-
Notifications
You must be signed in to change notification settings - Fork 33
/
ruleHelper.js
443 lines (404 loc) · 18.6 KB
/
ruleHelper.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
/**
* @fileoverview ESLint helpers for checking sanitization
* @author Frederik Braun et al.
* @copyright 2015-2017 Mozilla Corporation. All rights reserved.
*/
"use strict";
// names of escaping functions that we acknowledge
const VALID_ESCAPERS = ["Sanitizer.escapeHTML", "escapeHTML"];
const VALID_UNWRAPPERS = ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"];
/** Change this to class RuleHelper when <4.2.6 is no longer an issue
*
* @constructor
* @param {Object} context ESLint configuration context
* @param {Object} defaultRuleChecks Default rules to merge with
* this.context
*
*/
function RuleHelper(context, defaultRuleChecks) {
this.context = context;
this.ruleChecks = this.combineRuleChecks(defaultRuleChecks);
}
RuleHelper.prototype = {
/**
* Returns true if the expression contains allowed syntax, otherwise false.
*
* The function will be called recursively for Template Strings with interpolation
* (e.g. `Hello ${name}`), Binary Expressions (e.g. |foo+bar|), and more.
*
* @param {Object} expression Checks whether this node is an allowed expression.
* @param {Object} escapeObject contains keys "methods" and "taggedTemplates" which are arrays of strings
* of matching escaping function names.
* @param {Object} details Additional linter violation state information, in case this function was called
* recursively.
* @returns {boolean} Returns whether the expression is allowed.
*
*/
allowedExpression(expression, escapeObject, details) {
if (!escapeObject) {
escapeObject = {};
}
/*
expression = { right-hand side of innerHTML or 2nd param to insertAdjacentHTML
*/
let allowed;
/* check the stringish-part, which is either the right-hand-side of
an inner/outerHTML assignment or the 2nd parameter to insertAdjacentTML
*/
switch(expression.type) {
case "Literal":
/* surely, someone could have an evil literal in there, but that"s malice
we can just check for unsafe coding practice, not outright malice
example literal "<script>eval(location.hash.slice(1)</script>"
(it"s the task of the tagger-function to be the gateway here.)
*/
allowed = true;
break;
case "TemplateElement":
// Raw text from a template
allowed = true;
break;
case "TemplateLiteral":
// check only the ${..} expressions
allowed = this.allowedExpression(expression.expressions, escapeObject, details);
break;
case "TaggedTemplateExpression":
allowed = this.isAllowedCallExpression(expression.tag, escapeObject.taggedTemplates || VALID_ESCAPERS);
break;
case "CallExpression":
allowed = this.isAllowedCallExpression(expression.callee, escapeObject.methods || VALID_UNWRAPPERS);
break;
case "BinaryExpression":
allowed = ((this.allowedExpression(expression.left, escapeObject, details))
&& (this.allowedExpression(expression.right, escapeObject, details)));
break;
case "TSAsExpression":
// TSAsExpressions contain the raw javascript value in 'expression'
allowed = this.allowedExpression(expression.expression, escapeObject, details);
break;
case "TypeCastExpression":
allowed = this.allowedExpression(expression.expression, escapeObject, details);
break;
case "Identifier":
allowed = this.isAllowedIdentifier(expression, escapeObject, details);
break;
default:
// everything that doesn't match is considered unsafe:
allowed = false;
break;
}
if (Array.isArray(expression)) {
allowed = expression.every((e) => this.allowedExpression(e, escapeObject, details));
}
return allowed;
},
/**
* Check if an identifier is allowed
* - only if variableTracing is enabled in the first place.
* - find its declarations and see if it's const or let
* - if so, allow if the declaring statement is an allowed expression
* - ensure that following assignments to that identifier are also allowed
*
* @param {Object} expression Identifier expression
* @param {Object} escapeObject contains keys "methods" and "taggedTemplates" which are arrays of strings
* of matching escaping function names.
* @param {Object} details Additional linter violation state information, in case this function was called
* recursively.
* @returns {boolean} Returns whether the Identifier is deemed safe.
*/
isAllowedIdentifier(expression, escapeObject, details) {
// respect the custom config property `variableTracing`:
if (!this.ruleChecks["variableTracing"]) {
return false;
}
// find declared variables and see which are literals
const scope = this.context.getScope(expression);
const variableInfo = scope.set.get(expression.name);
let allowed = false;
// If we can't get info on the variable, we just can't allow it
if (!variableInfo ||
!variableInfo.defs ||
variableInfo.defs.length == 0 ||
!variableInfo.references ||
variableInfo.references.length == 0) {
// FIXME Fix/Adjust towards a helpful message here and update tests accordingly.
