"use strict";
/*
 * SonarQube JavaScript Plugin
 * Copyright (C) 2011-2025 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
// https://sonarsource.github.io/rspec/#/rspec/S5736/javascript
Object.defineProperty(exports, "__esModule", { value: true });
exports.rule = void 0;
const index_js_1 = require("../helpers/index.js");
const meta_js_1 = require("./meta.js");

// Names matched against the fully-qualified callee of the Express middleware call.
const HELMET = 'helmet';
const POLICY = 'policy';
const REFERRER_POLICY = 'referrerPolicy';

// Referrer-Policy directives the rule treats as weak: each of these lets the
// browser send the full referrer URL (path and query included) to other
// origins. The empty string is also listed, since an empty directive falls
// back to the browser default rather than to a strict policy.
const UNSAFE_REFERRER_POLICY_VALUES = ['', 'unsafe-url', 'no-referrer-when-downgrade'];

/**
 * Locates the property of a helmet call that weakens the Referrer-Policy header.
 *
 * Two call shapes are recognised, selected on the callee's fully-qualified name:
 *   - `helmet({ referrerPolicy: false })`: the `referrerPolicy: false` property is reported;
 *   - `helmet.referrerPolicy({ policy: <value> })`: the `policy` property is reported
 *     when its value (a single literal or an array of literals) contains one of
 *     UNSAFE_REFERRER_POLICY_VALUES.
 * Only calls with exactly one argument are inspected.
 *
 * @param {object} context - ESLint rule context, forwarded to the helper lookups.
 * @param {object} node - CallExpression node of the middleware call.
 * @returns {object[]} the single sensitive Property node wrapped in an array, or an empty array.
 */
function findNoReferrerPolicyPropertyFromHelmet(context, node) {
  const { callee, arguments: args } = node;
  if (args.length !== 1) {
    return [];
  }
  const [options] = args;
  const fqn = (0, index_js_1.getFullyQualifiedName)(context, callee);
  switch (fqn) {
    case HELMET: {
      // helmet({ referrerPolicy: false }) — only an object literal is inspected.
      if (options.type !== 'ObjectExpression') {
        return [];
      }
      const disabled = (0, index_js_1.getPropertyWithValue)(context, options, REFERRER_POLICY, false);
      return disabled ? [disabled] : [];
    }
    case `${HELMET}.${REFERRER_POLICY}`: {
      // helmet.referrerPolicy({ policy: <value> }) — flag the property when the value is weak.
      const policyProperty = (0, index_js_1.getProperty)(options, POLICY, context);
      return policyProperty && !isSafePolicy(policyProperty) ? [policyProperty] : [];
    }
    default:
      return [];
  }
}

/**
 * Decides whether a `policy` property of `helmet.referrerPolicy(...)` keeps a strict policy.
 *
 * The property's value may be a single expression or an ArrayExpression; every
 * element is checked. Only string Literal nodes are compared against
 * UNSAFE_REFERRER_POLICY_VALUES — identifiers, template literals and computed
 * values are never matched and therefore count as safe (no finding). Array
 * holes arrive as null elements, hence the optional chaining.
 *
 * @param {object} policy - ESTree Property node; assumed to carry a `value` expression.
 * @returns {boolean} true when no element is a known weak directive.
 */
function isSafePolicy(policy) {
  const { value } = policy;
  const candidates = value.type === 'ArrayExpression' ? value.elements : [value];
  const isWeakLiteral = (candidate) =>
    candidate?.type === 'Literal' &&
    typeof candidate.value === 'string' &&
    UNSAFE_REFERRER_POLICY_VALUES.includes(candidate.value);
  return !candidates.some(isWeakLiteral);
}

exports.rule = index_js_1.Express.SensitiveMiddlewarePropertyRule(
  findNoReferrerPolicyPropertyFromHelmet,
  `Make sure disabling strict HTTP no-referrer policy is safe here.`,
  (0, index_js_1.generateMeta)(meta_js_1.meta, undefined, true),
);