oxlint-plugin-react-doctor 0.5.5-dev.bac7c82 → 0.5.5-dev.ea3b827

package/dist/index.d.ts

@@ -1440,6 +1440,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/insecure-session-cookie";
+  readonly id: "insecure-session-cookie";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/interactive-supports-focus";
   readonly id: "interactive-supports-focus";
@@ -2238,6 +2259,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/jwt-insecure-verification";
+  readonly id: "jwt-insecure-verification";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/key-lifecycle-risk";
   readonly id: "key-lifecycle-risk";
@@ -6144,6 +6186,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/request-body-mass-assignment";
+  readonly id: "request-body-mass-assignment";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/require-render-return";
   readonly id: "require-render-return";
@@ -7173,6 +7236,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/secret-in-fallback";
+  readonly id: "secret-in-fallback";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/self-closing-comp";
   readonly id: "self-closing-comp";
@@ -7446,6 +7530,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/supabase-table-missing-rls";
+  readonly id: "supabase-table-missing-rls";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/svg-filter-clickjacking-risk";
   readonly id: "svg-filter-clickjacking-risk";
@@ -7803,6 +7908,27 @@ declare const REACT_DOCTOR_RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/unsafe-json-in-html";
+  readonly id: "unsafe-json-in-html";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/untrusted-redirect-following";
   readonly id: "untrusted-redirect-following";
@@ -9339,6 +9465,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/insecure-session-cookie";
+  readonly id: "insecure-session-cookie";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/interactive-supports-focus";
   readonly id: "interactive-supports-focus";
@@ -10137,6 +10284,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/jwt-insecure-verification";
+  readonly id: "jwt-insecure-verification";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/key-lifecycle-risk";
   readonly id: "key-lifecycle-risk";
@@ -14043,6 +14211,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/request-body-mass-assignment";
+  readonly id: "request-body-mass-assignment";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/require-render-return";
   readonly id: "require-render-return";
@@ -15072,6 +15261,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/secret-in-fallback";
+  readonly id: "secret-in-fallback";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/self-closing-comp";
   readonly id: "self-closing-comp";
@@ -15345,6 +15555,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/supabase-table-missing-rls";
+  readonly id: "supabase-table-missing-rls";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/svg-filter-clickjacking-risk";
   readonly id: "svg-filter-clickjacking-risk";
@@ -15702,6 +15933,27 @@ declare const RULES: readonly [{
     readonly recommendation?: string;
     readonly create: (context: RuleContext) => RuleVisitors;
   };
+}, {
+  readonly key: "react-doctor/unsafe-json-in-html";
+  readonly id: "unsafe-json-in-html";
+  readonly source: "react-doctor";
+  readonly originallyExternal: false;
+  readonly rule: {
+    readonly framework: "global";
+    readonly category: "Security";
+    readonly tags: readonly string[];
+    readonly id: string;
+    readonly title?: string;
+    readonly severity: RuleSeverity;
+    readonly requires?: ReadonlyArray<string>;
+    readonly disabledBy?: ReadonlyArray<string>;
+    readonly defaultEnabled?: boolean;
+    readonly lifecycle?: "retired";
+    readonly scan?: FileScan;
+    readonly committedFilesOnly?: boolean;
+    readonly recommendation?: string;
+    readonly create: (context: RuleContext) => RuleVisitors;
+  };
 }, {
   readonly key: "react-doctor/untrusted-redirect-following";
   readonly id: "untrusted-redirect-following";

package/dist/index.js

@@ -8509,6 +8509,136 @@ const insecureCryptoRisk = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/find-matching-bracket.ts
+const findMatchingBracket = (content, openIndex) => {
