@microsoft/eslint-plugin-sdl
Advanced tools
Comparing version 0.1.5 to 0.1.6
@@ -0,0 +0,0 @@ # Microsoft Open Source Code of Conduct |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Angular apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for AngularJS apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for common JavaScript apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Electron apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Node apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for React apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Default SDL recommended config for all applications. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Default SDL required config for all applications. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -8,3 +11,2 @@ * Shareable config for TypeScript applications. | ||
| module.exports = { | ||
| parser: "@typescript-eslint/parser", | ||
| parserOptions: { | ||
@@ -25,2 +27,3 @@ ecmaVersion: 6, | ||
| ], | ||
| parser: "@typescript-eslint/parser", | ||
| rules: { | ||
@@ -27,0 +30,0 @@ "@typescript-eslint/no-implied-eval": "error", |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angular-bypass-sanitizer) |
@@ -0,0 +0,0 @@ # Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) |
@@ -0,0 +0,0 @@ # Do not enable SVG support in AngularJS (no-angularjs-enable-svg) |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) |
@@ -0,0 +0,0 @@ # Do not use HTTP cookies in modern applications (no-cookies) |
@@ -0,0 +0,0 @@ # Do not write to document.domain property (no-document-domain) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using document.write or document.writeln methods (no-document-write) |
@@ -0,0 +0,0 @@ # Do not enable Node.js Integration for Remote Content (no-electron-node-integration) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using jQuery html() method (no-html-method) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html) |
@@ -0,0 +0,0 @@ # Do not use insecure random functions |
@@ -19,3 +19,3 @@ # Do not use insecure URLs (no-insecure-url) | ||
| "@microsoft/sdl/no-insecure-url": ["error", { | ||
| "blacklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"], | ||
| "blocklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"], | ||
| "exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"] | ||
@@ -25,3 +25,3 @@ }] | ||
| ... overrides the internal blacklist, blocking the following URL patterns... : | ||
| ... overrides the internal blocklist, blocking the following URL patterns... : | ||
| - `http://`... | ||
@@ -37,3 +37,3 @@ - `ftp://`... | ||
| URLs in neither the blacklist nor the exceptions list, are allowed: | ||
| URLs in neither the blocklist nor the exceptions list, are allowed: | ||
| - `telnet://`... | ||
@@ -40,0 +40,0 @@ - `ws://`... |
| # Do not bypass script injection validation (no-msapp-exec-unsafe) | ||
| Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided. |
| # Do not use * as target origin when sending data to other windows (no-postmessage-star-origin) | ||
| Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |
@@ -0,0 +0,0 @@ # Do not allocate uninitialized buffers in Node.js (no-unsafe-alloc) |
| # Do not set HTML using unsafe methods from WinJS.Utilities (no-winjs-html-unsafe) | ||
| Calls to [`setInnerHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)), [`setOuterHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211698(v=win.10)) or [`insertAdjacentHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br229832(v=win.10)) methods from [Windows Library for JavaScript](https://docs.microsoft.com/en-us/previous-versions/windows/apps/mt502392(v=win.10)) do not perform input validation and should be avoided. Use alternate methods such as [`setInnerHTML`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. |
@@ -0,0 +0,0 @@ # An iframe element is missing a sandbox attribute (react-iframe-missing-sandbox) |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -28,4 +28,4 @@ // Copyright (c) Microsoft Corporation. | ||
| }, | ||
| create: function(context) { | ||
| create: function (context) { | ||
| function reportIt(node) { | ||
@@ -47,3 +47,15 @@ context.report({ | ||
