acd74178
--- /dev/null
+++ b/docs/description/n_prefer-global_buffer.md
@@ -0,0 +1,71 @@
+# Enforce either `Buffer` or `require("buffer").Buffer` (`n/prefer-global/buffer`)
+
+
+
+The `Buffer` class of `buffer` module is defined as a global variable.
+
+```js
+console.log(Buffer === require("buffer").Buffer) //→ true
+```
+
+It will be readable if we use either `Buffer` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `Buffer` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/buffer": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `Buffer` rather than `require("buffer").Buffer`.
+- `"never"` ... enforces to use `require("buffer").Buffer` rather than the global variable `Buffer`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/buffer: [error]*/
+
+const { Buffer } = require("buffer")
+const b = Buffer.alloc(16)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/buffer: [error]*/
+
+const b = Buffer.alloc(16)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/buffer: [error, never]*/
+
+const b = Buffer.alloc(16)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/buffer: [error, never]*/
+
+const { Buffer } = require("buffer")
+const b = Buffer.alloc(16)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/buffer.js)
+- [Test source](../../../tests/lib/rules/prefer-global/buffer.js)
diff --git a/docs/description/n_prefer-global_console.md b/docs/description/n_prefer-global_console.md
new file mode 100644
index 000000000..f14fd6c94
--- /dev/null
+++ b/docs/description/n_prefer-global_console.md
@@ -0,0 +1,71 @@
+# Enforce either `console` or `require("console")` (`n/prefer-global/console`)
+
+
+
+The `console` module is defined as a global variable.
+
+```js
+console.log(console === require("console")) //→ true
+```
+
+It will be readable if we use either `console` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `console` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/console": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `console` rather than `require("console")`.
+- `"never"` ... enforces to use `require("console")` rather than the global variable `console`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/console: [error]*/
+
+const console = require("console")
+console.log("hello")
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/console: [error]*/
+
+console.log("hello")
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/console: [error, never]*/
+
+console.log("hello")
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/console: [error, never]*/
+
+const console = require("console")
+console.log("hello")
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/console.js)
+- [Test source](../../../tests/lib/rules/prefer-global/console.js)
diff --git a/docs/description/n_prefer-global_process.md b/docs/description/n_prefer-global_process.md
new file mode 100644
index 000000000..d99e27f51
--- /dev/null
+++ b/docs/description/n_prefer-global_process.md
@@ -0,0 +1,71 @@
+# Enforce either `process` or `require("process")` (`n/prefer-global/process`)
+
+
+
+The `process` module is defined as a global variable.
+
+```js
+process.log(process === require("process")) //→ true
+```
+
+It will be readable if we use either `process` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `process` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/process": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `process` rather than `require("process")`.
+- `"never"` ... enforces to use `require("process")` rather than the global variable `process`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/process: [error]*/
+
+const process = require("process")
+process.exit(0)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/process: [error]*/
+
+process.exit(0)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/process: [error, never]*/
+
+process.exit(0)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/process: [error, never]*/
+
+const process = require("process")
+process.exit(0)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/process.js)
+- [Test source](../../../tests/lib/rules/prefer-global/process.js)
diff --git a/docs/description/n_prefer-global_text-decoder.md b/docs/description/n_prefer-global_text-decoder.md
new file mode 100644
index 000000000..eeb523068
--- /dev/null
+++ b/docs/description/n_prefer-global_text-decoder.md
@@ -0,0 +1,71 @@
+# Enforce either `TextDecoder` or `require("util").TextDecoder` (`n/prefer-global/text-decoder`)
+
+
+
+The `TextDecoder` class of `util` module is defined as a global variable.
+
+```js
+console.log(TextDecoder === require("util").TextDecoder) //→ true
+```
+
+It will be readable if we use either `TextDecoder` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `TextDecoder` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/text-decoder": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `TextDecoder` rather than `require("util").TextDecoder`.
+- `"never"` ... enforces to use `require("util").TextDecoder` rather than the global variable `TextDecoder`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/text-decoder: [error]*/
+
+const { TextDecoder } = require("util")
+const u = new TextDecoder(s)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/text-decoder: [error]*/
+
+const u = new TextDecoder(s)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/text-decoder: [error, never]*/
+
+const u = new TextDecoder(s)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/text-decoder: [error, never]*/
+
+const { TextDecoder } = require("util")
+const u = new TextDecoder(s)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/text-decoder.js)
+- [Test source](../../../tests/lib/rules/prefer-global/text-decoder.js)
diff --git a/docs/description/n_prefer-global_text-encoder.md b/docs/description/n_prefer-global_text-encoder.md
new file mode 100644
index 000000000..371f9b3e2
--- /dev/null
+++ b/docs/description/n_prefer-global_text-encoder.md
@@ -0,0 +1,71 @@
+# Enforce either `TextEncoder` or `require("util").TextEncoder` (`n/prefer-global/text-encoder`)
+
+
+
+The `TextEncoder` class of `util` module is defined as a global variable.
+
+```js
+console.log(TextEncoder === require("util").TextEncoder) //→ true
+```
+
+It will be readable if we use either `TextEncoder` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `TextEncoder` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/text-encoder": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `TextEncoder` rather than `require("util").TextEncoder`.
+- `"never"` ... enforces to use `require("util").TextEncoder` rather than the global variable `TextEncoder`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/text-encoder: [error]*/
+
+const { TextEncoder } = require("util")
+const u = new TextEncoder(s)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/text-encoder: [error]*/
+
+const u = new TextEncoder(s)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/text-encoder: [error, never]*/
+
+const u = new TextEncoder(s)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/text-encoder: [error, never]*/
+
+const { TextEncoder } = require("util")
+const u = new TextEncoder(s)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/text-encoder.js)
+- [Test source](../../../tests/lib/rules/prefer-global/text-encoder.js)
diff --git a/docs/description/n_prefer-global_url-search-params.md b/docs/description/n_prefer-global_url-search-params.md
new file mode 100644
index 000000000..e2ff4b174
--- /dev/null
+++ b/docs/description/n_prefer-global_url-search-params.md
@@ -0,0 +1,71 @@
+# Enforce either `URLSearchParams` or `require("url").URLSearchParams` (`n/prefer-global/url-search-params`)
+
+
+
+The `URLSearchParams` class of `url` module is defined as a global variable.
+
+```js
+console.log(URLSearchParams === require("url").URLSearchParams) //→ true
+```
+
+It will be readable if we use either `URLSearchParams` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `URLSearchParams` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/url-search-params": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `URLSearchParams` rather than `require("url").URLSearchParams`.
