@sap/eslint-plugin-cds 4.0.2 → 4.1.0

package/CHANGELOG.md

@@ -6,7 +6,18 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
-## [4.1.0] - 2025-05-27
+## [4.1.0] - 2025-08-18
+
+### Added
+- Add new rule `case-sensitive-well-known-events` to detect when a well known event is not cased correctly.
+
+### Changed
+- Adjust `no-shared-handler-variables` to also detect shared states when handler refers to a locally defined function, rather than an inline declaration.
+- Rule `use-cql-select-template-strings` now also catches offending template strings in other query parts than just `SELECT`.
+- Rule `no-shared-handler-variables` now also checks functions that are not part of a class extending `cds.ApplicationService`, if the function has an explicit type annotation `@type {import('@sap/cds').CRUDEventHandler.Before}`, `@type {import('@sap/cds').CRUDEventHandler.On}`, or `@type {import('@sap/cds').CRUDEventHandler.After}`.
+
+### Fixed
+- `no-cross-service-import` rule no longer crashes when some file has an unexpected name.
 
 
 ## [4.0.2] - 2025-05-27

package/lib/conf/js/all.js

@@ -5,4 +5,5 @@ module.exports = {
   '@sap/cds/use-cql-select-template-strings': 'error',
   '@sap/cds/no-cross-service-import': 'warn',
   '@sap/cds/no-deep-sap-cds-import': 'warn',
+  '@sap/cds/case-sensitive-well-known-events': 'warn',
 }

package/lib/conf/js/recommended.js

@@ -5,4 +5,5 @@ module.exports = {
   '@sap/cds/use-cql-select-template-strings': 'error',
   '@sap/cds/no-cross-service-import': 'warn',
   '@sap/cds/no-deep-sap-cds-import': 'warn',
+  '@sap/cds/case-sensitive-well-known-events': 'warn',
 }

package/lib/index.js

@@ -35,9 +35,12 @@ const plugin = {
   ...api
 }
 
-// Assign configs here so we can reference `plugin`
-Object.assign(plugin.configs, getConfigs(plugin))
-
 // Use commonJS entry point to ensure backwards compatibility (<eslint@v9):
 // https://eslint.org/docs/latest/extend/plugin-migration-flat-config#backwards-compatibility
-module.exports = plugin
+// spread and mix object to be able to reference plugin in getConfigs
+module.exports = {
+  ...plugin,
+  ...{
+    configs: getConfigs(plugin)
+  }
+}

package/lib/rules/js/CdsHandlerRule.js

@@ -1,9 +1,9 @@
 // TODO:
 // - class extends require('@sap/cds').ApplicationService
 // - class extends await import('@sap/cds').ApplicationService
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.Scope} Scope */
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.Variable} Variable */
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.VariableType} VariableType */
+/** @typedef {import('./types').CdsContextTracker.Scope} Scope */
+/** @typedef {import('./types').CdsContextTracker.Variable} Variable */
+/** @typedef {import('./types^').CdsContextTracker.VariableType} VariableType */
 
 'use strict'
 
@@ -42,6 +42,7 @@ class CdsHandlerRule {
   get isInsideCapHandlerRegistration() {  return this.capHandlerRegistrationStack.length > 0 }
 
   constructor (context) {
+    /** @type {import('eslint').Rule.RuleContext} */
     this.context = context
     /** @type {Scope[]} */
     this.functionScopes = [ produceScope('<global>') ]
@@ -89,6 +90,17 @@ class CdsHandlerRule {
     return info?.variable.isCdsVariable
   }
 
+  /**
+   * @param {ReturnType<typeof produceHandlerRegistration>} registration - the handler registration to add
+   */
+  addCapHandlerRegistration (registration) {
+    this.capHandlerRegistrationStack.push(registration)
+  }
+
+  removeCapHandlerRegistration () {
+    this.capHandlerRegistrationStack.pop()
+  }
+
   /**
      * @param {Variable} variable
      */
@@ -96,6 +108,17 @@ class CdsHandlerRule {
     this.functionScopes.at(-1).variables.push(variable)
   }
 
