npm - eslint-plugin-sdl-2 - Versions diffs - 1.0.4 - Mend

eslint-plugin-sdl-2 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/docs/rules/no-postmessage-star-origin.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-postmessage-star-origin
+Disallow wildcard target origins in `postMessage` calls.
+## Targeted pattern scope
+This rule targets `window.postMessage(...)` style calls where the target origin
+argument is `"*"`.
+## What this rule reports
+This rule reports message sends that do not restrict target origin to a known
+trusted origin.
+## Why this rule exists
+Using `"*"` can expose sensitive messages to unintended or attacker-controlled
+origins.
+## ❌ Incorrect
+```ts
+otherWindow.postMessage({ token }, "*");
+```
+## ✅ Correct
+```ts
+otherWindow.postMessage({ token }, "https://example.com");
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-postmessage-star-origin": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only in controlled test harnesses where wildcard messaging is required.
+## Package documentation
+- [Rule source](../../src/rules/no-postmessage-star-origin.ts)
+## Further reading
+> **Rule catalog ID:** R024
+- [MDN: `Window.postMessage` security concerns](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concerns)

package/docs/rules/no-postmessage-without-origin-allowlist.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-postmessage-without-origin-allowlist
+Require explicit allowlisted origins for `postMessage` targetOrigin values.
+## Targeted pattern scope
+`postMessage` calls without strict explicit target-origin allowlists.
+## What this rule reports
+`postMessage` targetOrigin values that are wildcard or non-literal/dynamic.
+## Why this rule exists
+Weak targetOrigin control can expose cross-origin data or command channels to malicious frames.
+## ❌ Incorrect
+```ts
+target.postMessage(data, "*");
+```
+## ✅ Correct
+```ts
+target.postMessage(data, "https://example.com");
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-postmessage-without-origin-allowlist": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if the target origin is validated by a reviewed helper abstraction or a controlled embedding environment.
+## Package documentation
+- [Rule source](../../src/rules/no-postmessage-without-origin-allowlist.ts)
+## Further reading
+> **Rule catalog ID:** R044
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)

package/docs/rules/no-range-create-contextual-fragment.md ADDED Viewed

@@ -0,0 +1,64 @@
+# no-range-create-contextual-fragment
+Disallow `Range.createContextualFragment(...)` on unsanitized HTML input.
+## Targeted pattern scope
+This rule targets `range.createContextualFragment(html)` calls when the HTML
+argument is not sanitized first.
+## What this rule reports
+This rule reports `Range.createContextualFragment(...)` calls whose first
+argument is raw HTML instead of the output of a reviewed sanitizer or Trusted
+Types-producing helper.
+## Why this rule exists
+`Range.createContextualFragment(...)` parses HTML strings into live DOM
+fragments. Passing unsanitized markup into that parser recreates the same XSS
+and DOM injection problems that appear with other HTML sink APIs.
+## ❌ Incorrect
+```ts
+range.createContextualFragment(userHtml);
+```
+## ✅ Correct
+```ts
+range.createContextualFragment(sanitize(userHtml));
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-range-create-contextual-fragment": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your HTML input has already passed through a reviewed sanitizer
+or Trusted Types pipeline that this rule cannot recognize.
+## Package documentation
+- [Rule source](../../src/rules/no-range-create-contextual-fragment.ts)
+## Further reading
+> **Rule catalog ID:** R054
+- [MDN: `Range.createContextualFragment()`](https://developer.mozilla.org/en-US/docs/Web/API/Range/createContextualFragment)
+- [Trusted Types](https://web.dev/trusted-types/)
+- [OWASP Cross Site Scripting Prevention Cheat Sheet](https://owasp.org/www-community/xss-prevention)

package/docs/rules/no-script-src-data-url.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+title: no-script-src-data-url
+---
+# no-script-src-data-url
+Disallow `HTMLScriptElement.src` values that use `data:` URLs.
+## Targeted pattern scope
+This rule targets static `data:` URLs assigned to script `src` sinks such as
+`script.src = ...`, `script.setAttribute("src", ...)`, and JSX
+`<script src=...>`.
+## What this rule reports
+This rule reports `data:` URLs only when they are written into script-loading
+sinks. It does not report non-script uses such as `img.src = "data:..."`.
+## Why this rule exists
+A `data:` URL in a script-loading sink embeds executable code directly in the
+URL itself. That bypasses the usual reviewed external-script loading path and
+makes it easier to smuggle code through values that look like plain strings.
+## ❌ Incorrect
+```ts
+const script = document.createElement("script");
+script.src = "data:text/javascript,alert('owned')";
+```
+```tsx
+const loader = <script src="data:text/javascript,bootstrap()" />;
+```
+## ✅ Correct
+```ts
+const script = document.createElement("script");
+script.src = "https://cdn.example.com/app.js";
+```
+```ts
+const image = new Image();
+image.src = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA";
+```
+## Behavior and migration notes
+This rule intentionally focuses on script `src` sinks and does not attempt to
+analyze other executable loading surfaces such as workers.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-script-src-data-url": "error",
+  },
+ },
+];
+```
+## When not to use it
+If your codebase intentionally relies on `data:` script URLs and that behavior
+is acceptable in your threat model, this rule may be too strict.
+## Package documentation
+- [Rule source](../../src/rules/no-script-src-data-url.ts)
+## Further reading
+> **Rule catalog ID:** R063
+- [MDN: `HTMLScriptElement.src`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement/src)
+- [MDN: `data:` URLs](https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Schemes/data)

