-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #71 from microsoft/revert-61-dev/martinkamar/retir…
…e-eol-rules Revert "Drop support for AngularJS"
- Loading branch information
Showing
12 changed files
with
340 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
"use strict"; | ||
|
||
// Generates shareable config for legacy AngularJS (https://angularjs.org/) apps. | ||
module.exports = (pluginSdl) => { | ||
return [ | ||
{ | ||
plugins: { | ||
"@microsoft/sdl": pluginSdl | ||
}, | ||
rules: { | ||
"@microsoft/sdl/no-angularjs-enable-svg": "error", | ||
"@microsoft/sdl/no-angularjs-sanitization-whitelist": "error", | ||
"@microsoft/sdl/no-angularjs-bypass-sce": "error" | ||
} | ||
} | ||
]; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) | ||
|
||
Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. | ||
|
||
SCE should be bypassed only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. | ||
|
||
See [official documentation](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) for more details. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Do not enable SVG support in AngularJS (no-angularjs-enable-svg) | ||
|
||
Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. | ||
|
||
SVG support should be enabled only in very rare and justifiable cases after careful review so that the risk of introducing Clickjacking vulnerability is minimized. | ||
|
||
See [official documentation](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) for more details about the issue. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) | ||
|
||
Calls to [$compileProvider.aHrefSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [$compileProvider.imgSrcSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. | ||
|
||
Sanitization should be disabled only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. | ||
|
||
See [official documentation](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) for more details about the issue. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
/** | ||
* @fileoverview Rule to disallow bypassing Strict Contextual Escaping (SCE) in AngularJS | ||
* @author Antonios Katopodis | ||
*/ | ||
|
||
"use strict"; | ||
|
||
module.exports = { | ||
meta: { | ||
type: "suggestion", | ||
fixable: "code", | ||
schema: [], | ||
docs: { | ||
category: "Security", | ||
description: | ||
"Calls to $sceProvider.enabled(false), $sceDelegate.trustAs(), $sce.trustAs() and relevant shorthand methods (e.g. trustAsHtml or trustAsJs) bypass Strict Contextual Escaping (SCE) in AngularJS and need to be reviewed.", | ||
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-bypass-sce.md" | ||
}, | ||
messages: { | ||
doNotBypass: "Do not bypass Strict Contextual Escaping (SCE) in AngularJS" | ||
} | ||
}, | ||
create: function (context) { | ||
function reportIt(node) { | ||
context.report({ | ||
node: node, | ||
messageId: "doNotBypass" | ||
}); | ||
} | ||
|
||
return { | ||
"CallExpression[arguments!=''][callee.object.name='$sceProvider'][callee.property.name='enabled']"( | ||
node | ||
) { | ||
// Known false positives | ||
if ( | ||
node.arguments == undefined || | ||
node.arguments.length != 1 || | ||
(node.arguments[0].type == "Literal" && /true|1/.test(node.arguments[0].value)) | ||
) { | ||
return; | ||
} | ||
return reportIt(node); | ||
}, | ||
"CallExpression[arguments!=''][callee.object.name='$sceDelegate'][callee.property.name='trustAs']": | ||
reportIt, | ||
"CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]"( | ||
node | ||
) { | ||
// Known false positives | ||
if ( | ||
node.arguments && | ||
node.arguments.length === 1 && | ||
node.arguments[0].type === "Literal" && | ||
node.arguments[0].value === "" | ||
) { | ||
return; | ||
} | ||
|
||
return reportIt(node); | ||
} | ||
}; | ||
} | ||
}; | ||
|
||
// TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
/** | ||
* @fileoverview Rule to disallow enabling SVG in AngularJS apps | ||
* @author Antonios Katopodis | ||
*/ | ||
|
||
"use strict"; | ||
|
||
module.exports = { | ||
meta: { | ||
type: "suggestion", | ||
fixable: "code", | ||
schema: [], | ||
docs: { | ||
category: "Security", | ||
description: | ||
"Calls to $sanitizeProvider.enableSvg(true) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed.", | ||
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-enable-svg.md" | ||
}, | ||
messages: { | ||
doNotEnableSVG: "Do not enable SVG support in AngularJS" | ||
} | ||
}, | ||
create: function (context) { | ||
return { | ||
"CallExpression[callee.object.name='$sanitizeProvider'][callee.property.name='enableSvg']"( | ||
