@activemind/scd 1.4.0

package/rules/rules-infra-leakage.json

@@ -0,0 +1,434 @@
+{
+  "schema_version": 1,
+  "rules": [
+    {
+      "id": "INFRA-001",
+      "name": "Hardcoded localhost URL in frontend code",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?://localhost(?::\\d{2,5})?(?:/[^\\s\"'`]*)?",
+      "flags": "gi",
+      "extensions": ["js", "ts", "jsx", "tsx", "mjs", "cjs", "vue", "svelte", "html"],
+      "antipatterns": [
+        "===\\s*['\"]localhost",
+        "!==\\s*['\"]localhost",
+        "\\.includes\\s*\\(\\s*['\"]localhost",
+        "in\\s*\\([^)]*['\"]localhost",
+        "hostname\\s*(?:===|==|!==|!=)\\s*['\"]localhost",
+        "_BLOCKED|_BLOCKLIST|BLOCKED_HOST|block.*localhost|localhost.*block"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A hardcoded localhost URL was found in browser-delivered frontend code. In production, localhost always resolves to the end user's own machine — this URL will always fail for real users and reveals that development configuration leaked into production code.",
+      "scenario": "A React component, Vue file, or client-side JS module contains a hardcoded http://localhost:3000/api URL. In production, every API call fails silently or with a network error because localhost resolves to the user's own machine.",
+      "fix": "Replace the hardcoded URL with an environment variable: process.env.REACT_APP_API_URL or import.meta.env.VITE_API_URL. Configure the value per environment in .env files locally and CI/CD secrets in production."
+    },
+    {
+      "id": "INFRA-001B",
+      "name": "Localhost reference in committed config file",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "localhost",
+      "flags": "gi",
+      "extensions": ["ini", "conf", "cfg", "env", "properties", "toml"],
+      "antipatterns": [
+        "expected.*localhost",
+        "#.*localhost",
+        "(?<![a-z:/])//.*localhost",
+        "Must be set if and only if",
+        "description.*localhost",
+        "comment.*localhost",
+        "localhost.*comment"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A localhost reference was found in a committed configuration file. This is typically a development default that should be replaced with environment-specific configuration before deployment. Committed dev config can expose internal service topology and cause silent failures in non-local environments.",
+      "scenario": "A docker-compose.yml or alembic.ini committed to the repository contains APP_URL=http://localhost:8000. When another developer or CI pipeline uses this file, services fail to connect because localhost refers to their own machine, not the intended service.",
+      "fix": "Use environment variables or separate config files per environment (.env.local, .env.production). Never commit files with hardcoded localhost as a service endpoint. Use docker-compose.override.yml for local-only settings."
+    },
+    {
+      "id": "INFRA-001C",
+      "name": "Localhost reference in JSON data file",
+      "severity": "LOW",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?://localhost(?::\\d{2,5})?",
+      "flags": "gi",
+      "extensions": ["json"],
+      "antipatterns": [
+        "i18n",
+        "translation",
+        "expected_failure",
+        "(?<![a-z:/])//.*localhost"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A localhost reference was found in a JSON file. This may be a hardcoded development URL in API configuration, i18n strings, or data fixtures that could cause failures in non-local environments.",
+      "scenario": "A JSON configuration file or translation file contains a hardcoded localhost URL that was copied from a development environment and never replaced.",
+      "fix": "Replace hardcoded localhost references with environment-aware configuration or placeholder values. Ensure JSON config files use environment variable substitution where supported."
