ci: Add tsec_test for all ng_module targets. (#24066)

uraj · web-flow · commit d93d9a3ae083 · 2022-01-06T06:59:47.000-08:00
* ci: Add tsec_test for all ng_module targets.

Instead of modifying ~250 BUILD.bazel files, instrument the ng_module
macro to conveniently create tsec_test for all modules. The ts_library
macro is not instrumented since most of them are about testing,
schematics and examples, which are not relevant to XSS. For those that
are indeed security sensitive, tsec_test is manually added into
individual BUILD.bazel files.

* fixup! ci: Add tsec_test for all ng_module targets.

* fixup! ci: Add tsec_test for all ng_module targets.
diff --git a/goldens/BUILD.bazel b/goldens/BUILD.bazel
@@ -1,3 +1,4 @@
 exports_files([
     "size-test.yaml",
+    "tsec-exemption.json",
 ])
diff --git a/goldens/tsec-exemption.json b/goldens/tsec-exemption.json
@@ -0,0 +1,17 @@
+{
+  "ban-trustedtypes-createpolicy": [
+    "../src/material/icon/trusted-types.ts"
+  ],
+  "ban-element-innerhtml-assignments": [
+    "../src/material/icon/icon-registry.ts"
+  ],
+  "ban-element-setattribute": [
+    "../src/cdk/a11y/aria-describer/aria-reference.ts",
+    "../src/material-experimental/mdc-checkbox/checkbox.ts",
+    "../src/material-experimental/mdc-list/interactive-list-base.ts",
+    "../src/material-experimental/mdc-progress-spinner/progress-spinner.ts",
+    "../src/material-experimental/mdc-slide-toggle/slide-toggle.ts",
+    "../src/material/icon/icon-registry.ts",
+    "../src/material/icon/icon.ts"
+  ]
+}
diff --git a/package.json b/package.json
@@ -22,6 +22,7 @@
     "test": "node ./scripts/run-component-tests.js",
     "test-local": "yarn -s test --local",
     "test-firefox": "yarn -s test --firefox",
+    "test-tsec": "yarn bazelisk test //... --build_tag_filters=tsec --test_tag_filters=tsec",
     "lint": "yarn -s tslint && yarn -s stylelint && yarn -s ownerslint && yarn -s ng-dev format changed --check",
     "e2e": "bazel test //src/... --build_tag_filters=e2e --test_tag_filters=e2e --build_tests_only",
     "deploy-dev-app": "node ./scripts/deploy-dev-app.js",
@@ -211,6 +212,7 @@
     "stylelint": "^14.0.1",
     "terser": "^5.9.0",
     "ts-node": "^10.2.1",
+    "tsec": "0.2.1",
     "tsickle": "0.39.1",
     "tslint": "^6.1.3",
     "tsutils": "^3.21.0",
diff --git a/src/BUILD.bazel b/src/BUILD.bazel
@@ -49,3 +49,12 @@ ts_library(
     name = "dev_mode_types",
     srcs = ["dev-mode-types.d.ts"],
 )
+
+ts_config(
+    name = "tsec_config",
+    src = "tsconfig-tsec.json",
+    deps = [
+        ":bazel-tsconfig-build.json",
+        "//goldens:tsec-exemption.json",
+    ],
+)
diff --git a/src/cdk/a11y/focus-monitor/focus-monitor.ts b/src/cdk/a11y/focus-monitor/focus-monitor.ts
@@ -134,7 +134,7 @@ export class FocusMonitor implements OnDestroy {
     // Make a note of when the window regains focus, so we can
     // restore the origin info for the focused element.
     this._windowFocused = true;
-    this._windowFocusTimeoutId = setTimeout(() => (this._windowFocused = false));
+    this._windowFocusTimeoutId = window.setTimeout(() => (this._windowFocused = false));
   };
 
   /** Used to reference correct document/window */
diff --git a/src/material-experimental/mdc-chips/chip-row.ts b/src/material-experimental/mdc-chips/chip-row.ts
@@ -167,7 +167,7 @@ export class MatChipRow
     }
 
