[bug] fixed tsr-detect-non-literal-fs-filename rule (#13)

webschik · Dec 29, 2018 · da4138a · da4138a
1 parent 8bcde56
commit da4138a
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 5 deletions.
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "tslint-config-security",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "description": "TSLint security rules",
   "main": "./index.js",
   "files": [

diff --git a/src/rules/tsrDetectNonLiteralFsFilenameRule.ts b/src/rules/tsrDetectNonLiteralFsFilenameRule.ts
@@ -9,7 +9,8 @@ export class Rule extends Lint.Rules.AbstractRule {
     }
 }
 
-const expressionsToCheck: string[] = ['fs', `require('fs')`, `require("fs")`];
+const expressionsToCheck: string[] = ['fs', `require('fs')`, 'require("fs")', 'require(`fs`)'];
+const reservedIdentifiers: string[] = ['__dirname'];
 
 class RuleWalker extends Lint.RuleWalker {
     visitPropertyAccessExpression(node: ts.PropertyAccessExpression) {
@@ -25,7 +26,48 @@ class RuleWalker extends Lint.RuleWalker {
                 const invalidArgumentIndices: number[] = fsArgsInfo.filter((index: number) => {
                     const arg: ts.Expression = methodArguments[index];
 
-                    return Boolean(arg && !stringLiteralKinds.includes(arg.kind));
+                    if (!arg) {
+                        return false;
+                    }
+                    const {kind} = arg;
+
+                    if (kind === ts.SyntaxKind.BinaryExpression) {
+                        const {left, right} = arg as ts.BinaryExpression;
+
+                        if (
+                            left &&
+                            left.kind === ts.SyntaxKind.Identifier &&
+                            reservedIdentifiers.includes(left.getText())
+                        ) {
+                            return Boolean(right && !stringLiteralKinds.includes(right.kind));
+                        }
+
+                        if (
+                            right &&
+                            right.kind === ts.SyntaxKind.Identifier &&
+                            reservedIdentifiers.includes(right.getText())
+                        ) {
+                            return Boolean(left && !stringLiteralKinds.includes(left.kind));
+                        }
+                    }
+
+                    if (kind === ts.SyntaxKind.TemplateExpression) {
+                        const {templateSpans = []} = arg as ts.TemplateExpression;
+                        const [firstTemplateSpan] = templateSpans;
+                        const firstTemplateSpanExpr: ts.Expression | void =
+                            firstTemplateSpan && firstTemplateSpan.expression;
+
+                        if (
+                            firstTemplateSpanExpr &&
+                            firstTemplateSpanExpr.kind === ts.SyntaxKind.Identifier &&
+                            reservedIdentifiers.includes(firstTemplateSpanExpr.getText()) &&
+                            !templateSpans[1]
+                        ) {
+                            return false;
+                        }
+                    }
+
+                    return !stringLiteralKinds.includes(kind);
                 });
 
                 if (invalidArgumentIndices[0] !== undefined) {

diff --git a/test/rules/tsr-detect-non-literal-fs-filename/default/test.ts.lint b/test/rules/tsr-detect-non-literal-fs-filename/default/test.ts.lint
@@ -33,4 +33,9 @@ require('lodash-exists');
 
 if (_.exists(memberId)) {
   this.memberId = memberId;
-}
+}
+
+fs.readFileSync(__dirname + 'filename.txt', 'utf-8')
+fs.readFileSync(`${__dirname}filename.txt`, 'utf-8')
+fs.readFileSync(`${__dirname}${path1}.txt`, 'utf-8')
+~~~~~~~~~~~~~~~                                      [Found fs.readFileSync with non-literal argument at index 0]