react-auditor 0.5.1

A blazing-fast Rust CLI to scan JS/TS/React code for best practices, quality, and security issues.
Documentation
use oxc_ast::ast::Program;
use oxc_ast_visit::Visit;
use oxc_semantic::Semantic;

use crate::rules::{Rule, RuleFinding, RuleMeta, Severity};

pub struct NoUnsafeIframe;

const RULE_META: RuleMeta = RuleMeta {
    id: "no-unsafe-iframe",
    default_severity: Severity::Warning,
    category: "security",
    description: "iframes should include `sandbox` and `title` attributes",
};

impl Rule for NoUnsafeIframe {
    fn meta(&self) -> &RuleMeta {
        &RULE_META
    }

    fn run(&self, program: &Program, _semantic: &Semantic, source_text: &str) -> Vec<RuleFinding> {
        let mut collector = UnsafeIframeCollector {
            findings: Vec::new(),
            source: source_text,
        };
        collector.visit_program(program);
        collector.findings
    }
}

struct UnsafeIframeCollector<'a> {
    findings: Vec<RuleFinding>,
    source: &'a str,
}

impl<'a> Visit<'a> for UnsafeIframeCollector<'a> {
    fn visit_jsx_opening_element(&mut self, el: &oxc_ast::ast::JSXOpeningElement<'a>) {
        let is_iframe = matches!(
            &el.name,
            oxc_ast::ast::JSXElementName::Identifier(id) if id.name.as_str() == "iframe"
        );
        if !is_iframe {
            return;
        }

        let mut has_sandbox = false;
        let mut has_title = false;

        for attr_item in &el.attributes {
            if let oxc_ast::ast::JSXAttributeItem::Attribute(attr) = attr_item
                && let oxc_ast::ast::JSXAttributeName::Identifier(ident) = &attr.name
            {
                match ident.name.as_str() {
                    "sandbox" => has_sandbox = true,
                    "title" => has_title = true,
                    _ => {}
                }
            }
        }

        let start = el.span.start as usize;
        let line = self.source[..start].lines().count().max(1);
        let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);

        if !has_sandbox {
            self.findings.push(RuleFinding {
                line,
                column: col + 1,
                message: "`<iframe>` is missing a `sandbox` attribute for security isolation"
                    .to_string(),
            });
        }
        if !has_title {
            self.findings.push(RuleFinding {
                line,
                column: col + 1,
                message: "`<iframe>` is missing a `title` attribute for accessibility".to_string(),
            });
        }
    }
}