Whitelist Function("return this") from DANGEROUS_EVAL

[Juraj-Masiar]

Describe the problem and steps to reproduce it:

There is a huge bunch of libraries that uses this technique to "do something", although I can't tell for sure what it does:

Function("return this")
// returns global this??? This must be some legacy crap.

Example search of my "node_modules" folder with 44 matches:

(and some more that uses single quotes)

What happened?

DANGEROUS_EVAL          The Function constructor is eval.

The problem is that linter marks all these as DANGEROUS_EVAL, which is obviously not true, maybe SAFE_EVAL would be better :).

What did you expect to happen?

It would be nice to whitelist these from the detection.

┆Issue is synchronized with this Jira Task

[Rob--W]

In general the Function constructor with a fixed string is safe.

[Rob--W]

We decided to accept this given the harmlessness of this, along with the prevalence of this pattern.

While a fixed string is safe from the perspective of not offering remote code execution, we are only allowing known-safe strings (e.g. return this) instead of arbitrary strings, because allowing arbitrary strings can make it easier to obfuscate code with string escapes.

Patches are welcome :)