Add test to ensure security related eslint rules are applied (#151434)

2025-06-27 10:40:07 -04:00 · 2023-02-24 16:48:11 +01:00 · 2023-02-24 16:48:11 +01:00 · e3dd7227e1
commit e3dd7227e1
parent e1f73db5bf
4 changed files with 80 additions and 0 deletions
--- a/.eslintrc.js
+++ b/.eslintrc.js
@ -778,6 +778,11 @@ module.exports = {
            name: 'lodash/fp/assocPath',
            message: 'Please use @kbn/safer-lodash-set/fp/assocPath instead',
          },
+          {
+            name: 'lodash/fp/template',
+            message:
+              'lodash.template is unsafe, and not compatible with our content security policy.',
+          },
          {
            name: 'lodash/template',
            message:
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -908,6 +908,7 @@ packages/kbn-yarn-lock-validator @elastic/kibana-operations
 # Kibana Platform Security
 /.github/codeql @elastic/kibana-security
 /.github/workflows/codeql.yml @elastic/kibana-security
+/src/dev/eslint/security_eslint_rule_tests.ts @elastic/kibana-security
 /src/plugins/telemetry/server/config/telemetry_labels.ts @elastic/kibana-security
 /test/interactive_setup_api_integration/ @elastic/kibana-security
 /test/interactive_setup_functional/ @elastic/kibana-security
--- a/src/dev/eslint/security_eslint_rule_tests.ts
+++ b/src/dev/eslint/security_eslint_rule_tests.ts
@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import * as a from 'lodash'; // eslint-disable-line no-restricted-imports
+import * as b from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+
+import { set as c } from 'lodash'; // eslint-disable-line no-restricted-imports
+import { setWith as d } from 'lodash'; // eslint-disable-line no-restricted-imports
+import { template as e } from 'lodash'; // eslint-disable-line no-restricted-imports
+
+// The following import statements can't be tested because they are not in our package.json
+// import 'lodash.set'; // eslint-disable-line no-restricted-imports
+// import 'lodash.setWith'; // eslint-disable-line no-restricted-imports
+// import 'lodash.template'; // eslint-disable-line no-restricted-imports
+
+import 'lodash/set'; // eslint-disable-line no-restricted-imports
+import 'lodash/setWith'; // eslint-disable-line no-restricted-imports
+import 'lodash/template'; // eslint-disable-line no-restricted-imports
+
+import { set as f } from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+import { setWith as g } from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+import { assoc as h } from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+import { assocPath as i } from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+import { template as j } from 'lodash/fp'; // eslint-disable-line no-restricted-imports
+
+import 'lodash/fp/set'; // eslint-disable-line no-restricted-imports
+import 'lodash/fp/setWith'; // eslint-disable-line no-restricted-imports
+import 'lodash/fp/assoc'; // eslint-disable-line no-restricted-imports
+import 'lodash/fp/assocPath'; // eslint-disable-line no-restricted-imports
+import 'lodash/fp/template'; // eslint-disable-line no-restricted-imports
+
+// The following require statements can't be tested because they are not in our package.json
+// require('lodash.set'); // eslint-disable-line no-restricted-modules
+// require('lodash.setWith'); // eslint-disable-line no-restricted-modules
+// require('lodash.template'); // eslint-disable-line no-restricted-modules
+
+require('lodash/set'); // eslint-disable-line no-restricted-modules
+require('lodash/setWith'); // eslint-disable-line no-restricted-modules
+require('lodash/template'); // eslint-disable-line no-restricted-modules
+
+require('lodash/fp/set'); // eslint-disable-line no-restricted-modules
+require('lodash/fp/setWith'); // eslint-disable-line no-restricted-modules
+require('lodash/fp/assoc'); // eslint-disable-line no-restricted-modules
+require('lodash/fp/assocPath'); // eslint-disable-line no-restricted-modules
+require('lodash/fp/template'); // eslint-disable-line no-restricted-modules
+
+const lodash = {
+  set() {},
+  setWith() {},
+  assoc() {},
+  assocPath() {},
+  template() {},
+};
+lodash.set(); // eslint-disable-line no-restricted-properties
+lodash.setWith(); // eslint-disable-line no-restricted-properties
+lodash.assoc(); // eslint-disable-line no-restricted-properties
+lodash.assocPath(); // eslint-disable-line no-restricted-properties
+lodash.template(); // eslint-disable-line no-restricted-properties
+
+const _ = lodash;
+_.set(); // eslint-disable-line no-restricted-properties
+_.setWith(); // eslint-disable-line no-restricted-properties
+_.assoc(); // eslint-disable-line no-restricted-properties
+_.assocPath(); // eslint-disable-line no-restricted-properties
+_.template(); // eslint-disable-line no-restricted-properties
+
+// hack to ensure all imported variables are used
+module.exports = [a, b, c, d, e, f, g, h, i, j];
--- a/test/harden/lodash_template.js
+++ b/test/harden/lodash_template.js
@ -11,6 +11,7 @@ const _ = require('lodash');
 // eslint-disable-next-line no-restricted-modules
 const template = require('lodash/template');
 const fp = require('lodash/fp');
+// eslint-disable-next-line no-restricted-modules
 const fpTemplate = require('lodash/fp/template');
 const test = require('tape');