npm - eslint-plugin-sdl-2 - Versions diffs - 1.0.4 - Mend

eslint-plugin-sdl-2 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/docs/rules/getting-started.md ADDED Viewed

@@ -0,0 +1,70 @@
+---
+title: Getting Started
+description: Enable eslint-plugin-sdl-2 quickly in Flat Config.
+---
+# Getting Started
+Install the plugin:
+```bash
+npm install --save-dev eslint-plugin-sdl-2
+```
+Enable one preset in your Flat Config:
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [...sdl.configs.recommended];
+```
+## Layering presets
+`recommended` already includes:
+- browser/security baseline (`common`)
+- framework/runtime overlays (`angular`, `angularjs`, `electron`, `node`)
+- TypeScript parser integration (`typescript`)
+## Alternative: manual scoped setup
+If you prefer to apply plugin rules inside your own file-scoped config object, spread the preset rules manually.
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ ...sdl.configs.typescript,
+ {
+  files: ["**/*.{ts,tsx,mts,cts}"],
+  plugins: {
+   sdl,
+  },
+  rules: {
+   "sdl/no-insecure-random": "error",
+   "sdl/no-insecure-url": "error",
+  },
+ },
+];
+```
+Use this pattern only when you need strict per-glob control. In most projects,
+prefer `...sdl.configs.<preset>` directly.
+## Recommended rollout
+1. Start with `...sdl.configs.recommended`.
+2. Fix violations in small batches.
+3. Add framework/runtime presets (`angular`, `react`, `electron`, etc.) as
+   needed.
+4. Keep `typescript` enabled for TS projects.
+## Need a narrower subset?
+- Use `...sdl.configs.common` for browser-centric checks.
+- Use `...sdl.configs.node` for Node-specific checks.
+- Use `...sdl.configs.angular` / `...sdl.configs.angularjs` for framework
+  overlays.
+See [Presets](./presets/index.md) for full examples and rules per preset.

package/docs/rules/no-angular-bypass-sanitizer.md ADDED Viewed

@@ -0,0 +1,69 @@
+# no-angular-bypass-sanitizer
+Disallow Angular `DomSanitizer` bypass APIs that trust unvalidated content.
+## Targeted pattern scope
+This rule targets direct calls to Angular sanitizer bypass APIs such as:
+- `bypassSecurityTrustHtml(...)`
+- `bypassSecurityTrustScript(...)`
+- related `bypassSecurityTrust*` methods.
+## What this rule reports
+This rule reports code paths that mark untrusted input as safe using
+`DomSanitizer` bypass helpers.
+## Why this rule exists
+Bypassing Angular sanitization can convert attacker-controlled input into
+trusted content and increase XSS risk.
+## ❌ Incorrect
+```ts
+const trusted = sanitizer.bypassSecurityTrustHtml(userSuppliedHtml);
+elementRef.nativeElement.innerHTML = trusted;
+```
+## ✅ Correct
+```ts
+const sanitizedHtml = sanitizer.sanitize(
+ SecurityContext.HTML,
+ userSuppliedHtml
+);
+elementRef.nativeElement.textContent = sanitizedHtml ?? "";
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angular-bypass-sanitizer": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable this rule only when a reviewed framework integration requires a trusted
+type flow and the source is strictly controlled.
+## Package documentation
+- [Rule source](../../src/rules/no-angular-bypass-sanitizer.ts)
+## Further reading
+> **Rule catalog ID:** R001
+- [Angular `DomSanitizer` security guidance](https://angular.io/api/platform-browser/DomSanitizer#security-risk)
+- [Angular security guide](https://angular.io/guide/security)

