npm - @herb-tools/linter - Versions diffs - 0.8.9 → 0.9.0 - Mend

@herb-tools/linter 0.8.9 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (573) hide show

package/src/rules/erb-no-unsafe-raw.ts ADDED Viewed

@@ -0,0 +1,83 @@
+import { ParserRule } from "../types.js"
+import { BaseRuleVisitor } from "./rule-utils.js"
+import { isERBOutputNode, getTagLocalName, isHTMLOpenTagNode } from "@herb-tools/core"
+import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
+import type { ParseResult, ERBContentNode, HTMLElementNode } from "@herb-tools/core"
+const RAW_PATTERN = /\braw[\s(]/
+const HTML_SAFE_PATTERN = /\.html_safe\b/
+const RAW_TEXT_ELEMENTS = new Set([
+  "title",
+  "textarea",
+  "script",
+  "style",
+  "xmp",
+  "iframe",
+  "noembed",
+  "noframes",
+  "listing",
+  "plaintext",
+])
+class ERBNoUnsafeRawVisitor extends BaseRuleVisitor {
+  private insideRawTextElement = false
+  visitHTMLElementNode(node: HTMLElementNode): void {
+    if (!isHTMLOpenTagNode(node.open_tag)) {
+      super.visitHTMLElementNode(node)
+      return
+    }
+    const tagName = getTagLocalName(node.open_tag)
+    if (tagName && RAW_TEXT_ELEMENTS.has(tagName)) {
+      const wasInside = this.insideRawTextElement
+      this.insideRawTextElement = true
+      super.visitHTMLElementNode(node)
+      this.insideRawTextElement = wasInside
+      return
+    }
+    super.visitHTMLElementNode(node)
+  }
+  visitERBContentNode(node: ERBContentNode): void {
+    if (this.insideRawTextElement) return
+    if (!isERBOutputNode(node)) return
+    const content = node.content?.value || ""
+    if (RAW_PATTERN.test(content)) {
+      this.addOffense(
+        "Avoid `raw()` in ERB output. It bypasses HTML escaping and can cause cross-site scripting (XSS) vulnerabilities.",
+        node.location,
+      )
+    }
+    if (HTML_SAFE_PATTERN.test(content)) {
+      this.addOffense(
+        "Avoid `.html_safe` in ERB output. It bypasses HTML escaping and can cause cross-site scripting (XSS) vulnerabilities.",
+        node.location,
+      )
+    }
+  }
+}
+export class ERBNoUnsafeRawRule extends ParserRule {
+  static ruleName = "erb-no-unsafe-raw"
+  get defaultConfig(): FullRuleConfig {
+    return {
+      enabled: true,
+      severity: "error"
+    }
+  }
+  check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
+    const visitor = new ERBNoUnsafeRawVisitor(this.ruleName, context)
+    visitor.visit(result.value)
+    return visitor.offenses
+  }
+}

package/src/rules/erb-no-unsafe-script-interpolation.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import { ParserRule } from "../types.js"
+import { BaseRuleVisitor } from "./rule-utils.js"
+import {
+  getTagLocalName,
+  getAttribute,
+  getStaticAttributeValue,
+  isERBNode,
+  isERBOutputNode,
+  isHTMLOpenTagNode,
+} from "@herb-tools/core"
+import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
+import type { ParseResult, HTMLElementNode, Node } from "@herb-tools/core"
+const SAFE_PATTERN = /\.to_json\b/
+class ERBNoUnsafeScriptInterpolationVisitor extends BaseRuleVisitor {
+  visitHTMLElementNode(node: HTMLElementNode): void {
+    if (!isHTMLOpenTagNode(node.open_tag)) {
+      super.visitHTMLElementNode(node)
+      return
+    }
+    if (getTagLocalName(node.open_tag) === "script") {
+      this.checkScriptElement(node)
+    }
+    super.visitHTMLElementNode(node)
+  }
+  private checkScriptElement(node: HTMLElementNode): void {
+    if (!isHTMLOpenTagNode(node.open_tag)) return
+    const typeAttribute = getAttribute(node.open_tag, "type")
+    const typeValue = typeAttribute ? getStaticAttributeValue(typeAttribute) : null
+    if (typeValue === "text/html") return
+    if (!node.body || node.body.length === 0) return
+    this.checkNodesForUnsafeOutput(node.body)
+  }
+  private checkNodesForUnsafeOutput(nodes: Node[]): void {
+    for (const child of nodes) {
+      if (!isERBNode(child)) continue
+      if (!isERBOutputNode(child)) continue
+      const content = child.content?.value?.trim() || ""
+      if (SAFE_PATTERN.test(content)) continue
+      this.addOffense(
+        "Unsafe ERB output in `<script>` tag. Use `.to_json` to safely serialize values into JavaScript.",
+        child.location,
+      )
+    }
+  }
+}
+export class ERBNoUnsafeScriptInterpolationRule extends ParserRule {
+  static ruleName = "erb-no-unsafe-script-interpolation"
+  get defaultConfig(): FullRuleConfig {
+    return {
+      enabled: true,
+      severity: "error"
+    }
+  }
+  check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
+    const visitor = new ERBNoUnsafeScriptInterpolationVisitor(this.ruleName, context)
+    visitor.visit(result.value)
+    return visitor.offenses
+  }
+}