+- `"never"` ... enforces to use `require("url").URLSearchParams` rather than the global variable `URLSearchParams`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/url-search-params: [error]*/
+
+const { URLSearchParams } = require("url")
+const u = new URLSearchParams(s)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/url-search-params: [error]*/
+
+const u = new URLSearchParams(s)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/url-search-params: [error, never]*/
+
+const u = new URLSearchParams(s)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/url-search-params: [error, never]*/
+
+const { URLSearchParams } = require("url")
+const u = new URLSearchParams(s)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/url-search-params.js)
+- [Test source](../../../tests/lib/rules/prefer-global/url-search-params.js)
diff --git a/docs/description/n_prefer-global_url.md b/docs/description/n_prefer-global_url.md
new file mode 100644
index 000000000..a38ab8f6e
--- /dev/null
+++ b/docs/description/n_prefer-global_url.md
@@ -0,0 +1,71 @@
+# Enforce either `URL` or `require("url").URL` (`n/prefer-global/url`)
+
+
+
+The `URL` class of `url` module is defined as a global variable.
+
+```js
+console.log(URL === require("url").URL) //→ true
+```
+
+It will be readable if we use either `URL` consistently.
+
+## 📖 Rule Details
+
+This rule enforces which `URL` we should use.
+
+### Options
+
+This rule has a string option.
+
+```json
+{
+ "n/prefer-global/url": ["error", "always" | "never"]
+}
+```
+
+- `"always"` (default) ... enforces to use the global variable `URL` rather than `require("url").URL`.
+- `"never"` ... enforces to use `require("url").URL` rather than the global variable `URL`.
+
+#### always
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-global/url: [error]*/
+
+const { URL } = require("url")
+const u = new URL(s)
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-global/url: [error]*/
+
+const u = new URL(s)
+```
+
+#### never
+
+Examples of 👎 **incorrect** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/url: [error, never]*/
+
+const u = new URL(s)
+```
+
+Examples of 👍 **correct** code for the `"never"` option:
+
+```js
+/*eslint n/prefer-global/url: [error, never]*/
+
+const { URL } = require("url")
+const u = new URL(s)
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-global/url.js)
+- [Test source](../../../tests/lib/rules/prefer-global/url.js)
diff --git a/docs/description/n_prefer-promises_dns.md b/docs/description/n_prefer-promises_dns.md
new file mode 100644
index 000000000..6e0a73ff1
--- /dev/null
+++ b/docs/description/n_prefer-promises_dns.md
@@ -0,0 +1,61 @@
+# Enforce `require("dns").promises` (`n/prefer-promises/dns`)
+
+
+
+Since Node.js v11.14.0, `require("dns").promises` API has been stable.
+Promise API and `async`/`await` syntax will make code more readable than callback API.
+
+## 📖 Rule Details
+
+This rule disallows callback API in favor of promise API.
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-promises/dns: [error]*/
+const dns = require("dns")
+
+function lookup(hostname) {
+ dns.lookup(hostname, (error, address, family) => {
+ //...
+ })
+}
+```
+
+```js
+/*eslint n/prefer-promises/dns: [error]*/
+import dns from "dns"
+
+function lookup(hostname) {
+ dns.lookup(hostname, (error, address, family) => {
+ //...
+ })
+}
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-promises/dns: [error]*/
+const { promises: dns } = require("dns")
+
+async function lookup(hostname) {
+ const { address, family } = await dns.lookup(hostname)
+ //...
+}
+```
+
+```js
+/*eslint n/prefer-promises/dns: [error]*/
+import { promises as dns } from "dns"
+
+async function lookup(hostname) {
+ const { address, family } = await dns.lookup(hostname)
+ //...
+}
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-promises/dns.js)
+- [Test source](../../../tests/lib/rules/prefer-promises/dns.js)
diff --git a/docs/description/n_prefer-promises_fs.md b/docs/description/n_prefer-promises_fs.md
new file mode 100644
index 000000000..e38130f4b
--- /dev/null
+++ b/docs/description/n_prefer-promises_fs.md
@@ -0,0 +1,61 @@
+# Enforce `require("fs").promises` (`n/prefer-promises/fs`)
+
+
+
+Since Node.js v11.14.0, `require("fs").promises` API has been stable.
+Promise API and `async`/`await` syntax will make code more readable than callback API.
+
+## 📖 Rule Details
+
+This rule disallows callback API in favor of promise API.
+
+Examples of 👎 **incorrect** code for this rule:
+
+```js
+/*eslint n/prefer-promises/fs: [error]*/
+const fs = require("fs")
+
+function readData(filePath) {
+ fs.readFile(filePath, "utf8", (error, content) => {
+ //...
+ })
+}
+```
+
+```js
+/*eslint n/prefer-promises/fs: [error]*/
+import fs from "fs"
+
+function readData(filePath) {
+ fs.readFile(filePath, "utf8", (error, content) => {
+ //...
+ })
+}
+```
+
+Examples of 👍 **correct** code for this rule:
+
+```js
+/*eslint n/prefer-promises/fs: [error]*/
+const { promises: fs } = require("fs")
+
+async function readData(filePath) {
+ const content = await fs.readFile(filePath, "utf8")
+ //...
+}
+```
+
+```js
+/*eslint n/prefer-promises/fs: [error]*/
+import { promises as fs } from "fs"
+
+async function readData(filePath) {
+ const content = await fs.readFile(filePath, "utf8")
+ //...
+}
+```
+
+## 🔎 Implementation
+
+- [Rule source](../../../lib/rules/prefer-promises/fs.js)
+- [Test source](../../../tests/lib/rules/prefer-promises/fs.js)
diff --git a/docs/description/n_process-exit-as-throw.md b/docs/description/n_process-exit-as-throw.md
new file mode 100644
index 000000000..aaf0ef139
--- /dev/null
+++ b/docs/description/n_process-exit-as-throw.md
@@ -0,0 +1,38 @@
+# Require that `process.exit()` expressions use the same code path as `throw` (`n/process-exit-as-throw`)
+
+💼 This rule is enabled in the ✅ `recommended` [config](https://github.com/eslint-community/eslint-plugin-n#-configs).
+
+
+
+## 📖 Rule Details
+
+```js
+function foo(a) {
+ if (a) {
+ return new Bar();
+ } else {
+ process.exit(1);
+ }
+}
+```
+
+ESLint does not address `process.exit()` as stop in code path analysis, then [consistent-return] rule will warn the above code.
+
+If you turn this rule on, ESLint comes to address `process.exit()` as throw in code path analysis. So, above code will get expected code path.
+
+This rule itself never warn code.
+
+## 📚 Related Rules
+
+- [consistent-return]
+- [no-fallthrough]
+- [no-unreachable]
+
+[consistent-return]: http://eslint.org/docs/rules/consistent-return
+[no-fallthrough]: http://eslint.org/docs/rules/no-fallthrough
+[no-unreachable]: http://eslint.org/docs/rules/no-unreachable
+
+## 🔎 Implementation
+
+- [Rule source](../../lib/rules/process-exit-as-throw.js)
+- [Test source](../../tests/lib/rules/process-exit-as-throw.js)
diff --git a/docs/description/n_shebang.md b/docs/description/n_shebang.md
new file mode 100644
index 000000000..63ab36392
--- /dev/null
+++ b/docs/description/n_shebang.md
@@ -0,0 +1,148 @@
+# Require correct usage of shebang (`n/shebang`)
+
+💼 This rule is enabled in the ✅ `recommended` [config](https://github.com/eslint-community/eslint-plugin-n#-configs).