// details.message = `Variable ${expression.name} considered unsafe: variable initialization not found`;
return false;
}
// look if the var was defined as allowable
let definedAsAllowed = false;
for (const def of variableInfo.defs) {
if (def.node.type !== "VariableDeclarator") {
// identifier wasn't declared as a variable
// e.g., it shows up as a parameter to an
// ArrowFunctionExpression, FunctionDeclaration or FunctionExpression
const {line, column} = def.node.loc.start;
if ((def.node.type === "FunctionDeclaration") || (def.node.type == "ArrowFunctionExpression") || (def.node.type === "FunctionExpression"))
{
details.message = `Variable '${expression.name}' declared as function parameter, which is considered unsafe. '${def.node.type}' at ${line}:${column}`;
} else {
details.message = `Variable '${expression.name}' initialized with unknown declaration '${def.node.type}' at ${line}:${column}`;
}
definedAsAllowed = false;
break;
}
if ((def.kind !== "let") && (def.kind !== "const")) {
// We do not allow for identifiers declared with "var", as they can be overridden in a
// way that is hard for us to follow (e.g., assignments to globalThis[theirNameAsString]).
definedAsAllowed = false;
break;
}
// the `init` property carries the right-hand side of the variable definition:
const varInitAs = def.node.init;
// When the variable is only declared but not initialized, `init` is `null`.
if (varInitAs && !this.allowedExpression(varInitAs, escapeObject, details)) {
// if one variable definition is considered unsafe, all are.
// NB: order of definition is unclear. See issue #168.
if (!details.message) {
const {line, column} = varInitAs.loc.start;
details.message = `Variable '${expression.name}' initialized with unsafe value at ${line}:${column}`;
}
definedAsAllowed = false;
break;
}
// keep iterating through other definitions.
definedAsAllowed = true;
}
if (definedAsAllowed) {
// the variable was declared as a safe value (e.g., literal)
// now inspect writing references to that variable
let allWritingRefsAllowed = false;
// With no write variable references, if it was defined as allowed
// then we should consider it safe.
if (variableInfo.references.filter(ref => ref.isWrite()).length === 0) {
allWritingRefsAllowed = true;
}
for (const ref of variableInfo.references) {
// only look into writing references
if (ref.isWrite()) {
const writeExpr = ref.writeExpr;
// if one is unsafe we'll consider all unsafe.
// this is because code occurring doesn't guarantee it being executed
// due to dynamic behavior if-conditions and such
if (!this.allowedExpression(writeExpr, escapeObject, details)) {
if (!details.message) {
const {line, column} = writeExpr.loc.start;
details.message = `Variable '${expression.name}' reassigned with unsafe value at ${line}:${column}`;
}
allWritingRefsAllowed = false;
break;
}
allWritingRefsAllowed = true;
}
}
// allow this variable, because all writing references to it were allowed.
allowed = allWritingRefsAllowed;
}
return allowed;
},
/**
* Check if a callee is in the list allowed sanitizers
*
* @param {Object} callee Function that is being called expression.tag
* or expression.callee
* @param {Array} allowedSanitizers List of valid wrapping expressions
* @returns {boolean} Returns whether call to the callee is allowed
*/
isAllowedCallExpression(callee, allowedSanitizers) {
const funcName = this.getCodeName(callee);
let allowed = false;
if (funcName && allowedSanitizers.indexOf(funcName) !== -1) {
allowed = true;
}
return allowed;
},
/**
* Captures safely any new node types that have been missed and throw when we don't support them
* this normalizes the passed in identifier type to return the same shape
*
* @param {Object} node A callable expression to be simplified
* @returns {Object} Method and (if applicable) object name
*/
normalizeMethodCall(node) {
let methodName;
let objectName;
switch (node.type) {
case "Identifier":
methodName = node.name;
break;
case "MemberExpression":
methodName = node.property.name;
objectName = node.object.name || this.context.getSource(node.object);
break;
case "ConditionalExpression":
case "CallExpression":
case "ArrowFunctionExpression":
methodName = "";
break;
case "AssignmentExpression":
methodName = this.normalizeMethodCall(node.right);
break;
case "Import":
methodName = "import";
break;
default:
this.reportUnsupported(node, "Unexpected callable", `unexpected ${node.type} in normalizeMethodCall`);
}
return {
objectName,
methodName
};
},
/**
* Returns functionName or objectName.methodName of an expression
*
* @param {Object} node A callable expression
* @returns {String} A nice name to expression call
*/
getCodeName(node) {
const normalizedMethodCall = this.normalizeMethodCall(node);
let codeName = normalizedMethodCall.methodName;
if (normalizedMethodCall.objectName) {
codeName = `${normalizedMethodCall.objectName}.${codeName}`;
}
return codeName;
},
/**
* Checks to see if a method or function should be called
* If objectMatches isn't present or blank array the code should not be checked
* If we do have object filters and the call is a function then it should not be checked
*
* Checks if there are objectMatches we need to apply
* @param {Object} node Call expression node
* @param {Object} objectMatches Strings that are checked as regex to
* match an object name
* @returns {Boolean} Returns whether to run checks expression
*/
shouldCheckMethodCall(node, objectMatches) {
const normalizedMethodCall = this.normalizeMethodCall(node.callee);
let matched = false;
// Allow methods named "import":
if (normalizedMethodCall.methodName === "import"
&& node.callee && node.callee.type === "MemberExpression") {
return false;
}
// If objectMatches isn't present we should match all
if (!objectMatches) {
return true;
}
// if blank array the code should not be checked, this is a quick way to disable rules
// TODO should we make this match all instead and let the $ruleCheck be false instead?
