From a1d06caa4e21bf49bbe56b471001e2ef16c7e59c Mon Sep 17 00:00:00 2001 From: A-Katopodis Date: Sat, 7 Nov 2020 22:08:00 +0200 Subject: [PATCH] Initial Commit --- .github/workflows/E2E integration.yml | 79 + .../workflows/node-version-integration.yml | 30 + .github/workflows/publish.yml | 34 + .gitignore | 4 + .npmignore | 4 + CODE_OF_CONDUCT.md | 9 + README.md | 66 + SECURITY.md | 41 + config/angular.js | 17 + config/angularjs.js | 19 + config/common.js | 30 + config/electron.js | 17 + config/node.js | 19 + config/react.js | 19 + config/recommended.js | 26 + config/required.js | 22 + config/typescript.js | 36 + docs/rules/no-angular-bypass-sanitizer.md | 7 + docs/rules/no-angularjs-bypass-sce.md | 7 + docs/rules/no-angularjs-enable-svg.md | 7 + .../no-angularjs-sanitization-whitelist.md | 7 + docs/rules/no-cookies.md | 13 + docs/rules/no-document-domain.md | 7 + docs/rules/no-document-write.md | 7 + docs/rules/no-electron-node-integration.md | 9 + docs/rules/no-html-method.md | 7 + docs/rules/no-inner-html.md | 11 + docs/rules/no-insecure-random.md | 17 + docs/rules/no-insecure-url.md | 55 + docs/rules/no-msapp-exec-unsafe.md | 3 + docs/rules/no-postmessage-star-origin.md | 3 + docs/rules/no-unsafe-alloc.md | 12 + docs/rules/no-winjs-html-unsafe.md | 3 + docs/rules/react-iframe-missing-sandbox.md | 17 + lib/ast-utils.js | 77 + lib/index.js | 31 + lib/rules/no-angular-bypass-sanitizer.js | 39 + lib/rules/no-angularjs-bypass-sce.js | 63 + lib/rules/no-angularjs-enable-svg.js | 53 + .../no-angularjs-sanitization-whitelist.js | 39 + lib/rules/no-cookies.js | 43 + lib/rules/no-document-domain.js | 44 + lib/rules/no-document-write.js | 44 + lib/rules/no-electron-node-integration.js | 38 + lib/rules/no-html-method.js | 56 + lib/rules/no-inner-html.js | 88 + lib/rules/no-insecure-random.js | 99 + lib/rules/no-insecure-url.js | 93 + lib/rules/no-msapp-exec-unsafe.js | 38 + lib/rules/no-postmessage-star-origin.js | 55 + lib/rules/no-unsafe-alloc.js | 46 + lib/rules/no-winjs-html-unsafe.js | 38 + lib/rules/react-iframe-missing-sandbox.js | 108 ++ package-lock.json | 1638 +++++++++++++++++ package.json | 33 + tests/fixtures/estree.ts | 0 tests/fixtures/tsconfig.json | 8 + .../lib/rules/no-angular-bypass-sanitizer.js | 46 + tests/lib/rules/no-angularjs-bypass-sce.js | 63 + tests/lib/rules/no-angularjs-enable-svg.js | 29 + .../no-angularjs-sanitization-whitelist.js | 43 + tests/lib/rules/no-cookies.js | 87 + tests/lib/rules/no-document-domain.js | 63 + tests/lib/rules/no-document-write.js | 86 + .../lib/rules/no-electron-node-integration.js | 63 + tests/lib/rules/no-html-method.js | 45 + tests/lib/rules/no-inner-html.js | 78 + tests/lib/rules/no-insecure-random.js | 198 ++ tests/lib/rules/no-insecure-url.js | 133 ++ tests/lib/rules/no-msapp-exec-unsafe.js | 24 + tests/lib/rules/no-postmessage-star-origin.js | 59 + tests/lib/rules/no-unsafe-alloc.js | 29 + tests/lib/rules/no-winjs-html-unsafe.js | 29 + .../lib/rules/react-iframe-missing-sandbox.js | 79 + tests/lib/test-utils.js | 23 + 75 files changed, 4612 insertions(+) create mode 100644 .github/workflows/E2E integration.yml create mode 100644 .github/workflows/node-version-integration.yml create mode 100644 .github/workflows/publish.yml create mode 100644 .gitignore create mode 100644 .npmignore create mode 100644 CODE_OF_CONDUCT.md create mode 100644 README.md create mode 100644 SECURITY.md create mode 100644 config/angular.js create mode 100644 config/angularjs.js create mode 100644 config/common.js create mode 100644 config/electron.js create mode 100644 config/node.js create mode 100644 config/react.js create mode 100644 config/recommended.js create mode 100644 config/required.js create mode 100644 config/typescript.js create mode 100644 docs/rules/no-angular-bypass-sanitizer.md create mode 100644 docs/rules/no-angularjs-bypass-sce.md create mode 100644 docs/rules/no-angularjs-enable-svg.md create mode 100644 docs/rules/no-angularjs-sanitization-whitelist.md create mode 100644 docs/rules/no-cookies.md create mode 100644 docs/rules/no-document-domain.md create mode 100644 docs/rules/no-document-write.md create mode 100644 docs/rules/no-electron-node-integration.md create mode 100644 docs/rules/no-html-method.md create mode 100644 docs/rules/no-inner-html.md create mode 100644 docs/rules/no-insecure-random.md create mode 100644 docs/rules/no-insecure-url.md create mode 100644 docs/rules/no-msapp-exec-unsafe.md create mode 100644 docs/rules/no-postmessage-star-origin.md create mode 100644 docs/rules/no-unsafe-alloc.md create mode 100644 docs/rules/no-winjs-html-unsafe.md create mode 100644 docs/rules/react-iframe-missing-sandbox.md create mode 100644 lib/ast-utils.js create mode 100644 lib/index.js create mode 100644 lib/rules/no-angular-bypass-sanitizer.js create mode 100644 lib/rules/no-angularjs-bypass-sce.js create mode 100644 lib/rules/no-angularjs-enable-svg.js create mode 100644 lib/rules/no-angularjs-sanitization-whitelist.js create mode 100644 lib/rules/no-cookies.js create mode 100644 lib/rules/no-document-domain.js create mode 100644 lib/rules/no-document-write.js create mode 100644 lib/rules/no-electron-node-integration.js create mode 100644 lib/rules/no-html-method.js create mode 100644 lib/rules/no-inner-html.js create mode 100644 lib/rules/no-insecure-random.js create mode 100644 lib/rules/no-insecure-url.js create mode 100644 lib/rules/no-msapp-exec-unsafe.js create mode 100644 lib/rules/no-postmessage-star-origin.js create mode 100644 lib/rules/no-unsafe-alloc.js create mode 100644 lib/rules/no-winjs-html-unsafe.js create mode 100644 lib/rules/react-iframe-missing-sandbox.js create mode 100644 package-lock.json create mode 100644 package.json create mode 100644 tests/fixtures/estree.ts create mode 100644 tests/fixtures/tsconfig.json create mode 100644 tests/lib/rules/no-angular-bypass-sanitizer.js create mode 100644 tests/lib/rules/no-angularjs-bypass-sce.js create mode 100644 tests/lib/rules/no-angularjs-enable-svg.js create mode 100644 tests/lib/rules/no-angularjs-sanitization-whitelist.js create mode 100644 tests/lib/rules/no-cookies.js create mode 100644 tests/lib/rules/no-document-domain.js create mode 100644 tests/lib/rules/no-document-write.js create mode 100644 tests/lib/rules/no-electron-node-integration.js create mode 100644 tests/lib/rules/no-html-method.js create mode 100644 tests/lib/rules/no-inner-html.js create mode 100644 tests/lib/rules/no-insecure-random.js create mode 100644 tests/lib/rules/no-insecure-url.js create mode 100644 tests/lib/rules/no-msapp-exec-unsafe.js create mode 100644 tests/lib/rules/no-postmessage-star-origin.js create mode 100644 tests/lib/rules/no-unsafe-alloc.js create mode 100644 tests/lib/rules/no-winjs-html-unsafe.js create mode 100644 tests/lib/rules/react-iframe-missing-sandbox.js create mode 100644 tests/lib/test-utils.js diff --git a/.github/workflows/E2E integration.yml b/.github/workflows/E2E integration.yml new file mode 100644 index 0000000..6181b60 --- /dev/null +++ b/.github/workflows/E2E integration.yml @@ -0,0 +1,79 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +name: E2E integration + +on: + push: + branches: [main] + pull_request_target: + branches: [main, release/vNext] + +env: + PROJECT: discordjs # The name of the project you want to clone. It must be on github + REPOSITORY: discord.js # The repository name + FOLDER_TO_SCAN: src # The folder under which the source code you have is contained. Relative to the repository + TS_CONFIG_PATH: tsconfig.json # The tsconfig.json path relative to the repository + +jobs: + build: + name: E2E run with sarif + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: [ubuntu-18.04, windows-2019] + + steps: + - name: Setup Node.js environment + uses: actions/setup-node@v1.4.3 + + - uses: actions/checkout@v2 + with: + repository: ${{env.PROJECT}}/${{env.REPOSITORY}} + path: ${{env.PROJECT}} + clean: true + - uses: actions/checkout@v2 + with: + path: eslint-plugin-sdl + clean: true + + # store them inside a seperate folder for performance in case of multiple projects. + # Trying to install eslint on a project with an existing package.json will install all of the package.json packages as well + - name: Create eslint directory + run: | + mkdir eslint + continue-on-error: true + + - name: Install eslint for discord library and eslint-plugin-dependencies + run: | + npm i eslint + npm i eslint-plugin-security + npm i eslint-plugin-react + npm i eslint-plugin-node + npm i typescript + npm i @microsoft/eslint-formatter-sarif + working-directory: eslint + + - name: Link the eslint-plugin-sdl + run: npm link ../eslint-plugin-sdl + working-directory: eslint + + - name: Run eslint + run: npx eslint + -c node_modules/@microsoft/eslint-plugin-sdl/config/recommended.js + ../${{env.PROJECT}}/${{env.FOLDER_TO_SCAN}}/ + --ext .js + --parser-options=project:../${{env.PROJECT}}/${{env.TS_CONFIG_PATH}} + --no-eslintrc + -f @microsoft/eslint-formatter-sarif + -o ../${{env.PROJECT}}/eslint-result-${{ matrix.os }}-${{github.run_id}}.sarif + working-directory: eslint + continue-on-error: true + + - name: Upload eslint results as artifact + uses: actions/upload-artifact@v2 + with: + name: eslint-result + path: ${{env.PROJECT}}/eslint-result-${{ matrix.os }}-${{github.run_id}}.sarif + if-no-files-found: error diff --git a/.github/workflows/node-version-integration.yml b/.github/workflows/node-version-integration.yml new file mode 100644 index 0000000..ef8659d --- /dev/null +++ b/.github/workflows/node-version-integration.yml @@ -0,0 +1,30 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +name: Node CI + +on: + push: + branches: [main] + pull_request_target: + branches: [main, release/vNext] + +jobs: + build: + + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, windows-2019, macos-10.15] + node-version: [12.x, 14.x] + + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm ci + - run: npm run build --if-present + - run: npm test diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..7b31b73 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,34 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +name: Publish Package + +on: + release: + types: [created] + +jobs: + # Run one last check + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v1 + with: + node-version: 12 + - run: npm ci + - run: npm test + + publish-npm: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v1 + with: + node-version: 12 + registry-url: https://registry.npmjs.org/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.npm_token}} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fcd3dc0 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +node_modules/ +.vscode/ diff --git a/.npmignore b/.npmignore new file mode 100644 index 0000000..28c5d8d --- /dev/null +++ b/.npmignore @@ -0,0 +1,4 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +tests/ +.github/ \ No newline at end of file diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..f9ba8cf --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,9 @@ +# Microsoft Open Source Code of Conduct + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). + +Resources: + +- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) +- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) +- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns diff --git a/README.md b/README.md new file mode 100644 index 0000000..615c0e8 --- /dev/null +++ b/README.md @@ -0,0 +1,66 @@ +# eslint-plugin-sdl + +[ESLint Plugin](https://eslint.org/docs/developer-guide/working-with-plugins) focused on common security issues and misconfigurations. + +Plugin is intended as a baseline for projects that follow [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/en-us/securityengineering/sdl) and use ESLint to perform [Static Analysis Security Testing (SAST)](https://www.microsoft.com/en-us/securityengineering/sdl/practices#practice9). + +## Configs + +Plugin is shipped with following [Shareable Configs](http://eslint.org/docs/developer-guide/shareable-configs): + +- [angular](config/angular.js) - Set of rules for [Angular](https://angular.io) applications +- [angularjs](config/angularjs.js) - Set of rules for [AngularJS](https://docs.angularjs.org) applications +- [common](config/common.js) - Set of rules for common JavaScript applications +- [electron](config/electron.js) - Set of rules for Electron applications +- [node](config/node.js) - Set of rules for Node applications +- [react](config/react.js) - Set of rules for [ReactJS](https://reactjs.org) applications +- [**recommended**](config/recommended.js) - SDL Recommended rules for all applications +- [**required**](config/required.js) - SDL Required rules for all applications +- [typescript](config/typescript.js) - Set of rules for TypeScript applications + +## Rules + +Where possible, we leverage existing rules from [ESLint](https://eslint.org/docs/rules/) and community plugins such as [react](https://github.com/yannickcr/eslint-plugin-react), [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/master/packages/eslint-plugin#supported-rules) or [security](https://github.com/nodesecurity/eslint-plugin-security#rules). + +We also implemented several [custom rules](./lib/rules) where we did not find sufficient alternative in the community. + +| Name | Description | +| --- | --- | +| [no-caller](https://eslint.org/docs/rules/no-caller) | Bans usage of deprecated functions `arguments.caller()` and `arguments.callee` that could potentially allow access to call stack. | +| [no-delete-var](https://eslint.org/docs/rules/no-delete-var) | Bans usage of operator `delete` on variables as it can lead to unexpected behavior. | +| [no-eval](https://eslint.org/docs/rules/no-eval) | Bans usage of [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) that allows code execution from string argument. | +| [no-implied-eval](https://eslint.org/docs/rules/no-implied-eval) | Bans usage of `setTimeout()`, `setInterval()` and `execScript()`. These functions are similar to `eval()` and prone to code execution. | +| [no-new-func](https://eslint.org/docs/rules/no-new-func) | Bans calling `new Function()` as it's similar to `eval()` and prone to code execution. | +| [node/no-deprecated-api](https://github.com/mysticatea/eslint-plugin-node/blob/master/docs/rules/no-deprecated-api.md) | Bans usage of deprecated APIs in Node. | +| [@microsoft/sdl/no-angular-bypass-sanitizer](./docs/rules/no-angular-bypass-sanitizer.md) | Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. | +| [@microsoft/sdl/no-angularjs-bypass-sce](./docs/rules/no-angularjs-bypass-sce.md) | Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. | +| [@microsoft/sdl/no-angularjs-enable-svg](./docs/rules/no-angularjs-enable-svg.md) | Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. | +| [@microsoft/sdl/no-angularjs-sanitization-whitelist](./docs/rules/no-angularjs-sanitization-whitelist.md) | Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. | +| [@microsoft/sdl/no-cookies](./docs/rules/no-cookies.md) | HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. | +| [@microsoft/sdl/no-document-domain](./docs/rules/no-document-domain.md) | Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited. | +| [@microsoft/sdl/no-document-write](./docs/rules/no-document-write.md) | Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | +| [@microsoft/sdl/no-electron-node-integration](./docs/rules/no-electron-node-integration.md) | [Node.js Integration](https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content) must not be enabled in any renderer that loads remote content to avoid remote code execution attacks. | +| [@microsoft/sdl/no-html-method](./docs/rules/no-html-method.md) | Direct calls to method `html()` often (e.g. in jQuery framework) manipulate DOM without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | +| [@microsoft/sdl/no-inner-html](./docs/rules/no-inner-html.md) | Assignments to innerHTML or outerHTML properties manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. | +| [@microsoft/sdl/no-insecure-url](./docs/rules/no-insecure-url.md) | Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending potentially sensitive data over untrusted networks in plaintext. | +| [@microsoft/sdl/no-msapp-exec-unsafe](./docs/rules/no-msapp-exec-unsafe.md) | Calls to [`MSApp.execUnsafeLocalFunction()`](https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85)) bypass script injection validation and should be avoided. | +| [@microsoft/sdl/no-postmessage-star-origin](./docs/rules/no-postmessage-star-origin.md) | Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. | +| [@microsoft/sdl/no-unsafe-alloc](./docs/rules/no-unsafe-alloc.md) | When calling [`Buffer.allocUnsafe`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafe_size) and [`Buffer.allocUnsafeSlow`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafeslow_size), the allocated memory is not wiped-out and can contain old, potentially sensitive data. | +| [@microsoft/sdl/no-winjs-html-unsafe](./docs/rules/no-winjs-html-unsafe.md) | Calls to [`WinJS.Utilities.setInnerHTMLUnsafe()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)) and similar methods