https://github.com/millionco/react-doctor.git · lang: typescript · LOC: · source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 15 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 6 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| MINED087 Js Always True If | info | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| MINED058 React Dangerously Set Html | info | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
| MINED043 Http Not Https | info | 4 |
- MINED024 Js Eval Usage · CWE-95 · packages/oxlint-plugin-react-doctor/src/plugin/rules/security/no-eval.ts:17 · conf 1.00: eval() executes arbitrary code. Code injection risk.
- MINED035 Js New Function · CWE-95 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-new-function-as-prop.fixtures.ts:35 · conf 1.00: new Function(...) compiles strings to functions.
- MINED035 Js New Function · CWE-95 · packages/oxlint-plugin-react-doctor/src/plugin/rules/security/no-eval.ts:38 · conf 1.00: new Function(...) compiles strings to functions.
- SEC084 JS: require() with non-literal · packages/react-doctor/src/cli/utils/prompts.ts:24 · conf 1.00: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
- MINED031 React Direct State Mutation · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-direct-mutation-state.fixtures.ts:44 · conf 1.00: this.state.X = Y mutates without setState. React won't re-render.
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/ci.yml:20 · conf 0.90: Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/ci.yml:23 · conf 0.90: Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/ci.yml:25 · conf 0.90: Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/update-leaderboard.yml:17 · conf 0.90: Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/update-leaderboard.yml:20 · conf 0.90: Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/update-leaderboard.yml:22 · conf 0.90: Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
- SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input · packages/oxlint-plugin-react-doctor/src/plugin/rules/server/server-hoist-static-io.ts:85 · conf 1.00: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input · packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/rerender-defer-reads-hook.ts:58 · conf 1.00: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input · packages/react-doctor/src/cli/index.ts:36 · conf 1.00: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC040 innerHTML XSS — template literal with server-supplied data · packages/oxlint-plugin-react-doctor/scripts/generate-rule-registry.mjs:162 · conf 1.00: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- SEC040 innerHTML XSS — template literal with server-supplied data · packages/oxlint-plugin-react-doctor/src/plugin/rules/bundle-size/no-barrel-import.ts:55 · conf 1.00: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- SEC040 innerHTML XSS — template literal with server-supplied data · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-filename-extension.ts:86 · conf 1.00: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- SEC085 JS: child_process.exec with non-literal · packages/core/src/filter-diagnostics.ts:105 · conf 1.00: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
- SEC085 JS: child_process.exec with non-literal · packages/core/src/is-test-file.ts:36 · conf 1.00: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
- SEC085 JS: child_process.exec with non-literal · packages/core/src/parse-gitattributes-linguist.ts:15 · conf 1.00: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
- SEC100 CORS permissive Access-Control-Allow-Origin: * · packages/website/src/app/api/score/route.ts:58 · conf 1.00: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
- AGT006 React interval is created without an explicit cleanup · packages/oxlint-plugin-react-doctor/src/plugin/constants/js.ts:239 · conf 0.78
- AGT006 React interval is created without an explicit cleanup · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/rules-of-hooks.fixtures.ts:148 · conf 0.78
- AGT006 React interval is created without an explicit cleanup · packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/no-effect-chain.ts:44 · conf 0.78
- AGT006 React interval is created without an explicit cleanup · packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/rerender-functional-setstate.ts:37 · conf 0.78
- AUC001 No Repobility access matrix policy found · conf 0.92: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
- SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer" · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-target-blank.fixtures.ts:21 · conf 1.00: <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
- SEC045 eval()/exec() on stored or user-supplied data · packages/core/src/filter-diagnostics.ts:105 · conf 1.00: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- SEC045 eval()/exec() on stored or user-supplied data · packages/core/src/parse-gitattributes-linguist.ts:15 · conf 1.00: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- SEC045 eval()/exec() on stored or user-supplied data · packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/no-large-animated-blur.ts:35 · conf 1.00: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- AIC002 Source file name looks like an AI patch artifact · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/img-redundant-alt.ts:1 · conf 0.62
- AIC002 Source file name looks like an AI patch artifact · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/no-redundant-should-component-update.ts:1 · conf 0.62
- AIC003 Duplicated implementation block across source files · packages/core/src/utils/list-source-files.ts:10 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/core/vite.config.ts:9 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/no-noninteractive-element-to-interactive-role.fixtures.ts:28 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts:72 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts:1 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-set-state.fixtures.ts:15 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-set-state.fixtures.ts:60 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-string-refs.fixtures.ts:61 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts:1 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts:125 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts:356 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts:266 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts:578 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts:298 · conf 0.86
- AIC003 Duplicated implementation block across source files · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts:326 · conf 0.86
- MINED043 Http Not Https (and 1 more) · CWE-319 · conf 0.20: Same pattern found in 1 additional file. Review if needed.
- MINED043 Http Not Https · CWE-319 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/click-events-have-key-events.fixtures.ts:31 · conf 1.00: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
- MINED043 Http Not Https · CWE-319 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/interactive-supports-focus.fixtures.ts:53 · conf 1.00: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
- MINED043 Http Not Https · CWE-319 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/no-noninteractive-element-to-interactive-role.fixtures.ts:17 · conf 1.00: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
- MINED044 Js Console Log Prod (and 17 more) · CWE-532 · conf 0.20: Same pattern found in 17 additional files. Review if needed.
