0xray 2.0.0

package/dist/security/security-auditor.js

@@ -0,0 +1,584 @@
+/**
+ * Security Audit Tool
+ *
+ * Comprehensive security auditing for the framework and its components.
+ * Identifies vulnerabilities, misconfigurations, and security weaknesses.
+ *
+ * @version 1.0.0
+ * @since 2026-01-07
+ */
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join } from "path";
+import { frameworkLogger } from "../core/framework-logger.js";
+export class SecurityAuditor {
+    dangerousPatterns = [
+        // Code injection
+        {
+            pattern: /eval\s*\(/g,
+            severity: "critical",
+            category: "code-injection",
+            cwe: "CWE-95",
+        },
+        {
+            pattern: /Function\s*\(/g,
+            severity: "critical",
+            category: "code-injection",
+            cwe: "CWE-95",
+        },
+        {
+            pattern: /new\s+Function\s*\(/g,
+            severity: "critical",
+            category: "code-injection",
+            cwe: "CWE-95",
+        },
+        // Command injection
+        {
+            pattern: /child_process\.exec\s*\(/g,
+            severity: "high",
+            category: "command-injection",
+            cwe: "CWE-78",
+        },
+        {
+            pattern: /child_process\.spawn\s*\(/g,
+            severity: "high",
+            category: "command-injection",
+            cwe: "CWE-78",
+        },
+        {
+            pattern: /execSync\s*\(/g,
+            severity: "high",
+            category: "command-injection",
+            cwe: "CWE-78",
+        },
+        // SQL injection (if applicable)
+        {
+            pattern: /SELECT.*\+/g,
+            severity: "high",
+            category: "sql-injection",
+            cwe: "CWE-89",
+        },
+        {
+            pattern: /INSERT.*\+/g,
+            severity: "high",
+            category: "sql-injection",
+            cwe: "CWE-89",
+        },
+        // Path traversal
+        {
+            pattern: /\.\.[\/\\]/g,
+            severity: "high",
+            category: "path-traversal",
+            cwe: "CWE-22",
+        },
+        {
+            pattern: /path\.join\s*\(\s*\.\./g,
+            severity: "high",
+            category: "path-traversal",
+            cwe: "CWE-22",
+        },
+        // Hardcoded secrets
+        {
+            pattern: /password\s*[:=]\s*['"][^'"]*['"]/gi,
+            severity: "high",
+            category: "hardcoded-secrets",
+            cwe: "CWE-798",
+        },
+        {
+            pattern: /api[_-]?key\s*[:=]\s*['"][^'"]*['"]/gi,
+            severity: "high",
+            category: "hardcoded-secrets",
+            cwe: "CWE-798",
+        },
+        {
+            pattern: /secret\s*[:=]\s*['"][^'"]*['"]/gi,
+            severity: "high",
+            category: "hardcoded-secrets",
+            cwe: "CWE-798",
+        },
+        // Insecure random
+        {
+            pattern: /Math\.random\s*\(\)/g,
+            severity: "medium",
+            category: "weak-cryptography",
+            cwe: "CWE-338",
+        },
+        // Console logging sensitive data
+        {
+            pattern: /console\.log\s*\([^)]*password[^)]*\)/gi,
+            severity: "medium",
+            category: "information-disclosure",
+            cwe: "CWE-532",
+        },
+        {
+            pattern: /console\.log\s*\([^)]*secret[^)]*\)/gi,
+            severity: "medium",
+            category: "information-disclosure",
+            cwe: "CWE-532",
+        },
+        // Missing input validation
+        {
+            pattern: /req\.body\./g,
+            severity: "medium",
+            category: "input-validation",
+            cwe: "CWE-20",
+        },
+        {
+            pattern: /req\.query\./g,
+            severity: "medium",
+            category: "input-validation",
+            cwe: "CWE-20",
+        },
+        // Insecure deserialization
+        {
+            pattern: /JSON\.parse\s*\([^)]*req\./g,
+            severity: "medium",
+            category: "deserialization",
+            cwe: "CWE-502",
+        },
+        // Race conditions
+        {
+            pattern: /setTimeout.*0/g,
+            severity: "low",
+            category: "race-conditions",
+            cwe: "CWE-362",
+        },
+        // Information disclosure in errors
+        {
+            pattern: /throw\s+new\s+Error\s*\([^)]*stack[^)]*\)/gi,
+            severity: "low",
+            category: "information-disclosure",
+            cwe: "CWE-209",
+        },
+    ];
+    dangerousImports = [
+        "child_process",
+        "fs",
+        "net",
+        "http",
+        "https",
+        "crypto",
+        "tls",
+        "cluster",
+        "worker_threads",
+        "vm",
+    ];
+    /**
+     * Run comprehensive security audit
+     */
+    async auditProject(projectPath = ".") {
+        const jobId = `security-audit-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
+        const issues = [];
+        const files = this.getAllFiles(projectPath);
+        frameworkLogger.log("security-auditor", "scan-start", "info", {
+            jobId,
+            filesCount: files.length,
+            projectPath,
+        });
+        for (const file of files) {
+            if (this.shouldAuditFile(file)) {
+                const fileIssues = await this.auditFile(file);
+                issues.push(...fileIssues);
+            }
+        }
