eslint-plugin-secure-coding 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +196 -0
- package/CHANGELOG.md +105 -0
- package/LICENSE +23 -0
- package/README.md +377 -0
- package/package.json +80 -0
- package/src/index.d.ts +32 -0
- package/src/index.js +345 -0
- package/src/index.js.map +1 -0
- package/src/rules/security/database-injection.d.ts +13 -0
- package/src/rules/security/database-injection.js +407 -0
- package/src/rules/security/database-injection.js.map +1 -0
- package/src/rules/security/detect-child-process.d.ts +11 -0
- package/src/rules/security/detect-child-process.js +460 -0
- package/src/rules/security/detect-child-process.js.map +1 -0
- package/src/rules/security/detect-eval-with-expression.d.ts +9 -0
- package/src/rules/security/detect-eval-with-expression.js +393 -0
- package/src/rules/security/detect-eval-with-expression.js.map +1 -0
- package/src/rules/security/detect-non-literal-fs-filename.d.ts +7 -0
- package/src/rules/security/detect-non-literal-fs-filename.js +322 -0
- package/src/rules/security/detect-non-literal-fs-filename.js.map +1 -0
- package/src/rules/security/detect-non-literal-regexp.d.ts +9 -0
- package/src/rules/security/detect-non-literal-regexp.js +387 -0
- package/src/rules/security/detect-non-literal-regexp.js.map +1 -0
- package/src/rules/security/detect-object-injection.d.ts +11 -0
- package/src/rules/security/detect-object-injection.js +411 -0
- package/src/rules/security/detect-object-injection.js.map +1 -0
- package/src/rules/security/no-buffer-overread.d.ts +14 -0
- package/src/rules/security/no-buffer-overread.js +519 -0
- package/src/rules/security/no-buffer-overread.js.map +1 -0
- package/src/rules/security/no-clickjacking.d.ts +10 -0
- package/src/rules/security/no-clickjacking.js +381 -0
- package/src/rules/security/no-clickjacking.js.map +1 -0
- package/src/rules/security/no-directive-injection.d.ts +12 -0
- package/src/rules/security/no-directive-injection.js +446 -0
- package/src/rules/security/no-directive-injection.js.map +1 -0
- package/src/rules/security/no-document-cookie.d.ts +5 -0
- package/src/rules/security/no-document-cookie.js +90 -0
- package/src/rules/security/no-document-cookie.js.map +1 -0
- package/src/rules/security/no-electron-security-issues.d.ts +10 -0
- package/src/rules/security/no-electron-security-issues.js +421 -0
- package/src/rules/security/no-electron-security-issues.js.map +1 -0
- package/src/rules/security/no-exposed-sensitive-data.d.ts +11 -0
- package/src/rules/security/no-exposed-sensitive-data.js +341 -0
- package/src/rules/security/no-exposed-sensitive-data.js.map +1 -0
- package/src/rules/security/no-format-string-injection.d.ts +17 -0
- package/src/rules/security/no-format-string-injection.js +653 -0
- package/src/rules/security/no-format-string-injection.js.map +1 -0
- package/src/rules/security/no-graphql-injection.d.ts +12 -0
- package/src/rules/security/no-graphql-injection.js +410 -0
- package/src/rules/security/no-graphql-injection.js.map +1 -0
- package/src/rules/security/no-hardcoded-credentials.d.ts +26 -0
- package/src/rules/security/no-hardcoded-credentials.js +377 -0
- package/src/rules/security/no-hardcoded-credentials.js.map +1 -0
- package/src/rules/security/no-improper-sanitization.d.ts +12 -0
- package/src/rules/security/no-improper-sanitization.js +408 -0
- package/src/rules/security/no-improper-sanitization.js.map +1 -0
- package/src/rules/security/no-improper-type-validation.d.ts +10 -0
- package/src/rules/security/no-improper-type-validation.js +420 -0
- package/src/rules/security/no-improper-type-validation.js.map +1 -0
- package/src/rules/security/no-insecure-comparison.d.ts +7 -0
- package/src/rules/security/no-insecure-comparison.js +125 -0
- package/src/rules/security/no-insecure-comparison.js.map +1 -0
- package/src/rules/security/no-insecure-cookie-settings.d.ts +9 -0
- package/src/rules/security/no-insecure-cookie-settings.js +305 -0
- package/src/rules/security/no-insecure-cookie-settings.js.map +1 -0
- package/src/rules/security/no-insecure-jwt.d.ts +10 -0
- package/src/rules/security/no-insecure-jwt.js +338 -0
- package/src/rules/security/no-insecure-jwt.js.map +1 -0
- package/src/rules/security/no-insecure-redirects.d.ts +7 -0
- package/src/rules/security/no-insecure-redirects.js +215 -0
- package/src/rules/security/no-insecure-redirects.js.map +1 -0
- package/src/rules/security/no-insufficient-postmessage-validation.d.ts +14 -0
- package/src/rules/security/no-insufficient-postmessage-validation.js +390 -0
