1 | /**
|
2 | * @fileoverview Rule to flag use of implied eval via setTimeout and setInterval
|
3 | * @author James Allardice
|
4 | */
|
5 |
|
6 | ;
|
7 |
|
8 | //------------------------------------------------------------------------------
|
9 | // Rule Definition
|
10 | //------------------------------------------------------------------------------
|
11 |
|
12 | module.exports = {
|
13 | meta: {
|
14 | docs: {
|
15 | description: "disallow the use of `eval()`-like methods",
|
16 | category: "Best Practices",
|
17 | recommended: false,
|
18 | url: "https://eslint.org/docs/rules/no-implied-eval"
|
19 | },
|
20 |
|
21 | schema: []
|
22 | },
|
23 |
|
24 | create(context) {
|
25 | const CALLEE_RE = /^(setTimeout|setInterval|execScript)$/;
|
26 |
|
27 | /*
|
28 | * Figures out if we should inspect a given binary expression. Is a stack
|
29 | * of stacks, where the first element in each substack is a CallExpression.
|
30 | */
|
31 | const impliedEvalAncestorsStack = [];
|
32 |
|
33 | //--------------------------------------------------------------------------
|
34 | // Helpers
|
35 | //--------------------------------------------------------------------------
|
36 |
|
37 | /**
|
38 | * Get the last element of an array, without modifying arr, like pop(), but non-destructive.
|
39 | * @param {array} arr What to inspect
|
40 | * @returns {*} The last element of arr
|
41 | * @private
|
42 | */
|
43 | function last(arr) {
|
44 | return arr ? arr[arr.length - 1] : null;
|
45 | }
|
46 |
|
47 | /**
|
48 | * Checks if the given MemberExpression node is a potentially implied eval identifier on window.
|
49 | * @param {ASTNode} node The MemberExpression node to check.
|
50 | * @returns {boolean} Whether or not the given node is potentially an implied eval.
|
51 | * @private
|
52 | */
|
53 | function isImpliedEvalMemberExpression(node) {
|
54 | const object = node.object,
|
55 | property = node.property,
|
56 | hasImpliedEvalName = CALLEE_RE.test(property.name) || CALLEE_RE.test(property.value);
|
57 |
|
58 | return object.name === "window" && hasImpliedEvalName;
|
59 | }
|
60 |
|
61 | /**
|
62 | * Determines if a node represents a call to a potentially implied eval.
|
63 | *
|
64 | * This checks the callee name and that there's an argument, but not the type of the argument.
|
65 | *
|
66 | * @param {ASTNode} node The CallExpression to check.
|
67 | * @returns {boolean} True if the node matches, false if not.
|
68 | * @private
|
69 | */
|
70 | function isImpliedEvalCallExpression(node) {
|
71 | const isMemberExpression = (node.callee.type === "MemberExpression"),
|
72 | isIdentifier = (node.callee.type === "Identifier"),
|
73 | isImpliedEvalCallee =
|
74 | (isIdentifier && CALLEE_RE.test(node.callee.name)) ||
|
75 | (isMemberExpression && isImpliedEvalMemberExpression(node.callee));
|
76 |
|
77 | return isImpliedEvalCallee && node.arguments.length;
|
78 | }
|
79 |
|
80 | /**
|
81 | * Checks that the parent is a direct descendent of an potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.
|
82 | * @param {ASTNode} node The node to inspect the parent of.
|
83 | * @returns {boolean} Was the parent a direct descendent, and is the child therefore potentially part of a dangerous argument?
|
84 | * @private
|
85 | */
|
86 | function hasImpliedEvalParent(node) {
|
87 |
|
88 | // make sure our parent is marked
|
89 | return node.parent === last(last(impliedEvalAncestorsStack)) &&
|
90 |
|
91 | // if our parent is a CallExpression, make sure we're the first argument
|
92 | (node.parent.type !== "CallExpression" || node === node.parent.arguments[0]);
|
93 | }
|
94 |
|
95 | /**
|
96 | * Checks if our parent is marked as part of an implied eval argument. If
|
97 | * so, collapses the top of impliedEvalAncestorsStack and reports on the
|
98 | * original CallExpression.
|
99 | * @param {ASTNode} node The CallExpression to check.
|
100 | * @returns {boolean} True if the node matches, false if not.
|
101 | * @private
|
102 | */
|
103 | function checkString(node) {
|
104 | if (hasImpliedEvalParent(node)) {
|
105 |
|
106 | // remove the entire substack, to avoid duplicate reports
|
107 | const substack = impliedEvalAncestorsStack.pop();
|
108 |
|
109 | context.report({ node: substack[0], message: "Implied eval. Consider passing a function instead of a string." });
|
110 | }
|
111 | }
|
112 |
|
113 | //--------------------------------------------------------------------------
|
114 | // Public
|
115 | //--------------------------------------------------------------------------
|
116 |
|
117 | return {
|
118 | CallExpression(node) {
|
119 | if (isImpliedEvalCallExpression(node)) {
|
120 |
|
121 | // call expressions create a new substack
|
122 | impliedEvalAncestorsStack.push([node]);
|
123 | }
|
124 | },
|
125 |
|
126 | "CallExpression:exit"(node) {
|
127 | if (node === last(last(impliedEvalAncestorsStack))) {
|
128 |
|
129 | /*
|
130 | * Destroys the entire sub-stack, rather than just using
|
131 | * last(impliedEvalAncestorsStack).pop(), as a CallExpression is
|
132 | * always the bottom of a impliedEvalAncestorsStack substack.
|
133 | */
|
134 | impliedEvalAncestorsStack.pop();
|
135 | }
|
136 | },
|
137 |
|
138 | BinaryExpression(node) {
|
139 | if (node.operator === "+" && hasImpliedEvalParent(node)) {
|
140 | last(impliedEvalAncestorsStack).push(node);
|
141 | }
|
142 | },
|
143 |
|
144 | "BinaryExpression:exit"(node) {
|
145 | if (node === last(last(impliedEvalAncestorsStack))) {
|
146 | last(impliedEvalAncestorsStack).pop();
|
147 | }
|
148 | },
|
149 |
|
150 | Literal(node) {
|
151 | if (typeof node.value === "string") {
|
152 | checkString(node);
|
153 | }
|
154 | },
|
155 |
|
156 | TemplateLiteral(node) {
|
157 | checkString(node);
|
158 | }
|
159 | };
|
160 |
|
161 | }
|
162 | };
|