Comparing version 0.2.0 to 0.2.2

7

config/react.js

@@ -11,2 +11,7 @@ // Copyright (c) Microsoft Corporation.

module.exports = {
parserOptions: {
ecmaFeatures: {
jsx: true,
},
},
plugins: [

@@ -27,2 +32,2 @@ "react",

}
}
}

14

docs/rules/no-insecure-url.md

@@ -9,5 +9,6 @@ # Do not use insecure URLs (no-insecure-url)

## Options
This rule comes with two [default lists](../../lib/rules/no-insecure-url.js#L13):
- **blacklist** - a RegEx list of insecure URL patterns.
This rule comes with three [default lists](../../lib/rules/no-insecure-url.js#L13):
- **blocklist** - a RegEx list of insecure URL patterns.
- **exceptions** - a RegEx list of common false positive patterns. For example, HTTP URLs to XML schemas are usually allowed as they are used as identifiers, not for establishing actual network connections.
- **varExceptions** - a RegEx list of false positive patterns which a derivated from the variable name. For example, a variable that is called "insecureURL" which is used to test HTTP explicitly.

@@ -21,3 +22,4 @@ These lists can be overrided by providing options.

"blocklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"],
"exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"]
"exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"],
"varExceptions": ["insecure?.*"]
}]

@@ -35,4 +37,8 @@ ```

- `http://schemas.microsoft.com/path/subpath`
- ...
... and also overrides the internal variable exceptions list, allowing the following declaration name patterns as exceptions.:
- `var insecureURL = "http://..."`
- `var insecureWebsite = "http://..."`
- ...
URLs in neither the blocklist nor the exceptions list, are allowed:

@@ -39,0 +45,0 @@ - `telnet://`...

@@ -20,8 +20,13 @@ // Copyright (c) Microsoft Corporation.

/^http:(\/\/|\\u002f\\u002f)schemas\.openxmlformats\.org(\/\/|\\u002f\\u002f)?.*/i,
/^http:(\/|\\u002f){2}localhost(:|\/|\\u002f)*/i
/^http:(\/|\\u002f){2}localhost(:|\/|\\u002f)*/i,
/^http:(\/\/)www\.w3\.org\/1999\/xhtml/i,
/^http:(\/\/)www\.w3\.org\/2000\/svg/i
];
const DEFAULT_VARIABLES_EXECEPTIONS = [];
module.exports = {
defaultBlocklist: DEFAULT_BLOCKLIST,
defaultExceptions: DEFAULT_EXCEPTIONS,
defaultVarExecptions: DEFAULT_VARIABLES_EXECEPTIONS,
meta: {

@@ -46,2 +51,8 @@ type: "suggestion",

},
varExceptions: {
type: "array",
items: {
type: "string"
}
},
},

@@ -64,2 +75,3 @@ additionalProperties: false

const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });
const varExceptions = (options.varExceptions || DEFAULT_VARIABLES_EXECEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });

@@ -70,2 +82,12 @@ function matches(patterns, value) {

function shouldFix( varExceptions,context, node) {
let sourceCode = context.getSourceCode();
// check variable for unfixable pattern e.g. `var insecureURL = "http://..."`
let text = node.parent
? sourceCode.getText(node.parent)
: sourceCode.getText(node);
// if no match, fix the line
return !matches(varExceptions,text);
}
return {

@@ -79,7 +101,15 @@ "Literal"(node) {

}
else if (matches(blocklist, node.value) && !matches(exceptions, node.value)) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
else if (matches(blocklist, node.value) && !matches(exceptions, node.value) && shouldFix(varExceptions,context, node)) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl",
fix(fixer) {
// Only fix if it contains an http url
if (node.value.toLowerCase().includes("http")) {
let fixedString = node.value.replace(/http:/i, "https:");
//insert an "s" before ":/" to change http:/ to https:/
return fixer.replaceText(node, JSON.stringify(fixedString));
}
},
});
}

@@ -93,13 +123,24 @@ }

if ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
(matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
}
}
}
if (shouldFix(varExceptions,context, node) && (matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
(matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl",
fix(fixer) {
// Only fix if it contains an http url
if (node.value.raw.toLowerCase().includes("http")) {
let escapedString = JSON.stringify(context.getSourceCode().getText(node));
// delete "" that JSON.stringify created and convert to `` string
escapedString = ``+ escapedString.substring(1, escapedString.length-1);
let fixedString = escapedString.replace(/http:/i, "https:");
//insert an "s" before ":/" to change http:/ to https:/
return fixer.replaceText(node, fixedString);
}
}
});
}
}
},
};
},
};
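Review bot: The new condition at the top of the TemplateElement hunk (the `if (shouldFix(varExceptions,context, node) && (matches(blocklist, rawStringText) ...` line) is missing a pair of parentheses: `&&` binds tighter than `||`, so `shouldFix(...)` guards only the raw-text branch and a cooked-text match is reported regardless of `varExceptions`, unlike the Literal handler in the previous hunk where `shouldFix` gates the whole report. The fixer in the same hunk also round-trips the element's source text through `JSON.stringify`, which escapes backslashes a second time (a `\\` or `\n` escape already present in the template source comes back as `\\\\` or `\\n`, so the template's cooked value changes after the fix); `getText(node)` is already source text, so a plain `replace(/http:/i, "https:")` on it is all that is needed, and the empty template literal concatenated on the front is a no-op. Both fixers run under `--fix`, and rewriting `http:` to `https:` changes runtime behaviour for hosts that do not serve TLS, so a `suggest` entry (with `meta.hasSuggestions`) would be the safer shape for a security rule; `meta.fixable` is also not visible in these hunks and must be set for ESLint to accept a fix. The enclosing handler starts outside the hunk.
```javascript
if (shouldFix(varExceptions, context, node) &&
    ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
     (matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText)))) {
  context.report({
    node: node,
    messageId: "doNotUseInsecureUrl",
    fix(fixer) {
      // Only fix if it contains an http url
      if (node.value.raw.toLowerCase().includes("http")) {
        // getText() is already escaped source text; change only the scheme and put it back as-is
        const sourceText = context.getSourceCode().getText(node);
        return fixer.replaceText(node, sourceText.replace(/http:/i, "https:"));
      }
    }
  });
}
```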
{
"name": "@microsoft/eslint-plugin-sdl",
"version": "0.2.0",
"version": "0.2.2",
"description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)",

@@ -25,3 +25,3 @@ "keywords": [

"eslint-plugin-security": "1.4.0",
"eslint-plugin-react": "7.24.0"
"eslint-plugin-react": "7.33.0"
},

@@ -35,2 +35,5 @@ "devDependencies": {

},
"peerDependencies": {
"eslint": "^4.19.1 || ^5 || ^6 || ^7 || ^8"
},
"engines": {

@@ -37,0 +40,0 @@ "node": ">=0.10.0"

@@ -9,4 +9,41 @@ # eslint-plugin-sdl

## Installation
```sh
npm install microsoft/eslint-plugin-sdl
```
or
```sh
yarn add microsoft/eslint-plugin-sdl
```
## Usage
When you run npm install within your project's root folder, the plugin will be added automatically to your package.json and package-lock.json files. You can also add the plugin to your package.json file manually by specifying the name and version number in the dependencies section like so:
```sh
"dependencies": {
"@microsoft/eslint-plugin-sdl": "^0.1.9"
}
```
Run npm install within your root folder to install everything listed in the dependencies section of package.json. If the plugin is listed in your package.json dependencies, eslint will enforce all plugin rules using default settings.
## Configs
Including an eslint configuration file in your project allows you to customize how eslint applies rules to your project. If you are using an .eslintrc file, you can include the plugin by adding:
```sh
plugins: ["@microsoft/eslint-plugin-sdl"]
```
Eslint will then only enforce rules you specify in the rules section of your .eslintrc file at the severity level you designate. The severity level options are 0 (no error), 1 (warning), and 2 (error). For example:
```sh
rules: {
"no-eval": 2,
"@microsoft/sdl/no-inner-html": 2
}
```
You can also used the below Shareable config files as guidelines depending on the type of project.
Plugin is shipped with following [Shareable Configs](http://eslint.org/docs/developer-guide/shareable-configs):

@@ -13,0 +50,0 @@
