eslint-community · nzakas · Apr 10, 2024 · Apr 8, 2024 · Apr 9, 2024 · Apr 9, 2024
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -46,13 +46,13 @@
     "safe-regex": "^2.1.1"
   },
   "devDependencies": {
-    "@eslint/js": "^8.51.0",
+    "@eslint/js": "^9.0.0",
     "changelog": "1.3.0",
-    "eslint": "^8.51.0",
+    "eslint": "^9.0.0",
     "eslint-config-nodesecurity": "^1.3.1",
     "eslint-config-prettier": "^8.5.0",
     "eslint-doc-generator": "^1.7.0",
-    "eslint-plugin-eslint-plugin": "^5.1.1",
+    "eslint-plugin-eslint-plugin": "^5.5.1",
     "lint-staged": "^12.3.7",
     "markdownlint-cli": "^0.32.2",
     "mocha": "^9.2.2",

diff --git a/rules/detect-bidi-characters.js b/rules/detect-bidi-characters.js
@@ -78,7 +78,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-bidi-characters.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       Program: function (node) {
         report({

diff --git a/rules/detect-buffer-noassert.js b/rules/detect-buffer-noassert.js
@@ -61,7 +61,7 @@ module.exports = {
       write,
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         let index;

diff --git a/rules/detect-child-process.js b/rules/detect-child-process.js
@@ -23,7 +23,8 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-child-process.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
     return {
       CallExpression: function (node) {
         if (node.callee.name === 'require') {
@@ -41,19 +42,21 @@ module.exports = {
           return;
         }
 
+        const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
         // Reports non-literal `exec()` calls.
         if (
           !node.arguments.length ||
           isStaticExpression({
             node: node.arguments[0],
-            scope: context.getScope(),
+            scope,
           })
         ) {
           return;
         }
         const pathInfo = getImportAccessPath({
           node: node.callee,
-          scope: context.getScope(),
+          scope,
           packageNames: childProcessPackageNames,
         });
         const fnName = pathInfo && pathInfo.path.length === 1 && pathInfo.path[0];

diff --git a/rules/detect-disable-mustache-escape.js b/rules/detect-disable-mustache-escape.js
@@ -10,7 +10,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-disable-mustache-escape.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       AssignmentExpression: function (node) {
         if (node.operator === '=') {

diff --git a/rules/detect-new-buffer.js b/rules/detect-new-buffer.js
@@ -10,7 +10,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-new-buffer.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       NewExpression: function (node) {
         if (node.callee.name === 'Buffer' && node.arguments[0] && node.arguments[0].type !== 'Literal') {

diff --git a/rules/detect-no-csrf-before-method-override.js b/rules/detect-no-csrf-before-method-override.js
@@ -19,7 +19,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-no-csrf-before-method-override.md',
     },
   },
-  create: function (context) {
+  create(context) {
     let csrf = false;
 
     return {

diff --git a/rules/detect-non-literal-fs-filename.js b/rules/detect-non-literal-fs-filename.js
@@ -26,17 +26,19 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-fs-filename.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
     return {
-      CallExpression: function (node) {
+      CallExpression(node) {
         // don't check require. If all arguments are Literals, it's surely safe!
         if ((node.callee.type === 'Identifier' && node.callee.name === 'require') || node.arguments.every((argument) => argument.type === 'Literal')) {
           return;
         }
 
+        const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
         const pathInfo = getImportAccessPath({
           node: node.callee,
-          scope: context.getScope(),
+          scope,
           packageNames: fsPackageNames,
         });
         if (!pathInfo) {
@@ -79,7 +81,8 @@ module.exports = {
             continue;
           }
           const argument = node.arguments[index];
-          if (isStaticExpression({ node: argument, scope: context.getScope() })) {
+
+          if (isStaticExpression({ node: argument, scope })) {
             continue;
           }
           indices.push(index);

diff --git a/rules/detect-non-literal-regexp.js b/rules/detect-non-literal-regexp.js
@@ -21,17 +21,21 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-regexp.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
+
     return {
-      NewExpression: function (node) {
+      NewExpression(node) {
         if (node.callee.name === 'RegExp') {
           const args = node.arguments;
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           if (
             args &&
             args.length > 0 &&
             !isStaticExpression({
               node: args[0],
-              scope: context.getScope(),
+              scope,
             })
           ) {
             return context.report({ node: node, message: 'Found non-literal argument to RegExp Constructor' });

diff --git a/rules/detect-non-literal-require.js b/rules/detect-non-literal-require.js
@@ -21,17 +21,21 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-non-literal-require.md',
     },
   },
-  create: function (context) {
+  create(context) {
+    const sourceCode = context.sourceCode || context.getSourceCode();
+
     return {
-      CallExpression: function (node) {
+      CallExpression(node) {
         if (node.callee.name === 'require') {
           const args = node.arguments;
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           if (
             args &&
             args.length > 0 &&
             !isStaticExpression({
               node: args[0],
-              scope: context.getScope(),
+              scope,
             })
           ) {
             return context.report({ node: node, message: 'Found non-literal argument in require' });

diff --git a/rules/detect-object-injection.js b/rules/detect-object-injection.js
@@ -61,7 +61,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-object-injection.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         if (node.computed === true) {

diff --git a/rules/detect-possible-timing-attacks.js b/rules/detect-possible-timing-attacks.js
@@ -32,7 +32,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-possible-timing-attacks.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       IfStatement: function (node) {
         if (node.test && node.test.type === 'BinaryExpression') {

