-
-
Notifications
You must be signed in to change notification settings - Fork 109
/
detect-non-literal-require.js
47 lines (41 loc) · 1.39 KB
/
detect-non-literal-require.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
/**
* Tries to detect calls to require with non-literal argument
* @author Adam Baldwin
*/
'use strict';
const { isStaticExpression } = require('../utils/is-static-expression');
//------------------------------------------------------------------------------
// Rule Definition
//------------------------------------------------------------------------------
module.exports = {
meta: {
type: 'error',
docs: {
description: 'Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk.',
category: 'Possible Security Vulnerability',
recommended: true,
url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
},
},
create(context) {
const sourceCode = context.sourceCode || context.getSourceCode();
return {
CallExpression(node) {
if (node.callee.name === 'require') {
const args = node.arguments;
const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
if (
args &&
args.length > 0 &&
!isStaticExpression({
node: args[0],
scope,
})
) {
return context.report({ node: node, message: 'Found non-literal argument in require' });
}
}
},
};
},
};