eslint-plugin-security 2.1.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/.github/workflows/ci.yml +8 -8
  2. package/CHANGELOG.md +16 -0
  3. package/README.md +16 -16
  4. package/docs/bypass-connect-csrf-protection-by-abusing.md +2 -2
  5. package/docs/regular-expression-dos-and-node.md +2 -2
  6. package/package.json +8 -5
  7. package/rules/detect-bidi-characters.js +1 -1
  8. package/rules/detect-buffer-noassert.js +1 -1
  9. package/rules/detect-child-process.js +6 -3
  10. package/rules/detect-disable-mustache-escape.js +1 -1
  11. package/rules/detect-new-buffer.js +1 -1
  12. package/rules/detect-no-csrf-before-method-override.js +1 -1
  13. package/rules/detect-non-literal-fs-filename.js +7 -4
  14. package/rules/detect-non-literal-regexp.js +7 -3
  15. package/rules/detect-non-literal-require.js +7 -3
  16. package/rules/detect-object-injection.js +1 -1
  17. package/rules/detect-possible-timing-attacks.js +1 -1
  18. package/rules/detect-pseudoRandomBytes.js +1 -1
  19. package/rules/detect-unsafe-regex.js +1 -1
  20. package/test/rules/detect-child-process.js +1 -6
  21. package/test/rules/detect-non-literal-fs-filename.js +21 -16
  22. package/test/rules/detect-non-literal-require.js +5 -3
  23. package/test/utils/import-utils.js +13 -7
  24. package/test/utils/is-static-expression.js +21 -11
package/.github/workflows/ci.yml CHANGED
@@ -12,12 +12,12 @@ jobs:
12
12
  permissions:
13
13
  contents: read
14
14
  steps:
15
- - uses: actions/checkout@v3
15
+ - uses: actions/checkout@v4
16
16
  with:
17
17
  persist-credentials: false
18
- - uses: actions/setup-node@v3
18
+ - uses: actions/setup-node@v4
19
19
  with:
20
- node-version: 18
20
+ node-version: lts/*
21
21
 
22
22
  - name: Install Packages
23
23
  run: npm install
@@ -30,21 +30,21 @@ jobs:
30
30
  strategy:
31
31
  matrix:
32
32
  os: [ubuntu-latest]
33
- node: [12.22.0, 12, 14, 16, 18, 20]
33
+ node: [18.18.0, 18.x, 20.x, 21.x]
34
34
  include:
35
35
  - os: windows-latest
36
- node: 18
36
+ node: lts/*
37
37
  - os: macOS-latest
38
- node: 18
38
+ node: lts/*
39
39
  runs-on: ${{ matrix.os }}
40
40
  permissions:
41
41
  contents: read
42
42
  steps:
43
- - uses: actions/checkout@v3
43
+ - uses: actions/checkout@v4
44
44
  with:
45
45
  persist-credentials: false
46
46
 
47
- - uses: actions/setup-node@v3
47
+ - uses: actions/setup-node@v4
48
48
  with:
49
49
  node-version: ${{ matrix.node }}
50
50
 
package/CHANGELOG.md CHANGED
@@ -1,5 +1,21 @@
1
1
  # Changelog
2
2
 
3
+ ## [3.0.0](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.1.1...v3.0.0) (2024-04-10)
4
+
5
+
6
+ ### ⚠ BREAKING CHANGES
7
+
8
+ * requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
9
+
10
+ ### Features
11
+
12
+ * requires node ^18.18.0 || ^20.9.0 || >=21.1.0 ([#146](https://www.github.com/eslint-community/eslint-plugin-security/issues/146)) ([df1b606](https://www.github.com/eslint-community/eslint-plugin-security/commit/df1b6063c1224e1163dfdc37c96b64bb52d816bb))
13
+
14
+
15
+ ### Bug Fixes
16
+
17
+ * Ensure everything works with ESLint v9 ([#145](https://www.github.com/eslint-community/eslint-plugin-security/issues/145)) ([ac50ab4](https://www.github.com/eslint-community/eslint-plugin-security/commit/ac50ab481ed63d7262513186136ca1429d3b8290))
18
+
3
19
  ### [2.1.1](https://www.github.com/eslint-community/eslint-plugin-security/compare/v2.1.0...v2.1.1) (2024-02-14)
4
20
 