do not perform any input validation and should be avoided. Use [`WinJS.Utilities.setInnerHTML()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. | +| [@microsoft/sdl/react-iframe-missing-sandbox](./docs/rules/react-iframe-missing-sandbox.md) | The [sandbox](https://www.w3schools.com/tags/att_iframe_sandbox.asp) attribute enables an extra set of restrictions for the content in the iframe and should always be specified. | +| [react/no-danger](https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/no-danger.md) | Bans usage of `dangerouslySetInnerHTML` property in React as it allows passing unsanitized HTML in DOM. | +| [@typescript-eslint/no-implied-eval](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/eslint-plugin/docs/rules/no-implied-eval.md) | Similar to built-in ESLint rule `no-implied-eval`. Bans usage of `setTimeout()`, `setInterval()`, `setImmediate()`, `execScript()` or `new Function()` as they are similar to `eval()` and allow code execution from string arguments. | + +## Contributing + +This project welcomes contributions and suggestions. Most contributions require you to agree to a +Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us +the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. + +When you submit a pull request, a CLA bot will automatically determine whether you need to provide +a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions +provided by the bot. You will only need to do this once across all repos using our CLA. + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). +For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or +contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..f7b8998 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd). + + \ No newline at end of file diff --git a/config/angular.js b/config/angular.js new file mode 100644 index 0000000..4213670 --- /dev/null +++ b/config/angular.js @@ -0,0 +1,17 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for Angular apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl" + ], + rules: { + "@microsoft/sdl/no-angular-bypass-sanitizer": "error" + } +} \ No newline at end of file diff --git a/config/angularjs.js b/config/angularjs.js new file mode 100644 index 0000000..1e7ab4c --- /dev/null +++ b/config/angularjs.js @@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for AngularJS apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl" + ], + rules: { + "@microsoft/sdl/no-angularjs-enable-svg": "error", + "@microsoft/sdl/no-angularjs-sanitization-whitelist": "error", + "@microsoft/sdl/no-angularjs-bypass-sce": "error" + } +} \ No newline at end of file diff --git a/config/common.js b/config/common.js new file mode 100644 index 0000000..d1a52b6 --- /dev/null +++ b/config/common.js @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for common JavaScript apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl" + ], + rules: { + "no-caller": "error", + "no-delete-var": "error", + "no-eval": "error", + "no-implied-eval": "error", + "no-new-func": "error", + "@microsoft/sdl/no-cookies": "error", + "@microsoft/sdl/no-document-domain": "error", + "@microsoft/sdl/no-document-write": "error", + "@microsoft/sdl/no-html-method": "error", + "@microsoft/sdl/no-inner-html": "error", + "@microsoft/sdl/no-insecure-url": "error", + "@microsoft/sdl/no-msapp-exec-unsafe": "error", + "@microsoft/sdl/no-postmessage-star-origin": "error", + "@microsoft/sdl/no-winjs-html-unsafe": "error" + } +} \ No newline at end of file diff --git a/config/electron.js b/config/electron.js new file mode 100644 index 0000000..26d398f --- /dev/null +++ b/config/electron.js @@ -0,0 +1,17 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for Electron apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl" + ], + rules: { + "@microsoft/sdl/no-electron-node-integration": "error" + } +} \ No newline at end of file diff --git a/config/node.js b/config/node.js new file mode 100644 index 0000000..a2e6d9b --- /dev/null +++ b/config/node.js @@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for Node apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl", + "node" + ], + rules: { + "@microsoft/sdl/no-unsafe-alloc": "error", + "node/no-deprecated-api": "error" + } +} \ No newline at end of file diff --git a/config/react.js b/config/react.js new file mode 100644 index 0000000..b8971ef --- /dev/null +++ b/config/react.js @@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for React apps. + */ + +"use strict"; + +module.exports = { + plugins: [ + "react", + "@microsoft/sdl" + ], + rules: { + "react/no-danger": "error", + "@microsoft/sdl/react-iframe-missing-sandbox": "error" + } +} \ No newline at end of file diff --git a/config/recommended.js b/config/recommended.js new file mode 100644 index 0000000..37d0af5 --- /dev/null +++ b/config/recommended.js @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Default SDL recommended config for all applications. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl", + "security" + ], + extends: [ + "plugin:@microsoft/sdl/required", + "plugin:@microsoft/sdl/typescript" + ], + // TODO: + // - Consider using SDL Recommended for identifying places in code that are often misused and can be potentially risky. + // - The action should be to review the code, not to remove it. + // - Good lists of such APIs + // - https://github.com/mozfreddyb/eslint-plugin-scanjs-rules/tree/master/lib/rules + // - https://github.com/ajinabraham/njsscan/tree/master/njsscan/rules/semantic_grep + // - Eventually we might remove detect-* rules from security plugin as they have high FP-rate. +} \ No newline at end of file diff --git a/config/required.js b/config/required.js new file mode 100644 index 0000000..46d5659 --- /dev/null +++ b/config/required.js @@ -0,0 +1,22 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Default SDL required config for all applications. + */ + +"use strict"; + +module.exports = { + plugins: [ + "@microsoft/sdl" + ], + extends: [ + "plugin:@microsoft/sdl/angular", + "plugin:@microsoft/sdl/angularjs", + "plugin:@microsoft/sdl/common", + "plugin:@microsoft/sdl/electron", + "plugin:@microsoft/sdl/node", + "plugin:@microsoft/sdl/react" + ] +} \ No newline at end of file diff --git a/config/typescript.js b/config/typescript.js new file mode 100644 index 0000000..d37cb7a --- /dev/null +++ b/config/typescript.js @@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * Shareable config for TypeScript applications. + */ + +"use strict"; + +module.exports = { + parser: "@typescript-eslint/parser", + parserOptions: { + ecmaVersion: 6, + sourceType: "module", + ecmaFeatures: { + jsx: true + } + }, + plugins: [ + "@typescript-eslint" + ], + overrides: [ + { + files: [ + "**/*.{ts,tsx}" + ], + rules: { + "@typescript-eslint/no-implied-eval": "error", + // @typescript-eslint/no-implied-eval offers more accurate results for typescript. + // thus we turn the more generic rule off for ts and tsx files. + // This also avoids duplicate hits. + "no-implied-eval": "off" + } + } + ] +} \ No newline at end of file diff --git a/docs/rules/no-angular-bypass-sanitizer.md b/docs/rules/no-angular-bypass-sanitizer.md new file mode 100644 index 0000000..35d9a95 --- /dev/null +++ b/docs/rules/no-angular-bypass-sanitizer.md @@ -0,0 +1,7 @@ +# Do not bypass Angular's built-in sanitization (no-angular-bypass-sanitizer) + +Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) in Angular and need to be reviewed. + +Sanitization should be disabled only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. + +The issue is well described in official [DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer#security-risk) documentation. Also see [Angular Security Guide](https://angular.io/guide/security) for more details. diff --git a/docs/rules/no-angularjs-bypass-sce.md b/docs/rules/no-angularjs-bypass-sce.md new file mode 100644 index 0000000..0e73fdc --- /dev/null +++ b/docs/rules/no-angularjs-bypass-sce.md @@ -0,0 +1,7 @@ +# Do not bypass Strict Contextual Escaping (SCE) in AngularJS (no-angularjs-bypass-sce) + +Calls to `$sceProvider.enabled(false)`, `$sceDelegate.trustAs()`, `$sce.trustAs()` and relevant shorthand methods (e.g. `trustAsHtml` or `trustAsJs`) bypass [Strict Contextual Escaping (SCE)](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) in AngularJS and need to be reviewed. + +SCE should be bypassed only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. + +See [official documentation](https://docs.angularjs.org/api/ng/service/$sce#strict-contextual-escaping) for more details. \ No newline at end of file diff --git a/docs/rules/no-angularjs-enable-svg.md b/docs/rules/no-angularjs-enable-svg.md new file mode 100644 index 0000000..a5f2ad9 --- /dev/null +++ b/docs/rules/no-angularjs-enable-svg.md @@ -0,0 +1,7 @@ +# Do not enable SVG support in AngularJS (no-angularjs-enable-svg) + +Calls to [`$sanitizeProvider.enableSvg(true)`](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed. + +SVG support should be enabled only in very rare and justifiable cases after careful review so that the risk of introducing Clickjacking vulnerability is minimized. + +See [official documentation](https://docs.angularjs.org/api/ngSanitize/provider/$sanitizeProvider#enableSvg) for more details about the issue. diff --git a/docs/rules/no-angularjs-sanitization-whitelist.md b/docs/rules/no-angularjs-sanitization-whitelist.md new file mode 100644 index 0000000..ccf151a --- /dev/null +++ b/docs/rules/no-angularjs-sanitization-whitelist.md @@ -0,0 +1,7 @@ +# Do not bypass Angular's built-in sanitization (no-angularjs-sanitization-whitelist) + +Calls to [$compileProvider.aHrefSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [$compileProvider.imgSrcSanitizationWhitelist](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed. + +Sanitization should be disabled only in very rare and justifiable cases after careful review so that the risk of introducing Cross-Site-Scripting (XSS) vulnerability is minimized. + +See [official documentation](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) for more details about the issue. diff --git a/docs/rules/no-cookies.md b/docs/rules/no-cookies.md new file mode 100644 index 0000000..5949476 --- /dev/null +++ b/docs/rules/no-cookies.md @@ -0,0 +1,13 @@ +# Do not use HTTP cookies in modern applications (no-cookies) + +HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other modern methods instead. + +Cookies should be used only in rare and justifiable cases after thorough security review. + +## Further Reading + +* [Using HTTP cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) + +## Related Rules + +* [tslint-microsoft-contrib/no-cookies](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noCookiesRule.ts) \ No newline at end of file diff --git a/docs/rules/no-document-domain.md b/docs/rules/no-document-domain.md new file mode 100644 index 0000000..e16c2c1 --- /dev/null +++ b/docs/rules/no-document-domain.md @@ -0,0 +1,7 @@ +# Do not write to document.domain property (no-document-domain) + +Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited. + +## Related Rules + +* [tslint-microsoft-contrib/no-document-domain](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noDocumentDomainRule.ts) diff --git a/docs/rules/no-document-write.md b/docs/rules/no-document-write.md new file mode 100644 index 0000000..3726090 --- /dev/null +++ b/docs/rules/no-document-write.md @@ -0,0 +1,7 @@ +# Do not write to DOM directly using document.write or document.writeln methods (no-document-write) + +Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. + +## Related Rules + +* [tslint-microsoft-contrib/no-document-write](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noDocumentWriteRule.ts) diff --git a/docs/rules/no-electron-node-integration.md b/docs/rules/no-electron-node-integration.md new file mode 100644 index 0000000..91b776e --- /dev/null +++ b/docs/rules/no-electron-node-integration.md @@ -0,0 +1,9 @@ +# Do not enable Node.js Integration for Remote Content (no-electron-node-integration) + +[Node.js Integration](https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content) must not be enabled in any renderer that loads remote content to avoid remote code execution attacks. + +[Rule Source Code](../../lib/rules/no-electron-node-integration.js) + +## Related Rules + +* [codeql/js/enabling-electron-renderer-node-integration](https://help.semmle.com/wiki/display/JS/Enabling+Node.js+integration+for+Electron+web+content+renderers) diff --git a/docs/rules/no-html-method.md b/docs/rules/no-html-method.md new file mode 100644 index 0000000..4ee59a9 --- /dev/null +++ b/docs/rules/no-html-method.md @@ -0,0 +1,7 @@ +# Do not write to DOM directly using jQuery html() method (no-html-method) + +Direct calls to method `html()` often (e.g. in jQuery framework) manipulate DOM without any sanitization and should be avoided. Use document.createElement() or similar methods instead. + +## Related Rules + +* [tslint-microsoft-contrib/no-inner-html](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noInnerHtml.ts) diff --git a/docs/rules/no-inner-html.md b/docs/rules/no-inner-html.md new file mode 100644 index 0000000..15facd9 --- /dev/null +++ b/docs/rules/no-inner-html.md @@ -0,0 +1,11 @@ +# Do not write to DOM directly using innerHTML/outerHTML property (no-inner-html) + +Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead. + +* [Rule Source](../../lib/rules/no-inner-html.js) +* [Rule Test](../../tests/lib/rules/no-inner-html.js) + +## Related Rules + +* [tslint-microsoft-contrib/no-inner-html](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noInnerHtml.ts) +* [eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/docs/rules/method.md) \ No newline at end of file diff --git a/docs/rules/no-insecure-random.md b/docs/rules/no-insecure-random.md new file mode 100644 index 0000000..04bb94f --- /dev/null +++ b/docs/rules/no-insecure-random.md @@ -0,0 +1,17 @@ +# Do not use insecure random functions + +Methods such as Math.random or crypto.pseudoRandomBytes do not produce cryptographically-secure random numbers and must not be used for security purposes such as generating tokens, passwords or keys. + +Use crypto.randomBytes() or window.crypto.getRandomValues() instead. + +## Related Rules + +* [tslint-microsoft-contrib/no-insecure-random](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/insecureRandomRule.ts) +- https://help.semmle.com/wiki/display/JS/Insecure+randomness + - [source](https://github.com/github/codeql/blob/master/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll) +- https://vulncat.fortify.com/en/detail?id=desc.semantic.abap.insecure_randomness#JavaScript +- https://rules.sonarsource.com/javascript/RSPEC-2245 + - [source](https://github.com/SonarSource/SonarJS/blob/master/eslint-bridge/src/rules/pseudo-random.ts) +- https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js +- https://github.com/gkouziik/eslint-plugin-security-node/blob/master/lib/rules/detect-insecure-randomness.js + diff --git a/docs/rules/no-insecure-url.md b/docs/rules/no-insecure-url.md new file mode 100644 index 0000000..6322dd7 --- /dev/null +++ b/docs/rules/no-insecure-url.md @@ -0,0 +1,55 @@ +# Do not use insecure URLs (no-insecure-url) + +Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending potentially sensitive data over untrusted networks in plaintext. + +- [Rule Source](../../lib/rules/no-insecure-url.js) +- [Rule Test](../../tests/lib/rules/no-insecure-url.js) + +## Options +This rule comes with two [default lists](../../lib/rules/no-insecure-url.js#L13): +- **blacklist** - a RegEx list of insecure URL patterns. +- **exceptions** - a RegEx list of common false positive patterns. For example, HTTP URLs to XML schemas are usually allowed as they are used as identifiers, not for establishing actual network connections. + +These lists can be overrided by providing options. + +--- +For example, providing these options... : +```javascript +"@microsoft/sdl/no-insecure-url": ["error", { + "blacklist": ["^(http|ftp):\\/\\/", "^https:\\/\\/www\\.disallow-example\\.com"], + "exceptions": ["^http:\\/\\/schemas\\.microsoft\\.com\\/\\/?.