eslint-plugin-security 1.2.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/.eslintrc +13 -0
  2. package/.github/workflows/ci.yml +47 -0
  3. package/.github/workflows/pr.yml +15 -0
  4. package/.prettierrc.json +7 -0
  5. package/CHANGELOG.md +65 -0
  6. package/README.md +97 -16
  7. package/docs/avoid-command-injection-node.md +85 -0
  8. package/docs/bypass-connect-csrf-protection-by-abusing.md +42 -0
  9. package/docs/regular-expression-dos-and-node.md +83 -0
  10. package/docs/the-dangers-of-square-bracket-notation.md +107 -0
  11. package/index.js +20 -0
  12. package/package.json +29 -4
  13. package/rules/data/fsFunctionData.json +49 -49
  14. package/rules/detect-buffer-noassert.js +66 -60
  15. package/rules/detect-child-process.js +37 -32
  16. package/rules/detect-disable-mustache-escape.js +24 -14
  17. package/rules/detect-eval-with-expression.js +19 -9
  18. package/rules/detect-new-buffer.js +17 -21
  19. package/rules/detect-no-csrf-before-method-override.js +34 -23
  20. package/rules/detect-non-literal-fs-filename.js +38 -37
  21. package/rules/detect-non-literal-regexp.js +24 -21
  22. package/rules/detect-non-literal-require.js +25 -21
  23. package/rules/detect-object-injection.js +61 -59
  24. package/rules/detect-possible-timing-attacks.js +39 -45
  25. package/rules/detect-pseudoRandomBytes.js +18 -15
  26. package/rules/detect-unsafe-regex.js +36 -23
  27. package/test/detect-buffer-noassert.js +30 -0
  28. package/test/detect-child-process.js +25 -0
  29. package/test/detect-disable-mustache-escape.js +16 -0
  30. package/test/detect-eval-with-expression.js +16 -0
  31. package/test/detect-new-buffer.js +17 -0
  32. package/test/detect-no-csrf-before-method-override.js +16 -0
  33. package/test/detect-non-literal-fs-filename.js +18 -0
  34. package/test/detect-non-literal-regexp.js +17 -0
  35. package/test/detect-non-literal-require.js +21 -0
  36. package/test/detect-object-injection.js +45 -0
  37. package/test/detect-possible-timing-attacks.js +34 -0
  38. package/test/detect-pseudoRandomBytes.js +17 -0
  39. package/test/detect-unsafe-regexp.js +27 -0
  40. package/.npmignore +0 -1
package/package.json CHANGED
@@ -1,10 +1,16 @@
1
1
  {
2
2
  "name": "eslint-plugin-security",
3
- "version": "1.2.0",
3
+ "version": "1.5.0",
4
4
  "description": "Security rules for eslint",
5
5
  "main": "index.js",
6
6
  "scripts": {
7
- "test": "echo \"Error: no test specified\" && exit 1"
7
+ "changelog": "changelog eslint-plugin-security all > CHANGELOG.md",
8
+ "release": "npx semantic-release",
9
+ "test": "mocha test/**/*",
10
+ "format": "prettier --write **/*.{md,js,yml}",
11
+ "lint": "eslint .",
12
+ "lint:fix": "eslint --fix .",
13
+ "cont-int": "npm test && npm run lint"
8
14
  },
9
15
  "repository": {
10
16
  "type": "git",
@@ -21,10 +27,29 @@
21
27
  "url": "https://github.com/nodesecurity/eslint-plugin-security/issues"
22
28
  },
23
29
  "homepage": "https://github.com/nodesecurity/eslint-plugin-security#readme",
30
+ "gitHooks": {
31
+ "pre-commit": "lint-staged"
32
+ },
33
+ "lint-staged": {
34
+ "*.js": [
35
