Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an exception for xmlns usage, and add appropriate testing #11

Merged
merged 2 commits into from
May 11, 2021
Merged

Add an exception for xmlns usage, and add appropriate testing #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6516a6f
Add an exception for xmlns usage, and add appropriate testing
Apr 29, 2021
bb085a7
Add undefined checks
May 11, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
189 changes: 97 additions & 92 deletions lib/rules/no-insecure-url.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,93 +1,98 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

/**
* @fileoverview Disallows usage of insecure protocols in URL strings
*/

"use strict";

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
const DEFAULT_BLOCKLIST = [
/^(ftp|http|telnet|ws):\/\//i
];

const DEFAULT_EXCEPTIONS = [ // TODO: add more typical false positives such as XML schemas after more testing
/^http:(\/\/|\\u002f\\u002f)schemas\.microsoft\.com(\/\/|\\u002f\\u002f)?.*/i,
/^http:(\/\/|\\u002f\\u002f)schemas\.openxmlformats\.org(\/\/|\\u002f\\u002f)?.*/i
];

module.exports = {
defaultBlocklist: DEFAULT_BLOCKLIST,
defaultExceptions: DEFAULT_EXCEPTIONS,
meta: {
type: "suggestion",
fixable: "code",
schema: [
{
type: "object",
properties: {
blocklist: {
type: "array",
items: {
type: "string"
}
},
exceptions: {
type: "array",
items: {
type: "string"
}
},
},
additionalProperties: false
}
],
docs: {
category: "Security",
description: "Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending (potentially sensitive) data over untrusted network in plaintext.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-insecure-url.md"
},
messages: {
doNotUseInsecureUrl: "Do not use insecure URLs"
}
},
create: function (context) {
const options = context.options[0] || {};
const blocklist = (options.blocklist || DEFAULT_BLOCKLIST).map((pattern) => { return new RegExp(pattern, "i"); });
const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });

function matches(patterns, value) {
return patterns.find((re) => { return re.test(value) }) !== undefined;
}

return {
"Literal"(node) {
if (typeof node.value === "string") {
if (matches(blocklist, node.value) && !matches(exceptions, node.value)) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
}
}
},
"TemplateElement"(node) {
if (typeof node.value.raw === "string" && typeof node.value.cooked === "string") {
const rawStringText = node.value.raw;
const cookedStringText = node.value.cooked;

if ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
(matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
}
}
}
};
},
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

/**
* @fileoverview Disallows usage of insecure protocols in URL strings
*/

"use strict";

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
const DEFAULT_BLOCKLIST = [
/^(ftp|http|telnet|ws):\/\//i
];

const DEFAULT_EXCEPTIONS = [ // TODO: add more typical false positives such as XML schemas after more testing
/^http:(\/\/|\\u002f\\u002f)schemas\.microsoft\.com(\/\/|\\u002f\\u002f)?.*/i,
/^http:(\/\/|\\u002f\\u002f)schemas\.openxmlformats\.org(\/\/|\\u002f\\u002f)?.*/i
];

module.exports = {
defaultBlocklist: DEFAULT_BLOCKLIST,
defaultExceptions: DEFAULT_EXCEPTIONS,
meta: {
type: "suggestion",
fixable: "code",
schema: [
{
type: "object",
properties: {
blocklist: {
type: "array",
items: {
type: "string"
}
},
exceptions: {
type: "array",
items: {
type: "string"
}
},
},
additionalProperties: false
}
],
docs: {
category: "Security",
description: "Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending (potentially sensitive) data over untrusted network in plaintext.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-insecure-url.md"
},
messages: {
doNotUseInsecureUrl: "Do not use insecure URLs"
}
},
create: function (context) {
const options = context.options[0] || {};
const blocklist = (options.blocklist || DEFAULT_BLOCKLIST).map((pattern) => { return new RegExp(pattern, "i"); });
const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });

function matches(patterns, value) {
return patterns.find((re) => { return re.test(value) }) !== undefined;
}

return {
"Literal"(node) {
if (typeof node.value === "string") {
// Add an exception for xmlns attributes
if(node.parent && node.parent.type === "JSXAttribute" && node.parent.name && node.parent.name.name === "xmlns")
{
// Do nothing
}
else if (matches(blocklist, node.value) && !matches(exceptions, node.value)) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
}
}
},
"TemplateElement"(node) {
if (typeof node.value.raw === "string" && typeof node.value.cooked === "string") {
const rawStringText = node.value.raw;
const cookedStringText = node.value.cooked;

if ((matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
(matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) {
context.report({
node: node,
messageId: "doNotUseInsecureUrl"
});
}
}
}
};
},
};
Empty file added tests/fixtures/estree.tsx
View file
Open in desktop
Empty file.
8 changes: 8 additions & 0 deletions tests/fixtures/tsconfig-react.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"compilerOptions": {
"jsx": "preserve"
},
"include": [
"estree.tsx"
]
}
29 changes: 29 additions & 0 deletions tests/lib/rules/no-insecure-url.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,19 @@ ruleTester.run(ruleId, rule, {
exceptions: ["HTTP:\/\/www\.allow-example\.com\/?.*", "FtP:\/\/www\.allow-file-example\.com", "LdaP:\/\/www\.allow-ldap-example\.com"]
}]
},
{
// should allow xml namespaces, as they are not accessed by the browser
code: `
const someSvg: React.FC = () => {
return (
<svg xmlns="http://www.w3.org/2000/svg">
</svg>
);
};
`,
parser: testUtils.tsParser,
parserOptions: testUtils.tsReactParserOptions,
},
],
invalid: [
{ // should ban http,ftp strings in variables
Expand Down Expand Up @@ -129,5 +142,21 @@ ruleTester.run(ruleId, rule, {
blocklist: ["htTp:\/\/www\.ban-example\.com\/?.*", "fTp:\/\/www\.ban-file-example\.com\/?.*", "lDAp:\/\/www\.ban-ldap-example\.com\/?.*"]
}]
},
{
// should ban any other xml attribute with urls in them
code: `
const someSvg: React.FC = () => {
return (
<svg someOtherAttribute="http://www.w3.org/2000/svg">
</svg>
);
};
`,
errors: [
{ messageId: "doNotUseInsecureUrl", line: 4},
],
parser: testUtils.tsParser,
parserOptions: testUtils.tsReactParserOptions,
},
]
});
8 changes: 8 additions & 0 deletions tests/lib/test-utils.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,13 @@ module.exports = {
moduleParserOptions: {
ecmaVersion: 6,
sourceType: "module"
},
tsReactParserOptions: {
tsconfigRootDir: path.join(__dirname, '../fixtures'),
project: 'tsconfig-react.json',
sourceType: "module",
ecmaFeatures: {
jsx: true
}
}
};