package/src/rules/erb-prefer-image-tag-helper.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { ParserRule } from "../types.js"
-import { BaseRuleVisitor, getTagName, findAttributeByName, getAttributes } from "./rule-utils.js"
+import { BaseRuleVisitor } from "./rule-utils.js"
+import { findAttributeByName, getAttributes, getTagLocalName } from "@herb-tools/core"
 import { ERBToRubyStringPrinter } from "@herb-tools/printer"
 import { filterNodes, ERBContentNode, LiteralNode, isNode } from "@herb-tools/core"
@@ -14,7 +15,7 @@ class ERBPreferImageTagHelperVisitor extends BaseRuleVisitor {
   }
   private checkImgTag(openTag: HTMLOpenTagNode): void {
-    const tagName = getTagName(openTag)
+    const tagName = getTagLocalName(openTag)
     if (tagName !== "img") return
@@ -90,7 +91,7 @@ class ERBPreferImageTagHelperVisitor extends BaseRuleVisitor {
 }
 export class ERBPreferImageTagHelperRule extends ParserRule {
-  name = "erb-prefer-image-tag-helper"
+  static ruleName = "erb-prefer-image-tag-helper"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -100,7 +101,7 @@ export class ERBPreferImageTagHelperRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new ERBPreferImageTagHelperVisitor(this.name, context)
+    const visitor = new ERBPreferImageTagHelperVisitor(this.ruleName, context)
     visitor.visit(result.value)
     return visitor.offenses
   }

package/src/rules/erb-require-trailing-newline.ts CHANGED Viewed

@@ -24,7 +24,7 @@ class ERBRequireTrailingNewlineVisitor extends BaseSourceRuleVisitor {
 export class ERBRequireTrailingNewlineRule extends SourceRule {
   static autocorrectable = true
-  name = "erb-require-trailing-newline"
+  static ruleName = "erb-require-trailing-newline"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -34,7 +34,7 @@ export class ERBRequireTrailingNewlineRule extends SourceRule {
   }
   check(source: string, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new ERBRequireTrailingNewlineVisitor(this.name, context)
+    const visitor = new ERBRequireTrailingNewlineVisitor(this.ruleName, context)
     visitor.visit(source)

