Update: no-new-func rule catching eval case of MemberExpression

[archmoj]

• I have read the contributing guidelines.

What is the purpose of this pull request? (put an "X" next to an item)

[x] Bug fix (template)
[x] Include tests for this change
[x] Update documentation for this change

What changes did you make? (Give an overview)

The no-new-func rule should be able to catch calls to Function.apply (see the example below) concerning dynamic Function() constructor in the form of eval().

var fn = Function.apply('sum', ['a', 'b', 'return a+b;']);
fn(1, 2);

Is there anything you'd like reviewers to focus on?

This would allow testing libraries to comply with CSP as demonstrated in plotly/plotly.js#5868

cc: @alexcjohnson

[eslint-github-bot]

Hi @archmoj!, thanks for the Pull Request

The first commit message isn't properly formatted. We ask that you update the message to match this format, as we use it to generate changelogs and automate releases.

• The commit message tag must be one of the following:

  The Tag is one of the following:

  • Fix - for a bug fix.
  • Update - either for a backwards-compatible enhancement or for a rule change that adds reported problems.
  • New - implements a new feature.
  • Breaking - for a backwards-incompatible enhancement or feature.
  • Docs - changes to documentation only.
  • Build - changes to build process only.
  • Upgrade - for a dependency upgrade.
  • Chore - for anything that isn't user-facing (for example, refactoring, adding tests, etc.).

  You can use the labels of the issue you are working on to determine the best tag.

• There should be a space following the initial tag and colon, for example 'New: Message'.

• The first letter of the tag should be in uppercase

Read more about contributing to ESLint here

[eslint-github-bot]

Hi @archmoj!, thanks for the Pull Request

The pull request title isn't properly formatted. We ask that you update the message to match this format, as we use it to generate changelogs and automate releases.

• The length of the commit message must be less than or equal to 72

Read more about contributing to ESLint here

[mdjermanovic]

Hi @archmoj, thanks for the PR!

This change makes sense to me 👍, but I think we should treat it as an enhancement, so I'd like to hear more opinions from the team before accepting and reviewing the PR.

[nzakas]

I’m okay with the change, but the docs need to be updated to explain that these forms are akin to “new Function”.

[archmoj]

I’m okay with the change, but the docs need to be updated to explain that these forms are akin to “new Function”.

Good call. Addressed in cc988e1.

[archmoj]

Is there any remaining item(s) on this PR?

[nzakas]

We just need time to review it. A lot of people are away, so it may take some time. We'll update if we need any further changes.

[archmoj]

We just need time to review it. A lot of people are away, so it may take some time. We'll update if we need any further changes.

Thanks very much for the info @nzakas

[mdjermanovic]

Do we have a consensus? I'm willing to champion this enhancement, but it needs one more 👍

Or, shall we treat it as a bug fix?

[btmills]

I agree the rule should catch this case. Thanks for adding the check! Since it’s improving the rule’s ability to detect eval-like calls, I’d lean toward this being a semver-minor change.

[mdjermanovic]

Sorry for the delay! This looks very good, I left several comments about certain details.

[mdjermanovic]

I think we should also check if the property name is one of "call", "apply" or "bind", as this looks like a false positive:

/* eslint no-new-func: error */

Function.toString(); // false positive

For this check, we can use astUtils.getStaticPropertyName() so that it covers code such as Function["call"]()

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Mojtaba Samimi (d20c16e, 8e4f5cf, 81b1c60, 8dbcb44, e78dc5e, cc988e1, 7a83a49, 05e750e, 885ed3a, ef39ca7, 083ad40, 13f61ea, 8a41cc9, c49f69f)

[mdjermanovic]

@archmoj I think #14860 (comment) is the last remaining issue, let us know if you need any help with that.

[archmoj]

@archmoj I think #14860 (comment) is the last remaining issue, let us know if you need any help with that.

I would appreciate if you could possibly push a commit to address that.

[mdjermanovic]

@archmoj I think #14860 (comment) is the last remaining issue, let us know if you need any help with that.

I would appreciate if you could possibly push a commit to address that.

Done e6421b3

[mdjermanovic]

LGTM, thanks!

[snitin315]

Looks good. Thanks for contributing.

[mdjermanovic]

Merged, thanks for contributing! This will be included in ESLint v8.0.0-rc.0 release, scheduled for tomorrow (#15059)

[archmoj]

Merged, thanks for contributing! This will be included in ESLint v8.0.0-rc.0 release, scheduled for tomorrow (#15059)

Thanks very much @mdjermanovic for taking over this PR as well as the note.
I'll try v8.0.0-rc.0 once published :)

[nzakas]

@archmoj we'd like to thank you for your work on this. Can you drop us an email at contact (at) eslint (dot) org?

[archmoj]

@archmoj we'd like to thank you for your work on this. Can you drop us an email at contact (at) eslint (dot) org?

It was not really a big deal to kick start a PR like this one.
But yeah thanks to @mdjermanovic who helped with the hard work of finishing it. 🥇 🏆

[nzakas]

We’d like to pay you from our contributor pool, but we need an email address to do that. :)