Skip to content

Commit

Permalink
feat: improve detect-child-process rule (#108)
Browse files Browse the repository at this point in the history
* improve detect-child-process rule

* refactor

* add tests
  • Loading branch information
ota-meshi authored Jan 26, 2023
1 parent d699c30 commit 64ae529
Show file tree
Hide file tree
Showing 2 changed files with 123 additions and 62 deletions.
68 changes: 27 additions & 41 deletions rules/detect-child-process.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@

'use strict';

const { getImportAccessPath } = require('../utils/import-utils');
const childProcessPackageNames = ['child_process', 'node:child_process'];

//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
Expand All @@ -20,54 +23,37 @@ module.exports = {
},
},
create: function (context) {
/*
* Stores variable identifiers pointing to child_process to check (child_process).exec()
*/
const childProcessIdentifiers = new Set();

/**
* Extract identifiers assigned the expression `require("child_process")`.
* @param {Pattern} node
*/
function extractChildProcessIdentifiers(node) {
if (node.type !== 'Identifier') {
return;
}
const variable = context.getScope().set.get(node.name);
if (!variable) {
return;
}
for (const reference of variable.references) {
childProcessIdentifiers.add(reference.identifier);
}
}

return {
CallExpression: function (node) {
if (node.callee.name === 'require') {
const args = node.arguments[0];
if (args && args.type === 'Literal' && args.value === 'child_process') {
let pattern;
if (node.parent.type === 'VariableDeclarator') {
pattern = node.parent.id;
} else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
pattern = node.parent.left;
}
if (pattern) {
extractChildProcessIdentifiers(pattern);
}
if (!pattern || pattern.type === 'Identifier') {
return context.report({ node: node, message: 'Found require("child_process")' });
}
if (
args &&
args.type === 'Literal' &&
childProcessPackageNames.includes(args.value) &&
node.parent.type !== 'VariableDeclarator' &&
node.parent.type !== 'AssignmentExpression' &&
node.parent.type !== 'MemberExpression'
) {
context.report({ node: node, message: 'Found require("' + args.value + '")' });
}
return;
}
},
MemberExpression: function (node) {
if (node.property.name === 'exec' && childProcessIdentifiers.has(node.object)) {
if (node.parent && node.parent.arguments && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
return context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
}

// Reports non-literal `exec()` calls.
if (!node.arguments.length || node.arguments[0].type === 'Literal') {
return;
}
const pathInfo = getImportAccessPath({
node: node.callee,
scope: context.getScope(),
packageNames: childProcessPackageNames,
});
const fnName = pathInfo && pathInfo.path.length === 1 && pathInfo.path[0];
if (fnName !== 'exec') {
return;
}
context.report({ node: node, message: 'Found child_process.exec() with non Literal first argument' });
},
};
},
Expand Down
117 changes: 96 additions & 21 deletions test/detect-child-process.js
Original file line number Diff line number Diff line change
@@ -1,61 +1,136 @@
'use strict';

const RuleTester = require('eslint').RuleTester;
const tester = new RuleTester();
const tester = new RuleTester({
parserOptions: {
ecmaVersion: 6,
sourceType: 'module',
},
});

const ruleName = 'detect-child-process';
const rule = require(`../rules/${ruleName}`);

tester.run(ruleName, rule, {
valid: [
"child_process.exec('ls')",
{
code: `
var {} = require('child_process');
var result = /hello/.exec(str);`,
parserOptions: { ecmaVersion: 6 },
},
{
code: "var { spawn } = require('child_process'); spawn(str);",
parserOptions: { ecmaVersion: 6 },
},
`
var {} = require('child_process');
var result = /hello/.exec(str);`,
`
var {} = require('node:child_process');
var result = /hello/.exec(str);`,
`
import {} from 'child_process';
var result = /hello/.exec(str);`,
`
import {} from 'node:child_process';
var result = /hello/.exec(str);`,
"var { spawn } = require('child_process'); spawn(str);",
"var { spawn } = require('node:child_process'); spawn(str);",
"import { spawn } from 'child_process'; spawn(str);",
"import { spawn } from 'node:child_process'; spawn(str);",
`
var foo = require('child_process');
function fn () {
var foo = /hello/;
var result = foo.exec(str);
}`,
"var child = require('child_process'); child.spawn(str)",
"var child = require('node:child_process'); child.spawn(str)",
"import child from 'child_process'; child.spawn(str)",
"import child from 'node:child_process'; child.spawn(str)",
`
var foo = require('child_process');
function fn () {
var result = foo.spawn(str);
}`,
"require('child_process').spawn(str)",
`
function fn () {
require('child_process').spawn(str)
}`,
],
invalid: [
{
code: "require('child_process')",
errors: [{ message: 'Found require("child_process")' }],
},
{
code: "require('node:child_process')",
errors: [{ message: 'Found require("node:child_process")' }],
},
{
code: "var child = require('child_process'); child.exec(com)",
errors: [{ message: 'Found require("child_process")' }, { message: 'Found child_process.exec() with non Literal first argument' }],
errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
},
{
code: "var child = require('child_process'); child.exec()",
errors: [{ message: 'Found require("child_process")' }],
code: "var child = require('node:child_process'); child.exec(com)",
errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
},
{
code: "import child from 'child_process'; child.exec(com)",
errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
},
{
code: "import child from 'node:child_process'; child.exec(com)",
errors: [{ message: 'Found child_process.exec() with non Literal first argument' }],
},
{
code: "var child = sinon.stub(require('child_process')); child.exec.returns({});",
errors: [{ message: 'Found require("child_process")' }],
},
{
code: "var child = sinon.stub(require('node:child_process')); child.exec.returns({});",
errors: [{ message: 'Found require("node:child_process")' }],
},
{
code: `
var foo = require('child_process');
function fn () {
var result = foo.exec(str);
}`,
errors: [
{ message: 'Found require("child_process")', line: 2 },
{ message: 'Found child_process.exec() with non Literal first argument', line: 4 },
],
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
},
{
code: `
var foo = require('child_process');
import foo from 'child_process';
function fn () {
var result = foo.exec(str);
}`,
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
},
{
code: `
import foo from 'node:child_process';
function fn () {
var foo = /hello/;
var result = foo.exec(str);
}`,
errors: [{ message: 'Found require("child_process")', line: 2 }],
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 4 }],
},
{
code: `
require('child_process').exec(str)`,
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 2 }],
},
{
code: `
function fn () {
require('child_process').exec(str)
}`,
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
},
{
code: `
const {exec} = require('child_process');
exec(str)`,
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
},
{
code: `
const {exec} = require('node:child_process');
exec(str)`,
errors: [{ message: 'Found child_process.exec() with non Literal first argument', line: 3 }],
},
],
});

0 comments on commit 64ae529

Please sign in to comment.