+  /**
+   * @param {Scope} scope - the scope to add
+   */
+  enterFunctionScope (scope) {
+    this.functionScopes.push(scope)
+  }
+
+  leaveFunctionScope () {
+    this.functionScopes.pop()
+  }
+
   /**
      * @abstract
      */
@@ -124,7 +147,7 @@ class CdsHandlerRule {
       // like: this.on('submitOrder', bar)
       if (['before', 'on', 'after'].some(method => method === property.name)) {
         const handler = node.arguments.at(-1)
-        this.capHandlerRegistrationStack.push(produceHandlerRegistration({
+        this.addCapHandlerRegistration(produceHandlerRegistration({
           call: node,
           handler
         }))
@@ -136,23 +159,27 @@ class CdsHandlerRule {
 
   'CallExpression:exit'(node) {
     if (this.capHandlerRegistrationStack.at(-1)?.call === node) {
-      this.capHandlerRegistrationStack.pop()
+      this.removeCapHandlerRegistration()
     }
   }
 
   BlockStatement(node) {
     if(isFunctionBody(node)) {
-      this.functionScopes.push(produceScope(
+      this.enterFunctionScope(produceScope(
         node.parent?.key?.name
                 ?? node.parent?.id?.name
                 ?? node.parent?.parent?.key?.name
+                // const f = function() { ... }
+                ?? (node.parent?.parent?.type === 'VariableDeclarator'
+                  ? node.parent.parent.id.name
+                  : undefined)
                 ?? '<anonymous>'))
     }
   }
 
   'BlockStatement:exit'(node) {
     if(isFunctionBody(node)) {
-      this.functionScopes.pop()
+      this.leaveFunctionScope()
     }
   }
 
@@ -161,10 +188,10 @@ class CdsHandlerRule {
   // determine when we are inside the body ArrowFunctionExpression from looking at the body,
   // as we'd have to add a visitor for every expression type and check if it's a child of an ArrowFunctionExpression.
   'ArrowFunctionExpression > :not(BlockStatement)'() {
-    this.functionScopes.push(produceScope('<anonymous>'))
+    this.enterFunctionScope(produceScope('<anonymous>'))
   }
   'ArrowFunctionExpression > :not(BlockStatement):exit'() {
-    this.functionScopes.pop()
+    this.leaveFunctionScope()
   }
 
   ImportDeclaration(node) {

package/lib/rules/js/case-sensitive-well-known-events.js

@@ -0,0 +1,53 @@
+'use strict'
+
+const { RULE_CATEGORIES } = require('../../constants')
+const { CdsHandlerRule } = require('./CdsHandlerRule')
+
+const WELL_KNOWN_EVENTS = [
+  'CREATE', 'READ', 'UPDATE', 'UPSERT','DELETE',
+  'INSERT','SELECT',
+  'POST','GET','PUT','PATCH',
+  'NEW', 'CANCEL', 'EDIT', 'SAVE'  // draft related
+]
+
+class CaseSensitiveWellKnownEvents extends CdsHandlerRule {
+  CAPHandlerRegistration(node) {
+    const first = node.parent?.arguments?.[0]
+    if (!first) return
+    const currentEventName = first.value ?? ''
+    const currentEventNameUpper = currentEventName.toUpperCase()
+    if (WELL_KNOWN_EVENTS.includes(currentEventNameUpper) && currentEventName !== currentEventNameUpper) {
+      const quoteType = ['"', '\'', '`'].includes(first.raw?.[0]) ? first.raw?.[0] : '"'
+      this.context.report({
+        node: first,
+        messageId: 'incorrectEventNameCase',
+        data: {
+          currentEventName: currentEventName,
+          properEventName: currentEventNameUpper
+        },
+        suggest: [{
+          desc: 'Change event casing to upper case',
+          fix: fixer => fixer.replaceText(first, `${quoteType}${currentEventNameUpper}${quoteType}`)
+        }]
+      })
+    }
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.javascript,
+      description: 'Make sure well-known events are used with proper casing.'
+    },
+    fixable: 'code',
+    schema: [],
+    messages: {
+      incorrectEventNameCase: 'Found an event registration for event "{{currentEventName}}", which is likely supposed to be "{{properEventName}}".'
+    },
+    hasSuggestions: true
+  },
+  create: context => new CaseSensitiveWellKnownEvents(context).asESLintVisitor()
+}

