Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
lib
 
 
 
 
 
 
 
 
 
 
 
 

README.md

AngularJS Security Rules For ESLint

These rules are to supplement the security issues documented in my talks at OWASP London and FluentConf around AngularJS Security.

They are currently used as points of interest that would need to be investigate further, but in the upcoming releases they will be a lot more useful when developers write code.

Usage

These rules can be used by downloading the Config which includes the installation settings.

Rules

The current ruleset supports only Angular 1.x issues, and can be noisy, but they are a work in progress.

Current rules are:

  • detect-angular-element-methods
  • detect-angular-open-redirect
  • detect-angular-orderBy-expressions
  • detect-angular-resource-loading
  • detect-angular-sce-disabled
  • detect-angular-scope-expressions
  • detect-angular-service-expressions
  • detect-angular-trustAs-methods
  • detect-angular-trustAsCss-method
  • detect-angular-trustAsHtml-method
  • detect-angular-sce-disabled
  • detect-angular-trustAsJs-method
  • detect-angular-trustAsResourceUrl-method
  • detect-angular-trustAsUrl-method
  • detect-third-party-angular-translate

TODO:

  • Each rule needs better detection, and possibly taint analysis
  • Add more rules related to Angular 1.0 - 5 in mind.
  • Add Angular 2/4 security issues such as bypassSecurityTrustHtml

If you feel anything is missing or would like to see additional rules added, feel free to write an issue

About

Rules for detecting security issues in Angular 1.x

Resources

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •