Nutella Peanut-Butter Marshmallow

    tslint-angular-security

    0.0.5 • Public • Published

    Angular Security Rules for TSLint

    These simple linting rules flag points of interest where a security problem may be present in TypeScript Angular code. These rules are to be used with TSLint.

    Getting Started

    TSLint must be installed locally in the target project. And the project must have tsconfig.json file in the root folder. Install tslint-angular-security from npm.

    cd targetproject
    npm init -y
    npm i tslint typescript
    npm i tslint-angular-security
    ./node_modules/tslint/bin/tslint --init
    

    Configuration

    Configure the target project tslint.json file to include the needed rules from the tslint-angular-security package.

    {
      "rulesDirectory": [
        "node_modules/tslint-angular-security"
      ],
    
      "rules": {
        "flag-local-storage-angular-plugin": true,
        "no-bypass-security": true,
        "no-element-reference": true
      }
    }
    

    See example configuration in tslint_custom_rules.json.

    Running

    In the root of the target project run:

    ./node_modules/.bin/tslint --project tsconfig.json --config tslint.json
    

    Warning: This repository is a work-in-progress. Things may break while we transition this project to open source. This is not an officially supported Synopsys product.

    Rules

    Rule Name Description Vulnerability CWE
    no-bypass-security Flags all calls of Angular Sanitizer functions: bypassSecurityTrustHtml, bypassSecurityTrustStyle, bypassSecurityTrustScript, bypassSecurityTrustUrl, bypassSecurityTrustResourceUrl. Angular does not apply any sanitization on the passed through these functions. Validate that the input to these functions is tainted and that the result it written into a template. CWE-79
    no-element-reference Flags all calls to nativeElement.innerHTML, nativeElement.outerHTML, and nativeElement.querySelector. The nativeElement property of the ElementRef class allows direct access to the DOM element. Validate that tainted data is assigned in these calls or other element manipulations, which can lead to DOM XSS. CWE-79
    flag-local-storage-angular-plugin Flags all calls writing data to localStorage or webStorage for plugins @ngx-pwa/local-storage and angular-webstorage-service. Validate that the data is actually written to localStorage and not sessionStorage, and that the data is sensitive. CWE-922

    Developing

    Feel free to update/add new rules in your local version. After you add/update the .ts, compile them using the TypeScript compiler from the root folder:

    tsc
    

    The compiled JavaScript files will be in the root directory. Copy them to node_modules\tslint-angular-security in the target project and use them.

    Authors

    • Ksenia Peguero, Senior Research Lead @Synopsys

    License

    This software is released by Synopsys under the MIT license.

    Acknowledgments

    Install

    npm i tslint-angular-security

    DownloadsWeekly Downloads

    178

    Version

    0.0.5

    License

    MIT

    Unpacked Size

    18.9 kB

    Total Files

    9

    Last publish

    Collaborators

    • synopsys-sig