- package/src/rules/security/no-insufficient-postmessage-validation.js.map +1 -0
- package/src/rules/security/no-insufficient-random.d.ts +9 -0
- package/src/rules/security/no-insufficient-random.js +207 -0
- package/src/rules/security/no-insufficient-random.js.map +1 -0
- package/src/rules/security/no-ldap-injection.d.ts +10 -0
- package/src/rules/security/no-ldap-injection.js +449 -0
- package/src/rules/security/no-ldap-injection.js.map +1 -0
- package/src/rules/security/no-missing-authentication.d.ts +13 -0
- package/src/rules/security/no-missing-authentication.js +322 -0
- package/src/rules/security/no-missing-authentication.js.map +1 -0
- package/src/rules/security/no-missing-cors-check.d.ts +9 -0
- package/src/rules/security/no-missing-cors-check.js +449 -0
- package/src/rules/security/no-missing-cors-check.js.map +1 -0
- package/src/rules/security/no-missing-csrf-protection.d.ts +11 -0
- package/src/rules/security/no-missing-csrf-protection.js +183 -0
- package/src/rules/security/no-missing-csrf-protection.js.map +1 -0
- package/src/rules/security/no-missing-security-headers.d.ts +7 -0
- package/src/rules/security/no-missing-security-headers.js +217 -0
- package/src/rules/security/no-missing-security-headers.js.map +1 -0
- package/src/rules/security/no-privilege-escalation.d.ts +13 -0
- package/src/rules/security/no-privilege-escalation.js +321 -0
- package/src/rules/security/no-privilege-escalation.js.map +1 -0
- package/src/rules/security/no-redos-vulnerable-regex.d.ts +7 -0
- package/src/rules/security/no-redos-vulnerable-regex.js +307 -0
- package/src/rules/security/no-redos-vulnerable-regex.js.map +1 -0
- package/src/rules/security/no-sensitive-data-exposure.d.ts +11 -0
- package/src/rules/security/no-sensitive-data-exposure.js +251 -0
- package/src/rules/security/no-sensitive-data-exposure.js.map +1 -0
- package/src/rules/security/no-sql-injection.d.ts +10 -0
- package/src/rules/security/no-sql-injection.js +332 -0
- package/src/rules/security/no-sql-injection.js.map +1 -0
- package/src/rules/security/no-timing-attack.d.ts +10 -0
- package/src/rules/security/no-timing-attack.js +358 -0
- package/src/rules/security/no-timing-attack.js.map +1 -0
- package/src/rules/security/no-toctou-vulnerability.d.ts +7 -0
- package/src/rules/security/no-toctou-vulnerability.js +165 -0
- package/src/rules/security/no-toctou-vulnerability.js.map +1 -0
- package/src/rules/security/no-unchecked-loop-condition.d.ts +12 -0
- package/src/rules/security/no-unchecked-loop-condition.js +635 -0
- package/src/rules/security/no-unchecked-loop-condition.js.map +1 -0
- package/src/rules/security/no-unencrypted-transmission.d.ts +11 -0
- package/src/rules/security/no-unencrypted-transmission.js +237 -0
- package/src/rules/security/no-unencrypted-transmission.js.map +1 -0
- package/src/rules/security/no-unescaped-url-parameter.d.ts +9 -0
- package/src/rules/security/no-unescaped-url-parameter.js +266 -0
- package/src/rules/security/no-unescaped-url-parameter.js.map +1 -0
- package/src/rules/security/no-unlimited-resource-allocation.d.ts +12 -0
- package/src/rules/security/no-unlimited-resource-allocation.js +659 -0
- package/src/rules/security/no-unlimited-resource-allocation.js.map +1 -0
- package/src/rules/security/no-unsafe-deserialization.d.ts +10 -0
- package/src/rules/security/no-unsafe-deserialization.js +501 -0
- package/src/rules/security/no-unsafe-deserialization.js.map +1 -0
- package/src/rules/security/no-unsafe-dynamic-require.d.ts +5 -0
- package/src/rules/security/no-unsafe-dynamic-require.js +107 -0
- package/src/rules/security/no-unsafe-dynamic-require.js.map +1 -0
- package/src/rules/security/no-unsafe-regex-construction.d.ts +9 -0
- package/src/rules/security/no-unsafe-regex-construction.js +292 -0
- package/src/rules/security/no-unsafe-regex-construction.js.map +1 -0
- package/src/rules/security/no-unsanitized-html.d.ts +9 -0
- package/src/rules/security/no-unsanitized-html.js +347 -0
- package/src/rules/security/no-unsanitized-html.js.map +1 -0
- package/src/rules/security/no-unvalidated-user-input.d.ts +9 -0
- package/src/rules/security/no-unvalidated-user-input.js +418 -0
- package/src/rules/security/no-unvalidated-user-input.js.map +1 -0
- package/src/rules/security/no-weak-crypto.d.ts +11 -0
- package/src/rules/security/no-weak-crypto.js +350 -0
- package/src/rules/security/no-weak-crypto.js.map +1 -0
- package/src/rules/security/no-weak-password-recovery.d.ts +12 -0
- package/src/rules/security/no-weak-password-recovery.js +401 -0