5
21
 
package/README.md CHANGED
@@ -64,21 +64,21 @@ npm test
64
64
  ⚠️ Configurations set to warn in.\
65
65
  ✅ Set in the `recommended` configuration.
66
66
 
67
- | Name                                  | Description | ⚠️ |
68
- | :------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-- |
69
- | [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
70
- | [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
71
- | [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
72
- | [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
- | [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
- | [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. ([new Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)) | ✅ |
75
- | [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
76
- | [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
- | [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
- | [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
- | [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
- | [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
- | [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
- | [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
67
+ | Name                                  | Description | ⚠️ |
68
+ | :------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------- | :-- |
69
+ | [detect-bidi-characters](docs/rules/detect-bidi-characters.md) | Detects trojan source attacks that employ unicode bidi attacks to inject malicious code. | ✅ |
70
+ | [detect-buffer-noassert](docs/rules/detect-buffer-noassert.md) | Detects calls to "buffer" with "noAssert" flag set. | ✅ |
71
+ | [detect-child-process](docs/rules/detect-child-process.md) | Detects instances of "child_process" & non-literal "exec()" calls. | ✅ |
72
+ | [detect-disable-mustache-escape](docs/rules/detect-disable-mustache-escape.md) | Detects "object.escapeMarkup = false", which can be used with some template engines to disable escaping of HTML entities. | ✅ |
73
+ | [detect-eval-with-expression](docs/rules/detect-eval-with-expression.md) | Detects "eval(variable)" which can allow an attacker to run arbitrary code inside your process. | ✅ |
74
+ | [detect-new-buffer](docs/rules/detect-new-buffer.md) | Detects instances of new Buffer(argument) where argument is any non-literal value. | ✅ |
75
+ | [detect-no-csrf-before-method-override](docs/rules/detect-no-csrf-before-method-override.md) | Detects Express "csrf" middleware setup before "method-override" middleware. | ✅ |
76
+ | [detect-non-literal-fs-filename](docs/rules/detect-non-literal-fs-filename.md) | Detects variable in filename argument of "fs" calls, which might allow an attacker to access anything on your system. | ✅ |
77
+ | [detect-non-literal-regexp](docs/rules/detect-non-literal-regexp.md) | Detects "RegExp(variable)", which might allow an attacker to DOS your server with a long-running regular expression. | ✅ |
78
+ | [detect-non-literal-require](docs/rules/detect-non-literal-require.md) | Detects "require(variable)", which might allow an attacker to load and run arbitrary code, or access arbitrary files on disk. | ✅ |
79
+ | [detect-object-injection](docs/rules/detect-object-injection.md) | Detects "variable[key]" as a left- or right-hand assignment operand. | ✅ |
80
+ | [detect-possible-timing-attacks](docs/rules/detect-possible-timing-attacks.md) | Detects insecure comparisons (`==`, `!=`, `!==` and `===`), which check input sequentially. | ✅ |
81
+ | [detect-pseudoRandomBytes](docs/rules/detect-pseudoRandomBytes.md) | Detects if "pseudoRandomBytes()" is in use, which might not give you the randomness you need and expect. | ✅ |
82
+ | [detect-unsafe-regex](docs/rules/detect-unsafe-regex.md) | Detects potentially unsafe regular expressions, which may take a very long time to run, blocking the event loop. | ✅ |
83
83
 
84
84
  <!-- end auto-generated rules list -->
package/docs/bypass-connect-csrf-protection-by-abusing.md CHANGED
@@ -18,9 +18,9 @@ Considering the following code:
18
18
 
19
19
  ```js
20
20
  ...
21
- app.use express.csrf()
21
+ app.use(express.csrf())
22
22
  ...
23
- app.use express.methodOverride()
23
+ app.use(express.methodOverride())
24
24
  ```
25
25
 
26
26
  Connect's CSRF middleware does not check csrf tokens in case of idempotent verbs (GET/HEAD/OPTIONS, see lib/middleware/csrf.js). As a result, it is possible to bypass this security control by sending a GET request with a POST MethodOverride header or key.
package/docs/regular-expression-dos-and-node.md CHANGED
@@ -2,13 +2,13 @@
2
2
 