+
+🔧 This rule is automatically fixable by the [`--fix` CLI option](https://eslint.org/docs/latest/user-guide/command-line-interface#--fix).
+
+
+
+When we make a CLI tool with Node.js, we add `bin` field to `package.json`, then we add a shebang the entry file.
+This rule suggests correct usage of shebang.
+
+## 📖 Rule Details
+
+This rule looks up `package.json` file from each linting target file.
+Starting from the directory of the target file, it goes up ancestor directories until found.
+
+If `package.json` was not found, this rule does nothing.
+
+This rule checks `bin` field of `package.json`, then if a target file matches one of `bin` files, it checks whether or not there is a correct shebang.
+Otherwise it checks whether or not there is not a shebang.
+
+The following patterns are considered problems for files in `bin` field of `package.json`:
+
+```js
+console.log("hello"); /*error This file needs shebang "#!/usr/bin/env node".*/
+```
+
+```js
+#!/usr/bin/env node /*error This file must not have Unicode BOM.*/
+console.log("hello");
+// If this file has Unicode BOM.
+```
+
+```js
+#!/usr/bin/env node /*error This file must have Unix linebreaks (LF).*/
+console.log("hello");
+// If this file has Windows' linebreaks (CRLF).
+```
+
+The following patterns are considered problems for other files:
+
+```js
+#!/usr/bin/env node /*error This file needs no shebang.*/
+console.log("hello");
+```
+
+The following patterns are not considered problems for files in `bin` field of `package.json`:
+
+```js
+#!/usr/bin/env node
+console.log("hello");
+```
+
+The following patterns are not considered problems for other files:
+
+```js
+console.log("hello");
+```
+
+### Options
+
+```json
+{
+ "n/shebang": ["error", {"convertPath": null}]
+}
+```
+
+#### convertPath
+
+If we use transpilers (e.g. Babel), perhaps the file path to a source code is never handled as a bin file.
+`convertPath` option tells to the rule, it needs to convert file paths.
+
+For example:
+
+```json
+{
+ "rules": {
+ "n/shebang": ["error", {
+ "convertPath": {
+ "src/**/*.jsx": ["^src/(.+?)\\.jsx$", "lib/$1.js"]
+ }
+ }]
+ }
+}
+```
+
+This option has the following shape: `{this.props.myData}
;
+ }
+ }
+
+ MyComponent.propTypes = {
+ myProp: PropTypes.string.isRequired
+ };
+
+ export default connect(mapStateToProps)(MyComponent);
+ ```
+
+ # Implementation details and Limitations
+
+ The rule actually runs `react/no-unused-prop-types` rule and then filters out the reports of props that are used within redux's `mapStateToProps` or `mapDispatchToProps`.
+ The rule only works within a context of a single file. So it would only work properly if compoent and container (react connect fucntion) are defined within the same file.
+
+ # Configuration
+
+ You'd want to disable `react/no-unused-prop-types` if you using this rule.
\ No newline at end of file
diff --git a/docs/description/react-redux_prefer-separate-component-file.md b/docs/description/react-redux_prefer-separate-component-file.md
new file mode 100644
index 000000000..70539b9af
--- /dev/null
+++ b/docs/description/react-redux_prefer-separate-component-file.md
@@ -0,0 +1,24 @@
+# Enforces that all connected components are defined in a separate file (react-redux/prefer-separate-component-file)
+
+And imports it to the container.
+
+## Rule details
+
+The following pattern is considered incorrect:
+
+```js
+const Component = () => {};
+connect(mapStateToProps, null)(Component)
+```
+
+The following patterns are considered correct:
+
+```js
+import Component from './component';
+connect(mapStateToProps, mapDispatchToProps)(Component)
+```
+
+```js
+const Component = require('./component')
+connect(mapStateToProps, mapDispatchToProps)(Component)
+```
diff --git a/docs/description/react-redux_useSelector-prefer-selectors.md b/docs/description/react-redux_useSelector-prefer-selectors.md
new file mode 100644
index 000000000..aab7f630f
--- /dev/null
+++ b/docs/description/react-redux_useSelector-prefer-selectors.md
@@ -0,0 +1,59 @@
+# Enforces that all useSelector hooks use named selector functions. (react-redux/useSelector-prefer-selectors)
+
+Using selectors in `useSelector` to pull data from the store or [compute derived data](https://redux.js.org/recipes/computing-derived-data#composing-selectors) allows you to decouple your containers from the state architecture and more easily enable memoization. This rule will ensure that every hook utilizes a named selector.
+
+## Rule details
+
+The following pattern is considered incorrect:
+
+```js
+const property = useSelector((state) => state.property)
+const property = useSelector(function (state) { return state.property })
+```
+
+The following patterns are considered correct:
+
+```js
+const selector = (state) => state.property
+
+function Component() {
+ const property = useSelector(selector)
+ // ...
+}
+```
+
+## Rule Options
+
+```js
+...
+"react-redux/useSelector-prefer-selectors": [Hello " + userControlledVal
++ "
"
+anyElement.insertAdjacentHTML | All | divElem.insertAdjacentHTML("",""+ userControlledVal + "");)
+
+### Difference between document.write functions and properties like innerHTML
+The document.write method:
+
+Let's take functions like document.write (or document.writeln) as an example to explain better the Sink and let's see the difference between this function and for example, the property innerHTML.
+
+As we can see, the document.write goes to operate in a direct way as Sink writing (output) the malicious code entered by a user who checks the value, going, in fact, to the following URL:
+
+ http://example.tld/page.html#?foo=
+
+ And, by analyzing the page code:
+
+```javascript
+
+```
+We can see that the Sink in question, therefore, the document.write will have the task of printing screen the data value inserted into the function as an argument, and though having passed the user argument of malicious JavaScript code, then the function will only unintentionally execute writing in the DOM code in question, then:
+
+```javascript
+alert(document.cookie);
+```
+
+Building up the browser side, then Client-side, a popup containing the cookie values of the current user session.
+
+**The innerHTML method:**
+Concerning the use of the innerHTML method, and, of how this can be abused by an object controlled directly by a user, we can make a more detailed example, then let’s take the following code:
+```javascript
+John Doe
+
+```
+As you can see, if we call the innerHTML method to retrieve the information, nothing happens, even in the case that instead of the name "John Doe" there has been the malicious JavaScript code; Instead let’s take another example:
+```javascript
+John Doe
+
+```
+
+Following this example script and browsing its URL:
+
+ http://example.tld/page.html?name=
+
+In this case, the browser will return us a window that is to show us that our JavaScript code passed to the URL parameter name, was executed.