- package/src/rules/security/no-weak-password-recovery.js.map +1 -0
- package/src/rules/security/no-xpath-injection.d.ts +10 -0
- package/src/rules/security/no-xpath-injection.js +487 -0
- package/src/rules/security/no-xpath-injection.js.map +1 -0
- package/src/rules/security/no-xxe-injection.d.ts +7 -0
- package/src/rules/security/no-xxe-injection.js +270 -0
- package/src/rules/security/no-xxe-injection.js.map +1 -0
- package/src/rules/security/no-zip-slip.d.ts +9 -0
- package/src/rules/security/no-zip-slip.js +446 -0
- package/src/rules/security/no-zip-slip.js.map +1 -0
- package/src/types/index.d.ts +131 -0
- package/src/types/index.js +18 -0
- package/src/types/index.js.map +1 -0
|
@@ -0,0 +1,381 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.noClickjacking = void 0;
|
|
4
|
+
const eslint_devkit_1 = require("@interlace/eslint-devkit");
|
|
5
|
+
const eslint_devkit_2 = require("@interlace/eslint-devkit");
|
|
6
|
+
const eslint_devkit_3 = require("@interlace/eslint-devkit");
|
|
7
|
+
exports.noClickjacking = (0, eslint_devkit_1.createRule)({
|
|
8
|
+
name: 'no-clickjacking',
|
|
9
|
+
meta: {
|
|
10
|
+
type: 'problem',
|
|
11
|
+
docs: {
|
|
12
|
+
description: 'Detects clickjacking vulnerabilities and missing frame protections',
|
|
13
|
+
},
|
|
14
|
+
fixable: 'code',
|
|
15
|
+
hasSuggestions: true,
|
|
16
|
+
messages: {
|
|
17
|
+
clickjackingVulnerability: (0, eslint_devkit_2.formatLLMMessage)({
|
|
18
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
19
|
+
issueName: 'Clickjacking Vulnerability',
|
|
20
|
+
cwe: 'CWE-1021',
|
|
21
|
+
description: 'Clickjacking protection missing',
|
|
22
|
+
severity: '{{severity}}',
|
|
23
|
+
fix: '{{safeAlternative}}',
|
|
24
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
25
|
+
}),
|
|
26
|
+
missingFrameBusting: (0, eslint_devkit_2.formatLLMMessage)({
|
|
27
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
28
|
+
issueName: 'Missing Frame Busting',
|
|
29
|
+
cwe: 'CWE-1021',
|
|
30
|
+
description: 'No frame-busting code to prevent clickjacking',
|
|
31
|
+
severity: 'HIGH',
|
|
32
|
+
fix: 'Add frame-busting JavaScript to prevent framing',
|
|
33
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
34
|
+
}),
|
|
35
|
+
unsafeIframeUsage: (0, eslint_devkit_2.formatLLMMessage)({
|
|
36
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
37
|
+
issueName: 'Unsafe iframe Usage',
|
|
38
|
+
cwe: 'CWE-1021',
|
|
39
|
+
description: 'iframe may enable clickjacking attacks',
|
|
40
|
+
severity: 'MEDIUM',
|
|
41
|
+
fix: 'Add X-Frame-Options or CSP frame-ancestors protection',
|
|
42
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
43
|
+
}),
|
|
44
|
+
missingXFrameOptions: (0, eslint_devkit_2.formatLLMMessage)({
|
|
45
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
46
|
+
issueName: 'Missing X-Frame-Options',
|
|
47
|
+
cwe: 'CWE-1021',
|
|
48
|
+
description: 'X-Frame-Options header not set',
|
|
49
|
+
severity: 'HIGH',
|
|
50
|
+
fix: 'Set X-Frame-Options: DENY or SAMEORIGIN',
|
|
51
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options',
|
|
52
|
+
}),
|
|
53
|
+
missingCspFrameAncestors: (0, eslint_devkit_2.formatLLMMessage)({
|
|
54
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
55
|
+
issueName: 'Missing CSP frame-ancestors',
|
|
56
|
+
cwe: 'CWE-1021',
|
|
57
|
+
description: 'CSP frame-ancestors directive not configured',
|
|
58
|
+
severity: 'HIGH',
|
|
59
|
+
fix: 'Add frame-ancestors to Content-Security-Policy',
|
|
60
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors',
|
|
61
|
+
}),
|
|
62
|
+
transparentFrameOverlay: (0, eslint_devkit_2.formatLLMMessage)({
|
|
63
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
64
|
+
issueName: 'Transparent Frame Overlay',
|
|
65
|
+
cwe: 'CWE-1021',
|
|
66
|
+
description: 'Transparent elements may hide clickjacking attacks',
|
|
67
|
+
severity: 'MEDIUM',
|
|
68
|
+
fix: 'Use frame-busting or CSP protections',
|
|
69
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
70
|
+
}),
|
|
71
|
+
frameManipulation: (0, eslint_devkit_2.formatLLMMessage)({
|
|
72
|
+
icon: eslint_devkit_2.MessageIcons.SECURITY,
|
|
73
|
+
issueName: 'Frame Manipulation',
|
|
74
|
+
cwe: 'CWE-1021',
|
|
75
|
+
description: 'Code attempts to manipulate parent frames',
|
|
76
|
+
severity: 'LOW',
|
|
77
|
+
fix: 'Implement proper frame communication or prevent framing',
|
|
78
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
79
|
+
}),
|
|
80
|
+