+ "prettier --write",
36
+ "eslint --fix"
37
+ ],
38
+ "*.md": "prettier --write",
39
+ "*.yml": "prettier --write"
40
+ },
24
41
  "dependencies": {
25
- "safe-regex": "^1.1.0"
42
+ "safe-regex": "^2.1.1"
26
43
  },
27
44
  "devDependencies": {
28
- "eslint": "^1.8.0"
45
+ "changelog": "1.3.0",
46
+ "eslint": "^8.11.0",
47
+ "eslint-config-nodesecurity": "^1.3.1",
48
+ "eslint-config-prettier": "^8.5.0",
49
+ "lint-staged": "^12.3.7",
50
+ "mocha": "^9.2.2",
51
+ "prettier": "^2.6.2",
52
+ "semantic-release": "^19.0.2",
53
+ "yorkie": "^2.0.0"
29
54
  }
30
55
  }
package/rules/data/fsFunctionData.json CHANGED
@@ -1,51 +1,51 @@
1
1
  {
2
- "appendFile": [0],
3
- "appendFileSync": [0],
4
- "chmod": [0],
5
- "chmodSync": [0],
6
- "chown": [0],
7
- "chownSync": [0],
8
- "createReadStream": [0],
9
- "createWriteStream": [0],
10
- "exists": [0],
11
- "existsSync": [0],
12
- "lchmod": [0],
13
- "lchmodSync": [0],
14
- "lchown": [0],
15
- "lchownSync": [0],
16
- "link": [0,1],
17
- "linkSync": [0,1],
18
- "lstat": [0],
19
- "lstatSync": [0],
20
- "mkdir": [0],
21
- "mkdirSync": [0],
22
- "open": [0],
23
- "openSync": [0],
24
- "readdir": [0],
25
- "readdirSync": [0],
26
- "readFile": [0],
27
- "readFileSync": [0],
28
- "readlink": [0],
29
- "readlinkSync": [0],
30
- "realpath": [0],
31
- "realpathSync": [0],
32
- "rename": [0,1],
33
- "renameSync": [0,1],
34
- "rmdir": [0],
35
- "rmdirSync": [0],
36
- "stat": [0],
37
- "statSync": [0],
38
- "symlink": [0,1],
39
- "symlinkSync": [0,1],
40
- "truncate": [0],
41
- "truncateSync": [0],
42
- "unlink": [0],
43
- "unlinkSync": [0],
44
- "unwatchFile": [0],
45
- "utimes": [0],
46
- "utimesSync": [0],
47
- "watch": [0],
48
- "watchFile": [0],
49
- "writeFile": [0],
50
- "writeFileSync": [0]
2
+ "appendFile": [0],
3
+ "appendFileSync": [0],
4
+ "chmod": [0],
5
+ "chmodSync": [0],
6
+ "chown": [0],
7
+ "chownSync": [0],
8
+ "createReadStream": [0],
9
+ "createWriteStream": [0],
10
+ "exists": [0],
11
+ "existsSync": [0],
12
+ "lchmod": [0],
13
+ "lchmodSync": [0],
14
+ "lchown": [0],
15
+ "lchownSync": [0],
16
+ "link": [0, 1],
17
+ "linkSync": [0, 1],
18
+ "lstat": [0],
19
+ "lstatSync": [0],
20
+ "mkdir": [0],
21
+ "mkdirSync": [0],
22
+ "open": [0],
23
+ "openSync": [0],
24
+ "readdir": [0],
25
+ "readdirSync": [0],
26
+ "readFile": [0],
27
+ "readFileSync": [0],
28
+ "readlink": [0],
29
+ "readlinkSync": [0],
30
+ "realpath": [0],
31
+ "realpathSync": [0],
32
+ "rename": [0, 1],
33
+ "renameSync": [0, 1],
34
+ "rmdir": [0],
35
+ "rmdirSync": [0],
36
+ "stat": [0],
37
+ "statSync": [0],
38
+ "symlink": [0, 1],
39
+ "symlinkSync": [0, 1],
40
+ "truncate": [0],
41
+ "truncateSync": [0],
42
+ "unlink": [0],
43
+ "unlinkSync": [0],
44
+ "unwatchFile": [0],
45
+ "utimes": [0],
46
+ "utimesSync": [0],
47
+ "watch": [0],
48
+ "watchFile": [0],
49
+ "writeFile": [0],
50
+ "writeFileSync": [0]
51
51
  }
package/rules/detect-buffer-noassert.js CHANGED
@@ -1,74 +1,80 @@
1
1
  /**
2
2
  * Tries to detect buffer read / write calls that use noAssert set to true
3
- * @author Adam Baldwin
3
+ * @author Adam Baldwin
4
4
  */
5
5
 