+        // Additional checks
+        issues.push(...this.auditPackageJson(projectPath));
+        issues.push(...this.auditConfiguration(projectPath));
+        issues.push(...this.auditDependencies(projectPath));
+        const summary = this.generateSummary(issues);
+        const score = this.calculateSecurityScore(issues, files.length);
+        return {
+            totalFiles: files.length,
+            issues,
+            summary,
+            score,
+        };
+    }
+    getAllFiles(dirPath) {
+        const files = [];
+        const traverse = (currentPath) => {
+            const items = readdirSync(currentPath);
+            for (const item of items) {
+                const fullPath = join(currentPath, item);
+                const stat = statSync(fullPath);
+                if (stat.isDirectory() && !this.shouldSkipDirectory(item)) {
+                    traverse(fullPath);
+                }
+                else if (stat.isFile()) {
+                    files.push(fullPath);
+                }
+            }
+        };
+        traverse(dirPath);
+        return files;
+    }
+    shouldSkipDirectory(dirName) {
+        const skipDirs = [
+            "node_modules",
+            ".git",
+            "dist",
+            "build",
+            ".next",
+            ".nuxt",
+            "coverage",
+        ];
+        return skipDirs.includes(dirName);
+    }
+    shouldAuditFile(filePath) {
+        const auditExtensions = [".ts", ".tsx", ".js", ".jsx", ".json", ".md"];
+        const excludePatterns = [/__tests__/, /test\.ts$/, /spec\.ts$/];
+        // Check if file should be excluded from security audit
+        if (excludePatterns.some((pattern) => pattern.test(filePath))) {
+            return false;
+        }
+        return auditExtensions.some((ext) => filePath.endsWith(ext));
+    }
+    async auditFile(filePath) {
+        const issues = [];
+        try {
+            const content = readFileSync(filePath, "utf-8");
+            const lines = content.split("\n");
+            // Pattern-based security checks
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                const lineNumber = i + 1;
+                for (const { pattern, severity, category, cwe } of this
+                    .dangerousPatterns) {
+                    const matches = line?.match(pattern);
+                    if (matches && line) {
+                        // Skip false positives in security validation and test code
+                        if (this.isFalsePositive(filePath, line, category)) {
+                            continue;
+                        }
+                        issues.push({
+                            severity,
+                            category,
+                            file: filePath,
+                            line: lineNumber,
+                            description: `Potentially dangerous pattern detected: ${pattern}`,
+                            recommendation: this.getRecommendationForCategory(category),
+                            cwe,
+                        });
+                    }
+                }
+            }
+            // Import security checks
+            if (filePath.endsWith(".ts") || filePath.endsWith(".js")) {
+                issues.push(...this.auditImports(content, filePath));
+            }
+            // File permission checks
+            issues.push(...this.auditFilePermissions(filePath));
+        }
+        catch (error) {
+            issues.push({
+                severity: "medium",
+                category: "file-access",
+                file: filePath,
+                description: `Failed to audit file: ${error}`,
+                recommendation: "Ensure file is readable and not corrupted",
+            });
+        }
+        return issues;
+    }
+    isFalsePositive(filePath, line, category) {
+        if (!line)
+            return false;
+        const safeLine = line;
+        // Security validation code that legitimately uses dangerous patterns for detection
+        if (filePath.includes("security-auditor.ts") &&
+            category === "code-injection") {
+            return true;
+        }
+        // Test code that uses eval in string literals for testing purposes
+        if (filePath.includes("__tests__") &&
+            category === "code-injection" &&
+            safeLine.includes("eval(")) {
+            return (safeLine.includes("'eval('") ||
+                safeLine.includes('"eval(') ||
+                safeLine.includes("`eval("));
+        }
+        // Security validation modules that check for dangerous patterns
+        if (filePath.includes("codex-parser.ts") && category === "code-injection") {
+            return (safeLine.includes("content.includes('eval(')") ||
+                safeLine.includes("content.includes('Function(')"));
+        }
+        return false;
+    }
+    auditImports(content, filePath) {
+        const issues = [];
+        for (const dangerousImport of this.dangerousImports) {
+            const importPatterns = [
+                new RegExp(`import.*from.*['"]${dangerousImport}['"]`, "g"),
+                new RegExp(`require\\s*\\(\\s*['"]${dangerousImport}['"]\\s*\\)`, "g"),
+                new RegExp(`import.*${dangerousImport}`, "g"),
+            ];
+            for (const pattern of importPatterns) {
+                if (pattern.test(content)) {
+                    issues.push({
+                        severity: "medium",
