fix: Ensure empty eval() doesn't crash detect-eval-with-expression (#139)

nzakas · web-flow · commit 8a7c7db1e2b4 · 2024-02-14T13:23:51.000-05:00
diff --git a/rules/detect-eval-with-expression.js b/rules/detect-eval-with-expression.js
@@ -19,10 +19,10 @@ module.exports = {
       url: 'https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-eval-with-expression.md',
     },
   },
-  create: function (context) {
+  create(context) {
     return {
-      CallExpression: function (node) {
-        if (node.callee.name === 'eval' && node.arguments[0].type !== 'Literal') {
+      CallExpression(node) {
+        if (node.callee.name === 'eval' && node.arguments.length && node.arguments[0].type !== 'Literal') {
           context.report({ node: node, message: `eval with argument of type ${node.arguments[0].type}` });
         }
       },
diff --git a/test/rules/detect-eval-with-expression.js b/test/rules/detect-eval-with-expression.js
@@ -6,7 +6,7 @@ const tester = new RuleTester();
 const ruleName = 'detect-eval-with-expression';
 
 tester.run(ruleName, require(`../../rules/${ruleName}`), {
-  valid: [{ code: "eval('alert()')" }],
+  valid: [{ code: "eval('alert()')" }, { code: 'eval("some nefarious code");' }, { code: 'eval()' }],
   invalid: [
     {
       code: 'eval(a);',

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ const tester = new RuleTester();`
`6`	`6`	`const ruleName = 'detect-eval-with-expression';`
`7`	`7`
`8`	`8`	tester.run(ruleName, require(`../../rules/${ruleName}`), {
`9`		`- valid: [{ code: "eval('alert()')" }],`
	`9`	`+ valid: [{ code: "eval('alert()')" }, { code: 'eval("some nefarious code");' }, { code: 'eval()' }],`
`10`	`10`	`invalid: [`
`11`	`11`	`{`
`12`	`12`	`code: 'eval(a);',`