Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dev/vflouirac/update no angularjs sanitization whitelist #31

Merged
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions lib/rules/no-angular-sanitization-trusted-urls.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

/**
* @fileoverview Rule to disallow modifying sanitization allowed url list in AngularJS. Update fron the deprecate SanitizationWhitelist
* @author Vivien Flouirac
*/

"use strict";

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description: "Calls to [`$compileProvider.aHrefSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList) configure allowed Url list in AngularJS sanitizer and need to be reviewed.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angular-sanitization-trusted-urls.md"
},
messages: {
noSanitizationTrustedUrls: "Do not modify the trusted Urls list in AngularJS"
}
},
create: function(context) {
return {
"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationTrustedUrlList/]"(node) {
context.report(
{
node: node,
messageId: "noSanitizationTrustedUrls"
});
}
};
}
};
60 changes: 30 additions & 30 deletions lib/rules/no-angularjs-sanitization-whitelist.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,34 +6,34 @@
* @author Antonios Katopodis
*/

"use strict";
"use strict";

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description: "Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-sanitization-whitelist.md"
},
messages: {
noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS"
}
},
create: function(context) {
return {
"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"(node) {
context.report(
{
node: node,
messageId: "noSanitizationWhitelist"
});
}
};
}
};
//------------------------------------------------------------------------------
Vflouirac marked this conversation as resolved.
Show resolved Hide resolved
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description: "Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-sanitization-whitelist.md"
},
messages: {
noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS"
}
},
create: function(context) {
return {
"CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"(node) {
context.report(
{
node: node,
messageId: "noSanitizationWhitelist"
});
}
};
}
};
43 changes: 43 additions & 0 deletions tests/lib/rules/no-angular-sanitization-trusted-urls.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

const path = require("path");
const ruleId = path.parse(__filename).name;
const rule = require(path.join('../../../lib/rules/', ruleId));
const RuleTester = require("eslint").RuleTester;
var ruleTester = new RuleTester();

ruleTester.run(ruleId, rule, {
valid: [
"aHrefSanitizationTrustedUrlList ('.*')",
"x.aHrefSanitizationTrustedUrlList ('.*')",
"$compileProvider.aHrefSanitizationTrustedUrlList ()",
"$compileProvider.aHrefSanitizationTrustedUrlList ('.*')"
],
invalid: [
{
code: "$compileProvider.aHrefSanitizationTrustedUrlList ('.*');",
errors: [
{
messageId: "noSanitizationTrustedUrls",
line: 1,
endLine: 1,
column: 1,
endColumn: 50
}
]
},
{
code: "$compileProvider.imgSrcSanitizationTrustedUrlList('.*');",
errors: [
{
messageId: "noSanitizationTrustedUrls",
line: 1,
endLine: 1,
column: 1,
endColumn: 51
}
]
}
]
});