package/docs/rules/no-angular-bypass-security-trust-html.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-angular-bypass-security-trust-html
+Disallow Angular `bypassSecurityTrustHtml` usage that marks unvalidated HTML as trusted.
+## Targeted pattern scope
+Angular DomSanitizer bypass APIs for HTML trust.
+## What this rule reports
+Calls to `bypassSecurityTrustHtml(...)`.
+## Why this rule exists
+Bypassing Angular sanitization for HTML can introduce XSS if values are not strictly validated.
+## ❌ Incorrect
+```ts
+const trusted = sanitizer.bypassSecurityTrustHtml(userHtml);
+```
+## ✅ Correct
+```ts
+const trusted = sanitizer.sanitize(SecurityContext.HTML, userHtml);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angular-bypass-security-trust-html": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if a reviewed framework boundary must return trusted HTML and the source is strictly validated before trust conversion.
+## Package documentation
+- [Rule source](../../src/rules/no-angular-bypass-security-trust-html.ts)
+## Further reading
+> **Rule catalog ID:** R028
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-angular-innerhtml-binding.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-angular-innerhtml-binding
+Disallow Angular `[innerHTML]` bindings for raw HTML without a reviewed sanitization strategy.
+## Targeted pattern scope
+Angular template bindings that write raw HTML using `[innerHTML]`.
+## What this rule reports
+Template fragments containing `[innerHTML]=...` bindings.
+## Why this rule exists
+Raw HTML bindings are high-risk unless source content is tightly sanitized and policy-reviewed.
+## ❌ Incorrect
+```ts
+const template = `<div [innerHTML]="userHtml"></div>`;
+```
+## ✅ Correct
+```ts
+const template = `<div>{{ safeText }}</div>`;
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angular-innerhtml-binding": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only when your application has a documented, reviewed sanitization policy for the HTML source being bound.
+## Package documentation
+- [Rule source](../../src/rules/no-angular-innerhtml-binding.ts)
+## Further reading
+> **Rule catalog ID:** R029
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-angular-sanitization-trusted-urls.md ADDED Viewed

@@ -0,0 +1,64 @@
+# no-angular-sanitization-trusted-urls
+Disallow AngularJS trusted URL list mutations that weaken sanitizer defaults.
+## Targeted pattern scope
+This rule targets calls that mutate AngularJS trusted URL list settings:
+- `$compileProvider.aHrefSanitizationTrustedUrlList(...)`
+- `$compileProvider.imgSrcSanitizationTrustedUrlList(...)`.
+## What this rule reports
+This rule reports direct calls that broaden which URL patterns AngularJS treats
+as trusted for links and image sources.
+## Why this rule exists
+Relaxing trusted URL lists can enable unsafe protocols or domains and increase
+XSS and data exfiltration risk.
+## ❌ Incorrect
+```ts
+$compileProvider.aHrefSanitizationTrustedUrlList(/.*/);
+$compileProvider.imgSrcSanitizationTrustedUrlList(/.*/);
+```
+## ✅ Correct
+```ts
+// Keep framework defaults unless a narrow, reviewed allow-list is required.
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angular-sanitization-trusted-urls": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for legacy AngularJS deployments where URL list updates are
+strictly reviewed and monitored.
+## Package documentation
+- [Rule source](../../src/rules/no-angular-sanitization-trusted-urls.ts)
+## Further reading
+> **Rule catalog ID:** R002
+- [AngularJS `$compileProvider` API](https://docs.angularjs.org/api/ng/provider/%24compileProvider)
+- [AngularJS security guide](https://docs.angularjs.org/guide/security)

package/docs/rules/no-angularjs-bypass-sce.md ADDED Viewed

@@ -0,0 +1,64 @@
+# no-angularjs-bypass-sce
+Disallow AngularJS Strict Contextual Escaping (SCE) bypass operations.
+## Targeted pattern scope
+This rule targets APIs that disable or bypass SCE, including:
+- `$sceProvider.enabled(false)`
+- `$sceDelegate.trustAs(...)`
+- `$sce.trustAs(...)` and shorthand variants such as `trustAsHtml(...)`.
+## What this rule reports
+This rule reports SCE bypass usage that marks values as trusted without
+framework sanitization.
+## Why this rule exists
+SCE is a core AngularJS defense against unsafe DOM and script sinks. Bypassing
+it expands XSS attack surface.
+## ❌ Incorrect
+```ts
+$sceProvider.enabled(false);
+const trusted = $sce.trustAsHtml(userSuppliedHtml);
+```
+## ✅ Correct
+```ts
+// Keep SCE enabled and render untrusted data through AngularJS bindings.
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angularjs-bypass-sce": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only in tightly controlled migration paths where bypass calls are
+isolated and reviewed.
+## Package documentation
+- [Rule source](../../src/rules/no-angularjs-bypass-sce.ts)
+## Further reading
+> **Rule catalog ID:** R003
+- [AngularJS `$sce` strict contextual escaping](https://docs.angularjs.org/api/ng/service/%24sce#strict-contextual-escaping)

