Skip to main content
ast-guard ships with 15 built-in security rules that cover common attack vectors. Each rule can be configured and combined to match your security requirements.

NoGlobalAccessRule

Blocks access to dangerous global objects via member expressions.
Blocks:
  • window.location
  • process.env
  • global.setTimeout
Allows:
  • console.log() (if configured)

ReservedPrefixRule

Prevents user code from declaring identifiers with reserved prefixes.
Blocks:
  • const __ag_hack = 1;
  • let __safe_bypass = true;

NoCallTargetAssignmentRule

Protects critical call targets from being reassigned or shadowed.
Blocks:
  • callTool = malicious; - Direct assignment
  • const callTool = () => {}; - Variable shadowing
  • const { callTool } = obj; - Destructuring shadowing
  • function callTool() {} - Function declaration shadowing

UnicodeSecurityRule

Detects Unicode-based attacks including Trojan Source and homoglyphs.
Trojan Source attacks (CVE-2021-42574) use Unicode bidirectional control characters to make code appear different than it actually executes. Always enable blockBidi: true for untrusted code.

StaticCallTargetRule

Enforces static string literals for call targets.
Blocks:
  • callTool(dynamicName, {}) - Variable as tool name
  • callTool(getToolName(), {}) - Function call as tool name
Allows:
  • callTool('users:list', {}) - Static string literal

NoRegexLiteralRule

Blocks or analyzes regex literals for ReDoS vulnerabilities.

DisallowedIdentifierRule

Blocks specific identifier names.

ForbiddenLoopRule

Restricts which loop constructs are allowed.

RequiredFunctionCallRule

Ensures code contains required function calls.

UnknownGlobalRule

Rejects references to undeclared identifiers (whitelist mode).

NoEvalRule

Blocks eval and dynamic code execution.
Blocks:
  • eval('code')
  • new Function('return 1')
  • setTimeout('code', 100) - String form

NoAsyncRule

Restricts async/await usage.

NoUserDefinedFunctionsRule

Blocks user-defined functions (prevents recursion).
Blocks:
  • function foo() {}
  • const fn = function() {}
Allows:
  • array.map(x => x * 2) - Arrow functions (if enabled)

UnreachableCodeRule

Detects code after return/throw statements.

CallArgumentValidationRule

Validates function call arguments.

Rule Severity

All rules support severity configuration: