Merge branch 'main' into dev/vflouirac/updateconfig

.github/workflows/E2E integration.yml

@@ -10,9 +10,9 @@ on:
     branches: [main, release/vNext]
   
 env:
-  PROJECT: discordjs # The name of the project you want to clone. It must be on github
+  PROJECT: nodejs # The name of the project you want to clone. It must be on github
-  REPOSITORY: discord.js # The repository name
+  REPOSITORY: node # The repository name
-  FOLDER_TO_SCAN: src # The folder under which the source code you have is contained. Relative to the repository
+  FOLDER_TO_SCAN: lib # The folder under which the source code you have is contained. Relative to the repository
   TS_CONFIG_PATH: tsconfig.json # The tsconfig.json path relative to the repository
   
 jobs:
@@ -22,7 +22,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [ubuntu-18.04, windows-2019]
+        os: [ubuntu-latest, windows-latest]
 
     steps:
       - name: Setup Node.js environment
@@ -70,7 +70,7 @@ jobs:
         
       - name: Run eslint
         run: npx eslint 
-             -c node_modules/@microsoft/eslint-plugin-sdl/config/recommended.js 
+             -c node_modules/@microsoft/eslint-plugin-sdl/config/required.js 
              ../${{env.PROJECT}}/${{env.FOLDER_TO_SCAN}}/ 
              --ext .js 
              --parser-options=project:../${{env.PROJECT}}/${{env.TS_CONFIG_PATH}} 

.github/workflows/node-version-integration.yml

@@ -16,8 +16,8 @@ jobs:
 
     strategy:
       matrix:
-        os: [ubuntu-20.04, ubuntu-18.04, windows-2019, macos-10.15]
+        os: [ubuntu-latest, windows-latest]
-        node-version: [12.x, 14.x]
+        node-version: [12.x, 14.x, 16.x]
 
     steps:
     - uses: actions/checkout@v2

config/react.js

@@ -14,6 +14,15 @@ module.exports = {
   ],
   rules: {
     "react/no-danger": "error",
-    "@microsoft/sdl/react-iframe-missing-sandbox": "error"
+    "@microsoft/sdl/react-iframe-missing-sandbox": "error",
+    "react/jsx-no-target-blank": ["error",
+     {
+      allowReferrer: false,
+      enforceDynamicLinks: 'always',
+      warnOnSpreadAttributes: true,
+      links: true,
+      forms: true    
+     }
+    ]
   }
 }

lib/ast-utils.js

@@ -28,23 +28,18 @@ module.exports = {
     getFullTypeChecker(context) {
         return this.hasFullTypeInformation(context) ? context.parserServices.program.getTypeChecker() : null;
     },
-    getNodeType(node, context) {
+    getNodeTypeAsString(fullTypeChecker, node, context) {
-        const typeChecker = context.parserServices.program.getTypeChecker();
+        if (fullTypeChecker && node) {
-        const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
+          const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
-        const tsType = typeChecker.getTypeAtLocation(tsNode);
+          const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
-        return typeChecker.typeToString(tsType);
+          const type = fullTypeChecker.typeToString(tsType);
-    },
+          return type;
-    getCallerType(fullTypeChecker, object, context){
+        }
-        const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(object);
+        return "any";
-        const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
-        const type = fullTypeChecker.typeToString(tsType);
-        return type;
     },
     isDocumentObject(node, context, fullTypeChecker) {
         if (fullTypeChecker) {
-            const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
+            const type = this.getNodeTypeAsString(fullTypeChecker, node, context);
-            const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
-            const type = fullTypeChecker.typeToString(tsType);
             return (type === "Document");
         }
 
@@ -58,7 +53,8 @@ module.exports = {
                     node.property != undefined &&
                     node.property.name == "document" && (
                         (node.object != undefined &&
-                        node.object.name == "window") ||
+                         typeof node.object.name === "string" &&
+                         node.object.name.toLowerCase().endsWith('window')) ||
                         (
                             node.object != undefined &&
                             node.object.property != undefined &&

lib/rules/no-inner-html.js

@@ -30,19 +30,9 @@ module.exports = {
   create: function (context) {
     const fullTypeChecker = astUtils.getFullTypeChecker(context);
 
-    function getNodeTypeAsString(node) {
-      if (fullTypeChecker && node) {
-        const tsNode = context.parserServices.esTreeNodeToTSNodeMap.get(node);
-        const tsType = fullTypeChecker.getTypeAtLocation(tsNode);
-        const type = fullTypeChecker.typeToString(tsType);
-        return type;
-      }
-      return "any";
-    }
-
     function mightBeHTMLElement(node) {
-      const type = getNodeTypeAsString(node);
+      const type = astUtils.getNodeTypeAsString(fullTypeChecker, node, context);
-      return type === "HTMLElement" || type === "any";
+      return type.match(/HTML.*Element/) || type === "any";
     }
 
     return {

lib/rules/no-insecure-random.js

@@ -47,7 +47,7 @@ module.exports = {
         var notFalsePositive = false;
 
         if (fullTypeChecker) {
-          const type = astUtils.getCallerType(fullTypeChecker, node.object, context);
+          const type = astUtils.getNodeTypeAsString(fullTypeChecker, node.object, context);
           notFalsePositive = type === "any" || type === "Crypto";
         }else{
           notFalsePositive = node.object.name === 'crypto';
@@ -63,7 +63,7 @@ module.exports = {
       "CallExpression > MemberExpression[property.name='random']"(node) {
         var notFalsePositive = false;
         if (fullTypeChecker) {
-          const type = astUtils.getCallerType(fullTypeChecker, node.object, context);
+          const type = astUtils.getNodeTypeAsString(fullTypeChecker, node.object, context);
           notFalsePositive = type === "any" || type === "Math";
         }else{
           notFalsePositive = node.object.name === 'Math';

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/eslint-plugin-sdl",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)",
   "keywords": [
     "eslint",
@@ -19,6 +19,11 @@
   "scripts": {
     "test": "mocha tests --recursive"
   },
+  "dependencies": {
+    "eslint-plugin-node": "11.1.0",
+    "eslint-plugin-security": "1.4.0",
+    "eslint-plugin-react": "7.24.0"
+  },
   "devDependencies": {
     "@typescript-eslint/eslint-plugin": "^3.7.0",
     "@typescript-eslint/parser": "^3.7.0",

tests/lib/rules/no-document-domain.js

@@ -47,6 +47,7 @@ function main() {
 var somevalue = 'somevalue'; 
 document.domain = somevalue;
 window.document.domain = somevalue;
+newWindow.document.domain = somevalue;
       `,
       errors: [
         { 
@@ -56,6 +57,10 @@ window.document.domain = somevalue;
         {
           line: 4,
           messageId: "default" 
+        },
+        {
+          line: 5,
+          messageId: "default"
         }
       ]
     }

tests/lib/rules/no-document-write.js

@@ -74,12 +74,16 @@ ruleTester.run(ruleId, rule, {
         document.writeln('...');
         window.document.write('...');
         window.document.writeln('...');
+        newWindow.document.write('...');
+        newWindow.document.writeln('...');
       `,
       errors: [
         { messageId: "default", line: 2 },
         { messageId: "default", line: 3 },
         { messageId: "default", line: 4 },
-        { messageId: "default", line: 5 }
+        { messageId: "default", line: 5 },
+        { messageId: "default", line: 6 },
+        { messageId: "default", line: 7 }
       ]
     }
   ]