@microsoft/eslint-plugin-sdl - npm Package Compare versions

Comparing version 0.1.0 to 0.1.1

.vscode/launch.json

16

config/angularjs.js

@@ -8,10 +8,10 @@ /**

module.exports = {
plugins: [
"@microsoft/sdl"
],
rules: {
"@microsoft/sdl/no-angularjs-enable-svg": "error",
"@microsoft/sdl/no-angularjs-sanitization-whitelist": "error",
"@microsoft/sdl/no-angularjs-bypass-sce": "error"
}
plugins: [
"@microsoft/sdl"
],
rules: {
"@microsoft/sdl/no-angularjs-enable-svg": "error",
"@microsoft/sdl/no-angularjs-sanitization-whitelist": "error",
"@microsoft/sdl/no-angularjs-bypass-sce": "error"
}
}

@@ -8,2 +8,5 @@ /**

module.exports = {
plugins: [
"@microsoft/sdl"
],
rules: {

@@ -10,0 +13,0 @@ "no-caller": "error",

@@ -8,8 +8,8 @@ /**

module.exports = {
plugins: [
"@microsoft/sdl"
],
rules: {
"@microsoft/sdl/no-electron-node-integration": "error"
}
plugins: [
"@microsoft/sdl"
],
rules: {
"@microsoft/sdl/no-electron-node-integration": "error"
}
}

@@ -9,7 +9,9 @@ /**

plugins: [
"react"
"react",
"@microsoft/sdl"
],
rules: {
"react/no-danger": "error"
"react/no-danger": "error",
"@microsoft/sdl/react-iframe-missing-sandbox": "error"
}
}

@@ -16,2 +16,3 @@ /**

"plugin:@microsoft/sdl/electron",
"plugin:@microsoft/sdl/node",
"plugin:@microsoft/sdl/react",

@@ -18,0 +19,0 @@ "plugin:@microsoft/sdl/typescript"

@@ -14,3 +14,4 @@ /**

jsx: true
}
},
project: "**/tsconfig.json"
},
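Review bot: `project: "**/tsconfig.json"` is set unconditionally in a shareable config, so if this is consumed through `@typescript-eslint/parser` (the `parserServices.esTreeNodeToTSNodeMap` use elsewhere in this change suggests so), every linted file must belong to a tsconfig matched by that glob or parsing fails outright, and consumers cannot unset it short of overriding `parserOptions` themselves. A comment on that line would spare the next reader the surprise: `// Needed for type-aware rules; every linted file must be covered by a tsconfig matched by this glob.` The enclosing `parserOptions` object starts outside the hunk.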

@@ -17,0 +18,0 @@ plugins: [

# Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html)
Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.
Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.
* [Rule Source](../../lib/rules/no-inner-html.js)
* [Rule Test](../../tests/lib/rules/no-inner-html.js)
## Related Rules
* [tslint-microsoft-contrib/no-inner-html](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noInnerHtml.ts)
* [eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/docs/rules/method.md)

@@ -37,2 +37,8 @@ // Copyright (c) Microsoft Corporation.

},
getCallerType(fullTypeChecker, object, context){
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(object);
const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
const type = fullTypeChecker.typeToString(tsType);
return type;
},
isDocumentObject(node, context, fullTypeChecker) {
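Review bot: `getCallerType` lands with no documentation and no guard for a receiver the node map cannot resolve: when `esTreeNodeToTSNodeMap.get(object)` yields `undefined` it is passed straight to `getTypeAtLocation`, which is likely to throw rather than return a type. A one-line guard covers it, `if (!fullTypeChecker || !object) { return "any"; }`, and a JSDoc such as `/** Returns the TypeScript type of an ESTree node as a display string ("any" when type information is unavailable). */` would state the contract callers rely on. Its parameter order `(fullTypeChecker, object, context)` is also the reverse of the sibling `isDocumentObject(node, context, fullTypeChecker)`, and `getNodeTypeAsString` in `lib/rules/no-inner-html.js` in this same change repeats this body instead of calling it.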

@@ -39,0 +45,0 @@ if (fullTypeChecker) {

@@ -21,13 +21,46 @@ // Copyright (c) Microsoft Corporation.

schema: [],
docs:{
description: "Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.",
docs: {
description: "Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-inner-html.md"
},
messages: {
default: 'Do not write to DOM directly using innerHTML/outerHTML property'
noInnerHtml: 'Do not write to DOM directly using innerHTML/outerHTML property',
noInsertAdjacentHTML: 'Do not write to DOM using insertAdjacentHTML method'
}
},
create: function(context) {
create: function (context) {
const fullTypeChecker = astUtils.getFullTypeChecker(context);
function getNodeTypeAsString(node) {
if (fullTypeChecker && node) {
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
const type = fullTypeChecker.typeToString(tsType);
return type;
}
return "any";
}
function mightBeHTMLElement(node) {
const type = getNodeTypeAsString(node);
return type === "HTMLElement" || type === "any";
}
return {
"CallExpression[arguments.length=2] > MemberExpression.callee[property.name='insertAdjacentHTML']"(node) {
// Ignore known false positives
if (
// element.insertAdjacentHTML('')
node.parent?.arguments[1]?.type === 'Literal' && node.parent?.arguments[1]?.value === ''
) {
return;
}
if (mightBeHTMLElement(node.object)) {
context.report({
node: node,
messageId: "noInsertAdjacentHTML"
});
}
},
"AssignmentExpression[left.type='MemberExpression'][left.property.name=/innerHTML|outerHTML/]"(node) {
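Review bot: `mightBeHTMLElement` accepts only the exact strings `"HTMLElement"` and `"any"` from `typeToString`, so with full type information a receiver typed `HTMLDivElement`, `Element` or `HTMLElement | null` is never reported, and both new handlers go silent in precisely the typed code where the checker could help. If `fullTypeChecker` is a TypeScript `TypeChecker` (as the `getTypeAtLocation` call suggests), the helper can walk union constituents and match the DOM element hierarchy by name rather than a single literal; a base-type walk would be more complete still. `create` continues past the end of this hunk.
```javascript
// … unchanged: getNodeTypeAsString …
function mightBeHTMLElement(node) {
  if (!fullTypeChecker || !node) {
    return true; // no type information: stay conservative and report
  }
  const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
  const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
  // Consider every union member so `HTMLElement | null` is still checked.
  const members = tsType.isUnion() ? tsType.types : [tsType];
  return members.some((t) => {
    const name = fullTypeChecker.typeToString(t);
    return name === "any" || name === "Element" || /^HTML\w*Element$/.test(name);
  });
}
```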

@@ -41,18 +74,9 @@ // Ignore known false positives

}
// Test whether object type is HTMLElement when full type information is available
if (fullTypeChecker) {
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node.left.object);
const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
const type = fullTypeChecker.typeToString(tsType);
if (type !== "any" && type !== "HTMLElement"){
return;
}
if (mightBeHTMLElement(node.left.object)) {
context.report({
node: node,
messageId: "noInnerHtml"
});
}
// Report it
context.report({
node: node,
messageId: "default"
});
}

@@ -59,0 +83,0 @@ };

{
"name": "@microsoft/eslint-plugin-sdl",
"version": "0.1.0",
"version": "0.1.1",
"description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)",

@@ -12,2 +12,8 @@ "keywords": [

"author": "Microsoft",
"repository": {
"type": "git",
"url": "https://github.com/microsoft/eslint-plugin-sdl"
},
"homepage": "https://github.com/microsoft/eslint-plugin-sdl",
"bugs": "https://github.com/microsoft/eslint-plugin-sdl/issues",
"main": "lib/index.js",

@@ -14,0 +20,0 @@ "scripts": {

@@ -15,3 +15,5 @@ # eslint-plugin-sdl

- [electron](config/electron.js) - Set of rules for Electron applications
- [node](config/node.js) - Set of rules for Node applications
- [react](config/react.js) - Set of rules for [ReactJS](https://reactjs.org) applications
- [**recommended**](config/recommended.js) - SDL Recommended rules for all applications
- [**required**](config/required.js) - SDL Required rules for all applications

@@ -33,2 +35,3 @@ - [typescript](config/typescript.js) - Set of rules for TypeScript applications

| [no-new-func](https://eslint.org/docs/rules/no-new-func) | Bans calling `new Function()` as it's similar to `eval()` and prone to code execution. |
| [node/no-deprecated-api](https://github.com/mysticatea/eslint-plugin-node/blob/master/docs/rules/no-deprecated-api.md) | Bans usage of deprecated APIs in Node. |
| [@microsoft/sdl/no-angular-bypass-sanitizer](./docs/rules/no-angular-bypass-sanitizer.md) | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. |

@@ -46,3 +49,5 @@ | [@microsoft/sdl/no-angularjs-bypass-sce](./docs/rules/no-angularjs-bypass-sce.md) | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. |

| [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |
| [@microsoft/sdl/no-unsafe-alloc](./docs/rules/no-unsafe-alloc.md) | When calling [`Buffer.allocUnsafe`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafe_size) and [`Buffer.allocUnsafeSlow`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafeslow_size), the allocated memory is not wiped-out and can contain old, potentially sensitive data. |
| [@microsoft/sdl/no-winjs-html-unsafe](./docs/rules/no-winjs-html-unsafe.md) | Calls to [`WinJS.Utilities.setInnerHTMLUnsafe()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)) and similar methods do not perform any input validation and should be avoided. Use [`WinJS.Utilities.setInnerHTML()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. |
| [@microsoft/sdl/react-iframe-missing-sandbox](./docs/rules/react-iframe-missing-sandbox.md) | The [sandbox](https://www.w3schools.com/tags/att_iframe_sandbox.asp) attribute enables an extra set of restrictions for the content in the iframe and should always be specified. |
| [react/no-danger](https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/no-danger.md) | Bans usage of `dangerouslySetInnerHTML` property in React as it allows passing unsanitized HTML in DOM. |

@@ -49,0 +54,0 @@ | [@typescript-eslint/no-implied-eval](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/eslint-plugin/docs/rules/no-implied-eval.md) | Similar to built-in ESLint rule `no-implied-eval`. Bans usage of `setTimeout()`, `setInterval()`, `setImmediate()`, `execScript()` or `new Function()` as they are similar to `eval()` and allow code execution from string arguments. |