+
+### Examples of vulnerable source code for the HTML Manipulation vulnerabilities
+At this point we can do is give a few examples so you can see the various existing possibilities that allow you to identify and subsequently Exploiting a vulnerability in HTML Manipulation type, then:
+* DOM Based XSS
+* Stored DOM Based XSS
+* Others
+
+###DOM Based Cross-Site-Scripting(DOM XSS)
+So,to explain this type of vulnerabality,we can also take one of the above examples that made it very simple:
+Taking the following vulnerable code:
+```javascript
+
+```
+* Source: document.URL
+* Sink: document.write()
+* Result: document.write(“”);
+
+The attack is possible to a Client-side level (this due to the # fragment identifier).
+
+To exploiting this attack just go to the following URL and specify the malicious code in the “foo=” parameter:
+
+ http://example.tld/page.html#foo=
+
+## Rule Details
+
+This rule aims to...
+
+Examples of **incorrect** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+Examples of **correct** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+## Further Reading
+[link 1](http://blog.blueclosure.com/2017/09/javascript-dangerous-functions-part-1.html)
diff --git a/docs/description/security-node_detect-improper-exception-handling.md b/docs/description/security-node_detect-improper-exception-handling.md
new file mode 100644
index 000000000..63de84a4c
--- /dev/null
+++ b/docs/description/security-node_detect-improper-exception-handling.md
@@ -0,0 +1,20 @@
+# detect improper exception handling (detect-improper-exception-handling)
+
+Node.js has the process global object, which is an EventEmitter object that in this case emits uncaught exceptions and brought up to the main event loop. In the event that an uncaught exception is thrown while your application is executing, it will result to it crashing. Thus, it is essential to make a listener for uncaught exceptions uwing the process object. There is no need for importing the process core module as it is nautomatically injected with Node.js.
+
+It is worth noting that this way of exception handling is intended as a last resort. Moreover, this type of event signals that the application is in an undefined state, and resuming the application is strongly discouraged and can cause greater issues.
+
+To not miss any uncaught exception and correctly use it is to do synchronous cleanup of allocated resources such as using handlers, file descriptors, custom loggers and similar before exiting the process with a non-zero exit code. Be aware that in displaying error messages it is recommended to log the necessary details but not as far as leaking detailed information such as stack traces to the user.
+
+### Example
+```javascript
+process.on("uncaughtException", function(err) {
+ // clean up allocated resources
+ // log necessary error details to log files
+ process.exit(1); // exit the process to avoid unknown state
+});
+```
+
+[link 1](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#handle-uncaughtexception)
+[link 2](https://nodejs.org/dist/latest-v16.x/docs/api/process.html#event-uncaughtexception)
+[link 3](https://nodejs.dev/learn/error-handling-in-nodejs#catching-uncaught-exceptions)
\ No newline at end of file
diff --git a/docs/description/security-node_detect-insecure-randomness.md b/docs/description/security-node_detect-insecure-randomness.md
new file mode 100644
index 000000000..255e790f5
--- /dev/null
+++ b/docs/description/security-node_detect-insecure-randomness.md
@@ -0,0 +1,71 @@
+# detect insecure randomness via Math.random() (detect-insecure-randomness)
+### Insecure Randomness
+The **Math.random()** function returns a floating-point, pseudo-random number in the range 0–1 (inclusive of 0, but not 1) with approximately uniform distribution over that range — which you can then scale to your desired range.
+The implementation selects the initial seed to the random number generation algorithm; it cannot be chosen or reset by the user.
+
+The **Math.random()** is often used to generate nonpredictable values such as random tokens, resource IDs, or UUIDs.
+However, Math.random() is cryptographically insecure.
+It can produce predictable values and is therefore not safe to use in a security-sensitive context.
+
+### How To Prevent It?
+Math.random() does not provide cryptographically secure random numbers.
+Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.
+
+### Crypto.getRandomValues()
+The Crypto.getRandomValues() method lets you get cryptographically strong random values.
+The array given as the parameter is filled with random numbers (random in its cryptographic meaning).
+
+To guarantee enough performance, implementations are not using a truly random number generator, but they are using a pseudo-random number generator seeded with a value with enough entropy.
+The PRNG used differs from one implementation to the other but is suitable for cryptographic usages.
+Implementations are also required to use a seed with enough entropy, like a system-level entropy source.
+
+### Syntax
+```javascript
+cryptoObj.getRandomValues(typedArray);
+```
+### Examples
+```javascript
+/* Assuming that window.crypto.getRandomValues is available */
+
+var array = new Uint32Array(10);
+window.crypto.getRandomValues(array);
+
+console.log("Your lucky numbers:");
+for (var i = 0; i < array.length; i++) {
+ console.log(array[i]);
+}
+```
+For a more secure implementation of **Math.random()**, you could try this:
+
+```javascript
+function secureMathRandom() {
+ // Divide a random UInt32 by the maximum value (2^32 -1) to get a result between 0 and 1
+ return window.crypto.getRandomValues(new Uint32Array(1))[0] / 4294967295;
+}
+```
+
+
+## Rule Details
+
+This rule aims to...
+
+Examples of **incorrect** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+Examples of **correct** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+
+## Further Reading
+[link 1](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
+[link 2](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random)
\ No newline at end of file
diff --git a/docs/description/security-node_detect-non-literal-require-calls.md b/docs/description/security-node_detect-non-literal-require-calls.md
new file mode 100644
index 000000000..8ac0e1a54
--- /dev/null
+++ b/docs/description/security-node_detect-non-literal-require-calls.md
@@ -0,0 +1,23 @@
+# Non literal require calls may cause an attack (detect-non-literal-require-calls)
+### require() with only literal arguments!
+Avoid requiring/importing another file with a path that was given as a parameter due to the concern that it could have originated from user input.
+This rule can be extended for accessing files in general(i.e fs.readFile()) or other sensitive resource access with dynamic variables originating from user input!
+Malicious user input could find its way to a parameter that is used to require tampered files, for example, a previously uploaded file on the filesystem, or access already existing system files.
+
+
+## Rule Details
+This rule is looking for require() with non-literal arguments!
+
+Examples of **incorrect** code for this rule:
+
+```js
+// insecure, as helperPath variable may have been modified by user input
+const uploadHelpers = require(helperPath);
+```
+
+Examples of **correct** code for this rule:
+
+```js
+// secure
+const uploadHelpers = require('./helpers/upload');
+```
diff --git a/docs/description/security-node_detect-nosql-injection.md b/docs/description/security-node_detect-nosql-injection.md
new file mode 100644
index 000000000..7ac2f09c6
--- /dev/null
+++ b/docs/description/security-node_detect-nosql-injection.md
@@ -0,0 +1,88 @@
+# detect NOsql injection (detect-nosql-injection)
+### The $where operator attack
+The **$where** operator has a vary dangerous feature: it allows you to pass a string that will be evaluated inside your server.
+
+To reproduce the problem, suppose that you have an online store and want to find out which users have more than X canceled orders.
+You could query as the following:
+```javascript
+var query = {
+ $where: "this.canceledOrders > " + req.body.canceled
+}
+db.collection('users').find(query).each(function(err, doc){
+ console.log(doc);
+})
+```
+
+In this case,mongo-sanitize will not help you if the input string **'0; return true'**.