+	const open = content[openIndex];
+	const close = open === "(" ? ")" : open === "{" ? "}" : open === "[" ? "]" : "";
+	if (close === "") return -1;
+	let depth = 0;
+	let stringDelimiter = null;
+	for (let index = openIndex; index < content.length; index += 1) {
+		const character = content[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === open) depth += 1;
+		else if (character === close) {
+			depth -= 1;
+			if (depth === 0) return index;
+		}
+	}
+	return -1;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/insecure-session-cookie.ts
+const AUTH_COOKIE_NAME_TOKEN = `(?<![A-Za-z0-9])(?:session|sess|sid|connect\\.sid|auth|jwt|access[_-]?token|refresh[_-]?token|id[_-]?token)(?![A-Za-z0-9])`;
+const AUTH_COOKIE_NAME_LITERAL = `[\`"'][^\`"']*?${AUTH_COOKIE_NAME_TOKEN}[^\`"']*[\`"']`;
+const AUTH_COOKIE_SET_CALL_PATTERN = new RegExp(`(?:\\.cookies\\.set|cookies\\(\\s*\\)\\.set|\\.cookie)\\s*\\(\\s*${AUTH_COOKIE_NAME_LITERAL}`, "gi");
+const HTTP_ONLY_DISABLED_PATTERN = /httpOnly\s*:\s*false\b/i;
+const STRING_LITERAL_PATTERN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g;
+const blankStringContents = (text) => {
+	const characters = text.split("");
+	let index = 0;
+	let stringDelimiter = null;
+	while (index < text.length) {
+		const character = text[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") {
+				index += 2;
+				continue;
+			}
+			if (character === stringDelimiter) stringDelimiter = null;
+			else if (character !== "\n") characters[index] = " ";
+			index += 1;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		index += 1;
+	}
+	return characters.join("");
+};
+const COOKIE_CONFIG_OPENER_PATTERN = /cookie\s*:\s*\{/gi;
+const CLIENT_AUTH_COOKIE_WRITE_PATTERN = new RegExp(`document\\.cookie\\s*=\\s*[\`"'][^\`"'=;]*?${AUTH_COOKIE_NAME_TOKEN}[^\`"'=;]*=`, "gi");
+const countTopLevelArguments = (argumentsSource) => {
+	if (argumentsSource.trim().length === 0) return 0;
+	let depth = 0;
+	let stringDelimiter = null;
+	let count = 1;
+	for (let index = 0; index < argumentsSource.length; index += 1) {
+		const character = argumentsSource[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === "(" || character === "[" || character === "{") depth += 1;
+		else if (character === ")" || character === "]" || character === "}") depth -= 1;
+		else if (character === "," && depth === 0) count += 1;
+	}
+	return count;
+};
+const addMatchFindings = (content, pattern, message, isInsecure, findings) => {
+	pattern.lastIndex = 0;
+	for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+		if (!isInsecure(match.index, match[0])) continue;
+		const location = getLocationAtIndex(content, match.index);
+		findings.push({
+			message,
+			line: location.line,
+			column: location.column
+		});
+	}
+};
+const insecureSessionCookie = defineRule({
+	id: "insecure-session-cookie",
+	title: "Auth cookie missing HttpOnly protection",
+	severity: "warn",
+	recommendation: "Set auth/session cookies server-side with `httpOnly: true`, `secure: true`, and `sameSite`. Cookies set via `document.cookie` or with `httpOnly: false` are readable by any XSS payload and can be stolen.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/cookie/i.test(content)) return [];
+		const findings = [];
+		const message = "An auth/session cookie is exposed to JavaScript (set via document.cookie, with httpOnly: false, or without cookie options), letting an XSS payload steal it.";
+		AUTH_COOKIE_SET_CALL_PATTERN.lastIndex = 0;
+		for (let match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content); match !== null; match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content)) {
+			const openParenIndex = match.index + match[0].lastIndexOf("(");
+			const closeParenIndex = findMatchingBracket(content, openParenIndex);
+			if (closeParenIndex < 0) continue;
+			const argumentsSource = content.slice(openParenIndex + 1, closeParenIndex);
+			const hasNoOptions = countTopLevelArguments(argumentsSource) < 3;
+			const argumentsWithoutStrings = argumentsSource.replace(STRING_LITERAL_PATTERN, "");
+			if (!hasNoOptions && !HTTP_ONLY_DISABLED_PATTERN.test(argumentsWithoutStrings)) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		const blankedContent = blankStringContents(content);
