Transform arrow functions without block #108

Merged
merged 7 commits into from
Dec 12, 2024

iunanua (Collaborator) commented Dec 11, 2024

What does this PR do?

Transform arrow function bodies with an expression to a body with a block returning the original expression.

Motivation

Fix #101

Additional Notes

Describe how to test your changes

Checklist

  • The CHANGELOG.md has been updated
  • Unit tests have been updated and pass
  • If known, an appropriate milestone has been selected

const rewritten = rewriteAst(js)

// eslint-disable-next-line no-eval
const rewrittenIssue101 = eval(rewritten)
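
Review bot: `eval(rewritten)` is a direct eval, so the rewriter's output runs with this test's local bindings (`js`, `rewritten`) in scope, and a scoping mistake in the transform could be hidden by, or overwrite, those names. Consider evaluating it outside the test's scope, and extend the `no-eval` suppression comment with the reason it is acceptable here.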


🟠 Code Vulnerability

'eval' with argument of type Identifier

The eval function could execute malicious code if used with non-literal values. The argument provided to the eval method could be used to execute malicious code. If an attacker manages to control the eval argument they can execute arbitrary code.

In JavaScript, the eval() function evaluates or executes an argument if it's a string of JavaScript code. If this argument is influenced by user input or other external sources, it can lead to security vulnerabilities. Specifically, if an attacker can control or manipulate the value of the variable in eval(variable), they can execute arbitrary code.

You should avoid using eval at all costs, but if you face an advanced use case, use literal values that are under your control or sanitize the input. However, even then it is still recommended to avoid the use of eval as it has led to security breaches before.


const js = readFileSync(path.join(__dirname, 'resources/issue-101.js')).toString()

// eslint-disable-next-line no-eval
const issue101 = eval(js)
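
Review bot: the `no-eval` suppression above `eval(js)` gives no reason; since `js` comes from a fixed fixture path under `__dirname`, state that in the comment so the exemption is not copied to code that evaluates external input. `readFileSync(...).toString()` can also pass `'utf8'` to `readFileSync` directly.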


🟠 Code Vulnerability

'eval' with argument of type Identifier

The eval function could execute malicious code if used with non-literal values. The argument provided to the eval method could be used to execute malicious code. If an attacker manages to control the eval argument they can execute arbitrary code.

In JavaScript, the eval() function evaluates or executes an argument if it's a string of JavaScript code. If this argument is influenced by user input or other external sources, it can lead to security vulnerabilities. Specifically, if an attacker can control or manipulate the value of the variable in eval(variable), they can execute arbitrary code.

You should avoid using eval at all costs, but if you face an advanced use case, use literal values that are under your control or sanitize the input. However, even then it is still recommended to avoid the use of eval as it has led to security breaches before.

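
The two flagged `eval` calls exist to compare a fixture's behaviour before and after rewriting; as an added example (not code from this PR or the project), the same comparison can run in isolated `node:vm` contexts instead of the test's own scope. The source strings, `evaluateIsolated` and `diffBehaviour` are hypothetical, and the rewritten string is written by hand rather than produced by `rewriteAst`.

```javascript
'use strict'
const vm = require('node:vm')

// Constructed fixture: arrow functions with expression bodies.
const ORIGINAL = `({
  inc: (a) => a + 1,
  wrap: (a) => ({ value: a }),
  last: (a, b) => (a, b)
})`

// Hand-written stand-in for rewriter output: each expression body becomes a
// block that returns the original expression (the real rewriteAst is not used).
const REWRITTEN = `({
  inc: (a) => { return a + 1 },
  wrap: (a) => { return ({ value: a }) },
  last: (a, b) => { return (a, b) }
})`

// Evaluate source in a fresh context: no access to the caller's locals,
// require or process, and string-based code generation inside it is disabled.
// node:vm limits scope; it is not a sandbox for hostile code.
function evaluateIsolated (source, filename) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: false, wasm: false }
  })
  return new vm.Script(source, { filename }).runInContext(context, { timeout: 1000 })
}

// Call every exported function with the same arguments in both versions and
// return the names whose results differ.
function diffBehaviour (originalSrc, rewrittenSrc, args) {
  const a = evaluateIsolated(originalSrc, 'original.js')
  const b = evaluateIsolated(rewrittenSrc, 'rewritten.js')
  const names = new Set([...Object.keys(a), ...Object.keys(b)])
  return [...names].filter((name) => {
    if (typeof a[name] !== 'function' || typeof b[name] !== 'function') return true
    return JSON.stringify(a[name](...args)) !== JSON.stringify(b[name](...args))
  })
}

console.log(diffBehaviour(ORIGINAL, REWRITTEN, [1, 2]))
```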

iunanua changed the title from "Do not reset context after visiting paren expressions" to "Transform arrow functions without block" on Dec 11, 2024
iunanua marked this pull request as ready for review December 12, 2024 08:40
iunanua requested a review from a team as a code owner December 12, 2024 08:40
@@ -0,0 +1,112 @@
'use strict'

function names(arg) {
Collaborator

For all the methods (why is it not failing the linter?)

Suggested change
function names(arg) {
function names (arg) {

Collaborator Author

test/resources is ignored

But I'm going to rename the methods

Collaborator Author

done

iunanua merged commit 47a9281 into main on Dec 12, 2024
16 checks passed
Successfully merging this pull request may close these issues.

Generated JS code behaves differently from original source code
2 participants