+Your $where clause will be evaluated aas **this.canceledOrders > 0; return true** and all users would be returned.
+
+Or you could receive **'0; while(true){}'** as input and suffer a DoS attack.
+
+It also works for string inputs,like:
+```javascript
+var query = {
+ $where: "this.name === '" + req.body.name + "'"
+}
+```
+
+The attack could be the string **'\'; return \'\' == \''** and the where clause would be evaluated to **this.name === ''; return '' == ''**,that results in returning all users instead of only those who matches the clause.
+
+The solution here is to never use the $where operator.
+Why? I list it here:
+
+* Performance: since you can run arbitrary JavaScript code, the $where operator is not optimized. That means: indexes will be ignored.
+
+* Scope is not accessible: the solution to avoid the code injection would be to add the where clause inside a function, like the following:
+
+```javascript
+var query = {
+ $where : function() {
+ return.this.canceledOrders > threshold
+ }
+}
+```
+
+However, it won't work.
+The local variable value is not passed to Mongo and it returns the following error if executed in a shell
+
+```javascript
+Error: error: {
+ "$err" : "ReferenceError: threshold is not defined\n at _funcs2(_funcs2:1:45) near 's.canceledOrders > threshold }'",
+ "code" : 16722
+}
+```
+
+* There is always a better solution. In this case, you would use te operators **$eq** or **$gt**.
+
+
+## Rule Details
+
+This rule aims to...
+
+Examples of **incorrect** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+Examples of **correct** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+### Options
+
+If there are any options, describe them here. Otherwise, delete this section.
+
+## When Not To Use It
+
+Give a short description of when it would be appropriate to turn off this rule.
+
+## Further Reading
+
+If there are other links that describe the issue this rule addresses, please include them here in a bulleted list.
diff --git a/docs/description/security-node_detect-option-multiplestatements-in-mysql.md b/docs/description/security-node_detect-option-multiplestatements-in-mysql.md
new file mode 100644
index 000000000..0e1fafc79
--- /dev/null
+++ b/docs/description/security-node_detect-option-multiplestatements-in-mysql.md
@@ -0,0 +1,36 @@
+# detect option mulitpleStatements:true in createConnection method of mysql (detect-option-multiplestatements-in-mysql)
+
+Please describe the origin of the rule here.
+
+
+## Rule Details
+
+This rule aims to...
+
+Examples of **incorrect** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+Examples of **correct** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+### Options
+
+If there are any options, describe them here. Otherwise, delete this section.
+
+## When Not To Use It
+
+Give a short description of when it would be appropriate to turn off this rule.
+
+## Further Reading
+
+If there are other links that describe the issue this rule addresses, please include them here in a bulleted list.
diff --git a/docs/description/security-node_detect-option-rejectunauthorized-in-nodejs-httpsrequest.md b/docs/description/security-node_detect-option-rejectunauthorized-in-nodejs-httpsrequest.md
new file mode 100644
index 000000000..f99ed56ff
--- /dev/null
+++ b/docs/description/security-node_detect-option-rejectunauthorized-in-nodejs-httpsrequest.md
@@ -0,0 +1,36 @@
+# detect option rejectUnauthorized:false in Nodejs https request method (detect-option-rejectunauthorized-in-nodejs-httpsrequest)
+
+Please describe the origin of the rule here.
+
+
+## Rule Details
+
+This rule aims to...
+
+Examples of **incorrect** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+Examples of **correct** code for this rule:
+
+```js
+
+// fill me in
+
+```
+
+### Options
+
+If there are any options, describe them here. Otherwise, delete this section.
+
+## When Not To Use It
+
+Give a short description of when it would be appropriate to turn off this rule.
+
+## Further Reading
+
+If there are other links that describe the issue this rule addresses, please include them here in a bulleted list.
diff --git a/docs/description/security-node_detect-option-unsafe-in-serialize-javascript-npm-package.md b/docs/description/security-node_detect-option-unsafe-in-serialize-javascript-npm-package.md
new file mode 100644
index 000000000..ef6445d31
--- /dev/null
+++ b/docs/description/security-node_detect-option-unsafe-in-serialize-javascript-npm-package.md
@@ -0,0 +1,89 @@
+# detect opion:unsafe in serialize method in serialize-javasript npm package (detect-option-unsafe-in-serialize-javascript-npm-package)
+
+Serialize-javascript is a famous npm package that serializes javascript to a superset of JSON that includes regular expressions, dates and functions.
+
+### Automatic Escaping of HTML Characters
+A primary feature of this package is to serialize code to a string of literal JavaScript which can be embedded in an HTML document by adding it as the contents of the script element.
+In order to make this safe, HTML characters and JavaScript line terminators are escaped automatically.
+```javascript
+serialize({
+ haxorXSS: ''
+});
+```
+
+The above will produce the following string,HTML-escaped output which is safe to put into an HTML document as it will not cause the inline script element to terminate.
+```js
+'{"haxorXSS":"\\u003C\\u002Fscript\\u003E"}'
+```
+You can pass an optional unsafe argument to serialize() for straight serialization.
+
+### Options
+The serialize() function accepts an options object as its second argument.
+All options are being defaulted to undefined.
+
+### What about options.unsafe?
+This option is used to signal serialize() that we want to do a straight conversion, without the XSS protection.
+This options needs to be explicitly set to true.
+HTML characters and JavaScript line terminators will not be escaped.
+You will have to roll your own.
+
+```js
+serialize(obj,{unsafe:true});
+```
+
+### How does this HTML Injection Attack work in practice?
+
+Let's say we have a node.js web app.
+We’re running express.js and using ejs for our templating language.
+We’re fetching the name url param and injecting it into the ejs template.
