UNPKG

eslint/lib/rules/no-eval.js

Version:

9.36 kBJavaScriptView Raw

1/**
* @fileoverview Rule to flag use of eval() statement
* @author Nicholas C. Zakas
*/
5
6"use strict";
7
8//------------------------------------------------------------------------------
9// Requirements
10//------------------------------------------------------------------------------
11
12const astUtils = require("../ast-utils");
13
14//------------------------------------------------------------------------------
15// Helpers
16//------------------------------------------------------------------------------
17
18const candidatesOfGlobalObject = Object.freeze([
  "global",
  "window"
21]);
22
23/**
* Checks a given node is a Identifier node of the specified name.
*
* @param {ASTNode} node - A node to check.
* @param {string} name - A name to check.
* @returns {boolean} `true` if the node is a Identifier node of the name.
*/
30function isIdentifier(node, name) {
  return node.type === "Identifier" && node.name === name;
32}
33
34/**
* Checks a given node is a Literal node of the specified string value.
*
* @param {ASTNode} node - A node to check.
* @param {string} name - A name to check.
* @returns {boolean} `true` if the node is a Literal node of the name.
*/
41function isConstant(node, name) {
  switch (node.type) {
      case "Literal":
          return node.value === name;
45
      case "TemplateLiteral":
          return (
              node.expressions.length === 0 &&
              node.quasis[0].value.cooked === name
          );
51
      default:
          return false;
  }
55}
56
57/**
* Checks a given node is a MemberExpression node which has the specified name's
* property.
*
* @param {ASTNode} node - A node to check.
* @param {string} name - A name to check.
* @returns {boolean} `true` if the node is a MemberExpression node which has
*      the specified name's property
*/
66function isMember(node, name) {
  return (
      node.type === "MemberExpression" &&
      (node.computed ? isConstant : isIdentifier)(node.property, name)
  );
71}
72
73//------------------------------------------------------------------------------
74// Rule Definition
75//------------------------------------------------------------------------------
76
77module.exports = {
  meta: {
      docs: {
          description: "disallow the use of `eval()`",
          category: "Best Practices",
          recommended: false
      },
84
      schema: [
          {
              type: "object",
              properties: {
                  allowIndirect: { type: "boolean" }
              },
              additionalProperties: false
          }
      ]
  },
95
  create(context) {
      const allowIndirect = Boolean(
          context.options[0] &&
          context.options[0].allowIndirect
      );
      const sourceCode = context.getSourceCode();
      let funcInfo = null;
103
      /**
       * Pushs a variable scope (Program or Function) information to the stack.
       *
       * This is used in order to check whether or not `this` binding is a
       * reference to the global object.
       *
       * @param {ASTNode} node - A node of the scope. This is one of Program,
       *      FunctionDeclaration, FunctionExpression, and ArrowFunctionExpression.
       * @returns {void}
       */
      function enterVarScope(node) {
          const strict = context.getScope().isStrict;
116
          funcInfo = {
              upper: funcInfo,
              node,
              strict,
              defaultThis: false,
              initialized: strict
          };
      }
125
      /**
       * Pops a variable scope from the stack.
       *
       * @returns {void}
       */
      function exitVarScope() {
          funcInfo = funcInfo.upper;
      }
134
      /**
       * Reports a given node.
       *
       * `node` is `Identifier` or `MemberExpression`.
       * The parent of `node` might be `CallExpression`.
       *
       * The location of the report is always `eval` `Identifier` (or possibly
       * `Literal`). The type of the report is `CallExpression` if the parent is
       * `CallExpression`. Otherwise, it's the given node type.
       *
       * @param {ASTNode} node - A node to report.
       * @returns {void}
       */
      function report(node) {
          let locationNode = node;
          const parent = node.parent;
151
          if (node.type === "MemberExpression") {
              locationNode = node.property;
          }
          if (parent.type === "CallExpression" && parent.callee === node) {
              node = parent;
          }
158
          context.report({
              node,
              loc: locationNode.loc.start,
              message: "eval can be harmful."
          });
      }
165
      /**
       * Reports accesses of `eval` via the global object.
       *
       * @param {eslint-scope.Scope} globalScope - The global scope.