3
3
  Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get `500 Internal Server Error`. For some reason the site is down. You can't do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.
4
4
 
5
- Availability is not often treated as a security problem, which it is, and it's impacts are immediate, and deeply felt.
5
+ Availability is not often treated as a security problem, which it is, and its impacts are immediate, and deeply felt.
6
6
 
7
7
  The attack surface for Node.js in regards to loss of availability is quite large, as we are dealing with a single event loop. If an attacker can control and block that event loop, then nothing else gets done.
8
8
 
9
9
  There are many ways to block the event loop, one way an attacker can do that is with [Regular Expression Denial of Service (ReDoS)](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).
10
10
 
11
- If user provided input finds it's way into a regular expression, or a regular expression is designed with certain attributes, such as grouping with repetition, you can find yourself in a vulnerable position, as the regular expression match could take a long time to process. [OWASP](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) has a deeper explanation of why this occurs.
11
+ If user provided input finds its way into a regular expression, or a regular expression is designed with certain attributes, such as grouping with repetition, you can find yourself in a vulnerable position, as the regular expression match could take a long time to process. [OWASP](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) has a deeper explanation of why this occurs.
12
12
 
13
13
  Let's look at an vulnerable example. Below we are attempting the common task of validating an email address on the server.
14
14
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "eslint-plugin-security",
3
- "version": "2.1.1",
3
+ "version": "3.0.0",
4
4
  "description": "Security rules for eslint",
5
5
  "main": "index.js",
6
6
  "scripts": {
@@ -46,13 +46,13 @@
46
46
  "safe-regex": "^2.1.1"
47
47
  },
48
48
  "devDependencies": {
49
- "@eslint/js": "^8.51.0",
49
+ "@eslint/js": "^9.0.0",
50
50
  "changelog": "1.3.0",
51
- "eslint": "^8.51.0",
51
+ "eslint": "^9.0.0",
52
52
  "eslint-config-nodesecurity": "^1.3.1",
53
53
  "eslint-config-prettier": "^8.5.0",
54
- "eslint-doc-generator": "^1.0.2",
55
- "eslint-plugin-eslint-plugin": "^5.1.1",
54
+ "eslint-doc-generator": "^1.7.0",
55
+ "eslint-plugin-eslint-plugin": "^5.5.1",
56
56
  "lint-staged": "^12.3.7",
57
57
  "markdownlint-cli": "^0.32.2",
58
58
  "mocha": "^9.2.2",
@@ -60,5 +60,8 @@
60
60
  "prettier": "^2.6.2",
61
61
  "semantic-release": "^19.0.2",
62
62
  "yorkie": "^2.0.0"
63
+ },
64
+ "engines": {
65
+ "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
63
66
  }
64
67
  }
package/rules/detect-bidi-characters.js CHANGED
@@ -78,7 +78,7 @@ module.exports = {
78
78
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-bidi-characters.md',
79
79
  },
80
80
  },
81
- create: function (context) {
81
+ create(context) {
82
82
  return {
83
83
  Program: function (node) {
84
84
  report({
package/rules/detect-buffer-noassert.js CHANGED
@@ -61,7 +61,7 @@ module.exports = {
61
61
  write,
62
62
  },
63
63
  },
64
- create: function (context) {
64
+ create(context) {
65
65
  return {
66
66
  MemberExpression: function (node) {
67
67
  let index;
package/rules/detect-child-process.js CHANGED
@@ -23,7 +23,8 @@ module.exports = {
23
23
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-child-process.md',
24
24
  },
25
25
  },
26
- create: function (context) {
26
+ create(context) {
27
+ const sourceCode = context.sourceCode || context.getSourceCode();
27
28
  return {
28
29
  CallExpression: function (node) {
29
30
  if (node.callee.name === 'require') {
@@ -41,19 +42,21 @@ module.exports = {
41
42
  return;
42
43
  }
43
44
 
