Preview/oxlint #27
Closed
wants to merge 7 commits into from
28 changes: 28 additions & 0 deletions .oxlintrc.json
@@ -0,0 +1,28 @@
{
"plugins": ["import", "typescript", "unicorn"],
"env": {
"browser": true
},
"globals": {
"foo": "readonly"
},
"settings": {},
"rules": {
"eqeqeq": "warn",
"import/no-cycle": "error",
"react/self-closing-comp": [
"error",
{
"html": false
}
]
},
"overrides": [
{
"files": ["*.test.ts", "*.spec.ts"],
"rules": {
"@typescript-eslint/no-explicit-any": "off"
}
}
]
}
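Review bot: `react/self-closing-comp` is configured under `rules`, but `react` is not in the `plugins` array (`["import", "typescript", "unicorn"]`); confirm that oxlint still loads the react plugin when `plugins` is given explicitly, otherwise that rule will silently not run. The `"foo": "readonly"` global and the empty `settings` block read as placeholders; if this is only a preview config, the PR description should say so, and `foo` should be dropped or replaced with a real global before this lands.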
8 changes: 8 additions & 0 deletions coderabbit.yml
@@ -0,0 +1,8 @@
reviews:
path_filters: ["**/*.yml"]
tools:
# oxlint does not run if biome is enabled
biome:
enabled: false
yamllint:
enabled: false
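Review bot: the file is added as `coderabbit.yml` at the repo root, while CodeRabbit reads its configuration from `.coderabbit.yaml` (leading dot); check that this name is actually picked up, or the `biome: enabled: false` setting that the comment says is required for oxlint to run will have no effect. `path_filters: ["**/*.yml"]` also restricts reviews to YAML files, which would exclude `sampleReact.jsx`, the file this PR adds to exercise oxlint; either widen the filter or drop it.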
11 changes: 11 additions & 0 deletions sampleReact.jsx
@@ -0,0 +1,11 @@
function TestComponent() {
// ruleid:react-dangerouslysetinnerhtml
return <div dangerouslySetInnerHTML={createMarkup()} />;
}
Comment on lines +1 to +4
⚠️ Potential issue

Address the dangerouslySetInnerHTML security concern.

The use of dangerouslySetInnerHTML with an undefined createMarkup() function poses a security risk. If this is intentional for testing purposes, ensure proper sanitization and add clear documentation.

 function TestComponent() {
-    // ruleid:react-dangerouslysetinnerhtml
-    return <div dangerouslySetInnerHTML={createMarkup()} />;
+    // Example of unsafe HTML rendering - for testing purposes only
+    function createMarkup() {
+        return { __html: 'Safe &lt;script&gt; content' };
+    }
+    return <div dangerouslySetInnerHTML={createMarkup()} />;
 }
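Review bot: this suggestion defeats the fixture: it deletes the `// ruleid:react-dangerouslysetinnerhtml` marker that tells the lint test which finding is expected, and it still passes `dangerouslySetInnerHTML`, so the Biome `noDangerouslySetInnerHtml` finding quoted in this same comment would fire unchanged; defining `createMarkup` to return `'Safe &lt;script&gt; content'` only changes the payload, not the sink. If the goal is a lint-clean file, the `dangerouslySetInnerHTML` prop has to go; if the goal is to keep the test case, the original lines should stay and the file should be documented as a fixture instead.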
🧰 Tools
🪛 Biome (1.9.4)

[error] 3-3: Avoid passing content using the dangerouslySetInnerHTML prop.

Setting content using code can expose users to cross-site scripting (XSS) attacks

(lint/security/noDangerouslySetInnerHtml)

🤖 Prompt for AI Agents
In sampleReact.jsx lines 1 to 4, the use of dangerouslySetInnerHTML with an
undefined createMarkup() function is a security risk. To fix this, either define
the createMarkup() function to return sanitized HTML content or avoid using
dangerouslySetInnerHTML altogether. If its use is intentional for testing, add
clear comments explaining the purpose and ensure the HTML content is properly
sanitized before rendering.


function OkComponent() {
// OK
const discordClientKey = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';
return {__html: 'Первый &middot; Второй'};
}
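Review bot: nothing in `sampleReact.jsx` states that it is a lint fixture, yet that is what the `// ruleid:react-dangerouslysetinnerhtml` marker and the `// OK` case imply; add a header comment saying the file is intentionally non-functional test input for the oxlint preview, since `createMarkup` is never defined, `discordClientKey` is assigned but never read, and `OkComponent` returns a plain `{__html: ...}` object rather than JSX. The key string is realistic enough to trip Gitleaks' `discord-client-secret` rule (see the tool output quoted in the comments below), so also decide whether it should be allow-listed for secret scanning or whether firing the scanner is part of what this fixture is meant to test, and record that decision in the same comment; otherwise every future scan of the repository will flag this line.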
Comment on lines +6 to +10
⚠️ Potential issue

Remove or secure the Discord client secret.

The Discord client key should not be hardcoded in the source code. If this is for testing purposes, use environment variables or mock data.

 function OkComponent() {
-    // OK
-    const discordClientKey = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';
+    // Example of safe HTML rendering
+    const discordClientKey = process.env.DISCORD_CLIENT_KEY || 'mock-key-for-testing';
     return {__html: 'Первый &middot; Второй'};
 }
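Review bot: `process.env.DISCORD_CLIENT_KEY || 'mock-key-for-testing'` does not fix the underlying problem in a browser-side component: `.oxlintrc.json` in this PR enables only `env.browser`, so `process` is not a declared global in this config, and a value read from an environment variable at build time still ends up in the client bundle, where a Discord client secret should never be. The variable also remains unused, and the replacement comment `// Example of safe HTML rendering` is misleading because the function still returns an `{__html: ...}` object rather than rendering anything. If this is a secret-scanning fixture, keep the line and label it as such; if the key is real, it belongs on a server, not in a React component.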
🧰 Tools
🪛 Gitleaks (8.27.2)

8-8: Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.

(discord-client-secret)

🤖 Prompt for AI Agents
In sampleReact.jsx around lines 6 to 10, the Discord client key is hardcoded as
a string, which is insecure. Remove the hardcoded key from the source code and
instead retrieve it from environment variables or use mock data for testing.
This will prevent exposing sensitive credentials in the codebase.

🛠️ Refactor suggestion

Consider proper component return type.

The OkComponent returns an object with __html property instead of JSX. This is unusual for a React component and might cause issues.

 function OkComponent() {
-    const discordClientKey = process.env.DISCORD_CLIENT_KEY || 'mock-key-for-testing';
-    return {__html: 'Первый &middot; Второй'};
+    return <div>Первый &middot; Второй</div>;
 }
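Review bot: this refactor is cut against the previous suggestion's `process.env.DISCORD_CLIENT_KEY` line rather than the committed `discordClientKey` line, which is why the notice below reports the range as outside the PR's diff; it cannot be applied as-is. Returning `<div>Первый &middot; Второй</div>` is the right shape for a React component, but dropping the key line also removes the fixture's secret-detection case, so apply it only if that case is not wanted.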

Committable suggestion skipped: line range outside the PR's diff.


🤖 Prompt for AI Agents
In sampleReact.jsx around lines 6 to 10, the OkComponent returns an object with
a __html property instead of JSX, which is not the correct return type for a
React component. Modify the component to return valid JSX, such as a React
element or fragment, instead of an object. If the intent is to dangerously set
inner HTML, use the dangerouslySetInnerHTML attribute within a JSX element to
properly render the HTML content.