| 1 | /**
|
| 2 | * @fileoverview Rule to flag use of implied eval via setTimeout and setInterval
|
| 3 | * @author James Allardice
|
| 4 | * @copyright 2015 Mathias Schreck. All rights reserved.
|
| 5 | * @copyright 2013 James Allardice. All rights reserved.
|
| 6 | */
|
| 7 |
|
| 8 | ;
|
| 9 |
|
| 10 | //------------------------------------------------------------------------------
|
| 11 | // Rule Definition
|
| 12 | //------------------------------------------------------------------------------
|
| 13 |
|
| 14 | module.exports = function(context) {
|
| 15 | var CALLEE_RE = /set(?:Timeout|Interval)|execScript/;
|
| 16 |
|
| 17 | // Figures out if we should inspect a given binary expression. Is a stack of
|
| 18 | // stacks, where the first element in each substack is a CallExpression.
|
| 19 | var impliedEvalAncestorsStack = [];
|
| 20 |
|
| 21 | //--------------------------------------------------------------------------
|
| 22 | // Helpers
|
| 23 | //--------------------------------------------------------------------------
|
| 24 |
|
| 25 | /**
|
| 26 | * Get the last element of an array, without modifying arr, like pop(), but non-destructive.
|
| 27 | * @param {array} arr What to inspect
|
| 28 | * @returns {*} The last element of arr
|
| 29 | * @private
|
| 30 | */
|
| 31 | function last(arr) {
|
| 32 | return arr ? arr[arr.length - 1] : null;
|
| 33 | }
|
| 34 |
|
| 35 | /**
|
| 36 | * Checks if the given MemberExpression node is a potentially implied eval identifier on window.
|
| 37 | * @param {ASTNode} node The MemberExpression node to check.
|
| 38 | * @returns {boolean} Whether or not the given node is potentially an implied eval.
|
| 39 | * @private
|
| 40 | */
|
| 41 | function isImpliedEvalMemberExpression(node) {
|
| 42 | var object = node.object,
|
| 43 | property = node.property,
|
| 44 | hasImpliedEvalName = CALLEE_RE.test(property.name) || CALLEE_RE.test(property.value);
|
| 45 |
|
| 46 | return object.name === "window" && hasImpliedEvalName;
|
| 47 | }
|
| 48 |
|
| 49 | /**
|
| 50 | * Determines if a node represents a call to a potentially implied eval.
|
| 51 | *
|
| 52 | * This checks the callee name and that there's an argument, but not the type of the argument.
|
| 53 | *
|
| 54 | * @param {ASTNode} node The CallExpression to check.
|
| 55 | * @returns {boolean} True if the node matches, false if not.
|
| 56 | * @private
|
| 57 | */
|
| 58 | function isImpliedEvalCallExpression(node) {
|
| 59 | var isMemberExpression = (node.callee.type === "MemberExpression"),
|
| 60 | isIdentifier = (node.callee.type === "Identifier"),
|
| 61 | isImpliedEvalCallee =
|
| 62 | (isIdentifier && CALLEE_RE.test(node.callee.name)) ||
|
| 63 | (isMemberExpression && isImpliedEvalMemberExpression(node.callee));
|
| 64 |
|
| 65 | return isImpliedEvalCallee && node.arguments.length;
|
| 66 | }
|
| 67 |
|
| 68 | /**
|
| 69 | * Checks that the parent is a direct descendent of an potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.
|
| 70 | * @param {ASTNode} node The node to inspect the parent of.
|
| 71 | * @returns {boolean} Was the parent a direct descendent, and is the child therefore potentially part of a dangerous argument?
|
| 72 | * @private
|
| 73 | */
|
| 74 | function hasImpliedEvalParent(node) {
|
| 75 | // make sure our parent is marked
|
| 76 | return node.parent === last(last(impliedEvalAncestorsStack)) &&
|
| 77 | // if our parent is a CallExpression, make sure we're the first argument
|
| 78 | (node.parent.type !== "CallExpression" || node === node.parent.arguments[0]);
|
| 79 | }
|
| 80 |
|
| 81 | /**
|
| 82 | * Checks if our parent is marked as part of an implied eval argument. If
|
| 83 | * so, collapses the top of impliedEvalAncestorsStack and reports on the
|
| 84 | * original CallExpression.
|
| 85 | * @param {ASTNode} node The CallExpression to check.
|
| 86 | * @returns {boolean} True if the node matches, false if not.
|
| 87 | * @private
|
| 88 | */
|
| 89 | function checkString(node) {
|
| 90 | if (hasImpliedEvalParent(node)) {
|
| 91 | // remove the entire substack, to avoid duplicate reports
|
| 92 | var substack = impliedEvalAncestorsStack.pop();
|
| 93 | context.report(substack[0], "Implied eval. Consider passing a function instead of a string.");
|
| 94 | }
|
| 95 | }
|
| 96 |
|
| 97 | //--------------------------------------------------------------------------
|
| 98 | // Public
|
| 99 | //--------------------------------------------------------------------------
|
| 100 |
|
| 101 | return {
|
| 102 | "CallExpression": function(node) {
|
| 103 | if (isImpliedEvalCallExpression(node)) {
|
| 104 | // call expressions create a new substack
|
| 105 | impliedEvalAncestorsStack.push([node]);
|
| 106 | }
|
| 107 | },
|
| 108 |
|
| 109 | "CallExpression:exit": function(node) {
|
| 110 | if (node === last(last(impliedEvalAncestorsStack))) {
|
| 111 | // destroys the entire sub-stack, rather than just using
|
| 112 | // last(impliedEvalAncestorsStack).pop(), as a CallExpression is
|
| 113 | // always the bottom of a impliedEvalAncestorsStack substack.
|
| 114 | impliedEvalAncestorsStack.pop();
|
| 115 | }
|
| 116 | },
|
| 117 |
|
| 118 | "BinaryExpression": function(node) {
|
| 119 | if (node.operator === "+" && hasImpliedEvalParent(node)) {
|
| 120 | last(impliedEvalAncestorsStack).push(node);
|
| 121 | }
|
| 122 | },
|
| 123 |
|
| 124 | "BinaryExpression:exit": function(node) {
|
| 125 | if (node === last(last(impliedEvalAncestorsStack))) {
|
| 126 | last(impliedEvalAncestorsStack).pop();
|
| 127 | }
|
| 128 | },
|
| 129 |
|
| 130 | "Literal": function(node) {
|
| 131 | if (typeof node.value === "string") {
|
| 132 | checkString(node);
|
| 133 | }
|
| 134 | },
|
| 135 |
|
| 136 | "TemplateLiteral": function(node) {
|
| 137 | checkString(node);
|
| 138 | }
|
| 139 | };
|
| 140 |
|
| 141 | };
|
| 142 |
|
| 143 | module.exports.schema = [];
|