From 29f61fbbcd87c07f2542a656d2d0840dc4728ce5 Mon Sep 17 00:00:00 2001 From: webschik Date: Sat, 13 Apr 2019 12:47:41 +0200 Subject: [PATCH] [feat] added metadata for the each rule (#17) --- README.md | 2 +- src/rules/tsrDetectBufferNoassertRule.ts | 13 +++++++++++++ src/rules/tsrDetectChildProcessRule.ts | 13 +++++++++++++ src/rules/tsrDetectEvalWithExpressionRule.ts | 13 +++++++++++++ src/rules/tsrDetectHtmlInjectionRule.ts | 13 +++++++++++++ .../tsrDetectNoCsrfBeforeMethodOverrideRule.ts | 13 +++++++++++++ src/rules/tsrDetectNonLiteralBufferRule.ts | 13 +++++++++++++ src/rules/tsrDetectNonLiteralFsFilenameRule.ts | 13 +++++++++++++ src/rules/tsrDetectNonLiteralRegexpRule.ts | 13 +++++++++++++ src/rules/tsrDetectNonLiteralRequireRule.ts | 13 +++++++++++++ src/rules/tsrDetectPossibleTimingAttacksRule.ts | 13 +++++++++++++ src/rules/tsrDetectPseudoRandomBytesRule.ts | 12 ++++++++++++ src/rules/tsrDetectSqlLiteralInjectionRule.ts | 13 +++++++++++++ .../tsrDetectUnsafeCrossOriginCommunicationRule.ts | 12 ++++++++++++ src/rules/tsrDetectUnsafePropertiesAccessRule.ts | 13 +++++++++++++ src/rules/tsrDetectUnsafeRegexpRule.ts | 12 ++++++++++++ src/rules/tsrDisableMustacheEscapeRule.ts | 12 ++++++++++++ 17 files changed, 205 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 085e6f1..891fa76 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,7 @@ Examples: [test/rules/tsr-disable-mustache-escape/default/test.ts.lint](test/rul #### `tsr-detect-eval-with-expression` -Detects `eval(variable)` which can allow an attacker to run arbitary code inside your process. +Detects `eval(variable)` which can allow an attacker to run arbitrary code inside your process. More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript diff --git a/src/rules/tsrDetectBufferNoassertRule.ts b/src/rules/tsrDetectBufferNoassertRule.ts index c68d506..e6109a3 100644 --- a/src/rules/tsrDetectBufferNoassertRule.ts +++ b/src/rules/tsrDetectBufferNoassertRule.ts @@ -36,6 +36,19 @@ const writeMethods: string[] = [ ]; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-buffer-noassert', + description: 'Warns when Buffer with noAssert flag is used', + descriptionDetails: Lint.Utils.dedent`Any usage of Buffer + with noAssert flag will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-buffer-noassert`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectChildProcessRule.ts b/src/rules/tsrDetectChildProcessRule.ts index cd2224a..a0aeb0e 100644 --- a/src/rules/tsrDetectChildProcessRule.ts +++ b/src/rules/tsrDetectChildProcessRule.ts @@ -3,6 +3,19 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-child-process', + description: 'Warns when child_process.exec() with non-literal first argument is used', + descriptionDetails: Lint.Utils.dedent`Any usage of child_process.exec() + with non-literal first argument will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-child-process`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectEvalWithExpressionRule.ts b/src/rules/tsrDetectEvalWithExpressionRule.ts index 7a55c10..a62d9c0 100644 --- a/src/rules/tsrDetectEvalWithExpressionRule.ts +++ b/src/rules/tsrDetectEvalWithExpressionRule.ts @@ -4,6 +4,19 @@ import {stringLiteralKinds} from '../node-kind'; import syntaxKindToName from '../syntax-kind-to-name'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-eval-with-expression', + description: 'Warns when eval() with non-literal argument is used', + descriptionDetails: Lint.Utils.dedent`Any usage of eval() + with non-literal argument will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-eval-with-expression`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectHtmlInjectionRule.ts b/src/rules/tsrDetectHtmlInjectionRule.ts index 56fb290..51342f4 100644 --- a/src/rules/tsrDetectHtmlInjectionRule.ts +++ b/src/rules/tsrDetectHtmlInjectionRule.ts @@ -3,6 +3,19 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-html-injection', + description: 'Warns when possible HTML injection is found', + descriptionDetails: Lint.Utils.dedent`Any usage of unsafe DOM APIs as Element.innerHTML or document.write() + will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-html-injection`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts b/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts index a6d7953..46aaf33 100644 --- a/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts +++ b/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts @@ -2,6 +2,19 @@ import * as Lint from 'tslint'; import * as ts from 'typescript'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-no-csrf-before-method-override', + description: 'Warns when csrf middleware for Express.js is setup before method-override middleware', + descriptionDetails: Lint.Utils.dedent`Any usage of express.csrf() middleware before + express.methodOverride() will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-no-csrf-before-method-override`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectNonLiteralBufferRule.ts b/src/rules/tsrDetectNonLiteralBufferRule.ts index 845f382..9267ca9 100644 --- a/src/rules/tsrDetectNonLiteralBufferRule.ts +++ b/src/rules/tsrDetectNonLiteralBufferRule.ts @@ -3,6 +3,19 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-non-literal-buffer', + description: 'Warns when Buffer constructor with non-literal argument is used', + descriptionDetails: Lint.Utils.dedent`Any usage of new Buffer() + with non-literal argument will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-buffer`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectNonLiteralFsFilenameRule.ts b/src/rules/tsrDetectNonLiteralFsFilenameRule.ts index 057e9f3..a57b4fe 100644 --- a/src/rules/tsrDetectNonLiteralFsFilenameRule.ts +++ b/src/rules/tsrDetectNonLiteralFsFilenameRule.ts @@ -4,6 +4,19 @@ import fsModuleMethodsArgumentsInfo from '../fs-module-methods-arguments-info'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-non-literal-fs-filename', + description: 'Warns when methods of Node.js FileSystem API are used with non-literal argument as a filename', + descriptionDetails: Lint.Utils.dedent`Any usage of Node.js FileSystem methods + with non-literal argument as a filename will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-fs-filename`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectNonLiteralRegexpRule.ts b/src/rules/tsrDetectNonLiteralRegexpRule.ts index e2df665..5878c76 100644 --- a/src/rules/tsrDetectNonLiteralRegexpRule.ts +++ b/src/rules/tsrDetectNonLiteralRegexpRule.ts @@ -3,6 +3,19 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-non-literal-regexp', + description: 'Warns when RegExp constructor with non-literal argument is used', + descriptionDetails: Lint.Utils.dedent`Any usage of new RegExp() + with non-literal argument will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-regexp`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectNonLiteralRequireRule.ts b/src/rules/tsrDetectNonLiteralRequireRule.ts index e98ce59..af187b4 100644 --- a/src/rules/tsrDetectNonLiteralRequireRule.ts +++ b/src/rules/tsrDetectNonLiteralRequireRule.ts @@ -3,6 +3,19 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-non-literal-require', + description: 'Warns when require() function is used with non-literal argument', + descriptionDetails: Lint.Utils.dedent`Any usage of require() + with non-literal argument will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-require`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectPossibleTimingAttacksRule.ts b/src/rules/tsrDetectPossibleTimingAttacksRule.ts index 95993bd..4f6fda5 100644 --- a/src/rules/tsrDetectPossibleTimingAttacksRule.ts +++ b/src/rules/tsrDetectPossibleTimingAttacksRule.ts @@ -76,6 +76,19 @@ function isVulnerablePropertyAccessExpression(node: ts.PropertyAccessExpression) } export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-possible-timing-attacks', + description: 'Warns when possible timing attack is found', + descriptionDetails: Lint.Utils.dedent`Any usage of unsafe comparisons ('==', '!=', '!