+
+```js
+// routes/index.js
+router.get('/', function(req,res,next){
+ var name = req.query.name;
+ // we are passing the 'name' query to the template
+ res.render('index', {title: 'Home', name: name});
+});
+```
+
+```html
+//views/index.js template
+
+<%= title %>
+Welcome to <%= title %>
+Hi my name is <%- name %>
+ +``` +### The Attack +So far so good. Nothing fishy going on here. Now let’s try to insert a +``` +This is bad because we are allowing an (untrusted) user to execute any JavaScript they want on our page. + +### How can this attack hurt me? +An alert box on a page is pretty harmless. +So how could this hurt somebody? + +Here’s how an attacker could use this to get access to your bank account. + +* You’d receive an email with instructions to log into your bank + +* After login, you’re instructed to click on this link +```js + https://yourBankWebsite.com/account?id= +``` +When you log in, your bank’s website server starts a session for you (usually lasting 10–15 minutes, after which you are automatically logged out). +The session information (usually called a token) is stored in a cookie on your computer. +If the hacker can get you to log in, and then click the link he sent you, then maliciousCodeHere will run and could send your session token to the hacker. +This allows him to steal your session. +He could then (in theory) create a cookie on his computer and store your session information in it. +If that session is still active, he can visit your bank's website, and he’ll be logged in as you, and can browse around, look at bank account information, and possibly even initiate a transfer or change your password. +In summary, the hacker sent you a link, which caused you to run JavaScript in your browser, after you logged in, allowing him to steal protected information (in this case, the session token). +This is dangerous because you are running unsafe JS after you’ve been given access to your sensitive info. + + + +## Further Reading +[link 1](https://medium.com/@jamischarles/xss-aka-html-injection-attack-explained-538f46475f6c) +[link 2](https://www.npmjs.com/package/serialize-javascript) diff --git a/docs/description/security-node_detect-possible-timing-attacks.md b/docs/description/security-node_detect-possible-timing-attacks.md new file mode 100644 index 000000000..9f060cc12 --- /dev/null +++ b/docs/description/security-node_detect-possible-timing-attacks.md @@ -0,0 +1,36 @@ +# detect possible timing attacks (detect-possible-timing-attacks) + +Please describe the origin of the rule here. + + +## Rule Details + +This rule aims to... + +Examples of **incorrect** code for this rule: + +```js + +// fill me in + +``` + +Examples of **correct** code for this rule: + +```js + +// fill me in + +``` + +### Options + +If there are any options, describe them here. Otherwise, delete this section. + +## When Not To Use It + +Give a short description of when it would be appropriate to turn off this rule. + +## Further Reading + +If there are other links that describe the issue this rule addresses, please include them here in a bulleted list. diff --git a/docs/description/security-node_detect-runinthiscontext-method-in-nodes-vm.md b/docs/description/security-node_detect-runinthiscontext-method-in-nodes-vm.md new file mode 100644 index 000000000..28d68ab26 --- /dev/null +++ b/docs/description/security-node_detect-runinthiscontext-method-in-nodes-vm.md @@ -0,0 +1,54 @@ +# detect vm.runInThisContext() method in nodes vm (detect-runinthiscontext-method-in-nodes-vm) + +### Dive into VM's world +With node.js VM you can run JS code in a new "node process" that has no access to the standard node library - no **process**, no **console**, just basic plain JS: that's what the vm module lets you do. + +Let's take a look at the following example: + +```js +const vm = require('vm'); +let result = vm.runInNewContext('a + 1', {a: 2}); +console.log(result); // 3 +``` + +Here we are asking Node to create a new V8 context and run a bunch of code (a + 1) there for us, passing an object that constitutes the global environment of that new context ({a: 2}). + +Note that the current execution context is not affected by what happens in that new context: + +```js +let a = 0; +let result = vm.runInNewContext('a += 1', {a}); +console.log(a) // a +``` + +unless you specifically tell the VM that you want to re-use an existing context or to use the current context with **vm.runInThisContext()**: + +```js +a = 0; +vm.runInThisContext('a += 1'); +console.log(a) // 1 +``` +When you use the current execution context (runInThisContext) the executed code is going to have access to globally-defined variables of the current context which, of course, exposes us to the same kind of problems we’d have with eval. + + + + +Examples of **incorrect** code for this rule: + +```js + +// fill me in + +``` + +Examples of **correct** code for this rule: + +```js + +// fill me in + +``` + + +## Further Reading +[link 1](https://odino.org/eval-no-more-understanding-vm-vm2-nodejs/) diff --git a/docs/description/security-node_detect-security-missconfiguration-cookie.md b/docs/description/security-node_detect-security-missconfiguration-cookie.md new file mode 100644 index 000000000..8ae9c0a12 --- /dev/null +++ b/docs/description/security-node_detect-security-missconfiguration-cookie.md @@ -0,0 +1,41 @@ +# detect security missconfiguration in express cookie (detect-security-missconfiguration-cookie) +This vulnerability allows an attacker to access default accounts, unused pages, unpatched flaws, unprotected files, and directories, etc. to gain unauthorized access to or knowledge of the system. + +Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. + +Developers and system administrators need to work together to ensure that the entire stack is configured properly. + +### Attack Mechanics +If the server is misconfigured to leak internal implementation details via cookie names or HTTP response headers, then an attacker can use this information towards building site's risk profile and finding vulnerabilities + +### What about express-session? + +#### What is Express session used for? +You can **use sessions** to communicate data to middleware that's executed later or retrieve it later on, on subsequent requests. +Where is the session data stored? It depends on how you set up the express-session module. +All solutions store the session id in a cookie and keep the data server-side. + +#### How does express session work? +Until the cookie expires, every time you make a request, your browser will send the cookies back to the server. +A module like express-session will provide you with a nice API to work with sessions (letting you get & set data to the session), but under the hood, it will save and retrieve this data using a cookie. + +#### "Security" options of express-session +* **cookie.httpOnly**: Specifies the **boolean** value for the **HttpOnly Set-Cookie** attribute. +When truthy, the HttpOnly attribute is set, otherwise, it is not. +**By default**, the HttpOnly attribute **is set**. + +**Note**: Be careful when setting it to true, as compliant clients will not allow client-side JavaScript to see the cookie in document.cookie! + +So if this attribute is set, it prevents cookies from being accessed by browser JS scripts. + +* **cookie.secure**: Specifies the **boolean** value for the **Secure Set-Cookie** attribute. +When truthy, the Secure attribute is set, otherwise it is not.