"use strict";
/**
 * TypeScript's `__extends` emit helper: wires `derived` up as a subclass of `base`.
 * Reuses an already-defined helper on `this` when one exists, otherwise builds one.
 * Static members are copied via Object.setPrototypeOf, the legacy __proto__ setter,
 * or an own-property copy, whichever the runtime supports.
 */
var __extends = (this && this.__extends) || (function () {
    var extendStatics;
    if (Object.setPrototypeOf) {
        extendStatics = Object.setPrototypeOf;
    } else if ({ __proto__: [] } instanceof Array) {
        extendStatics = function (derived, base) { derived.__proto__ = base; };
    } else {
        extendStatics = function (derived, base) {
            for (var key in base) {
                if (base.hasOwnProperty(key)) {
                    derived[key] = base[key];
                }
            }
        };
    }
    return function (derived, base) {
        extendStatics(derived, base);
        // Bridge constructor so derived.prototype gets base.prototype as its [[Prototype]]
        // without invoking base's constructor.
        function Bridge() { this.constructor = derived; }
        if (base === null) {
            derived.prototype = Object.create(base);
        } else {
            Bridge.prototype = base.prototype;
            derived.prototype = new Bridge();
        }
    };
})();
|
// Marks this CommonJS output as a transpiled ES module so importers see a real default/named split.
Object.defineProperty(exports, "__esModule", { value: true });
// TypeScript compiler API: provides LanguageVariant and SyntaxKind used by the rule and walker below.
var ts = require("typescript");
// tslint rule base class (Lint.Rules.AbstractRule).
var Lint = require("tslint");
// Project walker base that tolerates syntax errors while visiting the AST.
var ErrorTolerantWalker_1 = require("./utils/ErrorTolerantWalker");
|
// Failure messages emitted by the walker. FAILURE_INVALID_ENTRY is a prefix: the
// offending sandbox token is appended to it at report time.
var FAILURE_NOT_FOUND = 'An iframe element requires a sandbox attribute';
var FAILURE_INVALID_ENTRY = 'An iframe element defines an invalid sandbox attribute: ';
var FAILURE_INVALID_COMBINATION = 'An iframe element defines a sandbox with both allow-scripts and allow-same-origin';
// Sandbox tokens this rule accepts (compared exact-case). The empty string is
// included so that sandbox="" (the most restrictive form) and doubled separators
// pass. Any token not in this list is reported as an invalid entry, even if a
// browser would accept it; keep the list in sync with the tokens you want to allow.
var ALLOWED_VALUES = [
    '',
    'allow-forms',
    'allow-modals',
    'allow-orientation-lock',
    'allow-pointer-lock',
    'allow-popups',
    'allow-popups-to-escape-sandbox',
    'allow-same-origin',
    'allow-scripts',
    'allow-top-navigation'
];
|
/**
 * tslint rule entry point for `react-iframe-missing-sandbox`.
 * Delegates the actual checks to ReactIframeMissingSandboxRuleWalker; non-JSX
 * source files cannot contain <iframe> elements and produce no failures.
 */
var Rule = (function (_super) {
    __extends(Rule, _super);
    function Rule() {
        return _super !== null && _super.apply(this, arguments) || this;
    }
    /**
     * @param sourceFile The TypeScript source file being linted.
     * @returns The rule failures found by the walker, or an empty array for non-JSX files.
     */
    Rule.prototype.apply = function (sourceFile) {
        // Guard clause: only JSX/TSX files are walked.
        if (sourceFile.languageVariant !== ts.LanguageVariant.JSX) {
            return [];
        }
        var walker = new ReactIframeMissingSandboxRuleWalker(sourceFile, this.getOptions());
        return this.applyWithWalker(walker);
    };
    // Rule metadata consumed by tslint and the project's documentation generator.
    // commonWeaknessEnumeration is the CWE id the project associates with this rule.
    Rule.metadata = {
        ruleName: 'react-iframe-missing-sandbox',
        type: 'functionality',
        description: 'React iframes must specify a sandbox attribute',
        options: null,
        optionsDescription: '',
        typescriptOnly: true,
        issueClass: 'SDL',
        issueType: 'Error',
        severity: 'Critical',
        level: 'Opportunity for Excellence',
        group: 'Security',
        commonWeaknessEnumeration: '915'
    };
    return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;
|
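/**
 * AST walker that reports <iframe> JSX elements which lack a sandbox attribute,
 * declare an unknown sandbox token, or combine allow-scripts with allow-same-origin
 * (a combination that lets framed content remove its own sandbox).
 */
var ReactIframeMissingSandboxRuleWalker = (function (_super) {
    __extends(ReactIframeMissingSandboxRuleWalker, _super);
    function ReactIframeMissingSandboxRuleWalker() {
        return _super !== null && _super.apply(this, arguments) || this;
    }
    /** @param node A JSX element with separate opening and closing tags. */
    ReactIframeMissingSandboxRuleWalker.prototype.visitJsxElement = function (node) {
        this.handleJsxOpeningElement(node.openingElement);
        _super.prototype.visitJsxElement.call(this, node);
    };
    /** @param node A self-closing JSX element (`<iframe ... />`). */
    ReactIframeMissingSandboxRuleWalker.prototype.visitJsxSelfClosingElement = function (node) {
        this.handleJsxOpeningElement(node);
        _super.prototype.visitJsxSelfClosingElement.call(this, node);
    };
    /**
     * Checks one opening/self-closing element for a sandbox attribute.
     * @param node The JSX opening element (or self-closing element) to inspect.
     */
    ReactIframeMissingSandboxRuleWalker.prototype.handleJsxOpeningElement = function (node) {
        if (node.tagName.getText() !== 'iframe') {
            return;
        }
        var properties = node.attributes.properties;
        var sandboxAttributeFound = false;
        for (var i = 0; i < properties.length; i++) {
            var attribute = properties[i];
            // Spread attributes ({...props}) are skipped: whether they carry a sandbox
            // cannot be determined statically, so such an iframe is still reported as missing it.
            if (attribute.kind !== ts.SyntaxKind.JsxAttribute) {
                continue;
            }
            if (attribute.name.text !== 'sandbox') {
                continue;
            }
            sandboxAttributeFound = true;
            var initializer = attribute.initializer;
            // Only a plain string literal value is validated. A bare `sandbox` attribute
            // or an expression container (sandbox={...}) counts as present but is not inspected.
            if (initializer != null && initializer.kind === ts.SyntaxKind.StringLiteral) {
                this.validateSandboxValue(initializer);
            }
        }
        if (!sandboxAttributeFound) {
            this.addFailureAt(node.getStart(), node.getWidth(), FAILURE_NOT_FOUND);
        }
    };
    /**
     * Validates the tokens of a string-literal sandbox value.
     * Reports each token not in ALLOWED_VALUES, and reports once more when both
     * allow-scripts and allow-same-origin are present.
     * @param node The StringLiteral node holding the sandbox attribute value.
     */
    ReactIframeMissingSandboxRuleWalker.prototype.validateSandboxValue = function (node) {
        // Browsers split the sandbox attribute on ASCII whitespace (space, tab, LF, FF, CR),
        // not on single spaces. Splitting on ' ' alone would report
        // "allow-scripts<TAB>allow-same-origin" as one unknown token and never reach the
        // combination check, so the same separator set is used here.
        var values = node.text.split(/[ \t\n\f\r]+/);
        var allowScripts = false;
        var allowSameOrigin = false;
        for (var i = 0; i < values.length; i++) {
            var attributeValue = values[i];
            // Allowed-list check stays exact-case: unusual casing is still flagged.
            if (ALLOWED_VALUES.indexOf(attributeValue) === -1) {
                this.addFailureAt(node.getStart(), node.getWidth(), FAILURE_INVALID_ENTRY + attributeValue);
            }
            // Sandbox keywords are matched ASCII case-insensitively by browsers, so the
            // dangerous-combination check must not be defeated by casing.
            var normalized = attributeValue.toLowerCase();
            if (normalized === 'allow-scripts') {
                allowScripts = true;
            } else if (normalized === 'allow-same-origin') {
                allowSameOrigin = true;
            }
        }
        if (allowScripts && allowSameOrigin) {
            this.addFailureAt(node.getStart(), node.getWidth(), FAILURE_INVALID_COMBINATION);
        }
    };
    return ReactIframeMissingSandboxRuleWalker;
}(ErrorTolerantWalker_1.ErrorTolerantWalker));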
|