add security warning for anchor element (rel attribute)

sveltejs · May 3, 2021 · 10999ea · 10999ea
1 parent 341160f
commit 10999ea
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 0 deletions.
diff --git a/src/compiler/compile/nodes/Element.ts b/src/compiler/compile/nodes/Element.ts
@@ -451,6 +451,26 @@ export default class Element extends Node {
 			const href_attribute = attribute_map.get('href') || attribute_map.get('xlink:href');
 			const id_attribute = attribute_map.get('id');
 			const name_attribute = attribute_map.get('name');
+			const target_attribute = attribute_map.get('target');
+
+			if (target_attribute.get_static_value() === '_blank') {
+				const rel = attribute_map.get('rel');
+				const rel_values = rel ? rel.get_static_value().split(' ') : [];
+
+				if (!rel || rel && rel_values.indexOf('noopener') < 0) {
+					component.warn(this, {
+						code: 'security-anchor-rel-noopener',
+						message: 'Security: Anchor with "target=_blank" should have rel attribute containing the value "noopener"'
+					});
+				}
+
+				if (!rel || rel && rel_values.indexOf('noreferrer') < 0) {
+					component.warn(this, {
+						code: 'security-anchor-rel-noreferrer',
+						message: 'Security: Anchor with "target=_blank" should have rel attribute containing the value "noreferrer"'
+					});
+				}
+			}
 
 			if (href_attribute) {
 				const href_value = href_attribute.get_static_value();

diff --git a/test/validator/samples/security-anchor-rel-noopener/input.svelte b/test/validator/samples/security-anchor-rel-noopener/input.svelte
@@ -0,0 +1,8 @@
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="https://svelte.dev" target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="https://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
+<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
+<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
diff --git a/test/validator/samples/security-anchor-rel-noopener/warnings.json b/test/validator/samples/security-anchor-rel-noopener/warnings.json
@@ -0,0 +1,47 @@
+[
+	{
+		"code": "security-anchor-rel-noopener",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+		"start": {
+			"line": 2,
+			"column": 0,
+			"character": 54
+		},
+		"end": {
+			"line": 2,
+			"column": 73,
+			"character": 127
+		},
+		"pos": 54
+	},
+	{
+		"code": "security-anchor-rel-noopener",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+		"start": {
+			"line": 4,
+			"column": 0,
+			"character": 182
+		},
+		"end": {
+			"line": 4,
+			"column": 80,
+			"character": 262
+		},
+		"pos": 182
+	},
+	{
+		"code": "security-anchor-rel-noopener",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+		"start": {
+			"line": 5,
+			"column": 0,
+			"character": 263
+		},
+		"end": {
+			"line": 5,
+			"column": 90,
+			"character": 353
+		},
+		"pos": 263
+	}
+]
diff --git a/test/validator/samples/security-anchor-rel-noreferrer/input.svelte b/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
@@ -0,0 +1,8 @@
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="https://svelte.dev" target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="https://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
+<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
+<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
diff --git a/test/validator/samples/security-anchor-rel-noreferrer/warnings.json b/test/validator/samples/security-anchor-rel-noreferrer/warnings.json
@@ -0,0 +1,47 @@
+[
+	{
+		"code": "security-anchor-rel-noreferrer",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+		"start": {
+			"line": 2,
+			"column": 0,
+			"character": 52
+		},
+		"end": {
+			"line": 2,
+			"column": 73,
+			"character": 125
+		},
+		"pos": 52
+	},
+	{
+		"code": "security-anchor-rel-noreferrer",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+		"start": {
+			"line": 4,
+			"column": 0,
+			"character": 178
+		},
+		"end": {
+			"line": 4,
+			"column": 80,
+			"character": 258
+		},
+		"pos": 178
+	},
+	{
+		"code": "security-anchor-rel-noreferrer",
+		"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+		"start": {
+			"line": 5,
+			"column": 0,
+			"character": 259
+		},
+		"end": {
+			"line": 5,
+			"column": 88,
+			"character": 347
+		},
+		"pos": 259
+	}
+]