# ESLint

## target_in_scope

Fields listed per asset: asset_identifier, asset_type, availability requirement, confidentiality requirement, eligible for bounty, eligible for submission, integrity requirement, max_severity.

### https://github.com/eslint/eslint

- asset_type: SOURCE_CODE
- availability requirement: high
- confidentiality requirement: high
- integrity requirement: high
- max_severity: critical
[ESLint](https://github.com/eslint/eslint) is a static analysis tool for JavaScript code. We are interested in hearing about cases where running ESLint on an attacker-supplied source file, with an attacker-supplied set of JSON rule/parser option/environment configurations, could allow an attacker to execute arbitrary code. For example, the [demo](https://eslint.org/demo/) on `eslint.org` runs ESLint in the user's browser, with the source code and configuration specified in the URL hash. Some of our users also host services that can be used to lint untrusted code. An attack of this nature would likely indicate a [reflected cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) vulnerability on `eslint.org`, and similar vulnerabilities on other sites that run ESLint on user-supplied input.

Other potential security vulnerabilities in ESLint are also in scope, but note that most aspects of ESLint are not security-sensitive. For example, ESLint allows the user to load plugins and JavaScript config files, which are executed during a lint run. As a result, a malicious config file or plugin could compromise the user's system. However, we don't consider this to be an issue specific to ESLint; in general, it's important that a user doesn't run untrusted third-party code on a system.

For bugs in ESLint which don't have a security impact, please create an issue [here](https://github.com/eslint/eslint/issues/new?template=BUG_REPORT.md) instead.
### https://github.com/eslint/eslint-github-bot

- asset_type: SOURCE_CODE
- availability requirement: low
- confidentiality requirement: high
- integrity requirement: high
- max_severity: critical
`eslint-github-bot` is a webhook service that automates some common tasks for repositories run by the ESLint team. ESLint's instance of `eslint-github-bot` is hosted at https://jenkins.eslint.org:7999. Examples of potential security bugs in the bot include:

* An issue that allows an attacker to impersonate webhook events from GitHub
* An issue that allows an attacker to read or write files on the server hosting the bot
* An issue that causes the bot to create a large number of GitHub notifications resulting from a disproportionately small set of actions by an unauthorized GitHub user. For example, if it's possible to get the bot to comment on 100 issues by opening a single pull request, we'd like to know about it.
### jenkins.eslint.org

- asset_type: URL
- availability requirement: medium
- confidentiality requirement: high
- integrity requirement: high
- max_severity: critical
ESLint's Jenkins server is used to carry out releases of ESLint-maintained packages. As such, it has access to several confidential resources, including an npm token and an SSH key with access to all of ESLint's packages and repositories, respectively. The Jenkins server is intended to be locked down such that only authorized ESLint team members can view build information/logs and start releases. We'd be interested in hearing about any issues that would allow an unauthorized user to gain access to build information or to configure/start builds.

## target_out_of_scope

Fields listed per asset: asset_identifier, asset_type, availability requirement, confidentiality requirement, eligible for bounty, eligible for submission, integrity requirement, max_severity.