+    },
+    {
+      "id": "INFRA-002",
+      "name": "Hardcoded 127.0.0.1 URL in frontend code",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:https?://)?127\\.0\\.0\\.1(?::\\d{2,5})?(?:/[^\\s\"'`]*)?",
+      "flags": "gi",
+      "extensions": ["js", "ts", "jsx", "tsx", "mjs", "cjs", "vue", "svelte", "html"],
+      "antipatterns": [
+        "===\\s*['\"]127\\.0\\.0\\.1",
+        "!==\\s*['\"]127\\.0\\.0\\.1",
+        "\\.includes\\s*\\(\\s*['\"]127\\.0\\.0\\.1",
+        "_BLOCKED|_BLOCKLIST|BLOCKED_HOST|block.*127|127.*block",
+        "expected.*127\\.0\\.0\\.1"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A hardcoded 127.0.0.1 URL was found in browser-delivered frontend code. In production, 127.0.0.1 always resolves to the end user's own machine — this URL will always fail for real users and reveals that development configuration leaked into production code.",
+      "scenario": "A React component contains a hardcoded fetch('http://127.0.0.1:7398/api/data'). In production every API call fails because 127.0.0.1 resolves to the user's own machine, not the server.",
+      "fix": "Replace the hardcoded URL with an environment variable: process.env.REACT_APP_API_URL or import.meta.env.VITE_API_URL. Configure the value per environment in .env files locally and CI/CD secrets in production."
+    },
+    {
+      "id": "INFRA-002B",
+      "name": "127.0.0.1 reference in committed config file",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "127\\.0\\.0\\.1",
+      "flags": "gi",
+      "extensions": ["ini", "conf", "cfg", "env", "properties", "toml", "php"],
+      "antipatterns": [
+        "env\\s*\\(",
+        "getenv\\s*\\(",
+        "os\\.environ",
+        "process\\.env",
+        "curl\\s+.*127\\.0\\.0\\.1",
+        "wget\\s+.*127\\.0\\.0\\.1",
+        "ping\\s+.*127\\.0\\.0\\.1",
+        "(?<![a-z:/])//.*127\\.0\\.0\\.1",
+        "#.*127\\.0\\.0\\.1",
+        "expected.*127\\.0\\.0\\.1",
+        "_BLOCKED|_BLOCKLIST|BLOCKED_HOST"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A 127.0.0.1 reference was found in a committed configuration file. This is typically a development default that should be replaced with environment-specific configuration before deployment.",
+      "scenario": "A Laravel config/database.php committed to the repository contains 'host' => env('DB_HOST', '127.0.0.1'). Other developers or CI pipelines that don't set DB_HOST will silently connect to their own machine instead of the intended database server.",
+      "fix": "Ensure all host references use environment variables without hardcoded fallbacks for production-sensitive values. Use separate config files per environment and never commit 127.0.0.1 as a service host in shared config."
+    },
+    {
+      "id": "INFRA-002C",
+      "name": "127.0.0.1 reference in JSON data file",
+      "severity": "LOW",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?://127\\.0\\.0\\.1(?::\\d{2,5})?",
+      "flags": "gi",
+      "extensions": ["json"],
+      "antipatterns": [
+        "expected.*127\\.0\\.0\\.1",
+        "(?<![a-z:/])//.*127\\.0\\.0\\.1"
+      ],
+      "antipattern_flags": "i",
+      "skip_for_file_types": ["test", "fixture"],
+      "why": "A 127.0.0.1 reference was found in a JSON file. This may be a hardcoded development address in API configuration or data fixtures that could cause failures in non-local environments.",
+      "scenario": "A JSON configuration file contains a hardcoded 127.0.0.1 address that was copied from a development environment and never replaced with a proper hostname or environment variable.",
+      "fix": "Replace hardcoded 127.0.0.1 references with environment-aware configuration or placeholder values."
+    },
+    {
+      "id": "INFRA-003",
+      "name": "IPv6 loopback address (::1)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:=\\s*[\"'`]|[\"'`])[^\\n]{0,30}::1(?::\\d{2,5})?[\"'`]",
+      "flags": "gim",
+      "antipattern": "(?:e\\.g\\.|i\\.e\\.|must include|not just|example|documentation|note:|see also|_has_ipv6|is_loopback|is_reserved|==|!=)",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "The IPv6 loopback address ::1 reveals that the system runs IPv6 internally — useful intelligence for an attacker mapping your infrastructure.",
+      "scenario": "An nginx config committed to a public repo contains `listen [::1]:8080`. This tells an attacker both the port and that IPv6 is active internally.",
+      "fix": "Move host/port bindings to environment configuration. Never commit network binding details to source control."
