react-doctor/local-rpc-native-bridge-risk

A localhost or native bridge that accepts loose origins and exposes install/update or shell commands lets a malicious web page drive native actions on the user's machine.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files (.js/.ts/.jsx/.tsx, etc.); test/build/doc/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when a localhost/bridge token (127.0.0.1, localhost, Access-Control-Allow-Origin, or websocket/WebSocket) is followed within roughly 700 characters by a native-capability command: UpdateApp, InstallApp, child_process, or a bare exec(File)(Sync)( / spawn(Sync)( call (a negative lookbehind excludes method calls such as regex.exec()). Comments are stripped before matching. FALSE POSITIVE: the localhost reference and the command are unrelated pieces of code that merely co-occur within the window. Note that a generic verb (install, update, includes, indexOf used as ordinary state updates or dev-server helpers) is deliberately NOT matched, so it cannot be what fired the rule; the match must be one of the concrete native-capability calls listed above, and the validation question is only whether that call is reachable from the local listener.
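To make the heuristic concrete when triaging a hit, here is an added example that approximates the matching described above (comment stripping, a local/bridge token, a lookahead window of about 700 characters, and a negative lookbehind on bare exec/spawn calls). It is written for this page and is not the oxlint-plugin-react-doctor source; the comment stripper is deliberately simplified, and the two sample snippets it runs over are constructed for illustration.

```javascript
// Added example, not the plugin's own implementation.
// Tokens that suggest a localhost listener or a web-to-native bridge.
const LOCAL_TOKEN = /127\.0\.0\.1|localhost|Access-Control-Allow-Origin|websocket|WebSocket/g;

// Native-capability commands. The lookbehind (?<![\w.$]) rejects member
// calls such as regex.exec( and identifiers such as myExec(, so only a
// bare exec(/execFile(/execSync(/spawn(/spawnSync( call matches.
const NATIVE_CMD = /UpdateApp|InstallApp|child_process|(?<![\w.$])(?:exec(?:File)?(?:Sync)?|spawn(?:Sync)?)\s*\(/;

// Simplified comment stripper (assumption: good enough for triage). The
// "(^|[^:])" guard keeps the "//" inside "http://127.0.0.1" intact.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/[^\n]*/g, '$1');
}

// Returns one finding per local token that is followed, within `window`
// characters, by a native-capability command.
function findBridgeRisk(src, window = 700) {
  const code = stripComments(src);
  const findings = [];
  const tokenRe = new RegExp(LOCAL_TOKEN.source, 'g');
  let m;
  while ((m = tokenRe.exec(code)) !== null) {
    const start = m.index + m[0].length;
    const ahead = code.slice(start, start + window);
    const cmd = NATIVE_CMD.exec(ahead);
    if (cmd) findings.push({ token: m[0], command: cmd[0].trim(), at: m.index });
  }
  return findings;
}

// Constructed sample: the pattern the rule is meant to catch. A wildcard
// CORS header is followed by a bare exec() reachable from the request.
const VULNERABLE_SAMPLE = `
const { exec } = require('child_process');
const server = http.createServer((req, res) => {
  res.setHeader('Access-Control-Allow-Origin', '*');
  if (req.url.startsWith('/run')) exec(query.cmd, cb);
});
server.listen(8765, '127.0.0.1');
`;

// Constructed sample: a false-positive shape. "localhost" is followed by
// re.exec(, which the lookbehind excludes, so nothing fires.
const BENIGN_SAMPLE = `
const re = /^[a-z]+$/;
const isLocal = host === 'localhost';
const m = re.exec(host);
`;

module.exports = { stripComments, findBridgeRisk, VULNERABLE_SAMPLE, BENIGN_SAMPLE };
```

Running findBridgeRisk over the first sample reports a single finding anchored on the Access-Control-Allow-Origin header with command exec(; the trailing 127.0.0.1 token has nothing after it and produces none. The second sample reports nothing, which is the distinction the validation prompt asks you to make by hand.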

Fix prompt

Use this once validation confirms the diagnostic is real.

Treat the local server as a trust boundary: parse the request Origin with new URL(...) and check it against an exact allowlist (never substring or includes matching, never Access-Control-Allow-Origin: *), require a per-request nonce or CSRF token, and expose only narrow, named methods. Never let a web page trigger exec/spawn or native install/update; gate any privileged command behind out-of-band user confirmation and signed payloads.
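The hardened shape the fix prompt describes, as an added example written for this page (not code from React Doctor or any project it lints). It assumes a Node.js http listener on loopback, a hypothetical allowlist of two origins, a per-session nonce delivered to the page out-of-band by the native host, and two hypothetical narrow methods; the request and header names are likewise assumptions.

```javascript
// Added example: a localhost RPC bridge that treats the listener as a trust
// boundary. Assumed: Node.js, the allowlist, the nonce scheme and the method
// names below. No method reaches exec/spawn or install/update.
const http = require('http');
const crypto = require('crypto');

// Exact origins (scheme + host + port), compared as whole strings.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:5173']);

// Issued once per bridge session and handed to the page out-of-band (e.g. the
// native host opens the page with it); an arbitrary site cannot derive it.
const SESSION_NONCE = crypto.randomBytes(16).toString('hex');

// Narrow, named capabilities only.
const METHODS = {
  'version.get': () => ({ version: '1.0.0' }),
  'window.focus': () => ({ focused: true }),
};

function originAllowed(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // malformed, or the opaque "null" origin
  }
  // URL#origin normalises the tuple; "https://app.example.com.evil.com" is a
  // different origin and fails here, where includes() would have passed it.
  return allowlist.has(parsed.origin);
}

function nonceValid(presented, expected = SESSION_NONCE) {
  if (typeof presented !== 'string') return false;
  const a = Buffer.from(presented, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Pure dispatcher so the policy can be exercised without sockets.
function dispatch({ origin, nonce, method, params }) {
  if (!originAllowed(origin)) return { status: 403, error: 'origin not allowed' };
  if (!nonceValid(nonce)) return { status: 401, error: 'missing or invalid nonce' };
  // hasOwnProperty keeps "constructor", "__proto__" etc. from resolving.
  const handler = Object.prototype.hasOwnProperty.call(METHODS, method) ? METHODS[method] : null;
  if (!handler) return { status: 404, error: 'unknown method' };
  return { status: 200, result: handler(params) };
}

function createBridgeServer() {
  return http.createServer((req, res) => {
    const origin = req.headers.origin;
    const reply = (status, body) => {
      if (originAllowed(origin)) {
        // Echo the exact allowlisted origin back; never "*".
        res.setHeader('Access-Control-Allow-Origin', origin);
        res.setHeader('Vary', 'Origin');
      }
      res.writeHead(status, { 'Content-Type': 'application/json' });
      res.end(body === undefined ? undefined : JSON.stringify(body));
    };
    if (req.method === 'OPTIONS') return reply(originAllowed(origin) ? 204 : 403);
    if (req.method !== 'POST') return reply(405, { error: 'POST only' });
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 65536) req.destroy(); });
    req.on('end', () => {
      let body;
      try { body = JSON.parse(raw); } catch { return reply(400, { error: 'bad json' }); }
      reply(...Object.values({ s: 0 }).length ? [0] : []); // placeholder never used
    });
  });
}
```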