eslint-plugin-sql-template 2.0.0 → 3.1.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2016 Uphold
+Copyright (c) 2024 Uphold
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,47 +1,40 @@
 # eslint-plugin-sql-template
 
-ESLint plugin with rules for using the `sql` template tag from a library such as [sql-tag](https://github.com/seegno/sql-tag) on raw SQL queries.
+ESLint plugin with rules for using the `sql` template tag from a library such as [sql-tag](https://github.com/ruimarinho/sql-tag) on raw SQL queries.
 
 That library escapes data provided to an SQL query statement via interpolation. This prevents, for instance, potential SQL injection attacks.
 
 This ESLint plugin helps teams enforce the usage of that tag, to avoid overlooked vulnerabilities from creeping into their codebases.
 
+## Status
+
+[![npm version][npm-image]][npm-url]
+[![build status][ci-image]][ci-url]
+
 ## Installation
 
 ```sh
-$ npm install eslint eslint-plugin-sql-template --save-dev
+npm install eslint eslint-plugin-sql-template --save-dev
 ```
 
 ## Usage
 
-Create an `.eslint.yml` file with the following:
-
-```yaml
-plugins:
-  - sql-template
-```
-
-Then, you can add the custom rules to the `.eslint.yml` file:
-
-```yaml
-rules:
-  - sql-template/no-unsafe-query: 2
-```
-
-To lint your project with ESLint, add the following `script` to your `package.json`:
+Add `sql-template` to both the `plugins` and `rules` sections of your `ESLint` configuration file. Example:
 
-```json
-{
-  "scripts": {
-    "lint": "eslint ."
+```js
+// eslint.config.js
+import sqlTemplate from 'eslint-plugin-sql-template';
+
+module.exports = [
+  {
+    plugins: {
+      'sql-template': sqlTemplate
+    },
+    rules: {
+      'sql-template/no-unsafe-query': 'error'
+    }
   }
-}
-```
-
-and run the linter with:
-
-```sh
-$ npm run lint
+];
 ```
 
 ## Rules
@@ -81,3 +74,32 @@ Users.query(`SELECT id, name FROM users`);
 const punctuation = '!';
 foo.bar(`Not SQL${punctuation}`);
 ```
+
+## License
+
+[MIT](https://opensource.org/licenses/MIT)
+
+## Contributing
+
+### Development
+
+Install dependencies:
+
+```sh
+npm i
+```
+
+Run tests:
+
+```sh
+npm run test
+```
+
+### Cutting a release
+
+The release process is automated via the [release](https://github.com/uphold/eslint-plugin-sql-template/actions/workflows/release.yaml) GitHub workflow. Run it by clicking the "Run workflow" button.
+
+[npm-image]: https://img.shields.io/npm/v/eslint-plugin-sql-template.svg
+[npm-url]: https://www.npmjs.com/package/eslint-plugin-sql-template
+[ci-image]: https://github.com/uphold/eslint-plugin-sql-template/actions/workflows/ci.yaml/badge.svg?branch=master
+[ci-url]: https://github.com/uphold/eslint-plugin-sql-template/actions/workflows/ci.yaml

package/index.js

@@ -4,6 +4,11 @@
  * Export rules.
  */
 
-module.exports.rules = {
-  'no-unsafe-query': require('./rules/no-unsafe-query')
+module.exports = {
+  meta: {},
+  configs: {},
+  rules: {
+    'no-unsafe-query': require('./rules/no-unsafe-query')
+  },
+  processors: {}
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-sql-template",
-  "version": "2.0.0",
+  "version": "3.1.0",
   "description": "ESLint plugin with rules for using the `sql` template tag on raw SQL queries",
   "keywords": [
     "plugin",
@@ -21,19 +21,32 @@
     "type": "git",
     "url": "git+ssh://git@github.com/uphold/eslint-plugin-sql-template.git"
   },
-  "dependencies": {
-    "sql-parse": "^0.1.5"
-  },
   "engines": {
-    "node": ">=4"
+    "node": ">=20"
+  },
+  "files": [
+    "index.js",
+    "rules"
+  ],
+  "publishConfig": {
+    "access": "public"
   },
   "scripts": {
-    "changelog": "github_changelog_generator --header-label '# Changelog' --no-issues --no-verbose --future-release=$npm_config_future_release && sed -i '' -e :a -e '$d;N;2,3ba' -e 'P;D' CHANGELOG.md",
-    "test": "mocha --recursive",
-    "version": "npm run changelog --future-release=$npm_package_version && git add -A CHANGELOG.md"
+    "lint": "eslint .",
+    "release": "release-it",
+    "test": "mocha test --recursive"
   },
   "devDependencies": {
-    "eslint": "^3.6.1",
-    "mocha": "^3.1.0"
+    "@eslint/js": "^9.12.0",
+    "@uphold/github-changelog-generator": "^3.4.0",
+    "eslint": "^9.12.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.2.1",
+    "mocha": "^10.7.3",
+    "prettier": "^3.3.3",
+    "release-it": "^17.9.0"
+  },
+  "peerDependencies": {
+    "eslint": ">=9"
   }
 }