45
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
46
+
44
47
  // Reports non-literal `exec()` calls.
45
48
  if (
46
49
  !node.arguments.length ||
47
50
  isStaticExpression({
48
51
  node: node.arguments[0],
49
- scope: context.getScope(),
52
+ scope,
50
53
  })
51
54
  ) {
52
55
  return;
53
56
  }
54
57
  const pathInfo = getImportAccessPath({
55
58
  node: node.callee,
56
- scope: context.getScope(),
59
+ scope,
57
60
  packageNames: childProcessPackageNames,
58
61
  });
59
62
  const fnName = pathInfo && pathInfo.path.length === 1 && pathInfo.path[0];
package/rules/detect-disable-mustache-escape.js CHANGED
@@ -10,7 +10,7 @@ module.exports = {
10
10
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-disable-mustache-escape.md',
11
11
  },
12
12
  },
13
- create: function (context) {
13
+ create(context) {
14
14
  return {
15
15
  AssignmentExpression: function (node) {
16
16
  if (node.operator === '=') {
package/rules/detect-new-buffer.js CHANGED
@@ -10,7 +10,7 @@ module.exports = {
10
10
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-new-buffer.md',
11
11
  },
12
12
  },
13
- create: function (context) {
13
+ create(context) {
14
14
  return {
15
15
  NewExpression: function (node) {
16
16
  if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {
package/rules/detect-no-csrf-before-method-override.js CHANGED
@@ -19,7 +19,7 @@ module.exports = {
19
19
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
20
20
  },
21
21
  },
22
- create: function (context) {
22
+ create(context) {
23
23
  let csrf = false;
24
24
 
25
25
  return {
package/rules/detect-non-literal-fs-filename.js CHANGED
@@ -26,17 +26,19 @@ module.exports = {
26
26
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-fs-filename.md',
27
27
  },
28
28
  },
29
- create: function (context) {
29
+ create(context) {
30
+ const sourceCode = context.sourceCode || context.getSourceCode();
30
31
  return {
31
- CallExpression: function (node) {
32
+ CallExpression(node) {
32
33
  // don't check require. If all arguments are Literals, it's surely safe!
33
34
  if ((node.callee.type === 'Identifier' && node.callee.name === 'require') || node.arguments.every((argument) => argument.type === 'Literal')) {
34
35
  return;
35
36
  }
36
37
 
38
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
37
39
  const pathInfo = getImportAccessPath({
38
40
  node: node.callee,
39
- scope: context.getScope(),
41
+ scope,
40
42
  packageNames: fsPackageNames,
41
43
  });
42
44
  if (!pathInfo) {
@@ -79,7 +81,8 @@ module.exports = {
79
81
  continue;
80
82
  }
81
83
  const argument = node.arguments[index];
82
- if (isStaticExpression({ node: argument, scope: context.getScope() })) {
84
+
85
+ if (isStaticExpression({ node: argument, scope })) {
83
86
  continue;
84
87
  }
85
88
  indices.push(index);
package/rules/detect-non-literal-regexp.js CHANGED
@@ -21,17 +21,21 @@ module.exports = {
21
21
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-regexp.md',
22
22
  },
23
23
  },
24
- create: function (context) {
24
+ create(context) {
25
+ const sourceCode = context.sourceCode || context.getSourceCode();
26
+
25
27
  return {
26
- NewExpression: function (node) {
28
+ NewExpression(node) {
27
29
  if (node.callee.name === 'RegExp') {
28
30
  const args = node.arguments;
31
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
32
+
29
33
  if (
30
34
  args &&
31
35
  args.length > 0 &&
32
36
  !isStaticExpression({
33
37
  node: args[0],
34
- scope: context.getScope(),
38
+ scope,
35
39
  })
36
40
  ) {
37
41
  return context.report({ node: node, message: 'Found non-literal argument to RegExp Constructor' });
package/rules/detect-non-literal-require.js CHANGED
@@ -21,17 +21,21 @@ module.exports = {
21
21
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
22
22
  },
23
23
  },
24
- create: function (context) {
24
+ create(context) {
25
+ const sourceCode = context.sourceCode || context.getSourceCode();
26
+
25
27
  return {
26
- CallExpression: function (node) {
28
+ CallExpression(node) {
27
29
  if (node.callee.name === 'require') {
28
30
  const args = node.arguments;
31
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
32
+
29
33
  if (
30
34
  args &&
31
35
  args.length > 0 &&
32
36
  !isStaticExpression({
33
37
  node: args[0],
34
- scope: context.getScope(),
38
+ scope,
35
39
  })
36
40
  ) {
37
41
  return context.report({ node: node, message: 'Found non-literal argument in require' });
package/rules/detect-object-injection.js CHANGED
@@ -61,7 +61,7 @@ module.exports = {
61
61
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-object-injection.md',
62
62
  },
63
63
  },
64
- create: function (context) {
64
+ create(context) {
65
65
  return {
66
66
  MemberExpression: function (node) {
67
67
  if (node.computed === true) {
package/rules/detect-possible-timing-attacks.js CHANGED
@@ -32,7 +32,7 @@ module.exports = {
32
32
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-possible-timing-attacks.md',
33
33
  },
34
34
  },
35
- create: function (context) {
35
+ create(context) {
36
36
  return {
37
37
  IfStatement: function (node) {
38
38
  if (node.test && node.test.type === 'BinaryExpression') {
package/rules/detect-pseudoRandomBytes.js CHANGED
@@ -19,7 +19,7 @@ module.exports = {
19
19
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-pseudoRandomBytes.md',
20
20
  },
21
21
  },
22
- create: function (context) {
22
+ create(context) {
23
23
  return {
24
24
  MemberExpression: function (node) {
25
25
  if (node.property.name === 'pseudoRandomBytes') {
package/rules/detect-unsafe-regex.js CHANGED
@@ -25,7 +25,7 @@ module.exports = {
25
25
  url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-unsafe-regex.md',
26
26
  },
27
27
  },
28
- create: function (context) {
28
+ create(context) {
29
29
  return {
30
30
  Literal: function (node) {
31
31
  const token = context.getSourceCode().getTokens(node)[0];
package/test/rules/detect-child-process.js CHANGED
@@ -1,12 +1,7 @@
1
1
  'use strict';
2
2
 
