Restrict loading of workspace versions of TSLint

Do not load the workspace version of TSLint by default

Author: mjbvz

.vscode/launch.json

@@ -6,18 +6,12 @@
     "configurations": [
         {
             "type": "node",
-            "request": "launch",
-            "name": "Mocha Tests",
-            "program": "${workspaceFolder}/node_modules/mocha/bin/_mocha",
-            "args": [
-                "-u",
-                "tdd",
-                "--timeout",
-                "999999",
-                "--colors",
-                "${workspaceFolder}/out/runner/test"
-            ],
-            "internalConsoleOptions": "openOnSessionStart"
+            "request": "attach",
+            "name": "Attach",
+            "port": 9999,
+            "skipFiles": [
+                "<node_internals>/**"
+            ]
         }
     ]
 }

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 1.0.0 - November 30, 2020
+- Restricts when tslint is loaded from the workspace.
+    - Global TSLint versions can always be loaded.
+    - TSLint versions installed next to the plugin can always be loaded.
+    - Otherwise, the consumer of the plugin must use `onConfigurationChanged` and explicitly enable `allowWorkspaceLibraryExecution`.
+    - You can also force allow workspace versions of TSLint to be loaded by setting a `TS_TSLINT_ENABLE_WORKSPACE_LIBRARY_EXECUTION`  environment variable.
+
 ## 0.5.5 - November 11, 2019
 - Restore old cwd after linting finishes.
 

README.md

@@ -10,9 +10,9 @@ TypeScript [language service plugin](https://blogs.msdn.microsoft.com/typescript
 
 To use the plugin:
 
-* Install TSLint 5+ in your workspace or globally.
+* Install TSLint 5+ in your workspace or globally (if you are using a local TSLint, see [workspace library execution](#workspace-library-execution))
 
-* Install the plugin with `npm install typescript-tslint-plugin`
+* Install the plugin with `npm install typescript-tslint-plugin` 
 
 * Enable the plugin in your `tsconfig.json` file:
 
@@ -28,6 +28,20 @@ To use the plugin:
 
 See [editor support](#editor-support) for more detailed setup instructions.
 
+## Workspace Library Execution
+
+By default this plugin will not load TSLint or custom rules from the workspace if you are using a global version of TypeScript. This is done for security reasons. The plugin always allows using the global version of TSLint.
+
+To use enable using a local TSLint install and custom rules from the workspace, you must either:
+
+- Use a workspace version of TypeScript that is installed alongside TSLint.
+
+- Enable workspace library execution in your editor of choice. This must be done through an editor and cannot be configured in a `tsconfig`.
+
+    In VS Code for example, you can run the `TSLint: Manage Workspace Library Execution` command to enable using the TSLint for the current workspace or for all workspaces.
+
+- Set a `TS_TSLINT_ENABLE_WORKSPACE_LIBRARY_EXECUTION=1` environment variable and make sure the TypeScript server is run in an environment where this variable is set to true.
+
 ## Configuration options
 
 **Notice**: This configuration settings allow you to configure the behavior of the typescript-tslint-plugin itself. To configure rules and tslint options you should use the `tslint.json` file.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "typescript-tslint-plugin",
-  "version": "0.5.5",
+  "version": "1.0.0",
   "description": "TypeScript tslint language service plugin",
   "main": "out/index.js",
   "author": "Microsoft",

package.json

@@ -3,10 +3,14 @@ import * as ts_module from 'typescript/lib/tsserverlibrary';
 import { Logger } from './logger';
 import { ConfigurationManager } from './settings';
 import * as mockRequire from 'mock-require';
+import { WorkspaceLibraryExecution } from './runner';
+
+const enableWorkspaceLibraryExecutionEnvVar = 'TS_TSLINT_ENABLE_WORKSPACE_LIBRARY_EXECUTION';
 
 export = function init({ typescript }: { typescript: typeof ts_module }) {
     const configManager = new ConfigurationManager(typescript);
     let logger: Logger | undefined;
+    let plugin: TSLintPlugin | undefined;
 
     // Make sure TS Lint imports the correct version of TS
     mockRequire('typescript', typescript);
@@ -24,13 +28,26 @@ export = function init({ typescript }: { typescript: typeof ts_module }) {
                 return info.languageService;
             }
 
-            return new TSLintPlugin(typescript, info.languageServiceHost, logger, info.project, configManager)
-                .decorate(info.languageService);
+            plugin = new TSLintPlugin(typescript, info.languageServiceHost, logger, info.project, configManager);
+
+            // Allow clients that don't use onConfigurationChanged to still securely enable
+            // workspace library execution with an env var.
+            const workspaceLibraryFromEnv = process.env[enableWorkspaceLibraryExecutionEnvVar] ? WorkspaceLibraryExecution.Allow : WorkspaceLibraryExecution.Unknown;
+            plugin.updateWorkspaceTrust(workspaceLibraryFromEnv);
+
+            return plugin.decorate(info.languageService);
         },
         onConfigurationChanged(config: any) {
             if (logger) {
                 logger.info('onConfigurationChanged');
             }
+
+            if (plugin) {
+                if ('allowWorkspaceLibraryExecution' in config) {
+                    plugin.updateWorkspaceTrust(config.allowWorkspaceLibraryExecution ? WorkspaceLibraryExecution.Allow : WorkspaceLibraryExecution.Disallow);
+                }
+            }
+
             configManager.updateFromPluginConfig(config);
         },
     };

src/index.ts

@@ -4,7 +4,7 @@ import * as ts_module from 'typescript/lib/tsserverlibrary';
 import { TSLINT_ERROR_CODE, TSLINT_ERROR_SOURCE } from './config';
 import { ConfigFileWatcher } from './configFileWatcher';
 import { Logger } from './logger';
-import { RunResult, TsLintRunner, toPackageManager } from './runner';
+import { RunResult, TsLintRunner, toPackageManager, WorkspaceLibraryExecution } from './runner';
 import { ConfigurationManager } from './settings';
 import { getNonOverlappingReplacements, filterProblemsForFile, getReplacements } from './runner/failures';
 
@@ -52,7 +52,10 @@ class ProblemMap {
 export class TSLintPlugin {
     private readonly codeFixActions = new Map<string, ProblemMap>();
     private readonly configFileWatcher: ConfigFileWatcher;
-    private readonly runner: TsLintRunner;
+
+    private runner: TsLintRunner;
+
+    private workspaceTrust = WorkspaceLibraryExecution.Unknown;
 
     public constructor(
         private readonly ts: typeof ts_module,
@@ -118,6 +121,13 @@ export class TSLintPlugin {
         });
     }
 
+    public updateWorkspaceTrust(workspaceTrust: WorkspaceLibraryExecution) {
+        this.workspaceTrust = workspaceTrust;
+
+        // Reset the runner
+        this.runner = new TsLintRunner(message => { this.logger.info(message); });
+    }
+
     private getSemanticDiagnostics(
         delegate: (fileName: string) => ts_module.Diagnostic[],
         fileName: string,
@@ -150,6 +160,7 @@ export class TSLintPlugin {
                         ? Array.isArray(config.exclude) ? config.exclude : [config.exclude]
                         : [],
                     packageManager: toPackageManager(config.packageManager),
+                    workspaceLibraryExecution: this.workspaceTrust,
                 });
                 if (result.configFilePath) {
                     this.configFileWatcher.ensureWatching(result.configFilePath);