structure cleanup

Author: Ksenia Peguero

.gitignore

@@ -1,10 +1,8 @@
 # See http://help.github.com/ignore-files/ for more about ignoring files.
 
 # compiled output
-# for this project we do need the compiled version of the rules
-# /dist
-/tmp
-/rules
+# for this project we do not need the compiled version of the rules
+.js
 
 # dependencies
 /node_modules

.npmignore

@@ -1,6 +1,5 @@
-/src
 /node_modules
 .gitignore
 package.json
 tsconfig.json
-tslint.json
+tslint.json

flagLocalStorageAngularPluginRule.js

@@ -0,0 +1,66 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags access to localStorage or web storage when Angular2+ app is used
+* with plugins:
+* - @ngx-pwa/local-storage
+* - angular-webstorage-service
+* Note that angular-webstorage-service is configured at the constuctor to use either
+* LOCAL_STORAGE or SESSION_STORAGE. This rule does not take this into account and
+* may return false positives.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    }
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new FlagLocalStoragePluginWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING = "Validate that sensitive data is not written to localStorage via plugins ";
+    Rule.metadata = {
+        ruleName: 'flag-local-storage-angular-plugin',
+        type: 'functionality',
+        description: 'Sensitive data stored in localStorage may be leaked to an attacker',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+var FlagLocalStoragePluginWalker = /** @class */ (function (_super) {
+    __extends(FlagLocalStoragePluginWalker, _super);
+    function FlagLocalStoragePluginWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    FlagLocalStoragePluginWalker.prototype.visitPropertyAccessExpression = function (node) {
+        //check for @ngx-pwa/local-storage plugn API
+        if (node.expression.getText() === 'this.localStorage'
+            && node.name.text === 'setItem') {
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        }
+        //check for angular-webstorage-service plugin API
+        if (node.expression.getText() === 'this.storage'
+            && node.name.text === 'set') {
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        }
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return FlagLocalStoragePluginWalker;
+}(Lint.RuleWalker));

src/flagLocalStorageAngularPluginRule.ts renamed to flagLocalStorageAngularPluginRule.ts

@@ -0,0 +1,59 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags any call to Angular APIs bypassSecurityTrust*, which
+* when called on tainted data may result in untrusted data written into the DOM
+* which may lead to XSS.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    }
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new NoBypassSecurityWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING = "Untrusted data sent to bypassSecurityTrust* methods may result in XSS";
+    Rule.metadata = {
+        ruleName: 'no-bypass-security',
+        type: 'functionality',
+        description: 'Angular bypassSecurityTrust* methods may lead to XSS and other attacks',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+var NoBypassSecurityWalker = /** @class */ (function (_super) {
+    __extends(NoBypassSecurityWalker, _super);
+    function NoBypassSecurityWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    NoBypassSecurityWalker.prototype.visitPropertyAccessExpression = function (node) {
+        if (node.name.text === 'bypassSecurityTrustHtml'
+            || node.name.text === 'bypassSecurityTrustStyle'
+            || node.name.text === 'bypassSecurityTrustScript'
+            || node.name.text === 'bypassSecurityTrustUrl'
+            || node.name.text === 'bypassSecurityTrustResourceUrl')
+            // create a failure at the current position
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return NoBypassSecurityWalker;
+}(Lint.RuleWalker));

index.js

@@ -0,0 +1,66 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags any references to nativeElement, when DOM-modifying attributes or functions,
+* such as innerHTML, outerHTML, querySelector are called on it. The nativeElement property
+* allows access to the underlying DOM element.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    }
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new NoElementReferenceWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING_INNER = "Forbid writing innerHTML directly through element reference";
+    Rule.FAILURE_STRING_OUTER = "Forbid writing outerHTML directly through element reference";
+    Rule.FAILURE_STRING_QUERY = "Validate no tainted data is written to the element accessed directly through querySelector";
+    Rule.metadata = {
+        ruleName: 'no-element-reference',
+        type: 'functionality',
+        description: 'Directly manipulating innerHTML or outerHTML of the DOM element may lead to XSS',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+// The walker takes care of all the work.
+var NoElementReferenceWalker = /** @class */ (function (_super) {
+    __extends(NoElementReferenceWalker, _super);
+    function NoElementReferenceWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    NoElementReferenceWalker.prototype.visitPropertyAccessExpression = function (node) {
+        if (node.getText().includes('nativeElement')) {
+            if (node.name.text === 'innerHTML') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_INNER);
+            }
+            else if (node.name.text === 'outerHTML') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_OUTER);
+            }
+            else if (node.name.text === 'querySelector') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_QUERY);
+            }
+        }
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return NoElementReferenceWalker;
+}(Lint.RuleWalker));

noBypassSecurityRule.js

@@ -1,9 +1,7 @@
 {
   "compileOnSave": false,
   "compilerOptions": {
-    "outDir": "./rules",
     "sourceMap": false,
-    "declaration": true,
     "target": "es5",
     "skipLibCheck": true,
     "lib": [
@@ -12,6 +10,6 @@
     ]
   },
   "include": [
-        "src"
+        "."
    ]
  }