6
- //------------------------------------------------------------------------------
7
- // Rule Definition
8
- //------------------------------------------------------------------------------
9
-
10
- var names = [];
6
+ 'use strict';
11
7
 
12
- module.exports = function(context) {
8
+ //-----------------------------------------------------------------------------
9
+ // Helpers
10
+ //-----------------------------------------------------------------------------
13
11
 
14
- "use strict";
12
+ const read = [
13
+ 'readUInt8',
14
+ 'readUInt16LE',
15
+ 'readUInt16BE',
16
+ 'readUInt32LE',
17
+ 'readUInt32BE',
18
+ 'readInt8',
19
+ 'readInt16LE',
20
+ 'readInt16BE',
21
+ 'readInt32LE',
22
+ 'readInt32BE',
23
+ 'readFloatLE',
24
+ 'readFloatBE',
25
+ 'readDoubleLE',
26
+ 'readDoubleBE',
27
+ ];
15
28
 
16
- var read = [
17
- "readUInt8",
18
- "readUInt16LE",
19
- "readUInt16BE",
20
- "readUInt32LE",
21
- "readUInt32BE",
22
- "readInt8",
23
- "readInt16LE",
24
- "readInt16BE",
25
- "readInt32LE",
26
- "readInt32BE",
27
- "readFloatLE",
28
- "readFloatBE",
29
- "readDoubleL",
30
- "readDoubleBE"
31
- ];
29
+ const write = [
30
+ 'writeUInt8',
31
+ 'writeUInt16LE',
32
+ 'writeUInt16BE',
33
+ 'writeUInt32LE',
34
+ 'writeUInt32BE',
35
+ 'writeInt8',
36
+ 'writeInt16LE',
37
+ 'writeInt16BE',
38
+ 'writeInt32LE',
39
+ 'writeInt32BE',
40
+ 'writeFloatLE',
41
+ 'writeFloatBE',
42
+ 'writeDoubleLE',
43
+ 'writeDoubleBE',
44
+ ];
32
45
 
33
- var write = [
34
- "writeUInt8",
35
- "writeUInt16LE",
36
- "writeUInt16BE",
37
- "writeUInt32LE",
38
- "writeUInt32BE",
39
- "writeInt8",
40
- "writeInt16LE",
41
- "writeInt16BE",
42
- "writeInt32LE",
43
- "writeInt32BE",
44
- "writeFloatLE",
45
- "writeFloatBE",
46
- "writeDoubleLE",
47
- "writeDoubleBE"
48
- ];
49
-
50
-
51
- var getSource = function (token) {
52
- return token.loc.start.line+ ': ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
53
- }
46
+ //------------------------------------------------------------------------------
47
+ // Rule Definition
48
+ //------------------------------------------------------------------------------
54
49
 
50
+ module.exports = {
51
+ meta: {
52
+ type: 'error',
53
+ docs: {
54
+ description: 'Detect calls to "buffer" with "noAssert" flag set.',
55
+ category: 'Possible Security Vulnerability',
56
+ recommended: true,
57
+ url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-buffer-noassert',
58
+ },
59
+ __methodsToCheck: {
60
+ read,
61
+ write,
62
+ },
63
+ },
64
+ create: function (context) {
55
65
  return {
56
- "MemberExpression": function (node) {
57
- var index;
58
- if (read.indexOf(node.property.name) !== -1) {
59
- index = 1;
60
- } else if (write.indexOf(node.property.name) !== -1) {
61
- index = 2;
62
- }
63
-
64
- if (index && node.parent && node.parent.arguments && node.parent.arguments[index] && node.parent.arguments[index].value) {
65
- var token = context.getTokens(node)[0];
66
- return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
67
-
68
- }
66
+ MemberExpression: function (node) {
67
+ let index;
68
+ if (read.indexOf(node.property.name) !== -1) {
69
+ index = 1;
70
+ } else if (write.indexOf(node.property.name) !== -1) {
71
+ index = 2;
69
72
  }
70
73
 