       * @returns {void}
       */
      function reportAccessingEvalViaGlobalObject(globalScope) {
          for (let i = 0; i < candidatesOfGlobalObject.length; ++i) {
              const name = candidatesOfGlobalObject[i];
              const variable = astUtils.getVariableByName(globalScope, name);
176
              if (!variable) {
                  continue;
              }
180
              const references = variable.references;
182
              for (let j = 0; j < references.length; ++j) {
                  const identifier = references[j].identifier;
                  let node = identifier.parent;
186
                  // To detect code like `window.window.eval`.
                  while (isMember(node, name)) {
                      node = node.parent;
                  }
191
                  // Reports.
                  if (isMember(node, "eval")) {
                      report(node);
                  }
              }
          }
      }
199
      /**
       * Reports all accesses of `eval` (excludes direct calls to eval).
       *
       * @param {eslint-scope.Scope} globalScope - The global scope.
       * @returns {void}
       */
      function reportAccessingEval(globalScope) {
          const variable = astUtils.getVariableByName(globalScope, "eval");
208
          if (!variable) {
              return;
          }
212
          const references = variable.references;
214
          for (let i = 0; i < references.length; ++i) {
              const reference = references[i];
              const id = reference.identifier;
218
              if (id.name === "eval" && !astUtils.isCallee(id)) {
220
                  // Is accessing to eval (excludes direct calls to eval)
                  report(id);
              }
          }
      }
226
      if (allowIndirect) {
228
          // Checks only direct calls to eval. It's simple!
          return {
              "CallExpression:exit"(node) {
                  const callee = node.callee;
233
                  if (isIdentifier(callee, "eval")) {
                      report(callee);
                  }
              }
          };
      }
240
      return {
          "CallExpression:exit"(node) {
              const callee = node.callee;
244
              if (isIdentifier(callee, "eval")) {
                  report(callee);
              }
          },
249
          Program(node) {
              const scope = context.getScope(),
                  features = context.parserOptions.ecmaFeatures || {},
                  strict =
                      scope.isStrict ||
                      node.sourceType === "module" ||
                      (features.globalReturn && scope.childScopes[0].isStrict);
257
              funcInfo = {
                  upper: null,
                  node,
                  strict,
                  defaultThis: true,
                  initialized: true
              };
          },
266
          "Program:exit"() {
              const globalScope = context.getScope();
269
              exitVarScope();
              reportAccessingEval(globalScope);
              reportAccessingEvalViaGlobalObject(globalScope);
          },
274
          FunctionDeclaration: enterVarScope,
          "FunctionDeclaration:exit": exitVarScope,
          FunctionExpression: enterVarScope,
          "FunctionExpression:exit": exitVarScope,
          ArrowFunctionExpression: enterVarScope,
          "ArrowFunctionExpression:exit": exitVarScope,
281
          ThisExpression(node) {
              if (!isMember(node.parent, "eval")) {
                  return;
              }
286
              /*
               * `this.eval` is found.
               * Checks whether or not the value of `this` is the global object.
               */
              if (!funcInfo.initialized) {
                  funcInfo.initialized = true;
                  funcInfo.defaultThis = astUtils.isDefaultThisBinding(
                      funcInfo.node,
                      sourceCode
                  );
              }
298
              if (!funcInfo.strict && funcInfo.defaultThis) {
300
                  // `this.eval` is possible built-in `eval`.
                  report(node.parent);
              }
          }
      };
306
  }
308};

1	`/**`
2	`* @fileoverview Rule to flag use of eval() statement`
3	`* @author Nicholas C. Zakas`
4	`*/`
5
6	`"use strict";`
7
8	`//------------------------------------------------------------------------------`
9	`// Requirements`
10	`//------------------------------------------------------------------------------`
11
12	`const astUtils = require("../ast-utils");`
13
14	`//------------------------------------------------------------------------------`
15	`// Helpers`
16	`//------------------------------------------------------------------------------`
17
18	`const candidatesOfGlobalObject = Object.freeze([`
19	`"global",`
20	`"window"`
21	`]);`
22
23	`/**`
24	`* Checks a given node is a Identifier node of the specified name.`
25	`*`
26	`* @param {ASTNode} node - A node to check.`
27	`* @param {string} name - A name to check.`
28	* @returns {boolean} `true` if the node is a Identifier node of the name.
