build: Enable tsec checks for critical packages. (angular#43108)

tsec is a static analyzer that discovers Trusted Types violations.
Deploy tsec to make sure there will be no TT regression in several
critical packages, including core, platform-browser, platform-server
and their dependencies. Existing violations have been reviewed and
exempted in packages/tsec-exemption.json. Future changes to the
exemption list requires security review.

PR Close angular#43108

.gitignore

@@ -52,3 +52,6 @@ baseline.json
 
 # Husky
 .husky/_
+
+# tsec
+.tsec

.pullapprove.yml

@@ -731,9 +731,13 @@ groups:
           'packages/core/test/linker/security_integration_spec.ts',
           'packages/compiler/src/schema/**',
           'packages/platform-browser/src/security/**',
+          'packages/tsconfig-tsec.json',
+          'packages/tsconfig-tsec-base.json',
+          'packages/**/tsconfig-tsec.json',
+          'packages/tsec-exemption.json'
           'aio/content/guide/security.md',
           'aio/content/examples/security/**',
-          'aio/content/images/guide/security/**'
+          'aio/content/images/guide/security/**',
           ])
     reviewers:
       users:

package.json

@@ -36,7 +36,8 @@
     "symbol-extractor:update": "node tools/symbol-extractor/run_all_symbols_extractor_tests.js accept",
     "ts-circular-deps:check": "yarn -s ng-dev ts-circular-deps check --config ./packages/circular-deps-test.conf.js",
     "ts-circular-deps:approve": "yarn -s ng-dev ts-circular-deps approve --config ./packages/circular-deps-test.conf.js",
-    "check-tooling-setup": "yarn tsc --project .ng-dev/tsconfig.json"
+    "check-tooling-setup": "yarn tsc --project .ng-dev/tsconfig.json",
+    "tsec:packages": "yarn tsec -b packages/tsconfig-tsec.json"
   },
   "// 1": "dependencies are used locally and by bazel",
   "dependencies": {
@@ -180,6 +181,7 @@
     "sauce-connect": "https://saucelabs.com/downloads/sc-4.6.2-linux.tar.gz",
     "semver": "^7.3.5",
     "ts-node": "^10.0.0",
+    "tsec": "0.1.7",
     "tslint-eslint-rules": "5.4.0",
     "tslint-no-toplevel-property-access": "0.0.2",
     "typed-graphqlify": "^3.1.1",

packages/animations/browser/tsconfig-tsec.json

@@ -0,0 +1,20 @@
+/** For building //packages/animations/browser. */
+{
+  "extends": "../../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../../core"],
+      "@angular/animations": ["../"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../../core/tsconfig-tsec.json"},
+    {"path": "../tsconfig-tsec.json"}
+  ]
+}

packages/animations/tsconfig-tsec.json

@@ -0,0 +1,18 @@
+/** For building //packages/animations. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../core"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../core/tsconfig-tsec.json"}
+  ]
+}

packages/common/http/tsconfig-tsec.json

@@ -0,0 +1,20 @@
+/** For building //packages/common/http. */
+{
+  "extends": "../../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../../core"],
+      "@angular/common": [".."]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../../core/tsconfig-tsec.json"},
+    {"path": "../tsconfig-tsec.json"}
+  ]
+}

packages/common/tsconfig-tsec.json

@@ -0,0 +1,18 @@
+/** For building //packages/common. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../core"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../core/tsconfig-tsec.json"}
+  ]
+}

packages/compiler/tsconfig-tsec.json

@@ -0,0 +1,11 @@
+/** For building //packages/compiler. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "outDir": ".tsec"
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ]
+}

packages/core/tsconfig-tsec.json

@@ -0,0 +1,15 @@
+/** For building //packages/core. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "outDir": ".tsec"
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts",
+    "../*.d.ts"
+  ],
+  "references": [
+    {"path": "../zone.js/lib/tsconfig-tsec.json"}
+  ]
+}

packages/platform-browser-dynamic/tsconfig-tsec.json

@@ -0,0 +1,25 @@
+/** For building //packages/platform-browser-dynamic. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../core"],
+      "@angular/common": ["../common"],
+      "@angular/compiler": ["../compiler"],
+      "@angular/platform-browser": ["../platform-browser"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts",
+    "../*.d.ts"
+  ],
+  "references": [
+    {"path": "../core/tsconfig-tsec.json"},
+    {"path": "../common/tsconfig-tsec.json"},
+    {"path": "../compiler/tsconfig-tsec.json"},
+    {"path": "../platform-browser/tsconfig-tsec.json"}
+  ]
+}

packages/platform-browser/animations/tsconfig-tsec.json

@@ -0,0 +1,26 @@
+/** For building //packages/platform-browser/animations. */
+{
+  "extends": "../../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../../core"],
+      "@angular/common": ["../../common"],
+      "@angular/platform-browser": ["../"],
+      "@angular/animations": ["../../animations"],
+      "@angular/animations/browser": ["../../animations/browser"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../../core/tsconfig-tsec.json"},
+    {"path": "../../common/tsconfig-tsec.json"},
+    {"path": "../tsconfig-tsec.json"},
+    {"path": "../../animations/tsconfig-tsec.json"},
+    {"path": "../../animations/browser/tsconfig-tsec.json"}
+  ]
+}

packages/platform-browser/tsconfig-tsec.json

@@ -0,0 +1,22 @@
+/** For building //packages/platform-browser. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../core"],
+      "@angular/common": ["../common"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts",
+    "../*.d.ts"
+  ],
+  "references": [
+    {"path": "../core/tsconfig-tsec.json"},
+    {"path": "../common/tsconfig-tsec.json"},
+    {"path": "../zone.js/lib/tsconfig-tsec.json"}
+  ]
+}

