From 26eaf2a9b5730d729b86c958d1d8ced32b1c8943 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Ka=C4=8Dmar?= Date: Tue, 1 Oct 2024 21:57:58 +0200 Subject: [PATCH] Drop support for AngularJS --- README.md | 4 -- config/angularjs.js | 20 ------ docs/rules/no-angularjs-bypass-sce.md | 7 -- docs/rules/no-angularjs-enable-svg.md | 7 -- .../no-angularjs-sanitization-whitelist.md | 7 -- lib/index.js | 5 -- lib/rules/no-angularjs-bypass-sce.js | 69 ------------------- lib/rules/no-angularjs-enable-svg.js | 48 ------------- .../no-angularjs-sanitization-whitelist.js | 38 ---------- tests/lib/rules/no-angularjs-bypass-sce.js | 63 ----------------- tests/lib/rules/no-angularjs-enable-svg.js | 29 -------- .../no-angularjs-sanitization-whitelist.js | 43 ------------ 12 files changed, 340 deletions(-) delete mode 100644 config/angularjs.js delete mode 100644 docs/rules/no-angularjs-bypass-sce.md delete mode 100644 docs/rules/no-angularjs-enable-svg.md delete mode 100644 docs/rules/no-angularjs-sanitization-whitelist.md delete mode 100644 lib/rules/no-angularjs-bypass-sce.js delete mode 100644 lib/rules/no-angularjs-enable-svg.js delete mode 100644 lib/rules/no-angularjs-sanitization-whitelist.js delete mode 100644 tests/lib/rules/no-angularjs-bypass-sce.js delete mode 100644 tests/lib/rules/no-angularjs-enable-svg.js delete mode 100644 tests/lib/rules/no-angularjs-sanitization-whitelist.js diff --git a/README.md b/README.md index 622c712..44eb00c 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,6 @@ You can also used the below Shareable Config files using flat config model as gu Plugin is shipped with following [Shareable Configs](http://eslint.org/docs/developer-guide/shareable-configs): - [angular](config/angular.js) - Set of rules for modern [Angular](https://angular.io) applications -- [angularjs](config/angularjs.js) - Set of rules for legacy [AngularJS](https://docs.angularjs.org) applications - [common](config/common.js) - Set of rules for common JavaScript applications - [electron](config/electron.js) - Set of rules for Electron applications - [node](config/node.js) - Set of rules for Node.js applications @@ -74,9 +73,6 @@ We also implemented several [custom rules](./lib/rules) where we did not find su | [no-new-func](https://eslint.org/docs/rules/no-new-func) | Bans calling `new Function()` as it's similar to `eval()` and prone to code execution. | | [node/no-deprecated-api](https://github.com/mysticatea/eslint-plugin-node/blob/master/docs/rules/no-deprecated-api.md) | Bans usage of deprecated APIs in Node. | | [@microsoft/sdl/no-angular-bypass-sanitizer](./docs/rules/no-angular-bypass-sanitizer.md) | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. | -| [@microsoft/sdl/no-angularjs-bypass-sce](./docs/rules/no-angularjs-bypass-sce.md) | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. | -| [@microsoft/sdl/no-angularjs-enable-svg](./docs/rules/no-angularjs-enable-svg.md) | Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. | -| [@microsoft/sdl/no-angularjs-sanitization-whitelist](./docs/rules/no-angularjs-sanitization-whitelist.md) | Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. | | [@microsoft/sdl/no-cookies](./docs/rules/no-cookies.md) | HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. | | [@microsoft/sdl/no-document-domain](./docs/rules/no-document-domain.md) | Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited. | | [@microsoft/sdl/no-document-write](./docs/rules/no-document-write.md) | Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | diff --git a/config/angularjs.js b/config/angularjs.js deleted file mode 100644 index c85b518..0000000 --- a/config/angularjs.js +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -"use strict"; - -// Generates shareable config for legacy AngularJS (https://angularjs.org/) apps. -module.exports = (pluginSdl) => { - return [ - { - plugins: { - "@microsoft/sdl": pluginSdl - }, - rules: { - "@microsoft/sdl/no-angularjs-enable-svg": "error", - "@microsoft/sdl/no-angularjs-sanitization-whitelist": "error", - "@microsoft/sdl/no-angularjs-bypass-sce": "error" - } - } - ]; -}; diff --git a/docs/rules/no-angularjs-bypass-sce.md b/docs/rules/no-angularjs-bypass-sce.md deleted file mode 100644 index b43206b..0000000 --- a/docs/rules/no-angularjs-bypass-sce.md +++ /dev/null @@ -1,7 +0,0 @@ -# Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) - -Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. - -SCE should be bypassed only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. - -See [official documentation](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) for more details. diff --git a/docs/rules/no-angularjs-enable-svg.md b/docs/rules/no-angularjs-enable-svg.md deleted file mode 100644 index a5f2ad9..0000000 --- a/docs/rules/no-angularjs-enable-svg.md +++ /dev/null @@ -1,7 +0,0 @@ -# Do not enable SVG support in AngularJS (no-angularjs-enable-svg) - -Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. - -SVG support should be enabled only in very rare and justifiable cases after careful