auto-cr-rules 2.0.40 → 2.0.41

package/dist/rules/missingAsyncCleanup.js

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.missingAsyncCleanup = void 0;
+var types_1 = require("../types");
+var isIdentifier = function (node, name) {
+    return node.type === 'Identifier' && node.value === name;
+};
+var isMemberExpressionWithIdentifier = function (node, name) {
+    if (node.type !== 'MemberExpression') {
+        return false;
+    }
+    if (node.property.type === 'Identifier' && node.property.value === name) {
+        return true;
+    }
+    return false;
+};
+var createMetrics = function () { return ({
+    setInterval: {
+        api: 'setInterval',
+        cleanup: 'clearInterval',
+        calls: [],
+        cleanupCount: 0,
+        codeSample: 'setInterval(() => {/* ... */}, delay)',
+    },
+    addEventListener: {
+        api: 'addEventListener',
+        cleanup: 'removeEventListener',
+        calls: [],
+        cleanupCount: 0,
+        codeSample: 'target.addEventListener("type", handler)',
+    },
+}); };
+function isTargetedCall(callee, name) {
+    return isIdentifier(callee, name) || isMemberExpressionWithIdentifier(callee, name);
+}
+function visit(node, cb) {
+    var _a;
+    if (!node) {
+        return;
+    }
+    if (Array.isArray(node)) {
+        node.forEach(function (child) { return visit(child, cb); });
+        return;
+    }
+    if (typeof node !== 'object') {
+        return;
+    }
+    var candidate = node;
+    if (candidate.type === 'CallExpression') {
+        cb(candidate);
+        var call = candidate;
+        visit(call.callee, cb);
+        if (call.arguments) {
+            for (var _i = 0, _b = call.arguments; _i < _b.length; _i++) {
+                var arg = _b[_i];
+                visit((_a = arg.expression) !== null && _a !== void 0 ? _a : arg, cb);
+            }
+        }
+        if (call.typeArguments) {
+            visit(call.typeArguments, cb);
+        }
+        return;
+    }
+    for (var _c = 0, _d = Object.values(candidate); _c < _d.length; _c++) {
+        var value = _d[_c];
+        visit(value, cb);
+    }
+}
+exports.missingAsyncCleanup = (0, types_1.defineRule)('require-cleanup-for-async-effects', { tag: 'base', severity: types_1.RuleSeverity.Warning }, function (_a) {
+    var ast = _a.ast, helpers = _a.helpers, language = _a.language, messages = _a.messages;
+    var metrics = createMetrics();
+    visit(ast, function (call) {
+        var callee = call.callee;
+        if (isTargetedCall(callee, 'setInterval')) {
+            metrics.setInterval.calls.push(call);
+            return;
+        }
+        if (isTargetedCall(callee, 'clearInterval')) {
+            metrics.setInterval.cleanupCount += 1;
+            return;
+        }
+        if (isTargetedCall(callee, 'addEventListener')) {
+            metrics.addEventListener.calls.push(call);
+            return;
+        }
+        if (isTargetedCall(callee, 'removeEventListener')) {
+            metrics.addEventListener.cleanupCount += 1;
+            return;
+        }
+    });
+    var suggestionsByLanguage = language === 'zh'
+        ? [
+            { text: '在 useEffect 的返回函数或组件卸载时调用对应的清理函数。' },
+            { text: '确保自定义 Hook 在调用组件卸载时执行 clearInterval/removeEventListener。' },
+        ]
+        : [
+            { text: 'Return a cleanup function from useEffect to clear timers or listeners.' },
+            { text: 'Ensure custom hooks expose a teardown that calls clearInterval/removeEventListener.' },
+        ];
+    Object.values(metrics).forEach(function (metric) {
+        if (metric.calls.length === 0 || metric.cleanupCount > 0) {
+            return;
+        }
+        var description = messages.missingAsyncCleanup({ api: metric.api, cleanup: metric.cleanup });
+        var firstCall = metric.calls[0];
+        helpers.reportViolation({
+            description: description,
+            code: metric.codeSample,
+            suggestions: suggestionsByLanguage,
+            span: firstCall.span,
+        }, firstCall.span);
+    });
+});