node | ||
) { | ||
// Known false positives | ||
if ( | ||
(node.arguments != undefined && node.arguments.length != 1) || | ||
(node.arguments[0].type == "Literal" && | ||
(node.arguments[0].value == "false" || node.arguments[0].value == "0")) | ||
) { | ||
return; | ||
} | ||
context.report({ | ||
node: node, | ||
messageId: "doNotEnableSVG" | ||
}); | ||
} | ||
}; | ||
} | ||
}; | ||
|
||
// TODO: Add rules for $sanitizeProvider.addValidElements() and $sanitizeProvider.addValidAttrs() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
/** | ||
* @fileoverview Rule to disallow modifying sanitization whitelist in AngularJS | ||
* @author Antonios Katopodis | ||
*/ | ||
|
||
"use strict"; | ||
|
||
module.exports = { | ||
meta: { | ||
type: "suggestion", | ||
fixable: "code", | ||
schema: [], | ||
docs: { | ||
category: "Security", | ||
description: | ||
"Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed.", | ||
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-sanitization-whitelist.md" | ||
}, | ||
messages: { | ||
noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS" | ||
} | ||
}, | ||
create: function (context) { | ||
return { | ||
"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"( | ||
node | ||
) { | ||
context.report({ | ||
node: node, | ||
messageId: "noSanitizationWhitelist" | ||
}); | ||
} | ||
}; | ||
} | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
const path = require("path"); | ||
const ruleId = path.parse(__filename).name; | ||
const rule = require(path.join("../../../lib/rules/", ruleId)); | ||
const RuleTester = require("eslint").RuleTester; | ||
var ruleTester = new RuleTester(); | ||
|
||
ruleTester.run(ruleId, rule, { | ||
valid: [ | ||
"trustAsHtml()", | ||
"$sce.trustAsHtml()", | ||
"$sce.trustAsHtml('')", | ||
"$sce.TrustAsHtml('XSS')", | ||
"x.trustAsHtml('XSS')", | ||
"$sceProvider.enabled()", | ||
"$sceProvider.enabled(true)", | ||
"$sceProvider.enabled(1)" | ||
], | ||
invalid: [ | ||
{ | ||
code: "$sceDelegate.trustAs($sce.HTML, 'XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAs($sce.HTML, 'XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAsCss('XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAsHtml('XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAsJs('XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAsResourceUrl('XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sce.trustAsUrl('XSS')", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sceProvider.enabled(false)", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sceProvider.enabled(0)", | ||
errors: [{ messageId: "doNotBypass" }] | ||
}, | ||
{ | ||
code: "$sceProvider.enabled(true != true)", | ||
errors: [{ messageId: "doNotBypass" }] | ||
} | ||
] | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
const path = require("path"); | ||
const ruleId = path.parse(__filename).name; | ||
const rule = require(path.join("../../../lib/rules/", ruleId)); | ||
const RuleTester = require("eslint").RuleTester; | ||
var ruleTester = new RuleTester(); | ||
|
||
ruleTester.run(ruleId, rule, { | ||
valid: [ | ||
"enableSvg()", | ||
"enableSvg(true)", | ||
"$sanitizeProvider.enableSvg()", | ||
"$sanitizeProvider.enableSvg(false)", | ||
"$sanitizeProvider.enableSvg(0)", | ||
"$sanitizeProvider.EnableSvg(0)" | ||
], | ||
invalid: [ | ||
{ | ||
code: "$sanitizeProvider.enableSvg(true)", | ||
errors: [{ messageId: "doNotEnableSVG" }] | ||
}, | ||
{ | ||
code: "$sanitizeProvider.enableSvg(1)", | ||
errors: [{ messageId: "doNotEnableSVG" }] | ||
} | ||
] | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the MIT License. | ||
|
||
const path = require("path"); | ||
const ruleId = path.parse(__filename).name; | ||
const rule = require(path.join("../../../lib/rules/", ruleId)); | ||
const RuleTester = require("eslint").RuleTester; | ||
var ruleTester = new RuleTester(); | ||
|
||
ruleTester.run(ruleId, rule, { | ||
valid: [ | ||
"aHrefSanitizationWhitelist('.*')", | ||
"x.aHrefSanitizationWhitelist('.*')", | ||
"$compileProvider.aHrefSanitizationWhitelist()", | ||
"$compileProvider.AHrefSanitizationWhitelist('.*')" | ||
], | ||
invalid: [ | ||
{ | ||
code: "$compileProvider.aHrefSanitizationWhitelist('.*');", | ||
errors: [ | ||
{ | ||
messageId: "noSanitizationWhitelist", | ||
line: 1, | ||
endLine: 1, | ||
column: 1, | ||
endColumn: 50 | ||
} | ||
] | ||
}, | ||
{ | ||
code: "$compileProvider.imgSrcSanitizationWhitelist('.*');", | ||
errors: [ | ||
{ | ||
messageId: "noSanitizationWhitelist", | ||
line: 1, | ||
endLine: 1, | ||
column: 1, | ||
endColumn: 51 | ||
} | ||
] | ||
} | ||
] | ||
}); |