react-doctor/import-metadata-execution-risk

Evaluating imported metadata or file contents (EXIF, manifests, presets, uploads, archives) as code lets an attacker achieve remote code execution.

• Category: Security
• Severity: error
• Source: oxlint-plugin-react-doctor
• Framework: global
• Enabled when: production source files (.js/.ts/.jsx/.tsx, etc.); test/build/doc/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when an execution sink — eval, new Function, vm.runIn…, or child_process/cp.exec/spawn (and, when the file also imports a process module like child_process/execa/subprocess/Deno.run, a bare exec(File)(Sync)/spawn(Sync)() — is followed inside the same statement (≤200 chars, no ;) by a lowercase taint word: exif, metadata, manifest, preset, plugin, upload, dropped/drops, archive, zip, unzip, or untar. Comments are stripped before matching. FALSE POSITIVE: the taint word is a quoted string-literal argument (e.g. spawnSync('claude', ['plugin', …])) — static argument values are not matched — or it is part of a SCREAMING_CASE constant (PLUGIN_ID) or camelCase type (WorkflowMetadata), which the case-sensitive match excludes; a bare spawn(/exec( with no process-module evidence (xstate/redux-saga effects) is also ignored.

Fix prompt

Use this once validation confirms the diagnostic is real.

Never pass imported or derived metadata into an execution sink. Parse EXIF, manifests, and presets with a real parser and validate them against a strict schema (for example Zod) before use; extract archives with a library that writes to a sandboxed directory and checks for path and zip-slip traversal. If a subprocess is truly required, run a fixed binary with an explicit, validated argument array (never a shell string) and pass the metadata as inert data, not as the command.