package/dist/rules/noSwallowedErrors.js

@@ -2,109 +2,38 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.noSwallowedErrors = void 0;
 var types_1 = require("../types");
-var LOG_METHODS = new Set(['error', 'warn', 'info', 'log', 'fatal']);
-var isLoggingCall = function (expression) {
-    var callee = expression.callee;
-    if (callee.type === 'Identifier') {
-        var name = callee.value.toLowerCase();
-        return name.includes('log') || name.includes('error') || name.includes('report');
-    }
-    if (callee.type === 'MemberExpression') {
-        var member = callee;
-        var property = member.property;
-        if (property.type === 'Identifier' && LOG_METHODS.has(property.value)) {
-            return true;
-        }
-    }
-    return false;
-};
-var hasLoggingCall = function (statements) {
-    for (var _i = 0, statements_1 = statements; _i < statements_1.length; _i++) {
-        var statement = statements_1[_i];
-        if (statement.type === 'ExpressionStatement' && statement.expression.type === 'CallExpression') {
-            if (isLoggingCall(statement.expression)) {
-                return true;
-            }
-        }
-    }
-    return false;
-};
-var containsThrowStatement = function (node) {
-    var queue = [node];
-    while (queue.length > 0) {
-        var current = queue.pop();
-        if (!current || typeof current !== 'object') {
-            continue;
-        }
-        var candidate = current;
-        if (candidate.type === 'ThrowStatement') {
-            return true;
-        }
-        for (var _i = 0, _a = Object.values(candidate); _i < _a.length; _i++) {
-            var value = _a[_i];
-            queue.push(value);
-        }
-    }
-    return false;
-};
-var visitTryStatements = function (ast, callback) {
-    var queue = [ast];
-    while (queue.length > 0) {
-        var current = queue.pop();
-        if (!current || typeof current !== 'object') {
-            continue;
-        }
-        var candidate = current;
-        if (candidate.type === 'TryStatement') {
-            callback(candidate);
-        }
-        for (var _i = 0, _a = Object.values(candidate); _i < _a.length; _i++) {
-            var value = _a[_i];
-            queue.push(value);
-        }
-    }
-};
 exports.noSwallowedErrors = (0, types_1.defineRule)('no-swallowed-errors', { tag: 'base', severity: types_1.RuleSeverity.Warning }, function (_a) {
     var _b, _c;
     var ast = _a.ast, helpers = _a.helpers, messages = _a.messages, source = _a.source;
-    // Record the start of the module so we can normalise SWC's global byte offsets to file-local positions.
     var moduleStart = (_c = (_b = ast.span) === null || _b === void 0 ? void 0 : _b.start) !== null && _c !== void 0 ? _c : 0;
     var lineIndex = buildLineIndex(source);
-    visitTryStatements(ast, function (statement) {
-        if (statement.type !== 'TryStatement') {
-            return;
-        }
-        var handler = statement.handler;
-        if (!handler) {
-            return;
-        }
-        var body = handler.body;
-        var statements = body.stmts;
-        var report = function () {
-            // Convert the body span to a line, then fall back to the literal catch line if the maths lands in comments.
-            var charIndex = bytePosToCharIndex(source, moduleStart, body.span.start);
-            var computedLine = resolveLine(lineIndex, charIndex);
-            var fallbackLine = findCatchLine(source, computedLine);
-            var line = selectLineNumber(computedLine, fallbackLine);
-            helpers.reportViolation({
-                description: messages.swallowedError(),
-                line: line,
-                span: body.span,
-            }, body.span);
-        };
-        if (statements.length === 0) {
-            report();
+    visitTryStatements(ast, function (tryStatement) {
+        var _a, _b, _c, _d, _e;
+        var catchBlock = (_b = (_a = tryStatement.handler) === null || _a === void 0 ? void 0 : _a.body) !== null && _b !== void 0 ? _b : null;
+        var finallyBlock = (_c = tryStatement.finalizer) !== null && _c !== void 0 ? _c : null;
