forked from minio/console
-
Notifications
You must be signed in to change notification settings - Fork 0
/
semgrep.yaml
65 lines (65 loc) · 1.87 KB
/
semgrep.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
rules:
- id: js-func-encode-uri
patterns:
- pattern: encodeURI($X)
message: Use encodeURIComponent() instead of encodeURI()
languages:
- typescript
- javascript
severity: WARNING
fix: encodeURIComponent($X)
- id: js-dangerous-func-document-write
patterns:
- pattern: document.write(...)
message: Don't render html directly into the page, use React components instead
languages:
- typescript
- javascript
severity: WARNING
- id: js-dangerous-func-assign-document-write
patterns:
- pattern: |
$X1 = document
...
$X1.write(...)
message: Don't render html directly into the page, use React components instead
languages:
- typescript
- javascript
severity: WARNING
- id: js-dangerous-func-document-writeln
patterns:
- pattern: document.writeln(...)
message: Don't render html directly into the page, use React components instead
languages:
- typescript
- javascript
severity: WARNING
- id: js-dangerous-func-assign-document-writeln
patterns:
- pattern: |
$X1 = document
...
$X1.writeln(...)
message: Don't render html directly into the page, use React components instead
languages:
- typescript
- javascript
severity: WARNING
- id: react-dangerouslysetinnerhtml
languages:
- typescript
- javascript
message: "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack."
pattern-either:
- pattern: |
<$X dangerouslySetInnerHTML=... />
- pattern: |
{dangerouslySetInnerHTML: ...}
- pattern: |
$X1.innerHTML=...
- pattern: |
$X1.outerHTML=...
- pattern: |
$X1.insertAdjacentHTML=...
severity: WARNING