*"] + }] +``` + +... overrides the internal blacklist, blocking the following URL patterns... : +- `http://`... +- `ftp://`... +- `https://www.disallow-example.com` + +... and also overrides the internal exceptions list, allowing the following URL patterns as exceptions.: +- `http://schemas.microsoft.com` + - `http://schemas.microsoft.com/sharepoint` + - `http://schemas.microsoft.com/path/subpath` + - ... + +URLs in neither the blacklist nor the exceptions list, are allowed: +- `telnet://`... +- `ws://`... +- ... + +--- + +**Note**: The RegEx for the lists is provided within a string in a JSON. It is without delimiting slashes `/ /` and thus users cannot pass RegEx parameters. We make it case-insensitive after user input. Do not forget to escape characters: +```javascript +let pureRegex = /^https:\/\/www\.disallow-example\.com/; +let regexInString = "^https:\\/\\/www\\.disallow-example\\.com"; +``` + +## Related Rules +* [tslint-microsoft-contrib/no-http-string](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/noHttpStringRule.ts) +* [CodeQL/InsecureDownloadCustomizations.qll](https://github.com/github/codeql/blob/master/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll#L62) +* [DevSkim/DS137138](https://github.com/microsoft/DevSkim/blob/main/guidance/DS137138.md) +* [Fortify/insecure_transport](https://vulncat.fortify.com/en/detail?id=desc.config.java.insecure_transport#JavaScript%2fTypeScript) + +## Further Reading +* [HTTPS Everywhere](https://en.wikipedia.org/wiki/HTTPS_Everywhere) diff --git a/docs/rules/no-msapp-exec-unsafe.md b/docs/rules/no-msapp-exec-unsafe.md new file mode 100644 index 0000000..4863d51 --- /dev/null +++ b/docs/rules/no-msapp-exec-unsafe.md @@ -0,0 +1,3 @@ +# Do not bypass script injection validation (no-msapp-exec-unsafe) + +Calls to `MSApp.execUnsafeLocalFunction()` bypass script injection validation and should be avoided. diff --git a/docs/rules/no-postmessage-star-origin.md b/docs/rules/no-postmessage-star-origin.md new file mode 100644 index 0000000..f756bd9 --- /dev/null +++ b/docs/rules/no-postmessage-star-origin.md @@ -0,0 +1,3 @@ +# Do not use * as target origin when sending data to other windows (no-postmessage-star-origin) + +Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary. diff --git a/docs/rules/no-unsafe-alloc.md b/docs/rules/no-unsafe-alloc.md new file mode 100644 index 0000000..21892f6 --- /dev/null +++ b/docs/rules/no-unsafe-alloc.md @@ -0,0 +1,12 @@ +# Do not allocate uninitialized buffers in Node.js (no-unsafe-alloc) + +When calling [`Buffer.allocUnsafe`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafe_size) and [`Buffer.allocUnsafeSlow`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafeslow_size), the allocated memory is not wiped-out and can contain old, potentially sensitive data. + +These methods should be used only in justifiable cases (e.g. due to performance reasons) after thorough security review. + +* [Rule Source](../../lib/rules/no-unsafe-alloc.js) +* [Rule Test](../../tests/lib/rules/no-unsafe-alloc.js) + +## Resources + +* [Node.js - What makes Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() "unsafe"?](https://nodejs.org/api/buffer.html#buffer_what_makes_buffer_allocunsafe_and_buffer_allocunsafeslow_unsafe) diff --git a/docs/rules/no-winjs-html-unsafe.md b/docs/rules/no-winjs-html-unsafe.md new file mode 100644 index 0000000..3e9af12 --- /dev/null +++ b/docs/rules/no-winjs-html-unsafe.md @@ -0,0 +1,3 @@ +# Do not set HTML using unsafe methods from WinJS.Utilities (no-winjs-html-unsafe) + +Calls to [`setInnerHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)), [`setOuterHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211698(v=win.10)) or [`insertAdjacentHTMLUnsafe`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br229832(v=win.10)) methods from [Windows Library for JavaScript](https://docs.microsoft.com/en-us/previous-versions/windows/apps/mt502392(v=win.10)) do not perform input validation and should be avoided. Use alternate methods such as [`setInnerHTML`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead. \ No newline at end of file diff --git a/docs/rules/react-iframe-missing-sandbox.md b/docs/rules/react-iframe-missing-sandbox.md new file mode 100644 index 0000000..24dd407 --- /dev/null +++ b/docs/rules/react-iframe-missing-sandbox.md @@ -0,0 +1,17 @@ +# An iframe element is missing a sandbox attribute (react-iframe-missing-sandbox) + +The [sandbox](https://www.w3schools.com/tags/att_iframe_sandbox.asp) attribute enables an extra set of restrictions for the content in the iframe and should always be specified. + +Additional functionality such as the ability to run scripts should be enabled only in justifiable cases after thorough security review. + +* [Rule Source](../../lib/rules/react-iframe-missing-sandbox.js) +* [Rule Test](../../tests/lib/rules/react-iframe-missing-sandbox.js) + +## Related Rules + +* [tslint-microsoft-contrib/react-iframe-missing-sandbox](https://github.com/microsoft/tslint-microsoft-contrib/blob/master/src/reactIframeMissingSandboxRule.ts) + +## More Reading + +* [How to safely inject HTML in React using an iframe](https://medium.com/the-thinkmill/how-to-safely-inject-html-in-react-using-an-iframe-adc775d458bc) +* [Play safely in sandboxed IFrames](https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/) \ No newline at end of file diff --git a/lib/ast-utils.js b/lib/ast-utils.js new file mode 100644 index 0000000..df2e073 --- /dev/null +++ b/lib/ast-utils.js @@ -0,0 +1,77 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Common utils for AST. + */ + +"use strict"; + +module.exports = { + isTypeScriptParserServices(parserServices) { + // Check properties specific to @typescript-eslint/parser + return ( + parserServices && + parserServices.program && + parserServices.esTreeNodeToTSNodeMap && + parserServices.tsNodeToESTreeNodeMap + ); + }, + hasFullTypeInformation(context) { + var hasFullTypeInformation = ( + context && + this.isTypeScriptParserServices(context.parserServices) && + context.parserServices.hasFullTypeInformation === true + ); + return hasFullTypeInformation; + }, + getFullTypeChecker(context) { + return this.hasFullTypeInformation(context) ? context.parserServices.program.getTypeChecker() : null; + }, + getNodeType(node, context) { + const typeChecker = context.parserServices.program.getTypeChecker(); + const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node); + const tsType = typeChecker.getTypeAtLocation(tsNode); + return typeChecker.typeToString(tsType); + }, + getCallerType(fullTypeChecker, object, context){ + const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(object); + const tsType = fullTypeChecker.getTypeAtLocation(tsNode); + const type = fullTypeChecker.typeToString(tsType); + return type; + }, + isDocumentObject(node, context, fullTypeChecker) { + if (fullTypeChecker) { + const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node); + const tsType = fullTypeChecker.getTypeAtLocation(tsNode); + const type = fullTypeChecker.typeToString(tsType); + return (type === "Document"); + } + + // Best-effort checking without Type information + switch (node.type) { + case "Identifier": + return node != undefined && node.name == "document"; + case "MemberExpression": + return ( + node != undefined && + node.property != undefined && + node.property.name == "document" && ( + (node.object != undefined && + node.object.name == "window") || + ( + node.object != undefined && + node.object.property != undefined && + node.object.property.name == "window" && + ( + + (node.object.object != undefined && node.object.object.type == "ThisExpression") || + (node.object.object != undefined && node.object.object.name == "globalThis") + ) + ) + ) + ); + }; + return false; + } +}; \ No newline at end of file diff --git a/lib/index.js b/lib/index.js new file mode 100644 index 0000000..efb7740 --- /dev/null +++ b/lib/index.js @@ -0,0 +1,31 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview ESLint plugin that implements rules intended for static testing during SDL + * @author Antonios Katopodis + */ +"use strict"; + +//------------------------------------------------------------------------------ +// Plugin Definition +//------------------------------------------------------------------------------ +const path = require("path"); +const fs = require('fs'); + +function readFilesAsMap(relativeDir) { + var absoluteDir = path.resolve(__dirname, relativeDir); + var files = fs.readdirSync(absoluteDir); + var output = {}; + files.forEach(filename => { + var file = path.parse(filename); + var obj = require(path.join(absoluteDir, file.base)); + output[file.name] = obj; + }); + return output; +} + +module.exports = { + rules: readFilesAsMap("./rules"), + configs: readFilesAsMap("../config") +} diff --git a/lib/rules/no-angular-bypass-sanitizer.js b/lib/rules/no-angular-bypass-sanitizer.js new file mode 100644 index 0000000..3493ee9 --- /dev/null +++ b/lib/rules/no-angular-bypass-sanitizer.js @@ -0,0 +1,39 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow bypassing Angular's built-in sanitizer + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Calls to bypassSecurityTrustHtml, bypassSecurityTrustScript and similar methods bypass DomSanitizer in Angular and need to be reviewed.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angular-bypass-sanitizer.md" + }, + messages: { + noBypass: "Do not bypass Angular's built-in sanitizer" + } + }, + create: function(context) { + return { + "CallExpression[arguments!=''][callee.property.name=/bypassSecurityTrust(Html|ResourceUrl|Script|Style|Url)/]"(node) { + context.report( + { + node: node, + messageId: "noBypass" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-angularjs-bypass-sce.js b/lib/rules/no-angularjs-bypass-sce.js new file mode 100644 index 0000000..a4e7019 --- /dev/null +++ b/lib/rules/no-angularjs-bypass-sce.js @@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow bypassing Strict Contextual Escaping (SCE) in AngularJS + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Calls to $sceProvider.enabled(false), $sceDelegate.trustAs(), $sce.trustAs() and relevant shorthand methods (e.g. trustAsHtml or trustAsJs) bypass Strict Contextual Escaping (SCE) in AngularJS and need to be reviewed.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-bypass-sce.md" + }, + messages: { + doNotBypass: "Do not bypass Strict Contextual Escaping (SCE) in AngularJS" + } + }, + create: function (context) { + + function reportIt(node) { + context.report({ + node: node, + messageId: "doNotBypass" + }); + } + + return { + "CallExpression[arguments!=''][callee.object.name='$sceProvider'][callee.property.name='enabled']"(node) { + // Known false positives + if (node.arguments == undefined || node.arguments.length != 1 || (node.arguments[0].type == "Literal" && /true|1/.test(node.arguments[0].value))){ + return; + } + return reportIt(node) + }, + "CallExpression[arguments!=''][callee.object.name='$sceDelegate'][callee.property.name='trustAs']": reportIt, + "CallExpression[arguments!=''][callee.object.name='$sce'][callee.property.name=/trustAs(Css|Html|Js|ResourceUrl|Url)?/]"(node) { + // Known false positives + if ( + node.arguments + && node.arguments.length === 1 + && node.arguments[0].type === "Literal" + && node.arguments[0].value === "" + ) { + return; + } + + return reportIt(node); + } + }; + } +}; + +// TODO: Review https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlWhitelist and https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#resourceUrlBlacklist diff --git a/lib/rules/no-angularjs-enable-svg.js b/lib/rules/no-angularjs-enable-svg.js new file mode 100644 index 0000000..d2a680d --- /dev/null +++ b/lib/rules/no-angularjs-enable-svg.js @@ -0,0 +1,53 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow enabling SVG in AngularJS apps + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Calls to $sanitizeProvider.enableSvg(true) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-enable-svg.md" + }, + messages: { + doNotEnableSVG: "Do not enable SVG support in AngularJS" + } + }, + create: function (context) { + return { + "CallExpression[callee.object.name='$sanitizeProvider'][callee.property.name='enableSvg']"(node) { + // Known false positives + if ( + (node.arguments != undefined && + node.arguments.length != 1) || + ( + node.arguments[0].type == "Literal" && ( + node.arguments[0].value == "false" || node.arguments[0].value == "0" + ) + )) + { + return; + } + context.report( + { + node: node, + messageId: "doNotEnableSVG" + }); + } + }; + } +}; + +// TODO: Add rules for $sanitizeProvider.addValidElements() and $sanitizeProvider.addValidAttrs() \ No newline at end of file diff --git a/lib/rules/no-angularjs-sanitization-whitelist.js b/lib/rules/no-angularjs-sanitization-whitelist.js new file mode 100644 index 0000000..dcbfa98 --- /dev/null +++ b/lib/rules/no-angularjs-sanitization-whitelist.js @@ -0,0 +1,39 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow modifying sanitization whitelist in AngularJS + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Calls to [`$compileProvider.aHrefSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationWhitelist) or [`$compileProvider.imgSrcSanitizationWhitelist`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationWhitelist) configure whitelists in AngularJS sanitizer and need to be reviewed.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-sanitization-whitelist.md" + }, + messages: { + noSanitizationWhitelist: "Do not modify sanitization whitelist in AngularJS" + } + }, + create: function(context) { + return { + "CallExpression[arguments!=''][callee.object.name='$compileProvider'][callee.property.name=/(aHref|imgSrc)SanitizationWhitelist/]"(node) { + context.report( + { + node: node, + messageId: "noSanitizationWhitelist" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-cookies.js b/lib/rules/no-cookies.js new file mode 100644 index 0000000..19fc215 --- /dev/null +++ b/lib/rules/no-cookies.js @@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow usage of HTTP cookies + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "HTTP cookies are an old client-side storage mechanism with inherent risks and limitations. Use Web Storage, IndexedDB or other more modern methods instead.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-cookies.md" + }, + messages: { + doNotUseCookies: "Do not use HTTP cookies in modern applications" + } + }, + create: function (context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + "MemberExpression[property.name='cookie']"(node) { + if (astUtils.isDocumentObject(node.object, context, fullTypeChecker)) { + context.report({ + node: node, + messageId: "doNotUseCookies" + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-document-domain.js b/lib/rules/no-document-domain.js new file mode 100644 index 0000000..32af7ea --- /dev/null +++ b/lib/rules/no-document-domain.js @@ -0,0 +1,44 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow document.domain property + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Writes to [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) property must be reviewed to avoid bypass of [same-origin checks](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin). Usage of top level domains such as `azurewebsites.net` is strictly prohibited.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-document-domain.md" + }, + messages: { + default: 'Do not write to document.domain property' + } + }, + create: function(context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + "AssignmentExpression[operator='='][left.property.name='domain']"(node) { + if (astUtils.isDocumentObject(node.left.object, context, fullTypeChecker)) { + context.report( + { + node: node, + messageId: "default" + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-document-write.js b/lib/rules/no-document-write.js new file mode 100644 index 0000000..20b36b1 --- /dev/null +++ b/lib/rules/no-document-write.js @@ -0,0 +1,44 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow document.write or document.writeln method call + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-document-write.md" + }, + messages: { + default: 'Do not write to DOM directly using document.write or document.writeln methods' + } + }, + create: function(context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + "CallExpression[arguments.length=1][callee.property.name=/write|writeln/]"(node) { + if (astUtils.isDocumentObject(node.callee.object, context, fullTypeChecker)) { + context.report( + { + node: node, + messageId: "default" + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-electron-node-integration.js b/lib/rules/no-electron-node-integration.js new file mode 100644 index 0000000..5a3d1cb --- /dev/null +++ b/lib/rules/no-electron-node-integration.js @@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow enabling Node.js integration in Electron apps + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "[Node.js Integration](https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content) must not be enabled in any renderer that loads remote content to avoid remote code execution attacks.