UNPKG

@locker/eslint-plugin-unsafe-types

Version:

Detect usage of unsigned unsafe types.

github.com/salesforce-experience-platform-emu/locker

salesforce-experience-platform-emu/locker

152 lines (139 loc) 7.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
/** Original file https://github.com/eslint/eslint/blob/main/tests/lib/rules/no-eval.js * @fileoverview Detect usage of unsigned eval calls. * @author Lightning Web Security Team */ 'use strict'; //------------------------------------------------------------------------------ // Requirements //------------------------------------------------------------------------------ const RuleTester = require('eslint').RuleTester; const rule = require('../../../lib/rules/unsafe-eval'); //------------------------------------------------------------------------------ // Tests //------------------------------------------------------------------------------ const env = { browser: true, commonjs: true, es2024: true, jquery: true }; const ruleTester = new RuleTester(); ruleTester.run('unsafe-eval', rule, { valid: [ 'Eval(foo)', "setTimeout('foo')", "setInterval('foo')", "window.setTimeout('foo')", "window.setInterval('foo')", "window.noeval('foo')", "function foo() { var eval = 'foo'; window[eval]('foo') }", "globalThis.noneval('foo')", "function foo() { var eval = 'foo'; globalThis[eval]('foo') }", "this.noeval('foo');", "function foo() { 'use strict'; this.eval('foo'); }", "var obj = {foo: function() { this.eval('foo'); }}", "var obj = {}; obj.foo = function() { this.eval('foo'); }", "function f() { 'use strict'; () => { this.eval('foo') } }", "(function f() { 'use strict'; () => { this.eval('foo') } })", 'class A { foo() { this.eval(); } }', 'class A { static foo() { this.eval(); } }', 'class A { field = this.eval(); }', 'class A { field = () => this.eval(); }', 'class A { static { this.eval(); } }', // User-defined this.eval in callbacks "array.findLast(function (x) { return this.eval.includes(x); }, { eval: ['foo', 'bar'] });", 'callbacks.findLastIndex(function (cb) { return cb(this.eval); }, this);', "['1+1'].flatMap(function (str) { return this.eval(str); }, new Evaluator);", // Signed direct eval "eval($A.lockerService.trusted.createScript('foo'))", "eval($A.$lockerService$.$trusted$.$createScript$('foo'))", "eval($A.lockerService.restricted.createScript('foo'))", "eval($A.$lockerService$.$restricted$.$createScript$('foo'))", 'eval($A.lockerService.trusted.createScript(foo))', "this.eval($A.lockerService.trusted.createScript('foo'));", "'use strict'; this.eval($A.lockerService.trusted.createScript('foo'));", "function foo(eval) { eval($A.lockerService.trusted.createScript('foo')) }", "function foo() { this.eval($A.lockerService.trusted.createScript('foo')); }", "() => { this.eval($A.lockerService.trusted.createScript('foo')) }", 'eval($A.lockerService.trusted.createScript(foo))', "eval($A.lockerService.trusted.createScript('foo'))", "window.eval($A.lockerService.trusted.createScript('foo'))", "global.eval($A.lockerService.trusted.createScript('foo'))", "globalThis.eval($A.lockerService.trusted.createScript('foo'))", // Signed indirect eval "(0, eval)($A.lockerService.trusted.createScript('foo'))", "(0, window.eval)($A.lockerService.trusted.createScript('foo'))", "(0, window['eval'])($A.lockerService.trusted.createScript('foo'))", "() => { this.eval($A.lockerService.trusted.createScript('foo')); }", "() => { 'use strict'; this.eval($A.lockerService.trusted.createScript('foo')); }", "'use strict'; () => { this.eval($A.lockerService.trusted.createScript('foo')); }", "() => { 'use strict'; () => { this.eval($A.lockerService.trusted.createScript('foo')); } }", "window.window.eval($A.lockerService.trusted.createScript('foo'))", "window.window['eval']($A.lockerService.trusted.createScript('foo'))", "global.global.eval($A.lockerService.trusted.createScript('foo'))", "global.global[`eval`]($A.lockerService.trusted.createScript('foo'))", "this.eval($A.lockerService.trusted.createScript('foo'))", "'use strict'; this.eval($A.lockerService.trusted.createScript('foo'))", "function foo() { this.eval($A.lockerService.trusted.createScript('foo')) }", "globalThis.globalThis.eval($A.lockerService.trusted.createScript('foo'))", "globalThis.globalThis['eval']($A.lockerService.trusted.createScript('foo'))", "(0, globalThis.eval)($A.lockerService.trusted.createScript('foo'))", "(0, globalThis['eval'])($A.lockerService.trusted.createScript('foo'))", "var EVAL = eval; EVAL($A.lockerService.trusted.createScript('foo'))", ].map((code) => ({ code, env })), invalid: [ // Direct eval "eval(foo);eval($A.lockerService.trusted.createScript('foo'))", 'eval(foo)', "eval('foo')", "function foo(eval) { eval('foo') }", "function foo() { this.eval('foo'); }", "() => { this.eval('foo') }", 'eval(foo)', "eval('foo')", "function foo(eval) { eval('foo') }", "window.eval('foo')", "global.eval('foo')", // Indirect eval "(0, eval)('foo')", "(0, window.eval)('foo')", "(0, window['eval'])('foo')", "var EVAL = eval; EVAL('foo')", "var EVAL = this.eval; EVAL('foo')", "var EVAL = this.eval; EVAL($A.lockerService.trusted.createScript('foo'))", "'use strict'; var EVAL = this.eval; EVAL('foo')", "'use strict'; var EVAL = this.eval; EVAL($A.lockerService.trusted.createScript('foo'))", "() => { this.eval('foo'); }", "() => { 'use strict'; this.eval('foo'); }", "'use strict'; () => { this.eval('foo'); }", "() => { 'use strict'; () => { this.eval('foo'); } }", "(function(exe){ exe('foo') })(eval);", "(function(exe){ exe($A.lockerService.trusted.createScript('foo')) })(eval);", "window.eval('foo')", "window.window.eval('foo')", "window.window['eval']('foo')", "global.eval('foo')", "global.global.eval('foo')", "global.global[`eval`]('foo')", "this.eval('foo')", "'use strict'; this.eval('foo')", "function foo() { this.eval('foo') }", "var EVAL = globalThis.eval; EVAL('foo')", "globalThis.eval('foo')", "globalThis.globalThis.eval('foo')", "globalThis.globalThis['eval']('foo')", "(0, globalThis.eval)('foo')", "(0, globalThis['eval'])('foo')", // Optional chaining "window?.eval('foo')", "(window?.eval)('foo')", "(window?.window).eval('foo')", // Class fields "class C { [this.eval('foo')] }", "'use strict'; class C { [this.eval('foo')] }", 'class A { static {} [this.eval()]; }', // this.eval in callbacks (not user-defined) "array.findLast(x => this.eval.includes(x), { eval: 'abc' });", 'callbacks.findLastIndex(function (cb) { return cb(eval); }, this);', "['1+1'].flatMap(function (str) { return this.eval(str); });", "['1'].reduce(function (a, b) { return this.eval(a) ? a : b; }, '0');", // Signed using wrong syntax "eval($A.lockerService.trusted['createScript']('foo'))", "eval($A.lockerService.trusted.createScript.call($A.lockerService.trusted, 'foo'))", ].map((code) => ({ code, env, errors: [{ messageId: 'unexpected' }] })), });