+    },
+    {
+      "id": "INFRA-010",
+      "name": "Hardcoded 10.x.x.x private network address",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "[\"'`\\s(=:/,]10\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})(?::\\d{2,5})?(?:[\"'`\\s)/,]|$)",
+      "flags": "gim",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "RFC 1918 addresses (10.0.0.0/8) are private internal network addresses. Their presence in source code reveals your internal network topology — subnet layout, server locations, and service architecture — to anyone who can read the code.",
+      "scenario": "A deployment script contains `DB_HOST=10.0.1.45`. An attacker who gains any level of access (even read-only to the repo) now knows an internal database server IP. Combined with other findings, this helps plan lateral movement.",
+      "fix": "Never hardcode private IP addresses. Use DNS names with environment-specific resolution, or environment variables. Internal service discovery (Consul, Kubernetes DNS) should handle routing."
+    },
+    {
+      "id": "INFRA-011",
+      "name": "Hardcoded 172.16–31.x.x private network address",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "[\"'`\\s(=:/,]172\\.(?:1[6-9]|2\\d|3[01])\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})(?::\\d{2,5})?(?:[\"'`\\s)/,]|$)",
+      "flags": "gim",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "The 172.16.0.0/12 range is a private address block commonly used for Docker networks, VPNs, and internal subnets. Exposure reveals network segmentation details.",
+      "scenario": "A Docker Compose file references `172.20.0.5` as a service IP. This reveals your Docker subnet configuration and makes container network enumeration easier if an attacker gains a foothold.",
+      "fix": "Use Docker service names or Kubernetes service DNS names instead of static IPs. Let orchestration handle IP assignment."
+    },
+    {
+      "id": "INFRA-012",
+      "name": "Hardcoded 192.168.x.x private network address",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:[=:\\s(]\\s*[\"'`]|https?:\\/\\/|[\"'`]\\s*[+]\\s*|\\$\\{)192\\.168\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})\\.(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})(?::\\d{2,5})?(?:[\"'`\\s)/,]|$)",
+      "flags": "gim",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern": "(?:==\\s*['\"`]|!=\\s*['\"`]|\\.startswith\\s*\\(|netloc\\s*==|\\.host\\s*==|is_loopback|is_private|is_reserved|_has_ipv6|check.*local|local.*check|returns\\s+(?:True|False)\\s+if|e\\.g\\.|i\\.e\\.|for\\s+example|#.*if\\s+ip\\s*=|#.*ip\\s*=|log\\.(?:debug|info|warning|error|critical)\\s*\\()",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "192.168.x.x is the most common private address range for office and home networks. References in code often come from local development and signal that proper environment abstraction is missing.",
+      "scenario": "A PHP config file has `$db_host = \"192.168.1.10\"` — likely a developer's local machine IP. If deployed, the application fails in production and exposes local network details to anyone reading the code.",
+      "fix": "Use environment variables or service discovery. If this is truly a local-only value, ensure it is in .env (which must be gitignored) rather than in committed config files."
