New Rule: enforceSafeSpreadOrder #17769

@randomhash

Description

Rule details

Rule must prevent property injection through the payloads

Related ECMAScript feature

Object spread

What type of rule is this?

Enforces a formatting/stylistic preference

Example code

Bad:

```js
// Each line is a separate illustrative snippet, not one program.
const params = {tenantId: id, ...searchOptions}
const params = {...options, tenantId: id, ...searchOptions}
await func({tenantId: id, ...searchOptions, ...options})
```

In this case, tenantId may be rewritten by the searchOptions and compromise application security.
To avoid such unintended situations we would want to warn developers about the danger and try to rearrange the actual order of the spread.

Good:

```js
// Each line is a separate illustrative snippet, not one program.
const params = {...searchOptions, tenantId: id}
const params = {...options, ...searchOptions, tenantId: id}
await func({...searchOptions, ...options, tenantId: id})
```

Problems around this may not be impactful in the short run, as for example searchOptions are validated, but security vulnerabilities are commonly a combination of a few small ones.
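As an added illustration (not code from the issue or from ESLint), here is a minimal ESLint-style rule implementing the check the issue asks for: an explicit property is reported when any spread element follows it in the same object literal, because the later spread can silently replace its value. Node shapes follow ESTree as ESLint exposes them; the AST at the bottom is hand-built so the check runs without the eslint package, and the rule and helper names are assumptions.

```javascript
// Static key name of a Property node, or null when it cannot be determined.
function keyName(prop) {
  if (prop.computed) return null; // computed keys cannot be reasoned about statically
  return prop.key.type === "Identifier" ? prop.key.name : String(prop.key.value);
}

// Returns the names of explicit properties that a later spread could override.
function findOverridableProps(objectExpression) {
  const props = objectExpression.properties;
  let lastSpread = -1;
  props.forEach((p, i) => { if (p.type === "SpreadElement") lastSpread = i; });
  return props
    .slice(0, Math.max(lastSpread, 0)) // everything before the last spread
    .filter((p) => p.type === "Property")
    .map(keyName)
    .filter((n) => n !== null);
}

// The rule in ESLint's module shape (hypothetical name): one report per overridable property.
const enforceSafeSpreadOrder = {
  meta: {
    type: "problem",
    docs: { description: "disallow spread elements after explicit properties" },
    schema: [],
  },
  create(context) {
    return {
      ObjectExpression(node) {
        for (const name of findOverridableProps(node)) {
          context.report({ node, message: `'${name}' can be overridden by a later spread; move spreads before it` });
        }
      },
    };
  },
};

// Hand-built ESTree fragments (constructed for this example).
const prop = (name) => ({ type: "Property", computed: false, key: { type: "Identifier", name } });
const spread = (name) => ({ type: "SpreadElement", argument: { type: "Identifier", name } });
const obj = (...properties) => ({ type: "ObjectExpression", properties });

// {tenantId: id, ...searchOptions} is reported; {...searchOptions, tenantId: id} is clean.
const bad = obj(prop("tenantId"), spread("searchOptions"));
const good = obj(spread("searchOptions"), prop("tenantId"));

// Stand-alone run: collect messages through a fake context instead of the ESLint engine.
const messages = [];
const listeners = enforceSafeSpreadOrder.create({ report: (r) => messages.push(r.message) });
listeners.ObjectExpression(bad);
listeners.ObjectExpression(good);
console.log(messages); // one message, about 'tenantId'
```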



### Why should this rule be in the core instead of a plugin?

I believe that this rule will improve the security posture of the codebases that are using ESLint

### Participation

- [ ] I am willing to submit a pull request to implement this rule.

### Additional comments

_No response_

Labels: archived due to age (this issue has been archived; please open a new issue for any further discussion), feature (this change adds a new feature to ESLint), rule (relates to ESLint's core rules)

Status: Complete