package/docs/rules/no-script-text.md ADDED Viewed

@@ -0,0 +1,80 @@
+# no-script-text
+Disallow assigning executable code through `<script>` text sinks.
+## Targeted pattern scope
+This rule targets assignments to the following `HTMLScriptElement` properties:
+- `script.text = ...`
+- `script.textContent = ...`
+- `script.innerText = ...`
+The rule uses type information when available and otherwise falls back to narrow
+syntax heuristics such as `document.createElement("script")` or identifiers like
+`scriptElement`.
+## What this rule reports
+This rule reports non-empty assignments that inject code directly into script
+text sinks.
+## Why this rule exists
+Writing source code directly into a `<script>` element turns data flow into code
+execution. That creates an obvious XSS/code-injection sink and bypasses safer
+patterns such as loading reviewed static modules or script URLs.
+## ❌ Incorrect
+```ts
+const scriptElement = document.createElement("script");
+scriptElement.textContent = userCode;
+```
+## ✅ Correct
+```ts
+const scriptElement = document.createElement("script");
+scriptElement.src = "/assets/app.js";
+```
+## Behavior and migration notes
+This rule allows empty-string resets such as `script.text = ""`.
+It intentionally does not autofix because there is no universally safe rewrite
+for executable inline script injection.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-script-text": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your application intentionally emits inline script bodies,
+those script bodies are tightly controlled, and the surrounding trust boundary
+is reviewed outside this rule.
+## Package documentation
+- [Rule source](../../src/rules/no-script-text.ts)
+## Further reading
+> **Rule catalog ID:** R057
+- [MDN: `HTMLScriptElement.textContent`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement/textContent)
+- [MDN: `HTMLScriptElement.text`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement/text)
+- [Trusted Types API](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API)

package/docs/rules/no-service-worker-unsafe-script-url.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+title: no-service-worker-unsafe-script-url
+---
+# no-service-worker-unsafe-script-url
+Disallow unsafe service worker script URLs such as `data:`, `blob:`, `javascript:`, and direct `URL.createObjectURL(...)` registrations.
+## Targeted pattern scope
+This rule targets `navigator.serviceWorker.register(...)` when the script URL is
+one of the following direct expressions:
+- a static `data:` URL
+- a static `blob:` URL
+- a static `javascript:` URL
+- a direct `URL.createObjectURL(...)` call
+The rule also covers `window.navigator`, `self.navigator`, and
+`globalThis.navigator` access forms.
+## What this rule reports
+This rule reports direct unsafe service worker registration URLs only. Indirect
+variables and broader registration policies are out of scope.
+## Why this rule exists
+`ServiceWorkerContainer.register()` is an executable script-loading sink. Using
+non-reviewable or dynamically generated script URLs for service workers makes
+registration paths harder to audit and can undermine SDL expectations around
+trusted worker code.
+## ❌ Incorrect
+```ts
+navigator.serviceWorker.register("data:text/javascript,bootstrap()");
+```
+```ts
+globalThis.navigator.serviceWorker.register(URL.createObjectURL(workerBlob));
+```
+## ✅ Correct
+```ts
+navigator.serviceWorker.register("/sw.js");
+```
+## Behavior and migration notes
+This rule intentionally focuses on direct unsafe script URL expressions. Dynamic
+variables, Trusted Types policies, and broader origin-validation strategies are
+out of scope.
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-service-worker-unsafe-script-url": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable this rule only if your project intentionally relies on these service
+worker registration forms and that design has been reviewed and approved.
+## Package documentation
+- [Rule source](../../src/rules/no-service-worker-unsafe-script-url.ts)
+## Further reading
+> **Rule catalog ID:** R069
+- [MDN: `ServiceWorkerContainer.register()`](https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerContainer/register)
+- [Trusted Types: injection sinks](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API)