+                        category: "dangerous-imports",
+                        file: filePath,
+                        description: `Potentially dangerous import detected: ${dangerousImport}`,
+                        recommendation: "Review usage and ensure proper sandboxing/validation",
+                        cwe: "CWE-350",
+                    });
+                    break; // Only report once per import per file
+                }
+            }
+        }
+        return issues;
+    }
+    auditFilePermissions(filePath) {
+        const issues = [];
+        try {
+            const stat = statSync(filePath);
+            const mode = stat.mode;
+            // Check for world-writable files
+            if (mode & parseInt("2", 8)) {
+                issues.push({
+                    severity: "high",
+                    category: "file-permissions",
+                    file: filePath,
+                    description: "File is world-writable",
+                    recommendation: "Restrict file permissions to prevent unauthorized modification",
+                    cwe: "CWE-732",
+                });
+            }
+            // Check for executable scripts in sensitive directories
+            if (mode & parseInt("111", 8) && filePath.includes("config")) {
+                issues.push({
+                    severity: "medium",
+                    category: "file-permissions",
+                    file: filePath,
+                    description: "Executable file in configuration directory",
+                    recommendation: "Review if this file needs execute permissions",
+                    cwe: "CWE-732",
+                });
+            }
+        }
+        catch (error) {
+            // File permission check failed
+        }
+        return issues;
+    }
+    auditPackageJson(projectPath) {
+        const issues = [];
+        try {
+            const packagePath = join(projectPath, "package.json");
+            const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
+            // Check for vulnerable dependencies
+            const allDeps = {
+                ...packageJson.dependencies,
+                ...packageJson.devDependencies,
+            };
+            for (const [dep, version] of Object.entries(allDeps)) {
+                if (typeof version === "string" &&
+                    (version.includes("*") || version.includes("latest"))) {
+                    issues.push({
+                        severity: "medium",
+                        category: "dependency-management",
+                        file: packagePath,
+                        description: `Insecure version constraint for ${dep}: ${version}`,
+                        recommendation: "Use specific version ranges to avoid vulnerable versions",
+                        cwe: "CWE-1104",
+                    });
+                }
+            }
+            // Check for missing security scripts
+            const scripts = packageJson.scripts || {};
+            if (!scripts["audit"] || !scripts["security-audit"]) {
+                issues.push({
+                    severity: "low",
+                    category: "security-practices",
+                    file: packagePath,
+                    description: "Missing security audit scripts",
+                    recommendation: "Add npm audit and security audit scripts to package.json",
+                });
+            }
+        }
+        catch (error) {
+            issues.push({
+                severity: "medium",
+                category: "configuration",
+                file: join(projectPath, "package.json"),
+                description: "Failed to audit package.json",
+                recommendation: "Ensure package.json is valid and accessible",
+            });
+        }
+        return issues;
+    }
+    auditConfiguration(projectPath) {
+        const issues = [];
+        const configFiles = ["opencode.json", "config.json", ".env"];
+        for (const configFile of configFiles) {
+            const configPath = join(projectPath, configFile);
+            try {
+                const content = readFileSync(configPath, "utf-8");
+                // Check for hardcoded secrets
+                const secretPatterns = [
+                    /password\s*[:=]\s*['"][^'"]*['"]/gi,
+                    /api[_-]?key\s*[:=]\s*['"][^'"]*['"]/gi,
+                    /secret\s*[:=]\s*['"][^'"]*['"]/gi,
+                    /token\s*[:=]\s*['"][^'"]*['"]/gi,
+                ];
+                for (const pattern of secretPatterns) {
+                    if (pattern.test(content)) {
+                        issues.push({
+                            severity: "high",
+                            category: "hardcoded-secrets",
+                            file: configPath,
+                            description: "Potential hardcoded secrets detected in configuration",
+                            recommendation: "Move secrets to environment variables or secure vault",
+                            cwe: "CWE-798",
+                        });
+                        break;
+                    }
+                }
+            }
+            catch (error) {
+                // Config file doesn't exist or can't be read
+            }
+        }
+        return issues;
+    }
+    auditDependencies(projectPath) {
+        const issues = [];
+        try {