implementFrameBusting: (0, eslint_devkit_2.formatLLMMessage)({
|
|
81
|
+
icon: eslint_devkit_2.MessageIcons.INFO,
|
|
82
|
+
issueName: 'Implement Frame Busting',
|
|
83
|
+
description: 'Add JavaScript to prevent framing',
|
|
84
|
+
severity: 'LOW',
|
|
85
|
+
fix: 'if (top != self) top.location = location;',
|
|
86
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
87
|
+
}),
|
|
88
|
+
useXFrameOptions: (0, eslint_devkit_2.formatLLMMessage)({
|
|
89
|
+
icon: eslint_devkit_2.MessageIcons.INFO,
|
|
90
|
+
issueName: 'Use X-Frame-Options',
|
|
91
|
+
description: 'Set X-Frame-Options HTTP header',
|
|
92
|
+
severity: 'LOW',
|
|
93
|
+
fix: 'X-Frame-Options: DENY',
|
|
94
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options',
|
|
95
|
+
}),
|
|
96
|
+
setCspFrameAncestors: (0, eslint_devkit_2.formatLLMMessage)({
|
|
97
|
+
icon: eslint_devkit_2.MessageIcons.INFO,
|
|
98
|
+
issueName: 'Set CSP frame-ancestors',
|
|
99
|
+
description: 'Configure CSP frame-ancestors directive',
|
|
100
|
+
severity: 'LOW',
|
|
101
|
+
fix: 'frame-ancestors \'self\' https://trusted.com',
|
|
102
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors',
|
|
103
|
+
}),
|
|
104
|
+
strategyFrameProtection: (0, eslint_devkit_2.formatLLMMessage)({
|
|
105
|
+
icon: eslint_devkit_2.MessageIcons.STRATEGY,
|
|
106
|
+
issueName: 'Frame Protection Strategy',
|
|
107
|
+
description: 'Implement multiple layers of frame protection',
|
|
108
|
+
severity: 'LOW',
|
|
109
|
+
fix: 'Use X-Frame-Options, CSP, and frame-busting together',
|
|
110
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
111
|
+
}),
|
|
112
|
+
strategyContentSecurity: (0, eslint_devkit_2.formatLLMMessage)({
|
|
113
|
+
icon: eslint_devkit_2.MessageIcons.STRATEGY,
|
|
114
|
+
issueName: 'Content Security Strategy',
|
|
115
|
+
description: 'Use CSP for comprehensive frame control',
|
|
116
|
+
severity: 'LOW',
|
|
117
|
+
fix: 'Implement strict CSP with frame-ancestors',
|
|
118
|
+
documentationLink: 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
|
|
119
|
+
}),
|
|
120
|
+
strategyUserInteraction: (0, eslint_devkit_2.formatLLMMessage)({
|
|
121
|
+
icon: eslint_devkit_2.MessageIcons.STRATEGY,
|
|
122
|
+
issueName: 'User Interaction Strategy',
|
|
123
|
+
description: 'Protect user interactions from framing attacks',
|
|
124
|
+
severity: 'LOW',
|
|
125
|
+
fix: 'Validate user intent for sensitive actions',
|
|
126
|
+
documentationLink: 'https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html',
|
|
127
|
+
})
|
|
128
|
+
},
|
|
129
|
+
schema: [
|
|
130
|
+
{
|
|
131
|
+
type: 'object',
|
|
132
|
+
properties: {
|
|
133
|
+
trustedSources: {
|
|
134
|
+
type: 'array',
|
|
135
|
+
items: { type: 'string' },
|
|
136
|
+
default: ['self', 'same-origin'],
|
|
137
|
+
},
|
|
138
|
+
requireFrameBusting: {
|
|
139
|
+
type: 'boolean',
|
|
140
|
+
default: true,
|
|
141
|
+
},
|
|
142
|
+
detectTransparentOverlays: {
|
|
143
|
+
type: 'boolean',
|
|
144
|
+
default: true,
|
|
145
|
+
},
|
|
146
|
+
trustedSanitizers: {
|
|
147
|
+
type: 'array',
|
|
148
|
+
items: { type: 'string' },
|
|
149
|
+
default: [],
|
|
150
|
+
description: 'Additional function names to consider as frame protectors',
|
|
151
|
+
},
|
|
152
|
+
trustedAnnotations: {
|
|
153
|
+
type: 'array',
|
|
154
|
+
items: { type: 'string' },
|
|
155
|
+
default: [],
|
|
156
|
+
description: 'Additional JSDoc annotations to consider as safe markers',
|
|
157
|
+
},
|
|
158
|
+
strictMode: {
|
|
159
|
+
type: 'boolean',
|
|
160
|
+
default: false,
|
|
161
|
+
description: 'Disable all false positive detection (strict mode)',
|
|
162
|
+
},
|
|
163
|
+
},
|
|
164
|
+
additionalProperties: false,
|
|
165
|
+
},
|
|
166
|
+
],
|
|
167
|
+
},
|
|
168
|
+
defaultOptions: [
|
|
169
|
+
{
|
|
170
|
+
trustedSources: ['self', 'same-origin'],
|
|
171
|
+
requireFrameBusting: true,
|
|
172
|
+
detectTransparentOverlays: true,
|
|
173
|
+
trustedSanitizers: [],
|
|
174
|
+
trustedAnnotations: [],
|
|
175
|
+
strictMode: false,
|
|
176
|
+
},
|
|
177
|
+
],
|
|
178
|
+
create(context) {
|
|
179
|
+
const options = context.options[0] || {};
|
|
180
|
+
const { trustedSources = ['self', 'same-origin'], requireFrameBusting = true, detectTransparentOverlays = true, trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
|
|
181
|
+
const sourceCode = context.sourceCode || context.sourceCode;
|
|
182
|
+
const filename = context.filename || context.getFilename();
|
|
183
|
+
// Create safety checker for false positive detection
|
|
184