package/src/rules/erb-require-whitespace-inside-tags.ts CHANGED Viewed

@@ -34,7 +34,28 @@ class RequireWhitespaceInsideTags extends BaseRuleVisitor<ERBRequireWhitespaceAu
   }
   private checkCommentTagWhitespace(node: ERBNode, openTag: Token, closeTag: Token, content: string): void {
-    if (!content.startsWith(" ") && !content.startsWith("\n") && !content.startsWith("=")) {
+    const commentedTagPrefix = this.getCommentedTagPrefix(content)
+    if (commentedTagPrefix) {
+      const afterPrefix = content.substring(commentedTagPrefix.length)
+      const tag = `<%#${commentedTagPrefix}`
+      if (afterPrefix.length > 0 && !afterPrefix[0].match(/\s/)) {
+        this.addOffense(
+          `Add whitespace after \`${tag}\`. This looks like a temporarily commented ERB tag.`,
+          openTag.location,
+          {
+            node,
+            openTag,
+            closeTag,
+            content,
+            fixType: "after-comment-equals",
+            unsafe: true,
+          },
+          "info"
+        )
+      }
+    } else if (!content.startsWith(" ") && !content.startsWith("\n")) {
       this.addOffense(
         `Add whitespace after \`${openTag.value}\`.`,
         openTag.location,
@@ -46,18 +67,6 @@ class RequireWhitespaceInsideTags extends BaseRuleVisitor<ERBRequireWhitespaceAu
           fixType: "after-open"
         }
       )
-    } else if (content.startsWith("=") && content.length > 1 && !content[1].match(/\s/)) {
-      this.addOffense(
-        `Add whitespace after \`<%#=\`.`,
-        openTag.location,
-        {
-          node,
-          openTag,
-          closeTag,
-          content,
-          fixType: "after-comment-equals"
-        }
-      )
     }
     if (!content.endsWith(" ") && !content.endsWith("\n")) {
@@ -93,6 +102,17 @@ class RequireWhitespaceInsideTags extends BaseRuleVisitor<ERBRequireWhitespaceAu
     )
   }
+  private getCommentedTagPrefix(content: string): string | null {
+    if (content.startsWith("graphql")) return "graphql"
+    if (content.startsWith("%=")) return "%="
+    if (content.startsWith("==")) return "=="
+    if (content.startsWith("%")) return "%"
+    if (content.startsWith("=")) return "="
+    if (content.startsWith("-")) return "-"
+    return null
+  }
   private checkCloseTagWhitespace(node: ERBNode, openTag: Token, closeTag: Token, content: string):void {
     if (content.endsWith(" ") || content.endsWith("\n")) {
       return
@@ -114,7 +134,7 @@ class RequireWhitespaceInsideTags extends BaseRuleVisitor<ERBRequireWhitespaceAu
 export class ERBRequireWhitespaceRule extends ParserRule<ERBRequireWhitespaceAutofixContext> {
   static autocorrectable = true
-  name = "erb-require-whitespace-inside-tags"
+  static ruleName = "erb-require-whitespace-inside-tags"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -124,7 +144,7 @@ export class ERBRequireWhitespaceRule extends ParserRule<ERBRequireWhitespaceAut
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense<ERBRequireWhitespaceAutofixContext>[] {
-    const visitor = new RequireWhitespaceInsideTags(this.name, context)
+    const visitor = new RequireWhitespaceInsideTags(this.ruleName, context)
     visitor.visit(result.value)
@@ -152,10 +172,14 @@ export class ERBRequireWhitespaceRule extends ParserRule<ERBRequireWhitespaceAut
       return result
     }
-    if (fixType === "after-comment-equals" && content.startsWith("=")) {
-      node.content.value = "= " + content.substring(1)
+    if (fixType === "after-comment-equals") {
+      const prefix = content.startsWith("graphql") ? "graphql" : content.startsWith("%=") ? "%=" : content.startsWith("==") ? "==" : content.startsWith("%") ? "%" : content.startsWith("=") ? "=" : content.startsWith("-") ? "-" : null
-      return result
+      if (prefix) {
+        node.content.value = prefix + " " + content.substring(prefix.length)
+        return result
+      }
     }
     return null

package/src/rules/erb-right-trim.ts CHANGED Viewed

@@ -26,7 +26,7 @@ class ERBRightTrimVisitor extends BaseRuleVisitor<ERBRightTrimAutofixContext> {
 export class ERBRightTrimRule extends ParserRule<ERBRightTrimAutofixContext> {
   static autocorrectable = true
-  name = "erb-right-trim"
+  static ruleName = "erb-right-trim"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -36,7 +36,7 @@ export class ERBRightTrimRule extends ParserRule<ERBRightTrimAutofixContext> {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense<ERBRightTrimAutofixContext>[] {
-    const visitor = new ERBRightTrimVisitor(this.name, context)
+    const visitor = new ERBRightTrimVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/erb-strict-locals-comment-syntax.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import { hasBalancedParentheses, splitByTopLevelComma } from "./string-utils.js"
 import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
 import type { ParseResult, ERBContentNode } from "@herb-tools/core"
-export const STRICT_LOCALS_PATTERN = /^locals:\s+\([^)]*\)\s*$/
+export const STRICT_LOCALS_PATTERN = /^locals:\s+\(.*\)\s*$/s
 function isValidStrictLocalsFormat(content: string): boolean {
   return STRICT_LOCALS_PATTERN.test(content)
@@ -42,7 +42,7 @@ function detectLocalsWithoutColon(content: string): boolean {
 }
 function detectSingularLocal(content: string): boolean {
-  return /^local:/.test(content)
+  return content.startsWith('local:')
 }
 function detectMissingColonBeforeParens(content: string): boolean {
@@ -50,7 +50,7 @@ function detectMissingColonBeforeParens(content: string): boolean {
 }
 function detectMissingSpaceAfterColon(content: string): boolean {
-  return /^locals:\(/.test(content)
+  return content.startsWith('locals:(')
 }
 function detectMissingParentheses(content: string): boolean {
@@ -264,7 +264,7 @@ class ERBStrictLocalsCommentSyntaxVisitor extends BaseRuleVisitor {
 }
 export class ERBStrictLocalsCommentSyntaxRule extends ParserRule {
-  name = "erb-strict-locals-comment-syntax"
+  static ruleName = "erb-strict-locals-comment-syntax"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -274,7 +274,7 @@ export class ERBStrictLocalsCommentSyntaxRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new ERBStrictLocalsCommentSyntaxVisitor(this.name, context)
+    const visitor = new ERBStrictLocalsCommentSyntaxVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/erb-strict-locals-required.ts CHANGED Viewed