+            const packageLockPath = join(projectPath, "package-lock.json");
+            const yarnLockPath = join(projectPath, "yarn.lock");
+            if (!statSync(packageLockPath).isFile() &&
+                !statSync(yarnLockPath).isFile()) {
+                issues.push({
+                    severity: "medium",
+                    category: "dependency-management",
+                    file: join(projectPath, "package.json"),
+                    description: "Missing lockfile (package-lock.json or yarn.lock)",
+                    recommendation: "Use lockfiles to ensure reproducible and secure dependency versions",
+                    cwe: "CWE-1104",
+                });
+            }
+        }
+        catch (error) {
+            // Lockfile check failed
+        }
+        return issues;
+    }
+    getRecommendationForCategory(category) {
+        const recommendations = {
+            "code-injection": "Use static code analysis and avoid dynamic code execution",
+            "command-injection": "Validate and sanitize all user inputs, use parameterized commands",
+            "sql-injection": "Use parameterized queries or ORM with built-in protection",
+            "path-traversal": "Validate paths, use allowlists, resolve to absolute paths",
+            "hardcoded-secrets": "Use environment variables or secure credential management",
+            "weak-cryptography": "Use cryptographically secure random number generators",
+            "information-disclosure": "Avoid logging sensitive information, use proper log levels",
+            "input-validation": "Implement comprehensive input validation and sanitization",
+            deserialization: "Validate serialized data, use safe deserialization libraries",
+            "race-conditions": "Use proper synchronization primitives",
+            "dangerous-imports": "Review usage and implement proper access controls",
+            "file-permissions": "Restrict file permissions to minimum required access",
+        };
+        return (recommendations[category] ||
+            "Review and implement appropriate security measures");
+    }
+    generateSummary(issues) {
+        const summary = {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            info: 0,
+        };
+        for (const issue of issues) {
+            summary[issue.severity]++;
+        }
+        return summary;
+    }
+    calculateSecurityScore(issues, totalFiles) {
+        let score = 100;
+        // Weight issues by severity
+        const weights = {
+            critical: 20,
+            high: 10,
+            medium: 5,
+            low: 2,
+            info: 1,
+        };
+        for (const issue of issues) {
+            score -= weights[issue.severity];
+        }
+        // Bonus for having many files (indicates thorough codebase)
+        if (totalFiles > 50) {
+            score += 5;
+        }
+        return Math.max(0, Math.min(100, score));
+    }
+    /**
+     * Generate security audit report
+     */
+    generateReport(result) {
+        let report = `# 🔒 0xRay Framework Security Audit Report
+
+**Audit Date:** ${new Date().toISOString()}
+**Framework Version:** v1.3.4
+**Files Scanned:** ${result.totalFiles}
+**Security Score:** ${result.score}/100
+
+## 📊 Summary
+
+- **Critical Issues:** ${result.summary.critical}
+- **High Severity:** ${result.summary.high}
+- **Medium Severity:** ${result.summary.medium}
+- **Low Severity:** ${result.summary.low}
+- **Informational:** ${result.summary.info}
+
+## 🚨 Issues Found
+
+`;
+        if (result.issues.length === 0) {
+            report += "✅ No security issues found!\n\n";
+        }
+        else {
+            // Group issues by severity
+            const groupedIssues = result.issues.reduce((groups, issue) => {
+                if (!groups[issue.severity])
+                    groups[issue.severity] = [];
+                groups[issue.severity].push(issue);
+                return groups;
+            }, {});
+            for (const [severity, issues] of Object.entries(groupedIssues)) {
+                report += `### ${severity.toUpperCase()} SEVERITY (${issues.length})\n\n`;
+                for (const issue of issues) {
+                    report += `**${issue.category.toUpperCase()}** in \`${issue.file}\`${issue.line ? `:${issue.line}` : ""}\n`;
+                    report += `${issue.description}\n`;
+                    report += `💡 ${issue.recommendation}\n`;
+                    if (issue.cwe) {
+                        report += `🔗 CWE: ${issue.cwe}\n`;
+                    }
+                    report += "\n";
+                }
+            }
+        }
+        report += `## 🛡️ Security Recommendations
+
+1. **Address all Critical and High severity issues immediately**
+2. **Implement automated security scanning in CI/CD pipeline**
+3. **Regular security audits and dependency updates**
+4. **Use security headers and secure coding practices**
+5. **Monitor for new vulnerabilities in dependencies**
+
+## 📈 Score Interpretation
+
+- **90-100:** Excellent security posture
+- **80-89:** Good security with minor issues
+- **70-79:** Adequate security, address high-priority issues
+- **60-69:** Security concerns present, immediate action required
+- **<60:** Critical security issues, immediate remediation needed
+
+---
+*Generated by 0xRay v1.2.0*
+`;
+        return report;
+    }
+}
+// Export singleton instance
+export const securityAuditor = new SecurityAuditor();