@lipemat/eslint-config 4.0.5 → 5.0.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (25) hide show
  1. package/helpers/config.js +11 -11
  2. package/index.js +111 -115
  3. package/package.json +22 -7
  4. package/plugins/security/index.js +51 -0
  5. package/plugins/security/rules/dangerously-set-inner-html.js +62 -0
  6. package/plugins/security/rules/html-executing-assignment.js +67 -0
  7. package/plugins/security/rules/html-executing-function.js +130 -0
  8. package/plugins/security/rules/html-sinks.js +122 -0
  9. package/plugins/security/rules/html-string-concat.js +63 -0
  10. package/plugins/security/rules/jquery-executing.js +105 -0
  11. package/plugins/security/rules/vulnerable-tag-stripping.js +76 -0
  12. package/plugins/security/rules/window-escaping.js +180 -0
  13. package/plugins/security/utils/shared.js +78 -0
  14. package/types/helpers/config.d.ts +22 -0
  15. package/types/index.d.ts +3 -0
  16. package/types/plugins/security/index.d.ts +8 -0
  17. package/types/plugins/security/rules/dangerously-set-inner-html.d.ts +3 -0
  18. package/types/plugins/security/rules/html-executing-assignment.d.ts +4 -0
  19. package/types/plugins/security/rules/html-executing-function.d.ts +6 -0
  20. package/types/plugins/security/rules/html-sinks.d.ts +4 -0
  21. package/types/plugins/security/rules/html-string-concat.d.ts +9 -0
  22. package/types/plugins/security/rules/jquery-executing.d.ts +17 -0
  23. package/types/plugins/security/rules/vulnerable-tag-stripping.d.ts +4 -0
  24. package/types/plugins/security/rules/window-escaping.d.ts +5 -0
  25. package/types/plugins/security/utils/shared.d.ts +39 -0
package/types/plugins/security/rules/html-executing-function.d.ts ADDED
@@ -0,0 +1,6 @@
1
+ import { type TSESLint } from '@typescript-eslint/utils';
2
+ type HtmlExecutingFunctions = 'document.write' | 'document.writeln';
3
+ type UnsafeCalls = 'after' | 'append' | 'before' | 'insertAdjacentHTML' | 'prepend' | 'replaceWith' | 'setAttribute';
4
+ type Messages = HtmlExecutingFunctions | UnsafeCalls | 'sanitize' | 'domPurify';
5
+ declare const plugin: TSESLint.RuleModule<Messages>;
6
+ export default plugin;
package/types/plugins/security/rules/html-sinks.d.ts ADDED
@@ -0,0 +1,4 @@
1
+ import { type TSESLint } from '@typescript-eslint/utils';
2
+ type Messages = 'setTimeoutString' | 'setIntervalString' | 'windowOpenUnsanitized' | 'cssTextUnsanitized' | 'sanitize' | 'domPurify';
3
+ declare const plugin: TSESLint.RuleModule<Messages>;
4
+ export default plugin;
package/types/plugins/security/rules/html-string-concat.d.ts ADDED
@@ -0,0 +1,9 @@
1
+ import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
2
+ /**
3
+ * Check if an expression contains any HTML-like strings.
4
+ * - Looks for `<` or `>` characters in string literals and template literals.
5
+ * - Recursively checks binary expressions with the ` + ` operator.
6
+ */
7
+ export declare function hasHtmlLikeStrings(node: TSESTree.Expression | TSESTree.PrivateIdentifier): boolean;
8
+ declare const plugin: TSESLint.RuleModule<'htmlStringConcat'>;
9
+ export default plugin;
package/types/plugins/security/rules/jquery-executing.d.ts ADDED
@@ -0,0 +1,17 @@
1
+ import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
2
+ type UnsafeCalls = 'after' | 'append' | 'appendTo' | 'before' | 'html' | 'insertAfter' | 'insertBefore' | 'prepend' | 'prependTo' | 'replaceAll' | 'replaceWith';
3
+ type Messages = 'needsEscaping' | 'sanitize' | 'domPurify';
4
+ type Context = TSESLint.RuleContext<Messages, []>;
5
+ /**
6
+ * Is the type of variable being passed a jQuery element?
7
+ *
8
+ * - jQuery elements are of type `JQuery`.
9
+ * - jQuery elements do not require sanitization.
10
+ *
11
+ * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
12
+ */
13
+ export declare function isJQueryElementType(arg: TSESTree.CallExpressionArgument, context: Context): boolean;
14
+ export declare function isJQueryCall(node: TSESTree.CallExpression): boolean;
15
+ export declare function getJQueryCall(node: TSESTree.CallExpression): UnsafeCalls | null;
16
+ declare const plugin: TSESLint.RuleModule<Messages>;
17
+ export default plugin;
package/types/plugins/security/rules/vulnerable-tag-stripping.d.ts ADDED
@@ -0,0 +1,4 @@
1
+ import { type TSESLint } from '@typescript-eslint/utils';
2
+ type Messages = 'vulnerableTagStripping' | 'useTextOnly';
3
+ declare const plugin: TSESLint.RuleModule<Messages>;
4
+ export default plugin;
package/types/plugins/security/rules/window-escaping.d.ts ADDED
@@ -0,0 +1,5 @@
1
+ import { type TSESLint } from '@typescript-eslint/utils';
2
+ type Messages = 'unsafeWindow' | 'unsafeRead' | 'unsafeWindowLocation' | 'domPurify' | 'sanitize';
3
+ export declare function isSafeUrlString(value: string): boolean;
4
+ declare const plugin: TSESLint.RuleModule<Messages>;
5
+ export default plugin;
package/types/plugins/security/utils/shared.d.ts ADDED
@@ -0,0 +1,39 @@
1
+ import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
2
+ import { type Type } from 'typescript';
3
+ /**
4
+ * Is the node of type string.
5
+ * - String literals.
6
+ * - constants of type string.
7
+ * - template literals.
8
+ * - intrinsic type string.
9
+ */
10
+ export declare function isStringLike(node: TSESTree.CallExpressionArgument, context: Readonly<TSESLint.RuleContext<string, readonly []>>): boolean;
11
+ /**
12
+ * Get the TypeScript type of node.
13
+ */
14
+ export declare function getType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): Type;
15
+ /**
16
+ * Is the type of variable being passed a DOM element?
17
+ *
18
+ * - DOM elements are of the type `HTML{*}Element`.
19
+ * - DOM elements do not require sanitization.
20
+ *
21
+ * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
22
+ */
23
+ export declare function isDomElementType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): boolean;
24
+ /**
25
+ * Check if a node is a call to a known sanitization function.
26
+ * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
27
+ */
28
+ export declare function isSanitized(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;
29
+ /**
30
+ * Check if a node is a literal string
31
+ */
32
+ export declare function isLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): node is TSESTree.StringLiteral;
33
+ /**
34
+ * Check if a node is a literal string that is safe to use in an HTML context.
35
+ * - Must be a literal string.
36
+ * - Must not contain `<script`.
37
+ * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
38
+ */
39
+ export declare function isSafeLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;