[feat] added tsr-detect-unsafe-cross-origin-communication rule

Author: webschik

README.md

@@ -191,3 +191,17 @@ db.query('SELECT * FROM `books` WHERE `author` = ?', ['David'], function (error,
 ```
 
 More examples: [test/rules/tsr-detect-sql-literal-injection/default/test.ts.lint](test/rules/tsr-detect-sql-literal-injection/default/test.ts.lint)
+
+#### `tsr-detect-unsafe-cross-origin-communication`
+
+Detects when all windows & frames on your page (including ones that were injected by 3rd-party scripts)
+may receive your data.
+
+> Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site.
+> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
+
+```js
+const myWindow = document.getElementById('myIFrame').contentWindow;
+
+myWindow.postMessage(message, "*"); // Noncompliant
+```

index.js

@@ -14,6 +14,7 @@ module.exports = {
         'tsr-detect-unsafe-regexp': [true],
         'tsr-disable-mustache-escape': [true],
         'tsr-detect-html-injection': [true],
-        'tsr-detect-sql-literal-injection': [true]
+        'tsr-detect-sql-literal-injection': [true],
+        'tsr-detect-unsafe-cross-origin-communication': [true]
     }
 };

src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts

@@ -0,0 +1,26 @@
+import * as ts from 'typescript';
+import * as Lint from 'tslint';
+
+export class Rule extends Lint.Rules.AbstractRule {
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
+        return this.applyWithWalker(new RuleWalker(sourceFile, this.getOptions()));
+    }
+}
+
+class RuleWalker extends Lint.RuleWalker {
+    visitCallExpression(node: ts.CallExpression) {
+        const {name} = node.expression as ts.PropertyAccessExpression;
+        const [, targetOrigin]: ts.NodeArray<ts.Expression> = node.arguments || [];
+
+        if (
+            name &&
+            targetOrigin &&
+            name.getText() === 'postMessage' &&
+            ((targetOrigin as ts.StringLiteral).text || '').trim() === '*'
+        ) {
+            this.addFailureAtNode(node, 'Found a wildcard keyword (*) in the targetOrigin argument');
+        }
+
+        super.visitCallExpression(node);
+    }
+}

test/rules/tsr-detect-unsafe-cross-origin-communication/default/test.ts.lint

@@ -0,0 +1,11 @@
+const myWindow = document.getElementById('myIFrame').contentWindow;
+
+myWindow.postMessage(message, "*");
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found a wildcard keyword (*) in the targetOrigin argument]
+myWindow.postMessage(message, '*');
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found a wildcard keyword (*) in the targetOrigin argument]
+myWindow.postMessage(message, ' *');
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found a wildcard keyword (*) in the targetOrigin argument]
+myWindow.postMessage(message, `*`);
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found a wildcard keyword (*) in the targetOrigin argument]
+myWindow.postMessage(message, "http://example.com");

test/rules/tsr-detect-unsafe-cross-origin-communication/default/tslint.json

@@ -0,0 +1,6 @@
+{
+  "rulesDirectory": "../../../../dist/rules",
+  "rules": {
+    "tsr-detect-unsafe-cross-origin-communication": true
+  }
+}