react-auditor 0.1.6

A blazing-fast Rust CLI to scan JS/TS/React code for best practices, quality, and security issues.
Documentation
use oxc_ast::ast::Program;
use oxc_ast_visit::Visit;
use oxc_semantic::Semantic;

use crate::rules::{Rule, RuleFinding, RuleMeta, Severity};

pub struct NoEval;

const RULE_META: RuleMeta = RuleMeta {
    id: "no-eval",
    default_severity: Severity::Error,
    category: "security",
    description: "No eval, Function(), or setTimeout with string args",
};

impl Rule for NoEval {
    fn meta(&self) -> &RuleMeta {
        &RULE_META
    }

    fn run(&self, program: &Program, _semantic: &Semantic, source_text: &str) -> Vec<RuleFinding> {
        let mut collector = EvalCollector {
            findings: Vec::new(),
            source: source_text,
        };
        collector.visit_program(program);
        collector.findings
    }
}

struct EvalCollector<'a> {
    findings: Vec<RuleFinding>,
    source: &'a str,
}

impl<'a> Visit<'a> for EvalCollector<'a> {
    fn visit_call_expression(&mut self, expr: &oxc_ast::ast::CallExpression<'a>) {
        if let oxc_ast::ast::Expression::Identifier(ident) = &expr.callee {
            let name = ident.name.as_str();
            if name == "eval" {
                let start = expr.span.start as usize;
                let line = self.source[..start].lines().count().max(1);
                let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);
                self.findings.push(RuleFinding {
                    line,
                    column: col + 1,
                    message: "Unexpected `eval()` — security risk".to_string(),
                });
            }
        } else if let Some(member) = expr.callee.as_member_expression() {
            let name = member.static_property_name().unwrap_or("");
            let is_dynamic = name == "Function"
                || name == "constructor"
                || name == "setTimeout"
                || name == "setInterval";
            if is_dynamic {
                let obj = member.object();
                if let oxc_ast::ast::Expression::Identifier(ident) = obj
                    && (ident.name.as_str() == "window" || ident.name.as_str() == "globalThis")
                {
                    let start = expr.span.start as usize;
                    let line = self.source[..start].lines().count().max(1);
                    let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);
                    self.findings.push(RuleFinding {
                        line,
                        column: col + 1,
                        message: format!("Unexpected dynamic code execution via `{}`", name),
                    });
                }
            }
        }
    }
}