UNPKG

@microsoft/eslint-plugin-sdl

Version:

ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)

github.com/microsoft/eslint-plugin-sdl

microsoft/eslint-plugin-sdl

42 lines (37 loc) 1.33 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
// Copyright (c) Microsoft Corporation. // Licensed under the MIT License. /** * @fileoverview Rule to disallow document.domain property * @author Antonios Katopodis */ "use strict"; const astUtils = require("../ast-utils"); module.exports = { meta: { type: "suggestion", fixable: "code", schema: [], docs: { category: "Security", description: "Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited.", url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-document-domain.md" }, messages: { default: "Do not write to document.domain property" } }, create: function (context) { const fullTypeChecker = astUtils.getFullTypeChecker(context); return { "AssignmentExpression[operator='='][left.property.name='domain']"(node) { if (astUtils.isDocumentObject(node.left.object, context, fullTypeChecker)) { context.report({ node: node, messageId: "default" }); } } }; } };