packages/platform-server/tsconfig-tsec.json

@@ -0,0 +1,33 @@
+/** For building //packages/platform-server. */
+{
+  "extends": "../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": ".tsec",
+    "paths": {
+      "@angular/core": ["../core"],
+      "@angular/common": ["../common"],
+      "@angular/common/http": ["../common/http"],
+      "@angular/compiler": ["../compiler"],
+      "@angular/platform-browser": ["../platform-browser"],
+      "@angular/platform-browser/animations": ["../platform-browser/animations"],
+      "@angular/platform-browser-dynamic": ["../platform-browser-dynamic"],
+      "@angular/animations/browser": ["../animations/browser"]
+    }
+  },
+  "include": [
+    "*.ts",
+    "src/**/*.ts"
+  ],
+  "references": [
+    {"path": "../core/tsconfig-tsec.json"},
+    {"path": "../common/tsconfig-tsec.json"},
+    {"path": "../common/http/tsconfig-tsec.json"},
+    {"path": "../compiler/tsconfig-tsec.json"},
+    {"path": "../platform-browser/tsconfig-tsec.json"},
+    {"path": "../platform-browser/animations/tsconfig-tsec.json"},
+    {"path": "../platform-browser-dynamic/tsconfig-tsec.json"},
+    {"path": "../zone.js/lib/tsconfig-tsec.json"},
+    {"path": "../animations/browser/tsconfig-tsec.json"}
+  ]
+}

packages/tsconfig-tsec-base.json

@@ -0,0 +1,10 @@
+/** Root tsconfig file for checking Angular packages with tsec. */
+{
+  "extends": "./tsconfig-build.json",
+  "compilerOptions": {
+    "composite": true,
+    "emitDeclarationOnly": true,
+    "lib": ["es2017", "dom"],
+    "plugins": [{"name": "tsec", "exemptionConfig": "./tsec-exemption.json"}]
+  }
+}

packages/tsconfig-tsec.json

@@ -0,0 +1,10 @@
+/** Main config for building all packages that need to be checked by tsec. */
+{
+  "extends": "./tsconfig-tsec-base.json",
+  "include": [],
+  "references": [
+    {"path": "core/tsconfig-tsec.json"},
+    {"path": "platform-browser/tsconfig-tsec.json"},
+    {"path": "platform-server/tsconfig-tsec.json"}
+  ]
+}

packages/tsec-exemption.json

@@ -0,0 +1,35 @@
+/**
+ * The central exemption list of existing tsec violations. Modifications to
+ * this list should be carefully reviewed by a security expert.
+ */
+{
+  "ban-trustedtypes-createpolicy": [
+    "core/src/util/security/trusted_types_bypass.ts",
+    "core/src/util/security/trusted_types.ts",
+    "compiler/src/output/output_jit_trusted_types.ts"
+  ],
+  "ban-element-innerhtml-assignments": [
+    "core/src/sanitization/inert_body.ts"
+  ],
+  "ban-element-setattribute": [
+    "platform-browser/src/browser/meta.ts"
+  ],
+  "ban-domparser-parsefromstring": [
+    "core/src/sanitization/inert_body.ts"
+  ],
+  "ban-script-content-assignments": [
+    "platform-server/src/transfer_state.ts"
+  ],
+  "ban-function-calls": [
+    "core/src/interface/type.ts",
+    "core/src/reflection/reflection_capabilities.ts",
+    "core/src/util/security/trusted_types.ts",
+    "core/src/render3/instructions/listener.ts",
+    "compiler/src/core.ts",
+    "compiler/src/output/output_jit_trusted_types.ts",
+    "platform-server/src/server_renderer.ts"
+  ],
+  "ban-window-stringfunctiondef": [
+    "core/src/render3/util/misc_utils.ts"
+  ]
+}

packages/zone.js/lib/tsconfig-tsec.json

@@ -0,0 +1,9 @@
+/* For building //packages/zone.js/lib:zone_d_ts. */
+{
+  "extends": "../../tsconfig-tsec-base.json",
+  "compilerOptions": {
+    "outFile": ".tsec/zone.d.ts",
+    "types": ["node"]
+  },
+  "files": ["zone.ts"]
+}

yarn.lock

@@ -9049,7 +9049,7 @@ minimalistic-assert@^1.0.0:
   resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
 
-minimatch@3.0.4, minimatch@^3.0.4:
+minimatch@3.0.4, minimatch@^3.0.3, minimatch@^3.0.4:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
   integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
@@ -13270,6 +13270,14 @@ ts-node@^10.0.0:
     make-error "^1.1.1"
     yn "3.1.1"
 
+tsec@0.1.7:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/tsec/-/tsec-0.1.7.tgz#db217a1c7a47e2c0bca07aa9cd7ae28863343b22"
+  integrity sha512-hS8VPL8RX1jPvF8dPNvgZe9j0zE7L8Lj9pPuBYDoYaXDhGtXSfCY1Qn0vKTl7TaohXnnlnvlaNtvlMjubnX0CA==
+  dependencies:
+    glob "^7.1.1"
+    minimatch "^3.0.3"
+
 tsickle@0.38.1:
   version "0.38.1"
   resolved "https://registry.yarnpkg.com/tsickle/-/tsickle-0.38.1.tgz#30762db759d40c435943093b6972c7f2efb384ef"