package/rules/no-unsafe-query.js

@@ -1,60 +1,109 @@
 'use strict';
 
 /**
- * Module dependencies.
+ * Helper function to check if an expression contains a variable.
  */
 
-const parser = require('sql-parse');
+function containsVariableExpression(expression) {
+  if (!expression) return false;
 
-/**
- * Check if `literal` is an SQL query.
- */
+  if (['Identifier', 'CallExpression', 'MemberExpression'].includes(expression.type)) {
+    return true;
+  }
 
-function isSqlQuery(literal) {
-  if (!literal) {
-    return false;
+  if (expression.type === 'ConditionalExpression') {
+    return containsVariableExpression(expression.consequent) || containsVariableExpression(expression.alternate);
   }
 
-  try {
-    parser.parse(literal);
-  } catch (error) {
-    return false;
+  if (expression.type === 'TemplateLiteral') {
+    return expression.expressions.some(containsVariableExpression);
   }
 
-  return true;
+  return false;
 }
 
 /**
- * Validate node.
+ * Helper function to check if a node has a parent that is a template literal.
  */
 
-function validate(node, context) {
-  if (!node) {
-    return;
-  }
+function hasParentTemplateLiteral(node) {
+  if (!node?.parent) return false;
 
-  if (node.type === 'TaggedTemplateExpression' && node.tag.name !== 'sql') {
-    node = node.quasi;
+  if (node.parent.type === 'TemplateLiteral') {
+    return true;
   }
 
-  if (node.type === 'TemplateLiteral' && node.expressions.length) {
-    const literal = node.quasis.map(quasi => quasi.value.raw).join('x');
-
-    if (isSqlQuery(literal)) {
-      context.report(node, 'Use the `sql` tagged template literal for raw queries');
-    }
-  }
+  return hasParentTemplateLiteral(node.parent);
 }
 
 /**
- * Export `no-unsafe-query`.
+ * SQL starting keywords to detect inside the template literal.
+ */
+
+const sqlKeywords = /^`\s*(SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM|WITH|GRANT|BEGIN|DROP)\s/i;
+
+/**
+ * Rule definition.
  */
 
-module.exports = context => ({
-  CallExpression(node) {
-    node.arguments.forEach(argument => validate(argument, context));
+module.exports = {
+  meta: {
+    type: 'suggestion',
+    hasSuggestions: true,
+    fixable: 'code',
+    docs: {
+      description: 'Enforce safe SQL query handling using tagged templates',
+      recommended: false,
+      url: 'https://github.com/uphold/eslint-plugin-sql-template#rules'
+    },
+    messages: {
+      missingSqlTag: 'Use the `sql` tagged template literal for raw queries'
+    },
+    schema: []
   },
-  VariableDeclaration(node) {
-    node.declarations.forEach(declaration => validate(declaration.init, context));
+  create(context) {
+    return {
+      TemplateLiteral(node) {
+        // Only check interpolated template literals.
+        if (node?.type !== 'TemplateLiteral' || node.expressions.length === 0) {
+          return;
+        }
+
+        // Skip if the template literal has in it's chain a parent that is a TemplateLiteral.
+        if (hasParentTemplateLiteral(node)) {
+          return;
+        }
+
+        // Skip if the template literal is already tagged with `sql`.
+        if (node.parent.type === 'TaggedTemplateExpression' && node.parent.tag.name === 'sql') {
+          return;
+        }
+
+        // Check if the template literal has SQL.
+        const hasSQL = sqlKeywords.test(context.sourceCode.getText(node));
+
+        // Recursively check if any expression is a variable (Identifier, MemberExpression, or nested TemplateLiteral)
+        const hasVariableExpression = node.expressions.some(containsVariableExpression);
+
+        if (hasSQL && hasVariableExpression) {
+          context.report({
+            node,
+            messageId: 'missingSqlTag',
+            suggest: [
+              {
+                desc: 'Wrap with sql tag',
+                fix(fixer) {
+                  if (node.parent?.type === 'TaggedTemplateExpression') {
+                    return fixer.replaceText(node.parent.tag, 'sql');
+                  }
+
+                  return fixer.insertTextBefore(node, 'sql');
+                }
+              }
+            ]
+          });
+        }
+      }
+    };
   }
-});
+};

