refacto update isrequire/isunsafecallee, remove new probe

src/probes/index.js

@@ -15,17 +15,15 @@ import isUnaryExpression from "./isUnaryExpression.js";
 import isWeakCrypto from "./isWeakCrypto.js";
 import isClassDeclaration from "./isClassDeclaration.js";
 import isMethodDefinition from "./isMethodDefinition.js";
-import isUnsafeEvalRequire from "./isUnsafeEvalRequire.js";
 
 // CONSTANTS
 const kListOfProbes = [
-  isUnsafeEvalRequire,
+  isRequire,
   isUnsafeCallee,
   isLiteral,
   isLiteralRegex,
   isRegexObject,
   isVariableDeclaration,
-  isRequire,
   isImportDeclaration,
   isMemberExpression,
   isAssignmentExpression,

src/probes/isRequire.js

@@ -11,28 +11,50 @@ import {
   getCallExpressionArguments
 } from "@nodesecure/estree-ast-utils";
 
-function validateNode(node, { tracer }) {
+function validateNode(node, option) {
   const id = getCallExpressionIdentifier(node);
+  const argument = getCallExpressionArguments(node);
+
   if (id === null) {
     return [false];
   }
 
-  const data = tracer.getDataFromIdentifier(id);
+  const data = option.tracer.getDataFromIdentifier(id);
+
+  if (data !== null && data.name === "require") {
+    return [
+      true,
+      data?.identifierOrMemberExpr ?? void 0
+    ];
+  }
+  else if (id === "eval" && argument[0] === "require") {
+    return [
+      true,
+      option?.identifiersName[0].name ?? void 0
+    ];
+  }
 
   return [
-    data !== null && data.name === "require",
-    data?.identifierOrMemberExpr ?? void 0
+    false,
+    null
   ];
 }
 
 function main(node, options) {
-  const { analysis } = options;
+  const { analysis, data: calleeName } = options;
   const { tracer } = analysis;
 
   if (node.arguments.length === 0) {
     return;
   }
   const arg = node.arguments.at(0);
+  const id = getCallExpressionIdentifier(node);
+
+
+  if (arg.value === "require" && id === "eval") {
+    analysis.addWarning("unsafe-import", calleeName, node.loc);
+    analysis.addDependency(calleeName, node.loc, true);
+  }
 
   switch (arg.type) {
     // const foo = "http"; require(foo);
@@ -48,12 +70,14 @@ function main(node, options) {
       }
       break;
 
-    // require("http")
+      // require("http")
     case "Literal":
-      analysis.addDependency(arg.value, node.loc);
+      if (arg.value !== "require") {
+        analysis.addDependency(arg.value, node.loc);
+      }
       break;
 
-    // require(["ht", "tp"])
+      // require(["ht", "tp"])
     case "ArrayExpression": {
       const value = [...arrayExpressionToString(arg, { tracer })]
         .join("")

src/probes/isUnsafeCallee.js

@@ -15,8 +15,6 @@ function main(node, options) {
   const { analysis, data: calleeName } = options;
 
   analysis.addWarning("unsafe-stmt", calleeName, node.loc);
-
-  return Symbol.for("skipWalk");
 }
 
 export default {

src/utils.js

@@ -13,7 +13,8 @@ export function isUnsafeCallee(node) {
   // For Function we are looking for this: `Function("...")();`
   // A double CallExpression
   return [
-    identifier === "eval" || (identifier === "Function" && node.callee.type === "CallExpression"),
+    (identifier === "eval" && node.callee.type === "Identifier") ||
+    (identifier === "Function" && node.callee.type === "CallExpression"),
     identifier
   ];
 }

test/issues/179-UnsafeEvalRequire.spec.js

@@ -21,4 +21,7 @@ test("should detect unsafe-import and unsafe-statement", () => {
   assert.equal(sastAnalysis.warnings.at(1).value, "eval");
   assert.equal(sastAnalysis.warnings.at(1).kind, kWarningUnsafeStatement);
   assert.equal(sastAnalysis.warnings.length, 2);
+  assert.equal(sastAnalysis.dependencies.has("stream"), true);
+  assert.equal(sastAnalysis.dependencies.get("stream").unsafe, true);
+  assert.equal(sastAnalysis.dependencies.size, 1);
 });