+		COOKIE_CONFIG_OPENER_PATTERN.lastIndex = 0;
+		for (let match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent); match !== null; match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent)) {
+			const braceIndex = match.index + match[0].length - 1;
+			const closeBraceIndex = findMatchingBracket(blankedContent, braceIndex);
+			const block = closeBraceIndex >= 0 ? blankedContent.slice(braceIndex, closeBraceIndex) : blankedContent.slice(braceIndex, braceIndex + 400);
+			if (!HTTP_ONLY_DISABLED_PATTERN.test(block)) continue;
+			const location = getLocationAtIndex(blankedContent, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		addMatchFindings(content, CLIENT_AUTH_COOKIE_WRITE_PATTERN, message, () => true, findings);
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/constants/event-handlers.ts
 const MOUSE_EVENT_HANDLERS = [
 	"onClick",
@@ -12714,6 +12844,64 @@ const jsxPropsNoSpreading = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/jwt-insecure-verification.ts
+const NONE_ALGORITHM_PATTERN = /\b(?:alg|algorithms?)\s*:\s*\[?\s*["'`]none["'`]/gi;
+const isIndexInsideStringLiteral = (content, index) => {
+	let stringDelimiter = null;
+	const templateExpressionDepths = [];
+	for (let cursor = 0; cursor < index; cursor += 1) {
+		const character = content[cursor];
+		if (stringDelimiter === "`") {
+			if (character === "\\") cursor += 1;
+			else if (character === "`") stringDelimiter = null;
+			else if (character === "$" && content[cursor + 1] === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				cursor += 1;
+			}
+			continue;
+		}
+		if (stringDelimiter !== null) {
+			if (character === "\\") cursor += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (templateExpressionDepths.length > 0) {
+			const top = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[top] += 1;
+			else if (character === "}") if (templateExpressionDepths[top] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+			} else templateExpressionDepths[top] -= 1;
+		}
+	}
+	return stringDelimiter !== null;
+};
+const jwtInsecureVerification = defineRule({
+	id: "jwt-insecure-verification",
+	title: "JWT verified with the 'none' algorithm",
+	severity: "error",
+	recommendation: "Never accept the `none` algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (`jwt.verify(token, key, { algorithms: ['RS256'] })`).",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/\bjwt\b|jsonwebtoken|\bjose\b/i.test(content)) return [];
+		const findings = [];
+		NONE_ALGORITHM_PATTERN.lastIndex = 0;
+		for (let noneMatch = NONE_ALGORITHM_PATTERN.exec(content); noneMatch !== null; noneMatch = NONE_ALGORITHM_PATTERN.exec(content)) {
+			if (isIndexInsideStringLiteral(content, noneMatch.index)) continue;
+			const location = getLocationAtIndex(content, noneMatch.index);
+			findings.push({
+				message: "JWT is configured with the 'none' algorithm, which disables signature verification, so any forged token is accepted.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/key-lifecycle-risk.ts
 const keyLifecycleRisk = defineRule({
 	id: "key-lifecycle-risk",
@@ -27925,6 +28113,20 @@ const repositorySecretFile = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/request-body-mass-assignment.ts
+const REQUEST_INPUT_SOURCE = "(?:req|request|ctx\\.req|ctx\\.request)\\.(?:body|query|params)|await\\s+(?:req|request)\\.json\\(\\s*\\)";
+const requestBodyMassAssignment = defineRule({
+	id: "request-body-mass-assignment",
+	title: "Request input spread without field allowlist",
+	severity: "warn",
+	recommendation: "Assign explicit, allowlisted fields (or validate with a strict schema and no `.passthrough()`) instead of spreading/merging request input. Otherwise the client can set ownership, role, or price columns (mass assignment) or pollute the prototype.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: [new RegExp(`\\.\\.\\.\\s*(?:${REQUEST_INPUT_SOURCE})`, "i"), new RegExp(`(?:Object\\.assign\\s*\\(|_\\.(?:merge|mergeWith|defaultsDeep)\\s*\\(|(?:^|[^.\\w])(?:merge|defaultsDeep)\\s*\\()[\\s\\S]{0,80}?(?:${REQUEST_INPUT_SOURCE})`, "i")],
+		message: "Request input is spread or merged into an object without a field allowlist, enabling mass assignment (client-set owner/role/price fields) or prototype pollution."
+	})
+});
+//#endregion
 //#region src/plugin/utils/function-body-has-return-with-value.ts
 const functionBodyHasReturnWithValue = (functionNode) => {
 	if (functionNode.type === "ArrowFunctionExpression" && "body" in functionNode) {
@@ -34350,6 +34552,17 @@ const scope = defineRule({
 		});
 	} })
 });
+const secretInFallback = defineRule({
+	id: "secret-in-fallback",
+	title: "Hardcoded secret fallback for env var",
+	severity: "error",
+	recommendation: "Remove the literal fallback and fail closed (throw when the variable is unset). The hardcoded value is a committed secret, and the `??`/`||` default makes the app run with it in any environment that forgot to set the var.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\bprocess\.env\.(?![A-Z0-9_]*(?:PUBLIC|PUBLISHABLE|ANON)\b)[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_?KEY|APIKEY|ACCESS_KEY|CLIENT_SECRET|CREDENTIAL|SIGNING_KEY|ENCRYPTION_KEY|WEBHOOK_SECRET|SERVICE_ROLE)[A-Z0-9_]*(?<!_(?:NAME|HEADER|ENDPOINT|URL|URI|ID|PREFIX|SUFFIX|PARAM|PARAMS|FIELD|ISSUER|AUDIENCE|ALGORITHM|ALG|REGION|BUCKET|HOST|HOSTNAME|PORT|PATH|VERSION|SCOPE|TYPE|FORMAT|EXPIRY|TTL))\s*(?:\?\?|\|\|)\s*(["'`])(?!(?:changeme|change[_-]?me|placeholder|your[_-]|example|sample|dummy|development|local|todo|replace[_-]?me|https?:\/\/|x{3,}|\*{3,}))[^"'`\n]{8,}\1/i,
+		message: "A secret env var has a hardcoded string fallback: the literal is a committed secret and the app fails open (uses it) when the variable is unset."
+	})
+});
 //#endregion
 //#region src/plugin/rules/react-builtins/self-closing-comp.ts
 const MESSAGE$2 = "This tag has no children, so the closing tag adds noise without changing output.";
@@ -35159,8 +35372,11 @@ const supabaseClientOwnedAuthzField = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-supabase-migration-path.ts
+const isSupabaseMigrationPath = (relativePath) => /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+//#endregion
 //#region src/plugin/rules/security-scan/utils/is-sql-path.ts
-const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || isSupabaseMigrationPath(relativePath);
 const supabaseRlsPolicyRisk = defineRule({
 	id: "supabase-rls-policy-risk",
 	title: "Permissive Supabase RLS policy",
@@ -35178,6 +35394,210 @@ const supabaseRlsPolicyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/sanitize-sql-for-scan.ts
+const DOLLAR_QUOTE_TAG_PATTERN = /^\$[A-Za-z_]?\w*\$/;
+const CODE_BODY_KEYWORDS = new Set([
+	"do",
+	"plpgsql",
+	"sql",
+	"plpython3u",
+	"plpythonu",
+	"plperl",
+	"plperlu",
+	"plv8"
+]);
+const precedingKeyword = (content, beforeIndex) => {
+	let lookBack = beforeIndex - 1;
+	while (lookBack >= 0 && /\s/.test(content[lookBack] ?? "")) lookBack -= 1;
+	let wordStart = lookBack;
+	while (wordStart >= 0 && /[A-Za-z0-9_]/.test(content[wordStart] ?? "")) wordStart -= 1;
+	return content.slice(wordStart + 1, lookBack + 1).toLowerCase();
+};
+const blankCodeBodyInterior = (content, characters, start, end) => {
+	let index = start;
+	let inExecuteStatement = false;
+	while (index < end) {
+		const character = content[index];
+		if (character === ";") {
+			inExecuteStatement = false;
+			index += 1;
+			continue;
+		}
+		if (/[A-Za-z_]/.test(character)) {
+			let wordEnd = index;
+			while (wordEnd < end && /[A-Za-z0-9_]/.test(content[wordEnd] ?? "")) wordEnd += 1;
+			if (content.slice(index, wordEnd).toLowerCase() === "execute") inExecuteStatement = true;
+			index = wordEnd;
+			continue;
+		}
+		if (character === "'") {
+			const keepVisible = inExecuteStatement;
+			if (!keepVisible) characters[index] = " ";
+			index += 1;
+			while (index < end) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						if (!keepVisible) {
+							characters[index] = " ";
+							characters[index + 1] = " ";
+						}
+						index += 2;
+						continue;
+					}
+					if (!keepVisible) characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (!keepVisible && content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < end) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < end && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < end) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+};
+const sanitizeSqlForScan = (content) => {
+	const characters = content.split("");
+	let index = 0;
+	while (index < content.length) {
+		const character = content[index];
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < content.length && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < content.length) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "'") {
+			characters[index] = " ";
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						characters[index] = " ";
+						characters[index + 1] = " ";
+						index += 2;
+						continue;
+					}
+					characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "$") {
+			const tagMatch = DOLLAR_QUOTE_TAG_PATTERN.exec(content.slice(index));
+			if (tagMatch !== null) {
+				const tag = tagMatch[0];
+				const closeIndex = content.indexOf(tag, index + tag.length);
+				const endIndex = closeIndex < 0 ? content.length : closeIndex + tag.length;
+				const keyword = precedingKeyword(content, index);
+				if (CODE_BODY_KEYWORDS.has(keyword)) blankCodeBodyInterior(content, characters, index + tag.length, endIndex);
+				else for (let blankIndex = index; blankIndex < endIndex; blankIndex += 1) if (content[blankIndex] !== "\n") characters[blankIndex] = " ";
+				index = endIndex;
+				continue;
+			}
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+	return characters.join("");
+};
+//#endregion
+//#region src/plugin/rules/security-scan/supabase-table-missing-rls.ts
+const CREATE_PUBLIC_TABLE_PATTERN = /create\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?(?!(?:auth|storage|realtime|vault|extensions|graphql|graphql_public|pgbouncer|net|supabase_functions|supabase_migrations|cron|pgsodium|pgmq|information_schema|pg_catalog|pg_temp|private|internal)\s*\.)(?:public\s*\.\s*)?["`]?([A-Za-z_][\w$]*)["`]?(?:\s*\(|\s+as\b)/gi;
+const enableRlsForTablePattern = (tableName) => new RegExp(`alter\\s+table\\s+(?:if\\s+exists\\s+)?(?:only\\s+)?(?:public\\s*\\.\\s*)?["\`]?${escapeRegExp(tableName)}["\`]?\\s+(?:force\\s+)?enable\\s+row\\s+level\\s+security`, "i");
+const supabaseTableMissingRls = defineRule({
+	id: "supabase-table-missing-rls",
+	title: "Supabase table created without Row Level Security",
+	severity: "error",
+	recommendation: "Enable RLS in the same migration (`alter table <name> enable row level security;`) and add `auth.uid()`-scoped policies for select/insert/update/delete. A public table without RLS is fully readable and writable with the public anon key.",
+	scan: (file) => {
+		if (!isSupabaseMigrationPath(file.relativePath)) return [];
+		const content = sanitizeSqlForScan(file.content);
+		if (!/create\s+(?:unlogged\s+)?table/i.test(content)) return [];
+		const findings = [];
+		CREATE_PUBLIC_TABLE_PATTERN.lastIndex = 0;
+		for (let match = CREATE_PUBLIC_TABLE_PATTERN.exec(content); match !== null; match = CREATE_PUBLIC_TABLE_PATTERN.exec(content)) {
+			const tableName = match[1];
+			if (tableName === void 0) continue;
+			if (enableRlsForTablePattern(tableName).test(content.slice(match.index))) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message: "Supabase migration creates a public table but never enables Row Level Security, leaving every row exposed to the anon key.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/svg-filter-clickjacking-risk.ts
 const svgFilterClickjackingRisk = defineRule({
 	id: "svg-filter-clickjacking-risk",
@@ -35876,6 +36296,47 @@ const tenantStaticProxyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/unsafe-json-in-html.ts
+const SINK_JSON_STRINGIFY_PATTERNS = [/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:[\s\S]{0,300}?\bJSON\.stringify\s*\(/gi, /<script\b[^>]*>(?:(?!<\/script>)[\s\S]){0,300}?\bJSON\.stringify\s*\(/gi];
+const RETURN_ESCAPE_PATTERN = /^[\s)]*\.replace\s*\([^)]*(?:\\u003[cC]|&lt;|<)/;
+const ESCAPE_WRAPPER_PATTERN = /(?:\b(?:escapeHtml|escapeJSON|escapeJson|htmlEscape|jsesc)|(?<![.\w])(?:serialize|serializeJavascript|devalue|uneval|superjson))\s*\(\s*$/i;
+const JSON_STRINGIFY_TOKEN_PATTERN = /\bJSON\.stringify\s*\($/i;
+const RETURN_LOOKAHEAD_CHARS = 160;
+const unsafeJsonInHtml = defineRule({
+	id: "unsafe-json-in-html",
+	title: "Unescaped JSON in HTML or script sink",
+	severity: "warn",
+	recommendation: "JSON.stringify does not HTML-escape, so a `<\/script>` (or `<`) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape `<`, `>`, and `&`, or pass data via a JSON `<script type=\"application/json\">` read with JSON.parse.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!content.includes("JSON.stringify")) return [];
+		const findings = [];
+		const seenIndices = /* @__PURE__ */ new Set();
+		for (const pattern of SINK_JSON_STRINGIFY_PATTERNS) {
+			pattern.lastIndex = 0;
+			for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+				const beforeStringify = match[0].replace(JSON_STRINGIFY_TOKEN_PATTERN, "");
+				if (ESCAPE_WRAPPER_PATTERN.test(beforeStringify)) continue;
+				const closeParenIndex = findMatchingBracket(content, match.index + match[0].length - 1);
+				if (closeParenIndex >= 0) {
+					const afterReturn = content.slice(closeParenIndex + 1, closeParenIndex + 1 + RETURN_LOOKAHEAD_CHARS);
+					if (RETURN_ESCAPE_PATTERN.test(afterReturn)) continue;
+				}
+				if (seenIndices.has(match.index)) continue;
+				seenIndices.add(match.index);
+				const location = getLocationAtIndex(content, match.index);
+				findings.push({
+					message: "JSON.stringify is embedded in HTML/script markup without HTML-escaping; data containing `<\/script>` or `<` breaks out and becomes XSS.",
+					line: location.line,
+					column: location.column
+				});
+			}
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/untrusted-redirect-following.ts
 const OUTBOUND_FETCH_CALL_PATTERN = /(?:(?<![.\w$])fetch|\baxios\.\s*(?:get|post|put|delete|head)|\bgot|\bgot\.\s*(?:get|post))\s*\(\s*([^,)]+)/;
 const CALLER_STYLE_URL_NAME_PATTERN = /\b(?:url|targetUrl|callbackUrl|redirectUrl|webhookUrl|companyUrl|websiteUrl|domainUrl|imageUrl|fetchUrl|next|return_to|returnTo|destination|location)\b/i;
@@ -37184,6 +37645,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...insecureCryptoRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/insecure-session-cookie",
+		id: "insecure-session-cookie",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...insecureSessionCookie,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...insecureSessionCookie.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/interactive-supports-focus",
 		id: "interactive-supports-focus",
@@ -37626,6 +38099,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...jsxPropsNoSpreading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/jwt-insecure-verification",
+		id: "jwt-insecure-verification",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...jwtInsecureVerification,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...jwtInsecureVerification.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/key-lifecycle-risk",
 		id: "key-lifecycle-risk",
@@ -39776,6 +40261,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...repositorySecretFile.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/request-body-mass-assignment",
+		id: "request-body-mass-assignment",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...requestBodyMassAssignment,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...requestBodyMassAssignment.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/require-render-return",
 		id: "require-render-return",
@@ -40364,6 +40861,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...scope.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/secret-in-fallback",
+		id: "secret-in-fallback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...secretInFallback,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...secretInFallback.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/self-closing-comp",
 		id: "self-closing-comp",
@@ -40520,6 +41029,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...supabaseRlsPolicyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/supabase-table-missing-rls",
+		id: "supabase-table-missing-rls",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseTableMissingRls,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseTableMissingRls.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/svg-filter-clickjacking-risk",
 		id: "svg-filter-clickjacking-risk",
@@ -40710,6 +41231,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...tenantStaticProxyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/unsafe-json-in-html",
+		id: "unsafe-json-in-html",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...unsafeJsonInHtml,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...unsafeJsonInHtml.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/untrusted-redirect-following",
 		id: "untrusted-redirect-following",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oxlint-plugin-react-doctor",
-  "version": "0.5.5-dev.bac7c82",
+  "version": "0.5.5-dev.ea3b827",
   "description": "oxlint plugin for React Doctor: diagnose React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",