chore(eslint): create a random id gen rule finder

logaretm · logaretm · commit 10c922992a86 · 2026-01-05T15:33:09.000+02:00
diff --git a/packages/core/.eslintrc.js b/packages/core/.eslintrc.js
@@ -1,4 +1,15 @@
 module.exports = {
   extends: ['../../.eslintrc.js'],
   ignorePatterns: ['rollup.npm.config.mjs'],
+  rules: {
+    '@sentry-internal/sdk/no-unsafe-random-apis': 'error',
+  },
+  overrides: [
+    {
+      files: ['test/**/*.ts', 'test/**/*.tsx'],
+      rules: {
+        '@sentry-internal/sdk/no-unsafe-random-apis': 'off',
+      },
+    },
+  ],
 };
diff --git a/packages/eslint-plugin-sdk/src/index.js b/packages/eslint-plugin-sdk/src/index.js
@@ -15,5 +15,6 @@ module.exports = {
     'no-regexp-constructor': require('./rules/no-regexp-constructor'),
     'no-focused-tests': require('./rules/no-focused-tests'),
     'no-skipped-tests': require('./rules/no-skipped-tests'),
+    'no-unsafe-random-apis': require('./rules/no-unsafe-random-apis'),
   },
 };
diff --git a/packages/eslint-plugin-sdk/src/rules/no-unsafe-random-apis.js b/packages/eslint-plugin-sdk/src/rules/no-unsafe-random-apis.js
@@ -0,0 +1,124 @@
+'use strict';
+
+/**
+ * @fileoverview Rule to enforce wrapping random/time APIs with runInRandomSafeContext
+ *
+ * This rule detects uses of APIs that generate random values or time-based values
+ * and ensures they are wrapped with `runInRandomSafeContext()` to ensure safe
+ * random number generation in certain contexts (e.g., React Server Components with caching).
+ */
+
+// APIs that should be wrapped with runInRandomSafeContext
+const UNSAFE_MEMBER_CALLS = [
+  { object: 'Date', property: 'now' },
+  { object: 'Math', property: 'random' },
+  { object: 'performance', property: 'now' },
+  { object: 'crypto', property: 'randomUUID' },
+  { object: 'crypto', property: 'getRandomValues' },
+];
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Enforce wrapping random/time APIs (Date.now, Math.random, performance.now, crypto.randomUUID) with runInRandomSafeContext',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    fixable: null,
+    schema: [],
+    messages: {
+      unsafeRandomApi:
+        '{{ api }} should be wrapped with runInRandomSafeContext() to ensure safe random/time value generation. Use: runInRandomSafeContext(() => {{ api }}). You can disable this rule with an eslint-disable comment if this usage is intentional.',
+    },
+  },
+  create: function (context) {
+    /**
+     * Check if a node is inside a runInRandomSafeContext call
+     */
+    function isInsideRunInRandomSafeContext(node) {
+      let current = node.parent;
+
+      while (current) {
+        // Check if we're inside a callback passed to runInRandomSafeContext
+        if (
+          current.type === 'CallExpression' &&
+          current.callee.type === 'Identifier' &&
+          current.callee.name === 'runInRandomSafeContext'
+        ) {
+          return true;
+        }
+
+        // Also check for arrow functions or regular functions passed to runInRandomSafeContext
+        if (
+          (current.type === 'ArrowFunctionExpression' || current.type === 'FunctionExpression') &&
+          current.parent?.type === 'CallExpression' &&
+          current.parent.callee.type === 'Identifier' &&
+          current.parent.callee.name === 'runInRandomSafeContext'
+        ) {
+          return true;
+        }
+
+        current = current.parent;
+      }
+
+      return false;
+    }
+
+    /**
+     * Check if a node is inside the safeRandomGeneratorRunner.ts file (the definition file)
+     */
+    function isInSafeRandomGeneratorRunner(_node) {
+      const filename = context.getFilename();
+      return filename.includes('safeRandomGeneratorRunner');
+    }
+
+    return {
+      CallExpression(node) {
+        // Skip if we're in the safeRandomGeneratorRunner.ts file itself
+        if (isInSafeRandomGeneratorRunner(node)) {
+          return;
+        }
+
+        // Check for member expression calls like Date.now(), Math.random(), etc.
