/**
 * @fileoverview Rule to flag use of implied eval via setTimeout and setInterval
 * @author James Allardice
 * @copyright 2015 Mathias Schreck. All rights reserved.
 * @copyright 2013 James Allardice. All rights reserved.
 */

"use strict";

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------

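module.exports = function(context) {
    // Only the exact global names count. An unanchored pattern would also
    // match unrelated callees such as `setTimeoutWrapper(...)` or
    // `execScriptor(...)` and produce false positives.
    var CALLEE_RE = /^(?:setTimeout|setInterval|execScript)$/;

    // Figures out if we should inspect a given binary expression. Is a stack of
    // stacks, where the first element in each substack is a CallExpression and
    // the following elements are the `+` BinaryExpressions nested inside its
    // first argument, innermost last.
    var impliedEvalAncestorsStack = [];

    //--------------------------------------------------------------------------
    // Helpers
    //--------------------------------------------------------------------------

    /**
     * Get the last element of an array without modifying it (a non-destructive pop()).
     * @param {Array} arr What to inspect.
     * @returns {*} The last element of arr, or null when arr is missing or empty.
     * @private
     */
    function last(arr) {
        if (!arr || arr.length === 0) {
            return null;
        }
        return arr[arr.length - 1];
    }

    /**
     * Checks if the given MemberExpression node is a potentially implied eval identifier on window.
     * @param {ASTNode} node The MemberExpression node to check.
     * @returns {boolean} Whether or not the given node is potentially an implied eval.
     * @private
     */
    function isImpliedEvalMemberExpression(node) {
        var property = node.property,
            // `window.setTimeout` names the member through an Identifier,
            // `window["setTimeout"]` through a Literal value; for a computed
            // access the identifier's name is a variable, not the member name.
            calleeName = node.computed ? property.value : property.name;

        return node.object.name === "window" && CALLEE_RE.test(calleeName);
    }

    /**
     * Determines if a node represents a call to a potentially implied eval.
     *
     * This checks the callee name and that there's an argument, but not the type of the argument.
     *
     * @param {ASTNode} node The CallExpression to check.
     * @returns {boolean} True if the node matches, false if not.
     * @private
     */
    function isImpliedEvalCallExpression(node) {
        var callee = node.callee,
            isImpliedEvalCallee = false;

        if (callee.type === "Identifier") {
            isImpliedEvalCallee = CALLEE_RE.test(callee.name);
        } else if (callee.type === "MemberExpression") {
            isImpliedEvalCallee = isImpliedEvalMemberExpression(callee);
        }

        // compare explicitly so the function returns a boolean rather than the
        // argument count
        return isImpliedEvalCallee && node.arguments.length > 0;
    }

    /**
     * Checks that the parent is a direct descendent of a potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.
     * @param {ASTNode} node The node to inspect the parent of.
     * @returns {boolean} Was the parent a direct descendent, and is the child therefore potentially part of a dangerous argument?
     * @private
     */
    function hasImpliedEvalParent(node) {
        // make sure our parent is marked
        return node.parent === last(last(impliedEvalAncestorsStack)) &&
            // if our parent is a CallExpression, make sure we're the first argument
            (node.parent.type !== "CallExpression" || node === node.parent.arguments[0]);
    }

    /**
     * Checks if our parent is marked as part of an implied eval argument. If
     * so, collapses the top of impliedEvalAncestorsStack and reports on the
     * original CallExpression.
     * @param {ASTNode} node The Literal or TemplateLiteral node to check.
     * @returns {void}
     * @private
     */
    function checkString(node) {
        if (hasImpliedEvalParent(node)) {
            // remove the entire substack, to avoid duplicate reports
            var substack = impliedEvalAncestorsStack.pop();
            context.report(substack[0], "Implied eval. Consider passing a function instead of a string.");
        }
    }

    //--------------------------------------------------------------------------
    // Public
    //--------------------------------------------------------------------------

    return {
        "CallExpression": function(node) {
            if (isImpliedEvalCallExpression(node)) {
                // call expressions create a new substack
                impliedEvalAncestorsStack.push([node]);
            }
        },

        "CallExpression:exit": function(node) {
            if (node === last(last(impliedEvalAncestorsStack))) {
                // destroys the entire sub-stack, rather than just using
                // last(impliedEvalAncestorsStack).pop(), as a CallExpression is
                // always the bottom of a impliedEvalAncestorsStack substack.
                impliedEvalAncestorsStack.pop();
            }
        },

        "BinaryExpression": function(node) {
            // only string concatenation can carry a string literal into the
            // evaluated argument
            if (node.operator === "+" && hasImpliedEvalParent(node)) {
                last(impliedEvalAncestorsStack).push(node);
            }
        },

        "BinaryExpression:exit": function(node) {
            if (node === last(last(impliedEvalAncestorsStack))) {
                last(impliedEvalAncestorsStack).pop();
            }
        },

        "Literal": function(node) {
            // numbers, booleans, regexes etc. cannot be evaluated as code
            if (typeof node.value === "string") {
                checkString(node);
            }
        },

        "TemplateLiteral": function(node) {
            checkString(node);
        }
    };

};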

// The rule accepts no options, so its options schema is the empty array.
module.exports.schema = [];