MyCrypto/custom_linting_rules/noExternalHttpLinkRule.js
Jack Clancy 26619e28cc Enforce HTTPS / Prevent Reverse Tabnabbing (#773)
* working version of test custom rule config

* setting no imports to false so tests will pass

* adding anchor blank noopener rule, rule currently off to allow tests to pass

* removing copied code from tslint-microsoft-contrib

* adding tslint-microsoft-contrib to dev deps

* extending tslint for external http rule

* locking tslint-microsoft-contrib version and turning on target blank noopener rule

* final fixes for pull #663

* add noopener noreferrer as needed

* fixing false positives for a tags without href

* really fix linting errors

* fix imports

* remove accidently(?) added LedgerNano duplicate file
2018-01-09 23:17:52 -06:00

96 lines
3.9 KiB
JavaScript

"use strict";
var __extends = (this && this.__extends) || (function () {
var extendStatics = Object.setPrototypeOf ||
({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
return function (d, b) {
extendStatics(d, b);
function __() { this.constructor = d; }
d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
};
})();
exports.__esModule = true;
var ts = require("typescript");
var Lint = require("tslint");
var ErrorTolerantWalker_1 = require("../node_modules/tslint-microsoft-contrib/utils/ErrorTolerantWalker");
var JsxAttribute_1 = require("../node_modules/tslint-microsoft-contrib/utils/JsxAttribute");
var FAILURE_STRING = 'Anchor tags with an external link must use https';
/**
* Implementation of the no-external-http-link rule.
*/
var Rule = /** @class */ (function (_super) {
__extends(Rule, _super);
function Rule() {
return _super !== null && _super.apply(this, arguments) || this;
}
Rule.prototype.apply = function (sourceFile) {
if (sourceFile.languageVariant === ts.LanguageVariant.JSX) {
return this.applyWithWalker(new NoExternalHttpLinkRuleWalker(sourceFile, this.getOptions()));
}
else {
return [];
}
};
Rule.metadata = {
ruleName: 'tno-external-http-link',
type: 'functionality',
description: 'Anchor tags with an external link must use https',
options: null,
optionsDescription: '',
typescriptOnly: true,
issueClass: 'SDL',
issueType: 'Error',
severity: 'Critical',
level: 'Mandatory',
group: 'Security',
commonWeaknessEnumeration: '242,676'
};
return Rule;
}(Lint.Rules.AbstractRule));
exports.Rule = Rule;
var NoExternalHttpLinkRuleWalker = /** @class */ (function (_super) {
__extends(NoExternalHttpLinkRuleWalker, _super);
function NoExternalHttpLinkRuleWalker() {
return _super !== null && _super.apply(this, arguments) || this;
}
NoExternalHttpLinkRuleWalker.prototype.visitJsxElement = function (node) {
var openingElement = node.openingElement;
this.validateOpeningElement(openingElement);
_super.prototype.visitJsxElement.call(this, node);
};
NoExternalHttpLinkRuleWalker.prototype.visitJsxSelfClosingElement = function (node) {
this.validateOpeningElement(node);
_super.prototype.visitJsxSelfClosingElement.call(this, node);
};
NoExternalHttpLinkRuleWalker.prototype.validateOpeningElement = function (openingElement) {
if (openingElement.tagName.getText() === 'a') {
var allAttributes = JsxAttribute_1.getJsxAttributesFromJsxElement(openingElement);
var href = allAttributes.href;
if (href !== null && !isSafeHrefAttributeValue(href) && JsxAttribute_1.getStringLiteral(href) !== 'undefined') {
this.addFailureAt(openingElement.getStart(), openingElement.getWidth(), FAILURE_STRING);
}
}
};
return NoExternalHttpLinkRuleWalker;
}(ErrorTolerantWalker_1.ErrorTolerantWalker));
function isSafeHrefAttributeValue(attribute) {
if (JsxAttribute_1.isEmpty(attribute)) {
return false;
}
if (attribute.initializer.kind === ts.SyntaxKind.JsxExpression) {
var expression = attribute.initializer;
if (expression.expression !== null &&
expression.expression.kind !== ts.SyntaxKind.StringLiteral) {
return true; // attribute value is not a string literal, so do not validate
}
}
var stringValue = JsxAttribute_1.getStringLiteral(attribute);
if (stringValue === '#') {
return true;
}
else if (stringValue === null || stringValue.length === 0) {
return false;
}
return stringValue.indexOf('https://') >= 0;
}