1 | "use strict";
|
// TypeScript-emitted ES5 inheritance helper (the same shape as tslib's
// `__extends`). An already-present module-level helper is reused; otherwise
// the IIFE below builds one.
var __extends = (this && this.__extends) || (function () {
    // Copies static members / re-parents the constructor, choosing at first
    // use among: Object.setPrototypeOf, the legacy `__proto__` assignment
    // (only if the engine honours it), or a manual own-property copy.
    var extendStatics = function (d, b) {
        extendStatics = Object.setPrototypeOf ||
            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
        return extendStatics(d, b);
    }
    return function (d, b) {
        extendStatics(d, b);
        // Throw-away constructor so d.prototype inherits from b.prototype
        // without running b's constructor.
        function __() { this.constructor = d; }
        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
    };
})();
|
// Marks this CommonJS module as a compiled ES module for interop helpers.
Object.defineProperty(exports, "__esModule", { value: true });
|
16 | var ts = require("typescript");
|
17 | var Utils_1 = require("./utils/Utils");
|
18 | var Lint = require("tslint");
|
19 | var tsutils = require("tsutils");
|
// tslint rule 'react-no-dangerous-html' (ES5 class emitted by the TypeScript
// compiler). Reports uses of React's dangerouslySetInnerHTML API; the only
// way to silence a report is an entry in the configured exception list,
// which is handed to the walker via the parsed options.
var Rule = (function (_base) {
    __extends(Rule, _base);
    function Rule() {
        // Forward all constructor arguments to Lint.Rules.AbstractRule.
        var instance = _base !== null && _base.apply(this, arguments);
        return instance || this;
    }
    // tslint entry point, invoked once per source file.
    Rule.prototype.apply = function (sourceFile) {
        var walkOptions = this.parseOptions(this.getOptions());
        return this.applyWithFunction(sourceFile, walk, walkOptions);
    };
    // Normalises the rule configuration into `{ exceptions }`. With a regular
    // tslint options object the first rule argument is the exception list;
    // when the options are passed as a bare array, the array itself is used.
    // Anything else yields an empty object (no exceptions).
    Rule.prototype.parseOptions = function (options) {
        var result = {};
        var ruleArguments = options.ruleArguments;
        if (ruleArguments instanceof Array) {
            result.exceptions = ruleArguments[0];
        } else if (options instanceof Array) {
            result.exceptions = options;
        }
        return result;
    };
    Rule.metadata = {
        ruleName: 'react-no-dangerous-html',
        type: 'maintainability',
        description: "Do not use React's dangerouslySetInnerHTML API.",
        options: null,
        optionsDescription: '',
        typescriptOnly: true,
        issueClass: 'SDL',
        issueType: 'Error',
        severity: 'Critical',
        level: 'Mandatory',
        group: 'Security',
        commonWeaknessEnumeration: '79, 85, 710'
    };
    return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;
|
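/**
 * Walker for the 'react-no-dangerous-html' rule.
 *
 * Reports every occurrence of `dangerouslySetInnerHTML`, written either as a
 * JSX attribute or as a key in an object literal (for example a props object
 * that is later spread onto an element), unless the occurrence is inside a
 * method that the configured exception list names for this file.
 *
 * @param {Lint.WalkContext<{exceptions?: Array<{file: string, method: string, comment?: string}>}>} ctx
 *        tslint walk context; `ctx.options` is the object built by
 *        Rule.prototype.parseOptions.
 * @returns {undefined} the result of ts.forEachChild over the source file
 *        (cb never returns a truthy value, so this is always undefined).
 */
function walk(ctx) {
    var UNKNOWN_METHOD = '<unknown>';
    // Name of the innermost MethodDeclaration being visited. Only method
    // declarations are tracked, so usages inside plain functions, arrow
    // functions or at module level are attributed to '<unknown>'.
    var currentMethodName = UNKNOWN_METHOD;

    // Checks the attributes of a JSX opening or self-closing element.
    // Spread attributes ({...props}) are not inspected here; an inline object
    // literal inside a spread is still caught by handlePropertyAssignment,
    // because cb() descends into every child node.
    function handleJsxOpeningElement(node) {
        node.attributes.properties.forEach(function (attribute) {
            if (attribute.kind !== ts.SyntaxKind.JsxAttribute) {
                return;
            }
            var jsxAttribute = attribute;
            if (jsxAttribute.name.text === 'dangerouslySetInnerHTML') {
                addFailureIfNotSuppressed(node, jsxAttribute.name);
            }
        });
    }

    // Records a failure starting at `parent` (highlight width taken from the
    // offending name `node`) unless the current method is suppressed.
    function addFailureIfNotSuppressed(parent, node) {
        if (isSuppressed(currentMethodName)) {
            return;
        }
        var failureString = 'Invalid call to dangerouslySetInnerHTML in method "' +
            currentMethodName +
            '".\n' +
            ' Do *NOT* add a suppression for this warning. If you absolutely must use this API then you need\n' +
            ' to review the usage with a security expert/QE representative. If they decide that this is an\n' +
            ' acceptable usage then add the exception to xss_exceptions.json';
        ctx.addFailureAt(parent.getStart(), node.text.length, failureString);
    }

    // True when `ctx.options.exceptions` has an entry whose file resolves to
    // the current source file, whose method equals `methodName`, and which
    // carries a `comment`. Entries without a comment never suppress, so every
    // exception must be justified.
    // NOTE(review): the method name is compared verbatim, so an entry whose
    // method is '<unknown>' would suppress every usage that is not inside a
    // method declaration in that file.
    function isSuppressed(methodName) {
        var exceptions = ctx.options.exceptions;
        if (exceptions === undefined || exceptions.length === 0) {
            return false;
        }
        var fileName = ctx.sourceFile.fileName;
        return exceptions.some(function (exception) {
            return Utils_1.Utils.absolutePath(exception.file) === fileName &&
                exception.method === methodName &&
                exception.comment !== undefined;
        });
    }

    // Reports a property assignment whose key names dangerouslySetInnerHTML.
    // Both identifier keys ({ dangerouslySetInnerHTML: x }) and string-literal
    // keys ({ 'dangerouslySetInnerHTML': x }) are handled; the quoted form was
    // previously missed, which let the check be bypassed by quoting the key.
    // NOTE(review): a shorthand property ({ dangerouslySetInnerHTML }) is a
    // ShorthandPropertyAssignment, not a PropertyAssignment, and is still not
    // reported by this walker.
    function handlePropertyAssignment(node) {
        var keyNode = node.name;
        var hasNamedKey = keyNode.kind === ts.SyntaxKind.Identifier ||
            keyNode.kind === ts.SyntaxKind.StringLiteral;
        if (hasNamedKey && keyNode.text === 'dangerouslySetInnerHTML') {
            addFailureIfNotSuppressed(node, keyNode);
        }
    }

    function cb(node) {
        if (tsutils.isMethodDeclaration(node)) {
            // Save and restore rather than resetting to '<unknown>', so that a
            // nested method (e.g. in an object literal inside a method body)
            // does not clobber the enclosing method's name for the rest of
            // that body and thereby misattribute or mis-suppress later usages.
            var previousMethodName = currentMethodName;
            currentMethodName = node.name.getText();
            ts.forEachChild(node, cb);
            currentMethodName = previousMethodName;
            return;
        }
        if (tsutils.isPropertyAssignment(node)) {
            handlePropertyAssignment(node);
        } else if (tsutils.isJsxElement(node)) {
            handleJsxOpeningElement(node.openingElement);
        } else if (tsutils.isJsxSelfClosingElement(node)) {
            handleJsxOpeningElement(node);
        }
        return ts.forEachChild(node, cb);
    }

    return ts.forEachChild(ctx.sourceFile, cb);
}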
|
121 |
|