use oxc_ast::ast::Program;
use oxc_ast_visit::walk;
use oxc_ast_visit::Visit;
use oxc_semantic::Semantic;

use crate::rules::{Rule, RuleFinding, RuleMeta, Severity};
6
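/// Lint rule: flag direct writes to DOM properties that parse their value as HTML.
///
/// Unit struct with no configuration; all per-run state lives in the
/// collector that `Rule::run` builds. Derives are additive so the rule can be
/// registered by value, defaulted, or printed in diagnostics.
#[derive(Debug, Default, Clone, Copy)]
pub struct NoUnsanitizedInput;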
8
/// Metadata attached to every finding of this rule.
///
/// Severity defaults to `Error` rather than `Warning`: an unsanitized write to
/// an HTML-parsing property is a cross-site-scripting sink, not a style nit.
const RULE_META: RuleMeta = RuleMeta {
    id: "no-unsanitized-input",
    category: "security",
    default_severity: Severity::Error,
    description: "Sanitize user input before DOM insertion",
};
15
/// Property names whose assignment makes the browser parse the right-hand side
/// as HTML. The rule matches only the property name, not the receiver, so any
/// `x.innerHTML = …` is reported regardless of what `x` is.
///
/// Only assignment sinks are listed; call-style sinks (`insertAdjacentHTML`,
/// `document.write`) and the iframe `srcdoc` property are not covered here.
const DANGEROUS_ASSIGNMENTS: &[&str] = &[
    "innerHTML",
    "outerHTML",
];
17
impl Rule for NoUnsanitizedInput {
    /// Static id / severity / category / description for this rule.
    fn meta(&self) -> &RuleMeta {
        &RULE_META
    }

    /// Walk `program` and return every flagged sink write, in visitation order.
    ///
    /// `source_text` must be the exact text `program` was parsed from: the
    /// collector slices it by span byte offsets to derive line and column.
    /// The semantic model is ignored; this rule is purely syntactic and does
    /// no taint tracking.
    fn run(&self, program: &Program, _semantic: &Semantic, source_text: &str) -> Vec<RuleFinding> {
        let mut visitor = UnsanitizedCollector { source: source_text, findings: Vec::new() };
        visitor.visit_program(program);
        let UnsanitizedCollector { findings, .. } = visitor;
        findings
    }
}
32
/// Visitor state for a single `Rule::run`: the findings gathered so far plus
/// the source text used to turn span offsets into line/column positions.
struct UnsanitizedCollector<'a> {
    /// Text the visited `Program` was parsed from; indexed by span byte offsets.
    source: &'a str,
    /// Findings in the order the sink writes were visited.
    findings: Vec<RuleFinding>,
}
37
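/// Convert a byte offset into `source` to a 1-based `(line, column)` pair.
///
/// Columns are byte-based; on a line containing multi-byte characters the
/// column is larger than the character index. An offset past the end of
/// `source`, or one that does not fall on a char boundary, yields `(1, 1)`
/// instead of panicking, so a span/source mismatch degrades to a misplaced
/// finding rather than crashing the auditor on attacker-supplied input.
fn line_col(source: &str, start: usize) -> (usize, usize) {
    let Some(prefix) = source.get(..start) else {
        return (1, 1);
    };
    // Count newline bytes instead of `prefix.lines().count()`: `lines()` drops
    // the empty trailing segment, so an offset sitting at column 0 of a line
    // (e.g. a top-level `el.innerHTML = x;`) was reported on the previous line.
    let line = prefix.bytes().filter(|&b| b == b'\n').count() + 1;
    let line_start = prefix.rfind('\n').map_or(0, |i| i + 1);
    (line, start - line_start + 1)
}

impl<'a> UnsanitizedCollector<'a> {
    /// Record a finding whose span begins at byte offset `start` of the source.
    fn add_finding(&mut self, start: usize, msg: String) {
        let (line, column) = line_col(self.source, start);
        self.findings.push(RuleFinding {
            line,
            column,
            message: msg,
        });
    }
}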
49
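impl<'a> Visit<'a> for UnsanitizedCollector<'a> {
    /// Flag an assignment whose target is one of the HTML-parsing properties.
    ///
    /// Both the dotted form `el.innerHTML = x` and the bracket form
    /// `el["innerHTML"] = x` are recognised; a computed key that is not a
    /// plain string literal cannot be resolved statically and is left alone.
    /// The rule does no taint tracking, so every write to a listed sink is
    /// reported, including writes of constant strings.
    fn visit_assignment_expression(&mut self, expr: &oxc_ast::ast::AssignmentExpression<'a>) {
        use oxc_ast::ast::{AssignmentTarget, Expression};

        let prop: Option<&str> = match &expr.left {
            AssignmentTarget::StaticMemberExpression(m) => Some(m.property.name.as_str()),
            // `el["innerHTML"]` is the same sink spelled differently and must not
            // be a way around the rule; only a literal key is resolvable here.
            AssignmentTarget::ComputedMemberExpression(m) => match &m.expression {
                Expression::StringLiteral(key) => Some(key.value.as_str()),
                _ => None,
            },
            _ => None,
        };

        if let Some(prop) = prop
            && DANGEROUS_ASSIGNMENTS.contains(&prop)
        {
            self.add_finding(
                expr.span.start as usize,
                format!("Direct assignment to `.{prop}` — sanitize user input first"),
            );
        }

        // Keep descending. Overriding this visitor method replaces the default
        // walk, so without this call nothing inside the assignment is visited
        // and sink writes in callbacks such as `el.onload = () => { … }` or in
        // nested assignments would be missed.
        walk::walk_assignment_expression(self, expr);
    }
}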
69}