+        if (node.callee.type === 'MemberExpression') {
+          const callee = node.callee;
+
+          // Get the object name (e.g., 'Date', 'Math', 'performance', 'crypto')
+          let objectName = null;
+          if (callee.object.type === 'Identifier') {
+            objectName = callee.object.name;
+          }
+
+          // Get the property name (e.g., 'now', 'random', 'randomUUID')
+          let propertyName = null;
+          if (callee.property.type === 'Identifier') {
+            propertyName = callee.property.name;
+          } else if (callee.computed && callee.property.type === 'Literal') {
+            propertyName = callee.property.value;
+          }
+
+          if (!objectName || !propertyName) {
+            return;
+          }
+
+          // Check if this is one of the unsafe APIs
+          const isUnsafeApi = UNSAFE_MEMBER_CALLS.some(
+            api => api.object === objectName && api.property === propertyName,
+          );
+
+          if (isUnsafeApi && !isInsideRunInRandomSafeContext(node)) {
+            context.report({
+              node,
+              messageId: 'unsafeRandomApi',
+              data: {
+                api: `${objectName}.${propertyName}()`,
+              },
+            });
+          }
+        }
+      },
+    };
+  },
+};
diff --git a/packages/eslint-plugin-sdk/test/lib/rules/no-unsafe-random-apis.test.ts b/packages/eslint-plugin-sdk/test/lib/rules/no-unsafe-random-apis.test.ts
@@ -0,0 +1,157 @@
+import { RuleTester } from 'eslint';
+import { describe, test } from 'vitest';
+// @ts-expect-error untyped module
+import rule from '../../../src/rules/no-unsafe-random-apis';
+
+describe('no-unsafe-random-apis', () => {
+  test('ruleTester', () => {
+    const ruleTester = new RuleTester({
+      parserOptions: {
+        ecmaVersion: 2020,
+      },
+    });
+
+    ruleTester.run('no-unsafe-random-apis', rule, {
+      valid: [
+        // Wrapped with runInRandomSafeContext - arrow function
+        {
+          code: 'runInRandomSafeContext(() => Date.now())',
+        },
+        {
+          code: 'runInRandomSafeContext(() => Math.random())',
+        },
+        {
+          code: 'runInRandomSafeContext(() => performance.now())',
+        },
+        {
+          code: 'runInRandomSafeContext(() => crypto.randomUUID())',
+        },
+        {
+          code: 'runInRandomSafeContext(() => crypto.getRandomValues(new Uint8Array(16)))',
+        },
+        // Wrapped with runInRandomSafeContext - regular function
+        {
+          code: 'runInRandomSafeContext(function() { return Date.now(); })',
+        },
+        // Nested inside runInRandomSafeContext
+        {
+          code: 'runInRandomSafeContext(() => { const x = Date.now(); return x + Math.random(); })',
+        },
+        // Expression inside runInRandomSafeContext
+        {
+          code: 'runInRandomSafeContext(() => Date.now() / 1000)',
+        },
+        // Other unrelated calls should be fine
+        {
+          code: 'const x = someObject.now()',
+        },
+        {
+          code: 'const x = Date.parse("2021-01-01")',
+        },
+        {
+          code: 'const x = Math.floor(5.5)',
+        },
+        {
+          code: 'const x = performance.mark("test")',
+        },
+      ],
+      invalid: [
+        // Direct Date.now() calls
+        {
+          code: 'const time = Date.now()',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Date.now()' },
+            },
+          ],
+        },
+        // Direct Math.random() calls
+        {
+          code: 'const random = Math.random()',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Math.random()' },
+            },
+          ],
+        },
+        // Direct performance.now() calls
+        {
+          code: 'const perf = performance.now()',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'performance.now()' },
+            },
+          ],
+        },
+        // Direct crypto.randomUUID() calls
+        {
+          code: 'const uuid = crypto.randomUUID()',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'crypto.randomUUID()' },
+            },
+          ],
+        },
+        // Direct crypto.getRandomValues() calls
+        {
+          code: 'const bytes = crypto.getRandomValues(new Uint8Array(16))',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'crypto.getRandomValues()' },
+            },
+          ],
+        },
+        // Inside a function but not wrapped
+        {
+          code: 'function getTime() { return Date.now(); }',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Date.now()' },
+            },
+          ],
+        },
+        // Inside an arrow function but not wrapped with runInRandomSafeContext
+        {
+          code: 'const getTime = () => Date.now()',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Date.now()' },
+            },
+          ],
+        },
+        // Inside someOtherWrapper
+        {
+          code: 'someOtherWrapper(() => Date.now())',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Date.now()' },
+            },
+          ],
+        },
+        // Multiple violations
+        {
+          code: 'const a = Date.now(); const b = Math.random();',
+          errors: [
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Date.now()' },
+            },
+            {
+              messageId: 'unsafeRandomApi',
+              data: { api: 'Math.random()' },
+            },
+          ],
+        },
+      ],
+    });
+  });
+});
+