+    },
+    {
+      "id": "INFRA-020",
+      "name": "Internal hostname pattern in URL (dev/staging/internal subdomain)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?:\\/\\/(?:dev|staging|stage|test|uat|qa|preprod|internal|intranet|corp|local|private|admin|backend|api-internal|int)\\.(?!(?:w3|mozilla|ietf|whatwg|github|google|microsoft|apple|amazon|cloudflare|fastly|example|jquery|npmjs|nodejs)\\b)",
+      "flags": "gi",
+      "antipattern": "(?:w3\\.org|mozilla\\.org|ietf\\.org|whatwg\\.org|example\\.com|jquery\\.com|draft\\.csswg|spec\\.)",
+      "antipattern_flags": "i",
+      "lookahead": 80,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "confidence_rules": [
+        { "if_file_context": ["test", "backend"], "then": "LOW"    },
+        { "if_file_context": "frontend",           "then": "HIGH"  },
+        { "if_file_context": "doc",                "then": "MEDIUM"},
+        { "default": "MEDIUM" }
+      ],
+      "why": "Internal subdomain names in source code reveal your environment structure, naming conventions, and potentially accessible internal services. This is valuable OSINT for an attacker.",
+      "scenario": "A frontend config has `API_BASE: \"https://api-internal.company.com\"`. An attacker now knows an internal API endpoint exists, its naming convention, and can probe it for access controls.",
+      "fix": "Use environment variables for all base URLs. The running environment should inject the correct URL — source code should never know whether it is dev, staging, or production."
+    },
+    {
+      "id": "INFRA-021",
+      "name": "Non-public TLD in hardcoded URL (.local, .internal, .corp, .lan)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?:\\/\\/[a-z0-9.-]+\\.(?:local|internal|corp|intranet|lan|priv|home|localdomain)(?=[:/\\s\"'`]|$)(?::\\d{2,5})?(?:\\/[^\\s\"'`]*)?",
+      "flags": "gi",
+      "antipattern_preset": "LINK_EXAMPLE",
+      "antipattern_flags": "i",
+      "lookahead": 80,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "confidence_rules": [
+        { "if_file_context": ["test", "backend"], "then": "LOW"    },
+        { "if_file_context": "frontend",           "then": "HIGH"  },
+        { "if_file_context": "doc",                "then": "MEDIUM"},
+        { "default": "MEDIUM" }
+      ],
+      "why": "Non-public TLDs (.local, .internal, .corp) are exclusively used for internal DNS resolution. Their presence in code reveals internal naming conventions and network architecture.",
+      "scenario": "A Kubernetes manifest references `http://redis.internal:6379`. This exposes the internal DNS name and port of your Redis service to anyone reading the manifest in a public repo.",
+      "fix": "Replace internal DNS names with Kubernetes service names (e.g. `redis:6379`) or inject via environment variables. Avoid committing any .internal / .local / .corp hostnames."
+    },
+    {
+      "id": "INFRA-022",
+      "name": "Possible internal server hostname (short hostname without TLD)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:mongodb|postgres|mysql|redis|amqp|http|https):\\/\\/[a-z][a-z0-9-]{2,20}(?::\\d{2,5})?\\/(?![\\/])",
+      "flags": "gi",
+      "antipattern": "(?:localhost|127\\.0\\.0|example|sample|placeholder|e\\.g\\.|i\\.e\\.|for\\s+example)",
+      "antipattern_flags": "i",
+      "lookahead": 100,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Bare hostnames in connection strings or URLs (without a domain) indicate internal server names used within a private network. These names reveal infrastructure naming conventions.",
+      "scenario": "A Node.js app config has `MONGO_URI: \"mongodb://mongo01/mydb\"`. The hostname \"mongo01\" reveals that MongoDB servers follow a numbered naming convention, helping an attacker enumerate infrastructure.",
+      "fix": "Use environment variables for all connection strings. Never commit internal server names to source control."
+    },
+    {
+      "id": "INFRA-030",
+      "name": "Database port hardcoded in connection string (PostgreSQL 5432)",
+      "severity": "HIGH",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:postgres(?:ql)?|jdbc:postgresql):\\/\\/[^\"'\\s]{3,}:5432",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 200,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "A hardcoded PostgreSQL connection string exposes both the server address and confirms PostgreSQL is used. Combined with other findings, this provides enough information to target the database directly.",
+      "scenario": "A connection string `postgresql://10.0.1.45:5432/production_db` is found in a config file. An attacker now has the server IP, port, database type, and database name — everything needed for a targeted attack.",
+      "fix": "Store the entire connection string in an environment variable: `DATABASE_URL=os.environ[\"DATABASE_URL\"]`. Never hardcode any part of a production connection string."
