1 | /**
|
2 | * @fileoverview Rule to flag use of eval() statement
|
3 | * @author Nicholas C. Zakas
|
4 | */
|
5 |
|
6 | ;
|
7 |
|
8 | //------------------------------------------------------------------------------
|
9 | // Requirements
|
10 | //------------------------------------------------------------------------------
|
11 |
|
12 | const astUtils = require("../ast-utils");
|
13 |
|
14 | //------------------------------------------------------------------------------
|
15 | // Helpers
|
16 | //------------------------------------------------------------------------------
|
17 |
|
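/*
 * Names under which code can reach the global object and call `eval`
 * through it: `window.eval(code)`, `global["eval"](code)`,
 * `globalThis.eval(code)`. `globalThis` is the standard (ES2020) name for
 * the global object and was missing here, so `globalThis.eval(code)` went
 * unreported. Each name is only matched when it resolves to a variable in
 * the global scope (see the `getVariableByName` lookup below); an
 * undeclared name is simply skipped, so adding a name never produces a
 * report on its own.
 */
const candidatesOfGlobalObject = Object.freeze([
    "global",
    "globalThis",
    "window"
]);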
|
22 |
|
/**
 * Tells whether `node` is an `Identifier` whose name is exactly `name`.
 *
 * @param {ASTNode} node - The node to inspect.
 * @param {string} name - The identifier name to match.
 * @returns {boolean} `true` when `node` is an Identifier named `name`.
 */
function isIdentifier(node, name) {
    if (node.type !== "Identifier") {
        return false;
    }
    return node.name === name;
}
|
33 |
|
/**
 * Tells whether `node` is a constant string expression equal to `name`:
 * either a `Literal` with that value or a `TemplateLiteral` with no
 * substitutions whose single cooked text is that value. This is what makes
 * computed accesses such as `obj["eval"]` and `obj[`eval`]` recognisable.
 *
 * @param {ASTNode} node - The node to inspect.
 * @param {string} name - The string value to match.
 * @returns {boolean} `true` when `node` is a constant equal to `name`.
 */
function isConstant(node, name) {
    if (node.type === "Literal") {
        return node.value === name;
    }

    if (node.type === "TemplateLiteral") {
        // A template with substitutions is not a constant, so only the
        // no-expression case is compared (it then has exactly one quasi).
        const hasNoSubstitutions = node.expressions.length === 0;

        return hasNoSubstitutions && node.quasis[0].value.cooked === name;
    }

    return false;
}
|
56 |
|
/**
 * Tells whether `node` is a `MemberExpression` whose property is `name`.
 *
 * Both spellings are covered: the non-computed `obj.name` (property is an
 * Identifier) and the computed `obj["name"]` / `obj[`name`]` (property is a
 * constant string).
 *
 * @param {ASTNode} node - The node to inspect.
 * @param {string} name - The property name to match.
 * @returns {boolean} `true` when `node` is a member access of `name`.
 */
function isMember(node, name) {
    if (node.type !== "MemberExpression") {
        return false;
    }

    const matchesProperty = node.computed ? isConstant : isIdentifier;

    return matchesProperty(node.property, name);
}
|
72 |
|
73 | //------------------------------------------------------------------------------
|
74 | // Rule Definition
|
75 | //------------------------------------------------------------------------------
|
76 |
|
module.exports = {
    meta: {
        docs: {
            description: "disallow the use of `eval()`",
            category: "Best Practices",
            recommended: false,
            url: "https://eslint.org/docs/rules/no-eval"
        },

        schema: [
            {
                type: "object",
                properties: {
                    allowIndirect: { type: "boolean" }
                },
                additionalProperties: false
            }
        ],

        messages: {
            unexpected: "eval can be harmful."
        }
    },

    create(context) {
        const [firstOption] = context.options;
        const allowIndirect = Boolean(firstOption && firstOption.allowIndirect);
        const sourceCode = context.getSourceCode();

        /*
         * Stack of variable scopes (the Program and every function), linked
         * through `upper`. Each record carries whether the scope is strict
         * and, lazily, whether `this` in it is the default binding; the
         * `ThisExpression` handler reads it to judge `this.eval`.
         */
        let funcInfo = null;

        /**
         * Pushes a scope record for `node` onto the stack.
         *
         * A strict scope is marked `initialized` immediately: the
         * `ThisExpression` handler never reports inside a strict scope, so
         * its `defaultThis` is never needed.
         *
         * @param {ASTNode} node - A Program, FunctionDeclaration,
         *      FunctionExpression or ArrowFunctionExpression node.
         * @returns {void}
         */
        function enterVarScope(node) {
            const isStrict = context.getScope().isStrict;

            funcInfo = {
                upper: funcInfo,
                node,
                strict: isStrict,
                defaultThis: false,
                initialized: isStrict
            };
        }

        /**
         * Pops the innermost scope record.
         *
         * @returns {void}
         */
        function exitVarScope() {
            funcInfo = funcInfo.upper;
        }

        /**
         * Reports a reference to `eval`.
         *
         * `node` is either the `eval` Identifier or a MemberExpression whose
         * property is `eval`. When `node` is the callee of a call, the whole
         * CallExpression is reported; otherwise `node` itself is. The
         * location always points at the `eval` identifier (or literal).
         *
         * @param {ASTNode} node - Identifier or MemberExpression to report.
         * @returns {void}
         */
        function report(node) {
            const { parent } = node;
            const isCallee = parent.type === "CallExpression" && parent.callee === node;
            const locationNode = node.type === "MemberExpression" ? node.property : node;

            context.report({
                node: isCallee ? parent : node,
                loc: locationNode.loc.start,
                messageId: "unexpected"
            });
        }

        /**
         * Reports `eval` reached through a known name of the global object,
         * e.g. `window.eval(code)`, `global["eval"]` or `window.window.eval`.
         *
         * @param {eslint-scope.Scope} globalScope - The global scope.
         * @returns {void}
         */
        function reportAccessingEvalViaGlobalObject(globalScope) {
            for (const name of candidatesOfGlobalObject) {
                const variable = astUtils.getVariableByName(globalScope, name);

                // A name that does not resolve in the global scope is skipped.
                if (!variable) {
                    continue;
                }

                for (const reference of variable.references) {
                    let node = reference.identifier.parent;

                    // Step over self-references such as `window.window`.
                    while (isMember(node, name)) {
                        node = node.parent;
                    }

                    if (isMember(node, "eval")) {
                        report(node);
                    }
                }
            }
        }

        /**
         * Reports every reference to the global `eval` binding in which
         * `eval` is not itself the callee. Direct calls (`eval(code)`) are
         * reported by the `CallExpression:exit` handler; everything else,
         * such as `const e = eval;` or passing `eval` as an argument, is
         * caught here.
         *
         * @param {eslint-scope.Scope} globalScope - The global scope.
         * @returns {void}
         */
        function reportAccessingEval(globalScope) {
            const variable = astUtils.getVariableByName(globalScope, "eval");

            if (!variable) {
                return;
            }

            for (const { identifier } of variable.references) {
                if (identifier.name === "eval" && !astUtils.isCallee(identifier)) {
                    report(identifier);
                }
            }
        }

        /**
         * Reports a direct call whose callee is the bare identifier `eval`.
         *
         * @param {ASTNode} node - A CallExpression node.
         * @returns {void}
         */
        function checkDirectCall(node) {
            const { callee } = node;

            if (isIdentifier(callee, "eval")) {
                report(callee);
            }
        }

        if (allowIndirect) {

            /*
             * With `allowIndirect: true` only direct calls are reported.
             * Indirect forms (`window.eval(code)`, `this.eval`, aliases of
             * `eval`) are deliberately left unreported in this mode.
             */
            return {
                "CallExpression:exit": checkDirectCall
            };
        }

        return {
            "CallExpression:exit": checkDirectCall,

            Program(node) {
                const scope = context.getScope();
                const features = context.parserOptions.ecmaFeatures || {};

                /*
                 * The top level counts as strict when its scope is strict,
                 * when the source is an ES module, or, with `globalReturn`
                 * enabled, when the first child scope is strict.
                 */
                const strict =
                    scope.isStrict ||
                    node.sourceType === "module" ||
                    (features.globalReturn && scope.childScopes[0].isStrict);

                funcInfo = {
                    upper: null,
                    node,
                    strict,
                    defaultThis: true,
                    initialized: true
                };
            },

            "Program:exit"() {
                const globalScope = context.getScope();

                exitVarScope();
                reportAccessingEval(globalScope);
                reportAccessingEvalViaGlobalObject(globalScope);
            },

            FunctionDeclaration: enterVarScope,
            "FunctionDeclaration:exit": exitVarScope,
            FunctionExpression: enterVarScope,
            "FunctionExpression:exit": exitVarScope,
            ArrowFunctionExpression: enterVarScope,
            "ArrowFunctionExpression:exit": exitVarScope,

            ThisExpression(node) {

                // Only `this.eval` / `this["eval"]` is of interest.
                if (!isMember(node.parent, "eval")) {
                    return;
                }

                /*
                 * Decide once per scope, on the first `this.eval` seen in it,
                 * whether `this` is the default binding of the enclosing
                 * function.
                 */
                if (!funcInfo.initialized) {
                    funcInfo.initialized = true;
                    funcInfo.defaultThis = astUtils.isDefaultThisBinding(
                        funcInfo.node,
                        sourceCode
                    );
                }

                /*
                 * In a non-strict scope with a default `this` binding,
                 * `this` may be the global object, so `this.eval` is a
                 * possible reference to the built-in `eval`.
                 */
                if (!funcInfo.strict && funcInfo.defaultThis) {
                    report(node.parent);
                }
            }
        };
    }
};
|