@microsoft/eslint-plugin-sdl
Comparing version 0.1.2 to 0.1.3
@@ -0,0 +0,0 @@ # Microsoft Open Source Code of Conduct |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -0,0 +0,0 @@ /** |
@@ -14,4 +14,3 @@ /** | ||
jsx: true | ||
}, | ||
project: "**/tsconfig.json" | ||
} | ||
}, | ||
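Review bot: the +/- markers did not survive this rendering, but the header (-14,4 +14,3) over these five lines only works out as two removals and one addition, which matches `},` and `project: "**/tsconfig.json"` going away and a bare `}` coming in. Dropping `project` from parserOptions means consumers of this config no longer get type-aware parsing; if that is intended, call it out in the release notes, otherwise keep the setting.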
@@ -18,0 +17,0 @@ plugins: [ |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angular-bypass-sanitizer) |
@@ -0,0 +0,0 @@ # Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) |
@@ -0,0 +0,0 @@ # Do not enable SVG support in AngularJS (no-angularjs-enable-svg) |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) |
@@ -0,0 +0,0 @@ # Do not use HTTP cookies in modern applications (no-cookies) |
@@ -0,0 +0,0 @@ # Do not write to document.domain property (no-document-domain) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using document.write or document.writeln methods (no-document-write) |
@@ -0,0 +0,0 @@ # Do not enable Node.js Integration for Remote Content (no-electron-node-integration) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using jQuery html() method (no-html-method) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html) |
@@ -0,0 +0,0 @@ # Do not use insecure random functions |
# Do not bypass script injection validation (no-msapp-exec-unsafe) | ||
Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided. |
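Review bot: this rule doc neither links the `MSApp.execUnsafeLocalFunction()` reference nor names what callers should do instead, while the README row for the same rule links https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85) and the no-winjs-html-unsafe doc points to `setInnerHTML` as the replacement. Add the link here and a sentence on the safe alternative so the two descriptions stay consistent.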
# Do not use * as target origin when sending data to other windows (no-postmessage-star-origin) | ||
Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |
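Review bot: "not * when sending data" reads awkwardly and a bare asterisk is easy to misread in Markdown; write it as `"*"` in backticks, and change "outside of trust boundary" to "outside of the trust boundary". The same sentence is copied into the README row for this rule, so fix both.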
@@ -0,0 +0,0 @@ # Do not allocate uninitialized buffers in Node.js (no-unsafe-alloc) |
# Do not set HTML using unsafe methods from WinJS.Utilities (no-winjs-html-unsafe) | ||
Calls to [`setInnerHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)), [`setOuterHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211698(v=win.10)) or [`insertAdjacentHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br229832(v=win.10)) methods from [Windows Library for JavaScript](https://docs.microsoft.com/en-us/previous-versions/windows/apps/mt502392(v=win.10)) do not perform input validation and should be avoided. Use alternate methods such as [`setInnerHTML`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. |
@@ -0,0 +0,0 @@ # An iframe element is missing a sandbox attribute (react-iframe-missing-sandbox) |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
{ | ||
"name": "@microsoft/eslint-plugin-sdl", | ||
"version": "0.1.2", | ||
"version": "0.1.3", | ||
"description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)", | ||
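Review bot: the version moves from 0.1.2 to 0.1.3, a patch bump, while this diff adds three new rules (no-msapp-exec-unsafe, no-postmessage-star-origin, no-winjs-html-unsafe). New rules can introduce new lint failures for consumers who enable them, so consider a minor bump or at least a changelog entry that lists the added rules.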
@@ -5,0 +5,0 @@ "keywords": [ |
@@ -45,2 +45,3 @@ # eslint-plugin-sdl | ||
| [@microsoft/sdl/no-inner-html](./docs/rules/no-inner-html.md) | Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | | ||
| [@microsoft/sdl/no-insecure-url](./docs/rules/no-insecure-url.md) | Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending potentially sensitive data over untrusted networks in plaintext. | | ||
| [@microsoft/sdl/no-msapp-exec-unsafe](./docs/rules/no-msapp-exec-unsafe.md) | Calls to [`MSApp.execUnsafeLocalFunction()`](https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85)) bypass script injection validation and should be avoided. | | ||
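Review bot: the README hunks visible here add rows for no-msapp-exec-unsafe and no-postmessage-star-origin, but I see no row for no-winjs-html-unsafe, whose rule doc is added in the same release; make sure the rule table lists it with a link to `./docs/rules/no-winjs-html-unsafe.md` like the other entries.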
@@ -47,0 +48,0 @@ | [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. | |
@@ -0,0 +0,0 @@ <!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK --> |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package