JS-1486 Fix S7784 false positive for JSON.stringify API serialization (#6713)

sonar-nigel[bot] · Vibe Bot · web-flow · commit 339f495bff06 · 2026-03-30T07:45:14.000Z
Co-authored-by: Vibe Bot &lt;vibe-bot@sonarsource.com&gt;
diff --git a/packages/analysis/src/jsts/rules/README.md b/packages/analysis/src/jsts/rules/README.md
@@ -568,7 +568,6 @@ SonarJS uses some rules are not shipped in this ESLint plugin to avoid duplicati
 | S7780           | [unicorn/prefer-string-raw](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-string-raw.md)                                                                |
 | S7781           | [unicorn/prefer-string-replace-all](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-string-replace-all.md)                                                |
 | S7783           | [unicorn/prefer-string-trim-start-end](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-string-trim-start-end.md)                                          |
-| S7784           | [unicorn/prefer-structured-clone](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-structured-clone.md)                                                    |
 | S7786           | [unicorn/prefer-type-error](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-type-error.md)                                                                |
 | S7787           | [unicorn/require-module-specifiers](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/require-module-specifiers.md)                                                |
 
@@ -661,6 +660,7 @@ The following rules are used in SonarJS but not available in this ESLint plugin.
 | S7759           | [unicorn/prefer-date-now](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-date-now.md)                                                                                                                                                                                                                                                                |
 | S7763           | [unicorn/prefer-export-from](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-export-from.md)                                                                                                                                                                                                                                                          |
 | S7770           | [unicorn/prefer-native-coercion-functions](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-native-coercion-functions.md)                                                                                                                                                                                                                              |
+| S7784           | [unicorn/prefer-structured-clone](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-structured-clone.md)                                                                                                                                                                                                                                                |
 | S7785           | [unicorn/prefer-top-level-await](https://github.com/sindresorhus/eslint-plugin-unicorn/blob/HEAD/docs/rules/prefer-top-level-await.md)                                                                                                                                                                                                                                                  |
 
