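/**
 * ESLint rule: report string and template literals that mention
 * `authenticity_token` (the form CSRF token).
 *
 * The check is a case-sensitive substring test on the literal's text. It
 * deliberately does not try to understand how the string is used; any
 * appearance of the token name in JavaScript is reported so a reviewer can
 * decide whether a token is being minted or forwarded by hand.
 */
module.exports = {
  meta: {
    type: 'problem',
    docs: {
      description: 'disallow usage of CSRF tokens in JavaScript',
      url: require('../url')(module),
    },
    // The rule takes no options.
    schema: [],
  },

  create(context) {
    /**
     * Report `node` when `str` contains the token name.
     * @param {Object} node - AST node the report is attached to
     * @param {string} str - literal text to inspect
     */
    function checkAuthenticityTokenUsage(node, str) {
      if (str.includes('authenticity_token')) {
        context.report({
          node,
          message:
            'Form CSRF tokens (authenticity tokens) should not be created in JavaScript and their values should not be used directly for XHR requests.',
        })
      }
    }

    return {
      // Plain string literals, including the quoted-key form
      // `{'authenticity_token': value}`. `node.value` is the cooked string,
      // so escape sequences are already resolved before the substring test.
      Literal(node) {
        if (typeof node.value === 'string') {
          checkAuthenticityTokenUsage(node, node.value)
        }
      },

      // Template literals were not inspected before, so a string such as
      // `authenticity_token=${token}` slipped past the rule. Each quasi is
      // tested on its cooked value (escapes resolved); `cooked` is null for a
      // tagged template with an invalid escape, in which case the raw text is
      // used instead.
      TemplateLiteral(node) {
        for (const quasi of node.quasis) {
          const text = typeof quasi.value.cooked === 'string' ? quasi.value.cooked : quasi.value.raw
          checkAuthenticityTokenUsage(node, text)
        }
      },
    }
  },
}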