docs: Update detect-object-injection docs

nzakas · nzakas · commit 91fe935c4afa · 2024-02-14T13:37:21.000-05:00
fixes #136
diff --git a/docs/rules/detect-object-injection.md b/docs/rules/detect-object-injection.md
@@ -4,4 +4,35 @@
 
 <!-- end auto-generated rule header -->
 
+JavaScript allows you to use expressions to access object properties in addition to using dot notation. So instead of writing this:
+
+```js
+object.name = 'foo';
+```
+
+You can write this:
+
+```js
+object['name'] = 'foo';
+```
+
+Square bracket notation allows any expression to be used in place of an identifier, so you can also do this:
+
+```js
+const key = 'name';
+object[key] = 'foo';
+```
+
+By doing so, you've now obfuscated the property name from the reader, which makes it easy for a malicious actor to replace the value of `key` and change the behavior of the code.
+
+This rule flags any expression in the form of `object[expression]` no matter where it occurs. Examples of patterns this will be flagged are:
+
+```js
+object[key] = value;
+
+value = object[key];
+
+doSomething(object[key]);
+```
+
 More information: [The Dangers of Square Bracket Notation](../the-dangers-of-square-bracket-notation.md)