package/docs/rules/no-set-html-unsafe.md ADDED Viewed

@@ -0,0 +1,64 @@
+# no-set-html-unsafe
+Disallow `setHTMLUnsafe()` calls that bypass the safer HTML Sanitizer API path.
+## Targeted pattern scope
+This rule targets direct `.setHTMLUnsafe(...)` calls.
+## What this rule reports
+This rule reports calls to `setHTMLUnsafe()` because that API is the explicit
+unsafe escape hatch for injecting HTML content.
+## Why this rule exists
+`setHTMLUnsafe()` makes dangerous HTML parsing look deceptively close to the
+safer `setHTML()` API. Standardizing on the safe API path reduces accidental use
+of the unsafe variant and keeps security review focused on fewer HTML sink
+surfaces.
+## ❌ Incorrect
+```ts
+element.setHTMLUnsafe(userHtml);
+```
+## ✅ Correct
+```ts
+element.setHTML(userHtml);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-set-html-unsafe": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if you have an explicit requirement to use the unsafe HTML setter,
+its inputs are tightly controlled, and the surrounding review process documents
+why the safe `setHTML()` path is not sufficient.
+## Package documentation
+- [Rule source](../../src/rules/no-set-html-unsafe.ts)
+## Further reading
+> **Rule catalog ID:** R055
+- [MDN: `Element.setHTMLUnsafe()`](https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTMLUnsafe)
+- [MDN: `Element.setHTML()`](https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML)
+- [HTML Sanitizer API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API)

package/docs/rules/no-trusted-types-policy-pass-through.md ADDED Viewed

@@ -0,0 +1,68 @@
+# no-trusted-types-policy-pass-through
+Disallow Trusted Types policies that return unvalidated input unchanged.
+## Targeted pattern scope
+This rule targets `trustedTypes.createPolicy(...)` calls whose `createHTML`,
+`createScript`, or `createScriptURL` callbacks simply return the first input
+parameter unchanged.
+## What this rule reports
+This rule reports pass-through Trusted Types policy factories such as
+`createHTML: (value) => value`.
+## Why this rule exists
+Trusted Types policies are supposed to narrow unsafe string flows. Pass-through
+policies defeat that goal by rebranding untrusted input as trusted output
+without any sanitization or validation.
+## ❌ Incorrect
+```ts
+trustedTypes.createPolicy("default", {
+ createHTML: (value) => value,
+});
+```
+## ✅ Correct
+```ts
+trustedTypes.createPolicy("default", {
+ createHTML: (value) => sanitize(value),
+});
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-trusted-types-policy-pass-through": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if your Trusted Types policy wraps a reviewed validation layer that
+this rule cannot observe and the pass-through shape is intentional.
+## Package documentation
+- [Rule source](../../src/rules/no-trusted-types-policy-pass-through.ts)
+## Further reading
+> **Rule catalog ID:** R052
+- [Trusted Types](https://web.dev/trusted-types/)
+- [MDN: Trusted Types API](https://developer.mozilla.org/docs/Web/API/Trusted_Types_API)

package/docs/rules/no-unsafe-alloc.md ADDED Viewed

@@ -0,0 +1,62 @@
+# no-unsafe-alloc
+Disallow unsafe uninitialized buffer allocation APIs in Node.js.
+## Targeted pattern scope
+This rule targets:
+- `Buffer.allocUnsafe(...)`
+- `Buffer.allocUnsafeSlow(...)`.
+## What this rule reports
+This rule reports calls to unsafe buffer constructors that may expose stale
+memory data.
+## Why this rule exists
+Unsafe buffer allocation can leak sensitive process memory contents if buffers
+are consumed before full initialization.
+## ❌ Incorrect
+```ts
+const payload = Buffer.allocUnsafe(64);
+```
+## ✅ Correct
+```ts
+const payload = Buffer.alloc(64);
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-unsafe-alloc": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only for profiled performance hotspots that guarantee complete buffer
+initialization before use.
+## Package documentation
+- [Rule source](../../src/rules/no-unsafe-alloc.ts)
+## Further reading
+> **Rule catalog ID:** R025
+- [Node.js buffer security note](https://nodejs.org/api/buffer.html#what-makes-bufferallocunsafe-and-bufferallocunsafeslow-unsafe)

package/docs/rules/no-unsafe-cast-to-trusted-types.md ADDED Viewed

@@ -0,0 +1,59 @@
+# no-unsafe-cast-to-trusted-types
+Disallow unsafe casts to Trusted Types without using trusted factory creation.
+## Targeted pattern scope
+Type assertions/casts to Trusted Types without trusted factory creation.
+## What this rule reports
+Unsafe casts/as-assertions to `TrustedHTML`/`TrustedScript`/`TrustedScriptURL`.
+## Why this rule exists
+Type-only casts do not sanitize data and can bypass Trusted Types enforcement intent.
+## ❌ Incorrect
+```ts
+const trusted = userHtml as TrustedHTML;
+```
+## ✅ Correct
+```ts
+const trusted = policy.createHTML(userHtml) as TrustedHTML;
+```
+## ESLint flat config example
+```ts
+import sdl from "eslint-plugin-sdl-2";
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-unsafe-cast-to-trusted-types": "error",
+  },
+ },
+];
+```
+## When not to use it
+Disable only if Trusted Type objects are guaranteed by a reviewed factory or policy wrapper that this rule cannot observe.
+## Package documentation
+- [Rule source](../../src/rules/no-unsafe-cast-to-trusted-types.ts)
+## Further reading
+> **Rule catalog ID:** R045
+- [OWASP Top 10: Injection](https://owasp.org/www-project-top-ten/)
+- [OWASP Top 10: Security Misconfiguration](https://owasp.org/www-project-top-ten/)