Initial commit

Author: bohannon-synopsys

.gitignore

@@ -0,0 +1,28 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+
+# compiled output
+# for this project we do need the compiled version of the rules
+# /dist
+/tmp
+/out-tsc
+
+# dependencies
+/node_modules
+
+# IDE - VSCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+# misc
+npm-debug.log
+
+# e2e
+/e2e/*.js
+/e2e/*.map
+
+# System Files
+.DS_Store
+Thumbs.db

.npmignore

@@ -0,0 +1,6 @@
+/src
+/node_modules
+.gitignore
+package.json
+tsconfig.json
+tslint.json

README.md

@@ -0,0 +1,74 @@
+# Angular Security Rules for TSLint
+
+These simple linting rules flag points of interest where a security problem may be present in TypeScript Angular code. These rules are to be used with [TSLint](https://palantir.github.io/tslint/).
+
+## Getting Started
+
+Use the compiled rules from `\dist\src` with your installation of TSLint. In the project that you plan to scan (target project), go to the `node_modules` folder and create a folder called `tslint-angular-security`.
+```
+git clone -q https://github.com/Synopsys-SIG/tslint-angular-security
+cd targetproject\node_modules && mkdir tslint-angular-security
+```
+
+Copy files from `\dist\src` in this project to the `node_modules\tslint-angular-security` folder in the target project.
+```
+cp tslint-angular-security\dist\src\* targetproject\node_modules\tslint-angular-security
+```
+
+## Configuration
+
+Copy the `tslint_custom_rules.json` configuration file from the root of this project to the root of the target project.
+```
+cp tslint-angular-security\tslint_custom_rules.json targetproject\
+```
+
+Alternatively, modify the `tslint.json` file in the project to include the rules you need from the tslint-angular-security package.
+
+## Prerequisites
+
+TSLint must be installed locally in the target project. And the project must have tsconfig.json file in the root folder.
+```
+cd targetproject
+npm init -y
+npm i tslint typescript
+npm i tslint-microsoft-contrib
+./node_modules/tslint/bin/tslint --init
+```
+
+## Running
+
+In the root of the target project run:
+
+```
+./node_modules/.bin/tslint --project tsconfig.json --config tslint_custom_rules.json
+```
+*Warning: this repository is a work-in-progress. Things may break while we transition this project to open source. This is not an officially supported Synopsys product.*
+
+## Rules
+
+Rule Name   | Description | Vulnerability | CWE
+:---------- | :------------ | -------------|---
+`no-bypass-security` | Flags all calls of Angular Sanitizer functions: bypassSecurityTrustHtml, bypassSecurityTrustStyle, bypassSecurityTrustScript, bypassSecurityTrustUrl, bypassSecurityTrustResourceUrl. Angular does not apply any sanitization on the passed through these functions. | Validate that the input to these functions is tainted and that the result it written into a template.| [CWE-79](https://cwe.mitre.org/data/definitions/79.html)
+`no-element-reference` | Flags all calls to `nativeElement.innerHTML`, `nativeElement.outerHTML`, and `nativeElement.querySelector`. The `nativeElement` property of the ElementRef class allows direct access to the DOM element. | Validate that tainted data is assigned in these calls or other element manipulations, which can lead to DOM XSS.| [CWE-79](https://cwe.mitre.org/data/definitions/79.html)
+`flag-local-storage-angular-plugin` | Flags all calls writing data to localStorage or webStorage for plugins @ngx-pwa/local-storage and angular-webstorage-service. | Validate that the data is actually written to localStorage and not sessionStorage, and that the data is sensitive.| [CWE-922](https://cwe.mitre.org/data/definitions/922.html)
+
+## Developing
+
+Feel free to update/add new rules in your local version. After you update the .ts files in `src`, compile them using the [TypeScript compiler](https://www.npmjs.com/package/typescript) from the root folder:
+
+```
+tsc
+```
+The compiled JavaScript files will be in `dist\src`. Copy them to `node_modules\tslint-angular-security` in the target project and use them there. 
+
+## Authors
+ 
+* **Ksenia Peguero**, Senior Research Lead @Synopsys
+ 
+## License
+ 
+This software is released by Synopsys under the MIT license.
+ 
+## Acknowledgments
+ 
+* Thanks to [Lewis Ardern](https://github.com/LewisArdern/) for inspiration with his security rules for AngularJS https://github.com/LewisArdern/eslint-config-angular-security