**By default**, the Secure attribute is **not** set. + +**Note**: Be careful when setting this to true, as compliant clients will not send the cookie back to the server in the future if the browser does not have an **HTTPS** connection. + +So if this attribute is set, cookies can only be configured over secure HTTPS connections. + + +## Further Reading +[link 1](https://www.npmjs.com/package/express-session) +[link 2](http://nodegoat.herokuapp.com/tutorial/a5) diff --git a/docs/description/security-node_detect-sql-injection.md b/docs/description/security-node_detect-sql-injection.md new file mode 100644 index 000000000..3f4cdcc4c --- /dev/null +++ b/docs/description/security-node_detect-sql-injection.md @@ -0,0 +1,93 @@ +# detect SQL injection (detect-sql-injection) + +### Database Injection +With a successful database injection, an attacker can execute malicious commands on a database to steal sensitive data, tamper with stored data, execute database administration operations, access contents of files present on the database filesystem, and, in some cases, issue commands to the host operating system. + +### SQL Injection Attack Mechanics +Dynamic database queries that include user-supplied inputs are the primary target behind the SQL injection attack. +When malicious data is concatenated to a SQL query, the SQL interpreter fails to distinguish between the intended command and input data, resulting in the execution of the malicious data as SQL commands. + +Let's consider a vulnerable SQL query, as shown in the example, that authenticates a user. + +```javascript +connection.query( + 'SELSECT * FROM accounts WHERE username = "' + + req.body.username + '" AND password = "' + passwordHash + '"', + function(err, rows, fields) { + console.log("Result = " + JSON.stringify(rows)); + }); +``` + +The above example illustrates code that dynamically constructs a SQL query by appending the user-supplied request parameter username. +To exploit this query, an attacker can enter admin' -- as a username, which ultimately results in executing the SQL query, as shown in the following Example + +```javascript +SELECT * FROM accounts WHERE username = 'admin' +``` + +The malicious user input eliminated the need for an attacker to submit a correct password because the part after -- in a SQL query is interpreted a comment, thus skipping the password comparison. + +Another more destructive, variation of SQL injection is possible with databases that support batch execution of multiple statements when those statements are followed by a semicolon. + +For example, if an attacker enters the string admin'; DELETE FROM accounts; --as username, the resultant query is equivalent to two statements, as shown in the following example, + +Example: Resultant query containing multiple SQL injection +```javascript +SELECT * FROM accounts WHERE username = 'admin'; +DELETE FROM accounts; +``` + +This query results in removing all user accounts from the database. + +An attacker can use a wide variety of malicious inputs for concluding injection, such as the following: + +* 1' OR '1'='1 or its equivalent URL-encoded text 1%27%200R%20%271%27%20%3D%20%271 to get all records and ignore-the latter part of the WHERE clause + +* %in user input to match any substring or _ to match any character + +### Preventing SQL Injection +The good news is that SQL injection is easy to prevent by using a few simple measures. + +### Use Pramaterized Queries To Bind All User-Supplied Data +A parameterized query is considered a silver bullet for preventing the dreaded SQL injection. +Parameterized queries prevent an attacker from changing the intent of a query, and enable the SQL interpreter to distinguish clearly between code and data. +Hence, as shown in the following example, always bind all user inputs to the query with parameters. + +Example: +```javascript +var mysql = require('mysql'); +var bcrypt = require('bcrypt-nodejs'); + +//Prepare query parameters +var username = req.body.username; +var passwordHash = bcrypt.hashSync(req.body.password,bcrypt.genSaltSync()); + +//Make connection to the MySQL database +var connection = mysql.createConnection({ + host: 'localhost', + user: 'db_user', + password: 'secret', + database: 'node_app_db' +}); +connection.connect(); +//Execute prepared statement with parameterized uesr inputs +var query = 'SELECT * FROM accounts WHERE username=? AND password=?'; +connection.query(query, [username,passwordHash], +function(err,rows,fields){ + console.log("Results = " JSON.stringify(rows)); +}); +connection.end(); +``` + +If an attacker enters the username as admin' --, the resultant query from the code in the above example would explicitly look for a username that matches the exact string admin' -- instead of admin, thus foiling the SQL injection attack. + +So what you can do? + +**You can use prepared Statements: For SQL calls, use prepared statements instead of building dynamic queries using string concatenation** + +That's exactly what this rule does! It checks for dynamic queries using string concatenation! + + +## Further Reading +[link 1](http://nodegoat.herokuapp.com/tutorial/a1) +[link 2](https://www.oreilly.com/library/view/securing-node-applications/9781491982426) diff --git a/docs/description/security-node_detect-unhandled-async-errors.md b/docs/description/security-node_detect-unhandled-async-errors.md new file mode 100644 index 000000000..fe94cddab --- /dev/null +++ b/docs/description/security-node_detect-unhandled-async-errors.md @@ -0,0 +1,64 @@ +# detect unhandled async errors (detect-unhandled-async-errors) + +It is impossible to have no errors in your program, even those of the best programmers have one way or another. There are some ways to handle errors in order to find and fix them. + +### try-catch method +```javascript +async function userProfile() { + try { + let user = await getUser(); + let friendsOfUser = await getFriendsOfUser(userId); + let posts = await getUsersPosts(userId); + + showUserProfilePage(user, friendsOfUser, posts); + } catch(e) { + console.log(e); + } +} +``` +Your code won't look too good having multiple request handlers each with a try/catch statement. + +### .catch method +The .catch method can be used if we want to know which error comes from which async request. + +```javascript +async function userProfile() { + let user = await getUser().catch(err => console.error('an error occurred')); + let friendsOfUser = await getFriendsOfUser(userId).catch(err => console.error('an error occurred')); + let posts = await getUsersPosts(userId).catch(err => console.error('an error occurred')); + + showUserProfilePage(user, friendsOfUser, posts); +} +``` + +### using a separate error handling function (Recommended) +With error handler functions. Lessening the need for try-catch blocks and .catch methods. + +```javascript +const handle = (promise) => { + return promise + .then(data => ([data, undefined])) + .catch(error => Promise.resolve([undefined, error])); +} + +async function userProfile() { + let [user, userErr] = await handle(getUser()); + + if(userErr) throw new Error('Could not fetch user details'); + + let [friendsOfUser, friendErr] = await handle( + getFriendsOfUser(userId) + ); + + if(friendErr) throw new Error('Could not fetch user\'s friends'); + + let [posts, postErr] = await handle(getUsersPosts(userId)); + + if(postErr) throw new Error('Could not fetch user\'s posts'); + + showUserProfilePage(user, friendsOfUser, posts); +} +``` + +[link 1](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#handle-errors-in-asynchronous-calls) +[link 2](https://dev.to/sobiodarlington/better-error-handling-with-async-await-2e5m) \ No newline at end of file diff --git a/docs/description/security-node_detect-unhandled-event-errors.md b/docs/description/security-node_detect-unhandled-event-errors.md new file mode 100644 index 000000000..50fcf6770 --- /dev/null +++ b/docs/description/security-node_detect-unhandled-event-errors.md @@ -0,0 +1,30 @@ +# detect unhandled error events (detect-unhandled-error-events) + +When using the EventEmitter, it cannot be denied that errors can occur anywhere in the chain. + +Given this code below: +```javascript +const EventEmitter = require('events') +const myEmitter = new EventEmitter() + +myEmitter.emit('error', new Error('whoops!')) +// Throws and crashes Node.js +``` +Since there is no error event listener called, the error will be thrown and will be treated as an uncaughtException. Once an error is emitted and unhandled, the Node.js application will crash. + +There should always be listeners for events at the least. This of