New: Rule class-methods-use-this option exceptMethods accepts regex #12305
Closed
Changes from 6 commits

Commits (13):
de4c13f derjones: Allow RegExp for exceptMethods rule definition
b43cb82 derjones: Update doc for rule class-methods-use-this
0892104 derjones: Fix: use array instead of set
9a810c7 derjones: Fix: use array correctly...
4be2532 derjones: Fix lint error: Add unicode flag to regex
07c525d derjones: Fix lint issue: use doublequotes
2d5c98d derjones: Add useRegExp flag to avoid breaking change
8495f2a derjones: Fix lint errors
d960d11 derjones: Use own array to define exceptions regex instead of flag
da6bb73 derjones: Fix: docu
af1cef8 derjones: Fix: Rule and exception logic
5bc2530 derjones: Fix: exception logic
d191617 derjones: Fix: test cases
Conversations
Accepting a regex opens the rule up to a bunch of CVEs. Is there a reason this can’t be simple globs?
Hm okay, in my case globs would be enough. But other rules also use RegExp for exceptions, e.g. camelcase and lines-around-comment.
I don't think this is a security issue if the regexes come from a config. If someone has the ability to edit a config file and add malicious regexes, they probably also have the ability to create a JS file and do worse things anyway.
If inline config comments are enabled, someone could maybe create a piece of code that takes a very long time to lint, but I think that's an accepted risk at this point.
That’s true, but that won’t stop tons of false positive CVEs.
With an exception or two, it seems to have stopped them so far. False-positive CVEs are sometimes a problem, but it seems silly to not use a feature for fear of false positive security reports. (Maybe someone can convince V8 to use linear-time regex matching for regexes that don't have backreferences, and then we stop tons of real CVEs.)
I think it's a general question whether a regex is allowed in a rule config or not. Since some rules already use a regex in the config, you would have to either remove all of them or allow it in general.
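The glob-only alternative the first reviewer suggests, as an added example that is neither ESLint's code nor from this PR: it assumes an option array named exceptMethods and a hypothetical buildExceptionMatcher helper, and shows why glob syntax sidesteps the backtracking concern raised in the thread, since the config author never writes RegExp syntax directly.

```javascript
// Added example (not ESLint's or the PR's code): the "simple globs" alternative
// the first reviewer suggests for the exceptMethods option. A glob is compiled
// into an anchored RegExp whose only metacharacters are the ones this code emits,
// so a config author cannot introduce nested quantifiers or backreferences and
// matching stays linear in the method name length. Helper names are assumed.

// Compile one glob ("get*", "on?Click", "toJSON") into a safe, anchored RegExp.
function globToRegExp(glob) {
    if (typeof glob !== "string") {
        throw new TypeError("exceptMethods entries must be strings");
    }
    let source = "^";
    for (const ch of glob) {
        if (ch === "*") {
            source += ".*"; // any run of characters
        } else if (ch === "?") {
            source += "."; // exactly one character
        } else {
            // Everything else is literal: escape RegExp syntax characters.
            source += ch.replace(/[.*+?^${}()|[\]\\]/, "\\$&");
        }
    }
    return new RegExp(source + "$", "u");
}

// Build the matcher once per rule instance, the way an option array is read.
function buildExceptionMatcher(exceptMethods) {
    const patterns = (exceptMethods || []).map(globToRegExp);
    return (methodName) => patterns.some((re) => re.test(methodName));
}

// Run the matcher over constructed option values and method names.
function demo() {
    const isExcepted = buildExceptionMatcher(["render", "get*", "on?Click", "a.b"]);
    return {
        exact: isExcepted("render"), // true
        prefix: isExcepted("getValue"), // true
        oneChar: isExcepted("onXClick"), // true
        twoChars: isExcepted("onXYClick"), // false: "?" matches one character
        literalDot: isExcepted("a.b"), // true: "." in the glob is escaped
        notDot: isExcepted("aXb"), // false: no wildcard was emitted
        unrelated: isExcepted("compute") // false
    };
}
```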