3
3
  const RuleTester = require('eslint').RuleTester;
4
- const tester = new RuleTester({
5
- parserOptions: {
6
- ecmaVersion: 6,
7
- sourceType: 'module',
8
- },
9
- });
4
+ const tester = new RuleTester();
10
5
 
11
6
  const ruleName = 'detect-child-process';
12
7
  const rule = require(`../../rules/${ruleName}`);
package/test/rules/detect-non-literal-fs-filename.js CHANGED
@@ -1,12 +1,7 @@
1
1
  'use strict';
2
2
 
3
3
  const RuleTester = require('eslint').RuleTester;
4
- const tester = new RuleTester({
5
- parserOptions: {
6
- ecmaVersion: 13,
7
- sourceType: 'module',
8
- },
9
- });
4
+ const tester = new RuleTester();
10
5
 
11
6
  const ruleName = 'detect-non-literal-fs-filename';
12
7
 
@@ -33,8 +28,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
33
28
  const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
34
29
  const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
35
30
  await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,
36
- globals: {
37
- __dirname: 'readonly',
31
+ languageOptions: {
32
+ globals: {
33
+ __dirname: 'readonly',
34
+ },
38
35
  },
39
36
  },
40
37
  {
@@ -43,16 +40,20 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
43
40
  import path from 'path';
44
41
  const dirname = path.dirname(__filename)
45
42
  const key = fs.readFileSync(path.resolve(dirname, './index.html'));`,
46
- globals: {
47
- __filename: 'readonly',
43
+ languageOptions: {
44
+ globals: {
45
+ __filename: 'readonly',
46
+ },
48
47
  },
49
48
  },
50
49
  {
51
50
  code: `
52
51
  import fs from 'fs';
53
52
  const key = fs.readFileSync(\`\${process.cwd()}/path/to/foo.json\`);`,
54
- globals: {
55
- process: 'readonly',
53
+ languageOptions: {
54
+ globals: {
55
+ process: 'readonly',
56
+ },
56
57
  },
57
58
  },
58
59
  `
@@ -65,8 +66,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
65
66
  code: `
66
67
  import fs from 'fs';
67
68
  const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');`,
68
- globals: {
69
- require: 'readonly',
69
+ languageOptions: {
70
+ globals: {
71
+ require: 'readonly',
72
+ },
70
73
  },
71
74
  },
72
75
  ],
@@ -191,8 +194,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
191
194
  import fs from 'fs';
192
195
  import path from 'path';
193
196
  const key = fs.readFileSync(path.resolve(__dirname, foo));`,
194
- globals: {
195
- __filename: 'readonly',
197
+ languageOptions: {
198
+ globals: {
199
+ __filename: 'readonly',
200
+ },
196
201
  },
197
202
  errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
198
203
  },
package/test/rules/detect-non-literal-require.js CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  const RuleTester = require('eslint').RuleTester;
4
4
 