==' and '===') + that check input sequentially will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-possible-timing-attacks`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectPseudoRandomBytesRule.ts b/src/rules/tsrDetectPseudoRandomBytesRule.ts index 08cce7b..7b2999d 100644 --- a/src/rules/tsrDetectPseudoRandomBytesRule.ts +++ b/src/rules/tsrDetectPseudoRandomBytesRule.ts @@ -2,6 +2,18 @@ import * as Lint from 'tslint'; import * as ts from 'typescript'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-pseudo-random-bytes', + description: 'Warns when crypto.pseudoRandomBytes() function is used', + descriptionDetails: Lint.Utils.dedent`Any usage of crypto.pseudoRandomBytes() will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-pseudo-random-bytes`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectSqlLiteralInjectionRule.ts b/src/rules/tsrDetectSqlLiteralInjectionRule.ts index e383a80..3c8329a 100644 --- a/src/rules/tsrDetectSqlLiteralInjectionRule.ts +++ b/src/rules/tsrDetectSqlLiteralInjectionRule.ts @@ -6,6 +6,19 @@ import {stringLiteralKinds} from '../node-kind'; const generalErrorMessage: string = 'Found possible SQL injection'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-sql-literal-injection', + description: 'Warns when possible SQL injection is found', + descriptionDetails: Lint.Utils.dedent`Any usage of the unsafe string concatenation in SQL queries + will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-sql-literal-injection`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts b/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts index 2d90698..f0935ec 100644 --- a/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts +++ b/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts @@ -2,6 +2,18 @@ import * as Lint from 'tslint'; import * as ts from 'typescript'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-unsafe-cross-origin-communication', + description: 'Warns when postMessage() API is used with the target "*" (no preference)', + descriptionDetails: Lint.Utils.dedent`Any usage of postMessage() API with target "*" will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-cross-origin-communication`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectUnsafePropertiesAccessRule.ts b/src/rules/tsrDetectUnsafePropertiesAccessRule.ts index e5d8820..4d903b5 100644 --- a/src/rules/tsrDetectUnsafePropertiesAccessRule.ts +++ b/src/rules/tsrDetectUnsafePropertiesAccessRule.ts @@ -2,6 +2,19 @@ import * as Lint from 'tslint'; import * as ts from 'typescript'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-unsafe-properties-access', + description: 'Warns when potential unsafe access to the object properties is found', + descriptionDetails: Lint.Utils.dedent`Any potential unsafe access to the object properties + will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-properties-access`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDetectUnsafeRegexpRule.ts b/src/rules/tsrDetectUnsafeRegexpRule.ts index 889ebab..aa3afdc 100644 --- a/src/rules/tsrDetectUnsafeRegexpRule.ts +++ b/src/rules/tsrDetectUnsafeRegexpRule.ts @@ -5,6 +5,18 @@ import * as ts from 'typescript'; import {stringLiteralKinds} from '../node-kind'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-detect-unsafe-regexp', + description: 'Warns when potential unsafe regular expression is found', + descriptionDetails: Lint.Utils.dedent`Any usage of potential unsafe regular expression will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-regexp`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); } diff --git a/src/rules/tsrDisableMustacheEscapeRule.ts b/src/rules/tsrDisableMustacheEscapeRule.ts index e15467e..5a11a02 100644 --- a/src/rules/tsrDisableMustacheEscapeRule.ts +++ b/src/rules/tsrDisableMustacheEscapeRule.ts @@ -2,6 +2,18 @@ import * as Lint from 'tslint'; import * as ts from 'typescript'; export class Rule extends Lint.Rules.AbstractRule { + static metadata: Lint.IRuleMetadata = { + ruleName: 'tsr-disable-mustache-escape', + description: 'Warns when escapeMarkup=false property with some template engines is used', + descriptionDetails: Lint.Utils.dedent`Any usage of escapeMarkup=false property will trigger a warning. + See https://github.com/webschik/tslint-config-security#tsr-disable-mustache-escape`, + optionsDescription: '', + options: null, + type: 'functionality', + requiresTypeInfo: false, + typescriptOnly: false + }; + apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] { return this.applyWithFunction(sourceFile, walk); }