diff --git a/rules/detect-pseudoRandomBytes.js b/rules/detect-pseudoRandomBytes.js
@@ -19,7 +19,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-pseudoRandomBytes.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       MemberExpression: function (node) {
         if (node.property.name === 'pseudoRandomBytes') {

diff --git a/rules/detect-unsafe-regex.js b/rules/detect-unsafe-regex.js
@@ -25,7 +25,7 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-unsafe-regex.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
       Literal: function (node) {
         const token = context.getSourceCode().getTokens(node)[0];

diff --git a/test/rules/detect-child-process.js b/test/rules/detect-child-process.js
@@ -1,12 +1,7 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester({
-  parserOptions: {
-    ecmaVersion: 6,
-    sourceType: 'module',
-  },
-});
+const tester = new RuleTester();
 
 const ruleName = 'detect-child-process';
 const rule = require(`../../rules/${ruleName}`);

diff --git a/test/rules/detect-non-literal-fs-filename.js b/test/rules/detect-non-literal-fs-filename.js
@@ -1,12 +1,7 @@
 'use strict';
 
 const RuleTester = require('eslint').RuleTester;
-const tester = new RuleTester({
-  parserOptions: {
-    ecmaVersion: 13,
-    sourceType: 'module',
-  },
-});
+const tester = new RuleTester();
 
 const ruleName = 'detect-non-literal-fs-filename';
 
@@ -33,8 +28,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             const index = await fsp.readFile(path.resolve(__dirname, './index.html'), 'utf-8');
             const key = fs.readFileSync(path.join(__dirname, './ssl.key'));
             await fsp.writeFile(path.resolve(__dirname, './sitemap.xml'), sitemap);`,
-      globals: {
-        __dirname: 'readonly',
+      languageOptions: {
+        globals: {
+          __dirname: 'readonly',
+        },
       },
     },
     {
@@ -43,16 +40,20 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             import path from 'path';
             const dirname = path.dirname(__filename)
             const key = fs.readFileSync(path.resolve(dirname, './index.html'));`,
-      globals: {
-        __filename: 'readonly',
+      languageOptions: {
+        globals: {
+          __filename: 'readonly',
+        },
       },
     },
     {
       code: `
             import fs from 'fs';
             const key = fs.readFileSync(\`\${process.cwd()}/path/to/foo.json\`);`,
-      globals: {
-        process: 'readonly',
+      languageOptions: {
+        globals: {
+          process: 'readonly',
+        },
       },
     },
     `
@@ -65,8 +66,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
       code: `
       import fs from 'fs';
       const pkg = fs.readFileSync(require.resolve('eslint/package.json'), 'utf-8');`,
-      globals: {
-        require: 'readonly',
+      languageOptions: {
+        globals: {
+          require: 'readonly',
+        },
       },
     },
   ],
@@ -191,8 +194,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
             import fs from 'fs';
             import path from 'path';
             const key = fs.readFileSync(path.resolve(__dirname, foo));`,
-      globals: {
-        __filename: 'readonly',
+      languageOptions: {
+        globals: {
+          __filename: 'readonly',
+        },
       },
       errors: [{ message: 'Found readFileSync from package "fs" with non literal argument at index 0' }],
     },

diff --git a/test/rules/detect-non-literal-require.js b/test/rules/detect-non-literal-require.js
@@ -2,7 +2,7 @@
 
 const RuleTester = require('eslint').RuleTester;
 
-const tester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
+const tester = new RuleTester({ languageOptions: { sourceType: 'commonjs' } });
 
 const ruleName = 'detect-non-literal-require';
 
@@ -17,8 +17,10 @@ tester.run(ruleName, require(`../../rules/${ruleName}`), {
     },
     {
       code: "const utils = require(__dirname + '/utils');",
-      globals: {
-        __dirname: 'readonly',
+      languageOptions: {
+        globals: {
+          __dirname: 'readonly',
+        },
       },
     },
   ],

diff --git a/test/utils/import-utils.js b/test/utils/import-utils.js
@@ -8,17 +8,20 @@ const Linter = require('eslint').Linter;
 function getGetImportAccessPathResult(code) {
   const linter = new Linter();
   const result = [];
-  linter.defineRule('test-rule', {
+  const testRule = {
     create(context) {
+      const sourceCode = context.sourceCode || context.getSourceCode();
       return {
         'Identifier[name = target]'(node) {
           let expr = node;
           if (node.parent.type === 'MemberExpression' && node.parent.property === node) {
             expr = node.parent;
           }
+          const scope = sourceCode.getScope ? sourceCode.getScope(node) : context.getScope();
+
           const info = getImportAccessPath({
             node: expr,
-            scope: context.getScope(),
+            scope,
             packageNames: ['target', 'target-foo', 'target-bar'],
           });
           if (!info) return;
@@ -30,15 +33,18 @@ function getGetImportAccessPathResult(code) {
         },
       };
     },
-  });
+  };
 
   const linterResult = linter.verify(code, {
-    parserOptions: {
-      ecmaVersion: 6,
-      sourceType: 'module',
+    plugins: {
+      test: {
+        rules: {
+          'test-rule': testRule,
+        },
+      },
     },
     rules: {
-      'test-rule': 'error',
+      'test/test-rule': 'error',
     },
   });
   deepStrictEqual(linterResult, []);