|
+
const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
|
|
185
|
+
trustedSanitizers,
|
|
186
|
+
trustedAnnotations,
|
|
187
|
+
trustedOrmPatterns: [],
|
|
188
|
+
strictMode,
|
|
189
|
+
});
|
|
190
|
+
// Track if frame-busting code is present
|
|
191
|
+
let hasFrameBusting = false;
|
|
192
|
+
/**
|
|
193
|
+
* Check if source is trusted
|
|
194
|
+
*/
|
|
195
|
+
const isTrustedSource = (source) => {
|
|
196
|
+
return trustedSources.some(trusted => source.includes(trusted) ||
|
|
197
|
+
(trusted === 'self' && (source === 'self' || source.startsWith('/'))) ||
|
|
198
|
+
(trusted === 'same-origin' && source === 'same-origin'));
|
|
199
|
+
};
|
|
200
|
+
/**
|
|
201
|
+
* Check if this is frame-busting code
|
|
202
|
+
*/
|
|
203
|
+
const isFrameBustingCode = (node) => {
|
|
204
|
+
const test = node.test;
|
|
205
|
+
const testText = sourceCode.getText(test).toLowerCase();
|
|
206
|
+
// Look for common frame-busting patterns
|
|
207
|
+
return testText.includes('top != self') ||
|
|
208
|
+
testText.includes('top !== self') ||
|
|
209
|
+
testText.includes('window.top !== window.self') ||
|
|
210
|
+
testText.includes('parent != self') ||
|
|
211
|
+
testText.includes('top.location') ||
|
|
212
|
+
testText.includes('self.location');
|
|
213
|
+
};
|
|
214
|
+
/**
|
|
215
|
+
* Check for transparent/invisible elements that could hide clickjacking
|
|
216
|
+
*/
|
|
217
|
+
const hasTransparentStyles = (styleText) => {
|
|
218
|
+
const styles = styleText.toLowerCase();
|
|
219
|
+
return styles.includes('opacity: 0') ||
|
|
220
|
+
styles.includes('opacity:0') ||
|
|
221
|
+
styles.includes('visibility: hidden') ||
|
|
222
|
+
styles.includes('display: none') ||
|
|
223
|
+
styles.includes('z-index: -1') ||
|
|
224
|
+
styles.includes('position: absolute') && styles.includes('top: 0') && styles.includes('left: 0');
|
|
225
|
+
};
|
|
226
|
+
return {
|
|
227
|
+
// Check for frame-busting code
|
|
228
|
+
IfStatement(node) {
|
|
229
|
+
if (isFrameBustingCode(node)) {
|
|
230
|
+
hasFrameBusting = true;
|
|
231
|
+
}
|
|
232
|
+
},
|
|
233
|
+
// Check iframe elements (in JSX/TSX)
|
|
234
|
+
JSXElement(node) {
|
|
235
|
+
if (node.openingElement.name.type === 'JSXIdentifier' &&
|
|
236
|
+
node.openingElement.name.name === 'iframe') {
|
|
237
|
+
// Check iframe attributes
|
|
238
|
+
const attributes = node.openingElement.attributes;
|
|
239
|
+
let hasSrc = false;
|
|
240
|
+
let srcValue = '';
|
|
241
|
+
for (const attr of attributes) {
|
|
242
|
+
if (attr.type === 'JSXAttribute' &&
|
|
243
|
+
attr.name.type === 'JSXIdentifier' &&
|
|
244
|
+
attr.name.name === 'src' &&
|
|
245
|
+
attr.value) {
|
|
246
|
+
hasSrc = true;
|
|
247
|
+
if (attr.value.type === 'Literal' && typeof attr.value.value === 'string') {
|
|
248
|
+
srcValue = attr.value.value;
|
|
249
|
+
}
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
if (hasSrc && srcValue && !isTrustedSource(srcValue)) {
|
|
253
|
+
// FALSE POSITIVE REDUCTION
|
|
254
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
255
|
+
return;
|
|
256
|
+
}
|
|
257
|
+
context.report({
|
|
258
|
+
node: node.openingElement,
|
|
259
|
+
messageId: 'unsafeIframeUsage',
|
|
260
|
+
data: {
|
|
261
|
+
filePath: filename,
|
|
262
|
+
line: String(node.loc?.start.line ?? 0),
|
|
263
|
+
},
|
|
264
|
+
});
|
|
265
|
+
}
|
|
266
|
+
}
|
|
267
|
+
},
|
|
268
|
+
// Check for frame manipulation code
|
|
269
|
+
MemberExpression(node) {
|
|
270
|
+
// Look for top.location or window.top manipulation
|
|
271
|
+
if (node.object.type === 'Identifier' &&
|
|
272
|
+
(node.object.name === 'top' || node.object.name === 'window')) {
|
|
273
|
+
if (node.property.type === 'Identifier' &&
|
|
274
|
+
(node.property.name === 'location' || node.property.name === 'top')) {
|
|
275
|
+
// Check if this is being assigned or compared
|
|
276
|
+
let current = node;
|
|
277
|
+
let isFrameManipulation = false;
|
|
278
|
+
// Walk up to see if this is an assignment or comparison
|
|
279
|
+
while (current && !isFrameManipulation) {
|
|
280
|
+
if (current.type === 'AssignmentExpression' &&
|
|
281
|
+
current.left === node) {
|
|
282
|
+
isFrameManipulation = true;
|
|
283
|
+
break;
|
|
284
|
+
}
|
|
285
|
+
if (current.type === 'BinaryExpression' &&
|
|
286
|
+
(current.left === node || current.right === node)) {
|
|
287
|
+
// Comparison like top != self
|
|
288
|
+
const operator = current.operator;
|
|
289
|
+
if (operator === '!=' || operator === '!==' ||
|
|
290
|
+
