@microsoft/eslint-plugin-sdl - npm Package Compare versions

Comparing version 0.1.2 to 0.1.3

CODE_OF_CONDUCT.md

@@ -0,0 +0,0 @@ # Microsoft Open Source Code of Conduct

config/angular.js

@@ -0,0 +0,0 @@ /**

config/angularjs.js

@@ -0,0 +0,0 @@ /**

config/common.js

@@ -0,0 +0,0 @@ /**

config/electron.js

@@ -0,0 +0,0 @@ /**

config/node.js

@@ -0,0 +0,0 @@ /**

config/react.js

@@ -0,0 +0,0 @@ /**

config/recommended.js

@@ -0,0 +0,0 @@ /**

config/required.js

@@ -0,0 +0,0 @@ /**

config/typescript.js

@@ -14,4 +14,3 @@ /**
       jsx: true
-    },
-    project: "**/tsconfig.json"
+    }
   },
@@ -18,0 +17,0 @@ plugins: [

docs/rules/no-angular-bypass-sanitizer.md

@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angular-bypass-sanitizer)

docs/rules/no-angularjs-bypass-sce.md

@@ -0,0 +0,0 @@ # Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce)

docs/rules/no-angularjs-enable-svg.md

@@ -0,0 +0,0 @@ # Do not enable SVG support in AngularJS (no-angularjs-enable-svg)

docs/rules/no-angularjs-sanitization-whitelist.md

@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist)

docs/rules/no-cookies.md

@@ -0,0 +0,0 @@ # Do not use HTTP cookies in modern applications (no-cookies)

docs/rules/no-document-domain.md

@@ -0,0 +0,0 @@ # Do not write to document.domain property (no-document-domain)

docs/rules/no-document-write.md

@@ -0,0 +0,0 @@ # Do not write to DOM directly using document.write or document.writeln methods (no-document-write)

docs/rules/no-electron-node-integration.md

@@ -0,0 +0,0 @@ # Do not enable Node.js Integration for Remote Content (no-electron-node-integration)

docs/rules/no-html-method.md

@@ -0,0 +0,0 @@ # Do not write to DOM directly using jQuery html() method (no-html-method)

docs/rules/no-inner-html.md

@@ -0,0 +0,0 @@ # Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html)

docs/rules/no-insecure-random.md

@@ -0,0 +0,0 @@ # Do not use insecure random functions

docs/rules/no-msapp-exec-unsafe.md

 # Do not bypass script injection validation (no-msapp-exec-unsafe)
 
 Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided.

docs/rules/no-postmessage-star-origin.md

 # Do not use * as target origin when sending data to other windows (no-postmessage-star-origin)
 
 Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary.

docs/rules/no-unsafe-alloc.md

@@ -0,0 +0,0 @@ # Do not allocate uninitialized buffers in Node.js (no-unsafe-alloc)

docs/rules/no-winjs-html-unsafe.md

 # Do not set HTML using unsafe methods from WinJS.Utilities (no-winjs-html-unsafe)
 
 Calls to [`setInnerHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)), [`setOuterHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211698(v=win.10)) or [`insertAdjacentHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br229832(v=win.10)) methods from [Windows Library for JavaScript](https://docs.microsoft.com/en-us/previous-versions/windows/apps/mt502392(v=win.10)) do not perform input validation and should be avoided. Use alternate methods such as [`setInnerHTML`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead.

docs/rules/react-iframe-missing-sandbox.md

@@ -0,0 +0,0 @@ # An iframe element is missing a sandbox attribute (react-iframe-missing-sandbox)

lib/ast-utils.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/index.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-angular-bypass-sanitizer.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-angularjs-bypass-sce.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-angularjs-enable-svg.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-angularjs-sanitization-whitelist.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-cookies.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-document-domain.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-document-write.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-electron-node-integration.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-html-method.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-inner-html.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-insecure-random.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-msapp-exec-unsafe.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-postmessage-star-origin.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-unsafe-alloc.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/no-winjs-html-unsafe.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

lib/rules/react-iframe-missing-sandbox.js

@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation.

package.json

 {
   "name": "@microsoft/eslint-plugin-sdl",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)",
@@ -5,0 +5,0 @@ "keywords": [

README.md

@@ -45,2 +45,3 @@ # eslint-plugin-sdl
 | [@microsoft/sdl/no-inner-html](./docs/rules/no-inner-html.md) | Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. |
+| [@microsoft/sdl/no-insecure-url](./docs/rules/no-insecure-url.md) | Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending potentially sensitive data over untrusted networks in plaintext. |
 | [@microsoft/sdl/no-msapp-exec-unsafe](./docs/rules/no-msapp-exec-unsafe.md) | Calls to [`MSApp.execUnsafeLocalFunction()`](https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85)) bypass script injection validation and should be avoided. |
@@ -47,0 +48,0 @@ | [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |

SECURITY.md

@@ -0,0 +0,0 @@ <!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK -->

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

73236

increased by13.51%

Number of package files

53

increased by8.16%

Lines of code

1109

increased by5.32%

Number of lines in readme file

67

increased by1.52%

No dependency changes