"use strict";
// TypeScript-emitted `__extends` helper for ES5 class inheritance. A copy already
// hung off `this` (the module wrapper) is reused; otherwise it is built here.
var __extends = (this && this.__extends) || (function () {
    // First call picks the best mechanism the runtime offers for making `d`
    // inherit `b`'s statics / prototype chain, then replaces itself with it.
    var extendStatics = function (d, b) {
        extendStatics = Object.setPrototypeOf ||
            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
        return extendStatics(d, b);
    }
    return function (d, b) {
        extendStatics(d, b);
        // Throwaway constructor so that d.prototype inherits from b.prototype
        // while d.prototype.constructor still refers to d.
        function __() { this.constructor = d; }
        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
    };
})();
|
// CommonJS interop marker emitted by the TypeScript compiler.
Object.defineProperty(exports, "__esModule", { value: true });
|
16 | var ts = require("typescript");
|
17 | var Lint = require("tslint");
|
18 | var tsutils = require("tsutils");
|
19 | var AstUtils_1 = require("./utils/AstUtils");
|
// Failure-message prefixes; the offending source text is appended by the walker.
// Direct DOM HTML sinks share one wording, parameterised on the property name.
var htmlPropertyWriteMessage = function (propertyName) {
    return 'Writing a string to the ' + propertyName + ' property is insecure: ';
};
var FAILURE_INNER = htmlPropertyWriteMessage('innerHTML');
var FAILURE_OUTER = htmlPropertyWriteMessage('outerHTML');
var FAILURE_HTML_LIB = 'Using the html() function to write a string to innerHTML is insecure: ';
|
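// tslint rule `no-inner-html`: flags writes to innerHTML / outerHTML and calls
// to html(...) on an object whose name matches the configured HTML-library
// pattern (default jQuery / $). Traversal lives in walk(); option parsing in
// parseOptions(). Both are module-level functions defined later in this file.
var Rule = (function (_super) {
    __extends(Rule, _super);
    function Rule() {
        return _super !== null && _super.apply(this, arguments) || this;
    }
    // tslint entry point: walk `sourceFile` with the parsed rule options and
    // return the collected failures.
    Rule.prototype.apply = function (sourceFile) {
        return this.applyWithFunction(sourceFile, walk, parseOptions(this.getOptions()));
    };
    Rule.metadata = {
        ruleName: 'no-inner-html',
        type: 'maintainability',
        description: 'Do not write values to innerHTML, outerHTML, or set HTML using the JQuery html() function.',
        // parseOptions() reads an `html-lib-matcher` argument, so the metadata
        // documents it rather than claiming the rule takes no options.
        options: {
            type: 'object',
            properties: {
                'html-lib-matcher': { type: 'string' }
            }
        },
        optionsDescription: 'Optionally pass an object with an "html-lib-matcher" string; it is compiled to a RegExp and matched against the target of html() calls (default: jQuery and $).',
        typescriptOnly: true,
        issueClass: 'SDL',
        issueType: 'Error',
        severity: 'Critical',
        level: 'Mandatory',
        group: 'Security',
        commonWeaknessEnumeration: '79, 85, 710'
    };
    return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;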
|
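/**
 * Builds the walker options from the rule configuration.
 *
 * Two configuration shapes are accepted: the tslint IOptions object (the
 * matcher is read from `ruleArguments[1]`) and, presumably for older tslint
 * versions, a bare options array (`options[1]`). In both cases the second
 * element may be an object carrying `html-lib-matcher`, a regular-expression
 * source that is compiled with `new RegExp`. When absent, the default pattern
 * matches targets named jQuery / $ (case-insensitive).
 *
 * @param {object|Array} options - value returned by Rule#getOptions()
 * @returns {{htmlLibExpressionRegex: RegExp}}
 */
function parseOptions(options) {
    var defaultMatcher = /^(jquery|[$])/i;
    var custom = readHtmlLibMatcher(options.ruleArguments);
    if (custom === undefined && Array.isArray(options)) {
        custom = readHtmlLibMatcher(options);
    }
    return {
        htmlLibExpressionRegex: custom === undefined ? defaultMatcher : custom
    };
}

/**
 * Reads `html-lib-matcher` from the second element of an argument list.
 * Returns undefined when the list or the option is missing. `null` is rejected
 * explicitly because `typeof null === 'object'` would otherwise lead to a
 * TypeError on property access.
 *
 * @param {*} args - argument list (array or array-like), or null/undefined
 * @returns {RegExp|undefined}
 */
function readHtmlLibMatcher(args) {
    if (args == null) {
        return undefined;
    }
    var candidate = args[1];
    if (candidate === null || typeof candidate !== 'object') {
        return undefined;
    }
    var pattern = candidate['html-lib-matcher'];
    return pattern ? new RegExp(pattern) : undefined;
}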
|
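/**
 * Walks the source file and reports HTML-injection sinks:
 *   - assignments (`=` and `+=`) whose target is the innerHTML or outerHTML
 *     property, written either as `x.innerHTML` or `x['innerHTML']`;
 *   - calls to html(...) with at least one argument whose call target matches
 *     `ctx.options.htmlLibExpressionRegex`.
 *
 * `+=` and the string-keyed element access were added because they write the
 * same DOM properties as a plain dotted `=` and were previously not reported.
 *
 * @param {object} ctx - tslint walk context (sourceFile, options, addFailureAt)
 */
function walk(ctx) {
    var htmlLibExpressionRegex = ctx.options.htmlLibExpressionRegex;

    // Name of the property an assignment target refers to, or undefined when
    // the target is neither `obj.prop` nor `obj['prop']` with a literal key.
    function writtenPropertyName(target) {
        if (tsutils.isPropertyAccessExpression(target)) {
            return target.name.text;
        }
        if (tsutils.isElementAccessExpression(target) &&
            target.argumentExpression !== undefined &&
            tsutils.isStringLiteral(target.argumentExpression)) {
            return target.argumentExpression.text;
        }
        return undefined;
    }

    // Only operators that store into the target count as a write.
    function isWriteOperator(kind) {
        return kind === ts.SyntaxKind.EqualsToken || kind === ts.SyntaxKind.PlusEqualsToken;
    }

    // Reports `x.innerHTML = ...` / `x.outerHTML = ...` (and the += / ['...'] forms).
    function checkAssignment(node) {
        if (!isWriteOperator(node.operatorToken.kind)) {
            return;
        }
        var propName = writtenPropertyName(node.left);
        if (propName === 'innerHTML') {
            ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_INNER + node.getText());
        }
        else if (propName === 'outerHTML') {
            ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_OUTER + node.getText());
        }
    }

    // Reports `lib.html(value)` when `lib` matches the configured pattern;
    // a zero-argument html() is a read and is ignored.
    function checkHtmlCall(node) {
        if (AstUtils_1.AstUtils.getFunctionName(node) !== 'html' || node.arguments.length === 0) {
            return;
        }
        var functionTarget = AstUtils_1.AstUtils.getFunctionTarget(node);
        if (functionTarget !== undefined && htmlLibExpressionRegex.test(functionTarget)) {
            ctx.addFailureAt(node.getStart(), node.getWidth(), FAILURE_HTML_LIB + node.getText());
        }
    }

    function cb(node) {
        if (tsutils.isBinaryExpression(node)) {
            checkAssignment(node);
        }
        if (tsutils.isCallExpression(node)) {
            checkHtmlCall(node);
        }
        return ts.forEachChild(node, cb);
    }
    return ts.forEachChild(ctx.sourceFile, cb);
}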
|