@microsoft/eslint-plugin-sdl
Advanced tools
@microsoft/eslint-plugin-sdl - npm Package Compare versions
Comparing version 0.1.5 to 0.1.6
@@ -0,0 +0,0 @@ # Microsoft Open Source Code of Conduct |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Angular apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for AngularJS apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for common JavaScript apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Electron apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for Node apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Shareable config for React apps. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Default SDL recommended config for all applications. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -2,0 +5,0 @@ * Default SDL required config for all applications. |
@@ -0,1 +1,4 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
| /** | ||
@@ -8,3 +11,2 @@ * Shareable config for TypeScript applications. | ||
| module.exports = { | ||
| parser: "@typescript-eslint/parser", | ||
| parserOptions: { | ||
@@ -25,2 +27,3 @@ ecmaVersion: 6, | ||
| ], | ||
| parser: "@typescript-eslint/parser", | ||
| rules: { | ||
@@ -27,0 +30,0 @@ "@typescript-eslint/no-implied-eval": "error", |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angular-bypass-sanitizer) |
@@ -0,0 +0,0 @@ # Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) |
@@ -0,0 +0,0 @@ # Do not enable SVG support in AngularJS (no-angularjs-enable-svg) |
@@ -0,0 +0,0 @@ # Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) |
@@ -0,0 +0,0 @@ # Do not use HTTP cookies in modern applications (no-cookies) |
@@ -0,0 +0,0 @@ # Do not write to document.domain property (no-document-domain) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using document.write or document.writeln methods (no-document-write) |
@@ -0,0 +0,0 @@ # Do not enable Node.js Integration for Remote Content (no-electron-node-integration) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using jQuery html() method (no-html-method) |
@@ -0,0 +0,0 @@ # Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html) |
@@ -0,0 +0,0 @@ # Do not use insecure random functions |
@@ -19,3 +19,3 @@ # Do not use insecure URLs (no-insecure-url) | ||
| "@microsoft/sdl/no-insecure-url": ["error", { | ||
| "blacklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"], | ||
| "blocklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"], | ||
| "exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"] | ||
@@ -25,3 +25,3 @@ }] | ||
| ... overrides the internal blacklist, blocking the following URL patterns... : | ||
| ... overrides the internal blocklist, blocking the following URL patterns... : | ||
| - `http://`... | ||
@@ -37,3 +37,3 @@ - `ftp://`... | ||
| URLs in neither the blacklist nor the exceptions list, are allowed: | ||
| URLs in neither the blocklist nor the exceptions list, are allowed: | ||
| - `telnet://`... | ||
@@ -40,0 +40,0 @@ - `ws://`... |
| # Do not bypass script injection validation (no-msapp-exec-unsafe) | ||
| Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided. |
| # Do not use * as target origin when sending data to other windows (no-postmessage-star-origin) | ||
| Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. |
@@ -0,0 +0,0 @@ # Do not allocate uninitialized buffers in Node.js (no-unsafe-alloc) |
| # Do not set HTML using unsafe methods from WinJS.Utilities (no-winjs-html-unsafe) | ||
| Calls to [`setInnerHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)), [`setOuterHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211698(v=win.10)) or [`insertAdjacentHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br229832(v=win.10)) methods from [Windows Library for JavaScript](https://docs.microsoft.com/en-us/previous-versions/windows/apps/mt502392(v=win.10)) do not perform input validation and should be avoided. Use alternate methods such as [`setInnerHTML`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. |
@@ -0,0 +0,0 @@ # An iframe element is missing a sandbox attribute (react-iframe-missing-sandbox) |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -28,4 +28,4 @@ // Copyright (c) Microsoft Corporation. | ||
| }, | ||
| create: function(context) { | ||
| create: function (context) { | ||
