[feat] added metadata for the each rule (#17)

webschik · webschik · commit 29f61fbbcd87 · 2019-04-13T12:47:41.000+02:00
diff --git a/README.md b/README.md
@@ -80,7 +80,7 @@ Examples: [test/rules/tsr-disable-mustache-escape/default/test.ts.lint](test/rul
 
 #### `tsr-detect-eval-with-expression`
 
-Detects `eval(variable)` which can allow an attacker to run arbitary code inside your process.
+Detects `eval(variable)` which can allow an attacker to run arbitrary code inside your process.
 
 More information: http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript
 
diff --git a/src/rules/tsrDetectBufferNoassertRule.ts b/src/rules/tsrDetectBufferNoassertRule.ts
@@ -36,6 +36,19 @@ const writeMethods: string[] = [
 ];
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-buffer-noassert',
+        description: 'Warns when Buffer with noAssert flag is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of Buffer
+            with noAssert flag will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-buffer-noassert`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectChildProcessRule.ts b/src/rules/tsrDetectChildProcessRule.ts
@@ -3,6 +3,19 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-child-process',
+        description: 'Warns when child_process.exec() with non-literal first argument is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of child_process.exec()
+            with non-literal first argument will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-child-process`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectEvalWithExpressionRule.ts b/src/rules/tsrDetectEvalWithExpressionRule.ts
@@ -4,6 +4,19 @@ import {stringLiteralKinds} from '../node-kind';
 import syntaxKindToName from '../syntax-kind-to-name';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-eval-with-expression',
+        description: 'Warns when eval() with non-literal argument is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of eval()
+            with non-literal argument will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-eval-with-expression`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectHtmlInjectionRule.ts b/src/rules/tsrDetectHtmlInjectionRule.ts
@@ -3,6 +3,19 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-html-injection',
+        description: 'Warns when possible HTML injection is found',
+        descriptionDetails: Lint.Utils.dedent`Any usage of unsafe DOM APIs as Element.innerHTML or document.write()
+            will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-html-injection`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts b/src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts
@@ -2,6 +2,19 @@ import * as Lint from 'tslint';
 import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-no-csrf-before-method-override',
+        description: 'Warns when csrf middleware for Express.js is setup before method-override middleware',
+        descriptionDetails: Lint.Utils.dedent`Any usage of express.csrf() middleware before
+            express.methodOverride() will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-no-csrf-before-method-override`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectNonLiteralBufferRule.ts b/src/rules/tsrDetectNonLiteralBufferRule.ts
@@ -3,6 +3,19 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-non-literal-buffer',
+        description: 'Warns when Buffer constructor with non-literal argument is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of new Buffer()
+            with non-literal argument will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-buffer`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectNonLiteralFsFilenameRule.ts b/src/rules/tsrDetectNonLiteralFsFilenameRule.ts
@@ -4,6 +4,19 @@ import fsModuleMethodsArgumentsInfo from '../fs-module-methods-arguments-info';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-non-literal-fs-filename',
+        description: 'Warns when methods of Node.js FileSystem API are used with non-literal argument as a filename',
+        descriptionDetails: Lint.Utils.dedent`Any usage of Node.js FileSystem methods
+            with non-literal argument as a filename will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-fs-filename`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectNonLiteralRegexpRule.ts b/src/rules/tsrDetectNonLiteralRegexpRule.ts
@@ -3,6 +3,19 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-non-literal-regexp',
+        description: 'Warns when RegExp constructor with non-literal argument is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of new RegExp()
+            with non-literal argument will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-regexp`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectNonLiteralRequireRule.ts b/src/rules/tsrDetectNonLiteralRequireRule.ts
@@ -3,6 +3,19 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-non-literal-require',
+        description: 'Warns when require() function is used with non-literal argument',
+        descriptionDetails: Lint.Utils.dedent`Any usage of require()
+            with non-literal argument will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-non-literal-require`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectPossibleTimingAttacksRule.ts b/src/rules/tsrDetectPossibleTimingAttacksRule.ts
@@ -76,6 +76,19 @@ function isVulnerablePropertyAccessExpression(node: ts.PropertyAccessExpression)
 }
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-possible-timing-attacks',
+        description: 'Warns when possible timing attack is found',
+        descriptionDetails: Lint.Utils.dedent`Any usage of unsafe comparisons ('==', '!=', '!==' and '===')
+            that check input sequentially will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-possible-timing-attacks`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectPseudoRandomBytesRule.ts b/src/rules/tsrDetectPseudoRandomBytesRule.ts
@@ -2,6 +2,18 @@ import * as Lint from 'tslint';
 import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-pseudo-random-bytes',
+        description: 'Warns when crypto.pseudoRandomBytes() function is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of crypto.pseudoRandomBytes() will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-pseudo-random-bytes`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectSqlLiteralInjectionRule.ts b/src/rules/tsrDetectSqlLiteralInjectionRule.ts
@@ -6,6 +6,19 @@ import {stringLiteralKinds} from '../node-kind';
 const generalErrorMessage: string = 'Found possible SQL injection';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-sql-literal-injection',
+        description: 'Warns when possible SQL injection is found',
+        descriptionDetails: Lint.Utils.dedent`Any usage of the unsafe string concatenation in SQL queries
+            will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-sql-literal-injection`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts b/src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts
@@ -2,6 +2,18 @@ import * as Lint from 'tslint';
 import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-unsafe-cross-origin-communication',
+        description: 'Warns when postMessage() API is used with the target "*" (no preference)',
+        descriptionDetails: Lint.Utils.dedent`Any usage of postMessage() API with target "*" will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-cross-origin-communication`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectUnsafePropertiesAccessRule.ts b/src/rules/tsrDetectUnsafePropertiesAccessRule.ts
@@ -2,6 +2,19 @@ import * as Lint from 'tslint';
 import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-unsafe-properties-access',
+        description: 'Warns when potential unsafe access to the object properties is found',
+        descriptionDetails: Lint.Utils.dedent`Any potential unsafe access to the object properties
+            will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-properties-access`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDetectUnsafeRegexpRule.ts b/src/rules/tsrDetectUnsafeRegexpRule.ts
@@ -5,6 +5,18 @@ import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-detect-unsafe-regexp',
+        description: 'Warns when potential unsafe regular expression is found',
+        descriptionDetails: Lint.Utils.dedent`Any usage of potential unsafe regular expression will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-detect-unsafe-regexp`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
diff --git a/src/rules/tsrDisableMustacheEscapeRule.ts b/src/rules/tsrDisableMustacheEscapeRule.ts
@@ -2,6 +2,18 @@ import * as Lint from 'tslint';
 import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
+    static metadata: Lint.IRuleMetadata = {
+        ruleName: 'tsr-disable-mustache-escape',
+        description: 'Warns when escapeMarkup=false property with some template engines is used',
+        descriptionDetails: Lint.Utils.dedent`Any usage of escapeMarkup=false property will trigger a warning.
+            See https://github.com/webschik/tslint-config-security#tsr-disable-mustache-escape`,
+        optionsDescription: '',
+        options: null,
+        type: 'functionality',
+        requiresTypeInfo: false,
+        typescriptOnly: false
+    };
+
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithFunction(sourceFile, walk);
     }