| "CallExpression[arguments!=''][callee.object.name='$sceDelegate'][callee.property.name='trustAs']": reportIt, | ||
| "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]": reportIt | ||
| "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]"(node) { | ||
| // Known false positives | ||
| if ( | ||
| node.arguments | ||
| && node.arguments.length === 1 | ||
| && node.arguments[0].type === "Literal" | ||
| && node.arguments[0].value === "" | ||
| ) { | ||
| return; | ||
| } | ||
| return reportIt(node); | ||
| } | ||
| }; | ||
@@ -53,2 +65,2 @@ } | ||
| // TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist | ||
| // TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -35,7 +35,18 @@ // Copyright (c) Microsoft Corporation. | ||
| // - Improve rule with type information from TypeScript parser | ||
| // - Consider ignoring all Literals? | ||
| "CallExpression[arguments.length=1] > MemberExpression.callee[property.name='html']"(node) { | ||
| // Known false positives | ||
| if ( | ||
| // element.html("") | ||
| node.parent.arguments[0].type === "Literal" | ||
| && ( | ||
| node.parent.arguments[0].value === "" | ||
| || node.parent.arguments[0].value === null | ||
| ) | ||
| ) { | ||
| return; | ||
| } | ||
| context.report( | ||
| { | ||
| node: node, | ||
| node: node, | ||
| messageId: "default" | ||
@@ -42,0 +53,0 @@ }); |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -70,3 +70,3 @@ // Copyright (c) Microsoft Corporation. | ||
| }else{ | ||
| notFalsePositive = node.object.name === 'Math' | ||
| notFalsePositive = node.object.name === 'Math'; | ||
| } | ||
@@ -73,0 +73,0 @@ |
@@ -13,3 +13,3 @@ // Copyright (c) Microsoft Corporation. | ||
| //------------------------------------------------------------------------------ | ||
| const DEFAULT_BLACKLIST = [ | ||
| const DEFAULT_BLOCKLIST = [ | ||
| /^(ftp|http|telnet|ws):\/\//i | ||
@@ -24,3 +24,3 @@ ]; | ||
| module.exports = { | ||
| defaultBlacklist: DEFAULT_BLACKLIST, | ||
| defaultBlocklist: DEFAULT_BLOCKLIST, | ||
| defaultExceptions: DEFAULT_EXCEPTIONS, | ||
@@ -34,3 +34,3 @@ meta: { | ||
| properties: { | ||
| blacklist: { | ||
| blocklist: { | ||
| type: "array", | ||
@@ -62,3 +62,3 @@ items: { | ||
| const options = context.options[0] || {}; | ||
| const blacklist = (options.blacklist || DEFAULT_BLACKLIST).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
| const blocklist = (options.blocklist || DEFAULT_BLOCKLIST).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
| const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
@@ -73,3 +73,3 @@ | ||
| if (typeof node.value === "string") { | ||
| if (matches(blacklist, node.value) && !matches(exceptions, node.value)) { | ||
| if (matches(blocklist, node.value) && !matches(exceptions, node.value)) { | ||
| context.report({ | ||
@@ -87,4 +87,4 @@ node: node, | ||
| if ((matches(blacklist, rawStringText) && !matches(exceptions, rawStringText)) || | ||
| (matches(blacklist, cookedStringText) && !matches(exceptions, cookedStringText))) { | ||
| if ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) || | ||
| (matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) { | ||
| context.report({ | ||
@@ -91,0 +91,0 @@ node: node, |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
| { | ||
| "name": "@microsoft/eslint-plugin-sdl", | ||
| "version": "0.1.5", | ||
| "version": "0.1.6", | ||
| "description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)", | ||
@@ -26,3 +26,3 @@ "keywords": [ | ||
| "eslint": "^7.1.0", | ||
| "mocha": "^7.2.0", | ||
| "mocha": "^8.3.2", | ||
| "typescript": "^3.9.7" | ||
@@ -29,0 +29,0 @@ }, |
| # eslint-plugin-sdl | ||
|  | ||
|  | ||
@@ -3,0 +5,0 @@ [ESLint Plugin](https://eslint.org/docs/developer-guide/working-with-plugins) focused on common security issues and misconfigurations. |
@@ -0,0 +0,0 @@ <!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK --> |
Sorry, the diff of this file is not supported yet
Improved metrics
- Lines of code
- increased by1.22%
1157
- Number of lines in readme file
- increased by2.99%
69
Worsened metrics
- Total package byte prevSize
- decreased by-6.47%
71400
- Number of package files
- decreased by-7.41%
50