forked from microsoft/eslint-plugin-sdl
no-insecure-url.js
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
const path = require("path");
const ruleId = path.parse(__filename).name;
const rule = require(path.join("../../../lib/rules/", ruleId));
const RuleTester = require("eslint").RuleTester;
const testUtils = require("../test-utils");
/**
* Notes:
* - ES2015/ES6 introduced template literals (``). This is considered in parserOptions for relevant tests.
*/
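// RuleTester suite for the rule named after this file (`ruleId`).
//
// Every multi-line fixture starts with a newline right after the opening
// backtick, so the first statement sits on line 2 of the linted text; the
// `line` values in `errors` are counted from there.
//
// `exceptions` / `blocklist` entries use regular-expression syntax (`/?.*`).
// They are written with `\\.` so the backslash survives JavaScript string
// parsing: in a plain string literal `"\."` is just `"."`, which as a pattern
// matches any character and makes the entry looser than it reads.
const ruleTester = new RuleTester();

ruleTester.run(ruleId, rule, {
  // Fixtures that must produce no report.
  valid: [
    {
      // should allow https,ftps strings in variables
      code: `
        var x = 'https://www.example.com'
        var y = 'ftps://www.example.com'
      `,
    },
    {
      // should allow https,ftps template strings in variables
      code: `
        var x = \`https://www.template-examples.com\`
        var y = \`ftps://www.template-file-examples.com\`
      `,
      parserOptions: testUtils.moduleParserOptions,
    },
    {
      // should allow https,ftps multipart template strings in variables
      code: `
        var x = \`https://www.\${multipartExample}.com\`
        var y = \`ftps://www.\${multipartExample}.com\`
      `,
      parserOptions: testUtils.moduleParserOptions,
    },
    {
      // should allow http,ftp in middle of string
      // This pins that a scheme appearing later in a literal is not reported,
      // so the rule does not cover insecure URLs embedded in longer text.
      code: "var x = 'The protocol may be http://, https://, ftp:// or ftps://'",
    },
    {
      // should allow https,ftps strings in default values
      code: `
        function f(x : string = 'https://www.example.com') {}
        function f(y : string = 'ftps://www.example.com') {}
      `,
      parser: testUtils.tsParser,
      parserOptions: testUtils.tsParserOptions,
    },
    {
      // should allow user-provided exceptions matches, regardless of upper/lower-case
      // NOTE(review): these patterns leave the end of the host open (`/?.*` or
      // nothing after `com`), so a longer host that merely starts with the
      // allowed name is exempt as well. Real configurations should require `/`
      // or end-of-string after the host.
      code: `
        var a1 = 'http://www.allow-example.com'
        var a2 = 'HtTp://www.allow-example.com/path'
        var b1 = 'FTP://www.allow-file-example.com'
        var c1 = 'LDaP://www.allow-ldap-example.com'
      `,
      options: [
        {
          exceptions: [
            "HTTP://www\\.allow-example\\.com/?.*",
            "FtP://www\\.allow-file-example\\.com",
            "LdaP://www\\.allow-ldap-example\\.com",
          ],
        },
      ],
    },
  ],

  // Fixtures that must be reported, one `doNotUseInsecureUrl` per listed line.
  invalid: [
    {
      // should ban http,ftp strings in variables
      code: `
        var x1 = 'http://www.examples.com'
        var x2 = 'HTTP://www.examples.com'
        var y1 = 'ftp://www.file-examples.com'
        var y2 = 'FTP://www.file-examples.com'
      `,
      errors: [
        { messageId: "doNotUseInsecureUrl", line: 2 },
        { messageId: "doNotUseInsecureUrl", line: 3 },
        { messageId: "doNotUseInsecureUrl", line: 4 },
        { messageId: "doNotUseInsecureUrl", line: 5 },
      ],
    },
    {
      // should ban http,ftp template strings in variables
      code: `
        var x1 = \`http://www.template-examples.com\`
        var x2 = \`HTTP://www.template-examples.com\`
        var y1 = \`ftp://www.file-examples.com\`
        var y2 = \`FTP://www.file-examples.com\`
      `,
      errors: [
        { messageId: "doNotUseInsecureUrl", line: 2 },
        { messageId: "doNotUseInsecureUrl", line: 3 },
        { messageId: "doNotUseInsecureUrl", line: 4 },
        { messageId: "doNotUseInsecureUrl", line: 5 },
      ],
      parserOptions: testUtils.moduleParserOptions,
    },
    {
      // should ban http,ftp multipart template strings in variables
      code: `
        var x1 = \`http://www.\${multipartExample}.com\`;
        var y1 = \`ftp://www.\${multipartExample}.com\`;
      `,
      errors: [
        { messageId: "doNotUseInsecureUrl", line: 2 },
        { messageId: "doNotUseInsecureUrl", line: 3 },
      ],
      parserOptions: testUtils.moduleParserOptions,
    },
    {
      // should ban http,ftp strings in default values
      code: `
        function f(x : string = 'http://www.example.com') {}
        function f(y : string = 'ftp://www.example.com') {}
      `,
      errors: [
        { messageId: "doNotUseInsecureUrl", line: 2 },
        { messageId: "doNotUseInsecureUrl", line: 3 },
      ],
      parser: testUtils.tsParser,
      parserOptions: testUtils.tsParserOptions,
    },
    {
      // should ban user-provided blocklist matches, regardless of upper/lower-case
      code: `
        var a1 = 'http://www.ban-example.com'
        var a2 = 'HTTP://www.ban-example.com/path'
        var b1 = 'FtP://www.ban-file-example.com'
        var c1 = 'LDAp://www.ban-ldap-example.com'
      `,
      errors: [
        { messageId: "doNotUseInsecureUrl", line: 2 },
        { messageId: "doNotUseInsecureUrl", line: 3 },
        { messageId: "doNotUseInsecureUrl", line: 4 },
        { messageId: "doNotUseInsecureUrl", line: 5 },
      ],
      options: [
        {
          blocklist: [
            "htTp://www\\.ban-example\\.com/?.*",
            "fTp://www\\.ban-file-example\\.com/?.*",
            "lDAp://www\\.ban-ldap-example\\.com/?.*",
          ],
        },
      ],
    },
  ],
});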