74
+ if (index && node.parent && node.parent.arguments && node.parent.arguments[index] && node.parent.arguments[index].value) {
75
+ return context.report(node, `Found Buffer.${node.property.name} with noAssert flag set true`);
76
+ }
77
+ },
71
78
  };
72
-
79
+ },
73
80
  };
74
-
package/rules/detect-child-process.js CHANGED
@@ -3,44 +3,49 @@
3
3
  * @author Adam Baldwin
4
4
  */
5
5
 
6
+ 'use strict';
7
+
6
8
  //------------------------------------------------------------------------------
7
9
  // Rule Definition
8
10
  //------------------------------------------------------------------------------
9
11
 
10
- var names = [];
11
-
12
- module.exports = function(context) {
13
-
14
- "use strict";
15
-
16
- var getSource = function (token) {
17
- return token.loc.start.line+ ': ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
18
- }
19
-
12
+ /*
13
+ * Stores variable names pointing to child_process to check (child_process).exec()
14
+ */
15
+ const names = [];
16
+
17
+ module.exports = {
18
+ meta: {
19
+ type: 'error',
20
+ docs: {
21
+ description: 'Detect instances of "child_process" & non-literal "exec()" calls.',
22
+ category: 'Possible Security Vulnerability',
23
+ recommended: true,
24
+ url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/avoid-command-injection-node.md',
25
+ },
26
+ },
27
+ create: function (context) {
20
28
  return {
21
- "CallExpression": function (node) {
22
- var token = context.getTokens(node)[0];
23
- if (node.callee.name === 'require') {
24
- var args = node.arguments[0];
25
- if (args && args.type === 'Literal' && args.value === 'child_process') {
26
- if (node.parent.type === 'VariableDeclarator') {
27
- names.push(node.parent.id.name);
28
- } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
29
- names.push(node.parent.left.name);
30
- }
31
- return context.report(node, 'found require("child_process")\n\t' + getSource(token));
32
- }
33
- }
34
- },
35
- "MemberExpression": function (node) {
36
- var token = context.getTokens(node)[0];
37
- if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
38
- if (node.parent && node.parent.arguments && node.parent.arguments[0].type !== 'Literal') {
39
- return context.report(node, 'found child_process.exec() with non Literal first argument\n\t' + getSource(token));
40
- }
29
+ CallExpression: function (node) {
30
+ if (node.callee.name === 'require') {
31
+ const args = node.arguments[0];
32
+ if (args && args.type === 'Literal' && args.value === 'child_process') {
33
+ if (node.parent.type === 'VariableDeclarator') {
34
+ names.push(node.parent.id.name);
35
+ } else if (node.parent.type === 'AssignmentExpression' && node.parent.operator === '=') {
36
+ names.push(node.parent.left.name);
41
37
  }
38
+ return context.report(node, 'Found require("child_process")');
39
+ }
42
40
  }
43
-
41
+ },
42
+ MemberExpression: function (node) {
43
+ if (node.property.name === 'exec' && names.indexOf(node.object.name) > -1) {
44
+ if (node.parent && node.parent.arguments.length && node.parent.arguments[0].type !== 'Literal') {
45
+ return context.report(node, 'Found child_process.exec() with non Literal first argument');
46
+ }
47
+ }
48
+ },
44
49
  };
45
-
50
+ },
46
51
  };
package/rules/detect-disable-mustache-escape.js CHANGED
@@ -1,18 +1,28 @@
1
- module.exports = function(context) {
1
+ 'use strict';
2
2
 
3
- "use strict";
3
+ module.exports = {
4
+ meta: {
5
+ type: 'error',
6
+ docs: {
7
+ description: 'Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities.',
8
+ category: 'Possible Security Vulnerability',
9
+ recommended: true,
10
+ url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-disable-mustache-escape'
11
+ }
12
+ },
13
+ create: function (context) {
4
14
  return {
5
- "AssignmentExpression": function(node) {
6
- if (node.operator === '=') {
7
- if (node.left.property) {
8
- if (node.left.property.name == 'escapeMarkup') {
9
- if (node.right.value == false) {
10
- context.report(node, 'Markup escaping disabled.')
11
- }
12
- }
13
- }
15
+ AssignmentExpression: function (node) {
16
+ if (node.operator === '=') {
17
+ if (node.left.property) {
18
+ if (node.left.property.name === 'escapeMarkup') {
19
+ if (node.right.value === false) {
20
+ context.report(node, 'Markup escaping disabled.');
21
+ }
14
22
  }
23
+ }
15
24
  }
16
- }
17
-
18
- }
25
+ }
26
+ };
27
+ }
28
+ };
package/rules/detect-eval-with-expression.js CHANGED
@@ -1,21 +1,31 @@
1
1
  /**
2
- * Idnetifies eval with expression
2
+ * Identifies eval with expression
3
3
  * @author Adam Baldwin
4
4
  */
5
5
 
