diff --git a/lib/rules/no-angular-sanitization-trusted-urls.js b/lib/rules/no-angular-sanitization-trusted-urls.js
new file mode 100644
index 0000000..d2a7503
--- /dev/null
+++ b/lib/rules/no-angular-sanitization-trusted-urls.js
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @fileoverview Rule to disallow modifying sanitization allowed url list in AngularJS. Update fron the deprecate SanitizationWhitelist
+ * @author Vivien Flouirac
+ */
+
+ "use strict";
+
+ //------------------------------------------------------------------------------
+ // Rule Definition
+ //------------------------------------------------------------------------------
+ module.exports = {
+ meta: {
+ type: "suggestion",
+ fixable: "code",
+ schema: [],
+ docs: {
+ category: "Security",
+ description: "Calls to [`$compileProvider.aHrefSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList) configure allowed Url list in AngularJS sanitizer and need to be reviewed.",
+ url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angular-sanitization-trusted-urls.md"
+ },
+ messages: {
+ noSanitizationTrustedUrls: "Do not modify the trusted Urls list in AngularJS"
+ }
+ },
+ create: function(context) {
+ return {
+ "CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationTrustedUrlList/]"(node) {
+ context.report(
+ {
+ node: node,
+ messageId: "noSanitizationTrustedUrls"
+ });
+ }
+ };
+ }
+ };
\ No newline at end of file
diff --git a/lib/rules/no-angularjs-sanitization-whitelist.js b/lib/rules/no-angularjs-sanitization-whitelist.js
index dcbfa98..be2fd78 100644
--- a/lib/rules/no-angularjs-sanitization-whitelist.js
+++ b/lib/rules/no-angularjs-sanitization-whitelist.js
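Review bot: `fixable: "code"` in `meta` is declared, but `create()` only calls `context.report` and never supplies a `fix` function, so the rule advertises an autofix that does not exist; drop the `fixable: "code",` line (a security rule that demands human review of the trusted list should not be autofixable anyway). The selector guard `[arguments!='']` appears to work only because esquery stringifies the `arguments` array before comparing it with `''`; `[arguments.length>0]` states the intent directly and is the conventional form. Because the match is on `callee.object.name='$compileProvider'`, a call through an alias (`config(function (cp) { cp.aHrefSanitizationTrustedUrlList(/.*/); })`) or via bracket access is not reported, which is worth a sentence in `description` so a clean lint is not read as proof the trusted-URL list is untouched. The `@fileoverview` has typos — `Update fron the deprecate SanitizationWhitelist` → `Updated from the deprecated SanitizationWhitelist` — and the new file is named `no-angular-…` while its sibling is `no-angularjs-…`.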
@@ -25,14 +25,14 @@ module.exports = {
 noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS"
 }
 },
- create: function(context) {
+ create: function (context) {
 return {
 "CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"(node) {
 context.report(
- {
- node: node,
- messageId: "noSanitizationWhitelist"
- });
+ {
+ node: node,
+ messageId: "noSanitizationWhitelist"
+ });
 }
 };
 }
diff --git a/tests/lib/rules/no-angular-sanitization-trusted-urls.js b/tests/lib/rules/no-angular-sanitization-trusted-urls.js
new file mode 100644
index 0000000..7d3dddc
--- /dev/null
+++ b/tests/lib/rules/no-angular-sanitization-trusted-urls.js
@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+const path = require("path");
+const ruleId = path.parse(__filename).name;
+const rule = require(path.join('../../../lib/rules/', ruleId));
+const RuleTester = require("eslint").RuleTester;
+var ruleTester = new RuleTester();
+
+ruleTester.run(ruleId, rule, {
+ valid: [
+ "aHrefSanitizationTrustedUrlList ('.*')",
+ "x.aHrefSanitizationTrustedUrlList ('.*')",
+ "$compileProvider.aHrefSanitizationTrustedUrlList ()",
+ "$compileProvider.AHrefSanitizationTrustedUrlList ('.*')"
+ ],
+ invalid: [
+ {
+ code: "$compileProvider.aHrefSanitizationTrustedUrlList ('.*');",
+ errors: [
+ {
+ messageId: "noSanitizationTrustedUrls",
+ line: 1,
+ endLine: 1,
+ column: 1,
+ endColumn: 56
+ }
+ ]
+ },
+ {
+ code: "$compileProvider.imgSrcSanitizationTrustedUrlList('.*');",
+ errors: [
+ {
+ messageId: "noSanitizationTrustedUrls",
+ line: 1,
+ endLine: 1,
+ column: 1,
+ endColumn: 56
+ }
+ ]
+ }
+ ]
+});
\ No newline at end of file
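Review bot: The test file does not pin down the rule's known blind spots — `$compileProvider['aHrefSanitizationTrustedUrlList']('.*')` and a call through an aliased provider both go unreported, and listing one of each under `valid` would record that this is an accepted limitation rather than an oversight. The `invalid` cases only pass string arguments, whereas AngularJS documents a regexp argument for these setters; an entry such as `code: "$compileProvider.aHrefSanitizationTrustedUrlList(/.*/);"` would show the rule fires on the form real configs use. Minor style point: `var ruleTester = new RuleTester();` should be `const ruleTester = new RuleTester();`, matching the `const` declarations directly above it.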