eslint-plugin-sql-template 3.0.0 → 3.2.0

package/index.js

@@ -1,14 +1,18 @@
 'use strict';
 
+const { name, version } = require('./package.json');
+
 /**
  * Export rules.
+ * @type {import('eslint').ESLint.Plugin}
  */
-
 module.exports = {
-  meta: {},
-  configs: {},
+  meta: {
+    name,
+    version,
+    namespace: 'sql-template'
+  },
   rules: {
     'no-unsafe-query': require('./rules/no-unsafe-query')
-  },
-  processors: {}
+  }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-sql-template",
-  "version": "3.0.0",
+  "version": "3.2.0",
   "description": "ESLint plugin with rules for using the `sql` template tag on raw SQL queries",
   "keywords": [
     "plugin",
@@ -21,9 +21,6 @@
     "type": "git",
     "url": "git+ssh://git@github.com/uphold/eslint-plugin-sql-template.git"
   },
-  "dependencies": {
-    "sql-parse": "^0.1.5"
-  },
   "engines": {
     "node": ">=20"
   },
@@ -37,17 +34,16 @@
   "scripts": {
     "lint": "eslint .",
     "release": "release-it",
-    "test": "mocha test --recursive"
+    "test": "node --test test/rules/no-unsafe-query_test.js"
   },
   "devDependencies": {
-    "@eslint/js": "^9.12.0",
-    "@uphold/github-changelog-generator": "^3.4.0",
-    "eslint": "^9.12.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-prettier": "^5.2.1",
-    "mocha": "^10.7.3",
-    "prettier": "^3.3.3",
-    "release-it": "^17.9.0"
+    "@eslint/js": "^10.0.1",
+    "@uphold/github-changelog-generator": "^4.0.2",
+    "eslint": "^10.0.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.5",
+    "prettier": "^3.8.1",
+    "release-it": "^19.2.4"
   },
   "peerDependencies": {
     "eslint": ">=9"

package/rules/no-unsafe-query.js

@@ -1,77 +1,108 @@
 'use strict';
 
 /**
- * Module dependencies.
+ * Helper function to check if an expression contains a variable.
  */
 
-const parser = require('sql-parse');
+function containsVariableExpression(expression) {
+  if (!expression) return false;
 
-/**
- * Check if `literal` is an SQL query.
- */
-
-function isSqlQuery(literal) {
-  if (!literal) {
-    return false;
+  if (['Identifier', 'CallExpression', 'MemberExpression'].includes(expression.type)) {
+    return true;
   }
 
-  try {
-    parser.parse(literal);
+  if (expression.type === 'ConditionalExpression') {
+    return containsVariableExpression(expression.consequent) || containsVariableExpression(expression.alternate);
+  }
 
-    // eslint-disable-next-line no-unused-vars
-  } catch (error) {
-    return false;
+  if (expression.type === 'TemplateLiteral') {
+    return expression.expressions.some(containsVariableExpression);
   }
 
-  return true;
+  return false;
 }
 
 /**
- * Validate node.
+ * Helper function to check if a node has a parent that is a template literal.
  */
 
-function validate(node, context) {
-  if (!node) {
-    return;
-  }
+function hasParentTemplateLiteral(node) {
+  if (!node?.parent) return false;
 
-  if (node.type === 'TaggedTemplateExpression' && node.tag.name !== 'sql') {
-    node = node.quasi;
+  if (node.parent.type === 'TemplateLiteral') {
+    return true;
   }
 
-  if (node.type === 'TemplateLiteral' && node.expressions.length) {
-    const literal = node.quasis.map(quasi => quasi.value.raw).join('x');
-
-    if (isSqlQuery(literal)) {
-      context.report({
-        node,
-        message: 'Use the `sql` tagged template literal for raw queries'
-      });
-    }
-  }
+  return hasParentTemplateLiteral(node.parent);
 }
 
 /**
- * Export `no-unsafe-query`.
+ * SQL starting keywords to detect inside the template literal.
+ */
+
+const sqlKeywords = /^`\s*(SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM|WITH|GRANT|BEGIN|DROP)\s/i;
+
+/**
+ * Rule definition.
  */
 
 module.exports = {
   meta: {
     type: 'suggestion',
+    hasSuggestions: true,
+    fixable: 'code',
     docs: {
-      description: 'disallow unsafe SQL queries',
+      description: 'Enforce safe SQL query handling using tagged templates',
       recommended: false,
       url: 'https://github.com/uphold/eslint-plugin-sql-template#rules'
     },
-    schema: [] // no options
+    messages: {
+      missingSqlTag: 'Use the `sql` tagged template literal for raw queries'
+    },
+    schema: []
   },
   create(context) {
     return {
-      CallExpression(node) {
-        node.arguments.forEach(argument => validate(argument, context));
-      },
-      VariableDeclaration(node) {
-        node.declarations.forEach(declaration => validate(declaration.init, context));
+      TemplateLiteral(node) {
+        // Only check interpolated template literals.
+        if (node?.type !== 'TemplateLiteral' || node.expressions.length === 0) {
+          return;
+        }
+
+        // Skip if the template literal has in it's chain a parent that is a TemplateLiteral.
+        if (hasParentTemplateLiteral(node)) {
+          return;
+        }
+
+        // Skip if the template literal is already tagged with `sql`.
+        if (node.parent.type === 'TaggedTemplateExpression' && node.parent.tag.name === 'sql') {
+          return;
+        }
+
+        // Check if the template literal has SQL.
+        const hasSQL = sqlKeywords.test(context.sourceCode.getText(node));
+
+        // Recursively check if any expression is a variable (Identifier, MemberExpression, or nested TemplateLiteral)
+        const hasVariableExpression = node.expressions.some(containsVariableExpression);
+
+        if (hasSQL && hasVariableExpression) {
+          context.report({
+            node,
+            messageId: 'missingSqlTag',
+            suggest: [
+              {
+                desc: 'Wrap with sql tag',
+                fix(fixer) {
+                  if (node.parent?.type === 'TaggedTemplateExpression') {
+                    return fixer.replaceText(node.parent.tag, 'sql');
+                  }
+
+                  return fixer.insertTextBefore(node, 'sql');
+                }
+              }
+            ]
+          });
+        }
       }
     };
   }