Merge pull request #31 from microsoft/dev/vflouirac/update-no-angular…
…js-sanitization-whitelist

Dev/vflouirac/update no angularjs sanitization whitelist
Vflouirac authored Mar 29, 2022
2 parents 6a3c294 + 37665cb commit 059c5f2
Showing 3 changed files with 87 additions and 5 deletions.
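--- a/lib/rules/no-angular-sanitization-trusted-urls.js
+++ b/lib/rules/no-angular-sanitization-trusted-urls.js
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+* @fileoverview Rule to disallow modifying sanitization allowed url list in AngularJS. Update fron the deprecate SanitizationWhitelist
+* @author Vivien Flouirac
+*/
+
+"use strict";
+
+//------------------------------------------------------------------------------
+// Rule Definition
+//------------------------------------------------------------------------------
+module.exports = {
+meta: {
+type: "suggestion",
+fixable: "code",
+schema: [],
+docs: {
+category: "Security",
+description: "Calls to [`$compileProvider.aHrefSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList) configure allowed Url list in AngularJS sanitizer and need to be reviewed.",
+url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angular-sanitization-trusted-urls.md"
+},
+messages: {
+noSanitizationTrustedUrls: "Do not modify the trusted Urls list in AngularJS"
+}
+},
+create: function(context) {
+return {
+"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationTrustedUrlList/]"(node) {
+context.report(
+{
+node: node,
+messageId: "noSanitizationTrustedUrls"
+});
+}
+};
+}
+};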
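Review bot: `fixable: "code"` is declared in `meta`, but the `context.report` call passes no `fix`, so the rule advertises an autofix it never provides; remove the `fixable: "code",` line. The commit lists three changed files, and none of them is a plugin index, a config or the `docs/rules/no-angular-sanitization-trusted-urls.md` page that `docs.url` points to, so the rule presumably still has to be registered and documented elsewhere before it runs for consumers — worth confirming. The `@fileoverview` sentence has typos and should read `Update from the deprecated SanitizationWhitelist`.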
10 changes: 5 additions & 5 deletions lib/rules/no-angularjs-sanitization-whitelist.js
Expand Up @@ -25,14 +25,14 @@ module.exports = {
noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS"
}
},
create: function(context) {
create: function (context) {
return {
"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"(node) {
context.report(
{
node: node,
messageId: "noSanitizationWhitelist"
});
{
node: node,
messageId: "noSanitizationWhitelist"
});
}
};
}
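--- a/tests/lib/rules/no-angular-sanitization-trusted-urls.js
+++ b/tests/lib/rules/no-angular-sanitization-trusted-urls.js
@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+const path = require("path");
+const ruleId = path.parse(__filename).name;
+const rule = require(path.join('../../../lib/rules/', ruleId));
+const RuleTester = require("eslint").RuleTester;
+var ruleTester = new RuleTester();
+
+ruleTester.run(ruleId, rule, {
+valid: [
+"aHrefSanitizationTrustedUrlList ('.*')",
+"x.aHrefSanitizationTrustedUrlList ('.*')",
+"$compileProvider.aHrefSanitizationTrustedUrlList ()",
+"$compileProvider.AHrefSanitizationTrustedUrlList ('.*')"
+],
+invalid: [
+{
+code: "$compileProvider.aHrefSanitizationTrustedUrlList ('.*');",
+errors: [
+{
+messageId: "noSanitizationTrustedUrls",
+line: 1,
+endLine: 1,
+column: 1,
+endColumn: 56
+}
+]
+},
+{
+code: "$compileProvider.imgSrcSanitizationTrustedUrlList('.*');",
+errors: [
+{
+messageId: "noSanitizationTrustedUrls",
+line: 1,
+endLine: 1,
+column: 1,
+endColumn: 56
+}
+]
+}
+]
+});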
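Review bot: The second `valid` entry, `x.aHrefSanitizationTrustedUrlList ('.*')`, pins as accepted a call through a receiver that is not named `$compileProvider`, which is the shape a config block has when the provider is injected under a different parameter name, so that form goes unreported. If this is an accepted limit of the name-based selector, say so next to the case, e.g. `// known limitation: only a receiver literally named $compileProvider is matched`. Both invalid cases pass a string argument; a case that passes a regular-expression literal would cover the argument form the AngularJS API documents. `var ruleTester` could be `const ruleTester`, matching the declarations above it.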