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-electron-node-integration.md" + }, + messages: { + default: "Do not enable Node.js Integration for Remote Content" + } + }, + create: function(context) { + return { + "NewExpression[callee.name=/BrowserWindow|BrowserView/] > ObjectExpression.arguments > Property.properties[key.name=webPreferences] > ObjectExpression.value > Property.properties[key.name=/nodeIntegration|nodeIntegrationInWorker|nodeIntegrationInSubFrames/][value.value='true']"(node) { + context.report( + { + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-html-method.js b/lib/rules/no-html-method.js new file mode 100644 index 0000000..ef5e939 --- /dev/null +++ b/lib/rules/no-html-method.js @@ -0,0 +1,56 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow call to html() method + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs:{ + description: "Direct calls to method `html()` often (e.g. in jQuery framework) manipulate DOM without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-html-method.md" + }, + messages: { + default: 'Do not write to DOM directly using jQuery html() method' + } + }, + create: function(context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + // TODO: + // - Cover similar methods that can manipulate DOM such as append(string), jQuery(string) + // - Improve rule with type information from TypeScript parser + // - Consider ignoring all Literals? + "CallExpression[arguments.length=1] > MemberExpression.callee[property.name='html']"(node) { + // Known false positives + if ( + // element.html("") + node.parent.arguments[0].type === "Literal" + && ( + node.parent.arguments[0].value === "" + || node.parent.arguments[0].value === null + ) + ) { + return; + } + context.report( + { + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-inner-html.js b/lib/rules/no-inner-html.js new file mode 100644 index 0000000..40f4a9d --- /dev/null +++ b/lib/rules/no-inner-html.js @@ -0,0 +1,88 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow assignment to innerHTML or outerHTML properties + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + description: "Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-inner-html.md" + }, + messages: { + noInnerHtml: 'Do not write to DOM directly using innerHTML/outerHTML property', + noInsertAdjacentHTML: 'Do not write to DOM using insertAdjacentHTML method' + } + }, + create: function (context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + + function getNodeTypeAsString(node) { + if (fullTypeChecker && node) { + const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node); + const tsType = fullTypeChecker.getTypeAtLocation(tsNode); + const type = fullTypeChecker.typeToString(tsType); + return type; + } + return "any"; + } + + function mightBeHTMLElement(node) { + const type = getNodeTypeAsString(node); + return type === "HTMLElement" || type === "any"; + } + + return { + "CallExpression[arguments.length=2] > MemberExpression.callee[property.name='insertAdjacentHTML']"(node) { + // Ignore known false positives + if ( + node.parent != undefined + && node.parent.arguments != undefined + && node.parent.arguments.length >= 1 + && node.parent.arguments[1] != undefined + // element.insertAdjacentHTML('') + && node.parent.arguments[1].type === 'Literal' && node.parent.arguments[1].value === '' + ) { + return; + } + + if (mightBeHTMLElement(node.object)) { + context.report({ + node: node, + messageId: "noInsertAdjacentHTML" + }); + } + }, + "AssignmentExpression[left.type='MemberExpression'][left.property.name=/innerHTML|outerHTML/]"(node) { + // Ignore known false positives + if ( + node.right != undefined + // element.innerHTML = '' + && node.right.type === 'Literal' && node.right.value === '' + ) { + return; + } + + if (mightBeHTMLElement(node.left.object)) { + context.report({ + node: node, + messageId: "noInnerHtml" + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-insecure-random.js b/lib/rules/no-insecure-random.js new file mode 100644 index 0000000..b1a86e8 --- /dev/null +++ b/lib/rules/no-insecure-random.js @@ -0,0 +1,99 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow call to Math.random and crypto.pseudoRandomBytes functions + * @author Antonios Katopodis + */ + +"use strict"; + +const astUtils = require("../ast-utils"); +const eslint = require("eslint/lib/eslint"); +const path = require('path'); + +const bannedRandomLibraries = [ + 'chance', + 'random-number', + 'random-int', + 'random-float', + 'random-seed', + 'unique-random' +] + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs:{ + description: `Methods such as Math.random or crypto.pseudoRandomBytes do not produce cryptographically-secure random numbers and must not be used for security purposes such as generating tokens, passwords or keys. + + Use crypto.randomBytes() or window.crypto.getRandomValues() instead. + + `, + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-insecure-random.md" + }, + messages: { + default: 'Do not use pseudo-random number generators for generating secret values such as tokens, passwords or keys.' + } + }, + create: function(context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + "CallExpression > MemberExpression[property.name='pseudoRandomBytes']"(node) { + var notFalsePositive = false; + + if (fullTypeChecker) { + const type = astUtils.getCallerType(fullTypeChecker, node.object, context); + notFalsePositive = type === "any" || type === "Crypto"; + }else{ + notFalsePositive = node.object.name === 'crypto'; + } + + if(notFalsePositive){ + context.report({ + node: node, + messageId: "default" + }); + } + }, + "CallExpression > MemberExpression[property.name='random']"(node) { + var notFalsePositive = false; + if (fullTypeChecker) { + const type = astUtils.getCallerType(fullTypeChecker, node.object, context); + notFalsePositive = type === "any" || type === "Math"; + }else{ + notFalsePositive = node.object.name === 'Math'; + } + + if(notFalsePositive){ + context.report({ + node: node, + messageId: "default" + }); + } + }, + ImportDeclaration(node){ + if(bannedRandomLibraries.includes(path.basename(node.source.value))){ + context.report({ + node: node, + messageId: "default" + }); + } + }, + "CallExpression[callee.name='require'][arguments.length=1]"(node){ + var requireName = path.parse(path.basename(node.arguments[0].value)).name; + if(bannedRandomLibraries.includes(requireName)){ + context.report({ + node: node, + messageId: "default" + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-insecure-url.js b/lib/rules/no-insecure-url.js new file mode 100644 index 0000000..b15ea25 --- /dev/null +++ b/lib/rules/no-insecure-url.js @@ -0,0 +1,93 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Disallows usage of insecure protocols in URL strings + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +const DEFAULT_BLACKLIST = [ + /^(ftp|http|telnet|ws):\/\//i +]; + +const DEFAULT_EXCEPTIONS = [ // TODO: add more typical false positives such as XML schemas after more testing + /^http:(\/\/|\\u002f\\u002f)schemas\.microsoft\.com(\/\/|\\u002f\\u002f)?.*/i, + /^http:(\/\/|\\u002f\\u002f)schemas\.openxmlformats\.org(\/\/|\\u002f\\u002f)?.*/i +]; + +module.exports = { + defaultBlacklist: DEFAULT_BLACKLIST, + defaultExceptions: DEFAULT_EXCEPTIONS, + meta: { + type: "suggestion", + fixable: "code", + schema: [ + { + type: "object", + properties: { + blacklist: { + type: "array", + items: { + type: "string" + } + }, + exceptions: { + type: "array", + items: { + type: "string" + } + }, + }, + additionalProperties: false + } + ], + docs: { + category: "Security", + description: "Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending (potentially sensitive) data over untrusted network in plaintext.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-insecure-url.md" + }, + messages: { + doNotUseInsecureUrl: "Do not use insecure URLs" + } + }, + create: function (context) { + const options = context.options[0] || {}; + const blacklist = (options.blacklist || DEFAULT_BLACKLIST).map((pattern) => { return new RegExp(pattern, "i"); }); + const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); }); + + function matches(patterns, value) { + return patterns.find((re) => { return re.test(value) }) !== undefined; + } + + return { + "Literal"(node) { + if (typeof node.value === "string") { + if (matches(blacklist, node.value) && !matches(exceptions, node.value)) { + context.report({ + node: node, + messageId: "doNotUseInsecureUrl" + }); + } + } + }, + "TemplateElement"(node) { + if (typeof node.value.raw === "string" && typeof node.value.cooked === "string") { + const rawStringText = node.value.raw; + const cookedStringText = node.value.cooked; + + if ((matches(blacklist, rawStringText) && !matches(exceptions, rawStringText)) || + (matches(blacklist, cookedStringText) && !matches(exceptions, cookedStringText))) { + context.report({ + node: node, + messageId: "doNotUseInsecureUrl" + }); + } + } + } + }; + }, +}; \ No newline at end of file diff --git a/lib/rules/no-msapp-exec-unsafe.js b/lib/rules/no-msapp-exec-unsafe.js new file mode 100644 index 0000000..a6d2189 --- /dev/null +++ b/lib/rules/no-msapp-exec-unsafe.js @@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow MSApp.execUnsafeLocalFunction method call + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs:{ + description: "Calls to [`MSApp.execUnsafeLocalFunction()`](https://docs.microsoft.com/en-us/previous-versions/hh772324(v=vs.85)) bypass script injection validation and should be avoided.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-msapp-exec-unsafe.md" + }, + messages: { + default: 'Do not bypass script injection validation' + } + }, + create: function(context) { + return { + "CallExpression[arguments.length=1][callee.object.name='MSApp'][callee.property.name='execUnsafeLocalFunction']"(node) { + context.report( + { + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-postmessage-star-origin.js b/lib/rules/no-postmessage-star-origin.js new file mode 100644 index 0000000..294343c --- /dev/null +++ b/lib/rules/no-postmessage-star-origin.js @@ -0,0 +1,55 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow * as target origin in window.postMessage + */ + +"use strict"; + +const astUtils = require("../ast-utils"); + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + description: "Always provide specific target origin, not * when sending data to other windows using [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns) to avoid data leakage outside of trust boundary.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-postmessage-star-origin.md" + }, + messages: { + default: 'Do not use * as target origin when sending data to other windows' + } + }, + create: function (context) { + const fullTypeChecker = astUtils.getFullTypeChecker(context); + return { + "CallExpression[arguments.length>=2][arguments.length<=3][callee.property.name=postMessage]"(node) { + + // Check that second argument (target origin) is Literal "*" + if (!(node.arguments[1].type === 'Literal' && node.arguments[1].value == '*')) { + return; + } + + // Check that object type is Window when full type information is available + if (fullTypeChecker) { + const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node.callee.object); + const tsType = fullTypeChecker.getTypeAtLocation(tsNode); + const type = fullTypeChecker.typeToString(tsType); + if (type !== "any" && type !== "Window") { + return; + } + } + + context.report({ + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-unsafe-alloc.js b/lib/rules/no-unsafe-alloc.js new file mode 100644 index 0000000..51e8a7c --- /dev/null +++ b/lib/rules/no-unsafe-alloc.js @@ -0,0 +1,46 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + description: "When calling [`Buffer.allocUnsafe`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafe_size) and [`Buffer.allocUnsafeSlow`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_allocunsafeslow_size), the allocated memory is not wiped-out and can contain old, potentially sensitive data.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-unsafe-alloc.md" + }, + messages: { + default: 'Do not allocate uninitialized buffers in Node.js' + } + }, + create: function (context) { + return { + "MemberExpression[object.name='Buffer'][property.name=/allocUnsafe|allocUnsafeSlow/]"(node) { + // Known false positives + if ( + node.parent != undefined && + node.parent.arguments != undefined && + node.parent.arguments.length != undefined && + // Buffer.allocUnsafe(0); + node.parent.type === 'CallExpression' && + node.parent.arguments.length == 1 && + node.parent.arguments[0] != undefined && + node.parent.arguments[0].type === 'Literal' && + node.parent.arguments[0].value == '0' + ) { + return; + } + context.report({ + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/no-winjs-html-unsafe.js b/lib/rules/no-winjs-html-unsafe.js new file mode 100644 index 0000000..4884469 --- /dev/null +++ b/lib/rules/no-winjs-html-unsafe.js @@ -0,0 +1,38 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to disallow WinJS.Utilities.setInnerHTMLUnsafe or WinJS.Utilities.setOuterHTMLUnsafe method call + * @author Antonios Katopodis + */ + +"use strict"; + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs:{ + description: "Calls to [`WinJS.Utilities.setInnerHTMLUnsafe()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211696(v=win.10)) and similar methods do not perform any input validation and should be avoided. Use [`WinJS.Utilities.setInnerHTML()`](https://docs.microsoft.com/en-us/previous-versions/windows/apps/br211697(v=win.10)) instead.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-winjs-html-unsafe.md" + }, + messages: { + default: 'Do not set HTML using unsafe methods from WinJS.Utilities' + } + }, + create: function(context) { + return { + "CallExpression[callee.object.object.name='WinJS'][callee.object.property.name='Utilities'][callee.property.name=/(insertAdjacent|setInner|setOuter)HTMLUnsafe/]"(node) { + context.report( + { + node: node, + messageId: "default" + }); + } + }; + } +}; \ No newline at end of file diff --git a/lib/rules/react-iframe-missing-sandbox.js b/lib/rules/react-iframe-missing-sandbox.js new file mode 100644 index 0000000..a62655b --- /dev/null +++ b/lib/rules/react-iframe-missing-sandbox.js @@ -0,0 +1,108 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +/** + * @fileoverview Rule to enforce sandbox attribute on iframe elements + */ + +"use strict"; + +// TODO: Follow-up on https://github.com/yannickcr/eslint-plugin-react/issues/2754 and try to merge rule into eslint-plugin-react + +//------------------------------------------------------------------------------ +// Rule Definition +//------------------------------------------------------------------------------ +module.exports = { + meta: { + type: "suggestion", + fixable: "code", + schema: [], + docs: { + category: "Security", + description: "The [sandbox](https://www.w3schools.com/tags/att_iframe_sandbox.asp) attribute enables an extra set of restrictions for the content in the iframe and should always be specified.", + url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/react-iframe-missing-sandbox.md" + }, + messages: { + attributeMissing: 'An iframe element is missing a sandbox attribute', + invalidValue: 'An iframe element defines a sandbox attribute with invalid value "{{ value }}"', + invalidCombination: 'An iframe element defines a sandbox attribute with both allow-scripts and allow-same-origin which is invalid' + } + }, + + create(context) { + const ALLOWED_VALUES = [ + // From https://www.w3schools.com/tags/att_iframe_sandbox.asp + '', + 'allow-forms', + 'allow-modals', + 'allow-orientation-lock', + 'allow-pointer-lock', + 'allow-popups', + 'allow-popups-to-escape-sandbox', + 'allow-presentation', + 'allow-same-origin', + 'allow-scripts', + 'allow-top-navigation', + 'allow-top-navigation-by-user-activation' + ]; + + function validateSandboxAttribute(node, attribute) { + const values = attribute.value.value.split(' '); + let allowScripts = false; + let allowSameOrigin = false; + values.forEach((attributeValue) => { + const trimmedAttributeValue = attributeValue.trim(); + if (ALLOWED_VALUES.indexOf(trimmedAttributeValue) === -1) { + context.report({ + node, + messageId: 'invalidValue', + data: { + value: trimmedAttributeValue + } + }); + } + if (trimmedAttributeValue === 'allow-scripts') { + allowScripts = true; + } + if (trimmedAttributeValue === 'allow-same-origin') { + allowSameOrigin = true; + } + }); + if (allowScripts && allowSameOrigin) { + context.report({ + node, + messageId: 'invalidCombination' + }); + } + } + + return { + 'JSXOpeningElement[name.name="iframe"]'(node) { + let sandboxAttributeFound = false; + node.attributes.forEach((attribute) => { + if (attribute.type === 'JSXAttribute' + && attribute.name + && attribute.name.type === 'JSXIdentifier' + && attribute.name.name === 'sandbox' + ) { + sandboxAttributeFound = true; + if ( + attribute.value + && attribute.value.type === 'Literal' + && attribute.value.value + ) { + // Only string literals are supported for now + validateSandboxAttribute(node, attribute); + } + } + }); + if (!sandboxAttributeFound) { + context.report({ + node, + messageId: 'attributeMissing' + }); + } + } + }; + } +}; \ No newline at end of file diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..1aac546 --- /dev/null +++ b/package-lock.json @@ -0,0 +1,1638 @@ +{ + "name": "@microsoft/eslint-plugin-sdl", + "version": "0.1.5", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "@babel/code-frame": { + "version": "7.10.4", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.10.4.tgz", + "integrity": "sha512-vG6SvB6oYEhvgisZNFRmRCUkLz11c7rp+tbNTynGqc6mS1d5ATd/sGyV6W0KZZnXRKMTzZDRgQT3Ou9jhpAfUg==", + "dev": true, + "requires": { + "@babel/highlight": "^7.10.4" + } + }, + "@babel/helper-validator-identifier": { + "version": "7.10.4", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.10.4.tgz", + "integrity": "sha512-3U9y+43hz7ZM+rzG24Qe2mufW5KhvFg/NhnNph+i9mgCtdTCtMJuI1TMkrIUiK7Ix4PYlRF9I5dhqaLYA/ADXw==", + "dev": true + }, + "@babel/highlight": { + "version": "7.10.4", + "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.10.4.tgz", + "integrity": "sha512-i6rgnR/YgPEQzZZnbTHHuZdlE8qyoBNalD6F+q4vAFlcMEcqmkoG+mPqJYJCo63qPf74+Y1UZsl3l6f7/RIkmA==", + "dev": true, + "requires": { + "@babel/helper-validator-identifier": "^7.10.4", + "chalk": "^2.0.0", + "js-tokens": "^4.0.0" + }, + "dependencies": { + "chalk": { + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", + "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", + "dev": true, + "requires": { + "ansi-styles": "^3.2.1", + "escape-string-regexp": "^1.0.5", + "supports-color": "^5.3.0" + } + } + } + }, + "@types/color-name": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@types/color-name/-/color-name-1.1.1.tgz", + "integrity": "sha512-rr+OQyAjxze7GgWrSaJwydHStIhHq2lvY3BOC2Mj7KnzI7XK0Uw1TOOdI9lDoajEbSWLiYgoo4f1R51erQfhPQ==", + "dev": true + }, + "@types/eslint-visitor-keys": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@types/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz", + "integrity": "sha512-OCutwjDZ4aFS6PB1UZ988C4YgwlBHJd6wCeQqaLdmadZ/7e+w79+hbMUFC1QXDNCmdyoRfAFdm0RypzwR+Qpag==", + "dev": true + }, + "@types/json-schema": { + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.5.tgz", + "integrity": "sha512-7+2BITlgjgDhH0vvwZU/HZJVyk+2XUlvxXe8dFMedNX/aMkaOq++rMAFXc0tM7ij15QaWlbdQASBR9dihi+bDQ==", + "dev": true + }, + "@typescript-eslint/eslint-plugin": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-3.7.0.tgz", + "integrity": "sha512-4OEcPON3QIx0ntsuiuFP/TkldmBGXf0uKxPQlGtS/W2F3ndYm8Vgdpj/woPJkzUc65gd3iR+qi3K8SDQP/obFg==", + "dev": true, + "requires": { + "@typescript-eslint/experimental-utils": "3.7.0", + "debug": "^4.1.1", + "functional-red-black-tree": "^1.0.1", + "regexpp": "^3.0.0", + "semver": "^7.3.2", + "tsutils": "^3.17.1" + } + }, + "@typescript-eslint/experimental-utils": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-3.7.0.tgz", + "integrity": "sha512-xpfXXAfZqhhqs5RPQBfAFrWDHoNxD5+sVB5A46TF58Bq1hRfVROrWHcQHHUM9aCBdy9+cwATcvCbRg8aIRbaHQ==", + "dev": true, + "requires": { + "@types/json-schema": "^7.0.3", + "@typescript-eslint/types": "3.7.0", + "@typescript-eslint/typescript-estree": "3.7.0", + "eslint-scope": "^5.0.0", + "eslint-utils": "^2.0.0" + } + }, + "@typescript-eslint/parser": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-3.7.0.tgz", + "integrity": "sha512-2LZauVUt7jAWkcIW7djUc3kyW+fSarNEuM3RF2JdLHR9BfX/nDEnyA4/uWz0wseoWVZbDXDF7iF9Jc342flNqQ==", + "dev": true, + "requires": { + "@types/eslint-visitor-keys": "^1.0.0", + "@typescript-eslint/experimental-utils": "3.7.0", + "@typescript-eslint/types": "3.7.0", + "@typescript-eslint/typescript-estree": "3.7.0", + "eslint-visitor-keys": "^1.1.0" + } + }, + "@typescript-eslint/types": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-3.7.0.tgz", + "integrity": "sha512-reCaK+hyKkKF+itoylAnLzFeNYAEktB0XVfSQvf0gcVgpz1l49Lt6Vo9x4MVCCxiDydA0iLAjTF/ODH0pbfnpg==", + "dev": true + }, + "@typescript-eslint/typescript-estree": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-3.7.0.tgz", + "integrity": "sha512-xr5oobkYRebejlACGr1TJ0Z/r0a2/HUf0SXqPvlgUMwiMqOCu/J+/Dr9U3T0IxpE5oLFSkqMx1FE/dKaZ8KsOQ==", + "dev": true, + "requires": { + "@typescript-eslint/types": "3.7.0", + "@typescript-eslint/visitor-keys": "3.7.0", + "debug": "^4.1.1", + "glob": "^7.1.6", + "is-glob": "^4.0.1", + "lodash": "^4.17.15", + "semver": "^7.3.2", + "tsutils": "^3.17.1" + } + }, + "@typescript-eslint/visitor-keys": { + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-3.7.0.tgz", + "integrity": "sha512-k5PiZdB4vklUpUX4NBncn5RBKty8G3ihTY+hqJsCdMuD0v4jofI5xuqwnVcWxfv6iTm2P/dfEa2wMUnsUY8ODw==", + "dev": true, + "requires": { + "eslint-visitor-keys": "^1.1.0" + } + }, + "acorn": { + "version": "7.3.1", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-7.3.1.tgz", + "integrity": "sha512-tLc0wSnatxAQHVHUapaHdz72pi9KUyHjq5KyHjGg9Y8Ifdc79pTh2XvI6I1/chZbnM7QtNKzh66ooDogPZSleA==", + "dev": true + }, + "acorn-jsx": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.2.0.tgz", + "integrity": "sha512-HiUX/+K2YpkpJ+SzBffkM/AQ2YE03S0U1kjTLVpoJdhZMOWy8qvXVN9JdLqv2QsaQ6MPYQIuNmwD8zOiYUofLQ==", + "dev": true + }, + "ajv": { + "version": "6.12.2", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz", + "integrity": "sha512-k+V+hzjm5q/Mr8ef/1Y9goCmlsK4I6Sm74teeyGvFk1XrOsbsKLjEdrvny42CZ+a8sXbk8KWpY/bDwS+FLL2UQ==", + "dev": true, + "requires": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + } + }, + "ansi-colors": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.1.tgz", + "integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==", + "dev": true + }, + "ansi-regex": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz", + "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==", + "dev": true + }, + "ansi-styles": { + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz", + "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==", + "dev": true, + "requires": { + "color-convert": "^1.9.0" + } + }, + "anymatch": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.1.tgz", + "integrity": "sha512-mM8522psRCqzV+6LhomX5wgp25YVibjh8Wj23I5RPkPppSVSjyKD2A2mBJmWGa+KN7f2D6LNh9jkBCeyLktzjg==", + "dev": true, + "requires": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + } + }, + "argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "dev": true, + "requires": { + "sprintf-js": "~1.0.2" + } + }, + "astral-regex": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-1.0.0.tgz", + "integrity": "sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg==", + "dev": true + }, + "balanced-match": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz", + "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=", + "dev": true + }, + "binary-extensions": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.1.0.tgz", + "integrity": "sha512-1Yj8h9Q+QDF5FzhMs/c9+6UntbD5MkRfRwac8DoEm9ZfUBZ7tZ55YcGVAzEe4bXsdQHEk+s9S5wsOKVdZrw0tQ==", + "dev": true + }, + "brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "requires": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "braces": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", + "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "dev": true, + "requires": { + "fill-range": "^7.0.1" + } + }, + "browser-stdout": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/browser-stdout/-/browser-stdout-1.3.1.tgz", + "integrity": "sha512-qhAVI1+Av2X7qelOfAIYwXONood6XlZE/fXaBSmW/T5SzLAmCgzi+eiWE7fUvbHaeNBQH13UftjpXxsfLkMpgw==", + "dev": true + }, + "callsites": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz", + "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==", + "dev": true + }, + "camelcase": { + "version": "5.3.1", + "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz", + "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==", + "dev": true + }, + "chalk": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.0.tgz", + "integrity": "sha512-qwx12AxXe2Q5xQ43Ac//I6v5aXTipYrSESdOgzrN+9XjgEpyjpKuvSGaN4qE93f7TQTlerQQ8S+EQ0EyDoVL1A==", + "dev": true, + "requires": { + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" + }, + "dependencies": { + "ansi-styles": { + "version": "4.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.2.1.tgz", + "integrity": "sha512-9VGjrMsG1vePxcSweQsN20KY/c4zN0h9fLjqAbwbPfahM3t+NL+M9HC8xeXG2I8pX5NoamTGNuomEUFI7fcUjA==", + "dev": true, + "requires": { + "@types/color-name": "^1.1.1", + "color-convert": "^2.0.1" + } + }, + "color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "requires": { + "color-name": "~1.1.4" + } + }, + "color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "has-flag": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz", + "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==", + "dev": true + }, + "supports-color": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.1.0.tgz", + "integrity": "sha512-oRSIpR8pxT1Wr2FquTNnGet79b3BWljqOuoW/h4oBhxJ/HUbX5nX6JSruTkvXDCFMwDPvsaTTbvMLKZWSy0R5g==", + "dev": true, + "requires": { + "has-flag": "^4.0.0" + } + } + } + }, + "chokidar": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.3.0.tgz", + "integrity": "sha512-dGmKLDdT3Gdl7fBUe8XK+gAtGmzy5Fn0XkkWQuYxGIgWVPPse2CxFA5mtrlD0TOHaHjEUqkWNyP1XdHoJES/4A==", + "dev": true, + "requires": { + "anymatch": "~3.1.1", + "braces": "~3.0.2", + "fsevents": "~2.1.1", + "glob-parent": "~5.1.0", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.2.0" + } + }, + "cliui": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-5.0.0.tgz", + "integrity": "sha512-PYeGSEmmHM6zvoef2w8TPzlrnNpXIjTipYK780YswmIP9vjxmd6Y2a3CB2Ks6/AU8NHjZugXvo8w3oWM2qnwXA==", + "dev": true, + "requires": { + "string-width": "^3.1.0", + "strip-ansi": "^5.2.0", + "wrap-ansi": "^5.1.0" + }, + "dependencies": { + "ansi-regex": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz", + "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==", + "dev": true + }, + "strip-ansi": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz", + "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==", + "dev": true, + "requires": { + "ansi-regex": "^4.1.0" + } + } + } + }, + "color-convert": { + "version": "1.9.3", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz", + "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==", + "dev": true, + "requires": { + "color-name": "1.1.3" + } + }, + "color-name": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", + "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=", + "dev": true + }, + "concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=", + "dev": true + }, + "cross-spawn": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", + "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "dev": true, + "requires": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + } + }, + "debug": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", + "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==", + "dev": true, + "requires": { + "ms": "^2.1.1" + } + }, + "decamelize": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", + "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=", + "dev": true + }, + "deep-is": { + "version": "0.1.3", + "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz", + "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=", + "dev": true + }, + "define-properties": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.1.3.tgz", + "integrity": "sha512-3MqfYKj2lLzdMSf8ZIZE/V+Zuy+BgD6f164e8K2w7dgnpKArBDerGYpM46IYYcjnkdPNMjPk9A6VFB8+3SKlXQ==", + "dev": true, + "requires": { + "object-keys": "^1.0.12" + } + }, + "diff": { + "version": "3.5.0", + "resolved": "https://registry.npmjs.org/diff/-/diff-3.5.0.tgz", + "integrity": "sha512-A46qtFgd+g7pDZinpnwiRJtxbC1hpgf0uzP3iG89scHk0AUC7A1TGxf5OiiOUv/JMZR8GOt8hL900hV0bOy5xA==", + "dev": true + }, + "doctrine": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz", + "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==", + "dev": true, + "requires": { + "esutils": "^2.0.2" + } + }, + "emoji-regex": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-7.0.3.tgz", + "integrity": "sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA==", + "dev": true + }, + "enquirer": { + "version": "2.3.6", + "resolved": "https://registry.npmjs.org/enquirer/-/enquirer-2.3.6.tgz", + "integrity": "sha512-yjNnPr315/FjS4zIsUxYguYUPP2e1NK4d7E7ZOLiyYCcbFBiTMyID+2wvm2w6+pZ/odMA7cRkjhsPbltwBOrLg==", + "dev": true, + "requires": { + "ansi-colors": "^4.1.1" + } + }, + "es-abstract": { + "version": "1.17.6", + "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.17.6.tgz", + "integrity": "sha512-Fr89bON3WFyUi5EvAeI48QTWX0AyekGgLA8H+c+7fbfCkJwRWRMLd8CQedNEyJuoYYhmtEqY92pgte1FAhBlhw==", + "dev": true, + "requires": { + "es-to-primitive": "^1.2.1", + "function-bind": "^1.1.1", + "has": "^1.0.3", + "has-symbols": "^1.0.1", + "is-callable": "^1.2.0", + "is-regex": "^1.1.0", + "object-inspect": "^1.7.0", + "object-keys": "^1.1.1", + "object.assign": "^4.1.0", + "string.prototype.trimend": "^1.0.1", + "string.prototype.trimstart": "^1.0.1" + } + }, + "es-to-primitive": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/es-to-primitive/-/es-to-primitive-1.2.1.tgz", + "integrity": "sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==", + "dev": true, + "requires": { + "is-callable": "^1.1.4", + "is-date-object": "^1.0.1", + "is-symbol": "^1.0.2" + } + }, + "escape-string-regexp": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", + "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=", + "dev": true + }, + "eslint": { + "version": "7.3.1", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-7.3.1.tgz", + "integrity": "sha512-cQC/xj9bhWUcyi/RuMbRtC3I0eW8MH0jhRELSvpKYkWep3C6YZ2OkvcvJVUeO6gcunABmzptbXBuDoXsjHmfTA==", + "dev": true, + "requires": { + "@babel/code-frame": "^7.0.0", + "ajv": "^6.10.0", + "chalk": "^4.0.0", + "cross-spawn": "^7.0.2", + "debug": "^4.0.1", + "doctrine": "^3.0.0", + "enquirer": "^2.3.5", + "eslint-scope": "^5.1.0", + "eslint-utils": "^2.0.0", + "eslint-visitor-keys": "^1.2.0", + "espree": "^7.1.0", + "esquery": "^1.2.0", + "esutils": "^2.0.2", + "file-entry-cache": "^5.0.1", + "functional-red-black-tree": "^1.0.1", + "glob-parent": "^5.0.0", + "globals": "^12.1.0", + "ignore": "^4.0.6", + "import-fresh": "^3.0.0", + "imurmurhash": "^0.1.4", + "is-glob": "^4.0.0", + "js-yaml": "^3.13.1", + "json-stable-stringify-without-jsonify": "^1.0.1", + "levn": "^0.4.1", + "lodash": "^4.17.14", + "minimatch": "^3.0.4", + "natural-compare": "^1.4.0", + "optionator": "^0.9.1", + "progress": "^2.0.0", + "regexpp": "^3.1.0", + "semver": "^7.2.1", + "strip-ansi": "^6.0.0", + "strip-json-comments": "^3.1.0", + "table": "^5.2.3", + "text-table": "^0.2.0", + "v8-compile-cache": "^2.0.3" + } + }, + "eslint-scope": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.1.0.tgz", + "integrity": "sha512-iiGRvtxWqgtx5m8EyQUJihBloE4EnYeGE/bz1wSPwJE6tZuJUtHlhqDM4Xj2ukE8Dyy1+HCZ4hE0fzIVMzb58w==", + "dev": true, + "requires": { + "esrecurse": "^4.1.0", + "estraverse": "^4.1.1" + } + }, + "eslint-utils": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-2.1.0.tgz", + "integrity": "sha512-w94dQYoauyvlDc43XnGB8lU3Zt713vNChgt4EWwhXAP2XkBvndfxF0AgIqKOOasjPIPzj9JqgwkwbCYD0/V3Zg==", + "dev": true, + "requires": { + "eslint-visitor-keys": "^1.1.0" + } + }, + "eslint-visitor-keys": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.3.0.tgz", + "integrity": "sha512-6J72N8UNa462wa/KFODt/PJ3IU60SDpC3QXC1Hjc1BXXpfL2C9R5+AU7jhe0F6GREqVMh4Juu+NY7xn+6dipUQ==", + "dev": true + }, + "espree": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/espree/-/espree-7.1.0.tgz", + "integrity": "sha512-dcorZSyfmm4WTuTnE5Y7MEN1DyoPYy1ZR783QW1FJoenn7RailyWFsq/UL6ZAAA7uXurN9FIpYyUs3OfiIW+Qw==", + "dev": true, + "requires": { + "acorn": "^7.2.0", + "acorn-jsx": "^5.2.0", + "eslint-visitor-keys": "^1.2.0" + } + }, + "esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "dev": true + }, + "esquery": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.3.1.tgz", + "integrity": "sha512-olpvt9QG0vniUBZspVRN6lwB7hOZoTRtT+jzR+tS4ffYx2mzbw+z0XCOk44aaLYKApNX5nMm+E+P6o25ip/DHQ==", + "dev": true, + "requires": { + "estraverse": "^5.1.0" + }, + "dependencies": { + "estraverse": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.1.0.tgz", + "integrity": "sha512-FyohXK+R0vE+y1nHLoBM7ZTyqRpqAlhdZHCWIWEviFLiGB8b04H6bQs8G+XTthacvT8VuwvteiP7RJSxMs8UEw==", + "dev": true + } + } + }, + "esrecurse": { + "version": "4.2.1", + "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.2.1.tgz", + "integrity": "sha512-64RBB++fIOAXPw3P9cy89qfMlvZEXZkqqJkjqqXIvzP5ezRZjW+lPWjw35UX/3EhUPFYbg5ER4JYgDw4007/DQ==", + "dev": true, + "requires": { + "estraverse": "^4.1.0" + } + }, + "estraverse": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz", + "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==", + "dev": true + }, + "esutils": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", + "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==", + "dev": true + }, + "fast-deep-equal": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", + "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", + "dev": true + }, + "fast-json-stable-stringify": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", + "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==", + "dev": true + }, + "fast-levenshtein": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz", + "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=", + "dev": true + }, + "file-entry-cache": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-5.0.1.tgz", + "integrity": "sha512-bCg29ictuBaKUwwArK4ouCaqDgLZcysCFLmM/Yn/FDoqndh/9vNuQfXRDvTuXKLxfD/JtZQGKFT8MGcJBK644g==", + "dev": true, + "requires": { + "flat-cache": "^2.0.1" + } + }, + "fill-range": { + "version": "7.0.