tslint-config-security/dist/rules/tsrDetectHtmlInjectionRule.js

TSLint security rules

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
var tslib_1 = require("tslib");
var Lint = require("tslint");
var ts = require("typescript");
var node_kind_1 = require("../node-kind");
var Rule = (function (_super) {
    tslib_1.__extends(Rule, _super);
    function Rule() {
        return _super !== null && _super.apply(this, arguments) || this;
    }
    Rule.prototype.apply = function (sourceFile) {
        return this.applyWithFunction(sourceFile, walk);
    };
    Rule.metadata = {
        ruleName: 'tsr-detect-html-injection',
        description: 'Warns when possible HTML injection is found',
        descriptionDetails: Lint.Utils.dedent(templateObject_1 || (templateObject_1 = tslib_1.__makeTemplateObject(["Any usage of unsafe DOM APIs as Element.innerHTML or document.write()\n            will trigger a warning.\n            See https://github.com/webschik/tslint-config-security#tsr-detect-html-injection"], ["Any usage of unsafe DOM APIs as Element.innerHTML or document.write()\n            will trigger a warning.\n            See https://github.com/webschik/tslint-config-security#tsr-detect-html-injection"]))),
        optionsDescription: '',
        options: null,
        type: 'functionality',
        requiresTypeInfo: false,
        typescriptOnly: false
    };
    return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;
var unsafeDocumentHtmlMethods = ['writeln', 'write'];
var unsafeElementHtmlMethods = ['insertAdjacentHTML'];
var unsafeElementHtmlProps = ['outerHTML', 'innerHTML'];
function walk(ctx) {
    function visitNode(node) {
        switch (node.kind) {
            case ts.SyntaxKind.PropertyAccessExpression: {
                var _a = node, expression = _a.expression, name = _a.name;
                var parent = node.parent;
                var firstArgument = parent && parent.arguments && parent.arguments[0];
                if (expression && name && firstArgument && !node_kind_1.stringLiteralKinds.includes(firstArgument.kind)) {
                    var method = name.text;
                    if (expression.text === 'document' &&
                        unsafeDocumentHtmlMethods.includes(method)) {
                        ctx.addFailureAtNode(parent, "Found document." + method + " with non-literal argument");
                    }
                    else if (unsafeElementHtmlMethods.includes(method)) {
                        ctx.addFailureAtNode(parent, "Found Element." + method + " with non-literal argument");
                    }
                }
                break;
            }
            case ts.SyntaxKind.BinaryExpression: {
                var _b = node, left = _b.left, right = _b.right, operatorToken = _b.operatorToken;
                var leftName = left && left.name;
                if (operatorToken &&
                    operatorToken.kind === ts.SyntaxKind.EqualsToken &&
                    left &&
                    left.kind === ts.SyntaxKind.PropertyAccessExpression &&
                    leftName &&
                    right &&
                    !node_kind_1.stringLiteralKinds.includes(right.kind) &&
                    unsafeElementHtmlProps.includes(leftName.text)) {
                    ctx.addFailureAtNode(node, "Found Element." + leftName.text + " with non-literal value");
                }
                break;
            }
            default:
        }
        return ts.forEachChild(node, visitNode);
    }
    return ts.forEachChild(ctx.sourceFile, visitNode);
}
var templateObject_1;