 <!--- end decorated rules -->
diff --git a/packages/analysis/src/jsts/rules/S7784/decorator.ts b/packages/analysis/src/jsts/rules/S7784/decorator.ts
@@ -0,0 +1,94 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+// https://sonarsource.github.io/rspec/#/rspec/S7784/javascript
+
+import type { Rule } from 'eslint';
+import type estree from 'estree';
+import type { TSESTree } from '@typescript-eslint/utils';
+import { generateMeta } from '../helpers/generate-meta.js';
+import { interceptReport } from '../helpers/decorators/interceptor.js';
+import * as meta from './generated-meta.js';
+
+/**
+ * Decorates the unicorn/prefer-structured-clone rule to suppress reports when
+ * JSON.parse(JSON.stringify(x)) appears inside a JSON.stringify() call.
+ * In that context the intent is serialization normalization, not deep cloning.
+ */
+export function decorate(rule: Rule.RuleModule): Rule.RuleModule {
+  return interceptReport(
+    {
+      ...rule,
+      meta: generateMeta(meta, rule.meta),
+    },
+    (context, descriptor) => {
+      if (!('node' in descriptor) || !isInsideJsonStringify(descriptor.node)) {
+        context.report(descriptor);
+      }
+    },
+  );
+}
+
+/**
+ * Returns true when `node` is an argument (directly or nested in object/array/spread
+ * expressions) of a JSON.stringify() call.
+ */
+function isInsideJsonStringify(node: estree.Node): boolean {
+  let child = node as TSESTree.Node;
+  let parent = child.parent;
+
+  while (parent) {
+    const estreeParent = parent as unknown as estree.Node;
+    const estreeChild = child as unknown as estree.Node;
+    if (!isPassthroughContainer(estreeParent, estreeChild)) {
+      return isJsonStringifyCall(estreeParent);
+    }
+    child = parent;
+    parent = parent.parent;
+  }
+  return false;
+}
+
+/** Transparent containers that can appear between the reported node and JSON.stringify(). */
+function isPassthroughContainer(node: estree.Node, child: estree.Node): boolean {
+  switch (node.type) {
+    case 'ObjectExpression':
+    case 'ArrayExpression':
+    case 'SpreadElement':
+      return true;
+    case 'Property':
+      // Only passthrough when child is the value side, not the key side.
+      return (node as estree.Property).value === child;
+    default:
+      return false;
+  }
+}
+
+/** Returns true when `node` is a JSON.stringify(...) call expression. */
+function isJsonStringifyCall(node: estree.Node): boolean {
+  if (node.type !== 'CallExpression') {
+    return false;
+  }
+  const { callee } = node as estree.CallExpression;
+  return (
+    callee.type === 'MemberExpression' &&
+    !callee.computed &&
+    callee.object.type === 'Identifier' &&
+    callee.object.name === 'JSON' &&
+    callee.property.type === 'Identifier' &&
+    callee.property.name === 'stringify'
+  );
+}
diff --git a/packages/analysis/src/jsts/rules/S7784/index.ts b/packages/analysis/src/jsts/rules/S7784/index.ts
@@ -15,4 +15,6 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 import { rules } from '../external/unicorn.js';
-export const rule = rules['prefer-structured-clone'];
+import { decorate } from './decorator.js';
+
+export const rule = decorate(rules['prefer-structured-clone']);
diff --git a/packages/analysis/src/jsts/rules/S7784/meta.ts b/packages/analysis/src/jsts/rules/S7784/meta.ts
@@ -15,6 +15,8 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 // https://sonarsource.github.io/rspec/#/rspec/S7784/javascript
-export const implementation = 'external';
+export const implementation = 'decorated';
 export const eslintId = 'prefer-structured-clone';
-export const externalPlugin = 'unicorn';
+export const externalRules = [
+  { externalPlugin: 'unicorn', externalRule: 'prefer-structured-clone' },
+];
diff --git a/packages/analysis/src/jsts/rules/S7784/unit.test.ts b/packages/analysis/src/jsts/rules/S7784/unit.test.ts
@@ -0,0 +1,102 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+import { rule } from './index.js';
+import { rules } from '../external/unicorn.js';
+import { DefaultParserRuleTester } from '../../../../tests/jsts/tools/testers/rule-tester.js';
+import { describe, it } from 'node:test';
+
+const upstreamRule = rules['prefer-structured-clone'];
+
+// Sentinel: verify that the upstream ESLint rule still raises on the patterns our decorator fixes.
+// If this test starts failing (i.e., the upstream rule no longer reports these patterns),
+// it signals that the decorator can be safely removed.
+describe('S7784 upstream sentinel', () => {
+  it('upstream prefer-structured-clone raises on JSON.stringify-nested patterns that decorator suppresses', () => {
+    const ruleTester = new DefaultParserRuleTester();
+    ruleTester.run('prefer-structured-clone', upstreamRule, {
+      valid: [],
+      invalid: [
+        // direct argument to JSON.stringify() — suppressed by decorator, raised by upstream
+        { code: `const s = JSON.stringify(JSON.parse(JSON.stringify(data)));`, errors: 1 },
+        // nested in object literal inside JSON.stringify() — suppressed by decorator, raised by upstream
+        {
+          code: `const s = JSON.stringify({ items: JSON.parse(JSON.stringify(self.items)) });`,
+          errors: 1,
+        },
+        // nested in array literal inside JSON.stringify() — suppressed by decorator, raised by upstream
+        { code: `const s = JSON.stringify([JSON.parse(JSON.stringify(items[0]))]);`, errors: 1 },
+        // spread inside JSON.stringify() — suppressed by decorator, raised by upstream
+        { code: `const s = JSON.stringify({ ...JSON.parse(JSON.stringify(config)) });`, errors: 1 },
+        // computed property key, value position inside JSON.stringify() — suppressed by decorator, raised by upstream
+        {
+          code: `const s = JSON.stringify({ [key]: JSON.parse(JSON.stringify(model)) });`,
+          errors: 1,
+        },
+      ],
+    });
+  });
+});
+
+describe('S7784', () => {
+  it('S7784', () => {
+    const ruleTester = new DefaultParserRuleTester();
+    ruleTester.run('prefer-structured-clone', rule, {
+      valid: [
+        {
+          // direct argument to JSON.stringify(): serialization normalization, not deep clone
+          code: `const s = JSON.stringify(JSON.parse(JSON.stringify(data)));`,
+        },
+        {
+          // nested in object literal inside JSON.stringify() for API request body
+          code: `
+fetch('/api/save', {
+  method: 'POST',
+  body: JSON.stringify({
+    items: JSON.parse(JSON.stringify(self.items)),
+    blocks: JSON.parse(JSON.stringify(self.blocks)),
+  }),
+});
+          `,
+        },
+        {
+          // nested in array literal inside JSON.stringify()
+          code: `const s = JSON.stringify([JSON.parse(JSON.stringify(items[0]))]);`,
+        },
+        {
+          // spread inside JSON.stringify()
+          code: `const s = JSON.stringify({ ...JSON.parse(JSON.stringify(config)) });`,
+        },
+        {
+          // computed property key, value position inside JSON.stringify()
+          code: `const s = JSON.stringify({ [key]: JSON.parse(JSON.stringify(model)) });`,
+        },
+      ],
+      invalid: [
+        {
+          // genuine deep clone: not inside JSON.stringify()
+          code: `const clone = JSON.parse(JSON.stringify(original));`,
+          errors: 1,
+        },
+        {
+          // deep clone in object literal not passed to JSON.stringify()
+          code: `const obj = { copy: JSON.parse(JSON.stringify(state)) };`,
+          errors: 1,
+        },
+      ],
+    });
+  });
+});