29	`*/`
30	`function isIdentifier(node, name) {`
31	`return node.type === "Identifier" && node.name === name;`
32	`}`
33
34	`/**`
35	`* Checks a given node is a Literal node of the specified string value.`
36	`*`
37	`* @param {ASTNode} node - A node to check.`
38	`* @param {string} name - A name to check.`
39	* @returns {boolean} `true` if the node is a Literal node of the name.
40	`*/`
41	`function isConstant(node, name) {`
42	`switch (node.type) {`
43	`case "Literal":`
44	`return node.value === name;`
45
46	`case "TemplateLiteral":`
47	`return (`
48	`node.expressions.length === 0 &&`
49	`node.quasis[0].value.cooked === name`
50	`);`
51
52	`default:`
53	`return false;`
54	`}`
55	`}`
56
57	`/**`
58	`* Checks a given node is a MemberExpression node which has the specified name's`
59	`* property.`
60	`*`
61	`* @param {ASTNode} node - A node to check.`
62	`* @param {string} name - A name to check.`
63	* @returns {boolean} `true` if the node is a MemberExpression node which has
64	`* the specified name's property`
65	`*/`
66	`function isMember(node, name) {`
67	`return (`
68	`node.type === "MemberExpression" &&`
69	`(node.computed ? isConstant : isIdentifier)(node.property, name)`
70	`);`
71	`}`
72
73	`//------------------------------------------------------------------------------`
74	`// Rule Definition`
75	`//------------------------------------------------------------------------------`
76
77	`module.exports = {`
78	`meta: {`
79	`docs: {`
80	description: "disallow the use of `eval()`",
81	`category: "Best Practices",`
82	`recommended: false`
83	`},`
84
85	`schema: [`
86	`{`
87	`type: "object",`
88	`properties: {`
89	`allowIndirect: { type: "boolean" }`
90	`},`
91	`additionalProperties: false`
92	`}`
93	`]`
94	`},`
95
96	`create(context) {`
97	`const allowIndirect = Boolean(`
98	`context.options[0] &&`
99	`context.options[0].allowIndirect`
100	`);`
101	`const sourceCode = context.getSourceCode();`
102	`let funcInfo = null;`
103
104	`/**`
105	`* Pushs a variable scope (Program or Function) information to the stack.`
106	`*`
107	* This is used in order to check whether or not `this` binding is a
108	`* reference to the global object.`
109	`*`
110	`* @param {ASTNode} node - A node of the scope. This is one of Program,`
111	`* FunctionDeclaration, FunctionExpression, and ArrowFunctionExpression.`
112	`* @returns {void}`
113	`*/`
114	`function enterVarScope(node) {`
115	`const strict = context.getScope().isStrict;`
116
117	`funcInfo = {`
118	`upper: funcInfo,`
119	`node,`
120	`strict,`
121	`defaultThis: false,`
122	`initialized: strict`
123	`};`
124	`}`
125
126	`/**`
127	`* Pops a variable scope from the stack.`
128	`*`
129	`* @returns {void}`
130	`*/`
131	`function exitVarScope() {`
132	`funcInfo = funcInfo.upper;`
133	`}`
134
135	`/**`
136	`* Reports a given node.`
137	`*`
138	* `node` is `Identifier` or `MemberExpression`.
139	* The parent of `node` might be `CallExpression`.
140	`*`
141	* The location of the report is always `eval` `Identifier` (or possibly
142	* `Literal`). The type of the report is `CallExpression` if the parent is
143	* `CallExpression`. Otherwise, it's the given node type.
144	`*`
145	`* @param {ASTNode} node - A node to report.`
146	`* @returns {void}`
147	`*/`
148	`function report(node) {`
149	`let locationNode = node;`
150	`const parent = node.parent;`
151
152	`if (node.type === "MemberExpression") {`
153	`locationNode = node.property;`
154	`}`
155	`if (parent.type === "CallExpression" && parent.callee === node) {`
156	`node = parent;`
157	`}`
158
159	`context.report({`
160	`node,`
161	`loc: locationNode.loc.start,`
162	`message: "eval can be harmful."`
163	`});`
164	`}`
165
166	`/**`
167	* Reports accesses of `eval` via the global object.