package/lib/rules/js/no-cross-service-import.js

@@ -18,7 +18,7 @@ function compareImportAndFilename (importPath, context, node) {
   // ignore excessively long strings
   if (importPath.length > MAX_INPUT_STRING_LENGTH || currentFile.length > MAX_INPUT_STRING_LENGTH) return
   const [, typerModuleFq, typerModule] = /^#cds-models\/.*?((\w+)Service)$/.exec(importPath) ?? []
-  const [, fileNameFq, fileName] = /((\w+)-?[sS]ervice\.m?[jt]s)$/.exec(currentFile)
+  const [, fileNameFq, fileName] = /((\w+)-?[sS]ervice\.m?[jt]s)$/.exec(currentFile) ?? []
   // typerModule === undefined -> not a service import (probably db-level-entity import)
   if (typerModule && fileName && typerModule !== fileName) {
     context.report({

package/lib/rules/js/no-shared-handler-variable.js

@@ -5,14 +5,6 @@ Use cases not yet covered:
 INLINE EXTENSION
 class FooService extends require('@sap/cds').ApplicationService { ... }
 
-//---------
-REFERENCED FUNCTION
-function bad() { ... }
-
-class ... {
-    this.on('', bad)
-}
-
 //---------
 METHOD
 class ... {
@@ -39,18 +31,164 @@ cds.services['myService'].on('READ', 'Books', () => {})
 const { RULE_CATEGORIES } = require('../../constants')
 const { CdsHandlerRule } = require('./CdsHandlerRule')
 
