[feat] added tsr-detect-unsafe-properties-access rule; optimized imports in source files

Author: webschik

README.md

@@ -31,6 +31,7 @@ By default `tslint-config-security` enables [all rules](#rules), but you may dis
     "tsr-detect-html-injection": false,
     "tsr-detect-unsafe-regexp": false
   }
+}
 ```
 
 
@@ -209,3 +210,34 @@ const myWindow = document.getElementById('myIFrame').contentWindow;
 
 myWindow.postMessage(message, "*"); // Noncompliant
 ```
+
+#### tsr-detect-unsafe-properties-access
+
+Detects a potential unsafe access to the object properties
+
+```js
+/* 
+
+It equals to `new Function(prop3)`
+
+const a = {};
+
+a["constructor"]["constructor"]("alert(1)")()
+ */
+ 
+// unsafe
+obj[prop1][prop2](prop3)
+
+// unsafe
+obj[prop1][prop2](prop3)()  
+ 
+```
+
+More information:
+* [Web Puzzlers - Securing Dynamic Systems](https://youtu.be/SkNWAjDRLDY)
+* [Defensive JavaScript](https://www.javascriptjanuary.com/blog/defensive-javascript)
+
+Solutions:
+* use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)
+* use `.hasOwnProperty` check
+* use `Content-Security-Policy` on your page

index.js

@@ -15,6 +15,7 @@ module.exports = {
         'tsr-disable-mustache-escape': [true],
         'tsr-detect-html-injection': [true],
         'tsr-detect-sql-literal-injection': [true],
-        'tsr-detect-unsafe-cross-origin-communication': [true]
+        'tsr-detect-unsafe-cross-origin-communication': [true],
+        'tsr-detect-unsafe-properties-access': [true]
     }
 };

npm-shrinkwrap.json

@@ -1,6 +1,6 @@
 {
   "name": "tslint-config-security",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "description": "TSLint security rules",
   "main": "./index.js",
   "files": [

package.json

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 
 const readMethods: string[] = [
     'readUInt8',

src/rules/tsrDetectBufferNoassertRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {StringLiteral, stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {

src/rules/tsrDetectChildProcessRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 import syntaxKindToName from '../syntax-kind-to-name';
 

src/rules/tsrDetectEvalWithExpressionRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {

src/rules/tsrDetectHtmlInjectionRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {

src/rules/tsrDetectNoCsrfBeforeMethodOverrideRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {

src/rules/tsrDetectNonLiteralBufferRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {

src/rules/tsrDetectNonLiteralRegexpRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {stringLiteralKinds} from '../node-kind';
 
 export class Rule extends Lint.Rules.AbstractRule {

src/rules/tsrDetectNonLiteralRequireRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {StringLiteral, stringLiteralKinds} from '../node-kind';
 
 const keywordMask = new RegExp(

src/rules/tsrDetectPossibleTimingAttacksRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {

src/rules/tsrDetectPseudoRandomBytesRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {isSqlQuery} from '../is-sql-query';
 import {stringLiteralKinds} from '../node-kind';
 

src/rules/tsrDetectSqlLiteralInjectionRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {

src/rules/tsrDetectUnsafeCrossOriginCommunicationRule.ts

@@ -0,0 +1,25 @@
+import * as Lint from 'tslint';
+import * as ts from 'typescript';
+
+export class Rule extends Lint.Rules.AbstractRule {
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
+        return this.applyWithWalker(new RuleWalker(sourceFile, this.getOptions()));
+    }
+}
+
+class RuleWalker extends Lint.RuleWalker {
+    visitCallExpression(node: ts.CallExpression) {
+        const {expression, arguments: args} = node;
+
+        if (
+            expression &&
+            args &&
+            expression.kind === ts.SyntaxKind.ElementAccessExpression &&
+            args.find(ts.isIdentifier)
+        ) {
+            this.addFailureAtNode(node, 'Found unsafe properties access');
+        }
+
+        super.visitCallExpression(node);
+    }
+}

src/rules/tsrDetectUnsafePropertiesAccessRule.ts

@@ -1,9 +1,9 @@
-import * as ts from 'typescript';
+// @ts-ignore
+import * as isSafeRegexp from 'safe-regex';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 import {StringLiteral, stringLiteralKinds} from '../node-kind';
 
-const isSafeRegexp = require('safe-regex');
-
 export class Rule extends Lint.Rules.AbstractRule {
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
         return this.applyWithWalker(new RuleWalker(sourceFile, this.getOptions()));

src/rules/tsrDetectUnsafeRegexpRule.ts

@@ -1,5 +1,5 @@
-import * as ts from 'typescript';
 import * as Lint from 'tslint';
+import * as ts from 'typescript';
 
 export class Rule extends Lint.Rules.AbstractRule {
     apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {

src/rules/tsrDisableMustacheEscapeRule.ts

@@ -0,0 +1,8 @@
+obj[prop1][prop2](prop3)
+~~~~~~~~~~~~~~~~~~~~~~~~    [Found unsafe properties access]
+
+obj[prop1][prop2](prop3)()
+~~~~~~~~~~~~~~~~~~~~~~~~    [Found unsafe properties access]
+
+obj[prop1][prop2].knownApiMethod()
+obj.prop1.prop2(prop3)

test/rules/tsr-detect-unsafe-properties-access/default/test.ts.lint

@@ -0,0 +1,6 @@
+{
+  "rulesDirectory": "../../../../dist/rules",
+  "rules": {
+    "tsr-detect-unsafe-properties-access": true
+  }
+}