6
+ 'use strict';
7
+
6
8
  //------------------------------------------------------------------------------
7
9
  // Rule Definition
8
10
  //------------------------------------------------------------------------------
9
11
 
10
- module.exports = function(context) {
11
-
12
- "use strict";
13
-
12
+ module.exports = {
13
+ meta: {
14
+ type: 'error',
15
+ docs: {
16
+ description: 'Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process.',
17
+ category: 'Possible Security Vulnerability',
18
+ recommended: true,
19
+ url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-eval-with-expression'
20
+ }
21
+ },
22
+ create: function (context) {
14
23
  return {
15
- "CallExpression": function(node) {
16
- if (node.callee.name === "eval" && node.arguments[0].type !== 'Literal') {
17
- context.report(node, "eval with argument of type " + node.arguments[0].type);
18
- }
24
+ CallExpression: function (node) {
25
+ if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
26
+ context.report(node, `eval with argument of type ${node.arguments[0].type}`);
19
27
  }
28
+ }
20
29
  };
30
+ }
21
31
  };
package/rules/detect-new-buffer.js CHANGED
@@ -1,26 +1,22 @@
1
- module.exports = function (context) {
2
-
3
- var getSource = function (node) {
4
- var token = context.getTokens(node)[0];
5
- return token.loc.start.line+ ': ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
1
+ 'use strict';
2
+
3
+ module.exports = {
4
+ meta: {
5
+ type: 'error',
6
+ docs: {
7
+ description: 'Detect instances of new Buffer(argument) where argument is any non-literal value.',
8
+ category: 'Possible Security Vulnerability',
9
+ recommended: true,
10
+ url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/README.md'
6
11
  }
7
-
8
-
9
- // Detects instances of new Buffer(argument)
10
- // where argument is any non literal value.
12
+ },
13
+ create: function (context) {
11
14
  return {
12
- "NewExpression": function (node) {
13
- if (node.callee.name === 'Buffer' &&
14
- node.arguments[0] &&
15
- node.arguments[0].type != 'Literal') {
16
-
17
- return context.report(node, "Found new Buffer\n\t" + getSource(node));
15
+ NewExpression: function (node) {
16
+ if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {
17
+ return context.report(node, 'Found new Buffer');
18
18
  }
19
-
20
-
21
-
22
19
  }
23
20
  };
24
-
25
- }
26
-
21
+ }
22
+ };
package/rules/detect-no-csrf-before-method-override.js CHANGED
@@ -1,35 +1,46 @@
1
1
  /**
2
- * Check and see if CSRF middleware is before methodOverride
3
- * @author Adam Baldwin
2
+ * Check and see if CSRF middleware is before methodOverride
3
+ * @author Adam Baldwin
4
4
  */
5
5
 
6
+ 'use strict';
7
+
6
8
  //------------------------------------------------------------------------------
7
9
  // Rule Definition
8
10
  //------------------------------------------------------------------------------
9
11
 
10
-
11
- module.exports = function(context) {
12
-
13
- "use strict";
14
- var csrf = false;
12
+ module.exports = {
13
+ meta: {
14
+ type: 'error',
15
+ docs: {
16
+ description: 'Detects Express "csrf" middleware setup before "method-override" middleware.',
17
+ category: 'Possible Security Vulnerability',
18
+ recommended: true,
19
+ url: 'https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/bypass-connect-csrf-protection-by-abusing.md',
20
+ },
21
+ },
22
+ create: function (context) {
23
+ let csrf = false;
15
24
 