5
- const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
5
+ const tester = new RuleTester({ languageOptions: { sourceType: 'commonjs' } });
6
6
 
7
7
  const ruleName = 'detect-non-literal-require';
8
8
 
@@ -17,8 +17,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
17
17
  },
18
18
  {
19
19
  code: "const utils = require(__dirname + '/utils');",
20
- globals: {
21
- __dirname: 'readonly',
20
+ languageOptions: {
21
+ globals: {
22
+ __dirname: 'readonly',
23
+ },
22
24
  },
23
25
  },
24
26
  ],
package/test/utils/import-utils.js CHANGED
@@ -8,17 +8,20 @@ const Linter = require('eslint').Linter;
8
8
  function getGetImportAccessPathResult(code) {
9
9
  const linter = new Linter();
10
10
  const result = [];
11
- linter.defineRule('test-rule', {
11
+ const testRule = {
12
12
  create(context) {
13
+ const sourceCode = context.sourceCode || context.getSourceCode();
13
14
  return {
14
15
  'Identifier[name = target]'(node) {
15
16
  let expr = node;
16
17
  if (node.parent.type === 'MemberExpression' && node.parent.property === node) {
17
18
  expr = node.parent;
18
19
  }
20
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
21
+
19
22
  const info = getImportAccessPath({
20
23
  node: expr,
21
- scope: context.getScope(),
24
+ scope,
22
25
  packageNames: ['target', 'target-foo', 'target-bar'],
23
26
  });
24
27
  if (!info) return;
@@ -30,15 +33,18 @@ function getGetImportAccessPathResult(code) {
30
33
  },
31
34
  };
32
35
  },
33
- });
36
+ };
34
37
 
35
38
  const linterResult = linter.verify(code, {
36
- parserOptions: {
37
- ecmaVersion: 6,
38
- sourceType: 'module',
39
+ plugins: {
40
+ test: {
41
+ rules: {
42
+ 'test-rule': testRule,
43
+ },
44
+ },
39
45
  },
40
46
  rules: {
41
- 'test-rule': 'error',
47
+ 'test/test-rule': 'error',
42
48
  },
43
49
  });
44
50
  deepStrictEqual(linterResult, []);
package/test/utils/is-static-expression.js CHANGED
@@ -12,35 +12,45 @@ const Linter = require('eslint').Linter;
12
12
  function getIsStaticExpressionResult(code) {
13
13
  const linter = new Linter();
14
14
  const result = [];
15
- linter.defineRule('test-rule', {
15
+ const testRule = {
16
16
  create(context) {
17
+ const sourceCode = context.sourceCode || context.getSourceCode();
18
+
17
19
  return {
18
20
  'CallExpression[callee.name = target]'(node) {
21
+ const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
22
+
19
23
  result.push(
20
24
  ...node.arguments.map((expr) =>
21
25
  isStaticExpression({
22
26
  node: expr,
23
- scope: context.getScope(),
27
+ scope,
24
28
  })
25
29
  )
26
30
  );
27
31
  },
28
32
  };
29
33
  },
30
- });
34
+ };
31
35
 
32
36
  const linterResult = linter.verify(code, {
33
- parserOptions: {
34
- ecmaVersion: 11,
35
- sourceType: 'module',
37
+ plugins: {
38
+ test: {
39
+ rules: {
40
+ 'test-rule': testRule,
41
+ },
42
+ },
36
43
  },
37
- globals: {
38
- __dirname: 'readonly',
39
- __filename: 'readonly',
40
- require: 'readonly',
44
+ languageOptions: {
45
+ sourceType: 'module',
46
+ globals: {
47
+ __dirname: 'readonly',
48
+ __filename: 'readonly',
49
+ require: 'readonly',
50
+ },
41
51
  },
42
52
  rules: {
43
- 'test-rule': 'error',
53
+ 'test/test-rule': 'error',
44
54
  },
45
55
  });
46
56
  deepStrictEqual(linterResult, []);