UNPKG

eslint/lib/rules/no-implied-eval.js

Version:

6.11 kBJavaScriptView Raw

1/**
* @fileoverview Rule to flag use of implied eval via setTimeout and setInterval
* @author James Allardice
*/
5
6"use strict";
7
8//------------------------------------------------------------------------------
9// Rule Definition
10//------------------------------------------------------------------------------
11
12module.exports = {
  meta: {
      docs: {
          description: "disallow the use of `eval()`-like methods",
          category: "Best Practices",
          recommended: false,
          url: "https://eslint.org/docs/rules/no-implied-eval"
      },
20
      schema: []
  },
23
  create(context) {
      const CALLEE_RE = /^(setTimeout|setInterval|execScript)$/;
26
      /*
       * Figures out if we should inspect a given binary expression. Is a stack
       * of stacks, where the first element in each substack is a CallExpression.
       */
      const impliedEvalAncestorsStack = [];
32
      //--------------------------------------------------------------------------
      // Helpers
      //--------------------------------------------------------------------------
36
      /**
       * Get the last element of an array, without modifying arr, like pop(), but non-destructive.
       * @param {array} arr What to inspect
       * @returns {*} The last element of arr
       * @private
       */
      function last(arr) {
          return arr ? arr[arr.length - 1] : null;
      }
46
      /**
       * Checks if the given MemberExpression node is a potentially implied eval identifier on window.
       * @param {ASTNode} node The MemberExpression node to check.
       * @returns {boolean} Whether or not the given node is potentially an implied eval.
       * @private
       */
      function isImpliedEvalMemberExpression(node) {
          const object = node.object,
              property = node.property,
              hasImpliedEvalName = CALLEE_RE.test(property.name) || CALLEE_RE.test(property.value);
57
          return object.name === "window" && hasImpliedEvalName;
      }
60
      /**
       * Determines if a node represents a call to a potentially implied eval.
       *
       * This checks the callee name and that there's an argument, but not the type of the argument.
       *
       * @param {ASTNode} node The CallExpression to check.
       * @returns {boolean} True if the node matches, false if not.
       * @private
       */
      function isImpliedEvalCallExpression(node) {
          const isMemberExpression = (node.callee.type === "MemberExpression"),
              isIdentifier = (node.callee.type === "Identifier"),
              isImpliedEvalCallee =
                  (isIdentifier && CALLEE_RE.test(node.callee.name)) ||
                  (isMemberExpression && isImpliedEvalMemberExpression(node.callee));
76
          return isImpliedEvalCallee && node.arguments.length;
      }
79
      /**
       * Checks that the parent is a direct descendent of an potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.
       * @param {ASTNode} node The node to inspect the parent of.
       * @returns {boolean} Was the parent a direct descendent, and is the child therefore potentially part of a dangerous argument?
       * @private
       */
      function hasImpliedEvalParent(node) {
87
          // make sure our parent is marked
          return node.parent === last(last(impliedEvalAncestorsStack)) &&
90
              // if our parent is a CallExpression, make sure we're the first argument
              (node.parent.type !== "CallExpression" || node === node.parent.arguments[0]);
      }
94
      /**
       * Checks if our parent is marked as part of an implied eval argument. If
       * so, collapses the top of impliedEvalAncestorsStack and reports on the
       * original CallExpression.
       * @param {ASTNode} node The CallExpression to check.
       * @returns {boolean} True if the node matches, false if not.
       * @private
       */
      function checkString(node) {
          if (hasImpliedEvalParent(node)) {
105
              // remove the entire substack, to avoid duplicate reports
              const substack = impliedEvalAncestorsStack.pop();
108
              context.report({ node: substack[0], message: "Implied eval. Consider passing a function instead of a string." });
          }
      }
112
      //--------------------------------------------------------------------------
      // Public
      //--------------------------------------------------------------------------
116
      return {
          CallExpression(node) {
              if (isImpliedEvalCallExpression(node)) {
120
                  // call expressions create a new substack
                  impliedEvalAncestorsStack.push([node]);
              }
          },
125
          "CallExpression:exit"(node) {
              if (node === last(last(impliedEvalAncestorsStack))) {
128
                  /*
                   * Destroys the entire sub-stack, rather than just using
                   * last(impliedEvalAncestorsStack).pop(), as a CallExpression is
                   * always the bottom of a impliedEvalAncestorsStack substack.
                   */
                  impliedEvalAncestorsStack.pop();
              }
          },
137
          BinaryExpression(node) {
              if (node.operator === "+" && hasImpliedEvalParent(node)) {
                  last(impliedEvalAncestorsStack).push(node);
              }
          },
143
          "BinaryExpression:exit"(node) {
              if (node === last(last(impliedEvalAncestorsStack))) {
                  last(impliedEvalAncestorsStack).pop();
              }
          },
149
          Literal(node) {
              if (typeof node.value === "string") {
                  checkString(node);
              }
          },
155
          TemplateLiteral(node) {
              checkString(node);
          }
      };
160
  }
162};