dist/src/flagLocalStorageAngularPluginRule.d.ts

@@ -0,0 +1,7 @@
+import * as ts from "typescript";
+import * as Lint from "tslint";
+export declare class Rule extends Lint.Rules.AbstractRule {
+    static FAILURE_STRING: string;
+    static metadata: Lint.IRuleMetadata;
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[];
+}

dist/src/flagLocalStorageAngularPluginRule.js

@@ -0,0 +1,63 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags access to localStorage or web storage when Angular2+ app is used
+* with plugins:
+* - @ngx-pwa/local-storage
+* - angular-webstorage-service
+* Note that angular-webstorage-service is configured at the constuctor to use either
+* LOCAL_STORAGE or SESSION_STORAGE. This rule does not take this into account and
+* may return false positives.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = Object.setPrototypeOf ||
+        ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+        function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new FlagLocalStoragePluginWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING = "Validate that sensitive data is not written to localStorage via plugins ";
+    Rule.metadata = {
+        ruleName: 'flag-local-storage-angular-plugin',
+        type: 'functionality',
+        description: 'Sensitive data stored in localStorage may be leaked to an attacker',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+var FlagLocalStoragePluginWalker = /** @class */ (function (_super) {
+    __extends(FlagLocalStoragePluginWalker, _super);
+    function FlagLocalStoragePluginWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    FlagLocalStoragePluginWalker.prototype.visitPropertyAccessExpression = function (node) {
+        //check for @ngx-pwa/local-storage plugn API
+        if (node.expression.getText() === 'this.localStorage'
+            && node.name.text === 'setItem') {
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        }
+        //check for angular-webstorage-service plugin API
+        if (node.expression.getText() === 'this.storage'
+            && node.name.text === 'set') {
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        }
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return FlagLocalStoragePluginWalker;
+}(Lint.RuleWalker));

dist/src/noBypassSecurityRule.d.ts

@@ -0,0 +1,7 @@
+import * as ts from "typescript";
+import * as Lint from "tslint";
+export declare class Rule extends Lint.Rules.AbstractRule {
+    static FAILURE_STRING: string;
+    static metadata: Lint.IRuleMetadata;
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[];
+}

dist/src/noBypassSecurityRule.js

@@ -0,0 +1,56 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags any call to Angular APIs bypassSecurityTrust*, which
+* when called on tainted data may result in untrusted data written into the DOM
+* which may lead to XSS.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = Object.setPrototypeOf ||
+        ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+        function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new NoBypassSecurityWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING = "Untrusted data sent to bypassSecurityTrust* methods may result in XSS";
+    Rule.metadata = {
+        ruleName: 'no-bypass-security',
+        type: 'functionality',
+        description: 'Angular bypassSecurityTrust* methods may lead to XSS and other attacks',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+var NoBypassSecurityWalker = /** @class */ (function (_super) {
+    __extends(NoBypassSecurityWalker, _super);
+    function NoBypassSecurityWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    NoBypassSecurityWalker.prototype.visitPropertyAccessExpression = function (node) {
+        if (node.name.text === 'bypassSecurityTrustHtml'
+            || node.name.text === 'bypassSecurityTrustStyle'
+            || node.name.text === 'bypassSecurityTrustScript'
+            || node.name.text === 'bypassSecurityTrustUrl'
+            || node.name.text === 'bypassSecurityTrustResourceUrl')
+            // create a failure at the current position
+            this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return NoBypassSecurityWalker;
+}(Lint.RuleWalker));

dist/src/noElementReferenceRule.d.ts

@@ -0,0 +1,9 @@
+import * as ts from "typescript";
+import * as Lint from "tslint";
+export declare class Rule extends Lint.Rules.AbstractRule {
+    static FAILURE_STRING_INNER: string;
+    static FAILURE_STRING_OUTER: string;
+    static FAILURE_STRING_QUERY: string;
+    static metadata: Lint.IRuleMetadata;
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[];
+}