+    },
+    {
+      "id": "INFRA-031",
+      "name": "Database port hardcoded in connection string (MySQL/MariaDB 3306)",
+      "severity": "HIGH",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:mysql|mariadb|jdbc:mysql):\\/\\/[^\"'\\s]{3,}:3306",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 200,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "MySQL/MariaDB connection strings with hardcoded hosts and ports reveal database infrastructure. Port 3306 is the default and well-known; its presence confirms the database type.",
+      "scenario": "CI/CD pipeline config contains `mysql://admin:pass@192.168.1.20:3306/app`. This exposes credentials, internal IP, and confirms MySQL — a complete attack package.",
+      "fix": "Use environment variables for all database connection details. Treat any committed connection string as fully compromised."
+    },
+    {
+      "id": "INFRA-032",
+      "name": "Redis port hardcoded in connection string (6379)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:redis(?:s)?):\\/\\/[^\"'\\s]{3,}:6379",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Redis on its default port is a common target for attacks when exposed. Hardcoded Redis connection strings reveal server location and confirm caching/session infrastructure.",
+      "scenario": "A session config has `REDIS_URL = \"redis://10.0.2.10:6379\"`. An attacker who gains network access now has a direct target for session hijacking attacks.",
+      "fix": "Store Redis connection details in environment variables. Ensure Redis requires authentication (`requirepass`) and is not exposed outside the internal network."
+    },
+    {
+      "id": "INFRA-033",
+      "name": "MongoDB port hardcoded in connection string (27017)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "mongodb(?:\\+srv)?:\\/\\/[^\"'\\s]{3,}:27017",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "MongoDB on port 27017 has historically been a target for mass scanning attacks due to open instances. Revealing the host and port in source code increases targeted attack risk.",
+      "scenario": "An app config has `MONGO_URI = \"mongodb://mongo.internal:27017/users\"`. This reveals both the internal hostname and that MongoDB stores user data — a high-value target.",
+      "fix": "Use environment variable `MONGODB_URI`. Ensure MongoDB requires authentication and bind to non-public interfaces only."
+    },
+    {
+      "id": "INFRA-034",
+      "name": "Elasticsearch port hardcoded (9200/9300)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?:\\/\\/[^\"'\\s]{3,}:(?:9200|9300)(?:[\\/\"'\\s]|$)",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Elasticsearch is frequently misconfigured with no authentication. Exposing the host and port in source code makes it trivially easy to attempt direct data access.",
+      "scenario": "A search service config has `ES_HOST = \"http://10.0.3.15:9200\"`. An attacker with network access can directly query Elasticsearch for indexed data.",
+      "fix": "Use environment variables. Enable Elasticsearch X-Pack security and authentication. Bind to non-public interfaces."
+    },
+    {
+      "id": "INFRA-035",
+      "name": "RabbitMQ/AMQP port hardcoded (5672/15672)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "amqps?:\\/\\/[^\"'\\s]{3,}:(?:5672|15672)",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Message queue servers are critical infrastructure. Exposing AMQP connection details reveals queue topology and provides a target for message injection or eavesdropping attacks.",
+      "scenario": "A worker service config has `AMQP_URL = \"amqp://user:pass@10.0.4.20:5672\"`. An attacker can now inject malicious messages into the queue, potentially triggering unintended actions.",
+      "fix": "Store AMQP connection strings in environment variables. Use TLS (amqps://) and rotate credentials if exposed."
