diff --git a/.gitignore b/.gitignore index 140aed39fc014..43dc8355e072f 100644 --- a/.gitignore +++ b/.gitignore @@ -52,3 +52,6 @@ baseline.json # Husky .husky/_ + +# tsec +.tsec diff --git a/.pullapprove.yml b/.pullapprove.yml index 25cfd6b1db040..15a63e1bd3c87 100644 --- a/.pullapprove.yml +++ b/.pullapprove.yml @@ -731,9 +731,13 @@ groups: 'packages/core/test/linker/security_integration_spec.ts', 'packages/compiler/src/schema/**', 'packages/platform-browser/src/security/**', + 'packages/tsconfig-tsec.json', + 'packages/tsconfig-tsec-base.json', + 'packages/**/tsconfig-tsec.json', + 'packages/tsec-exemption.json' 'aio/content/guide/security.md', 'aio/content/examples/security/**', - 'aio/content/images/guide/security/**' + 'aio/content/images/guide/security/**', ]) reviewers: users: diff --git a/package.json b/package.json index 8f054d144593e..76e6f734043ae 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,8 @@ "symbol-extractor:update": "node tools/symbol-extractor/run_all_symbols_extractor_tests.js accept", "ts-circular-deps:check": "yarn -s ng-dev ts-circular-deps check --config ./packages/circular-deps-test.conf.js", "ts-circular-deps:approve": "yarn -s ng-dev ts-circular-deps approve --config ./packages/circular-deps-test.conf.js", - "check-tooling-setup": "yarn tsc --project .ng-dev/tsconfig.json" + "check-tooling-setup": "yarn tsc --project .ng-dev/tsconfig.json", + "tsec:packages": "yarn tsec -b packages/tsconfig-tsec.json" }, "// 1": "dependencies are used locally and by bazel", "dependencies": { @@ -180,6 +181,7 @@ "sauce-connect": "https://saucelabs.com/downloads/sc-4.6.2-linux.tar.gz", "semver": "^7.3.5", "ts-node": "^10.0.0", + "tsec": "0.1.7", "tslint-eslint-rules": "5.4.0", "tslint-no-toplevel-property-access": "0.0.2", "typed-graphqlify": "^3.1.1", diff --git a/packages/animations/browser/tsconfig-tsec.json b/packages/animations/browser/tsconfig-tsec.json new file mode 100644 index 0000000000000..65f9e28b17e5e --- /dev/null 
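Review bot: In the `.pullapprove.yml` hunk the added entry `'packages/tsec-exemption.json'` has no trailing comma, so it is followed directly by `'aio/content/guide/security.md',`. If PullApprove evaluates this condition with Python-style literal rules (inferred, not shown here), the two adjacent strings merge into a single glob that matches neither file. That would drop both the tsec exemption list and the security guide from this group's required review. Add the comma: `'packages/tsec-exemption.json',`. The group definition starts and ends outside the hunk.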
+++ b/packages/animations/browser/tsconfig-tsec.json
@@ -0,0 +1,20 @@
+/** For building //packages/animations/browser. */
+{
+ "extends": "../../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../../core"],
+ "@angular/animations": ["../"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../../core/tsconfig-tsec.json"},
+ {"path": "../tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/animations/tsconfig-tsec.json b/packages/animations/tsconfig-tsec.json
new file mode 100644
index 0000000000000..d43c2ca84443b
--- /dev/null
+++ b/packages/animations/tsconfig-tsec.json
@@ -0,0 +1,18 @@
+/** For building //packages/animations. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../core"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../core/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/common/http/tsconfig-tsec.json b/packages/common/http/tsconfig-tsec.json
new file mode 100644
index 0000000000000..e0dc44681a1c6
--- /dev/null
+++ b/packages/common/http/tsconfig-tsec.json
@@ -0,0 +1,20 @@
+/** For building //packages/common/http. */
+{
+ "extends": "../../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../../core"],
+ "@angular/common": [".."]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../../core/tsconfig-tsec.json"},
+ {"path": "../tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/common/tsconfig-tsec.json b/packages/common/tsconfig-tsec.json
new file mode 100644
index 0000000000000..8f96fb839c16c
--- /dev/null
+++ b/packages/common/tsconfig-tsec.json
@@ -0,0 +1,18 @@
+/** For building //packages/common. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../core"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../core/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/compiler/tsconfig-tsec.json b/packages/compiler/tsconfig-tsec.json
new file mode 100644
index 0000000000000..6f67a1b9bd8e6
--- /dev/null
+++ b/packages/compiler/tsconfig-tsec.json
@@ -0,0 +1,11 @@
+/** For building //packages/compiler. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "outDir": ".tsec"
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ]
+}
diff --git a/packages/core/tsconfig-tsec.json b/packages/core/tsconfig-tsec.json
new file mode 100644
index 0000000000000..aab35fef5f9f0
--- /dev/null
+++ b/packages/core/tsconfig-tsec.json
@@ -0,0 +1,15 @@
+/** For building //packages/core. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "outDir": ".tsec"
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts",
+ "../*.d.ts"
+ ],
+ "references": [
+ {"path": "../zone.js/lib/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/platform-browser-dynamic/tsconfig-tsec.json b/packages/platform-browser-dynamic/tsconfig-tsec.json
new file mode 100644
index 0000000000000..5a2fa5fdba811
--- /dev/null
+++ b/packages/platform-browser-dynamic/tsconfig-tsec.json
@@ -0,0 +1,25 @@
+/** For building //packages/platform-browser-dynamic. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../core"],
+ "@angular/common": ["../common"],
+ "@angular/compiler": ["../compiler"],
+ "@angular/platform-browser": ["../platform-browser"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts",
+ "../*.d.ts"
+ ],
+ "references": [
+ {"path": "../core/tsconfig-tsec.json"},
+ {"path": "../common/tsconfig-tsec.json"},
+ {"path": "../compiler/tsconfig-tsec.json"},
+ {"path": "../platform-browser/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/platform-browser/animations/tsconfig-tsec.json b/packages/platform-browser/animations/tsconfig-tsec.json
new file mode 100644
index 0000000000000..e55934d259736
--- /dev/null
+++ b/packages/platform-browser/animations/tsconfig-tsec.json
@@ -0,0 +1,26 @@
+/** For building //packages/platform-browser/animations. */
+{
+ "extends": "../../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../../core"],
+ "@angular/common": ["../../common"],
+ "@angular/platform-browser": ["../"],
+ "@angular/animations": ["../../animations"],
+ "@angular/animations/browser": ["../../animations/browser"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../../core/tsconfig-tsec.json"},
+ {"path": "../../common/tsconfig-tsec.json"},
+ {"path": "../tsconfig-tsec.json"},
+ {"path": "../../animations/tsconfig-tsec.json"},
+ {"path": "../../animations/browser/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/platform-browser/tsconfig-tsec.json b/packages/platform-browser/tsconfig-tsec.json
new file mode 100644
index 0000000000000..2912fcce184ea
--- /dev/null
+++ b/packages/platform-browser/tsconfig-tsec.json
@@ -0,0 +1,22 @@
+/** For building //packages/platform-browser. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../core"],
+ "@angular/common": ["../common"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts",
+ "../*.d.ts"
+ ],
+ "references": [
+ {"path": "../core/tsconfig-tsec.json"},
+ {"path": "../common/tsconfig-tsec.json"},
+ {"path": "../zone.js/lib/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/platform-server/tsconfig-tsec.json b/packages/platform-server/tsconfig-tsec.json
new file mode 100644
index 0000000000000..b231f88e09df1
--- /dev/null
+++ b/packages/platform-server/tsconfig-tsec.json
@@ -0,0 +1,33 @@
+/** For building //packages/platform-server. */
+{
+ "extends": "../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "baseUrl": ".",
+ "outDir": ".tsec",
+ "paths": {
+ "@angular/core": ["../core"],
+ "@angular/common": ["../common"],
+ "@angular/common/http": ["../common/http"],
+ "@angular/compiler": ["../compiler"],
+ "@angular/platform-browser": ["../platform-browser"],
+ "@angular/platform-browser/animations": ["../platform-browser/animations"],
+ "@angular/platform-browser-dynamic": ["../platform-browser-dynamic"],
+ "@angular/animations/browser": ["../animations/browser"]
+ }
+ },
+ "include": [
+ "*.ts",
+ "src/**/*.ts"
+ ],
+ "references": [
+ {"path": "../core/tsconfig-tsec.json"},
+ {"path": "../common/tsconfig-tsec.json"},
+ {"path": "../common/http/tsconfig-tsec.json"},
+ {"path": "../compiler/tsconfig-tsec.json"},
+ {"path": "../platform-browser/tsconfig-tsec.json"},
+ {"path": "../platform-browser/animations/tsconfig-tsec.json"},
+ {"path": "../platform-browser-dynamic/tsconfig-tsec.json"},
+ {"path": "../zone.js/lib/tsconfig-tsec.json"},
+ {"path": "../animations/browser/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/tsconfig-tsec-base.json b/packages/tsconfig-tsec-base.json
new file mode 100644
index 0000000000000..c774e37bfe36c
--- /dev/null
+++ b/packages/tsconfig-tsec-base.json
@@ -0,0 +1,10 @@
+/** Root tsconfig file for checking Angular packages with tsec. */
+{
+ "extends": "./tsconfig-build.json",
+ "compilerOptions": {
+ "composite": true,
+ "emitDeclarationOnly": true,
+ "lib": ["es2017", "dom"],
+ "plugins": [{"name": "tsec", "exemptionConfig": "./tsec-exemption.json"}]
+ }
+}
diff --git a/packages/tsconfig-tsec.json b/packages/tsconfig-tsec.json
new file mode 100644
index 0000000000000..dd177800777f5
--- /dev/null
+++ b/packages/tsconfig-tsec.json
@@ -0,0 +1,10 @@
+/** Main config for building all packages that need to be checked by tsec. */
+{
+ "extends": "./tsconfig-tsec-base.json",
+ "include": [],
+ "references": [
+ {"path": "core/tsconfig-tsec.json"},
+ {"path": "platform-browser/tsconfig-tsec.json"},
+ {"path": "platform-server/tsconfig-tsec.json"}
+ ]
+}
diff --git a/packages/tsec-exemption.json b/packages/tsec-exemption.json
new file mode 100644
index 0000000000000..8bbaaf0d4ed44
--- /dev/null
+++ b/packages/tsec-exemption.json
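Review bot: `packages/tsconfig-tsec.json` lists only `core`, `platform-browser` and `platform-server` as references, so the tsec build covers those projects plus whatever they reference transitively. Any package outside that graph is not checked, and the header comment does not say how "need to be checked" was decided. I would extend the comment to state this, for example `/** Main config for building all packages that need to be checked by tsec. Packages not reachable from the references below are not checked. */`, and name the selection criterion, so a missing package reads as a decision rather than an oversight.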
@@ -0,0 +1,35 @@
+/**
+ * The central exemption list of existing tsec violations. Modifications to
+ * this list should be carefully reviewed by a security expert.
+ */
+{
+ "ban-trustedtypes-createpolicy": [
+ "core/src/util/security/trusted_types_bypass.ts",
+ "core/src/util/security/trusted_types.ts",
+ "compiler/src/output/output_jit_trusted_types.ts"
+ ],
+ "ban-element-innerhtml-assignments": [
+ "core/src/sanitization/inert_body.ts"
+ ],
+ "ban-element-setattribute": [
+ "platform-browser/src/browser/meta.ts"
+ ],
+ "ban-domparser-parsefromstring": [
+ "core/src/sanitization/inert_body.ts"
+ ],
+ "ban-script-content-assignments": [
+ "platform-server/src/transfer_state.ts"
+ ],
+ "ban-function-calls": [
+ "core/src/interface/type.ts",
+ "core/src/reflection/reflection_capabilities.ts",
+ "core/src/util/security/trusted_types.ts",
+ "core/src/render3/instructions/listener.ts",
+ "compiler/src/core.ts",
+ "compiler/src/output/output_jit_trusted_types.ts",
+ "platform-server/src/server_renderer.ts"
+ ],
+ "ban-window-stringfunctiondef": [
+ "core/src/render3/util/misc_utils.ts"
+ ]
+}
diff --git a/packages/zone.js/lib/tsconfig-tsec.json b/packages/zone.js/lib/tsconfig-tsec.json
new file mode 100644
index 0000000000000..7596e9c3cfdd2
--- /dev/null
+++ b/packages/zone.js/lib/tsconfig-tsec.json
@@ -0,0 +1,9 @@
+/* For building //packages/zone.js/lib:zone_d_ts. */
+{
+ "extends": "../../tsconfig-tsec-base.json",
+ "compilerOptions": {
+ "outFile": ".tsec/zone.d.ts",
+ "types": ["node"]
+ },
+ "files": ["zone.ts"]
+}
diff --git a/yarn.lock b/yarn.lock
index 0c618d93c3af1..0115cd689818d 100644
--- a/yarn.lock
+++ b/yarn.lock
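Review bot: Every entry in `packages/tsec-exemption.json` exempts a whole file from a rule (seven files under `ban-function-calls` alone), so any later use of the same banned API in a listed file passes the check unnoticed. The header asks for security review of changes to the list, but what matters afterwards is review of changes to the exempted files themselves. The `.pullapprove.yml` hunk in this commit shows only a few globs of that group, so whether files such as `core/src/render3/instructions/listener.ts` fall under it cannot be seen here and should be confirmed. I would also record in the header comment why each file is exempt (the file already opens with a comment block, so the loader presumably accepts comments), so an entry can be removed once its reason no longer holds.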
@@ -9049,7 +9049,7 @@ minimalistic-assert@^1.0.0: resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7" integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A== -minimatch@3.0.4, minimatch@^3.0.4: +minimatch@3.0.4, minimatch@^3.0.3, minimatch@^3.0.4: version "3.0.4" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== @@ -13270,6 +13270,14 @@ ts-node@^10.0.0: make-error "^1.1.1" yn "3.1.1" +tsec@0.1.7: + version "0.1.7" + resolved "https://registry.yarnpkg.com/tsec/-/tsec-0.1.7.tgz#db217a1c7a47e2c0bca07aa9cd7ae28863343b22" + integrity sha512-hS8VPL8RX1jPvF8dPNvgZe9j0zE7L8Lj9pPuBYDoYaXDhGtXSfCY1Qn0vKTl7TaohXnnlnvlaNtvlMjubnX0CA== + dependencies: + glob "^7.1.1" + minimatch "^3.0.3" + tsickle@0.38.1: version "0.38.1" resolved "https://registry.yarnpkg.com/tsickle/-/tsickle-0.38.1.tgz#30762db759d40c435943093b6972c7f2efb384ef"