Comments (5)
Bypass security/detect-object-injection when type safe.
What does this mean?
from eslint-plugin-security.
Given
const kfoo = Symbol('foo')
const kbar = 'bar'
const o: Partial<Record<typeof kfoo | typeof kbar, 42>> = {}
I think below code are safe, right?
// eslint-disable-next-line security/detect-object-injection
o[kfoo] = 42
// eslint-disable-next-line security/detect-object-injection
o[kbar] = 42
from eslint-plugin-security.
Again, I'm not quite sure what you're asking.
ESLint doesn't interpret code, it just looks for simple patterns. If you're implying that something in the first code block means the code in the second block shouldn't warn, that's not something this rule can do. It's not going to interpret TypeScript (which is expensive) to figure out if a later pattern would work.
from eslint-plugin-security.
Quote reply from typescript-eslint/typescript-eslint#7194
Unlike ESLint core - 3rd party plugins aren't restricted to just supporting JS and can support TS and consume types.
For this reason we do not create extension rules for 3rd party rules - we are not looking to compete with other plugins in the community.
It would be nice to let security/detect-object-injection
have better typescript support within eslint-community/eslint-plugin-security
.
It's not going to interpret TypeScript (which is expensive) to figure out if a later pattern would work.
Compare to human time, machine time is not so expensive.
Given
- typescript
obj[variable_key]
Would be nice to have option
- ignore
security/detect-object-injection
whenvariable_key
is subset ofkeyof typeof obj
from eslint-plugin-security.
As I mentioned, that type of check is expensive and not worth implementing. However, because this is an open source project, you can always copy the rule and make your own that does exactly what you want.
from eslint-plugin-security.
Related Issues (20)
- docs: maybe an error in the-dangers-of-square-bracket-notation HOT 1
- Bug: object injection not detected HOT 2
- A Suggestion for the Docs HOT 2
- New Rule: Detect invisible characters
- New Rule: disallow unicode confusable identifiers HOT 4
- Bug: `security/detect-non-literal-regexp` should ignore `escapeStringRegexp()` HOT 1
- Bug: `security/detect-object-injection` should be ignored when property is switch case discriminant. HOT 2
- Rule Change: (fill in) HOT 2
- Bug: Crashes ESLint due to circular reference in config HOT 4
- Bug: Converting circular structure to JSON when running eslint HOT 2
- Upgrade causes obscure error HOT 4
- Bug: false positive for security/detect-object-injection HOT 2
- Bug: Configuration using JSON eslintrc file HOT 2
- Bug: security/detect-eval-with-expression - "TypeError: Cannot read properties of undefined (reading: 'type') HOT 6
- Add support for flat config and types HOT 1
- ESLint v9 compatibility (TypeError: context.getScope is not a function) HOT 8
- Bug: (fill in) HOT 1
- Does This Plugin Support TypeScript? HOT 5
- Bug: no type definitions for eslint flat config HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from eslint-plugin-security.