Linter: Implement erb-require-script-nonce rule

markokajzer · markokajzer · commit aacd635cc1c3 · 2026-03-15T20:00:01.000+01:00
closes #543
diff --git a/javascript/packages/linter/docs/rules/README.md b/javascript/packages/linter/docs/rules/README.md
@@ -28,6 +28,7 @@ This page contains documentation for all Herb Linter rules.
 - [`erb-no-unsafe-raw`](./erb-no-unsafe-raw.md) - Disallow `raw()` and `.html_safe` in ERB output
 - [`erb-no-unsafe-script-interpolation`](./erb-no-unsafe-script-interpolation.md) - Disallow unsafe ERB output inside `<script>` tags
 - [`erb-prefer-image-tag-helper`](./erb-prefer-image-tag-helper.md) - Prefer `image_tag` helper over `<img>` with ERB expressions
+- [`erb-require-script-nonce`](./erb-require-script-nonce.md) - Require `nonce` attribute on script tags and helpers
 - [`erb-require-trailing-newline`](./erb-require-trailing-newline.md) - Enforces that all HTML+ERB template files end with exactly one trailing newline character.
 - [`erb-require-whitespace-inside-tags`](./erb-require-whitespace-inside-tags.md) - Requires whitespace around ERB tags
 - [`erb-right-trim`](./erb-right-trim.md) - Enforce consistent right-trimming syntax.
diff --git a/javascript/packages/linter/docs/rules/erb-require-script-nonce.md b/javascript/packages/linter/docs/rules/erb-require-script-nonce.md
@@ -0,0 +1,115 @@
+# Linter Rule: Require nonce attribute on script tags and helpers
+
+**Rule:** `erb-require-script-nonce`
+
+## Description
+
+Require a `nonce` attribute on inline `<script>` tags, Rails JavaScript helper methods (`javascript_tag`, `javascript_include_tag`, `javascript_pack_tag`) and tag helpers (`tag.script`). This helps enforce a Content Security Policy (CSP) that mitigates cross-site scripting (XSS) attacks.
+
+## Rationale
+
+A Content Security Policy with a nonce-based approach ensures that only scripts with a valid, server-generated nonce are executed by the browser. Without a nonce, inline scripts and dynamically included scripts may be blocked by CSP, or worse, CSP may need to be relaxed with `unsafe-inline`, defeating its purpose.
+
+Adding `nonce` attributes to all script tags and helpers ensures:
+
+- Scripts are allowed by the CSP without weakening it
+- Protection against XSS attacks that attempt to inject unauthorized scripts
+- Consistent security practices across the codebase
+
+## Examples
+
+### ✅ Good
+
+HTML script tags with a nonce:
+
+```erb
+<script nonce="<%= request.content_security_policy_nonce %>">
+  alert("Hello, world!")
+</script>
+```
+
+```erb
+<script type="text/javascript" nonce="<%= request.content_security_policy_nonce %>">
+  console.log("Hello")
+</script>
+```
+
+Rails helpers with `nonce: true`:
+
+```erb
+<%= javascript_tag nonce: true do %>
+  alert("Hello, world!")
+<% end %>
+```
+
+```erb
+<%= javascript_include_tag "application", nonce: true %>
+```
+
+```erb
+<%= javascript_pack_tag "application", nonce: true %>
+```
+
+```erb
+<%= tag.script nonce: true do %>
+  alert("Hello, world!")
+<% end %>
+```
+
+Non-JavaScript script types (not flagged):
+
+```erb
+<script type="application/json">
+  {"key": "value"}
+</script>
+```
+
+```erb
+<script type="application/ld+json">
+  {"@context": "https://schema.org"}
+</script>
+```
+
+### 🚫 Bad
+
+HTML script tags without a nonce:
+
+```erb
+<script>
+  alert("Hello, world!")
+</script>
+```
+
+```erb
+<script type="text/javascript">
+  console.log("Hello")
+</script>
+```
+
+Rails helpers without `nonce: true`:
+
+```erb
+<%= javascript_tag do %>
+  alert("Hello, world!")
