New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor avoidCapture
function
#1399
Conversation
On second thought, it's not safe anyway, running ESLint with specific ecma version, doesn't mean scripts always run on the same environment. I always use my shared config with |
My implementation tried to match the target ecma version closely with regards to reserved words and allowed If original approach is not a valuable enough feature, this PR provides a more practical approach that will be easier to maintain and should be merged. Yet it seems original code could have been fixed to support |
I also found potential threat, for example we used it in "unicorn/catch-error-name": [
"error",
{
"name": "){} evilCode; if(false"
}
] try {} catch (e) {} will fix to try {} catch (){} evilCode; if(false) {} And it may run into infinity loop in all used rules, for example: "unicorn/prevent-abbreviations": [
"error",
{
"replacements": {
"a" : {
123: true
}
}
}
] current implementation will not find a usable variable name and hang forever, I'll fix. |
I wouldn't consider that a vulnerability. It applies to a lot of ESLint rules. Rules make no guarantee about being resistant to evil config, nor should they. |
But the infinity one, people may config it by mistake, for example, added a space after the replacement. |
The infinity case I agree we should fix. |
Reason behind this change, the new version of ESLint allows
ecmaVersion: "latest"
, and this part don't understand it.Let's not care about
ecmaVersion
and strict mode, just use the safest strategy.WDYT? @futpib