@@ -29,7 +29,7 @@ class ERBStrictLocalsRequiredVisitor extends BaseSourceRuleVisitor {
 export class ERBStrictLocalsRequiredRule extends SourceRule {
   static unsafeAutocorrectable = true
-  name = "erb-strict-locals-required"
+  static ruleName = "erb-strict-locals-required"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -39,7 +39,7 @@ export class ERBStrictLocalsRequiredRule extends SourceRule {
   }
   check(source: string, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new ERBStrictLocalsRequiredVisitor(this.name, context)
+    const visitor = new ERBStrictLocalsRequiredVisitor(this.ruleName, context)
     visitor.visit(source)

package/src/rules/herb-disable-comment-malformed.ts CHANGED Viewed

@@ -47,7 +47,7 @@ class HerbDisableCommentMalformedVisitor extends HerbDisableCommentBaseVisitor {
 }
 export class HerbDisableCommentMalformedRule extends ParserRule {
-  name = "herb-disable-comment-malformed"
+  static ruleName = "herb-disable-comment-malformed"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -57,7 +57,7 @@ export class HerbDisableCommentMalformedRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new HerbDisableCommentMalformedVisitor(this.name, context)
+    const visitor = new HerbDisableCommentMalformedVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/herb-disable-comment-missing-rules.ts CHANGED Viewed

@@ -22,7 +22,7 @@ class HerbDisableCommentMissingRulesVisitor extends HerbDisableCommentBaseVisito
 }
 export class HerbDisableCommentMissingRulesRule extends ParserRule {
-  name = "herb-disable-comment-missing-rules"
+  static ruleName = "herb-disable-comment-missing-rules"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -32,7 +32,7 @@ export class HerbDisableCommentMissingRulesRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new HerbDisableCommentMissingRulesVisitor(this.name, context)
+    const visitor = new HerbDisableCommentMissingRulesVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/herb-disable-comment-no-duplicate-rules.ts CHANGED Viewed

@@ -27,7 +27,7 @@ class HerbDisableCommentNoDuplicateRulesVisitor extends HerbDisableCommentParsed
 }
 export class HerbDisableCommentNoDuplicateRulesRule extends ParserRule {
-  name = "herb-disable-comment-no-duplicate-rules"
+  static ruleName = "herb-disable-comment-no-duplicate-rules"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -37,7 +37,7 @@ export class HerbDisableCommentNoDuplicateRulesRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new HerbDisableCommentNoDuplicateRulesVisitor(this.name, context)
+    const visitor = new HerbDisableCommentNoDuplicateRulesVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/herb-disable-comment-no-redundant-all.ts CHANGED Viewed

@@ -21,7 +21,7 @@ class HerbDisableCommentNoRedundantAllVisitor extends HerbDisableCommentParsedVi
 }
 export class HerbDisableCommentNoRedundantAllRule extends ParserRule {
-  name = "herb-disable-comment-no-redundant-all"
+  static ruleName = "herb-disable-comment-no-redundant-all"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -31,7 +31,7 @@ export class HerbDisableCommentNoRedundantAllRule extends ParserRule {
   }
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new HerbDisableCommentNoRedundantAllVisitor(this.name, context)
+    const visitor = new HerbDisableCommentNoRedundantAllVisitor(this.ruleName, context)
     visitor.visit(result.value)