+<% end %>
+```
+
+```erb
+<%= javascript_include_tag "application" %>
+```
+
+```erb
+<%= javascript_pack_tag "application" %>
+```
+
+```erb
+<%= tag.script do %>
+  alert("Hello, world!")
+<% end %>
+```
+
+## References
+
+- [Inspiration: ERB Lint `RequireScriptNonce` rule](https://github.com/Shopify/erb_lint/blob/main/lib/erb_lint/linters/require_script_nonce.rb)
+- [MDN: Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+- [Rails: `content_security_policy_nonce`](https://api.rubyonrails.org/classes/ActionDispatch/ContentSecurityPolicy/Request.html)
diff --git a/javascript/packages/linter/src/rules.ts b/javascript/packages/linter/src/rules.ts
@@ -26,6 +26,7 @@ import { ERBNoUnsafeJSAttributeRule } from "./rules/erb-no-unsafe-js-attribute.j
 import { ERBNoUnsafeRawRule } from "./rules/erb-no-unsafe-raw.js"
 import { ERBNoUnsafeScriptInterpolationRule } from "./rules/erb-no-unsafe-script-interpolation.js"
 import { ERBPreferImageTagHelperRule } from "./rules/erb-prefer-image-tag-helper.js"
+import { ERBRequireScriptNonceRule } from "./rules/erb-require-script-nonce.js"
 import { ERBRequireTrailingNewlineRule } from "./rules/erb-require-trailing-newline.js"
 import { ERBRequireWhitespaceRule } from "./rules/erb-require-whitespace-inside-tags.js"
 import { ERBRightTrimRule } from "./rules/erb-right-trim.js"
@@ -51,8 +52,8 @@ import { HTMLAttributeEqualsSpacingRule } from "./rules/html-attribute-equals-sp
 import { HTMLAttributeValuesRequireQuotesRule } from "./rules/html-attribute-values-require-quotes.js"
 import { HTMLAvoidBothDisabledAndAriaDisabledRule } from "./rules/html-avoid-both-disabled-and-aria-disabled.js"
 import { HTMLBodyOnlyElementsRule } from "./rules/html-body-only-elements.js"
-import { HTMLDetailsHasSummaryRule } from "./rules/html-details-has-summary.js"
 import { HTMLBooleanAttributesNoValueRule } from "./rules/html-boolean-attributes-no-value.js"
+import { HTMLDetailsHasSummaryRule } from "./rules/html-details-has-summary.js"
 import { HTMLHeadOnlyElementsRule } from "./rules/html-head-only-elements.js"
 import { HTMLIframeHasTitleRule } from "./rules/html-iframe-has-title.js"
 import { HTMLImgRequireAltRule } from "./rules/html-img-require-alt.js"
@@ -97,6 +98,7 @@ export const rules: RuleClass[] = [
   ERBNoInstanceVariablesInPartialsRule,
   ERBNoInterpolatedClassNamesRule,
   ERBNoJavascriptTagHelperRule,
+  ERBRequireScriptNonceRule,
   ERBNoOutputControlFlowRule,
   ERBNoOutputInAttributeNameRule,
   ERBNoOutputInAttributePositionRule,
diff --git a/javascript/packages/linter/src/rules/erb-require-script-nonce.ts b/javascript/packages/linter/src/rules/erb-require-script-nonce.ts
@@ -0,0 +1,142 @@
+import { PrismVisitor, PrismNodes } from "@herb-tools/core"
+import { ParserRule } from "../types.js"
+import { BaseRuleVisitor } from "./rule-utils.js"
+import { getTagLocalName, getAttribute, getStaticAttributeValue, hasAttributeValue } from "@herb-tools/core"
+
+import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
+import type { ParseResult, ParserOptions, ERBContentNode, ERBBlockNode, HTMLOpenTagNode } from "@herb-tools/core"
+
+const JAVASCRIPT_HELPERS = new Set([
+  "javascript_tag",
+  "javascript_include_tag",
+  "javascript_pack_tag",
+])
+
+interface JavaScriptHelperCall {
+  name: string
+  nonce: "unknown" | "missing" | "present";
+}
+
+class JavaScriptTagHelperCallCollector extends PrismVisitor {
+  public readonly javascriptTags: JavaScriptHelperCall[] = []
+  private currentCall: JavaScriptHelperCall | null = null