+/**
+ * @param {string | undefined} t
+ */
+function isHandlerType(t) {
+  // match "import('@sap/cds').CRUDEventHandler.Before" etc.
+  return ['Before', 'On', 'After'].some(handlerType => t?.match(new RegExp(`import\\s?\\(.@sap\\/cds.\\)\\.CRUDEventHandler.${handlerType}`)))
+}
+
 class NoSharedVariable extends CdsHandlerRule {
-  AssignmentExpression(node) {
-    if (!this.isInsideCapHandlerRegistration) return
-    const declaringScope = this.findDefinitionScope(node.left.name)
-    if (declaringScope?.isLocal === false) {
-      this.context.report({
-        node,
-        messageId: 'noSharedHandlerVariable',
-        data: {
-          definitionScope: declaringScope.scope.name
-        }
+  /**
+   * Functions that modify variables that are not locally declared.
+   * They are stored by name.
+   * Note: this is not fully fail proof, as the functions are stored in a flat fashion,
+   * rather than maintaining the scope they are declared in.
+   * This could lead to false positives if a function with the same name is declared in multiple scopes.
+   * @type {Record<string, Scope>}
+   */
+  #suspiciousFunctions = {}
+  /**
+   * nodes of handler registrations like:
+   * ```js
+   * this.on('READ', 'Books', handler)
+   * //                       ^^^^^^^
+   * ```
+   * as they reference the handler by name, its definition may come later in the code
+   * due to hoisting.
+   * We check them later in `Program:exit()`.
+   */
+  #pendingInspections = []
+
+  /**
+   * Typedef JSDoc to look up local aliases.
+   * ```js
+   * ＠typedef {Bar} Foo
+   * ```
+   * becomes
+   * ```js
+   * {Foo: 'Bar'}
+   * ```
+   * @type {Record<string, import('estree').Comment & { type: string }>}
+   */
+  #typeDefinitions = {}
+
+  /**
+   * Type JSDoc that matches the estree definition of a Comment,
+   * plus an additional `type` property that contains the type of the variable.
+   * Local type aliases are resolved to the actual type using #typeDefinitions.
+   *
+   * @type {Array<import('estree').Comment & { type: string }>}
+   */
+  #typeDeclarations = []
+
+  #handlerDefinitionDepth = 0
+
+  /**
+   * When we are inside a function that has explicitly been annotated as
+   * a handler function via a @type JSDoc annotation.
+   */
+  get isInsideExplicitCapHandlerDefinition() {
+    return this.#handlerDefinitionDepth > 0
+  }
+
+  addCapHandlerRegistration(registration) {
+    super.addCapHandlerRegistration(registration)
+
+    if (registration.handler.type === 'Identifier') {
+      this.#pendingInspections.push(registration)
+    }
+  }
+
+  Program() {
+    const comments = this.context.sourceCode.getAllComments()
+    this.#typeDefinitions = Object.fromEntries(comments
+      .map(comment => {
+        const [, type, name] = comment.value.match(/^\*\s?@typedef\s?\{(.*)\}\s?(\w*)/) ?? []
+        return type && name ? [ name, {...comment, type} ] : null
+      })
+      .filter(Boolean))
+    this.#typeDeclarations = comments
+      .map(comment => {
+        const match = comment.value.match(/^\*\s?@type\s?\{(.*)\}/)?.[1]
+        if (!match) return null
+        const type = this.#typeDefinitions[match]?.type ?? match
+        return type ? { ...comment, type } : null
       })
+      .filter(Boolean)
+  }
+
+  'Program:exit'() {
+    for (const node of this.#pendingInspections) {
+      const { scope } = this.#suspiciousFunctions[node.handler.name] ?? {}
+      if (scope) {
+        this.context.report({
+          node: node.handler,
+          messageId: 'noSharedHandlerVariable',
+          data: {
+            definitionScope: scope.name
+          }
+        })
+      }
+    }
+  }
+
+  #enterFunctionDefinition(node) {
+    // find a JDoc type comment, that is either on the line before, or in the same line,
+    // but up to three columns to the left. The latter condition covers three cases:
+    // 1. TYPEDEFFUNC -- (no space between the comment and start of function) -> distance = 0
+    // 2. TYPEDEF FUNC-- (one space between the comment and start of function) -> distance = 1
+    // 3. TYPEDEF(FUNC) -- (no space after typedef, followed by an opening parenthesis) -> distance = 1
+    // 3. TYPEDEF (FUNC) -- (one space after typedef and an opening parenthesis) -> distance = 2
+    // Note: this will fail if we have empty lines between the function declaration and the JSDoc.
+    // Also when users have more spaces or other outlandish formatting styles.
+    const type = this.#typeDeclarations.find(({loc}) =>
+      loc.end.line === node.loc.start.line - 1
+      || loc.end.line === node.loc.start.line && [0,1,2].includes(node.loc.start.column - loc.end.column)
+    )
+    // if the function is explicitly declared as handler, we check it.
+    // If the function is not explicitly declared as handler, but a surrounding function is (this.handlerDefinitionDepth > 0),
+    // we check it too.
+    if (isHandlerType(type?.type) || this.isInsideExplicitCapHandlerDefinition) this.#handlerDefinitionDepth++
+  }
+
+  #exitFunctionDefinition() {
+    this.#handlerDefinitionDepth = Math.max(0, this.#handlerDefinitionDepth - 1)
+  }
+
+  // () => ...
+  ArrowFunctionExpression(node) { this.#enterFunctionDefinition(node) }
+  'ArrowFunctionExpression:exit'() { this.#exitFunctionDefinition() }
+  // function() { ... }
+  FunctionExpression(node) { this.#enterFunctionDefinition(node) }
+  'FunctionExpression:exit'() { this.#exitFunctionDefinition() }
+  // function f () { ... }
+  FunctionDeclaration(node) { this.#enterFunctionDefinition(node) }
+  'FunctionDeclaration:exit'() { this.#exitFunctionDefinition()}
+
+  AssignmentExpression(node) {
+    if (this.isInsideCapHandlerRegistration || this.isInsideExplicitCapHandlerDefinition) {
+      // like: this.on('READ', 'Books', () => { variable = 42 })
+      const declaringScope = this.findDefinitionScope(node.left.name)
+      if (declaringScope?.isLocal === false) {
+        this.context.report({
+          node,
+          messageId: 'noSharedHandlerVariable',
+          data: {
+            definitionScope: declaringScope.scope.name
+          }
+        })
+      }
+    } else if (this.functionScopes.length > 0) {
+      // not inside a handler registration, but in a function that may be referenced in a handler registration
+      // like: this.on('READ', 'Books', handler)
+      // as functions are hoisted and can be referenced before their definition, we just collect the names of suspicious functions
+      // and check them in Program:exit when we have inspected all functions.
+      const declaringScope = this.findDefinitionScope(node.left.name)
+      if (declaringScope?.isLocal === false) {
+        this.#suspiciousFunctions[this.functionScopes.at(-1).name] = declaringScope
+      }
     }
   }
 }

