
@microsoft/eslint-plugin-sdl


@microsoft/eslint-plugin-sdl - npm Package Compare versions

Comparing version 0.0.0 to 0.1.0

config/angular.js

0

CODE_OF_CONDUCT.md

@@ -0,0 +0,0 @@ # Microsoft Open Source Code of Conduct

35

lib/index.js

@@ -5,3 +5,3 @@ // Copyright (c) Microsoft Corporation.

/**
* @fileoverview A plugin to extend the tslint rules for eslint
* @fileoverview ESLint plugin that implements rules intended for static testing during SDL
* @author Antonios Katopodis

@@ -14,17 +14,20 @@ */

//------------------------------------------------------------------------------
const path = require("path");
const fs = require('fs');
module.exports.rules = {
"no-cookies":{
create: function(context){
return {
":matches(MemberExpression[object.name='document'], MemberExpression[object.object.name='window'][object.property.name='document'], :matches(MemberExpression[object.object.object.type='ThisExpression'], MemberExpression[object.object.object.name='globalThis'])[object.object.property.name='window'][object.property.name='document'])[property.name='cookie']"(node) {
context.report(
{
node: node,
message: "Forbidden access to document.cookie property"
});
}
};
}
}
};
function readFilesAsMap(relativeDir) {
var absoluteDir = path.resolve(__dirname, relativeDir);
var files = fs.readdirSync(absoluteDir);
var output = {};
files.forEach(filename => {
var file = path.parse(filename);
var obj = require(path.join(absoluteDir, file.base));
output[file.name] = obj;
});
return output;
}
module.exports = {
rules: readFilesAsMap("./rules"),
configs: readFilesAsMap("../config")
}
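Review bot: `readFilesAsMap` hands every entry returned by `fs.readdirSync` to `require`, so anything that ends up in `lib/rules` or `config` inside the published package is executed when the plugin loads, whether or not it is a rule or config module. Skipping non-module entries at the top of the `forEach` callback, for example `if (file.ext !== ".js") return;`, keeps a stray file or a subdirectory from being loaded or from breaking plugin start-up. An explicit map of rule names would also make the exported set visible in review, at the cost of one line per new rule. The page has lost its `+`/`-` markers, so this assumes the `readFilesAsMap` lines are the 0.1.0 side.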

@@ -5,3 +5,3 @@ // Copyright (c) Microsoft Corporation.

/**
* @fileoverview Rule to disallow document.cookie property
* @fileoverview Rule to disallow usage of HTTP cookies
* @author Antonios Katopodis

@@ -12,3 +12,3 @@ */

const { reporters } = require("mocha");
const astUtils = require("../ast-utils");

@@ -18,20 +18,29 @@ //------------------------------------------------------------------------------

//------------------------------------------------------------------------------
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [] // no options
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description: "HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other more modern methods instead.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-cookies.md"
},
create: function(context) {
return {
":matches(MemberExpression[object.name='document'], MemberExpression[object.object.name='window'][object.property.name='document'], :matches(MemberExpression[object.object.object.type='ThisExpression'], MemberExpression[object.object.object.name='globalThis'])[object.object.property.name='window'][object.property.name='document'])[property.name='cookie']"(node) {
context.report(
{
node: node,
message: "Forbidden access to document.cookie property"
});
}
};
messages: {
doNotUseCookies: "Do not use HTTP cookies in modern applications"
}
},
create: function (context) {
const fullTypeChecker = astUtils.getFullTypeChecker(context);
return {
"MemberExpression[property.name='cookie']"(node) {
if (astUtils.isDocumentObject(node.object, context, fullTypeChecker)) {
context.report({
node: node,
messageId: "doNotUseCookies"
});
}
}
};
}
};
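Review bot: The selector `MemberExpression[property.name='cookie']` tests only the name of an identifier property, so it also matches a computed access through a variable called `cookie` (`document[cookie]`) and does not match the string-literal form `document["cookie"]`, where the property node is a `Literal`. Adding `[computed=false]` to this selector and a second selector on `[property.value='cookie']` would bring the rule in line with its description. Whether `astUtils.isDocumentObject` compensates cannot be seen from this page. `meta.fixable: "code"` is still declared although the `context.report` call passes no `fix`, so the field looks like it should be dropped.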
{
"name": "@microsoft/eslint-plugin-sdl",
"version": "0.0.0",
"description": "A plugin to extend the tslint rules for eslint",
"version": "0.1.0",
"description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)",
"keywords": [
"eslint",
"eslintplugin",
"eslint-plugin"
"eslint-plugin",
"sdl"
],
"author": "Antonios Katopodis",
"author": "Microsoft",
"main": "lib/index.js",

@@ -16,4 +17,7 @@ "scripts": {

"devDependencies": {
"@typescript-eslint/eslint-plugin": "^3.7.0",
"@typescript-eslint/parser": "^3.7.0",
"eslint": "^7.1.0",
"mocha": "^7.2.0"
"mocha": "^7.2.0",
"typescript": "^3.9.7"
},

@@ -20,0 +24,0 @@ "engines": {

@@ -0,4 +1,50 @@

# eslint-plugin-sdl
# Contributing
[ESLint Plugin](https://eslint.org/docs/developer-guide/working-with-plugins) focused on common security issues and misconfigurations.
Plugin is intended as a baseline for projects that follow [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/en-us/securityengineering/sdl) and use ESLint to perform [Static Analysis Security Testing (SAST)](https://www.microsoft.com/en-us/securityengineering/sdl/practices#practice9).
## Configs
Plugin is shipped with following [Shareable Configs](http://eslint.org/docs/developer-guide/shareable-configs):
- [angular](config/angular.js) - Set of rules for [Angular](https://angular.io) applications
- [angularjs](config/angularjs.js) - Set of rules for [AngularJS](https://docs.angularjs.org) applications
- [common](config/common.js) - Set of rules for common JavaScript applications
- [electron](config/electron.js) - Set of rules for Electron applications
- [react](config/react.js) - Set of rules for [ReactJS](https://reactjs.org) applications
- [**required**](config/required.js) - SDL Required rules for all applications
- [typescript](config/typescript.js) - Set of rules for TypeScript applications
## Rules
Where possible, we leverage existing rules from [ESLint](https://eslint.org/docs/rules/) and community plugins such as [react](https://github.com/yannickcr/eslint-plugin-react), [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/master/packages/eslint-plugin#supported-rules) or [security](https://github.com/nodesecurity/eslint-plugin-security#rules).
We also implemented several [custom rules](./lib/rules) where we did not find sufficient alternative in the community.
| Name | Description |
| --- | --- |
| [no-caller](https://eslint.org/docs/rules/no-caller) | Bans usage of deprecated functions `arguments.caller()` and `arguments.callee` that could potentially allow access to call stack. |
| [no-delete-var](https://eslint.org/docs/rules/no-delete-var) | Bans usage of operator `delete` on variables as it can lead to unexpected behavior. |
| [no-eval](https://eslint.org/docs/rules/no-eval) | Bans usage of [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) that allows code execution from string argument. |
| [no-implied-eval](https://eslint.org/docs/rules/no-implied-eval) | Bans usage of `setTimeout()`, `setInterval()` and `execScript()`. These functions are similar to `eval()` and prone to code execution. |
| [no-new-func](https://eslint.org/docs/rules/no-new-func) | Bans calling `new Function()` as it's similar to `eval()` and prone to code execution. |
| [@microsoft/sdl/no-angular-bypass-sanitizer](./docs/rules/no-angular-bypass-sanitizer.md) | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. |
| [@microsoft/sdl/no-angularjs-bypass-sce](./docs/rules/no-angularjs-bypass-sce.md) | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. |
| [@microsoft/sdl/no-angularjs-enable-svg](./docs/rules/no-angularjs-enable-svg.md) | Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. |
| [@microsoft/sdl/no-angularjs-sanitization-whitelist](./docs/rules/no-angularjs-sanitization-whitelist.md) | Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. |
| [@microsoft/sdl/no-cookies](./docs/rules/no-cookies.md) | HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. |
| [@microsoft/sdl/no-document-domain](./docs/rules/no-document-domain.md) | Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited. |
| [@microsoft/sdl/no-document-write](./docs/rules/no-document-write.md) | Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
| [@microsoft/sdl/no-electron-node-integration](./docs/rules/no-electron-node-integration.md) | [Node.js Integration](https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content) must not be enabled in any renderer that loads remote content to avoid remote code execution attacks. |
| [@microsoft/sdl/no-html-method](./docs/rules/no-html-method.md) | Direct calls to method `html()` often (e.g. in jQuery framework) manipulate DOM without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
| [@microsoft/sdl/no-inner-html](./docs/rules/no-inner-html.md) | Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
| [@microsoft/sdl/no-msapp-exec-unsafe](./docs/rules/no-msapp-exec-unsafe.md) | Calls to [`MSApp.execUnsafeLocalFunction()`](https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85)) bypass script injection validation and should be avoided. |
| [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |
| [@microsoft/sdl/no-winjs-html-unsafe](./docs/rules/no-winjs-html-unsafe.md) | Calls to [`WinJS.Utilities.setInnerHTMLUnsafe()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)) and similar methods do not perform any input validation and should be avoided. Use [`WinJS.Utilities.setInnerHTML()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. |
| [react/no-danger](https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/no-danger.md) | Bans usage of `dangerouslySetInnerHTML` property in React as it allows passing unsanitized HTML in DOM. |
| [@typescript-eslint/no-implied-eval](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/eslint-plugin/docs/rules/no-implied-eval.md) | Similar to built-in ESLint rule `no-implied-eval`. Bans usage of `setTimeout()`, `setInterval()`, `setImmediate()`, `execScript()` or `new Function()` as they are similar to `eval()` and allow code execution from string arguments. |
## Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a

@@ -5,0 +51,0 @@ Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us

@@ -0,0 +0,0 @@ <!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK -->

Sorry, the diff of this file is not supported yet