course does not count out error events. + +```javascript +const EventEmitter = require('events') +const myEmitter = new EventEmitter() +// MUST: include error listener +myEmitter.on('error', (err) => { + console.error('An error occurred') +}) +myEmitter.emit('error', new Error('whoops!')) +// Prints: An error occurred +``` + + +[link 1](https://nodejs.org/dist/latest-v16.x/docs/api/events.html#error-events) +[link 2](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#listen-to-errors-when-using-eventemitter) \ No newline at end of file diff --git a/docs/description/security-node_disable-ssl-across-node-server.md b/docs/description/security-node_disable-ssl-across-node-server.md new file mode 100644 index 000000000..1fc173737 --- /dev/null +++ b/docs/description/security-node_disable-ssl-across-node-server.md @@ -0,0 +1,36 @@ +# process.env.NODE_TLS_REJECT_UNAUTHORIZED='0' disables SSL across node server! (disable-ssl-across-node-server) + +Please describe the origin of the rule here. + + +## Rule Details + +This rule aims to... + +Examples of **incorrect** code for this rule: + +```js + +// fill me in + +``` + +Examples of **correct** code for this rule: + +```js + +// fill me in + +``` + +### Options + +If there are any options, describe them here. Otherwise, delete this section. + +## When Not To Use It + +Give a short description of when it would be appropriate to turn off this rule. + +## Further Reading + +If there are other links that describe the issue this rule addresses, please include them here in a bulleted list. diff --git a/docs/description/security-node_non-literal-reg-expr.md b/docs/description/security-node_non-literal-reg-expr.md new file mode 100644 index 000000000..137e7868b --- /dev/null +++ b/docs/description/security-node_non-literal-reg-expr.md @@ -0,0 +1,41 @@ +# Non-literal regular expressions may cause possible attack (non-literal-reg-expr) + +### How a Regular Expression can bring your Node.js service down +The use of Regular Expressions (RegEx) is quite common among software engineers and DevOps IT roles where they specify a string pattern to match a specific string in a text. + +Often, programmers will use RegEx to validate that an input received from a user conforms to an expected condition. +For example: + +Testing that a user's provided e-mail address is valid: + +```js +var testEmail = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/.exec('john@example.com'); +``` + +### What does it have to do with Node.js? +The risk that is inherent with the use of Regular Expressions is the computational resources that require to parse text and match a given pattern. +A flawed Regular Expression pattern can be attacked in a manner where a provided user input for text to match will require an outstanding amount of CPU cycles to process the RegEx execution. +Such an attack will render a Node.js or JavaScript application unresponsive, and thus is referred to as a ReDoS — Regular Expression Denial of Service. + + +## Rule Details + +This rule aims to detect non-literal RegExp that may contains user's input! + +Examples of **incorrect** code for this rule: + +```js +RegExp('/\w+/' + input); +// OR +RegExp(input); +``` + +Examples of **correct** code for this rule: + +```js +RegExp('/\w+/'); +``` + + +## Further Reading +[link 1](https://medium.com/@liran.tal/node-js-pitfalls-how-a-regex-can-bring-your-system-down-cbf1dc6c4e02) \ No newline at end of file diff --git a/docs/description/suitescript_api-version.md b/docs/description/suitescript_api-version.md new file mode 100644 index 000000000..74ed686a4 --- /dev/null +++ b/docs/description/suitescript_api-version.md @@ -0,0 +1,51 @@ +# suitescript/api-version + +Enforces valid `@NApiVersion` tag values in the header block comment of every SuiteScript file. + +Does not report missing `@NApiVersion` tags. + +## Rule Details + +Valid tag values are `1.0`, `2.x`, `2.0`, and `2.1`. + +:white_check_mark: Using one of these values, the following pattern is **correct**: + +```js +/* eslint suitescript/api-version: "error" */ + +/** + * @NApiVersion [value] + */ +``` + +:x: The following patterns are **incorrect**: + +```js +/* eslint suitescript/api-version: "error" */ + +/** + * @NApiVersion + */ +``` +```js +/* eslint suitescript/api-version: "error" */ + +/** + * @NApiVersion2 + */ +``` +```js +/* eslint suitescript/api-version: "error" */ + +/** + * @NApiVersion 2 + */ +``` + +## Version + +This rule was introduced in version 1.0.0. + +## Source + +- [Rule source](../../lib/rules/api-version.js) \ No newline at end of file diff --git a/docs/description/suitescript_entry-points.md b/docs/description/suitescript_entry-points.md new file mode 100644 index 000000000..6173fbdc2 --- /dev/null +++ b/docs/description/suitescript_entry-points.md @@ -0,0 +1,127 @@ +# suitescript/entry-points + +Enforces the inclusion of at least one entry point based on the value provided in the `@NScriptType` tag. If no tag is provided, no entry point will be enforced. + +## Rule Details + +:white_check_mark: The following patterns are **correct**: + +```js +/* eslint suitescript/entry-points: "error" */ + +/** + * @NScriptType UserEventScript + */ + +define([], function() { + return { + beforeLoad: function() {} + } +}); +``` +```js +/* eslint suitescript/entry-points: "error" */ + +/** + * @NScriptType ClientScript + */ + +define([], function() { + return { + pageInit: function() {}, + somethingElse: function() {} + } +}); +``` +```js +/* eslint suitescript/entry-points: "error" */ + +// No @NScriptType tag + +define([], function() { + return { + somethingElse: function() {} + } +}); +``` + +:x: The following patterns are **incorrect**: + +```js +/* eslint suitescript/entry-points: "error" */ + +/** + * @NScriptType UserEventScript + */ + +define([], function() {}); +``` +```js +/* eslint suitescript/entry-points: "error" */ + +/** + * @NScriptType ClientScript + */ + +define([], function() { + return { + somethingElse: function() {} + } +}); +``` + +### Script Types and Their Respective Entry Points + +- BundleInstallationScript + - afterInstall + - afterUpdate + - beforeInstall + - beforeUninstall + - beforeUpdate +- ClientScript + - fieldChanged + - lineInit + - pageInit + - postSourcing + - saveRecord + - sublistChanged + - validateDelete + - validateField + - validateInsert + - validateLine + - localizationContextEnter + - localizationContextExit +- MapReduceScript + - getInputData + - map + - reduce + - summarize +- MassUpdateScript + - each +- Portlet + - render +- Restlet + - delete + - get + - post + - put +- ScheduledScript + - execute +- SDFInstallationScript + - run +- Suitelet + - onRequest +- UserEventScript + - afterSubmit + - beforeLoad + - beforeSubmit +- WorkflowActionScript + - onAction + +## Version + +This rule was introduced in version 1.0.0. + +## Source + +- [Rule source](../../lib/rules/entry-points.js) \ No newline at end of file diff --git a/docs/description/suitescript_log-args.md b/docs/description/suitescript_log-args.md new file mode 100644 index 000000000..2327ebfa1 --- /dev/null +++ b/docs/description/suitescript_log-args.md @@ -0,0 +1,81 @@ +# suitescript/log-args + +Enforces correct log arguments (title and details) in all `Log` methods. + +## Rule Details + +If no options are provided, the rule will require both title and details. + +:white_check_mark: The following patterns are **correct**: + +```js +/* eslint suitescript/log-args: "error" */ + +log.debug({ title: 'Title', details: 'Details' }); +``` +```js +/* eslint suitescript/log-args: "error" */ + +log.audit('Title', 'Details'); +``` +```js +/* eslint suitescript/log-args: "error" */ + +log.error('', 'Details'); +``` + +:x: The following patterns are **incorrect**: + +```js +/* eslint suitescript/log-args: "error" */ + +log.debug('Title'); +``` +```js +/* eslint suitescript/log-args: "error" */ + +log.audit({ details: 'Details' }); +``` + +## Rule Options + +```js +'suitescript/log-args': [foo
+
+ {{ x }}
+
+
+ {{ x }}
+
+
+
+ foo
+ {{ x }}
+ {{ x }}
+
+```
+
+