package/.npmignore

@@ -1,37 +0,0 @@
-# Logs
-logs
-*.log
-npm-debug.log*
-
-# Runtime data
-pids
-*.pid
-*.seed
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (http://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules
-jspm_packages
-
-# Optional npm cache directory
-.npm
-
-# Optional REPL history
-.node_repl_history

package/.travis.yml

@@ -1,7 +0,0 @@
-language: node_js
-
-node_js:
-  - 4
-  - 6
-
-sudo: false

package/CHANGELOG.md

@@ -1,10 +0,0 @@
-# Changelog
-
-## [2.0.0](https://github.com/uphold/eslint-plugin-sql-template/tree/2.0.0) (2016-10-03)
-**Merged pull requests:**
-
-- Remove lodash dependency [\#4](https://github.com/uphold/eslint-plugin-sql-template/pull/4) ([kurayama](https://github.com/kurayama))
-- Use mocha --recursive flag [\#3](https://github.com/uphold/eslint-plugin-sql-template/pull/3) ([kurayama](https://github.com/kurayama))
-- Update README [\#2](https://github.com/uphold/eslint-plugin-sql-template/pull/2) ([kurayama](https://github.com/kurayama))
-- Create project with `no-unsafe-query` rule [\#1](https://github.com/uphold/eslint-plugin-sql-template/pull/1) ([rplopes](https://github.com/rplopes))
-

package/test/rules/no-unsafe-query_test.js

@@ -1,54 +0,0 @@
-'use strict';
-
-/**
- * Module dependencies.
- */
-
-const RuleTester = require('eslint').RuleTester;
-const rule = require('../../rules/no-unsafe-query');
-
-RuleTester.setDefaultConfig({
-  parserOptions: {
-    ecmaVersion: 6
-  }
-});
-
-/**
- * Test `no-unsafe-query`.
- */
-
-const ruleTester = new RuleTester();
-
-ruleTester.run('no-unsafe-query', rule, {
-  invalid: [{
-    code: 'const column = "*"; foo.query(`SELECT ${column} FROM foobar`);',
-    errors: [{
-      message: 'Use the `sql` tagged template literal for raw queries'
-    }]
-  }, {
-    code: 'const column = "*"; const query = `SELECT ${column} FROM foobar`; foo.query(query);',
-    errors: [{
-      message: 'Use the `sql` tagged template literal for raw queries'
-    }]
-  }, {
-    code: 'const column = "*"; foo.query(foobar`SELECT ${column} FROM foobar`);',
-    errors: [{
-      message: 'Use the `sql` tagged template literal for raw queries'
-    }]
-  }, {
-    code: 'const column = "*"; const query = foobar`SELECT ${column} FROM foobar`; foo.query(query);',
-    errors: [{
-      message: 'Use the `sql` tagged template literal for raw queries'
-    }]
-  }],
-  valid: [
-    'const column = "*"; foo.query(sql`SELECT ${column} FROM foobar`);',
-    'const column = "*"; const query = sql`SELECT ${column} FROM foobar`; foo.query(query);',
-    'foo.query(`SELECT column FROM foobar`);',
-    'const query = `SELECT column FROM foobar`; foo.query(query);',
-    'const foo = "bar"; baz.greet(`hello ${foo}`);',
-    'const foo = "bar"; const baz = `hello ${foo}`; qux.greet(baz);',
-    'foo.greet(`hello`);',
-    'const foo = `bar`; baz.greet(foo);'
-  ]
-});