Home Explore Help
Sign In
CocoRoboLabs
/
CocoRoboDesktop
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d6262b52a8
Branches Tags
CocoRoboDesk...
/
pdf1.js
/
node_modules
/
@microsoft
/
eslint-plugin-sdl
/
lib
/
rules
/
no-insecure-url.js

no-insecure-url.js 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. // Copyright (c) Microsoft Corporation.
    2. 

  2. // Licensed under the MIT License.
    3. 

  3. 

  4. /**
    5. 

  5.  * @fileoverview Disallows usage of insecure protocols in URL strings
    6. 

  6.  */
    7. 

  7. 

  8. "use strict";
    9. 

  9. 

  10. //------------------------------------------------------------------------------
    11. 

  11. // Rule Definition
    12. 

  12. //------------------------------------------------------------------------------
    13. 

  13. const DEFAULT_BLOCKLIST = [
    14. 

  14.     /^(ftp|http|telnet|ws):\/\//i
    15. 

  15. ];
    16. 

  16. 

  17. const DEFAULT_EXCEPTIONS = [     // TODO: add more typical false positives such as XML schemas after more testing
    18. 

  18.     /^http:(\/\/|\\u002f\\u002f)schemas\.microsoft\.com(\/\/|\\u002f\\u002f)?.*/i,
    19. 

  19.     /^http:(\/\/|\\u002f\\u002f)schemas\.openxmlformats\.org(\/\/|\\u002f\\u002f)?.*/i,
    20. 

  20.     /^http:(\/|\\u002f){2}localhost(:|\/|\\u002f)*/i,
    21. 

  21.     /^http:(\/\/)www\.w3\.org\/1999\/xhtml/i,
    22. 

  22.     /^http:(\/\/)www\.w3\.org\/2000\/svg/i
    23. 

  23. ];
    24. 

  24. 

  25. const DEFAULT_VARIABLES_EXECEPTIONS = [];
    26. 

  26. 

  27. module.exports = {
    28. 

  28.     defaultBlocklist: DEFAULT_BLOCKLIST,
    29. 

  29.     defaultExceptions: DEFAULT_EXCEPTIONS,
    30. 

  30.     defaultVarExecptions: DEFAULT_VARIABLES_EXECEPTIONS,
    31. 

  31.     meta: {
    32. 

  32.         type: "suggestion",
    33. 

  33.         fixable: "code",
    34. 

  34.         schema: [
    35. 

  35.             {
    36. 

  36.                 type: "object",
    37. 

  37.                 properties: {
    38. 

  38.                     blocklist: {
    39. 

  39.                         type: "array",
    40. 

  40.                         items: {
    41. 

  41.                             type: "string"
    42. 

  42.                         }
    43. 

  43.                     },
    44. 

  44.                     exceptions: {
    45. 

  45.                         type: "array",
    46. 

  46.                         items: {
    47. 

  47.                             type: "string"
    48. 

  48.                         }
    49. 

  49.                     },
    50. 

  50.                     varExceptions: {
    51. 

  51.                       type: "array",
    52. 

  52.                       items: {
    53. 

  53.                           type: "string"
    54. 

  54.                       }
    55. 

  55.                   },
    56. 

  56.                 },
    57. 

  57.                 additionalProperties: false
    58. 

  58.             }
    59. 

  59.         ],
    60. 

  60.         docs: {
    61. 

  61.             category: "Security",
    62. 

  62.             description: "Insecure protocols such as [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) or [FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol) should be replaced by their encrypted counterparts ([HTTPS](https://en.wikipedia.org/wiki/HTTPS), [FTPS](https://en.wikipedia.org/wiki/FTPS)) to avoid sending (potentially sensitive) data over untrusted network in plaintext.",
    63. 

  63.             url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-insecure-url.md"
    64. 

  64.         },
    65. 

  65.         messages: {
    66. 

  66.             doNotUseInsecureUrl: "Do not use insecure URLs"
    67. 

  67.         }
    68. 

  68.     },
    69. 

  69.     create: function (context) {
    70. 

  70.         const options = context.options[0] || {};
    71. 

