build(docs-infra): enable tsec security checker (angular#42800)

tsec is a TypeScript compiler wrapper for restricting use of security-sensitive DOM APIs, in particular those that could lead to XSS or Trusted Types violations. Add it as a linter to aio to prevent future Trusted Types regressions on angular.io. Also introduces security_exemptions.json, which lists the known, security-reviewed tsec security violations. New entries can only be added to this file after a security review, in particular making sure that the corresponding code does not cause XSS vulnerabilities or Trusted Types violations. PR Close angular#42800
saeidi-dev · Sep 9, 2021 · 672dfd0 · 672dfd0
1 parent 025cf93
commit 672dfd0
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 1 deletion.
diff --git a/aio/package.json b/aio/package.json
@@ -19,7 +19,7 @@
     "prebuild-local-ci": "yarn setup-local-ci",
     "build-local-ci": "yarn ~~build --progress=false",
     "extract-cli-command-docs": "node tools/transforms/cli-docs-package/extract-cli-commands.js 2621e1d39",
-    "lint": "yarn check-env && yarn docs-lint && ng lint && yarn example-lint && yarn tools-lint",
+    "lint": "yarn check-env && yarn docs-lint && ng lint && yarn example-lint && yarn tools-lint && yarn security-lint",
     "test": "yarn check-env && ng test",
     "pree2e": "yarn check-env && yarn update-webdriver",
     "e2e": "ng e2e --no-webdriver-update",
@@ -68,6 +68,7 @@
     "create-example": "node ./tools/examples/create-example.js",
     "build-404-page": "node scripts/build-404-page",
     "update-webdriver": "node ../scripts/webdriver-manager-update.js",
+    "security-lint": "tsec -p tsconfig.app.json",
     "~~audit-web-app": "node scripts/audit-web-app",
     "~~check-env": "node scripts/check-environment",
     "~~clean-generated": "node --eval \"require('shelljs').rm('-rf', 'src/generated')\"",
@@ -178,6 +179,7 @@
     "timezone-mock": "^1.1.3",
     "tree-kill": "^1.1.0",
     "ts-node": "^10.0.0",
+    "tsec": "^0.1.5",
     "tslint": "~6.1.3",
     "typescript": "~4.3.4",
     "uglify-js": "^3.13.3",

diff --git a/aio/security-exemptions.json b/aio/security-exemptions.json
@@ -0,0 +1,11 @@
+{
+  "ban-reviewed-conversions": [
+    "src/app/custom-elements/code/code.component.ts",
+    "src/app/custom-elements/code/pretty-printer.service.ts",
+    "src/app/documents/document.service.ts",
+    "src/app/shared/security.ts"
+  ],
+  "ban-worker-calls": [
+    "src/app/search/search.service.ts"
+  ]
+}
diff --git a/aio/tsconfig.app.json b/aio/tsconfig.app.json
@@ -4,6 +4,12 @@
     "outDir": "./out-tsc/app",
     "types": [
       "trusted-types"
+    ],
+    "plugins": [
+      {
+        "name": "tsec",
+        "exemptionConfig": "./security-exemptions.json"
+      }
     ]
   },
   "files": [

diff --git a/aio/yarn.lock b/aio/yarn.lock
@@ -12711,6 +12711,14 @@ tsconfig-paths@^3.9.0:
     minimist "^1.2.0"
     strip-bom "^3.0.0"
 
+tsec@^0.1.5:
+  version "0.1.5"
+  resolved "https://registry.yarnpkg.com/tsec/-/tsec-0.1.5.tgz#ef8fc0e06af40de43b3774806ca0b994123cc33c"
+  integrity sha512-mJ8yN/8uyJ4H0cFKshjWrfIeI3mI6Bz/TCX5pvgnuHPZvHjMCDUf2z923gFzqTpXjKMZWZO+zSdD8JoLT/o6OQ==
+  dependencies:
+    glob "^7.1.1"
+    minimatch "^3.0.3"
+
 [email protected]:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.3.0.tgz#803b8cdab3e12ba581a4ca41c8839bbb0dacb09e"