     // Wait to see if focus moves to the other gridcell
-    this._focusoutTimeout = setTimeout(() => {
+    this._focusoutTimeout = window.setTimeout(() => {
       this._hasFocusInternal = false;
       this._onBlur.next({chip: this});
       this._handleInteraction(event);
diff --git a/src/tsconfig-tsec.json b/src/tsconfig-tsec.json
@@ -0,0 +1,9 @@
+{
+  "extends": "./bazel-tsconfig-build.json",
+  "compilerOptions": {
+    "plugins": [
+      {"name": "tsec", "exemptionConfig": "../goldens/tsec-exemption.json"}
+    ]
+  }
+}
+
diff --git a/tools/defaults.bzl b/tools/defaults.bzl
@@ -12,6 +12,7 @@ load("@npm//@bazel/jasmine:index.bzl", _jasmine_node_test = "jasmine_node_test")
 load("@npm//@bazel/concatjs:index.bzl", _karma_web_test = "karma_web_test", _karma_web_test_suite = "karma_web_test_suite")
 load("@npm//@bazel/protractor:index.bzl", _protractor_web_test_suite = "protractor_web_test_suite")
 load("@npm//@bazel/typescript:index.bzl", _ts_library = "ts_library")
+load("@npm//tsec:index.bzl", _tsec_test = "tsec_test")
 load("//:packages.bzl", "NO_STAMP_NPM_PACKAGE_SUBSTITUTIONS", "NPM_PACKAGE_SUBSTITUTIONS")
 load("//:pkg-externals.bzl", "PKG_EXTERNALS")
 load("//tools/markdown-to-html:index.bzl", _markdown_to_html = "markdown_to_html")
@@ -31,6 +32,17 @@ integration_test = _integration_test
 esbuild = _esbuild
 esbuild_config = _esbuild_config
 
+def _make_tsec_test(target):
+    package_name = native.package_name()
+    if not package_name.startswith("src/components-examples") and \
+       not package_name.endswith("/testing") and \
+       not package_name.endswith("/schematics"):
+        _tsec_test(
+            name = target + "_tsec_test",
+            target = target,
+            tsconfig = "//src:tsec_config",
+        )
+
 def _compute_module_name(testonly):
     current_pkg = native.package_name()
 
@@ -109,6 +121,9 @@ def ts_library(
         **kwargs
     )
 
+    if module_name and not testonly:
+        _make_tsec_test(kwargs["name"])
+
 def ng_module(
         deps = [],
         srcs = [],
@@ -147,6 +162,9 @@ def ng_module(
         **kwargs
     )
 
+    if module_name and not testonly:
+        _make_tsec_test(kwargs["name"])
+
 def ng_package(name, data = [], deps = [], externals = PKG_EXTERNALS, readme_md = None, visibility = None, **kwargs):
     # If no readme file has been specified explicitly, use the default readme for
     # release packages from "src/README.md".
diff --git a/yarn.lock b/yarn.lock
@@ -11272,7 +11272,7 @@ minimalistic-assert@^1.0.0, minimalistic-assert@^1.0.1:
   resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
 
-"minimatch@2 || 3", minimatch@3.0.4, minimatch@^3.0.2, minimatch@^3.0.4:
+"minimatch@2 || 3", minimatch@3.0.4, minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
   integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
@@ -15658,6 +15658,14 @@ ts-node@^10.2.1:
     make-error "^1.1.1"
     yn "3.1.1"
 
+tsec@0.2.1:
+  version "0.2.1"
+  resolved "https://registry.yarnpkg.com/tsec/-/tsec-0.2.1.tgz#017423174b2be54f26da5cb7591dc7035996086b"
+  integrity sha512-RP9vhbRbRI9VH4CfOlQvo5W9HdfiPKq0gdiUOWI5oKmLaZKNFN8CsPwBfT5ySmhnKNwmmAS/BtY3WoTfABwwig==
+  dependencies:
+    glob "^7.1.1"
+    minimatch "^3.0.3"
+
 tsickle@0.39.1:
   version "0.39.1"
   resolved "https://registry.yarnpkg.com/tsickle/-/tsickle-0.39.1.tgz#7ccf672cde5b430f5dd0b281ee49e170ef390ff9"

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ export class MatChipRow`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`// Wait to see if focus moves to the other gridcell`
`170`		`- this._focusoutTimeout = setTimeout(() => {`
	`170`	`+ this._focusoutTimeout = window.setTimeout(() => {`
`171`	`171`	`this._hasFocusInternal = false;`
`172`	`172`	`this._onBlur.next({chip: this});`
`173`	`173`	`this._handleInteraction(event);`