Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: no-new-func rule catching eval case of MemberExpression #14860

Merged
merged 16 commits into from Sep 23, 2021
Merged

Update: no-new-func rule catching eval case of MemberExpression #14860

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
d20c16e
Fix: no-new-fuc should catch calls to Function.apply
archmoj Jul 30, 2021
8e4f5cf
Chore: adjust ES6 syntax in no-new-func
archmoj Aug 2, 2021
81b1c60
Docs: examples for incorrect no-new-func rule
archmoj Aug 2, 2021
8dbcb44
Chore: tests for invalid no-new-func cases
archmoj Aug 2, 2021
e78dc5e
Docs: example and test for incorrect no-new-func rule
archmoj Aug 2, 2021
cc988e1
Docs: enhance documentation for no-new-func rule
archmoj Aug 3, 2021
7a83a49
Docs: improve no-new-func description
archmoj Aug 26, 2021
05e750e
Fix: revise no-new-func logic
archmoj Aug 27, 2021
885ed3a
Chore: additional test for Function.bind
archmoj Aug 27, 2021
ef39ca7
Docs: note regarding Function.bind without immediate call
archmoj Aug 27, 2021
083ad40
Fix: report CallExpression node instead of MemberExpression node
archmoj Aug 27, 2021
13f61ea
Docs: modify no-new-func docs
archmoj Sep 7, 2021
8a41cc9
Docs: add no-new-func example
archmoj Sep 7, 2021
c49f69f
Fix: use maybeCallee instead of parent in no-new-func
archmoj Sep 7, 2021
0d11a0e
add tests
mdjermanovic Sep 16, 2021
e6421b3
check method name
mdjermanovic Sep 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 10 additions & 2 deletions docs/rules/no-new-func.md
View file
Open in desktop
@@ -1,12 +1,16 @@
# Disallow Function Constructor (no-new-func)

It's possible to create functions in JavaScript using the `Function` constructor, such as:
It's possible to create functions in JavaScript from strings at runtime using the `Function` constructor, such as:

```js
var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
```

This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions.
This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions. In addition, Content-Security-Policy (CSP) directives may disallow the use of eval() and similar methods for creating code from strings.

## Rule Details

Expand All @@ -19,6 +23,10 @@ Examples of **incorrect** code for this rule:

var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
archmoj marked this conversation as resolved.
Show resolved Hide resolved
var f = Function.bind(null, "a", "b", "return a + b"); // assuming that the result of Function.bind(...) will be eventually called.
```

Examples of **correct** code for this rule:
Expand Down
40 changes: 34 additions & 6 deletions lib/rules/no-new-func.js
View file
Open in desktop
Expand Up @@ -5,6 +5,18 @@

"use strict";

//------------------------------------------------------------------------------
// Requirements
//------------------------------------------------------------------------------

const astUtils = require("./utils/ast-utils");

//------------------------------------------------------------------------------
// Helpers
//------------------------------------------------------------------------------

const callMethods = new Set(["apply", "bind", "call"]);

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
Expand Down Expand Up @@ -38,14 +50,30 @@ module.exports = {
variable.references.forEach(ref => {
const node = ref.identifier;
const { parent } = node;
let evalNode;

if (parent) {
if (node === parent.callee && (
parent.type === "NewExpression" ||
parent.type === "CallExpression"
)) {
evalNode = parent;
} else if (
parent.type === "MemberExpression" &&
node === parent.object &&
callMethods.has(astUtils.getStaticPropertyName(parent))
) {
const maybeCallee = parent.parent.type === "ChainExpression" ? parent.parent : parent;

if (maybeCallee.parent.type === "CallExpression" && maybeCallee.parent.callee === maybeCallee) {
evalNode = maybeCallee.parent;
}
}
}

if (
parent &&
(parent.type === "NewExpression" || parent.type === "CallExpression") &&
node === parent.callee
) {
if (evalNode) {
context.report({
node: parent,
node: evalNode,
messageId: "noFunctionConstructor"
});
}
Expand Down
49 changes: 48 additions & 1 deletion tests/lib/rules/no-new-func.js
View file
Open in desktop
Expand Up @@ -38,7 +38,11 @@ ruleTester.run("no-new-func", rule, {
"var fn = function () { function Function() {}; Function() }",
"var x = function Function() { Function(); }",
"call(Function)",
"new Class(Function)"
"new Class(Function)",
"foo[Function]()",
"foo(Function.bind)",
"Function.toString()",
"Function[call]()"
],
invalid: [
{
Expand All @@ -55,6 +59,49 @@ ruleTester.run("no-new-func", rule, {
type: "CallExpression"
}]
},
{
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
code: "var a = Function.call(null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.apply(null, [\"b\", \"c\", \"return b+c\"]);",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.bind(null, \"b\", \"c\", \"return b+c\")();",
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.bind(null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function[\"call\"](null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = (Function?.call)(null, \"b\", \"c\", \"return b+c\");",
parserOptions: { ecmaVersion: 2021 },
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "const fn = () => { class Function {} }; new Function('', '')",
parserOptions: {
Expand Down