Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: no-new-func rule catching eval case of MemberExpression #14860

Merged
merged 16 commits into from Sep 23, 2021
Merged

Update: no-new-func rule catching eval case of MemberExpression #14860

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
d20c16e
Fix: no-new-fuc should catch calls to Function.apply
archmoj Jul 30, 2021
8e4f5cf
Chore: adjust ES6 syntax in no-new-func
archmoj Aug 2, 2021
81b1c60
Docs: examples for incorrect no-new-func rule
archmoj Aug 2, 2021
8dbcb44
Chore: tests for invalid no-new-func cases
archmoj Aug 2, 2021
e78dc5e
Docs: example and test for incorrect no-new-func rule
archmoj Aug 2, 2021
cc988e1
Docs: enhance documentation for no-new-func rule
archmoj Aug 3, 2021
7a83a49
Docs: improve no-new-func description
archmoj Aug 26, 2021
05e750e
Fix: revise no-new-func logic
archmoj Aug 27, 2021
885ed3a
Chore: additional test for Function.bind
archmoj Aug 27, 2021
ef39ca7
Docs: note regarding Function.bind without immediate call
archmoj Aug 27, 2021
083ad40
Fix: report CallExpression node instead of MemberExpression node
archmoj Aug 27, 2021
13f61ea
Docs: modify no-new-func docs
archmoj Sep 7, 2021
8a41cc9
Docs: add no-new-func example
archmoj Sep 7, 2021
c49f69f
Fix: use maybeCallee instead of parent in no-new-func
archmoj Sep 7, 2021
0d11a0e
add tests
mdjermanovic Sep 16, 2021
e6421b3
check method name
mdjermanovic Sep 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
11 changes: 9 additions & 2 deletions docs/rules/no-new-func.md
View file
Open in desktop
@@ -1,12 +1,16 @@
# Disallow Function Constructor (no-new-func)

It's possible to create functions in JavaScript using the `Function` constructor, such as:
It's possible to create functions in JavaScript from strings at runtime using `Function` constructors, such as:
archmoj marked this conversation as resolved.
Show resolved Hide resolved

```js
var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
```

This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions.
This is considered by many to be a bad practice due to the difficulty in debugging and reading these types of functions. In addition, Content-Security-Policy (CSP) directives may disallow the use of eval() and similar methods for creating code from strings.

## Rule Details

Expand All @@ -19,6 +23,9 @@ Examples of **incorrect** code for this rule:

var x = new Function("a", "b", "return a + b");
var x = Function("a", "b", "return a + b");
var x = Function.call(null, "a", "b", "return a + b");
var x = Function.apply(null, ["a", "b", "return a + b"]);
var x = Function.bind(null, "a", "b", "return a + b")();
archmoj marked this conversation as resolved.
Show resolved Hide resolved
```

Examples of **correct** code for this rule:
Expand Down
22 changes: 17 additions & 5 deletions lib/rules/no-new-func.js
View file
Open in desktop
Expand Up @@ -38,12 +38,24 @@ module.exports = {
variable.references.forEach(ref => {
const node = ref.identifier;
const { parent } = node;
let isEval = false;

if (
parent &&
(parent.type === "NewExpression" || parent.type === "CallExpression") &&
node === parent.callee
) {
if (parent) {
if (node === parent.callee && (
parent.type === "NewExpression" ||
parent.type === "CallExpression"
)) {
isEval = true;
} else if (parent.type === "MemberExpression") {
const gParent = parent.parent;

if (gParent && gParent.type === "CallExpression") {
isEval = true;
}
}
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
}

if (isEval) {
context.report({
node: parent,
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
messageId: "noFunctionConstructor"
Expand Down
21 changes: 21 additions & 0 deletions tests/lib/rules/no-new-func.js
View file
Open in desktop
Expand Up @@ -55,6 +55,27 @@ ruleTester.run("no-new-func", rule, {
type: "CallExpression"
}]
},
{
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
code: "var a = Function.call(null, \"b\", \"c\", \"return b+c\");",
errors: [{
messageId: "noFunctionConstructor",
type: "MemberExpression"
}]
},
{
code: "var a = Function.apply(null, [\"b\", \"c\", \"return b+c\"]);",
errors: [{
messageId: "noFunctionConstructor",
type: "MemberExpression"
}]
},
{
code: "var a = Function.bind(null, \"b\", \"c\", \"return b+c\")();",
mdjermanovic marked this conversation as resolved.
Show resolved Hide resolved
errors: [{
messageId: "noFunctionConstructor",
type: "MemberExpression"
}]
},
{
code: "const fn = () => { class Function {} }; new Function('', '')",
parserOptions: {
Expand Down