False positive detect-non-literal-fs-filename on _.exists

[fluxsauce]

Using lodash 4.17.4 and lodash-exists 1.0.3.

const _ = require('lodash');
require('lodash-exists');

...

if (_.exists(memberId)) {
  this.memberId = memberId;
}

Found fs.exists with non literal argument at index 0 security/detect-non-literal-fs-filename

[evilpacket]

yup. This needs to be re-written to actually see if fs was used, track it's assignment and make sure that method calls are on those objects. It's not impossible, we do a hacky version of it in the child_process.exec check.

[ozsay]

@evilpacket any word on a possible fix?

[MeenaAlfons]

More false positives for security/detect-non-literal-fs-filename. Example:

Error:

Found fs.open with non literal argument at index 0
eslint(security/detect-non-literal-fs-filename)

[feenst]

Also fails for RegExp.prototype.exec():

Error:

Found fs.link with non-literal argument at index 0
eslint(security/detect-non-literal-fs-filename)

[joshuagoran]

I'm seeing similar false positives. any chance these might be resolved? for me, I'm seeing it with TestCafe assertions.

[ZuBB]

same for window.open()

[Luxcium]

same for me with exists in

// [...]
export async function some(key: string) {
  const tedis = new Tedis();
  ifThen(tedis.exists(key))
    .then(i=>i)
    .catch(error => console.error('error message:', error.message));
}
// [...]

[jbaris]

same for $uibModal.open()

[cata-on]

Same for .watch (with TS).
E.g.

const obj = {
  watch: (a: any): void => {
    console.log(a);
  },
};
obj.watch(obj);

[ota-meshi]

I believe this issue has been fixed in the latest version.
https://github.com/eslint-community/eslint-plugin-security/releases/tag/v1.6.0
It was fixed by PR #92.

[nzakas]

Agreed.

[fluxsauce]

Brilliant, thank you!