UNPKG

eslint-plugin-sonarjs

Version:

SonarJS rules for ESLint

github.com/SonarSource/SonarJS/blob/master/packages/jsts/src/rules/README.md

SonarSource/SonarJS

94 lines (93 loc) 4.09 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
"use strict"; /* * SonarQube JavaScript Plugin * Copyright (C) 2011-2025 SonarSource SA * mailto:info AT sonarsource DOT com * * This program is free software; you can redistribute it and/or * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the Sonar Source-Available License for more details. * * You should have received a copy of the Sonar Source-Available License * along with this program; if not, see https://sonarsource.com/license/ssal/ */ // https://sonarsource.github.io/rspec/#/rspec/S4502/javascript Object.defineProperty(exports, "__esModule", { value: true }); exports.rule = void 0; const index_js_1 = require("../helpers/index.js"); const meta_js_1 = require("./meta.js"); const CSURF_MODULE = 'csurf'; const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']; exports.rule = { meta: (0, index_js_1.generateMeta)(meta_js_1.meta, undefined, true), create(context) { let globalCsrfProtection = false; let importedCsrfMiddleware = false; function checkIgnoredMethods(node) { if (node.value.type === 'ArrayExpression') { const arrayExpr = node.value; const unsafeMethods = arrayExpr.elements .filter(index_js_1.isLiteral) .filter(e => typeof e.value === 'string' && !SAFE_METHODS.includes(e.value)); if (unsafeMethods.length > 0) { const [first, ...rest] = unsafeMethods; (0, index_js_1.report)(context, { message: 'Make sure disabling CSRF protection is safe here.', node: first, }, rest.map(node => (0, index_js_1.toSecondaryLocation)(node))); } } } function isCsurfMiddleware(node) { return node && (0, index_js_1.getFullyQualifiedName)(context, node) === CSURF_MODULE; } function checkCallExpression(callExpression) { const { callee } = callExpression; // require('csurf') if ((0, index_js_1.isRequireModule)(callExpression, CSURF_MODULE)) { importedCsrfMiddleware = true; } // csurf(...) if ((0, index_js_1.getFullyQualifiedName)(context, callee) === CSURF_MODULE) { const [args] = callExpression.arguments; const ignoredMethods = (0, index_js_1.getProperty)(args, 'ignoreMethods', context); if (ignoredMethods) { checkIgnoredMethods(ignoredMethods); } } // app.use(csurf(...)) if (callee.type === 'MemberExpression') { if ((0, index_js_1.isIdentifier)(callee.property, 'use') && (0, index_js_1.flattenArgs)(context, callExpression.arguments).find(isCsurfMiddleware)) { globalCsrfProtection = true; } if ((0, index_js_1.isIdentifier)(callee.property, 'post', 'put', 'delete', 'patch') && !globalCsrfProtection && importedCsrfMiddleware && !callExpression.arguments.some(arg => isCsurfMiddleware(arg))) { (0, index_js_1.report)(context, { message: 'Make sure not using CSRF protection is safe here.', node: callee, }); } } } return { Program() { globalCsrfProtection = false; }, CallExpression(node) { checkCallExpression(node); }, ImportDeclaration(node) { if (node.source.value === CSURF_MODULE) { importedCsrfMiddleware = true; } }, }; }, };