1	`/**`
2	`* @fileoverview Rule to flag use of implied eval via setTimeout and setInterval`
3	`* @author James Allardice`
4	`*/`
5
6	`"use strict";`
7
8	`//------------------------------------------------------------------------------`
9	`// Rule Definition`
10	`//------------------------------------------------------------------------------`
11
12	`module.exports = {`
13	`meta: {`
14	`docs: {`
15	description: "disallow the use of `eval()`-like methods",
16	`category: "Best Practices",`
17	`recommended: false,`
18	`url: "https://eslint.org/docs/rules/no-implied-eval"`
19	`},`
20
21	`schema: []`
22	`},`
23
24	`create(context) {`
25	`const CALLEE_RE = /^(setTimeout\|setInterval\|execScript)$/;`
26
27	`/*`
28	`* Figures out if we should inspect a given binary expression. Is a stack`
29	`* of stacks, where the first element in each substack is a CallExpression.`
30	`*/`
31	`const impliedEvalAncestorsStack = [];`
32
33	`//--------------------------------------------------------------------------`
34	`// Helpers`
35	`//--------------------------------------------------------------------------`
36
37	`/**`
38	`* Get the last element of an array, without modifying arr, like pop(), but non-destructive.`
39	`* @param {array} arr What to inspect`
40	`* @returns {*} The last element of arr`
41	`* @private`
42	`*/`
43	`function last(arr) {`
44	`return arr ? arr[arr.length - 1] : null;`
45	`}`
46
47	`/**`
48	`* Checks if the given MemberExpression node is a potentially implied eval identifier on window.`
49	`* @param {ASTNode} node The MemberExpression node to check.`
50	`* @returns {boolean} Whether or not the given node is potentially an implied eval.`
51	`* @private`
52	`*/`
53	`function isImpliedEvalMemberExpression(node) {`
54	`const object = node.object,`
55	`property = node.property,`
56	`hasImpliedEvalName = CALLEE_RE.test(property.name) \|\| CALLEE_RE.test(property.value);`
57
58	`return object.name === "window" && hasImpliedEvalName;`
59	`}`
60
61	`/**`
62	`* Determines if a node represents a call to a potentially implied eval.`
63	`*`
64	`* This checks the callee name and that there's an argument, but not the type of the argument.`
65	`*`
66	`* @param {ASTNode} node The CallExpression to check.`
67	`* @returns {boolean} True if the node matches, false if not.`
68	`* @private`
69	`*/`
70	`function isImpliedEvalCallExpression(node) {`
71	`const isMemberExpression = (node.callee.type === "MemberExpression"),`
72	`isIdentifier = (node.callee.type === "Identifier"),`
73	`isImpliedEvalCallee =`
74	`(isIdentifier && CALLEE_RE.test(node.callee.name)) \|\|`
75	`(isMemberExpression && isImpliedEvalMemberExpression(node.callee));`
76
77	`return isImpliedEvalCallee && node.arguments.length;`
78	`}`
79
80	`/**`
81	`* Checks that the parent is a direct descendent of an potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.`
82	`* @param {ASTNode} node The node to inspect the parent of.`
83	`* @returns {boolean} Was the parent a direct descendent, and is the child therefore potentially part of a dangerous argument?`
84	`* @private`
85	`*/`
86	`function hasImpliedEvalParent(node) {`
87
88	`// make sure our parent is marked`
89	`return node.parent === last(last(impliedEvalAncestorsStack)) &&`
90
91	`// if our parent is a CallExpression, make sure we're the first argument`
92	`(node.parent.type !== "CallExpression" \|\| node === node.parent.arguments[0]);`
93	`}`
94
95	`/**`
96	`* Checks if our parent is marked as part of an implied eval argument. If`
97	`* so, collapses the top of impliedEvalAncestorsStack and reports on the`
98	`* original CallExpression.`
99	`* @param {ASTNode} node The CallExpression to check.`
100	`* @returns {boolean} True if the node matches, false if not.`
101	`* @private`
102	`*/`
103	`function checkString(node) {`
104	`if (hasImpliedEvalParent(node)) {`
105
106	`// remove the entire substack, to avoid duplicate reports`
107	`const substack = impliedEvalAncestorsStack.pop();`
108
109	`context.report({ node: substack[0], message: "Implied eval. Consider passing a function instead of a string." });`
110	`}`
111	`}`
112
113	`//--------------------------------------------------------------------------`
114	`// Public`
115	`//--------------------------------------------------------------------------`
116
117	`return {`
118	`CallExpression(node) {`
119	`if (isImpliedEvalCallExpression(node)) {`
120
121	`// call expressions create a new substack`
122	`impliedEvalAncestorsStack.push([node]);`
123	`}`
124	`},`
125
126	`"CallExpression:exit"(node) {`
127	`if (node === last(last(impliedEvalAncestorsStack))) {`
128
129	`/*`
130	`* Destroys the entire sub-stack, rather than just using`
131	`* last(impliedEvalAncestorsStack).pop(), as a CallExpression is`
132	`* always the bottom of a impliedEvalAncestorsStack substack.`
133	`*/`
134	`impliedEvalAncestorsStack.pop();`
135	`}`
136	`},`
137
138	`BinaryExpression(node) {`
139	`if (node.operator === "+" && hasImpliedEvalParent(node)) {`
140	`last(impliedEvalAncestorsStack).push(node);`
141	`}`
142	`},`
143
144	`"BinaryExpression:exit"(node) {`
145	`if (node === last(last(impliedEvalAncestorsStack))) {`
146	`last(impliedEvalAncestorsStack).pop();`
147	`}`
148	`},`
149
150	`Literal(node) {`
151	`if (typeof node.value === "string") {`
152	`checkString(node);`
153	`}`
154	`},`
155
156	`TemplateLiteral(node) {`
157	`checkString(node);`
158	`}`
159	`};`
160
161	`}`
162	`};`