react_auditor/rules/security/
no_unsanitized_input.rs1use oxc_ast::ast::Program;
2use oxc_ast_visit::Visit;
3use oxc_semantic::Semantic;
4
5use crate::rules::{Rule, RuleFinding, RuleMeta, Severity};
6
7pub struct NoUnsanitizedInput;
8
9const RULE_META: RuleMeta = RuleMeta {
10 id: "no-unsanitized-input",
11 default_severity: Severity::Error,
12 category: "security",
13 description: "Sanitize user input before DOM insertion",
14};
15
16const DANGEROUS_ASSIGNMENTS: &[&str] = &["innerHTML", "outerHTML"];
17
18impl Rule for NoUnsanitizedInput {
19 fn meta(&self) -> &RuleMeta {
20 &RULE_META
21 }
22
23 fn run(&self, program: &Program, _semantic: &Semantic, source_text: &str) -> Vec<RuleFinding> {
24 let mut collector = UnsanitizedCollector {
25 findings: Vec::new(),
26 source: source_text,
27 };
28 collector.visit_program(program);
29 collector.findings
30 }
31}
32
33struct UnsanitizedCollector<'a> {
34 findings: Vec<RuleFinding>,
35 source: &'a str,
36}
37
38impl<'a> UnsanitizedCollector<'a> {
39 fn add_finding(&mut self, start: usize, msg: String) {
40 let line = self.source[..start].lines().count().max(1);
41 let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);
42 self.findings.push(RuleFinding {
43 line,
44 column: col + 1,
45 message: msg,
46 });
47 }
48}
49
50impl<'a> Visit<'a> for UnsanitizedCollector<'a> {
51 fn visit_assignment_expression(&mut self, expr: &oxc_ast::ast::AssignmentExpression<'a>) {
52 let prop = match &expr.left {
53 oxc_ast::ast::AssignmentTarget::StaticMemberExpression(m) => {
54 Some(m.property.name.as_str())
55 }
56 oxc_ast::ast::AssignmentTarget::ComputedMemberExpression(_) => None,
57 _ => None,
58 };
59
60 if let Some(prop) = prop
61 && DANGEROUS_ASSIGNMENTS.contains(&prop)
62 {
63 self.add_finding(
64 expr.span.start as usize,
65 format!("Direct assignment to `.{prop}` — sanitize user input first"),
66 );
67 }
68 }
69}