
Bug: object injection not detected #112

Closed
FizzBuzz791 opened this issue Jan 16, 2023 · 2 comments

What version of eslint-plugin-security are you using?

1.6.0

ESLint Environment

Node version: 16.19.0
npm version: 8.19.3
Local ESLint version: 8.0.1
Global ESLint version: 8.0.1
Operating System: Windows WSL2 running Ubuntu 20 LTS

What parser are you using?

@typescript-eslint/parser

What did you do?

Configuration
{
  "env": {
    "browser": true,
    "es2021": true
  },
  "extends": [
    "standard-with-typescript",
    "plugin:security/recommended",
    "prettier"
  ],
  "overrides": [],
  "parserOptions": {
    "ecmaVersion": "latest",
    "sourceType": "module",
    "project": "tsconfig.json"
  },
  "rules": {}
}

private readonly stateValueToEmoji: {
  readonly [stateValue in CloudWatch.StateValue]: string;
} = {
  ALARM: "🔥",
  INSUFFICIENT_DATA: "🤷‍♂️",
  OK: "👌",
};

public sendAlam = (alarm: CloudWatchAlarm) => {
  const previousEmoji = this.stateValueToEmoji[alarm.OldStateValue];
  ...
}

What did you expect to happen?

I expected an "object injection" error to be highlighted for this code: const previousEmoji = this.stateValueToEmoji[alarm.OldStateValue];

What actually happened?

Code passed.

Participation

  • I am willing to submit a pull request for this issue.

Additional comments

I'm a total security noob, just trying to get my local configuration to match GitLab so that I can improve the feedback loop. GitLab highlights const previousEmoji = this.stateValueToEmoji[alarm.OldStateValue]; as an "Object Injection" issue.
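The following is an added example, not code from this issue or from eslint-plugin-security, illustrating what security/detect-object-injection is warning about in a lookup like this.stateValueToEmoji[alarm.OldStateValue]: a bracket access whose key comes from data rather than a literal also resolves inherited property names, and the TypeScript mapped type only constrains the key at compile time, not for a payload parsed at run time. The alarm payloads, the STATE_VALUES allow-list and the helper names are constructed for the example.

```javascript
// Added example (not from the issue or eslint-plugin-security). Shows why a
// data-driven bracket lookup is flagged and how a run-time allow-list fixes it.

// Run-time counterpart of the CloudWatch.StateValue union (assumed values).
const STATE_VALUES = Object.freeze(["ALARM", "INSUFFICIENT_DATA", "OK"]);

const stateValueToEmoji = Object.freeze({
  ALARM: "🔥",
  INSUFFICIENT_DATA: "🤷‍♂️",
  OK: "👌",
});

// The pattern the rule flags: the key is whatever the payload carries.
// Object.freeze does not help here; inherited names such as "constructor"
// or "__proto__" still resolve through the prototype chain.
function emojiUnchecked(alarm) {
  return stateValueToEmoji[alarm.OldStateValue];
}

// Allow-list check that enforces the union at run time, so only the table's
// own keys ever reach the bracket lookup.
function isStateValue(value) {
  return typeof value === "string" && STATE_VALUES.includes(value);
}

function emojiChecked(alarm) {
  const state = alarm.OldStateValue;
  if (!isStateValue(state)) {
    throw new RangeError(`unexpected OldStateValue: ${String(state)}`);
  }
  return stateValueToEmoji[state];
}

// Constructed sample payloads (not real CloudWatch events).
const okAlarm = { AlarmName: "cpu-high", OldStateValue: "OK", NewStateValue: "ALARM" };
const oddAlarm = { AlarmName: "cpu-high", OldStateValue: "constructor", NewStateValue: "ALARM" };

// Runs both lookups over the samples and reports what each one produced.
function demo() {
  let oddCheckedThrows = false;
  try {
    emojiChecked(oddAlarm);
  } catch (err) {
    oddCheckedThrows = err instanceof RangeError;
  }
  return {
    okUnchecked: emojiUnchecked(okAlarm),              // "👌"
    oddUnchecked: typeof emojiUnchecked(oddAlarm),     // "function" (Object.prototype.constructor)
    okChecked: emojiChecked(okAlarm),                  // "👌"
    oddCheckedThrows,                                  // true
  };
}

console.log(demo());
```

The unchecked lookup never fails loudly: an unexpected key yields either undefined or an inherited function, which then flows onward as if it were an emoji string. The checked version is what the rule is nudging you toward; Object.hasOwn(table, key) or a Map keyed by the enum values are equivalent ways to keep inherited names out of the lookup.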

nzakas commented Jan 26, 2023

Can you explain a little bit more about your situation? Is GitLab running ESLint or something else? What is the actual output?

FWIW: I'm not sure how well our rules work with TypeScript as it's a different parsing tree.

nzakas commented Feb 14, 2024

No response, so closing.

nzakas closed this as not planned on Feb 14, 2024