package/src/rules/herb-disable-comment-unnecessary.ts CHANGED Viewed

@@ -72,7 +72,7 @@ class HerbDisableCommentUnnecessaryVisitor extends HerbDisableCommentParsedVisit
 }
 export class HerbDisableCommentUnnecessaryRule extends ParserRule {
-  name = "herb-disable-comment-unnecessary"
+  static ruleName = "herb-disable-comment-unnecessary"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -90,7 +90,7 @@ export class HerbDisableCommentUnnecessaryRule extends ParserRule {
     if (!ignoredOffensesByLine) return []
     const visitor = new HerbDisableCommentUnnecessaryVisitor(
-      this.name,
+      this.ruleName,
       ignoredOffensesByLine,
       validRuleNames,
       context

package/src/rules/herb-disable-comment-valid-rule-name.ts CHANGED Viewed

@@ -34,7 +34,7 @@ class HerbDisableCommentValidRuleNameVisitor extends HerbDisableCommentParsedVis
 }
 export class HerbDisableCommentValidRuleNameRule extends ParserRule {
-  name = "herb-disable-comment-valid-rule-name"
+  static ruleName = "herb-disable-comment-valid-rule-name"
   get defaultConfig(): FullRuleConfig {
     return {
@@ -50,7 +50,7 @@ export class HerbDisableCommentValidRuleNameRule extends ParserRule {
     if (validRuleNames.length === 0) return []
     const visitor = new HerbDisableCommentValidRuleNameVisitor(
-      this.name,
+      this.ruleName,
       validRuleNames,
       context
     )

package/src/rules/html-allowed-script-type.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import { ParserRule } from "../types.js"
+import { BaseRuleVisitor } from "./rule-utils.js"
+import { getTagLocalName, getAttribute, getStaticAttributeValue, hasAttributeValue } from "@herb-tools/core"
+import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
+import type { HTMLAttributeNode, HTMLOpenTagNode, ParseResult } from "@herb-tools/core"
+const ALLOWED_TYPES = ["text/javascript"]
+// NOTE: Rules are not configurable for now, keep some sane defaults
+//   See https://github.com/marcoroth/herb/issues/1204
+const ALLOW_BLANK = true
+class AllowedScriptTypeVisitor extends BaseRuleVisitor {
+  visitHTMLOpenTagNode(node: HTMLOpenTagNode): void {
+    if (getTagLocalName(node) === "script") {
+      this.visitScriptNode(node)
+    }
+  }
+  private visitScriptNode(node: HTMLOpenTagNode): void {
+    const typeAttribute = getAttribute(node, "type")
+    if (!typeAttribute) {
+      if (!ALLOW_BLANK) {
+        this.addOffense("`type` attribute required for `<script>` tag.", node.location)
+      }
+      return
+    }
+    if (!hasAttributeValue(typeAttribute)) {
+      this.addOffense(
+        "Avoid using an empty `type` attribute on the `<script>` tag. Either set a valid type or remove the attribute entirely.",
+        typeAttribute.location
+      )
+      return
+    }
+    this.validateTypeAttribute(typeAttribute)
+  }
+  private validateTypeAttribute(typeAttribute: HTMLAttributeNode): void {
+    const typeValue = getStaticAttributeValue(typeAttribute)
+    if (typeValue === null) return
+    if (typeValue === "") {
+      this.addOffense(
+        "Avoid using an empty `type` attribute on the `<script>` tag. Either set a valid type or remove the attribute entirely.",
+        typeAttribute.location
+      )
+      return
+    }
+    if (ALLOWED_TYPES.includes(typeValue)) return
+    this.addOffense(
+      `Avoid using \`${typeValue}\` as the \`type\` attribute for the \`<script>\` tag. ` +
+      `Must be one of: ${ALLOWED_TYPES.map(t => `\`${t}\``).join(", ")}` +
+      `${ALLOW_BLANK ? " or blank" : ""}.`,
+      typeAttribute.location
+    )
+  }
+}
+export class HTMLAllowedScriptTypeRule extends ParserRule {
+  static ruleName = "html-allowed-script-type"
+  get defaultConfig(): FullRuleConfig {
+    return {
+      enabled: true,
+      severity: "error"
+    }
+  }
+  check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
+    const visitor = new AllowedScriptTypeVisitor(this.ruleName, context)
+    visitor.visit(result.value)
+    return visitor.offenses
+  }
+}