operator === '==' || operator === '===') {
|
|
291
|
+
// This might be frame-busting code
|
|
292
|
+
break;
|
|
293
|
+
}
|
|
294
|
+
isFrameManipulation = true;
|
|
295
|
+
break;
|
|
296
|
+
}
|
|
297
|
+
current = current.parent;
|
|
298
|
+
}
|
|
299
|
+
if (isFrameManipulation) {
|
|
300
|
+
// FALSE POSITIVE REDUCTION
|
|
301
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
302
|
+
return;
|
|
303
|
+
}
|
|
304
|
+
context.report({
|
|
305
|
+
node,
|
|
306
|
+
messageId: 'frameManipulation',
|
|
307
|
+
data: {
|
|
308
|
+
filePath: filename,
|
|
309
|
+
line: String(node.loc?.start.line ?? 0),
|
|
310
|
+
},
|
|
311
|
+
});
|
|
312
|
+
}
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
},
|
|
316
|
+
// Check for CSS that could hide clickjacking attacks
|
|
317
|
+
Literal(node) {
|
|
318
|
+
if (typeof node.value === 'string' && detectTransparentOverlays) {
|
|
319
|
+
// Check if this looks like CSS
|
|
320
|
+
const text = node.value.toLowerCase();
|
|
321
|
+
if ((text.includes('style=') || text.includes('css')) &&
|
|
322
|
+
hasTransparentStyles(text)) {
|
|
323
|
+
// FALSE POSITIVE REDUCTION
|
|
324
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
325
|
+
return;
|
|
326
|
+
}
|
|
327
|
+
context.report({
|
|
328
|
+
node,
|
|
329
|
+
messageId: 'transparentFrameOverlay',
|
|
330
|
+
data: {
|
|
331
|
+
filePath: filename,
|
|
332
|
+
line: String(node.loc?.start.line ?? 0),
|
|
333
|
+
},
|
|
334
|
+
});
|
|
335
|
+
}
|
|
336
|
+
}
|
|
337
|
+
},
|
|
338
|
+
// Check template literals for CSS
|
|
339
|
+
TemplateLiteral(node) {
|
|
340
|
+
if (detectTransparentOverlays) {
|
|
341
|
+
const text = sourceCode.getText(node).toLowerCase();
|
|
342
|
+
if (text.includes('style') && hasTransparentStyles(text)) {
|
|
343
|
+
// FALSE POSITIVE REDUCTION
|
|
344
|
+
if (safetyChecker.isSafe(node, context)) {
|
|
345
|
+
return;
|
|
346
|
+
}
|
|
347
|
+
context.report({
|
|
348
|
+
node,
|
|
349
|
+
messageId: 'transparentFrameOverlay',
|
|
350
|
+
data: {
|
|
351
|
+
filePath: filename,
|
|
352
|
+
line: String(node.loc?.start.line ?? 0),
|
|
353
|
+
},
|
|
354
|
+
});
|
|
355
|
+
}
|
|
356
|
+
}
|
|
357
|
+
},
|
|
358
|
+
// At the end of the file, check if frame-busting is required but missing
|
|
359
|
+
'Program:exit'() {
|
|
360
|
+
if (requireFrameBusting && !hasFrameBusting) {
|
|
361
|
+
// Check if this file likely needs frame protection (has UI elements)
|
|
362
|
+
const fileContent = sourceCode.getText();
|
|
363
|
+
const hasUIElements = /\b(button|input|form|a|div)\b/i.test(fileContent) ||
|
|
364
|
+
fileContent.includes('onClick') ||
|
|
365
|
+
fileContent.includes('onSubmit');
|
|
366
|
+
if (hasUIElements) {
|
|
367
|
+
context.report({
|
|
368
|
+
node: context.sourceCode.ast,
|
|
369
|
+
messageId: 'missingFrameBusting',
|
|
370
|
+
data: {
|
|
371
|
+
filePath: filename,
|
|
372
|
+
line: '1',
|
|
373
|
+
},
|
|
374
|
+
});
|
|
375
|
+
}
|
|
376
|
+
}
|
|
377
|
+
}
|
|
378
|
+
};
|
|
379
|
+
},
|
|
380
|
+
});
|
|
381
|
+
//# sourceMappingURL=no-clickjacking.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"no-clickjacking.js","sourceRoot":"","sources":["../../../../../../packages/eslint-plugin-secure-coding/src/rules/security/no-clickjacking.ts"],"names":[],"mappings":";;;AAgBA,4DAAsD;AACtD,4DAA0E;AAC1E,4DAGkC;AA8BrB,QAAA,cAAc,GAAG,IAAA,0BAAU,EAA0B;IAChE,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE;QACJ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,oEAAoE;SAClF;QACD,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACR,yBAAyB,EAAE,IAAA,gCAAgB,EAAC;gBAC1C,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,4BAA4B;gBACvC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,iCAAiC;gBAC9C,QAAQ,EAAE,cAAc;gBACxB,GAAG,EAAE,qBAAqB;gBAC1B,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,mBAAmB,EAAE,IAAA,gCAAgB,EAAC;gBACpC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,uBAAuB;gBAClC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,iDAAiD;gBACtD,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,qBAAqB;gBAChC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,wCAAwC;gBACrD,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,uDAAuD;gBAC5D,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,yBAAyB;gBACpC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,gCAAgC;gBAC7C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,yCAAyC;gBAC9C,iBAAiB,EAAE,2EAA2E;aAC/F,CAAC;YACF,wBAAwB,EAAE,IAAA,gCAAgB,EAAC;gBACzC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