@microsoft/eslint-plugin-sdl
Comparing version 0.1.0 to 0.1.1
@@ -8,10 +8,10 @@ /** | ||
module.exports = { | ||
plugins: [ | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
"@microsoft/sdl/no-angularjs-enable-svg": "error", | ||
"@microsoft/sdl/no-angularjs-sanitization-whitelist": "error", | ||
"@microsoft/sdl/no-angularjs-bypass-sce": "error" | ||
} | ||
plugins: [ | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
"@microsoft/sdl/no-angularjs-enable-svg": "error", | ||
"@microsoft/sdl/no-angularjs-sanitization-whitelist": "error", | ||
"@microsoft/sdl/no-angularjs-bypass-sce": "error" | ||
} | ||
} |
@@ -8,2 +8,5 @@ /** | ||
module.exports = { | ||
plugins: [ | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
@@ -10,0 +13,0 @@ "no-caller": "error", |
@@ -8,8 +8,8 @@ /** | ||
module.exports = { | ||
plugins: [ | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
"@microsoft/sdl/no-electron-node-integration": "error" | ||
} | ||
plugins: [ | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
"@microsoft/sdl/no-electron-node-integration": "error" | ||
} | ||
} |
@@ -9,7 +9,9 @@ /** | ||
plugins: [ | ||
"react" | ||
"react", | ||
"@microsoft/sdl" | ||
], | ||
rules: { | ||
"react/no-danger": "error" | ||
"react/no-danger": "error", | ||
"@microsoft/sdl/react-iframe-missing-sandbox": "error" | ||
} | ||
} |
@@ -16,2 +16,3 @@ /** | ||
"plugin:@microsoft/sdl/electron", | ||
"plugin:@microsoft/sdl/node", | ||
"plugin:@microsoft/sdl/react", | ||
@@ -18,0 +19,0 @@ "plugin:@microsoft/sdl/typescript" |
@@ -14,3 +14,4 @@ /** | ||
jsx: true | ||
} | ||
}, | ||
project: "**/tsconfig.json" | ||
}, | ||
@@ -17,0 +18,0 @@ plugins: [ |
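Review bot: `project: "**/tsconfig.json"` in a shared config switches every consumer over to type-aware parsing, and typescript-eslint's parser, as far as I recall, refuses to lint any file that is not included by one of the matched tsconfig files, so projects with scripts or tests outside a tsconfig will start failing with a parser error rather than a lint finding; a glob here is also re-resolved on every run, which can be slow on large repositories. The intent deserves a comment on the line, e.g. `// Enables type-aware rules (e.g. no-inner-html); every linted file must be covered by a matched tsconfig.json`, plus a README note on overriding parserOptions.project. The enclosing parserOptions object starts outside the hunk.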
# Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html) | ||
Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | ||
Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | ||
* [Rule Source](../../lib/rules/no-inner-html.js) | ||
* [Rule Test](../../tests/lib/rules/no-inner-html.js) | ||
## Related Rules | ||
* [tslint-microsoft-contrib/no-inner-html](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noInnerHtml.ts) | ||
* [eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/docs/rules/method.md) |
@@ -37,2 +37,8 @@ // Copyright (c) Microsoft Corporation. | ||
}, | ||
getCallerType(fullTypeChecker, object, context){ | ||
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(object); | ||
const tsType = fullTypeChecker.getTypeAtLocation(tsNode); | ||
const type = fullTypeChecker.typeToString(tsType); | ||
return type; | ||
}, | ||
isDocumentObject(node, context, fullTypeChecker) { | ||
@@ -39,0 +45,0 @@ if (fullTypeChecker) { |
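Review bot: getCallerType dereferences fullTypeChecker and context.parserServices unconditionally, while the rule code added in the same change (getNodeTypeAsString in no-inner-html.js) guards with `if (fullTypeChecker && node)` and falls back to "any", and then re-implements these same three lines instead of calling this helper. Either make the helper the single implementation (give it the null guard and have the rule call it) or drop it. Its parameter order (checker, node, context) also differs from the neighbouring isDocumentObject(node, context, fullTypeChecker), so a JSDoc line such as `/** Returns the TypeScript type of `object` as a string; only valid when a full type checker is available. */` would help callers. The enclosing exports object starts outside the hunk.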
@@ -21,13 +21,46 @@ // Copyright (c) Microsoft Corporation. | ||
schema: [], | ||
docs:{ | ||
description: "Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", | ||
docs: { | ||
description: "Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", | ||
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-inner-html.md" | ||
}, | ||
messages: { | ||
default: 'Do not write to DOM directly using innerHTML/outerHTML property' | ||
noInnerHtml: 'Do not write to DOM directly using innerHTML/outerHTML property', | ||
noInsertAdjacentHTML: 'Do not write to DOM using insertAdjacentHTML method' | ||
} | ||
}, | ||
create: function(context) { | ||
create: function (context) { | ||
const fullTypeChecker = astUtils.getFullTypeChecker(context); | ||
function getNodeTypeAsString(node) { | ||
if (fullTypeChecker && node) { | ||
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node); | ||
const tsType = fullTypeChecker.getTypeAtLocation(tsNode); | ||
const type = fullTypeChecker.typeToString(tsType); | ||
return type; | ||
} | ||
return "any"; | ||
} | ||
function mightBeHTMLElement(node) { | ||
const type = getNodeTypeAsString(node); | ||
return type === "HTMLElement" || type === "any"; | ||
} | ||
return { | ||
"CallExpression[arguments.length=2] > MemberExpression.callee[property.name='insertAdjacentHTML']"(node) { | ||
// Ignore known false positives | ||
if ( | ||
// element.insertAdjacentHTML('') | ||
node.parent?.arguments[1]?.type === 'Literal' && node.parent?.arguments[1]?.value === '' | ||
) { | ||
return; | ||
} | ||
if (mightBeHTMLElement(node.object)) { | ||
context.report({ | ||
node: node, | ||
messageId: "noInsertAdjacentHTML" | ||
}); | ||
} | ||
}, | ||
"AssignmentExpression[left.type='MemberExpression'][left.property.name=/innerHTML|outerHTML/]"(node) { | ||
@@ -41,18 +74,9 @@ // Ignore known false positives | ||
} | ||
// Test whether object type is HTMLElement when full type information is available | ||
if (fullTypeChecker) { | ||
const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node.left.object); | ||
const tsType = fullTypeChecker.getTypeAtLocation(tsNode); | ||
const type = fullTypeChecker.typeToString(tsType); | ||
if (type !== "any" && type !== "HTMLElement"){ | ||
return; | ||
} | ||
if (mightBeHTMLElement(node.left.object)) { | ||
context.report({ | ||
node: node, | ||
messageId: "noInnerHtml" | ||
}); | ||
} | ||
// Report it | ||
context.report({ | ||
node: node, | ||
messageId: "default" | ||
}); | ||
} | ||
@@ -59,0 +83,0 @@ }; |
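Review bot: mightBeHTMLElement accepts only the exact type strings "HTMLElement" and "any", so once type information is available an assignment through a more specific DOM type (HTMLDivElement, HTMLIFrameElement, a narrowed `HTMLElement | null`, or a plain Element) is silently skipped — a false negative in a rule meant to catch unsanitized HTML sinks, and the new insertAdjacentHTML listener inherits the same gap. A cheap widening is `return type === "any" || /^(HTML\w*)?Element$/.test(type);`; a more robust check would consult the checker's base-type information rather than compare names. The "any" fallback in getNodeTypeAsString should also be documented, e.g. `// Without type info the node cannot be excluded, so treat it as a possible element (prefers false positives over missed sinks).` The create() function and the returned listener object start before and continue past these hunks.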
{ | ||
"name": "@microsoft/eslint-plugin-sdl", | ||
"version": "0.1.0", | ||
"version": "0.1.1", | ||
"description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)", | ||
@@ -12,2 +12,8 @@ "keywords": [ | ||
"author": "Microsoft", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/microsoft/eslint-plugin-sdl" | ||
}, | ||
"homepage": "https://github.com/microsoft/eslint-plugin-sdl", | ||
"bugs": "https://github.com/microsoft/eslint-plugin-sdl/issues", | ||
"main": "lib/index.js", | ||
@@ -14,0 +20,0 @@ "scripts": { |
@@ -15,3 +15,5 @@ # eslint-plugin-sdl | ||
- [electron](config/electron.js) - Set of rules for Electron applications | ||
- [node](config/node.js) - Set of rules for Node applications | ||
- [react](config/react.js) - Set of rules for [ReactJS](https://reactjs.org) applications | ||
- [**recommended**](config/recommended.js) - SDL Recommended rules for all applications | ||
- [**required**](config/required.js) - SDL Required rules for all applications | ||
@@ -33,2 +35,3 @@ - [typescript](config/typescript.js) - Set of rules for TypeScript applications | ||
| [no-new-func](https://eslint.org/docs/rules/no-new-func) | Bans calling `new Function()` as it's similar to `eval()` and prone to code execution. | | ||
| [node/no-deprecated-api](https://github.com/mysticatea/eslint-plugin-node/blob/master/docs/rules/no-deprecated-api.md) | Bans usage of deprecated APIs in Node. | | ||
| [@microsoft/sdl/no-angular-bypass-sanitizer](./docs/rules/no-angular-bypass-sanitizer.md) | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. | | ||
@@ -46,3 +49,5 @@ | [@microsoft/sdl/no-angularjs-bypass-sce](./docs/rules/no-angularjs-bypass-sce.md) | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. | | ||
| [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. | | ||
| [@microsoft/sdl/no-unsafe-alloc](./docs/rules/no-unsafe-alloc.md) | When calling [`Buffer.allocUnsafe`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafe_size) and [`Buffer.allocUnsafeSlow`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafeslow_size), the allocated memory is not wiped-out and can contain old, potentially sensitive data. | | ||
| [@microsoft/sdl/no-winjs-html-unsafe](./docs/rules/no-winjs-html-unsafe.md) | Calls to [`WinJS.Utilities.setInnerHTMLUnsafe()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)) and similar methods do not perform any input validation and should be avoided. Use [`WinJS.Utilities.setInnerHTML()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. | | ||
| [@microsoft/sdl/react-iframe-missing-sandbox](./docs/rules/react-iframe-missing-sandbox.md) | The [sandbox](https://www.w3schools.com/tags/att_iframe_sandbox.asp) attribute enables an extra set of restrictions for the content in the iframe and should always be specified. | | ||
| [react/no-danger](https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/no-danger.md) | Bans usage of `dangerouslySetInnerHTML` property in React as it allows passing unsanitized HTML in DOM. | | ||
@@ -49,0 +54,0 @@ | [@typescript-eslint/no-implied-eval](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/eslint-plugin/docs/rules/no-implied-eval.md) | Similar to built-in ESLint rule `no-implied-eval`. Bans usage of `setTimeout()`, `setInterval()`, `setImmediate()`, `execScript()` or `new Function()` as they are similar to `eval()` and allow code execution from string arguments. | |