+
+  visitCallNode(node: PrismNodes.CallNode): void {
+    const isJavaScriptHelper = JAVASCRIPT_HELPERS.has(node.name) || this.isTagScriptCall(node)
+
+    if (isJavaScriptHelper) {
+      this.currentCall = { name: node.name, nonce: "unknown" }
+      this.javascriptTags.push(this.currentCall)
+    }
+
+    super.visitCallNode(node)
+
+    if (isJavaScriptHelper && this.currentCall) {
+      if (this.currentCall.nonce === "unknown") {
+        this.currentCall.nonce = "missing"
+      }
+
+      this.currentCall = null
+    }
+  }
+
+  visitAssocNode(node: PrismNodes.AssocNode): void {
+    if (this.currentCall &&
+        node.key.constructor.name === "SymbolNode" &&
+        (node.key as PrismNodes.SymbolNode).unescaped.value === "nonce") {
+      this.currentCall.nonce = "present"
+    }
+
+    super.visitAssocNode(node)
+  }
+
+  private isTagScriptCall(node: PrismNodes.CallNode): boolean {
+    return node.name === "script" &&
+      node.receiver !== null &&
+      node.receiver.constructor.name === "CallNode" &&
+      (node.receiver as PrismNodes.CallNode).name === "tag"
+  }
+}
+
+class RequireScriptNonceVisitor extends BaseRuleVisitor {
+  visitHTMLOpenTagNode(node: HTMLOpenTagNode): void {
+    if (getTagLocalName(node) === "script") {
+      this.checkScriptNonce(node)
+    }
+  }
+
+  visitERBContentNode(node: ERBContentNode): void {
+    this.checkPrismNode(node)
+  }
+
+  visitERBBlockNode(node: ERBBlockNode): void {
+    this.checkPrismNode(node)
+
+    super.visitERBBlockNode(node)
+  }
+
+  private checkScriptNonce(node: HTMLOpenTagNode): void {
+    if (!this.isJavaScriptTag(node)) return
+
+    const nonceAttribute = getAttribute(node, "nonce")
+
+    if (!nonceAttribute || !hasAttributeValue(nonceAttribute)) {
+      this.addOffense(
+        "Missing a `nonce` attribute on `<script>` tag. Use `request.content_security_policy_nonce`.",
+        node.tag_name!.location,
+      )
+    }
+  }
+
+  private isJavaScriptTag(node: HTMLOpenTagNode): boolean {
+    const typeAttribute = getAttribute(node, "type")
+    if (!typeAttribute) return true
+
+    const typeValue = getStaticAttributeValue(typeAttribute)
+    if (typeValue === null) return true
+
+    return typeValue === "text/javascript" || typeValue === "application/javascript"
+  }
+
+  private checkPrismNode(node: ERBContentNode | ERBBlockNode): void {
+    const prismNode = node.prismNode
+    if (!prismNode) return
+
+    const collector = new JavaScriptTagHelperCallCollector()
+    collector.visit(prismNode)
+
+    collector.javascriptTags
+      .filter(call => call.nonce === "missing")
+      .forEach(() => {
+        this.addOffense(
+          "Missing a `nonce` attribute. Use `nonce: true`.",
+          node.location,
+        )
+      })
+    }
+  }
+
+export class ERBRequireScriptNonceRule extends ParserRule {
+  static ruleName = "erb-require-script-nonce"
+
+  get defaultConfig(): FullRuleConfig {
+    return {
+      enabled: true,
+      severity: "warning"
+    }
+  }
+
+  get parserOptions(): Partial<ParserOptions> {
+    return {
+      prism_nodes: true,
+    }
+  }
+
+  check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
+    const visitor = new RequireScriptNonceVisitor(this.ruleName, context)
+
+    visitor.visit(result.value)
+
+    return visitor.offenses
+  }
+}
diff --git a/javascript/packages/linter/src/rules/index.ts b/javascript/packages/linter/src/rules/index.ts
@@ -5,38 +5,39 @@ export * from "./herb-disable-comment-base.js"
 