review so that the risk of introducing Clickjacking vulnerability is minimized. - -See [official documentation](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) for more details about the issue. diff --git a/docs/rules/no-angularjs-sanitization-whitelist.md b/docs/rules/no-angularjs-sanitization-whitelist.md deleted file mode 100644 index ccf151a..0000000 --- a/docs/rules/no-angularjs-sanitization-whitelist.md +++ /dev/null @@ -1,7 +0,0 @@ -# Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) - -Calls to [$compileProvider.aHrefSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [$compileProvider.imgSrcSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. - -Sanitization should be disabled only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. - -See [official documentation](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) for more details about the issue. diff --git a/lib/index.js b/lib/index.js index 60b3433..d918dd5 100644 --- a/lib/index.js +++ b/lib/index.js @@ -16,9 +16,6 @@ const plugin = { rules: { "no-angular-bypass-sanitizer": require("./rules/no-angular-bypass-sanitizer"), "no-angular-sanitization-trusted-urls": require("./rules/no-angular-sanitization-trusted-urls"), - "no-angularjs-bypass-sce": require("./rules/no-angularjs-bypass-sce"), - "no-angularjs-enable-svg": require("./rules/no-angularjs-enable-svg"), - "no-angularjs-sanitization-whitelist": require("./rules/no-angularjs-sanitization-whitelist"), "no-cookies": require("./rules/no-cookies"), "no-document-domain": require("./rules/no-document-domain"), "no-document-write": require("./rules/no-document-write"), @@ -38,7 +35,6 @@ const plugin = { }; plugin.configs["angular"] = require("../config/angular")(plugin); -plugin.configs["angularjs"] = require("../config/angularjs")(plugin); plugin.configs["common"] = require("../config/common")(plugin); plugin.configs["electron"] = require("../config/electron")(plugin); plugin.configs["node"] = require("../config/node")(plugin); @@ -47,7 +43,6 @@ plugin.configs["typescript"] = require("../config/react")(plugin); plugin.configs["required"] = [ ...plugin.configs["angular"], - ...plugin.configs["angularjs"], ...plugin.configs["common"], ...plugin.configs["electron"], ...plugin.configs["node"], diff --git a/lib/rules/no-angularjs-bypass-sce.js b/lib/rules/no-angularjs-bypass-sce.js deleted file mode 100644 index 74bad0a..0000000 --- a/lib/rules/no-angularjs-bypass-sce.js +++ /dev/null @@ -1,69 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -/** - * @fileoverview Rule to disallow bypassing Strict Contextual Escaping (SCE) in AngularJS - * @author Antonios Katopodis - */ - -"use strict"; - -module.exports = { - meta: { - type: "suggestion", - fixable: "code", - schema: [], - docs: { - category: "Security", - description: - "Calls to $sceProvider.enabled(false), $sceDelegate.trustAs(), $sce.trustAs() and relevant shorthand methods (e.g. trustAsHtml or trustAsJs) bypass Strict Contextual Escaping (SCE) in AngularJS and need to be reviewed.", - url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-bypass-sce.md" - }, - messages: { - doNotBypass: "Do not bypass Strict Contextual Escaping (SCE) in AngularJS" - } - }, - create: function (context) { - function reportIt(node) { - context.report({ - node: node, - messageId: "doNotBypass" - }); - } - - return { - "CallExpression[arguments!=''][callee.object.name='$sceProvider'][callee.property.name='enabled']"( - node - ) { - // Known false positives - if ( - node.arguments == undefined || - node.arguments.length != 1 || - (node.arguments[0].type == "Literal" && /true|1/.test(node.arguments[0].value)) - ) { - return; - } - return reportIt(node); - }, - "CallExpression[arguments!=''][callee.object.name='$sceDelegate'][callee.property.name='trustAs']": - reportIt, - "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]"( - node - ) { - // Known false positives - if ( - node.arguments && - node.arguments.length === 1 && - node.arguments[0].type === "Literal" && - node.arguments[0].value === "" - ) { - return; - } - - return reportIt(node); - } - }; - } -}; - -// TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist diff --git a/lib/rules/no-angularjs-enable-svg.js b/lib/rules/no-angularjs-enable-svg.js deleted file mode 100644 index 7405601..0000000 --- a/lib/rules/no-angularjs-enable-svg.js +++ /dev/null @@ -1,48 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -/** - * @fileoverview Rule to disallow enabling SVG in AngularJS apps - * @author Antonios Katopodis - */ - -"use strict"; - -module.exports = { - meta: { - type: "suggestion", - fixable: "code", - schema: [], - docs: { - category: "Security", - description: - "Calls to $sanitizeProvider.enableSvg(true) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed.", - url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-enable-svg.md" - }, - messages: { - doNotEnableSVG: "Do not enable SVG support in AngularJS" - } - }, - create: function (context) { - return { - "CallExpression[callee.object.name='$sanitizeProvider'][callee.property.name='enableSvg']"( - node - ) { - // Known false positives - if ( - (node.arguments != undefined && node.arguments.length != 1) || - (node.arguments[0].type == "Literal" && - (node.arguments[0].value == "false" || node.arguments[0].value == "0")) - ) { - return; - } - context.report({ - node: node, - messageId: "doNotEnableSVG" - }); - } - }; - } -}; - -// TODO: Add rules for $sanitizeProvider.addValidElements() and $sanitizeProvider.addValidAttrs() diff --git a/lib/rules/no-angularjs-sanitization-whitelist.js b/lib/rules/no-angularjs-sanitization-whitelist.js deleted file mode 100644 index c92e1f4..0000000 --- a/lib/rules/no-angularjs-sanitization-whitelist.js +++ /dev/null @@ -1,38 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -/** - * @fileoverview Rule to disallow modifying sanitization whitelist in AngularJS - * @author Antonios Katopodis - */ - -"use strict"; - -module.exports = { - meta: { - type: "suggestion", - fixable: "code", - schema: [], - docs: { - category: "Security", - description: - "Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed.", - url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-sanitization-whitelist.md" - }, - messages: { - noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS" - } - }, - create: function (context) { - return { - "CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"( - node - ) { - context.report({ - node: node, - messageId: "noSanitizationWhitelist" - }); - } - }; - } -}; diff --git a/tests/lib/rules/no-angularjs-bypass-sce.js b/tests/lib/rules/no-angularjs-bypass-sce.js deleted file mode 100644 index 4fbe281..0000000 --- a/tests/lib/rules/no-angularjs-bypass-sce.js +++ /dev/null @@ -1,63 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -const path = require("path"); -const ruleId = path.parse(__filename).name; -const rule = require(path.join("../../../lib/rules/", ruleId)); -const RuleTester = require("eslint").RuleTester; -var ruleTester = new RuleTester(); - -ruleTester.run(ruleId, rule, { - valid: [ - "trustAsHtml()", - "$sce.trustAsHtml()", - "$sce.trustAsHtml('')", - "$sce.TrustAsHtml('XSS')", - "x.trustAsHtml('XSS')", - "$sceProvider.enabled()", - "$sceProvider.enabled(true)", - "$sceProvider.enabled(1)" - ], - invalid: [ - { - code: "$sceDelegate.trustAs($sce.HTML, 'XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAs($sce.HTML, 'XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAsCss('XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAsHtml('XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAsJs('XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAsResourceUrl('XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sce.trustAsUrl('XSS')", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sceProvider.enabled(false)", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sceProvider.enabled(0)", - errors: [{ messageId: "doNotBypass" }] - }, - { - code: "$sceProvider.enabled(true != true)", - errors: [{ messageId: "doNotBypass" }] - } - ] -}); diff --git a/tests/lib/rules/no-angularjs-enable-svg.js b/tests/lib/rules/no-angularjs-enable-svg.js deleted file mode 100644 index ffc2922..0000000 --- a/tests/lib/rules/no-angularjs-enable-svg.js +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -const path = require("path"); -const ruleId = path.parse(__filename).name; -const rule = require(path.join("../../../lib/rules/", ruleId)); -const RuleTester = require("eslint").RuleTester; -var ruleTester = new RuleTester(); - -ruleTester.run(ruleId, rule, { - valid: [ - "enableSvg()", - "enableSvg(true)", - "$sanitizeProvider.enableSvg()", - "$sanitizeProvider.enableSvg(false)", - "$sanitizeProvider.enableSvg(0)", - "$sanitizeProvider.EnableSvg(0)" - ], - invalid: [ - { - code: "$sanitizeProvider.enableSvg(true)", - errors: [{ messageId: "doNotEnableSVG" }] - }, - { - code: "$sanitizeProvider.enableSvg(1)", - errors: [{ messageId: "doNotEnableSVG" }] - } - ] -}); diff --git a/tests/lib/rules/no-angularjs-sanitization-whitelist.js b/tests/lib/rules/no-angularjs-sanitization-whitelist.js deleted file mode 100644 index 728d342..0000000 --- a/tests/lib/rules/no-angularjs-sanitization-whitelist.js +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. - -const path = require("path"); -const ruleId = path.parse(__filename).name; -const rule = require(path.join("../../../lib/rules/", ruleId)); -const RuleTester = require("eslint").RuleTester; -var ruleTester = new RuleTester(); - -ruleTester.run(ruleId, rule, { - valid: [ - "aHrefSanitizationWhitelist('.*')", - "x.aHrefSanitizationWhitelist('.*')", - "$compileProvider.aHrefSanitizationWhitelist()", - "$compileProvider.AHrefSanitizationWhitelist('.*')" - ], - invalid: [ - { - code: "$compileProvider.aHrefSanitizationWhitelist('.*');", - errors: [ - { - messageId: "noSanitizationWhitelist", - line: 1, - endLine: 1, - column: 1, - endColumn: 50 - } - ] - }, - { - code: "$compileProvider.imgSrcSanitizationWhitelist('.*');", - errors: [ - { - messageId: "noSanitizationWhitelist", - line: 1, - endLine: 1, - column: 1, - endColumn: 51 - } - ] - } - ] -});