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", + "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "dev": true, + "requires": { + "to-regex-range": "^5.0.1" + } + }, + "find-up": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz", + "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==", + "dev": true, + "requires": { + "locate-path": "^3.0.0" + } + }, + "flat": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/flat/-/flat-4.1.0.tgz", + "integrity": "sha512-Px/TiLIznH7gEDlPXcUD4KnBusa6kR6ayRUVcnEAbreRIuhkqow/mun59BuRXwoYk7ZQOLW1ZM05ilIvK38hFw==", + "dev": true, + "requires": { + "is-buffer": "~2.0.3" + } + }, + "flat-cache": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-2.0.1.tgz", + "integrity": "sha512-LoQe6yDuUMDzQAEH8sgmh4Md6oZnc/7PjtwjNFSzveXqSHt6ka9fPBuso7IGf9Rz4uqnSnWiFH2B/zj24a5ReA==", + "dev": true, + "requires": { + "flatted": "^2.0.0", + "rimraf": "2.6.3", + "write": "1.0.3" + } + }, + "flatted": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-2.0.2.tgz", + "integrity": "sha512-r5wGx7YeOwNWNlCA0wQ86zKyDLMQr+/RB8xy74M4hTphfmjlijTSSXGuH8rnvKZnfT9i+75zmd8jcKdMR4O6jA==", + "dev": true + }, + "fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=", + "dev": true + }, + "fsevents": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.1.3.tgz", + "integrity": "sha512-Auw9a4AxqWpa9GUfj370BMPzzyncfBABW8Mab7BGWBYDj4Isgq+cDKtx0i6u9jcX9pQDnswsaaOTgTmA5pEjuQ==", + "dev": true, + "optional": true + }, + "function-bind": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", + "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==", + "dev": true + }, + "functional-red-black-tree": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/functional-red-black-tree/-/functional-red-black-tree-1.0.1.tgz", + "integrity": "sha1-GwqzvVU7Kg1jmdKcDj6gslIHgyc=", + "dev": true + }, + "get-caller-file": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", + "dev": true + }, + "glob": { + "version": "7.1.6", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz", + "integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==", + "dev": true, + "requires": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.0.4", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + } + }, + "glob-parent": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz", + "integrity": "sha512-FnI+VGOpnlGHWZxthPGR+QhR78fuiK0sNLkHQv+bL9fQi57lNNdquIbna/WrfROrolq8GK5Ek6BiMwqL/voRYQ==", + "dev": true, + "requires": { + "is-glob": "^4.0.1" + } + }, + "globals": { + "version": "12.4.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-12.4.0.tgz", + "integrity": "sha512-BWICuzzDvDoH54NHKCseDanAhE3CeDorgDL5MT6LMXXj2WCnd9UC2szdk4AWLfjdgNBCXLUanXYcpBBKOSWGwg==", + "dev": true, + "requires": { + "type-fest": "^0.8.1" + } + }, + "growl": { + "version": "1.10.5", + "resolved": "https://registry.npmjs.org/growl/-/growl-1.10.5.tgz", + "integrity": "sha512-qBr4OuELkhPenW6goKVXiv47US3clb3/IbuWF9KNKEijAy9oeHxU9IgzjvJhHkUzhaj7rOUD7+YGWqUjLp5oSA==", + "dev": true + }, + "has": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", + "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==", + "dev": true, + "requires": { + "function-bind": "^1.1.1" + } + }, + "has-flag": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", + "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=", + "dev": true + }, + "has-symbols": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.1.tgz", + "integrity": "sha512-PLcsoqu++dmEIZB+6totNFKq/7Do+Z0u4oT0zKOJNl3lYK6vGwwu2hjHs+68OEZbTjiUE9bgOABXbP/GvrS0Kg==", + "dev": true + }, + "he": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/he/-/he-1.2.0.tgz", + "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==", + "dev": true + }, + "ignore": { + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-4.0.6.tgz", + "integrity": "sha512-cyFDKrqc/YdcWFniJhzI42+AzS+gNwmUzOSFcRCQYwySuBBBy/KjuxWLZ/FHEH6Moq1NizMOBWyTcv8O4OZIMg==", + "dev": true + }, + "import-fresh": { + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.2.1.tgz", + "integrity": "sha512-6e1q1cnWP2RXD9/keSkxHScg508CdXqXWgWBaETNhyuBFz+kUZlKboh+ISK+bU++DmbHimVBrOz/zzPe0sZ3sQ==", + "dev": true, + "requires": { + "parent-module": "^1.0.0", + "resolve-from": "^4.0.0" + } + }, + "imurmurhash": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", + "integrity": "sha1-khi5srkoojixPcT7a21XbyMUU+o=", + "dev": true + }, + "inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", + "dev": true, + "requires": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "requires": { + "binary-extensions": "^2.0.0" + } + }, + "is-buffer": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.4.tgz", + "integrity": "sha512-Kq1rokWXOPXWuaMAqZiJW4XxsmD9zGx9q4aePabbn3qCRGedtH7Cm+zV8WETitMfu1wdh+Rvd6w5egwSngUX2A==", + "dev": true + }, + "is-callable": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.2.0.tgz", + "integrity": "sha512-pyVD9AaGLxtg6srb2Ng6ynWJqkHU9bEM087AKck0w8QwDarTfNcpIYoU8x8Hv2Icm8u6kFJM18Dag8lyqGkviw==", + "dev": true + }, + "is-date-object": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/is-date-object/-/is-date-object-1.0.2.tgz", + "integrity": "sha512-USlDT524woQ08aoZFzh3/Z6ch9Y/EWXEHQ/AaRN0SkKq4t2Jw2R2339tSXmwuVoY7LLlBCbOIlx2myP/L5zk0g==", + "dev": true + }, + "is-extglob": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=", + "dev": true + }, + "is-fullwidth-code-point": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz", + "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8=", + "dev": true + }, + "is-glob": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz", + "integrity": "sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==", + "dev": true, + "requires": { + "is-extglob": "^2.1.1" + } + }, + "is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true + }, + "is-regex": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/is-regex/-/is-regex-1.1.0.tgz", + "integrity": "sha512-iI97M8KTWID2la5uYXlkbSDQIg4F6o1sYboZKKTDpnDQMLtUL86zxhgDet3Q2SriaYsyGqZ6Mn2SjbRKeLHdqw==", + "dev": true, + "requires": { + "has-symbols": "^1.0.1" + } + }, + "is-symbol": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/is-symbol/-/is-symbol-1.0.3.tgz", + "integrity": "sha512-OwijhaRSgqvhm/0ZdAcXNZt9lYdKFpcRDT5ULUuYXPoT794UNOdU+gpT6Rzo7b4V2HUl/op6GqY894AZwv9faQ==", + "dev": true, + "requires": { + "has-symbols": "^1.0.1" + } + }, + "isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=", + "dev": true + }, + "js-tokens": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", + "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==", + "dev": true + }, + "js-yaml": { + "version": "3.14.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.0.tgz", + "integrity": "sha512-/4IbIeHcD9VMHFqDR/gQ7EdZdLimOvW2DdcxFjdyyZ9NsbS+ccrXqVWDtab/lRl5AlUqmpBx8EhPaWR+OtY17A==", + "dev": true, + "requires": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + } + }, + "json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "dev": true + }, + "json-stable-stringify-without-jsonify": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz", + "integrity": "sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=", + "dev": true + }, + "levn": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz", + "integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==", + "dev": true, + "requires": { + "prelude-ls": "^1.2.1", + "type-check": "~0.4.0" + } + }, + "locate-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz", + "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==", + "dev": true, + "requires": { + "p-locate": "^3.0.0", + "path-exists": "^3.0.0" + } + }, + "lodash": { + "version": "4.17.15", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz", + "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==", + "dev": true + }, + "log-symbols": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-3.0.0.tgz", + "integrity": "sha512-dSkNGuI7iG3mfvDzUuYZyvk5dD9ocYCYzNU6CYDE6+Xqd+gwme6Z00NS3dUh8mq/73HaEtT7m6W+yUPtU6BZnQ==", + "dev": true, + "requires": { + "chalk": "^2.4.2" + }, + "dependencies": { + "chalk": { + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", + "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", + "dev": true, + "requires": { + "ansi-styles": "^3.2.1", + "escape-string-regexp": "^1.0.5", + "supports-color": "^5.3.0" + } + } + } + }, + "minimatch": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", + "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "dev": true, + "requires": { + "brace-expansion": "^1.1.7" + } + }, + "minimist": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", + "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", + "dev": true + }, + "mkdirp": { + "version": "0.5.5", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.5.tgz", + "integrity": "sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==", + "dev": true, + "requires": { + "minimist": "^1.2.5" + } + }, + "mocha": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/mocha/-/mocha-7.2.0.tgz", + "integrity": "sha512-O9CIypScywTVpNaRrCAgoUnJgozpIofjKUYmJhiCIJMiuYnLI6otcb1/kpW9/n/tJODHGZ7i8aLQoDVsMtOKQQ==", + "dev": true, + "requires": { + "ansi-colors": "3.2.3", + "browser-stdout": "1.3.1", + "chokidar": "3.3.0", + "debug": "3.2.6", + "diff": "3.5.0", + "escape-string-regexp": "1.0.5", + "find-up": "3.0.0", + "glob": "7.1.3", + "growl": "1.10.5", + "he": "1.2.0", + "js-yaml": "3.13.1", + "log-symbols": "3.0.0", + "minimatch": "3.0.4", + "mkdirp": "0.5.5", + "ms": "2.1.1", + "node-environment-flags": "1.0.6", + "object.assign": "4.1.0", + "strip-json-comments": "2.0.1", + "supports-color": "6.0.0", + "which": "1.3.1", + "wide-align": "1.1.3", + "yargs": "13.3.2", + "yargs-parser": "13.1.2", + "yargs-unparser": "1.6.0" + }, + "dependencies": { + "ansi-colors": { + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-3.2.3.tgz", + "integrity": "sha512-LEHHyuhlPY3TmuUYMh2oz89lTShfvgbmzaBcxve9t/9Wuy7Dwf4yoAKcND7KFT1HAQfqZ12qtc+DUrBMeKF9nw==", + "dev": true + }, + "debug": { + "version": "3.2.6", + "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz", + "integrity": "sha512-mel+jf7nrtEl5Pn1Qx46zARXKDpBbvzezse7p7LqINmdoIk8PYP5SySaxEmYv6TZ0JyEKA1hsCId6DIhgITtWQ==", + "dev": true, + "requires": { + "ms": "^2.1.1" + } + }, + "glob": { + "version": "7.1.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.3.tgz", + "integrity": "sha512-vcfuiIxogLV4DlGBHIUOwI0IbrJ8HWPc4MU7HzviGeNho/UJDfi6B5p3sHeWIQ0KGIU0Jpxi5ZHxemQfLkkAwQ==", + "dev": true, + "requires": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.0.4", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + } + }, + "js-yaml": { + "version": "3.13.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz", + "integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==", + "dev": true, + "requires": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + } + }, + "ms": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz", + "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg==", + "dev": true + }, + "strip-json-comments": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz", + "integrity": "sha1-PFMZQukIwml8DsNEhYwobHygpgo=", + "dev": true + }, + "supports-color": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.0.0.tgz", + "integrity": "sha512-on9Kwidc1IUQo+bQdhi8+Tijpo0e1SS6RoGo2guUwn5vdaxw8RXOF9Vb2ws+ihWOmh4JnCJOvaziZWP1VABaLg==", + "dev": true, + "requires": { + "has-flag": "^3.0.0" + } + }, + "which": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz", + "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==", + "dev": true, + "requires": { + "isexe": "^2.0.0" + } + } + } + }, + "ms": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "dev": true + }, + "natural-compare": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz", + "integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=", + "dev": true + }, + "node-environment-flags": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/node-environment-flags/-/node-environment-flags-1.0.6.tgz", + "integrity": "sha512-5Evy2epuL+6TM0lCQGpFIj6KwiEsGh1SrHUhTbNX+sLbBtjidPZFAnVK9y5yU1+h//RitLbRHTIMyxQPtxMdHw==", + "dev": true, + "requires": { + "object.getownpropertydescriptors": "^2.0.3", + "semver": "^5.7.0" + }, + "dependencies": { + "semver": { + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz", + "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==", + "dev": true + } + } + }, + "normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true + }, + "object-inspect": { + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.8.0.tgz", + "integrity": "sha512-jLdtEOB112fORuypAyl/50VRVIBIdVQOSUUGQHzJ4xBSbit81zRarz7GThkEFZy1RceYrWYcPcBFPQwHyAc1gA==", + "dev": true + }, + "object-keys": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/object-keys/-/object-keys-1.1.1.tgz", + "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==", + "dev": true + }, + "object.assign": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/object.assign/-/object.assign-4.1.0.tgz", + "integrity": "sha512-exHJeq6kBKj58mqGyTQ9DFvrZC/eR6OwxzoM9YRoGBqrXYonaFyGiFMuc9VZrXf7DarreEwMpurG3dd+CNyW5w==", + "dev": true, + "requires": { + "define-properties": "^1.1.2", + "function-bind": "^1.1.1", + "has-symbols": "^1.0.0", + "object-keys": "^1.0.11" + } + }, + "object.getownpropertydescriptors": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/object.getownpropertydescriptors/-/object.getownpropertydescriptors-2.1.0.tgz", + "integrity": "sha512-Z53Oah9A3TdLoblT7VKJaTDdXdT+lQO+cNpKVnya5JDe9uLvzu1YyY1yFDFrcxrlRgWrEFH0jJtD/IbuwjcEVg==", + "dev": true, + "requires": { + "define-properties": "^1.1.3", + "es-abstract": "^1.17.0-next.1" + } + }, + "once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=", + "dev": true, + "requires": { + "wrappy": "1" + } + }, + "optionator": { + "version": "0.9.1", + "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.1.tgz", + "integrity": "sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==", + "dev": true, + "requires": { + "deep-is": "^0.1.3", + "fast-levenshtein": "^2.0.6", + "levn": "^0.4.1", + "prelude-ls": "^1.2.1", + "type-check": "^0.4.0", + "word-wrap": "^1.2.3" + } + }, + "p-limit": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz", + "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==", + "dev": true, + "requires": { + "p-try": "^2.0.0" + } + }, + "p-locate": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz", + "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==", + "dev": true, + "requires": { + "p-limit": "^2.0.0" + } + }, + "p-try": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz", + "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==", + "dev": true + }, + "parent-module": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz", + "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==", + "dev": true, + "requires": { + "callsites": "^3.0.0" + } + }, + "path-exists": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz", + "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=", + "dev": true + }, + "path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=", + "dev": true + }, + "path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true + }, + "picomatch": { + "version": "2.2.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.2.2.tgz", + "integrity": "sha512-q0M/9eZHzmr0AulXyPwNfZjtwZ/RBZlbN3K3CErVrk50T2ASYI7Bye0EvekFY3IP1Nt2DHu0re+V2ZHIpMkuWg==", + "dev": true + }, + "prelude-ls": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz", + "integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==", + "dev": true + }, + "progress": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz", + "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==", + "dev": true + }, + "punycode": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz", + "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==", + "dev": true + }, + "readdirp": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.2.0.tgz", + "integrity": "sha512-crk4Qu3pmXwgxdSgGhgA/eXiJAPQiX4GMOZZMXnqKxHX7TaoL+3gQVo/WeuAiogr07DpnfjIMpXXa+PAIvwPGQ==", + "dev": true, + "requires": { + "picomatch": "^2.0.4" + } + }, + "regexpp": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.1.0.tgz", + "integrity": "sha512-ZOIzd8yVsQQA7j8GCSlPGXwg5PfmA1mrq0JP4nGhh54LaKN3xdai/vHUDu74pKwV8OxseMS65u2NImosQcSD0Q==", + "dev": true + }, + "require-directory": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", + "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=", + "dev": true + }, + "require-main-filename": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz", + "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==", + "dev": true + }, + "resolve-from": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz", + "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==", + "dev": true + }, + "rimraf": { + "version": "2.6.3", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.3.tgz", + "integrity": "sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==", + "dev": true, + "requires": { + "glob": "^7.1.3" + } + }, + "semver": { + "version": "7.3.