Ban use of lodash.template

elastic · May 18, 2021 · b4d5f4a · b4d5f4a
1 parent 79c94d3
commit b4d5f4a
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 15 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -711,6 +711,33 @@ module.exports = {
                 name: 'lodash/fp/assocPath',
                 message: 'Please use @elastic/safer-lodash-set instead',
               },
+              {
+                name: 'lodash',
+                importNames: ['template'],
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
+              {
+                name: 'lodash.template',
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
+              {
+                name: 'lodash/template',
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
+              {
+                name: 'lodash/fp',
+                importNames: ['template'],
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
+              {
+                name: 'lodash/fp/template',
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
               {
                 name: 'react-use',
                 message: 'Please use react-use/lib/{method} instead.',
@@ -730,6 +757,11 @@ module.exports = {
                 name: 'lodash.setwith',
                 message: 'Please use @elastic/safer-lodash-set instead',
               },
+              {
+                name: 'lodash.template',
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
               {
                 name: 'lodash/set',
                 message: 'Please use @elastic/safer-lodash-set instead',
@@ -738,6 +770,11 @@ module.exports = {
                 name: 'lodash/setWith',
                 message: 'Please use @elastic/safer-lodash-set instead',
               },
+              {
+                name: 'lodash/template',
+                message:
+                  'lodash.template is unsafe, and not compatible with our content security policy.',
+              },
             ],
           },
         ],
@@ -753,6 +790,18 @@ module.exports = {
             property: 'set',
             message: 'Please use @elastic/safer-lodash-set instead',
           },
+          {
+            object: 'lodash',
+            property: 'template',
+            message:
+              'lodash.template is unsafe, and not compatible with our content security policy.',
+          },
+          {
+            object: '_',
+            property: 'template',
+            message:
+              'lodash.template is unsafe, and not compatible with our content security policy.',
+          },
           {
             object: 'lodash',
             property: 'setWith',
@@ -1576,20 +1625,5 @@ module.exports = {
         '@typescript-eslint/prefer-ts-expect-error': 'error',
       },
     },
-    {
-      files: [
-        '**/public/**/*.{js,mjs,ts,tsx}',
-        '**/common/**/*.{js,mjs,ts,tsx}',
-        'packages/**/*.{js,mjs,ts,tsx}',
-      ],
-      rules: {
-        'no-restricted-imports': [
-          'error',
-          {
-            patterns: ['lodash/*', '!lodash/fp', 'rxjs/internal-compatibility'],
-          },
-        ],
-      },
-    },
   ],
 };
diff --git a/src/setup_node_env/harden/lodash_template.js b/src/setup_node_env/harden/lodash_template.js
@@ -10,6 +10,8 @@ var hook = require('require-in-the-middle');
 var isIterateeCall = require('lodash/_isIterateeCall');
 
 hook(['lodash'], function (lodash) {
+  // we use lodash.template here to harden third-party usage of this otherwise banned function.
+  // eslint-disable-next-line no-restricted-properties
   lodash.template = createProxy(lodash.template);
   return lodash;
 });
@@ -52,6 +54,9 @@ function createFpProxy(template) {
       // > Iteratee arguments are capped to avoid gotchas with variadic iteratees.
       // this means that we can't specify the options in the second argument to fp.template because it's ignored.
       // Instead, we're going to use the non-FP _.template with only the first argument which has already been patched
+
+      // we use lodash.template here to harden third-party usage of this otherwise banned function.
+      // eslint-disable-next-line no-restricted-properties
       return _.template(args[0]);
     },
   });

diff --git a/test/harden/lodash_template.js b/test/harden/lodash_template.js
@@ -8,6 +8,7 @@
 
 require('../../src/setup_node_env');
 const _ = require('lodash');
+// eslint-disable-next-line no-restricted-modules
 const template = require('lodash/template');
 const fp = require('lodash/fp');
 const fpTemplate = require('lodash/fp/template');
@@ -24,6 +25,7 @@ test('test setup ok', (t) => {
   t.end();
 });
 
+// eslint-disable-next-line no-restricted-properties
 [_.template, template].forEach((fn) => {
   test(`_.template('<%= foo %>')`, (t) => {
     const output = fn('<%= foo %>')({ foo: 'bar' });