package/lib/rules/js/use-cql-select-template-strings.js

@@ -3,19 +3,48 @@
 const { RULE_CATEGORIES } = require('../../constants')
 const { CdsHandlerRule } = require('./CdsHandlerRule')
 
+const isCqlClauseStart = node => ['SELECT', 'UPDATE', 'INSERT', 'DELETE', 'UPSERT'].includes(node.name)
+
+/**
+ * ESLint goes through member functions in reverse order:
+ *   x.y.z -> z, y, x
+ * so we can not track when we
+ * enter a CQL clause, but instead have to check the chain of ancestors for each member
+ * recursively. If we find the topmost function call is a CQL clause (SELECT, UPDATE, etc.),
+ * none of the member functions in the chain are allowed to use untagged template strings.
+ */
+const isInCqlClause = node => {
+  if (!node) return false
+  if (node.type === 'CallExpression' && isCqlClauseStart(node.callee)) return true
+  if (node.type === 'TaggedTemplateExpression' && isCqlClauseStart(node.tag)) return true
+  // f(...) and f`...` have slightly different structure, the former has .callee, the latter has .tag
+  // -> use the first that is available to ascend through the call chain
+  return isInCqlClause(node.callee?.object ?? node.tag?.object)
+}
+
 class CqlSelectUseTemplateStrings extends CdsHandlerRule {
   CallExpression(node) {
     super.CallExpression(node)
-    if (node.callee?.name === 'SELECT' && node.arguments[0].type === 'TemplateLiteral') {
-      this.context.report({
-        node,
-        message: 'Do not use SELECT(`...`), which is prone to SQL injections.',
-        suggest: [{
-          desc: 'Use SELECT`...` instead',
-          fix: fixer => fixer.replaceText(node, `SELECT${this.context.getSourceCode().getText(node.arguments[0])}`)
-        }]
-      })
-    }
+    const [arg] = node.arguments ?? []
+    if (arg?.type !== 'TemplateLiteral') return
+    if (arg.expressions.length === 0) return  // no expressions in the template string, so no SQL injection risk
+    if (!isInCqlClause(node)) return
+
+    const [functionName, prefix] =  node.callee.type === 'MemberExpression'
+      // for ….where`...` we need to use the full preceding expression in the following replacement
+      ? [node.callee.property?.name, this.context.getSourceCode().getText(node.callee)]
+      // for SELECT`...` we can use the function name directly
+      : [node.callee.name, node.callee.name]
+    this.context.report({
+      node,
+      message: 'Do not use {{functionName}}(`...`) inside CQL statements, which is prone to SQL injections.',
+      data: { functionName },
+      suggest: [{
+        desc: 'Use {{functionName}}`...` instead of {{functionName}}(`...`)',
+        data: { functionName },
+        fix: fixer => fixer.replaceText(node, `${prefix}${this.context.getSourceCode().getText(arg)}`)
+      }]
+    })
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/eslint-plugin-cds",
-  "version": "4.0.2",
+  "version": "4.1.0",
   "description": "ESLint plugin including recommended SAP Cloud Application Programming model and environment rules",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [