New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/git-provider-url-injection-risk

Interpolating request input into a Git provider URL without encoding lets an attacker inject extra path segments or parameters and redirect the request.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files (.js/.ts/.jsx/.tsx, etc.); test/build/doc/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when a literal Git-provider host (api.github.com, github.com, gitlab.com, or bitbucket.org) appears and, within the next ~200 chars up to the template's closing backtick, a ${…} interpolation reads request-shaped input — a member access on params/searchParams/query/req/request/input/payload, or the markers untrusted/decodeURI… — that is NOT wrapped in encodeURIComponent(. Only the first matching host is reported. FALSE POSITIVE: the interpolated value is an internal constant or config (a commit SHA, version string, or a bare owner/repo/slug/branch identifier) rather than external input — those are deliberately not matched — or the segment is already encodeURIComponent(...)-wrapped, which suppresses the finding.

Fix prompt

Use this once validation confirms the diagnostic is real.

Validate each path component (owner, repo, org, branch) against a strict slug allowlist (letters, digits, -, _, .) and reject anything else before building the URL. Encode every interpolated segment with encodeURIComponent, or build the URL with the URL/URLSearchParams API (or the provider SDK) instead of raw template strings, so input cannot add path segments, .., or query parameters.