| function reportIt(node) { | ||
@@ -47,3 +47,15 @@ context.report({ | ||
| "CallExpression[arguments!=''][callee.object.name='$sceDelegate'][callee.property.name='trustAs']": reportIt, | ||
| "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]": reportIt | ||
| "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]"(node) { | ||
| // Known false positives | ||
| if ( | ||
| node.arguments | ||
| && node.arguments.length === 1 | ||
| && node.arguments[0].type === "Literal" | ||
| && node.arguments[0].value === "" | ||
| ) { | ||
| return; | ||
| } | ||
| return reportIt(node); | ||
| } | ||
| }; | ||
@@ -53,2 +65,2 @@ } | ||
| // TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist | ||
| // TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -35,7 +35,18 @@ // Copyright (c) Microsoft Corporation. | ||
| // - Improve rule with type information from TypeScript parser | ||
| // - Consider ignoring all Literals? | ||
| "CallExpression[arguments.length=1] > MemberExpression.callee[property.name='html']"(node) { | ||
| // Known false positives | ||
| if ( | ||
| // element.html("") | ||
| node.parent.arguments[0].type === "Literal" | ||
| && ( | ||
| node.parent.arguments[0].value === "" | ||
| || node.parent.arguments[0].value === null | ||
| ) | ||
| ) { | ||
| return; | ||
| } | ||
| context.report( | ||
| { | ||
| node: node, | ||
| node: node, | ||
| messageId: "default" | ||
@@ -42,0 +53,0 @@ }); |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -70,3 +70,3 @@ // Copyright (c) Microsoft Corporation. | ||
| }else{ | ||
| notFalsePositive = node.object.name === 'Math' | ||
| notFalsePositive = node.object.name === 'Math'; | ||
| } | ||
@@ -73,0 +73,0 @@ |
@@ -13,3 +13,3 @@ // Copyright (c) Microsoft Corporation. | ||
| //------------------------------------------------------------------------------ | ||
| const DEFAULT_BLACKLIST = [ | ||
| const DEFAULT_BLOCKLIST = [ | ||
| /^(ftp|http|telnet|ws):\/\//i | ||
@@ -24,3 +24,3 @@ ]; | ||
| module.exports = { | ||
| defaultBlacklist: DEFAULT_BLACKLIST, | ||
| defaultBlocklist: DEFAULT_BLOCKLIST, | ||
| defaultExceptions: DEFAULT_EXCEPTIONS, | ||
@@ -34,3 +34,3 @@ meta: { | ||
| properties: { | ||
| blacklist: { | ||
| blocklist: { | ||
| type: "array", | ||
@@ -62,3 +62,3 @@ items: { | ||
| const options = context.options[0] || {}; | ||
| const blacklist = (options.blacklist || DEFAULT_BLACKLIST).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
| const blocklist = (options.blocklist || DEFAULT_BLOCKLIST).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
| const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); }); | ||
@@ -73,3 +73,3 @@ | ||
| if (typeof node.value === "string") { | ||
| if (matches(blacklist, node.value) && !matches(exceptions, node.value)) { | ||
| if (matches(blocklist, node.value) && !matches(exceptions, node.value)) { | ||
| context.report({ | ||
@@ -87,4 +87,4 @@ node: node, | ||
| if ((matches(blacklist, rawStringText) && !matches(exceptions, rawStringText)) || | ||
| (matches(blacklist, cookedStringText) && !matches(exceptions, cookedStringText))) { | ||
| if ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) || | ||
| (matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) { | ||
| context.report({ | ||
@@ -91,0 +91,0 @@ node: node, |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
@@ -0,0 +0,0 @@ // Copyright (c) Microsoft Corporation. |
| { | ||
| "name": "@microsoft/eslint-plugin-sdl", | ||
| "version": "0.1.5", | ||
| "version": "0.1.6", | ||
| "description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)", | ||
@@ -26,3 +26,3 @@ "keywords": [ | ||
| "eslint": "^7.1.0", | ||
| "mocha": "^7.2.0", | ||
| "mocha": "^8.3.2", | ||
| "typescript": "^3.9.7" | ||
@@ -29,0 +29,0 @@ }, |
| # eslint-plugin-sdl | ||
|  | ||
|  | ||
@@ -3,0 +5,0 @@ [ESLint Plugin](https://eslint.org/docs/developer-guide/working-with-plugins) focused on common security issues and misconfigurations. |
@@ -0,0 +0,0 @@ <!-- BEGIN MICROSOFT SECURITY.MD V0.0.5 BLOCK --> |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Lines of code
- increased by1.22%
1157
- Number of lines in readme file
- increased by2.99%
69
Worsened metrics
- Total package byte prevSize
- decreased by-6.47%
71400
- Number of package files
- decreased by-7.41%
50