JS-1333 fix(S7790): Prevent references to target FQNs from raising (#6394)

loris-s-sonarsource · web-flow · commit e0c7cb066d94 · 2026-02-17T16:44:54.000+01:00
diff --git a/packages/jsts/src/rules/S7790/cb.fixture.ts b/packages/jsts/src/rules/S7790/cb.fixture.ts
@@ -101,6 +101,11 @@ const ejsRequireCompile = ejsRequire.compile(getUserInput()); // Noncompliant {{
 const ejsStaticCompile = ejs.compile('<h1>Hello <%= name %></h1>'); // Compliant - static string
 const ejsStaticRender = ejs.render('<h1>Hello</h1>'); // Compliant - static string
 
+// Test case 19: pug.compile result called
+const compiledFn = pug.compile(template); // Noncompliant {{Make sure this dynamically formatted template is safe here.}}
+//                 ^^^^^^^^^^^
+compiledFn(user); // This call should not raise, even though the FQN matches.
+
 // Helper functions for testing
 function getUserInput(): string {
   return 'user-controlled-template';
diff --git a/packages/jsts/src/rules/S7790/rule.ts b/packages/jsts/src/rules/S7790/rule.ts
@@ -18,7 +18,12 @@
 
 import type { Rule } from 'eslint';
 import type estree from 'estree';
-import { generateMeta, getFullyQualifiedName } from '../helpers/index.js';
+import {
+  generateMeta,
+  getFullyQualifiedName,
+  getUniqueWriteReference,
+  getVariableFromScope,
+} from '../helpers/index.js';
 import * as meta from './generated-meta.js';
 
 const templatingFqns: Set<string> = new Set([
@@ -41,7 +46,12 @@ export const rule: Rule.RuleModule = {
         const callExpression = node as estree.CallExpression;
         const fqn = getFullyQualifiedName(context, callExpression);
 
-        if (fqn && templatingFqns.has(fqn) && isQuestionable(callExpression)) {
+        if (
+          fqn &&
+          templatingFqns.has(fqn) &&
+          !isCallingFunctionResult(context, callExpression) &&
+          isQuestionable(callExpression)
+        ) {
           context.report({
             messageId: 'reviewDynamicTemplate',
             node: callExpression.callee,
@@ -52,6 +62,27 @@ export const rule: Rule.RuleModule = {
   },
 };
 
+/**
+ * Returns true when the callee is a variable holding the result of a prior call,
+ * e.g. `const fn = pug.compile(tpl); fn(data);` — fn(data) is not a direct
+ * templating call, so we should not flag it again.
+ */
+function isCallingFunctionResult(
+  context: Rule.RuleContext,
+  callExpression: estree.CallExpression,
+): boolean {
+  const callee = callExpression.callee;
+  if (callee.type !== 'Identifier') {
+    return false;
+  }
+  const variable = getVariableFromScope(context.sourceCode.getScope(callee), callee.name);
+  if (!variable || variable.defs.some(def => def.type === 'ImportBinding')) {
+    return false;
+  }
+  const writeRef = getUniqueWriteReference(variable);
+  return writeRef?.type === 'CallExpression';
+}
+
 function isQuestionable(node: estree.CallExpression, index = 0): boolean {
   const args = node.arguments;
   const templateString = args[index] as estree.Expression | estree.SpreadElement | undefined;