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.2.tgz", + "integrity": "sha512-OrOb32TeeambH6UrhtShmF7CRDqhL6/5XpPNp2DuRH6+9QLw/orhp72j87v8Qa1ScDkvrrBNpZcDejAirJmfXQ==", + "dev": true + }, + "set-blocking": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", + "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", + "dev": true + }, + "shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "dev": true, + "requires": { + "shebang-regex": "^3.0.0" + } + }, + "shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "dev": true + }, + "slice-ansi": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-2.1.0.tgz", + "integrity": "sha512-Qu+VC3EwYLldKa1fCxuuvULvSJOKEgk9pi8dZeCVK7TqBfUNTH4sFkk4joj8afVSfAYgJoSOetjx9QWOJ5mYoQ==", + "dev": true, + "requires": { + "ansi-styles": "^3.2.0", + "astral-regex": "^1.0.0", + "is-fullwidth-code-point": "^2.0.0" + } + }, + "sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=", + "dev": true + }, + "string-width": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-3.1.0.tgz", + "integrity": "sha512-vafcv6KjVZKSgz06oM/H6GDBrAtz8vdhQakGjFIvNrHA6y3HCF1CInLy+QLq8dTJPQ1b+KDUqDFctkdRW44e1w==", + "dev": true, + "requires": { + "emoji-regex": "^7.0.1", + "is-fullwidth-code-point": "^2.0.0", + "strip-ansi": "^5.1.0" + }, + "dependencies": { + "ansi-regex": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz", + "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==", + "dev": true + }, + "strip-ansi": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz", + "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==", + "dev": true, + "requires": { + "ansi-regex": "^4.1.0" + } + } + } + }, + "string.prototype.trimend": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.1.tgz", + "integrity": "sha512-LRPxFUaTtpqYsTeNKaFOw3R4bxIzWOnbQ837QfBylo8jIxtcbK/A/sMV7Q+OAV/vWo+7s25pOE10KYSjaSO06g==", + "dev": true, + "requires": { + "define-properties": "^1.1.3", + "es-abstract": "^1.17.5" + } + }, + "string.prototype.trimstart": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/string.prototype.trimstart/-/string.prototype.trimstart-1.0.1.tgz", + "integrity": "sha512-XxZn+QpvrBI1FOcg6dIpxUPgWCPuNXvMD72aaRaUQv1eD4e/Qy8i/hFTe0BUmD60p/QA6bh1avmuPTfNjqVWRw==", + "dev": true, + "requires": { + "define-properties": "^1.1.3", + "es-abstract": "^1.17.5" + } + }, + "strip-ansi": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", + "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "dev": true, + "requires": { + "ansi-regex": "^5.0.0" + } + }, + "strip-json-comments": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.0.tgz", + "integrity": "sha512-e6/d0eBu7gHtdCqFt0xJr642LdToM5/cN4Qb9DbHjVx1CP5RyeM+zH7pbecEmDv/lBqb0QH+6Uqq75rxFPkM0w==", + "dev": true + }, + "supports-color": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", + "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", + "dev": true, + "requires": { + "has-flag": "^3.0.0" + } + }, + "table": { + "version": "5.4.6", + "resolved": "https://registry.npmjs.org/table/-/table-5.4.6.tgz", + "integrity": "sha512-wmEc8m4fjnob4gt5riFRtTu/6+4rSe12TpAELNSqHMfF3IqnA+CH37USM6/YR3qRZv7e56kAEAtd6nKZaxe0Ug==", + "dev": true, + "requires": { + "ajv": "^6.10.2", + "lodash": "^4.17.14", + "slice-ansi": "^2.1.0", + "string-width": "^3.0.0" + } + }, + "text-table": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", + "integrity": "sha1-f17oI66AUgfACvLfSoTsP8+lcLQ=", + "dev": true + }, + "to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "requires": { + "is-number": "^7.0.0" + } + }, + "tslib": { + "version": "1.13.0", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.13.0.tgz", + "integrity": "sha512-i/6DQjL8Xf3be4K/E6Wgpekn5Qasl1usyw++dAA35Ue5orEn65VIxOA+YvNNl9HV3qv70T7CNwjODHZrLwvd1Q==", + "dev": true + }, + "tsutils": { + "version": "3.17.1", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.17.1.tgz", + "integrity": "sha512-kzeQ5B8H3w60nFY2g8cJIuH7JDpsALXySGtwGJ0p2LSjLgay3NdIpqq5SoOBe46bKDW2iq25irHCr8wjomUS2g==", + "dev": true, + "requires": { + "tslib": "^1.8.1" + } + }, + "type-check": { + "version": "0.4.0", + "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz", + "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==", + "dev": true, + "requires": { + "prelude-ls": "^1.2.1" + } + }, + "type-fest": { + "version": "0.8.1", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.8.1.tgz", + "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==", + "dev": true + }, + "typescript": { + "version": "3.9.7", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.7.tgz", + "integrity": "sha512-BLbiRkiBzAwsjut4x/dsibSTB6yWpwT5qWmC2OfuCg3GgVQCSgMs4vEctYPhsaGtd0AeuuHMkjZ2h2WG8MSzRw==", + "dev": true + }, + "uri-js": { + "version": "4.2.2", + "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.2.2.tgz", + "integrity": "sha512-KY9Frmirql91X2Qgjry0Wd4Y+YTdrdZheS8TFwvkbLWf/G5KNJDCh6pKL5OZctEW4+0Baa5idK2ZQuELRwPznQ==", + "dev": true, + "requires": { + "punycode": "^2.1.0" + } + }, + "v8-compile-cache": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.1.1.tgz", + "integrity": "sha512-8OQ9CL+VWyt3JStj7HX7/ciTL2V3Rl1Wf5OL+SNTm0yK1KvtReVulksyeRnCANHHuUxHlQig+JJDlUhBt1NQDQ==", + "dev": true + }, + "which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "requires": { + "isexe": "^2.0.0" + } + }, + "which-module": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.0.tgz", + "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=", + "dev": true + }, + "wide-align": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.3.tgz", + "integrity": "sha512-QGkOQc8XL6Bt5PwnsExKBPuMKBxnGxWWW3fU55Xt4feHozMUhdUMaBCk290qpm/wG5u/RSKzwdAC4i51YigihA==", + "dev": true, + "requires": { + "string-width": "^1.0.2 || 2" + }, + "dependencies": { + "ansi-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz", + "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg=", + "dev": true + }, + "string-width": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz", + "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==", + "dev": true, + "requires": { + "is-fullwidth-code-point": "^2.0.0", + "strip-ansi": "^4.0.0" + } + }, + "strip-ansi": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz", + "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=", + "dev": true, + "requires": { + "ansi-regex": "^3.0.0" + } + } + } + }, + "word-wrap": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz", + "integrity": "sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==", + "dev": true + }, + "wrap-ansi": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-5.1.0.tgz", + "integrity": "sha512-QC1/iN/2/RPVJ5jYK8BGttj5z83LmSKmvbvrXPNCLZSEb32KKVDJDl/MOt2N01qU2H/FkzEa9PKto1BqDjtd7Q==", + "dev": true, + "requires": { + "ansi-styles": "^3.2.0", + "string-width": "^3.0.0", + "strip-ansi": "^5.0.0" + }, + "dependencies": { + "ansi-regex": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz", + "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==", + "dev": true + }, + "strip-ansi": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz", + "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==", + "dev": true, + "requires": { + "ansi-regex": "^4.1.0" + } + } + } + }, + "wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=", + "dev": true + }, + "write": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/write/-/write-1.0.3.tgz", + "integrity": "sha512-/lg70HAjtkUgWPVZhZcm+T4hkL8Zbtp1nFNOn3lRrxnlv50SRBv7cR7RqR+GMsd3hUXy9hWBo4CHTbFTcOYwig==", + "dev": true, + "requires": { + "mkdirp": "^0.5.1" + } + }, + "y18n": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz", + "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==", + "dev": true + }, + "yargs": { + "version": "13.3.2", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-13.3.2.tgz", + "integrity": "sha512-AX3Zw5iPruN5ie6xGRIDgqkT+ZhnRlZMLMHAs8tg7nRruy2Nb+i5o9bwghAogtM08q1dpr2LVoS8KSTMYpWXUw==", + "dev": true, + "requires": { + "cliui": "^5.0.0", + "find-up": "^3.0.0", + "get-caller-file": "^2.0.1", + "require-directory": "^2.1.1", + "require-main-filename": "^2.0.0", + "set-blocking": "^2.0.0", + "string-width": "^3.0.0", + "which-module": "^2.0.0", + "y18n": "^4.0.0", + "yargs-parser": "^13.1.2" + } + }, + "yargs-parser": { + "version": "13.1.2", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz", + "integrity": "sha512-3lbsNRf/j+A4QuSZfDRA7HRSfWrzO0YjqTJd5kjAq37Zep1CEgaYmrH9Q3GwPiB9cHyd1Y1UwggGhJGoxipbzg==", + "dev": true, + "requires": { + "camelcase": "^5.0.0", + "decamelize": "^1.2.0" + } + }, + "yargs-unparser": { + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/yargs-unparser/-/yargs-unparser-1.6.0.tgz", + "integrity": "sha512-W9tKgmSn0DpSatfri0nx52Joq5hVXgeLiqR/5G0sZNDoLZFOr/xjBUDcShCOGNsBnEMNo1KAMBkTej1Hm62HTw==", + "dev": true, + "requires": { + "flat": "^4.1.0", + "lodash": "^4.17.15", + "yargs": "^13.3.0" + } + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..62ba9b6 --- /dev/null +++ b/package.json @@ -0,0 +1,33 @@ +{ + "name": "@microsoft/eslint-plugin-sdl", + "version": "0.1.5", + "description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)", + "keywords": [ + "eslint", + "eslintplugin", + "eslint-plugin", + "sdl" + ], + "author": "Microsoft", + "repository": { + "type": "git", + "url": "https://github.com/microsoft/eslint-plugin-sdl" + }, + "homepage": "https://github.com/microsoft/eslint-plugin-sdl", + "bugs": "https://github.com/microsoft/eslint-plugin-sdl/issues", + "main": "lib/index.js", + "scripts": { + "test": "mocha tests --recursive" + }, + "devDependencies": { + "@typescript-eslint/eslint-plugin": "^3.7.0", + "@typescript-eslint/parser": "^3.7.0", + "eslint": "^7.1.0", + "mocha": "^7.2.0", + "typescript": "^3.9.7" + }, + "engines": { + "node": ">=0.10.0" + }, + "license": "ISC" +} diff --git a/tests/fixtures/estree.ts b/tests/fixtures/estree.ts new file mode 100644 index 0000000..e69de29 diff --git a/tests/fixtures/tsconfig.json b/tests/fixtures/tsconfig.json new file mode 100644 index 0000000..5ffdb29 --- /dev/null +++ b/tests/fixtures/tsconfig.json @@ -0,0 +1,8 @@ +{ + "compilerOptions": { + "jsx": "preserve" + }, + "include": [ + "estree.ts" + ] +} \ No newline at end of file diff --git a/tests/lib/rules/no-angular-bypass-sanitizer.js b/tests/lib/rules/no-angular-bypass-sanitizer.js new file mode 100644 index 0000000..58bfb53 --- /dev/null +++ b/tests/lib/rules/no-angular-bypass-sanitizer.js @@ -0,0 +1,46 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "bypassSecurityTrustHtml('XSS')", + "x.bypassSecurityTrustHtml()", + "x.BypassSecurityTrustHtml('XSS')" + ], + invalid: [ + { + code: "$('p').bypassSecurityTrustHtml('XSS');", + errors: [ + { + messageId: "noBypass", + line: 1, + endLine: 1, + column: 1, + endColumn: 38 + } + ] + }, + { + code: "$('p').bypassSecurityTrustResourceUrl('XSS')", + errors: [{ messageId: "noBypass"}] + }, + { + code: "$('p').bypassSecurityTrustScript('XSS')", + errors: [{ messageId: "noBypass"}] + }, + { + code: "$('p').bypassSecurityTrustStyle('XSS')", + errors: [{ messageId: "noBypass"}] + }, + { + code: "$('p').bypassSecurityTrustUrl('XSS')", + errors: [{ messageId: "noBypass"}] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-angularjs-bypass-sce.js b/tests/lib/rules/no-angularjs-bypass-sce.js new file mode 100644 index 0000000..dbb1eab --- /dev/null +++ b/tests/lib/rules/no-angularjs-bypass-sce.js @@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "trustAsHtml()", + "$sce.trustAsHtml()", + "$sce.trustAsHtml('')", + "$sce.TrustAsHtml('XSS')", + "x.trustAsHtml('XSS')", + "$sceProvider.enabled()", + "$sceProvider.enabled(true)", + "$sceProvider.enabled(1)", + ], + invalid: [ + { + code: "$sceDelegate.trustAs($sce.HTML, 'XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAs($sce.HTML, 'XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAsCss('XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAsHtml('XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAsJs('XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAsResourceUrl('XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sce.trustAsUrl('XSS')", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sceProvider.enabled(false)", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sceProvider.enabled(0)", + errors: [{ messageId: "doNotBypass" }] + }, + { + code: "$sceProvider.enabled(true != true)", + errors: [{ messageId: "doNotBypass" }] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-angularjs-enable-svg.js b/tests/lib/rules/no-angularjs-enable-svg.js new file mode 100644 index 0000000..e41d3ac --- /dev/null +++ b/tests/lib/rules/no-angularjs-enable-svg.js @@ -0,0 +1,29 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "enableSvg()", + "enableSvg(true)", + "$sanitizeProvider.enableSvg()", + "$sanitizeProvider.enableSvg(false)", + "$sanitizeProvider.enableSvg(0)", + "$sanitizeProvider.EnableSvg(0)" + ], + invalid: [ + { + code: "$sanitizeProvider.enableSvg(true)", + errors: [{ messageId: "doNotEnableSVG" }] + }, + { + code: "$sanitizeProvider.enableSvg(1)", + errors: [{ messageId: "doNotEnableSVG" }] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-angularjs-sanitization-whitelist.js b/tests/lib/rules/no-angularjs-sanitization-whitelist.js new file mode 100644 index 0000000..b391eeb --- /dev/null +++ b/tests/lib/rules/no-angularjs-sanitization-whitelist.js @@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "aHrefSanitizationWhitelist('.*')", + "x.aHrefSanitizationWhitelist('.*')", + "$compileProvider.aHrefSanitizationWhitelist()", + "$compileProvider.AHrefSanitizationWhitelist('.*')" + ], + invalid: [ + { + code: "$compileProvider.aHrefSanitizationWhitelist('.*');", + errors: [ + { + messageId: "noSanitizationWhitelist", + line: 1, + endLine: 1, + column: 1, + endColumn: 50 + } + ] + }, + { + code: "$compileProvider.imgSrcSanitizationWhitelist('.*');", + errors: [ + { + messageId: "noSanitizationWhitelist", + line: 1, + endLine: 1, + column: 1, + endColumn: 51 + } + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-cookies.js b/tests/lib/rules/no-cookies.js new file mode 100644 index 0000000..f2e1c8e --- /dev/null +++ b/tests/lib/rules/no-cookies.js @@ -0,0 +1,87 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +const typescriptParserPath = require.resolve("@typescript-eslint/parser"); +const testUtils = require("../test-utils"); + +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + ` +function documentLikeAPIFunction(){ + return { + cookie:'fake.cookie' + } +} +var document2 = documentLikeAPIFunction(); +document2.cookie = '...'; +document2.cookie = '...'; +documentLikeAPIFunction().cookie = '...' + `, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` +interface DocumentLikeAPI { + cookie: string; +} +function documentLikeAPIFunction(): DocumentLikeAPI { + return null; +} +function X() { + // These usages are OK because they are not on the DOM document + var document: DocumentLikeAPI = documentLikeAPIFunction(); + document.cookie = '...'; + document.cookie = '...'; +} + +documentLikeAPIFunction().cookie = '...'; +` + } + ], + invalid: [ + { + code: "document.cookie = '...'", + errors: [{ messageId: "doNotUseCookies" }] + }, + { + code: "window.document.cookie = '...'", + errors: [{ messageId: "doNotUseCookies" }] + }, + { + code: "this.window.document.cookie = '...'", + errors: [{ messageId: "doNotUseCookies" }] + }, + { + code: "globalThis.window.document.cookie = '...'", + errors: [{ messageId: "doNotUseCookies" }] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` +function documentFunction(): Document { + return window.document; +} +documentFunction().cookie = '...'; + `, + errors: [{ messageId: "doNotUseCookies" }] + }, + { + parser: typescriptParserPath, + code: ` +namespace Sample { + function method() { + return document.cookie; + } +} + `, + errors: [{ messageId: "doNotUseCookies" }] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-document-domain.js b/tests/lib/rules/no-document-domain.js new file mode 100644 index 0000000..c832429 --- /dev/null +++ b/tests/lib/rules/no-document-domain.js @@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const testUtils = require("../test-utils"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` +interface DocumentLikeAPI { + domain: string; +} +function documentLikeAPIFunction(): DocumentLikeAPI { + return null; +} +function main() { + var document: DocumentLikeAPI = documentLikeAPIFunction(); + document.domain = 'somevalue'; +} + ` + } + ], + invalid: [ + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: "var doc = window.document; doc.domain = 'somevalue';", + errors: [{ messageId: "default" }] + }, + { + code: "document.domain = 'somevalue'", + errors: [{ messageId: "default" }] + }, + { + code: "window.document.domain = 'somevalue'", + errors: [{ messageId: "default" }] + }, + { + code: ` +var somevalue = 'somevalue'; +document.domain = somevalue; +window.document.domain = somevalue; + `, + errors: [ + { + line: 3, + messageId: "default" + }, + { + line: 4, + messageId: "default" + } + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-document-write.js b/tests/lib/rules/no-document-write.js new file mode 100644 index 0000000..4be2092 --- /dev/null +++ b/tests/lib/rules/no-document-write.js @@ -0,0 +1,86 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const testUtils = require("../test-utils"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + interface DocumentLikeAPI { + write: ((arg : string) => void); + writeln: ((arg : string) => void); + } + function documentLikeAPIFunction() : DocumentLikeAPI { + return { + write: () => {}, + writeln: () => {}, + }; + } + ` + }, + { + code: ` + function documentLikeAPIFunction() { + return { + write: function(){}, + writeln: function(){} + }; + } + var documentAPI = documentLikeAPIFunction(); + documentAPI.write('...'); + documentAPI.writeln('...'); + documentLikeAPIFunction().write('...'); + documentLikeAPIFunction().writeln('...'); + // wrong # of args + document.write(); + document.write('', ''); + document.writeln(); + document.writeln('', ''); + ` + } + ], + invalid: [ + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + var doc = document; + doc.write('...'); + doc.writeln('...'); + function documentFunction() : Document { + return window.document; + } + documentFunction().write('...'); + documentFunction().writeln('...'); + `, + errors: [ + { messageId: "default", line: 3 }, + { messageId: "default", line: 4 }, + { messageId: "default", line: 8 }, + { messageId: "default", line: 9 } + ] + }, + { + code: ` + document.write('...'); + document.writeln('...'); + window.document.write('...'); + window.document.writeln('...'); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 }, + { messageId: "default", line: 4 }, + { messageId: "default", line: 5 } + ] + } + ] +}); diff --git a/tests/lib/rules/no-electron-node-integration.js b/tests/lib/rules/no-electron-node-integration.js new file mode 100644 index 0000000..a17fd01 --- /dev/null +++ b/tests/lib/rules/no-electron-node-integration.js @@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + { + code: ` + var mainWindow = new BrowserWindow({ + webPreferences: { + nodeIntegration: false, + nodeIntegrationInWorker: false, + nodeIntegrationInSubFrames: false + } + }); + var view = new BrowserView({ + webPreferences: { + nodeIntegration: false + } + }); + ` + } + ], + invalid: [ + { + code: ` + var mainWindow = new BrowserWindow({ + webPreferences: { + nodeIntegration: true, + nodeIntegrationInWorker: true, + nodeIntegrationInSubFrames: true + } + }); + `, + errors: [ + { messageId: "default", line: 4}, + { messageId: "default", line: 5}, + { messageId: "default", line: 6} + ] + }, + { + code: ` + var view = new BrowserView({ + webPreferences: { + nodeIntegration: true, + nodeIntegrationInWorker: true, + nodeIntegrationInSubFrames: true + } + }); + `, + errors: [ + { messageId: "default", line: 4}, + { messageId: "default", line: 5}, + { messageId: "default", line: 6} + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-html-method.js b/tests/lib/rules/no-html-method.js new file mode 100644 index 0000000..47ba7d2 --- /dev/null +++ b/tests/lib/rules/no-html-method.js @@ -0,0 +1,45 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); +const testUtils = require("../test-utils"); + +ruleTester.run(ruleId, rule, { + valid: [ + "test.html = 'test'", + "test.html()", + "test.html('','')", + "element.html('');", + "element.html(null);" + ], + invalid: [ + { + code: "$('p').html('XSS')", + errors: [{ messageId: "default", line: 1 }] + }, + { + code: "$(selector).html(sample_function())", + errors: [{ messageId: "default", line: 1 }] + }, + { + parser: testUtils.tsParser, + parserOptions: { + ecmaVersion: 6, + sourceType: "module" + }, + env: { + }, + code: ` + import $ from "jquery"; + test.html('XSS'); + `, + errors: [ + { messageId: "default", line: 3 } + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-inner-html.js b/tests/lib/rules/no-inner-html.js new file mode 100644 index 0000000..5ad1758 --- /dev/null +++ b/tests/lib/rules/no-inner-html.js @@ -0,0 +1,78 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); +const testUtils = require("../test-utils"); + +ruleTester.run(ruleId, rule, { + valid: [ + "var test = element.innerHTML", + "var test = element.outerHTML", + "document.body.innerHTML = ''", + "document.test", + "element.insertAdjacentHTML()", + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + class Test { + innerHTML: string; + outerHTML: string; + constructor(test: string) { + this.innerHTML = test; + this.outerHTML = test; + } + }; + let test = new Test("test"); + test.innerHTML = test; + test.outerHTML = test; + ` + } + ], + invalid: [ + // TypeScript with full type information + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + var element = document.getElementById(id); + element.innerHTML = 'test'; + element.outerHTML = 'test'; + element.insertAdjacentHTML('beforebegin', 'foo'); + `, + errors: [ + { messageId: "noInnerHtml", line: 3 }, + { messageId: "noInnerHtml", line: 4 }, + { messageId: "noInsertAdjacentHTML", line: 5 } + ] + }, + { + code: ` + element.innerHTML = 'test'; + parent.child.innerHTML += 'test'; + `, + errors: [ + { messageId: "noInnerHtml", line: 2 }, + { messageId: "noInnerHtml", line: 3 } + ] + }, + { + code: ` + element.outerHTML = 'test'; + parent.child.outerHTML += 'test'; + `, + errors: [ + { messageId: "noInnerHtml", line: 2 }, + { messageId: "noInnerHtml", line: 3 } + ] + }, + { + code: "element.insertAdjacentHTML('beforebegin', 'foo')", + errors: [{ messageId: "noInsertAdjacentHTML", line: 1 }] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-insecure-random.js b/tests/lib/rules/no-insecure-random.js new file mode 100644 index 0000000..59a401c --- /dev/null +++ b/tests/lib/rules/no-insecure-random.js @@ -0,0 +1,198 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); +const testUtils = require("../test-utils"); + +ruleTester.run(ruleId, rule, { + valid: [ + "Math.Random;", + "Math.random;", + "math.random();", + "random();", + { + code: ` + Math.Random; + Math.random; + math.random(); + random(); + ` + }, + { + + code:` + require('./node_modules/not-unsafe-random'); + require('eslint'); + require('test'); + require('random-package'); + require('random-float2'); + require('random2-seed'); + ` + }, + { + parserOptions: testUtils.moduleParserOptions, + code:` + import './node_modules/untest'; + import 'random'; + import 'random-3'; + import 'eslint'; + import 'eslint-plugin-sdl'; + import 'testing'; + ` + }, + { + + code:` + cryptos.pseudoRandomBytes(); + pseudoRandomBytes(); + pseudoRandomByte(); + cryptos.pseudoRondomBytes(); + ` + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + function random(){} + + random(); + + Math.Random; + Math.random; + ` + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code:` + function pseudoRandomBytes(){} + function pseudoRandomByte(){} + + pseudoRandomBytes(); + pseudoRandomByte(); + cryptos.pseudoRondomBytes(); + cryptos.pseudoRondomBytes(); + ` + } + ], + invalid: [ + { + code: ` + Math.random(); + crypto.pseudoRandomBytes(); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 } + ] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + Math.random(); + this.Math.random(); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 } + ] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + function notMath() : Math{ + return Math; + } + + notMath().random(); + `, + errors: [ + { messageId: "default", line: 6 } + ] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + crypto.pseudoRandomBytes(); + `, + errors: [ + { messageId: "default", line: 2 } + ] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + function notCrypto() : Crypto{ + return crypto; + } + + notCrypto().pseudoRandomBytes(); + `, + errors: [ + { messageId: "default", line: 6 } + ] + }, + { + parserOptions: testUtils.moduleParserOptions, + code:` + import './node_modules/unique-random'; + import 'chance'; + import 'random-number'; + import 'random-int'; + import 'random-float'; + import 'random-seed'; + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 }, + { messageId: "default", line: 4 }, + { messageId: "default", line: 5 }, + { messageId: "default", line: 6 }, + { messageId: "default", line: 7 } + ] + }, + { + parserOptions: testUtils.moduleParserOptions, + code:` + import * as chance1 from 'chance'; + import defaultExport from 'chance'; + import { chance } from 'chance'; + import { chance as chance2 } from 'chance'; + import { chance3, chance4 } from 'chance'; + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 }, + { messageId: "default", line: 4 }, + { messageId: "default", line: 5 }, + { messageId: "default", line: 6 } + ] + }, + { + code:` + require('./node_modules/unique-random'); + require('**/chance.js'); + require('random-number'); + require('random-int'); + require('random-float'); + require('random-seed'); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 }, + { messageId: "default", line: 4 }, + { messageId: "default", line: 5 }, + { messageId: "default", line: 6 }, + { messageId: "default", line: 7 } + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-insecure-url.js b/tests/lib/rules/no-insecure-url.js new file mode 100644 index 0000000..bc52f98 --- /dev/null +++ b/tests/lib/rules/no-insecure-url.js @@ -0,0 +1,133 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join("../../../lib/rules/", ruleId)); +const RuleTester = require("eslint").RuleTester; +const testUtils = require("../test-utils"); + +/** + * Notes: + * - ES2015/ES6 introduced template literals (``). This is considered in parserOptions for relevant tests. + */ + +let ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + { // should allow https,ftps strings in variables + code: ` + var x = 'https://www.example.com' + var y = 'ftps://www.example.com' + ` + }, + { // should allow https,ftps template strings in variables + code: ` + var x = \`https://www.template-examples.com\` + var y = \`ftps://www.template-file-examples.com\` + `, + parserOptions: testUtils.moduleParserOptions + }, + { // should allow https,ftps multipart template strings in variables + code: ` + var x = \`https://www.\${multipartExample}.com\` + var y = \`ftps://www.\${multipartExample}.com\` + `, + parserOptions: testUtils.moduleParserOptions + }, + { // should allow http,ftp in middle of string + code: "var x = 'The protocol may be http://, https://, ftp:// or ftps://'" + }, + { // should allow https,ftps strings in default values + code: ` + function f(x : string = 'https://www.example.com') {} + function f(y : string = 'ftps://www.example.com') {} + `, + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + }, + { // should allow user-provided exceptions matches, regardless of upper/lower-case + code: ` + var a1 = 'http://www.allow-example.com' + var a2 = 'HtTp://www.allow-example.com/path' + var b1 = 'FTP://www.allow-file-example.com' + var c1 = 'LDaP://www.allow-ldap-example.com' + `, + options: [{ + exceptions: ["HTTP:\/\/www\.allow-example\.com\/?.*", "FtP:\/\/www\.allow-file-example\.com", "LdaP:\/\/www\.allow-ldap-example\.com"] + }] + }, + ], + invalid: [ + { // should ban http,ftp strings in variables + code: ` + var x1 = 'http://www.examples.com' + var x2 = 'HTTP://www.examples.com' + var y1 = 'ftp://www.file-examples.com' + var y2 = 'FTP://www.file-examples.com' + `, + errors: [ + { messageId: "doNotUseInsecureUrl", line: 2}, + { messageId: "doNotUseInsecureUrl", line: 3}, + { messageId: "doNotUseInsecureUrl", line: 4}, + { messageId: "doNotUseInsecureUrl", line: 5} + ], + }, + { // should ban http,ftp template strings in variables + code: ` + var x1 = \`http://www.template-examples.com\` + var x2 = \`HTTP://www.template-examples.com\` + var y1 = \`ftp://www.file-examples.com\` + var y2 = \`FTP://www.file-examples.com\` + `, + errors: [ + { messageId: "doNotUseInsecureUrl", line: 2}, + { messageId: "doNotUseInsecureUrl", line: 3}, + { messageId: "doNotUseInsecureUrl", line: 4}, + { messageId: "doNotUseInsecureUrl", line: 5} + ], + parserOptions: testUtils.moduleParserOptions + }, + { // should ban http,ftp multipart template strings in variables + code: ` + var x1 = \`http://www.\${multipartExample}.com\`; + var y1 = \`ftp://www.\${multipartExample}.com\`; + `, + errors: [ + { messageId: "doNotUseInsecureUrl", line: 2}, + { messageId: "doNotUseInsecureUrl", line: 3}, + ], + parserOptions: testUtils.moduleParserOptions + }, + { // should ban http,ftp strings in default values + code: ` + function f(x : string = 'http://www.example.com') {} + function f(y : string = 'ftp://www.example.com') {} + `, + errors: [ + { messageId: "doNotUseInsecureUrl", line: 2}, + { messageId: "doNotUseInsecureUrl", line: 3}, + ], + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + }, + { // should ban user-provided blacklist matches, regardless of upper/lower-case + code: ` + var a1 = 'http://www.ban-example.com' + var a2 = 'HTTP://www.ban-example.com/path' + var b1 = 'FtP://www.ban-file-example.com' + var c1 = 'LDAp://www.ban-ldap-example.com' + `, + errors: [ + { messageId: "doNotUseInsecureUrl", line: 2}, + { messageId: "doNotUseInsecureUrl", line: 3}, + { messageId: "doNotUseInsecureUrl", line: 4}, + { messageId: "doNotUseInsecureUrl", line: 5} + ], + options: [{ + blacklist: ["htTp:\/\/www\.ban-example\.com\/?.*", "fTp:\/\/www\.ban-file-example\.com\/?.*", "lDAp:\/\/www\.ban-ldap-example\.com\/?.*"] + }] + }, + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-msapp-exec-unsafe.js b/tests/lib/rules/no-msapp-exec-unsafe.js new file mode 100644 index 0000000..4aa4d90 --- /dev/null +++ b/tests/lib/rules/no-msapp-exec-unsafe.js @@ -0,0 +1,24 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); +const testUtils = require("../test-utils"); + +ruleTester.run(ruleId, rule, { + valid: [ + "test.execUnsafeLocalFunction = 'test'", + "MSApp.execUnsafeLocalFunction()" + ], + invalid: [ + { + code: "MSApp.execUnsafeLocalFunction(testfunc)", + errors: [ + { messageId: "default", line: 1, type: 'CallExpression' } + ] + } + ] +}); diff --git a/tests/lib/rules/no-postmessage-star-origin.js b/tests/lib/rules/no-postmessage-star-origin.js new file mode 100644 index 0000000..b40c5ec --- /dev/null +++ b/tests/lib/rules/no-postmessage-star-origin.js @@ -0,0 +1,59 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const testUtils = require("../test-utils"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "window.postMessage()", + "window.postMessage = ''", + "window.postMessage(1)", + "window.postMessage(1, 2, 3, 4)", + "window.postMessage('data', 'https://target.domain')", + "window.postMessage('data', 'https://target.domain', 'menubar=yes')", + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` +class WindowLike { + postMessage(): void { + }; +} +function main() { + var w: WindowLike = new WindowLike(); + w.postMessage('test', '*'); +} + ` + } + ], + invalid: [ + { + code: ` + any.postMessage(message, "*"); + any.postMessage(message, "*", "menubar=yes"); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 } + ] + }, + { + parser: testUtils.tsParser, + parserOptions: testUtils.tsParserOptions, + code: ` + window.frames[0].postMessage(message, "*"); + var w1 = window.open(url); + w1.postMessage(message, "*"); + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 4 } + ] + }, + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-unsafe-alloc.js b/tests/lib/rules/no-unsafe-alloc.js new file mode 100644 index 0000000..bd99f37 --- /dev/null +++ b/tests/lib/rules/no-unsafe-alloc.js @@ -0,0 +1,29 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +"use strict"; +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); + +ruleTester.run(ruleId, rule, { + valid: [ + "foo.allocUnsafe", + "Buffer.allocUnsafe(0)", + "Buffer.allocUnsafeSlow(0)" + ], + invalid: [ + { + code: ` + var buf1 = Buffer.allocUnsafe(10); + var buf2 = Buffer.allocUnsafeSlow(10) + `, + errors: [ + { messageId: "default", line: 2 }, + { messageId: "default", line: 3 } + ] + } + ] +}); \ No newline at end of file diff --git a/tests/lib/rules/no-winjs-html-unsafe.js b/tests/lib/rules/no-winjs-html-unsafe.js new file mode 100644 index 0000000..bbcf3dc --- /dev/null +++ b/tests/lib/rules/no-winjs-html-unsafe.js @@ -0,0 +1,29 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; +var ruleTester = new RuleTester(); +const testUtils = require("../test-utils"); + +ruleTester.run(ruleId, rule, { + valid: [ + 'element.insertAdjacentHTMLUnsafe = "test";' + ], + invalid: [ + { + code: ` + WinJS.Utilities.insertAdjacentHTMLUnsafe(element, position, text); + WinJS.Utilities.setInnerHTMLUnsafe(element, text); + WinJS.Utilities.setOuterHTMLUnsafe(element, text); + `, + errors: [ + { messageId: "default", line: 2, type: 'CallExpression' }, + { messageId: "default", line: 3, type: 'CallExpression' }, + { messageId: "default", line: 4, type: 'CallExpression' } + ] + } + ] +}); diff --git a/tests/lib/rules/react-iframe-missing-sandbox.js b/tests/lib/rules/react-iframe-missing-sandbox.js new file mode 100644 index 0000000..377de5b --- /dev/null +++ b/tests/lib/rules/react-iframe-missing-sandbox.js @@ -0,0 +1,79 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +'use strict'; + +const path = require("path"); +const ruleId = path.parse(__filename).name; +const rule = require(path.join('../../../lib/rules/', ruleId)); +const RuleTester = require("eslint").RuleTester; + +var ruleTester = new RuleTester({ + parserOptions: { + ecmaVersion: 2018, + sourceType: 'module', + ecmaFeatures: { + jsx: true + } + } +}); + +ruleTester.run(ruleId, rule, { + valid: [ + { code: '
;' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' }, + { code: '' } + ], + invalid: [ + { + code: ';', + errors: [{ messageId: 'attributeMissing' }] + }, + { + code: '', + errors: [{ messageId: 'invalidValue', data: { value: '__unknown__' } }] + }, + { + code: ';', + errors: [{ messageId: 'invalidCombination' }] + }, + { + code: '