2 * @fileoverview Rule to flag use of implied eval via setTimeout and setInterval
3 * @author James Allardice
8 //------------------------------------------------------------------------------
10 //------------------------------------------------------------------------------
17 description: "disallow the use of `eval()`-like methods",
18 category: "Best Practices",
20 url: "https://eslint.org/docs/rules/no-implied-eval"
// Whole-name match for the callees this rule treats as eval-like. The ^…$
// anchors mean only these three exact names match; the regex has no `g` flag,
// so repeated .test() calls carry no state.
const CALLEE_RE = /^(?:setTimeout|setInterval|execScript)$/u;

/*
 * Stack of substacks used to decide whether a string-like node should be
 * inspected. The first element of every substack is a CallExpression that
 * may be an implied eval; the `+` BinaryExpressions currently being
 * traversed under its first argument are pushed on top of it.
 */
const impliedEvalAncestorsStack = [];
35 //--------------------------------------------------------------------------
37 //--------------------------------------------------------------------------
40 * Get the last element of an array, without modifying arr, like pop(), but non-destructive.
41 * @param {Array} arr What to inspect
42 * @returns {*} The last element of arr
46 return arr ? arr[arr.length - 1] : null;
50 * Checks if the given MemberExpression node is a potentially implied eval identifier on window.
51 * @param {ASTNode} node The MemberExpression node to check.
52 * @returns {boolean} Whether or not the given node is potentially an implied eval.
function isImpliedEvalMemberExpression(node) {
    const { object, property } = node;

    // `name` is tested for identifier access (window.setTimeout) and `value`
    // for string-literal access (window["setTimeout"]).
    const hasImpliedEvalName = CALLEE_RE.test(property.name) || CALLEE_RE.test(property.value);

    // NOTE(review): only a receiver literally named `window` is recognised
    // here. Calls made through any other object expression are not matched
    // by this helper, so the rule should be treated as one layer of defence
    // rather than a guarantee that no string reaches a timer function.
    if (object.name !== "window") {
        return false;
    }

    return hasImpliedEvalName;
}
64 * Determines if a node represents a call to a potentially implied eval.
66 * This checks the callee name and that there's an argument, but not the type of the argument.
67 * @param {ASTNode} node The CallExpression to check.
68 * @returns {boolean} True if the node matches, false if not.
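function isImpliedEvalCallExpression(node) {
    const { callee } = node;

    // Bare call, e.g. setTimeout(...). The match is on the identifier's name
    // only; which binding that name resolves to is not examined here.
    const isDirectCall = callee.type === "Identifier" && CALLEE_RE.test(callee.name);

    // Member call on `window`, e.g. window.setTimeout(...).
    const isWindowCall = callee.type === "MemberExpression" && isImpliedEvalMemberExpression(callee);

    // Compare the argument count explicitly so the function returns a real
    // boolean, as its JSDoc states, instead of leaking the numeric length.
    // Truthiness is unchanged: a matching callee with no arguments is still
    // not a candidate. The argument's type is deliberately not checked here.
    return (isDirectCall || isWindowCall) && node.arguments.length > 0;
}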
82 * Checks that the parent is a direct descendant of a potential implied eval CallExpression, and if the parent is a CallExpression, that we're the first argument.
83 * @param {ASTNode} node The node to inspect the parent of.
84 * @returns {boolean} Was the parent a direct descendant, and is the child therefore potentially part of a dangerous argument?
function hasImpliedEvalParent(node) {
    const parent = node.parent;

    // The parent must be the node currently on top of the innermost substack,
    // i.e. it was already marked as part of a candidate argument.
    if (parent !== last(last(impliedEvalAncestorsStack))) {
        return false;
    }

    // Only the first argument of the call is of interest; when the parent is
    // not a call (a marked `+` expression), either operand qualifies.
    return parent.type !== "CallExpression" || node === parent.arguments[0];
}
97 * Checks if our parent is marked as part of an implied eval argument. If
98 * so, collapses the top of impliedEvalAncestorsStack and reports on the
99 * original CallExpression.
100 * @param {ASTNode} node The CallExpression to check.
101 * @returns {boolean} True if the node matches, false if not.
function checkString(node) {

    // Nothing to do unless this node sits directly under a marked ancestor.
    // No value is returned on either path; the only effect is the report.
    if (!hasImpliedEvalParent(node)) {
        return;
    }

    // Drop the whole substack, not just its top entry, so the same call
    // cannot be reported a second time by a later string fragment.
    const reportedSubstack = impliedEvalAncestorsStack.pop();

    // The substack's first entry is the originating CallExpression; report
    // there so the finding points at the call rather than at the string.
    context.report({
        node: reportedSubstack[0],
        message: "Implied eval. Consider passing a function instead of a string."
    });
}
114 //--------------------------------------------------------------------------
116 //--------------------------------------------------------------------------
CallExpression(node) {
    if (!isImpliedEvalCallExpression(node)) {
        return;
    }

    // Every candidate call opens its own substack, with the call at the bottom.
    impliedEvalAncestorsStack.push([node]);
},
"CallExpression:exit"(node) {
    const openSubstack = last(impliedEvalAncestorsStack);

    if (last(openSubstack) === node) {

        /*
         * A CallExpression is always the bottom entry of its substack, so
         * finding it on top means the substack holds nothing else. Discard
         * the substack as a whole instead of popping a single entry from it.
         */
        impliedEvalAncestorsStack.pop();
    }
},
BinaryExpression(node) {
    const isConcatenation = node.operator === "+";

    // Track `+` expressions under a marked parent so that string fragments
    // nested inside a concatenation are still tied back to the call.
    if (isConcatenation && hasImpliedEvalParent(node)) {
        last(impliedEvalAncestorsStack).push(node);
    }
},
"BinaryExpression:exit"(node) {
    const openSubstack = last(impliedEvalAncestorsStack);

    // Unmark this expression once traversal leaves it, but only if it is the
    // entry currently on top of the innermost substack.
    if (last(openSubstack) === node) {
        openSubstack.pop();
    }
},
152 if (typeof node.value === "string") {
157 TemplateLiteral(node) {