Update: no-new-func rule catching eval case of MemberExpression #14860

Merged
merged 16 commits into from Sep 23, 2021
Changes from 11 commits
12 changes: 10 additions & 2 deletions docs/rules/no-new-func.md
@@ -1,12 +1,17 @@
# Disallow Function Constructor (no-new-func)

It's possible to create functions in JavaScript using the `Function` constructor, such as:
It's possible to create functions in JavaScript from strings at runtime using the `Function` constructor, such as:

```js
var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
var f = Function.bind(null, "a", "b", "return a + b"); // assuming that the result of Function.bind(...) will be eventually called.
```

This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions.
This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions. In addition, Content-Security-Policy (CSP) directives may disallow the use of eval() and similar methods for creating code from strings.

## Rule Details

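Review bot: the trailing comment on the last intro example, `var f = Function.bind(null, "a", "b", "return a + b"); // assuming that the result of Function.bind(...) will be eventually called.`, undersells what the rule does: the invalid tests in this PR report the uncalled `Function.bind(null, ...)` form too, so the doc should say the `bind` call is reported regardless of whether the bound function is ever invoked, rather than hedging. The intro list also omits the shapes the new MemberExpression branch reaches besides plain dot access, such as `Function?.call(null, ...)` and the computed `Function["apply"](null, ...)`; one line for each would tell readers what to expect. In the added CSP sentence, naming the concrete mechanism (a `script-src` directive without `'unsafe-eval'` makes `Function(...)` throw at runtime, so the string-built function is dead code under a strict policy) makes the motivation more useful than "may disallow".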
@@ -19,6 +24,9 @@ Examples of **incorrect** code for this rule:

var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
```

Examples of **correct** code for this rule:
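Review bot: the incorrect examples stop at `var x = Function.bind(null, "a", "b", "return a + b")();` and leave out the uncalled `var x = Function.bind(null, "a", "b", "return a + b");` form, which the intro shows and which the new invalid test for `Function.bind(...)` without a trailing call reports; since the rule flags it, it belongs in this list. Once the property-name check that was requested on the rule code is in, the correct examples should also gain a member access that is not `call`/`apply`/`bind`, such as `Function.toString()`, so the docs state where the member branch stops.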
24 changes: 18 additions & 6 deletions lib/rules/no-new-func.js
@@ -38,14 +38,26 @@ module.exports = {
variable.references.forEach(ref => {
const node = ref.identifier;
const { parent } = node;
let evalNode;

if (
parent &&
(parent.type === "NewExpression" || parent.type === "CallExpression") &&
node === parent.callee
) {
if (parent) {
if (node === parent.callee && (
parent.type === "NewExpression" ||
parent.type === "CallExpression"
)) {
evalNode = parent;
} else if (parent.type === "MemberExpression" && node === parent.object) {
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also check if the property name is one of "call", "apply" or "bind", as this looks like a false positive:

```js
/* eslint no-new-func: error */

Function.toString(); // false positive
```

For this check, we can use `astUtils.getStaticPropertyName()` so that it covers code such as `Function["call"]()`

const maybeCallee = parent.parent.type === "ChainExpression" ? parent.parent : parent;

if (maybeCallee.parent.type === "CallExpression" && maybeCallee.parent.callee === maybeCallee) {
evalNode = parent.parent;
}
}
}

if (evalNode) {
context.report({
node: parent,
node: evalNode,
messageId: "noFunctionConstructor"
});
}
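Review bot: `evalNode = parent.parent;` reports the wrong node in the ChainExpression branch: when `maybeCallee` is the `ChainExpression` (the parenthesised form `(Function?.call)(null, ...)`), `parent.parent` is that `ChainExpression`, not the `CallExpression` that `maybeCallee.parent.type === "CallExpression"` just tested for, so the report lands on the chain rather than the call and a test asserting `type: "CallExpression"` would fail there. Using `evalNode = maybeCallee.parent;` reports the call in both the chained and the plain case. Separately, the `else if (parent.type === "MemberExpression" && node === parent.object)` branch never looks at which property is accessed, so every `Function.<anything>(...)` call is reported, including `Function.toString()`; comparing `astUtils.getStaticPropertyName(parent)` against `"call"`, `"apply"` and `"bind"` fixes that while still matching `Function["call"](...)`, and yields `null` for a genuinely dynamic `Function[name](...)`, which should then not be reported.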
28 changes: 28 additions & 0 deletions tests/lib/rules/no-new-func.js
@@ -55,6 +55,34 @@ ruleTester.run("no-new-func", rule, {
type: "CallExpression"
}]
},
{
code: "var a = Function.call(null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.apply(null, [\"b\", \"c\", \"return b+c\"]);",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.bind(null, \"b\", \"c\", \"return b+c\")();",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "var a = Function.bind(null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "CallExpression"
}]
},
{
code: "const fn = () => { class Function {} }; new Function('', '')",
parserOptions: {
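Review bot: the four new invalid cases only exercise plain dot access, so the ChainExpression branch the rule code adds has no test at all; add invalid cases for `Function?.call(null, "b", "c", "return b+c")`, `(Function?.call)(null, "b", "c", "return b+c")` and `Function.call?.(null, "b", "c", "return b+c")` with `parserOptions: { ecmaVersion: 2020 }`, keeping the `type: "CallExpression"` assertion so the reported node is pinned down for the parenthesised chain as well. A computed case, `Function["call"](null, "b", "c", "return b+c")`, and valid cases that must not report, such as `Function.prototype.call(null, "b")` (the `.call` member hangs off `Function.prototype`, not `Function`) and an uncalled `var c = Function.call;`, would document the limits of the member branch; a valid `Function.toString()` case should go in together with the property-name check requested on the rule code.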