,6BAA6B;gBACxC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,8CAA8C;gBAC3D,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,gDAAgD;gBACrD,iBAAiB,EAAE,mGAAmG;aACvH,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,oDAAoD;gBACjE,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,sCAAsC;gBAC3C,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,iBAAiB,EAAE,IAAA,gCAAgB,EAAC;gBAClC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,oBAAoB;gBAC/B,GAAG,EAAE,UAAU;gBACf,WAAW,EAAE,2CAA2C;gBACxD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,yDAAyD;gBAC9D,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,qBAAqB,EAAE,IAAA,gCAAgB,EAAC;gBACtC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,mCAAmC;gBAChD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,2CAA2C;gBAChD,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,gBAAgB,EAAE,IAAA,gCAAgB,EAAC;gBACjC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,WAAW,EAAE,iCAAiC;gBAC9C,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,uBAAuB;gBAC5B,iBAAiB,EAAE,2EAA2E;aAC/F,CAAC;YACF,oBAAoB,EAAE,IAAA,gCAAgB,EAAC;gBACrC,IAAI,EAAE,4BAAY,CAAC,IAAI;gBACvB,SAAS,EAAE,yBAAyB;gBACpC,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,8CAA8C;gBACnD,iBAAiB,EAAE,mGAAmG;aACvH,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,WAAW,EAAE,+CAA+C;gBAC5D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,sDAAsD;gBAC3D,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,WAAW,EAAE,yCAAyC;gBACtD,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,2CAA2C;gBAChD,iBAAiB,EAAE,uDAAuD;aAC3E,CAAC;YACF,uBAAuB,EAAE,IAAA,gCAAgB,EAAC;gBACxC,IAAI,EAAE,4BAAY,CAAC,QAAQ;gBAC3B,SAAS,EAAE,2BAA2B;gBACtC,WAAW,EAAE,gDAAgD;gBAC7D,QAAQ,EAAE,KAAK;gBACf,GAAG,EAAE,4CAA4C;gBACjD,iBAAiB,EAAE,sFAAsF;aAC1G,CAAC;SACH;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,cAAc,EAAE;wBACd,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC;qBACjC;oBACD,mBAAmB,EAAE;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;oBACD,yBAAyB,EAAE;wBACzB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,IAAI;qBACd;oBACD,iBAAiB,EAAE;wBACjB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,2DAA2D;qBACzE;oBACD,kBAAkB,EAAE;wBAClB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,OAAO,EAAE,EAAE;wBACX,WAAW,EAAE,0DAA0D;qBACxE;oBACD,UAAU,EAAE;wBACV,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,KAAK;wBACd,WAAW,EAAE,oDAAoD;qBAClE;iBACF;gBACD,oBAAoB,EAAE,KAAK;aAC5B;SACF;KACF;IACD,cAAc,EAAE;QACd;YACE,cAAc,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC;YACvC,mBAAmB,EAAE,IAAI;YACzB,yBAAyB,EAAE,IAAI;YAC/B,iBAAiB,EAAE,EAAE;YACrB,kBAAkB,EAAE,EAAE;YACtB,UAAU,EAAE,KAAK;SAClB;KACF;IACD,MAAM,CAAC,OAAsD;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EACJ,cAAc,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EACxC,mBAAmB,GAAG,IAAI,EAC1B,yBAAyB,GAAG,IAAI,EAChC,iBAAiB,GAAG,EAAE,EACtB,kBAAkB,GAAG,EAAE,EACvB,UAAU,GAAG,KAAK,GACnB,GAAY,OAAO,CAAC;QAErB,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3D,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAA,mCAAmB,EAAC;YACxC,iBAAiB;YACjB,kBAAkB;YAClB,kBAAkB,EAAE,EAAE;YACtB,UAAU;SACX,CAAC,CAAC;QAEH,yCAAyC;QACzC,IAAI,eAAe,GAAG,KAAK,CAAC;QAE5B;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,MAAc,EAAW,EAAE;YAClD,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACnC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACxB,CAAC,OAAO,KAAK,MAAM,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;gBACrE,CAAC,OAAO,KAAK,aAAa,IAAI,MAAM,KAAK,aAAa,CAAC,CACxD,CAAC;QACJ,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,CAAC,IAA0B,EAAW,EAAE;YACjE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAExD,yCAAyC;YACzC,OAAO,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAChC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACjC,QAAQ,CAAC,QAAQ,CAAC,4BAA4B,CAAC;gBAC/C,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACjC,QAAQ,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QAC5C,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,oBAAoB,GAAG,CAAC,SAAiB,EAAW,EAAE;YAC1D,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;YACvC,OAAO,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC7B,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC5B,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC;gBACrC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC;gBAChC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC9B,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1G,CAAC,CAAC;QAEF,OAAO;YACL,+BAA+B;YAC/B,WAAW,CAAC,IAA0B;gBACpC,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;YAED,qCAAqC;YACrC,UAAU,CAAC,IAAyB;gBAClC,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe;oBACjD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAE/C,0BAA0B;oBAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC;oBAClD,IAAI,MAAM,GAAG,KAAK,CAAC;oBACnB,IAAI,QAAQ,GAAG,EAAE,CAAC;oBAElB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;wBAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc;4BAC5B,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe;4BAClC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,KAAK;4BACxB,IAAI,CAAC,KAAK,EAAE,CAAC;4BAEf,MAAM,GAAG,IAAI,CAAC;4BACd,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gCAC1E,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;4BAC9B,CAAC;wBACH,CAAC;oBACH,CAAC;oBAED,IAAI,MAAM,IAAI,QAAQ,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACrD,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,IAAI,CAAC,cAAc;4BACzB,SAAS,EAAE,mBAAmB;4BAC9B,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,oCAAoC;YACpC,gBAAgB,CAAC,IAA+B;gBAC9C,mDAAmD;gBACnD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACjC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;oBAElE,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wBACnC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;wBAExE,8CAA8C;wBAC9C,IAAI,OAAO,GAA8B,IAAI,CAAC;wBAC9C,IAAI,mBAAmB,GAAG,KAAK,CAAC;wBAEhC,wDAAwD;wBACxD,OAAO,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC;4BACvC,IAAI,OAAO,CAAC,IAAI,KAAK,sBAAsB;gCACvC,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gCAC1B,mBAAmB,GAAG,IAAI,CAAC;gCAC3B,MAAM;4BACR,CAAC;4BACD,IAAI,OAAO,CAAC,IAAI,KAAK,kBAAkB;gCACnC,CAAC,OAAO,CAAC,IAAI,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE,CAAC;gCACtD,8BAA8B;gCAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;gCAClC,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,KAAK;oCACvC,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;oCAC5C,mCAAmC;oCACnC,MAAM;gCACR,CAAC;gCACD,mBAAmB,GAAG,IAAI,CAAC;gCAC3B,MAAM;4BACR,CAAC;4BACD,OAAO,GAAG,OAAO,CAAC,MAAuB,CAAC;wBAC5C,CAAC;wBAED,IAAI,mBAAmB,EAAE,CAAC;4BACxB,2BAA2B;4BAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gCACxC,OAAO;4BACT,CAAC;4BAED,OAAO,CAAC,MAAM,CAAC;gCACb,IAAI;gCACJ,SAAS,EAAE,mBAAmB;gCAC9B,IAAI,EAAE;oCACJ,QAAQ,EAAE,QAAQ;oCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;iCACxC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,qDAAqD;YACrD,OAAO,CAAC,IAAsB;gBAC5B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,yBAAyB,EAAE,CAAC;oBAChE,+BAA+B;oBAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;oBAEtC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;wBACjD,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAE/B,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,yBAAyB;4BACpC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,kCAAkC;YAClC,eAAe,CAAC,IAA8B;gBAC5C,IAAI,yBAAyB,EAAE,CAAC;oBAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;oBAEpD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;wBACzD,2BAA2B;wBAC3B,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;4BACxC,OAAO;wBACT,CAAC;wBAED,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI;4BACJ,SAAS,EAAE,yBAAyB;4BACpC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;6BACxC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,yEAAyE;YACzE,cAAc;gBACZ,IAAI,mBAAmB,IAAI,CAAC,eAAe,EAAE,CAAC;oBAC5C,qEAAqE;oBACrE,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC;oBACzC,MAAM,aAAa,GAAG,gCAAgC,CAAC,IAAI,CAAC,WAAW,CAAC;wBACnD,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;wBAC/B,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;oBAEtD,IAAI,aAAa,EAAE,CAAC;wBAClB,OAAO,CAAC,MAAM,CAAC;4BACb,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG;4BAC5B,SAAS,EAAE,qBAAqB;4BAChC,IAAI,EAAE;gCACJ,QAAQ,EAAE,QAAQ;gCAClB,IAAI,EAAE,GAAG;6BACV;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { type SecurityRuleOptions } from '@interlace/eslint-devkit';
|
|
2
|
+
export interface Options extends SecurityRuleOptions {
|
|
3
|
+
/** Trusted directive/component names */
|
|
4
|
+
trustedDirectives?: string[];
|
|
5
|
+
/** Variables that contain user input */
|
|
6
|
+
userInputVariables?: string[];
|
|
7
|
+
/** Frameworks to check for */
|
|
8
|
+
frameworks?: string[];
|
|
9
|
+
/** Allow dynamic directives in specific contexts */
|
|
10
|
+
allowDynamicInComponents?: boolean;
|
|
11
|
+
}
|
|
12
|
+
export declare const noDirectiveInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;
|