+        var catchHasExecutable = catchBlock ? hasExecutableStatements(catchBlock.stmts) : false;
+        var finallyHasExecutable = finallyBlock ? hasExecutableStatements(finallyBlock.stmts) : false;
+        if (catchHasExecutable || finallyHasExecutable) {
             return;
         }
-        var hasThrow = containsThrowStatement(statements);
-        var hasLogging = hasLoggingCall(statements);
-        if (!hasThrow && !hasLogging) {
-            report();
-        }
+        var reportSpan = (_e = (_d = catchBlock === null || catchBlock === void 0 ? void 0 : catchBlock.span) !== null && _d !== void 0 ? _d : finallyBlock === null || finallyBlock === void 0 ? void 0 : finallyBlock.span) !== null && _e !== void 0 ? _e : tryStatement.span;
+        var charIndex = bytePosToCharIndex(source, moduleStart, reportSpan.start);
+        var computedLine = resolveLine(lineIndex, charIndex);
+        var fallbackLine = determineFallbackLine({
+            source: source,
+            computedLine: computedLine,
+            hasCatch: Boolean(catchBlock),
+            hasFinally: Boolean(finallyBlock),
+        });
+        var line = selectLineNumber(computedLine, fallbackLine);
+        helpers.reportViolation({
+            description: messages.swallowedError(),
+            line: line,
+            span: reportSpan,
+        }, reportSpan);
     });
 });
 var buildLineIndex = function (source) {
-    // Collect every newline. We share the helper with the import rule so behaviour stays consistent across detectors.
     var offsets = [0];
     for (var index = 0; index < source.length; index += 1) {
         if (source[index] === '\n') {
@@ -165,20 +94,27 @@ var bytePosToCharIndex = function (source, moduleStart, bytePos) {
     }
     return source.length;
 };
-var findCatchLine = function (source, computedLine) {
+var determineFallbackLine = function (_a) {
+    var source = _a.source, computedLine = _a.computedLine, hasCatch = _a.hasCatch, hasFinally = _a.hasFinally;
+    if (hasCatch) {
+        return findKeywordLine(source, computedLine, /\bcatch\b/);
+    }
+    if (hasFinally) {
+        return findKeywordLine(source, computedLine, /\bfinally\b/);
+    }
+    return findKeywordLine(source, computedLine, /\btry\b/);
+};
+var findKeywordLine = function (source, computedLine, pattern) {
     var lines = source.split(/\r?\n/);
     var startIndex = Math.max((computedLine !== null && computedLine !== void 0 ? computedLine : 1) - 1, 0);
-    var catchPattern = /\bcatch\b/;
-    // Walk forward from the computed line so we land on the actual catch clause even if decorators or comments exist.
     for (var index = startIndex; index < lines.length; index += 1) {
-        if (catchPattern.test(lines[index])) {
+        if (pattern.test(lines[index])) {
             return index + 1;
         }
     }
     return undefined;
 };
 var selectLineNumber = function (computed, fallback) {
-    // Mirror the behaviour in the import rule: prefer the fallback when it is available and appears after the computed line.
     if (fallback === undefined) {
         return computed;
     }
@@ -190,3 +126,33 @@ var selectLineNumber = function (computed, fallback) {
     }
     return computed;
 };
+var visitTryStatements = function (ast, callback) {
+    var queue = [ast];
+    while (queue.length > 0) {
+        var current = queue.pop();
+        if (!current || typeof current !== 'object') {
+            continue;
+        }
+        var candidate = current;
+        if (candidate.type === 'TryStatement') {
+            callback(candidate);
+        }
+        for (var _i = 0, _a = Object.values(candidate); _i < _a.length; _i++) {
+            var value = _a[_i];
+            queue.push(value);
+        }
+    }
+};
+var hasExecutableStatements = function (statements) {
+    return statements.some(isExecutableStatement);
+};
+var isExecutableStatement = function (statement) {
+    switch (statement.type) {
+        case 'EmptyStatement':
+            return false;
+        case 'BlockStatement':
+            return hasExecutableStatements(statement.stmts);
+        default:
+            return true;
+    }
+};

package/dist/rules/noUnsafeDangerouslySetInnerHTML.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noUnsafeDangerouslySetInnerHTML = void 0;
+var types_1 = require("../types");
+var ATTRIBUTE_NAME = 'dangerouslySetInnerHTML';
+var HTML_KEY = '__html';
+var isIdentifierAttribute = function (attribute, name) {
+    return attribute.name.type === 'Identifier' && attribute.name.value === name;
+};
+var isTrustedLiteral = function (expression) {
+    if (expression.type === 'StringLiteral') {
+        return true;
+    }
+    if (expression.type === 'TemplateLiteral') {
+        var template = expression;
+        return template.expressions.length === 0;
+    }
+    return false;
+};
+var extractHtmlExpression = function (attribute) {
+    if (!attribute.value) {
+        return null;
+    }
+    if (attribute.value.type === 'StringLiteral') {
+        return attribute.value;
+    }
+    if (attribute.value.type !== 'JSXExpressionContainer') {
+        return null;
+    }
+    var container = attribute.value;
+    var expression = container.expression;
+    if (!expression || expression.type === 'JSXEmptyExpression') {
+        return null;
+    }
+    if (expression.type === 'ObjectExpression') {
+        for (var _i = 0, _a = expression.properties; _i < _a.length; _i++) {
+            var property = _a[_i];
+            if (property.type !== 'KeyValueProperty') {
+                continue;
+            }
+            var key = property.key;
+            var keyName = key.type === 'Identifier'
+                ? key.value
+                : key.type === 'StringLiteral'
+                    ? key.value
+                    : null;
+            if (keyName === HTML_KEY) {
+                return property.value;
+            }
+        }
+        return expression;
+    }
+    return expression;
+};
+var visit = function (node, callback) {
+    if (!node) {
+        return;
+    }
+    if (Array.isArray(node)) {
+        node.forEach(function (child) { return visit(child, callback); });
+        return;
+    }
+    if (typeof node !== 'object') {
+        return;
+    }
+    var candidate = node;
+    if (candidate.type === 'JSXAttribute') {
+        callback(candidate);
+    }
+    for (var _i = 0, _a = Object.values(candidate); _i < _a.length; _i++) {
+        var value = _a[_i];
+        visit(value, callback);
+    }
+};
+exports.noUnsafeDangerouslySetInnerHTML = (0, types_1.defineRule)('no-unsafe-dangerously-set-inner-html', { tag: 'security', severity: types_1.RuleSeverity.Error }, function (_a) {
+    var ast = _a.ast, helpers = _a.helpers, language = _a.language, messages = _a.messages;
+    visit(ast, function (attribute) {
+        if (!isIdentifierAttribute(attribute, ATTRIBUTE_NAME)) {
+            return;
+        }
+        var expression = extractHtmlExpression(attribute);
+        if (expression && isTrustedLiteral(expression)) {
+            return;
+        }
+        var suggestions = language === 'zh'
+            ? [
+                { text: '优先使用经过消毒的 HTML（例如 DOMPurify.sanitize）。' },
+                { text: '避免直接渲染来自外部或用户输入的字符串。' },
+            ]
+            : [
+                { text: 'Sanitize the HTML string before passing it in (e.g. DOMPurify.sanitize).' },
+                { text: 'Avoid rendering user-generated strings with dangerouslySetInnerHTML.' },
+            ];
+        helpers.reportViolation({
+            description: messages.unsafeDangerouslySetInnerHTML(),
+            code: ATTRIBUTE_NAME,
+            suggestions: suggestions,
+            span: attribute.span,
+        });
+    });
+});

package/dist/types/rules/missingAsyncCleanup.d.ts

@@ -0,0 +1 @@
+export declare const missingAsyncCleanup: import("../types").Rule;

package/dist/types/rules/noUnsafeDangerouslySetInnerHTML.d.ts

@@ -0,0 +1 @@
+export declare const noUnsafeDangerouslySetInnerHTML: import("../types").Rule;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auto-cr-rules",
-  "version": "2.0.40",
+  "version": "2.0.41",
   "description": "Extensible static analysis rule set for the auto-cr automated code review toolkit",
   "main": "dist/index.js",
   "types": "dist/types/index.d.ts",