16
25
  return {
17
- "CallExpression": function(node) {
18
- var token = context.getTokens(node)[0],
19
- nodeType = token.type,
20
- nodeValue = token.value;
21
-
22
- if (nodeValue === "express") {
23
- if (node.callee.property.name === "methodOverride" && csrf) {
24
- context.report(node, "express.csrf() middleware found before express.methodOverride()");
25
- }
26
- if (node.callee.property.name === "csrf") {
27
- // Keep track of found CSRF
28
- csrf = true;
29
- }
30
- }
26
+ CallExpression: function (node) {
27
+ const token = context.getTokens(node)[0];
28
+ const nodeValue = token.value;
29
+
30
+ if (nodeValue === 'express') {
31
+ if (!node.callee || !node.callee.property) {
32
+ return;
33
+ }
34
+
35
+ if (node.callee.property.name === 'methodOverride' && csrf) {
36
+ context.report(node, 'express.csrf() middleware found before express.methodOverride()');
37
+ }
38
+ if (node.callee.property.name === 'csrf') {
39
+ // Keep track of found CSRF
40
+ csrf = true;
41
+ }
31
42
  }
43
+ },
32
44
  };
33
-
45
+ },
34
46
  };
35
-
package/rules/detect-non-literal-fs-filename.js CHANGED
@@ -3,51 +3,52 @@
3
3
  * @author Adam Baldwin
4
4
  */
5
5
 
6
+ 'use strict';
7
+
6
8
  //------------------------------------------------------------------------------
7
9
  // Rule Definition
8
10
  //------------------------------------------------------------------------------
9
11
 
10
- var names = [];
11
- var fsMetaData = require('./data/fsFunctionData.json');
12
- var funcNames = Object.keys(fsMetaData);
13
-
14
- module.exports = function(context) {
15
-
16
- "use strict";
17
-
18
- var getSource = function (token) {
19
- return token.loc.start.line+ ': ' + context.getSourceLines().slice(token.loc.start.line-1, token.loc.end.line).join('\n\t');
20
- }
21
-
12
+ const fsMetaData = require('./data/fsFunctionData.json');
13
+ const funcNames = Object.keys(fsMetaData);
14
+
15
+ module.exports = {
16
+ meta: {
17
+ type: 'error',
18
+ docs: {
19
+ description: 'Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system.',
20
+ category: 'Possible Security Vulnerability',
21
+ recommended: true,
22
+ url: 'https://github.com/nodesecurity/eslint-plugin-security#detect-non-literal-fs-filename',
23
+ },
24
+ },
25
+ create: function (context) {
22
26
  return {
23
- "MemberExpression": function (node) {
24
- var result = [];
25
- if (funcNames.indexOf(node.property.name) !== -1) {
26
- var meta = fsMetaData[node.property.name];
27
- var args = node.parent.arguments;
28
- meta.forEach(function (i) {
29
- if (args && args.length > i) {
30
- if (args[i].type !== 'Literal') {
31
- result.push(i);
32
- }
33
- }
34
- });
35
- }
36
-
37
- if (result.length > 0) {
38
- var token = context.getTokens(node)[0];
39
- return context.report(node, 'found fs.' + node.property.name + ' with non literal argument at index ' + result.join(',') + '\n\t' + getSource(token));
27
+ MemberExpression: function (node) {
28
+ const result = [];
29
+ if (funcNames.indexOf(node.property.name) !== -1) {
30
+ const meta = fsMetaData[node.property.name];
31
+ const args = node.parent.arguments;
32
+ meta.forEach((i) => {
33
+ if (args && args.length > i) {
34
+ if (args[i].type !== 'Literal') {
35
+ result.push(i);
36
+ }
40
37
  }
38
+ });
39
+ }
41
40
 
42
-
43
- /*
44
- if (node.parent && node.parent.arguments && node.parent.arguments[index].value) {
45
- return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true:\n\t' + getSource(token));
46
-
47
- }
48
- */
41
+ if (result.length > 0) {
42
+ return context.report(node, `Found fs.${node.property.name} with non literal argument at index ${result.join(',')}`);
49
43
  }
50
44
 
51
- };
45
+ /*
46
+ if (node.parent && node.parent.arguments && node.parent.arguments[index].value) {
47
+ return context.report(node, 'found Buffer.' + node.property.name + ' with noAssert flag set true');
52
48
 
49
+ }
50
+ */
51
+ },
52
+ };
53
+ },
53
54
  };