- MINED044 Js Console Log Prod · CWE-532 · packages/api/src/diagnose.ts:122 · conf 1.00: console.log left in code. Should be replaced with a logger or removed.
- MINED044 Js Console Log Prod · CWE-532 · packages/core/src/calculate-score.ts:74 · conf 1.00: console.log left in code. Should be replaced with a logger or removed.
- MINED044 Js Console Log Prod · CWE-532 · packages/core/src/load-config.ts:10 · conf 1.00: console.log left in code. Should be replaced with a logger or removed.
- MINED045 Ts Non Null Assertion (and 19 more) · CWE-476 · conf 0.20: Same pattern found in 19 additional files. Review if needed.
- MINED045 Ts Non Null Assertion · CWE-476 · packages/core/src/calculate-score.ts:7 · conf 1.00: x! asserts not null - bypasses null checks - TypeError if wrong.
- MINED045 Ts Non Null Assertion · CWE-476 · packages/core/src/utils/match-glob-pattern.ts:79 · conf 1.00: x! asserts not null - bypasses null checks - TypeError if wrong.
- MINED045 Ts Non Null Assertion · CWE-476 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/control-has-associated-label.ts:163 · conf 1.00: x! asserts not null - bypasses null checks - TypeError if wrong.
- MINED052 Ts Any Typed · CWE-704 · packages/oxlint-plugin-react-doctor/src/plugin/utils/rule-visitors.ts:10 · conf 1.00: `: any` used as type annotation. Defeats TypeScript type safety.
- MINED053 Placeholder Default Username · CWE-1392, CWE-798 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-script-url.fixtures.ts:17 · conf 1.00: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
- MINED054 Ts As Any · CWE-704 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-constructed-context-values.fixtures.ts:91 · conf 1.00: Casting to any (as any) bypasses type checking entirely.
- MINED054 Ts As Any · CWE-704 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-react-children.fixtures.ts:83 · conf 1.00: Casting to any (as any) bypasses type checking entirely.
- MINED054 Ts As Any · CWE-704 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/only-export-components.fixtures.ts:115 · conf 1.00: Casting to any (as any) bypasses type checking entirely.
- MINED056 React Key As Index (and 1 more) · CWE-682 · conf 0.20: Same pattern found in 1 additional file. Review if needed.
- MINED056 React Key As Index · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-max-depth.fixtures.ts:94 · conf 1.00: key={index} in map() — re-renders the wrong elements on re-order.
- MINED056 React Key As Index · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-array-index-key.fixtures.ts:111 · conf 1.00: key={index} in map() — re-renders the wrong elements on re-order.
- MINED056 React Key As Index · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-multi-comp.fixtures.ts:37 · conf 1.00: key={index} in map() — re-renders the wrong elements on re-order.
- MINED058 React Dangerously Set Html (and 7 more) · CWE-79 · conf 0.20: Same pattern found in 7 additional files. Review if needed.
- MINED058 React Dangerously Set Html · CWE-79 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/anchor-has-content.fixtures.ts:21 · conf 1.00: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
- MINED058 React Dangerously Set Html · CWE-79 · packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/heading-has-content.fixtures.ts:25 · conf 1.00: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
- MINED058 React Dangerously Set Html · CWE-79 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-danger-with-children.fixtures.ts:18 · conf 1.00: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
- MINED087 Js Always True If (and 1 more) · CWE-561 · conf 0.20: Same pattern found in 1 additional file. Review if needed.
- MINED087 Js Always True If · CWE-561 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-mount-set-state.fixtures.ts:202 · conf 1.00: if (true) — else branch unreachable. Likely debug residue.
- MINED087 Js Always True If · CWE-561 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts:224 · conf 1.00: if (true) — else branch unreachable. Likely debug residue.
- MINED087 Js Always True If · CWE-561 · packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts:162 · conf 1.00: if (true) — else branch unreachable. Likely debug residue.
- MINED088 React Conditional Hook (and 14 more) · CWE-682 · conf 0.20: Same pattern found in 14 additional files. Review if needed.
- MINED088 React Conditional Hook · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/js-performance/js-hoist-intl.ts:56 · conf 1.00: useState/useEffect inside if/loop violates the Rules of Hooks.
- MINED088 React Conditional Hook · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/nextjs/nextjs-no-client-fetch-for-server-data.ts:36 · conf 1.00: useState/useEffect inside if/loop violates the Rules of Hooks.
- MINED088 React Conditional Hook · CWE-682 · packages/oxlint-plugin-react-doctor/src/plugin/rules/nextjs/nextjs-no-client-side-redirect.ts:38 · conf 1.00: useState/useEffect inside if/loop violates the Rules of Hooks.
- SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 6 more) · conf 0.20: Same pattern found in 6 additional files. Review if needed.
- SEC040 innerHTML XSS — template literal with server-supplied data (and 5 more) · conf 0.20: Same pattern found in 5 additional files. Review if needed.
- SEC045 eval()/exec() on stored or user-supplied data (and 3 more) · conf 0.20: Same pattern found in 3 additional files. Review if needed.
- SEC085 JS: child_process.exec with non-literal (and 1 more) · conf 0.20: Same pattern found in 1 additional file. Review if needed.
- SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier · packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/rendering-hydration-mismatch-time.ts:55 · conf 0.10: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it is enumerable.