168	`*`
169	`* @param {eslint-scope.Scope} globalScope - The global scope.`
170	`* @returns {void}`
171	`*/`
172	`function reportAccessingEvalViaGlobalObject(globalScope) {`
173	`for (let i = 0; i < candidatesOfGlobalObject.length; ++i) {`
174	`const name = candidatesOfGlobalObject[i];`
175	`const variable = astUtils.getVariableByName(globalScope, name);`
176
177	`if (!variable) {`
178	`continue;`
179	`}`
180
181	`const references = variable.references;`
182
183	`for (let j = 0; j < references.length; ++j) {`
184	`const identifier = references[j].identifier;`
185	`let node = identifier.parent;`
186
187	// To detect code like `window.window.eval`.
188	`while (isMember(node, name)) {`
189	`node = node.parent;`
190	`}`
191
192	`// Reports.`
193	`if (isMember(node, "eval")) {`
194	`report(node);`
195	`}`
196	`}`
197	`}`
198	`}`
199
200	`/**`
201	* Reports all accesses of `eval` (excludes direct calls to eval).
202	`*`
203	`* @param {eslint-scope.Scope} globalScope - The global scope.`
204	`* @returns {void}`
205	`*/`
206	`function reportAccessingEval(globalScope) {`
207	`const variable = astUtils.getVariableByName(globalScope, "eval");`
208
209	`if (!variable) {`
210	`return;`
211	`}`
212
213	`const references = variable.references;`
214
215	`for (let i = 0; i < references.length; ++i) {`
216	`const reference = references[i];`
217	`const id = reference.identifier;`
218
219	`if (id.name === "eval" && !astUtils.isCallee(id)) {`
220
221	`// Is accessing to eval (excludes direct calls to eval)`
222	`report(id);`
223	`}`
224	`}`
225	`}`
226
227	`if (allowIndirect) {`
228
229	`// Checks only direct calls to eval. It's simple!`
230	`return {`
231	`"CallExpression:exit"(node) {`
232	`const callee = node.callee;`
233
234	`if (isIdentifier(callee, "eval")) {`
235	`report(callee);`
236	`}`
237	`}`
238	`};`
239	`}`
240
241	`return {`
242	`"CallExpression:exit"(node) {`
243	`const callee = node.callee;`
244
245	`if (isIdentifier(callee, "eval")) {`
246	`report(callee);`
247	`}`
248	`},`
249
250	`Program(node) {`
251	`const scope = context.getScope(),`
252	`features = context.parserOptions.ecmaFeatures \|\| {},`
253	`strict =`
254	`scope.isStrict \|\|`
255	`node.sourceType === "module" \|\|`
256	`(features.globalReturn && scope.childScopes[0].isStrict);`
257
258	`funcInfo = {`
259	`upper: null,`
260	`node,`
261	`strict,`
262	`defaultThis: true,`
263	`initialized: true`
264	`};`
265	`},`
266
267	`"Program:exit"() {`
268	`const globalScope = context.getScope();`
269
270	`exitVarScope();`
271	`reportAccessingEval(globalScope);`
272	`reportAccessingEvalViaGlobalObject(globalScope);`
273	`},`
274
275	`FunctionDeclaration: enterVarScope,`
276	`"FunctionDeclaration:exit": exitVarScope,`
277	`FunctionExpression: enterVarScope,`
278	`"FunctionExpression:exit": exitVarScope,`
279	`ArrowFunctionExpression: enterVarScope,`
280	`"ArrowFunctionExpression:exit": exitVarScope,`
281
282	`ThisExpression(node) {`
283	`if (!isMember(node.parent, "eval")) {`
284	`return;`
285	`}`
286
287	`/*`
288	* `this.eval` is found.
289	* Checks whether or not the value of `this` is the global object.
290	`*/`
291	`if (!funcInfo.initialized) {`
292	`funcInfo.initialized = true;`
293	`funcInfo.defaultThis = astUtils.isDefaultThisBinding(`
294	`funcInfo.node,`
295	`sourceCode`
296	`);`
297	`}`
298
299	`if (!funcInfo.strict && funcInfo.defaultThis) {`
300
301	// `this.eval` is possible built-in `eval`.
302	`report(node.parent);`
303	`}`
304	`}`
305	`};`
306
307	`}`
308	`};`