package/docs/rules/no-angularjs-enable-svg.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-angularjs-enable-svg
+Disallow enabling AngularJS sanitizer SVG support without strict review.
+## Targeted pattern scope
+This rule targets `$sanitizeProvider.enableSvg(true)` calls.
+## What this rule reports
+This rule reports code that enables SVG support in AngularJS sanitization
+configuration.
+## Why this rule exists
+SVG content can introduce scriptable surfaces and raise injection risk when
+enabled in sanitizers.
+## ❌ Incorrect
+```ts
+$sanitizeProvider.enableSvg(true);
+```
+## ✅ Correct
+```ts
+$sanitizeProvider.enableSvg(false);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angularjs-enable-svg": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only when SVG rendering is mandatory and guarded by a reviewed
+sanitization strategy.
+## Package documentation
+- [Rule source](../../src/rules/no-angularjs-enable-svg.ts)
+## Further reading
+> **Rule catalog ID:** R004
+- [AngularJS `$sanitizeProvider.enableSvg` docs](https://docs.angularjs.org/api/ngSanitize/provider/%24sanitizeProvider#enableSvg)

package/docs/rules/no-angularjs-ng-bind-html-without-sanitize.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-angularjs-ng-bind-html-without-sanitize
+Disallow AngularJS `ng-bind-html` usage when sanitization is not explicit.
+## Targeted pattern scope
+AngularJS templates using `ng-bind-html` without explicit sanitize context.
+## What this rule reports
+`ng-bind-html` usage in template strings that do not indicate sanitize support.
+## Why this rule exists
+Unsafe HTML binding in AngularJS can lead to reflected or stored XSS.
+## ❌ Incorrect
+```ts
+const template = `<div ng-bind-html="unsafeHtml"></div>`;
+```
+## ✅ Correct
+```ts
+const template = `<div ng-bind-html="trustedHtml" ngSanitize></div>`;
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angularjs-ng-bind-html-without-sanitize": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if the project has explicit AngularJS sanitization controls and a reviewed HTML trust pipeline.
+## Package documentation
+- [Rule source](../../src/rules/no-angularjs-ng-bind-html-without-sanitize.ts)
+## Further reading
+> **Rule catalog ID:** R030
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-angularjs-sanitization-whitelist.md ADDED Viewed

@@ -0,0 +1,63 @@
+# no-angularjs-sanitization-whitelist
+Disallow AngularJS sanitization whitelist mutations that expand trusted inputs.
+## Targeted pattern scope
+This rule targets writes and calls that configure:
+- `$compileProvider.aHrefSanitizationWhitelist(...)`
+- `$compileProvider.imgSrcSanitizationWhitelist(...)`.
+## What this rule reports
+This rule reports allow-list mutations that broaden URL patterns accepted by
+the AngularJS sanitizer.
+## Why this rule exists
+Overly broad sanitizer allow-lists can permit unsafe protocols or payloads and
+increase XSS risk.
+## ❌ Incorrect
+```ts
+$compileProvider.aHrefSanitizationWhitelist(/.*/);
+$compileProvider.imgSrcSanitizationWhitelist(/.*/);
+```
+## ✅ Correct
+```ts
+// Keep default AngularJS sanitizer allow-lists.
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angularjs-sanitization-whitelist": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only when a migration requires temporary allow-list expansion that is
+strictly bounded and reviewed.
+## Package documentation
+- [Rule source](../../src/rules/no-angularjs-sanitization-whitelist.ts)
+## Further reading
+> **Rule catalog ID:** R005
+- [AngularJS `$compileProvider` API](https://docs.angularjs.org/api/ng/provider/%24compileProvider)

package/docs/rules/no-angularjs-sce-resource-url-wildcard.md ADDED Viewed

@@ -0,0 +1,62 @@
+# no-angularjs-sce-resource-url-wildcard
+Disallow wildcard AngularJS SCE resource URL whitelist entries.
+## Targeted pattern scope
+AngularJS SCE whitelist configurations using wildcard entries.
+## What this rule reports
+`resourceUrlWhitelist([...])` entries that contain wildcard values.
+## Why this rule exists
+Wildcard resource URL allowlists can over-trust unreviewed remote origins.
+## ❌ Incorrect
+```ts
+$sceDelegateProvider.resourceUrlWhitelist(["self", "*"]);
+```
+## ✅ Correct
+```ts
+$sceDelegateProvider.resourceUrlWhitelist([
+ "self",
+ "https://cdn.example.com/app",
+]);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-angularjs-sce-resource-url-wildcard": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if wildcard resource URLs are part of a reviewed legacy exception with strong compensating controls.
+## Package documentation
+- [Rule source](../../src/rules/no-angularjs-sce-resource-url-wildcard.ts)
+## Further reading
+> **Rule catalog ID:** R031
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)