if (objectMatches.length === 0) {
return false;
}
// If we do have object filters and the call is a function then it should not be checked
if ("objectName" in normalizedMethodCall && normalizedMethodCall.objectName) {
for (const objectMatch of objectMatches) {
const match = new RegExp(objectMatch, "gi");
if (normalizedMethodCall.objectName.match(match)) {
matched = true;
break;
}
}
}
// if we don't have a objectName return false as bare function call
// if we didn't match also return false
return matched;
},
/**
* Algorithm used to decide on merging ruleChecks with this.context
* @param {Object} defaultRuleChecks Object containing default rules
* @returns {Object} The merged ruleChecks
*/
combineRuleChecks(defaultRuleChecks) {
const parentRuleChecks = this.context.options[0] || {};
let childRuleChecks = Object.assign({}, this.context.options[1]);
const ruleCheckOutput = {};
if (!("defaultDisable" in parentRuleChecks)
|| !parentRuleChecks.defaultDisable) {
childRuleChecks = Object.assign({}, defaultRuleChecks, childRuleChecks);
}
// default to variable back tracing enabled.
ruleCheckOutput["variableTracing"] = true;
if ("variableTracing" in parentRuleChecks) {
ruleCheckOutput["variableTracing"] = !!parentRuleChecks["variableTracing"];
}
// If we have defined child rules lets ignore default rules
Object.keys(childRuleChecks).forEach((ruleCheckKey) => {
// However if they have missing keys merge with default
const ruleCheck = Object.assign(
"defaultDisable" in parentRuleChecks ? {} :
{
escape: {
taggedTemplates: ["Sanitizer.escapeHTML", "escapeHTML"],
methods: ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"]
}
},
defaultRuleChecks[ruleCheckKey],
parentRuleChecks,
childRuleChecks[ruleCheckKey]);
ruleCheckOutput[ruleCheckKey] = ruleCheck;
});
return ruleCheckOutput;
},
/**
* Runs the checks against a CallExpression
* @param {Object} node Call expression node
* @returns {undefined} Does not return
*/
checkMethod(node) {
const normalizeMethodCall = this.normalizeMethodCall(node.callee);
const methodName = normalizeMethodCall.methodName;
if (Object.prototype.hasOwnProperty.call(this.ruleChecks, methodName)) {
const ruleCheck = this.ruleChecks[methodName];
if (!Array.isArray(ruleCheck.properties)) {
this.context.report(node, `Method check requires properties array in eslint rule ${methodName}`);
return;
}
ruleCheck.properties.forEach((propertyId) => {
const argument = node.arguments[propertyId];
if (!argument) {
// We bail out if arguments is supplied as a SpreadElement like `...args`
// It would be better if we tried a bit harder. That's #214
return;
}
const details = {};
if (this.shouldCheckMethodCall(node, ruleCheck.objectMatches)
&& !this.allowedExpression(argument, ruleCheck.escape, details)) {
// Include the additional details if available (e.g. name of a disallowed variable
// and the position of the expression that made it disallowed).
if (details.message) {
this.context.report(node, `Unsafe call to ${this.getCodeName(node.callee)} for argument ${propertyId} (${details.message})`);
return;
}
this.context.report(node, `Unsafe call to ${this.getCodeName(node.callee)} for argument ${propertyId}`);
}
});
}
},
/**
* Runs the checks against an assignment expression
* @param {Object} node Assignment expression node
* @returns {undefined} Does not return
*/
checkProperty(node) {
if (Object.prototype.hasOwnProperty.call(this.ruleChecks, node.left.property.name)) {
const ruleCheck = this.ruleChecks[node.left.property.name];
const details = {};
if (!this.allowedExpression(node.right, ruleCheck.escape, details)) {
// Include the additional details if available (e.g. name of a disallowed variable
// and the position of the expression that made it disallowed).
if (details.message) {
this.context.report(node, `Unsafe assignment to ${node.left.property.name} (${details.message})`);
return;
}
this.context.report(node, `Unsafe assignment to ${node.left.property.name}`);
}
}
},
reportUnsupported(node, reason, errorTitle) {
const bugPath = `https://github.com/mozilla/eslint-plugin-no-unsanitized/issues/new?title=${encodeURIComponent(errorTitle)}`;
this.context.report(node, `Error in no-unsanitized: ${reason}. Please report a minimal code snippet to the developers at ${bugPath}`);
}
};
module.exports = RuleHelper;