  71.         const blocklist = (options.blocklist || DEFAULT_BLOCKLIST).map((pattern) => { return new RegExp(pattern, "i"); });
    72. 

  72.         const exceptions = (options.exceptions || DEFAULT_EXCEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });
    73. 

  73.         const varExceptions = (options.varExceptions || DEFAULT_VARIABLES_EXECEPTIONS).map((pattern) => { return new RegExp(pattern, "i"); });
    74. 

  74. 

  75.         function matches(patterns, value) {
    76. 

  76.             return patterns.find((re) => { return re.test(value) }) !== undefined;
    77. 

  77.         }
    78. 

  78. 

  79.         function shouldFix( varExceptions,context, node) {
    80. 

  80.           let sourceCode = context.getSourceCode();
    81. 

  81.           // check variable for unfixable pattern e.g. `var insecureURL = "http://..."`
    82. 

  82.           let text = node.parent
    83. 

  83.             ? sourceCode.getText(node.parent)
    84. 

  84.             : sourceCode.getText(node);
    85. 

  85.           // if no match, fix the line
    86. 

  86.           return !matches(varExceptions,text);
    87. 

  87.         }
    88. 

  88. 

  89.         return {
    90. 

  90.             "Literal"(node) {
    91. 

  91.                 if (typeof node.value === "string") {
    92. 

  92.                     // Add an exception for xmlns attributes
    93. 

  93.                     if(node.parent && node.parent.type === "JSXAttribute" && node.parent.name && node.parent.name.name === "xmlns")
    94. 

  94.                     {
    95. 

  95.                         // Do nothing
    96. 

  96.                     }
    97. 

  97.                     else if (matches(blocklist, node.value) && !matches(exceptions, node.value) && shouldFix(varExceptions,context, node)) {
    98. 

  98.                       context.report({
    99. 

  99.                         node: node,
    100. 

  100.                         messageId: "doNotUseInsecureUrl",
    101. 

  101.                         fix(fixer) {
    102. 

  102.                           // Only fix if it contains an http url
    103. 

  103.                           if (node.value.toLowerCase().includes("http")) {
    104. 

  104.                             let fixedString = node.value.replace(/http:/i, "https:");
    105. 

  105.                             //insert an "s" before ":/" to change http:/ to https:/
    106. 

  106.                             return fixer.replaceText(node, JSON.stringify(fixedString));
    107. 

  107.                           }
    108. 

  108.                         },
    109. 

  109.                       });
    110. 

  110.                     }
    111. 

  111.                 }
    112. 

  112.             },
    113. 

  113.             "TemplateElement"(node) {
    114. 

  114.                 if (typeof node.value.raw === "string" && typeof node.value.cooked === "string") {
    115. 

  115.                     const rawStringText = node.value.raw;
    116. 

  116.                     const cookedStringText = node.value.cooked;
    117. 

  117. 

  118.                   if (shouldFix(varExceptions,context, node) && (matches(blocklist, rawStringText) && !matches(exceptions, rawStringText)) ||
    119. 

  119.                       (matches(blocklist, cookedStringText) && !matches(exceptions, cookedStringText))) {
    120. 

  120.                       context.report({
    121. 

  121.                         node: node,
    122. 

  122.                         messageId: "doNotUseInsecureUrl",
    123. 

  123.                         fix(fixer) {
    124. 

  124.                           // Only fix if it contains an http url
    125. 

  125.                           if (node.value.raw.toLowerCase().includes("http")) {
    126. 

  126.                             let escapedString =  JSON.stringify(context.getSourceCode().getText(node));
    127. 

  127.                             // delete "" that JSON.stringify created and convert to `` string
    128. 

  128.                             escapedString = ``+ escapedString.substring(1, escapedString.length-1);
    129. 

  129.                             let fixedString = escapedString.replace(/http:/i, "https:");
    130. 

  130.                             //insert an "s" before ":/" to change http:/ to https:/
    131. 

  131.                             return fixer.replaceText(node, fixedString);
    132. 

  132.                           }
    133. 

  133.                         }
    134. 

  134.                       });
    135. 

  135.                   }
    136. 

  136.               }
    137. 

  137.             },
    138. 

  138.         };
    139. 

  139.     },
    140. 

  140. };
    141.