 export * from "./erb-comment-syntax.js"
 export * from "./erb-no-case-node-children.js"
-export * from "./erb-no-inline-case-conditions.js"
 export * from "./erb-no-conditional-open-tag.js"
 export * from "./erb-no-duplicate-branch-elements.js"
 export * from "./erb-no-empty-tags.js"
 export * from "./erb-no-extra-newline.js"
 export * from "./erb-no-extra-whitespace-inside-tags.js"
-export * from "./erb-no-output-control-flow.js"
-export * from "./erb-no-then-in-control-flow.js"
-export * from "./erb-no-silent-tag-in-attribute-name.js"
-export * from "./erb-no-trailing-whitespace.js"
-export * from "./erb-prefer-image-tag-helper.js"
-export * from "./erb-require-trailing-newline.js"
-export * from "./erb-require-whitespace-inside-tags.js"
+export * from "./erb-no-inline-case-conditions.js"
+export * from "./erb-no-instance-variables-in-partials.js"
 export * from "./erb-no-javascript-tag-helper.js"
+export * from "./erb-no-output-control-flow.js"
+export * from "./erb-no-output-in-attribute-name.js"
+export * from "./erb-no-output-in-attribute-position.js"
 export * from "./erb-no-raw-output-in-attribute-value.js"
+export * from "./erb-no-silent-tag-in-attribute-name.js"
 export * from "./erb-no-statement-in-script.js"
+export * from "./erb-no-then-in-control-flow.js"
+export * from "./erb-no-trailing-whitespace.js"
 export * from "./erb-no-unsafe-js-attribute.js"
 export * from "./erb-no-unsafe-raw.js"
 export * from "./erb-no-unsafe-script-interpolation.js"
+export * from "./erb-prefer-image-tag-helper.js"
+export * from "./erb-require-script-nonce.js"
+export * from "./erb-require-trailing-newline.js"
+export * from "./erb-require-whitespace-inside-tags.js"
 export * from "./erb-right-trim.js"
-export * from "./erb-no-output-in-attribute-position.js"
-export * from "./erb-no-output-in-attribute-name.js"
-export * from "./erb-no-instance-variables-in-partials.js"
 export * from "./erb-strict-locals-comment-syntax.js"
 export * from "./erb-strict-locals-required.js"
 
-export * from "./herb-disable-comment-valid-rule-name.js"
-export * from "./herb-disable-comment-no-redundant-all.js"
-export * from "./herb-disable-comment-no-duplicate-rules.js"
-export * from "./herb-disable-comment-missing-rules.js"
 export * from "./herb-disable-comment-malformed.js"
+export * from "./herb-disable-comment-missing-rules.js"
+export * from "./herb-disable-comment-no-duplicate-rules.js"
+export * from "./herb-disable-comment-no-redundant-all.js"
 export * from "./herb-disable-comment-unnecessary.js"
+export * from "./herb-disable-comment-valid-rule-name.js"
 
 export * from "./html-allowed-script-type.js"
 export * from "./html-anchor-require-href.js"
@@ -49,8 +50,8 @@ export * from "./html-attribute-equals-spacing.js"
 export * from "./html-attribute-values-require-quotes.js"
 export * from "./html-avoid-both-disabled-and-aria-disabled.js"
 export * from "./html-body-only-elements.js"
-export * from "./html-details-has-summary.js"
 export * from "./html-boolean-attributes-no-value.js"
+export * from "./html-details-has-summary.js"
 export * from "./html-head-only-elements.js"
 export * from "./html-iframe-has-title.js"
 export * from "./html-img-require-alt.js"
diff --git a/javascript/packages/linter/test/__snapshots__/cli.test.ts.snap b/javascript/packages/linter/test/__snapshots__/cli.test.ts.snap
diff --git a/javascript/packages/linter/test/rules/erb-require-script-nonce.test.ts b/javascript/packages/linter/test/rules/erb-require-script-nonce.test.ts
