UNPKG

eslint-plugin-sonarjs

Version:

SonarJS rules for ESLint

github.com/SonarSource/SonarJS/blob/master/packages/jsts/src/rules/README.md

SonarSource/SonarJS

145 lines (144 loc) 6.14 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.Express = void 0; const index_js_1 = require("./index.js"); /** * This modules provides utilities for writing rules about Express.js. */ var Express; (function (Express) { const EXPRESS = 'express'; /** * Checks whether the declaration looks somewhat like `<id> = express()` * and returns `<id>` if it matches. */ function attemptFindAppInstantiation(varDecl, context) { const rhs = varDecl.init; if (rhs && rhs.type === 'CallExpression' && (0, index_js_1.getFullyQualifiedName)(context, rhs) === EXPRESS) { const pattern = varDecl.id; return pattern.type === 'Identifier' ? pattern : undefined; } return undefined; } Express.attemptFindAppInstantiation = attemptFindAppInstantiation; /** * Checks whether the function injects an instantiated app and is exported like `module.exports = function(app) {}` * or `module.exports.property = function(app) {}`, and returns app if it matches. */ function attemptFindAppInjection(functionDef, context, node) { const app = functionDef.params.find(param => param.type === 'Identifier' && param.name === 'app'); if (app) { const parent = (0, index_js_1.getParent)(context, node); if (parent?.type === 'AssignmentExpression') { const { left } = parent; if (left.type === 'MemberExpression' && ((0, index_js_1.isModuleExports)(left) || (0, index_js_1.isModuleExports)(left.object))) { return app; } } } return undefined; } Express.attemptFindAppInjection = attemptFindAppInjection; /** * Checks whether the expression looks somewhat like `app.use(m1, [m2, m3], ..., mN)`, * where one of `mK`-nodes satisfies the given predicate. */ function isUsingMiddleware(context, callExpression, app, middlewareNodePredicate) { if ((0, index_js_1.isMethodInvocation)(callExpression, app.name, 'use', 1)) { const flattenedArgs = (0, index_js_1.flattenArgs)(context, callExpression.arguments); return Boolean(flattenedArgs.find(middlewareNodePredicate)); } return false; } Express.isUsingMiddleware = isUsingMiddleware; /** * Checks whether a node looks somewhat like `require('m')()` for * some middleware `m` from the list of middlewares. */ function isMiddlewareInstance(context, middlewares, n) { if (n.type === 'CallExpression') { const fqn = (0, index_js_1.getFullyQualifiedName)(context, n); return middlewares.some(middleware => middleware === fqn); } return false; } Express.isMiddlewareInstance = isMiddlewareInstance; /** * Rule factory for detecting sensitive settings that are passed to * middlewares eventually used by Express.js applications: * * app.use( * middleware(settings) * ) * * or * * app.use( * middleware.method(settings) * ) * * @param sensitivePropertyFinder - a function looking for a sensitive setting on a middleware call * @param message - the reported message when an issue is raised * @param meta - the rule metadata * @returns a rule module that raises issues when a sensitive property is found */ function SensitiveMiddlewarePropertyRule(sensitivePropertyFinder, message, meta = {}) { return { meta, create(context) { let app; let sensitiveProperties; function isExposing(middlewareNode) { return Boolean(sensitiveProperties.push(...findSensitiveProperty(middlewareNode))); } function findSensitiveProperty(middlewareNode) { if (middlewareNode.type === 'CallExpression') { return sensitivePropertyFinder(context, middlewareNode); } return []; } return { Program: () => { app = null; sensitiveProperties = []; }, CallExpression: (node) => { if (app) { const callExpr = node; const isSafe = !isUsingMiddleware(context, callExpr, app, isExposing); if (!isSafe) { for (const sensitive of sensitiveProperties) { (0, index_js_1.report)(context, { node: callExpr, message, }, [(0, index_js_1.toSecondaryLocation)(sensitive)]); } sensitiveProperties = []; } } }, VariableDeclarator: (node) => { if (!app) { const varDecl = node; const instantiatedApp = attemptFindAppInstantiation(varDecl, context); if (instantiatedApp) { app = instantiatedApp; } } }, ':function': (node) => { if (!app) { const functionDef = node; const injectedApp = attemptFindAppInjection(functionDef, context, node); if (injectedApp) { app = injectedApp; } } }, }; }, }; } Express.SensitiveMiddlewarePropertyRule = SensitiveMiddlewarePropertyRule; })(Express || (exports.Express = Express = {}));