dist/src/noElementReferenceRule.js

@@ -0,0 +1,63 @@
+"use strict";
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags any references to nativeElement, when DOM-modifying attributes or functions,
+* such as innerHTML, outerHTML, querySelector are called on it. The nativeElement property
+* allows access to the underlying DOM element.
+*/
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = Object.setPrototypeOf ||
+        ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+        function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+var Lint = require("tslint");
+var Rule = /** @class */ (function (_super) {
+    __extends(Rule, _super);
+    function Rule() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    Rule.prototype.apply = function (sourceFile) {
+        return this.applyWithWalker(new NoElementReferenceWalker(sourceFile, this.getOptions()));
+    };
+    Rule.FAILURE_STRING_INNER = "Forbid writing innerHTML directly through element reference";
+    Rule.FAILURE_STRING_OUTER = "Forbid writing outerHTML directly through element reference";
+    Rule.FAILURE_STRING_QUERY = "Validate no tainted data is written to the element accessed directly through querySelector";
+    Rule.metadata = {
+        ruleName: 'no-element-reference',
+        type: 'functionality',
+        description: 'Directly manipulating innerHTML or outerHTML of the DOM element may lead to XSS',
+        options: null,
+        optionsDescription: '',
+        typescriptOnly: true,
+    };
+    return Rule;
+}(Lint.Rules.AbstractRule));
+exports.Rule = Rule;
+// The walker takes care of all the work.
+var NoElementReferenceWalker = /** @class */ (function (_super) {
+    __extends(NoElementReferenceWalker, _super);
+    function NoElementReferenceWalker() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    NoElementReferenceWalker.prototype.visitPropertyAccessExpression = function (node) {
+        if (node.getText().includes('nativeElement')) {
+            if (node.name.text === 'innerHTML') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_INNER);
+            }
+            else if (node.name.text === 'outerHTML') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_OUTER);
+            }
+            else if (node.name.text === 'querySelector') {
+                this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING_QUERY);
+            }
+        }
+        // call the base version of this visitor to actually parse this node
+        _super.prototype.visitPropertyAccessExpression.call(this, node);
+    };
+    return NoElementReferenceWalker;
+}(Lint.RuleWalker));

package.json

@@ -0,0 +1,24 @@
+{
+  "name": "tslint-angular-security",
+  "description": "Angular security rules for TSLint",
+  "version": "0.0.1",
+  "dependencies": {
+    "tslint": "^5.10.0"
+  },
+  "devDependencies": {
+    "typescript": "^2.9.2"
+  },
+  "scripts" : {
+    "build" : "tsc",
+
+    "prepare" : "npm run build",
+    "version" : "git add -A src",
+    "postversion" : "git push && git push --tags"
+  } ,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/synopsys-SIG/tslint-angular-security.git"
+  },
+  "keywords": ["TSLint", "Angular", "Security", "TypeScript"],
+  "author": "Ksenia Peguero"
+}

src/flagLocalStorageAngularPluginRule.ts

@@ -0,0 +1,51 @@
+// Copyright (c) 2018 Synopsys, Inc. All rights reserved worldwide.
+/* The rule flags access to localStorage or web storage when Angular2+ app is used
+* with plugins:
+* - @ngx-pwa/local-storage
+* - angular-webstorage-service
+* Note that angular-webstorage-service is configured at the constuctor to use either
+* LOCAL_STORAGE or SESSION_STORAGE. This rule does not take this into account and
+* may return false positives.
+*/
+
+
+import * as ts from "typescript";
+import * as Lint from "tslint";
+
+export class Rule extends Lint.Rules.AbstractRule {
+
+    public static FAILURE_STRING = "Validate that sensitive data is not written to localStorage via plugins ";
+
+    public static metadata: Lint.IRuleMetadata = {
+            ruleName: 'flag-local-storage-angular-plugin',
+            type: 'functionality',
+            description: 'Sensitive data stored in localStorage may be leaked to an attacker',
+            options: null,
+            optionsDescription: '',
+            typescriptOnly: true,
+        };
+
+    public apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
+        return this.applyWithWalker(new FlagLocalStoragePluginWalker(sourceFile, this.getOptions()));
+    }
+}
+
+class FlagLocalStoragePluginWalker extends Lint.RuleWalker {
+
+    public visitPropertyAccessExpression(node: ts.PropertyAccessExpression): void {
+
+      //check for @ngx-pwa/local-storage plugn API
+      if (node.expression.getText() === 'this.localStorage'
+        && node.name.text === 'setItem') {
+        this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+      }
+
+      //check for angular-webstorage-service plugin API
+      if (node.expression.getText() === 'this.storage'
+        && node.name.text === 'set') {
+        this.addFailureAt(node.getStart(), node.getWidth(), Rule.FAILURE_STRING);
+      }
+      // call the base version of this visitor to actually parse this node
+      super.visitPropertyAccessExpression(node);
+    }
+}