Merge pull request #471 from jeremymeng/tt-compliant

Address Trusted Types compliance issue

Changelog.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.6.2 - (2022-07-28)
+
+- Address Trusted Types compliance issue.
+
 ## 2.6.1 - (2022-01-25)
 
 - Fix a security issue with [CVE-2022-0235](https://github.com/advisories/GHSA-r683-j2x4-v87g) by upgrade [node-fetch](https://www.npmjs.com/package/node-fetch) (PR [459](https://github.com/Azure/ms-rest-js/pull/459))

lib/util/constants.ts

@@ -7,7 +7,7 @@ export const Constants = {
    * @const
    * @type {string}
    */
-  msRestVersion: "2.6.1",
+  msRestVersion: "2.6.2",
 
   /**
    * Specifies HTTP.

lib/util/xml.browser.ts

@@ -2,9 +2,23 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 const parser = new DOMParser();
+
+// Policy to make our code Trusted Types compliant.
+//   https://github.com/w3c/webappsec-trusted-types
+// We are calling DOMParser.parseFromString() to parse XML payload from Azure services.
+// The parsed DOM object is not exposed to outside. Scripts are disabled when parsing
+// according to the spec.  There are no HTML/XSS security concerns on the usage of
+// parseFromString() here.
+let ttPolicy: Pick<TrustedTypePolicy, "createHTML"> | undefined;
+if (typeof self.trustedTypes !== "undefined") {
+  ttPolicy = self.trustedTypes.createPolicy("@azure/ms-rest-js#xml.browser", {
+    createHTML: (s) => s,
+  });
+}
+
 export function parseXML(str: string): Promise<any> {
   try {
-    const dom = parser.parseFromString(str, "application/xml");
+    const dom = parser.parseFromString((ttPolicy?.createHTML(str) ?? str) as string, "application/xml");
     throwIfError(dom);
 
     const obj = domToObject(dom.childNodes[0]);
@@ -16,8 +30,10 @@ export function parseXML(str: string): Promise<any> {
 
 let errorNS = "";
 try {
-  errorNS = parser.parseFromString("INVALID", "text/xml").getElementsByTagName("parsererror")[0]
-    .namespaceURI!;
+  const invalidXML = (ttPolicy?.createHTML("INVALID") ?? "INVALID") as string;
+  errorNS =
+    parser.parseFromString(invalidXML, "text/xml").getElementsByTagName("parsererror")[0]
+      .namespaceURI! ?? "";
 } catch (ignored) {
   // Most browsers will return a document containing <parsererror>, but IE will throw.
 }

lib/util/xml.ts

@@ -23,7 +23,7 @@ export function parseXML(str: string): Promise<any> {
     if (!str) {
       reject(new Error("Document is empty"));
     } else {
-      xmlParser.parseString(str, (err?: Error, res?: any) => {
+      xmlParser.parseString(str, (err: any, res: any) => {
         if (err) {
           reject(err);
         } else {

package.json

@@ -5,7 +5,7 @@
     "email": "azsdkteam@microsoft.com",
     "url": "https://github.com/Azure/ms-rest-js"
   },
-  "version": "2.6.1",
+  "version": "2.6.2",
   "description": "Isomorphic client Runtime for Typescript/node.js/browser javascript client libraries generated using AutoRest",
   "tags": [
     "isomorphic",
@@ -77,6 +77,7 @@
     "@types/semver": "^6.0.1",
     "@types/sinon": "^7.0.13",
     "@types/tough-cookie": "^2.3.5",
+    "@types/trusted-types": "^2.0.0",
     "@types/tunnel": "0.0.1",
     "@types/uuid": "^8.3.2",
     "@types/webpack": "^4.4.34",