+    },
+    {
+      "id": "INFRA-036",
+      "name": "Internal admin/management port hardcoded (8080, 8443, 9090, 9443)",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?:\\/\\/(?:localhost|127\\.0\\.0\\.1|10\\.|172\\.(?:1[6-9]|2\\d|3[01])\\.|192\\.168\\.)[^\"'\\s]*:(?:8080|8443|9090|9443|4848|8161|8888)(?:[\\/\"'\\s]|$)",
+      "flags": "gi",
+      "antipattern": "(?:example|sample|placeholder|TODO|FIXME|NOTE|demo|mock|fake|dummy|test|spec|localhost_only|dev.only|development.only|log\\.(?:debug|info|warning|error|critical)\\s*\\(|e\\.g\\.|i\\.e\\.)",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Management and admin ports (8080, 8443, 9090 etc.) are often less protected than primary application ports. Their exposure in source code, combined with an internal IP, reveals management interfaces.",
+      "scenario": "A monitoring config contains `http://10.0.1.5:9090/metrics`. This reveals a Prometheus endpoint on an internal server — useful for mapping the monitoring infrastructure.",
+      "fix": "Move all admin/management URLs to environment variables. Restrict management interfaces to specific network segments."
+    },
+    {
+      "id": "INFRA-040",
+      "name": "Internal IP address in code comment",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?<!:)(?:\\/\\/|#|<!--|\\\/\\*)(?!.*https?:\\/\\/)[^\\n]*(?:10\\.(?:\\d{1,3}\\.){2}\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.(?:\\d{1,3}\\.)\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|127\\.0\\.0\\.1)",
+      "flags": "gim",
+      "antipattern": "(?:example|sample|placeholder|demo|mock|fake|dummy|returns\\s+(?:True|False)|e\\.g\\.|i\\.e\\.|for\\s+example|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
+      "antipattern_flags": "i",
+      "lookahead": 200,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Comments containing internal IP addresses are often left-over notes from development. They are never sanitised by minifiers or build processes and persist in git history forever.",
+      "scenario": "A JavaScript file has `// TODO: update endpoint – currently points to 10.0.1.45:3000 on prod`. This comment is in the production bundle, visible to anyone who opens DevTools.",
+      "fix": "Remove all infrastructure references from comments before committing. Use ticket references (e.g. \"// See INFRA-1234\") instead of IP addresses or server names."
+    },
+    {
+      "id": "INFRA-041",
+      "name": "Internal hostname or server name in code comment",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:\\/\\/|#|<!--|\\\/\\*)[^\\n]*https?:\\/\\/(?:dev|staging|internal|intranet|corp|local|admin|backend)\\.[a-z0-9.-]+",
+      "flags": "gim",
+      "antipattern": "(?:w3\\.org|mozilla\\.org|ietf\\.org|whatwg\\.org|csswg|draft\\.|spec\\.|rfc\\d|standards\\.)",
+      "antipattern_flags": "i",
+      "lookahead": 500,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Internal URLs in comments reveal the same information as hardcoded strings, but are often overlooked because they are 'just comments'. They survive minification, transpilation, and stay in git history.",
+      "scenario": "A comment says `// old API was at http://internal.company.com/api/v1`. The internal API hostname is now visible to anyone reading the committed file.",
+      "fix": "Treat comments the same as code for sensitive information. Remove server names, internal URLs, and IP addresses from all comments."
+    },
+    {
+      "id": "INFRA-042",
+      "name": "Port number with server context in comment",
+      "severity": "EXPOSURE",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:\\/\\/|#|<!--|\\\/\\*)[^\\n]{0,200}(?:port\\s+\\d{4,5}|(?:running on|listens on|connects to|forwarded to)[^\\n]{0,80}:\\d{4,5})",
+      "flags": "gim",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 150,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "Comments describing service ports and connections are developer notes that expose network architecture. They are typically accurate because developers write them as reminders.",
+      "scenario": "`// proxy forwards to backend running on port 8080` — this comment tells an attacker exactly what to look for when they gain access to the network.",
+      "fix": "Remove connection and port descriptions from comments. Architecture documentation belongs in internal wikis, not in code comments."
+    },
+    {
+      "id": "INFRA-050",
+      "name": "Database connection string with internal IP address",
+      "severity": "HIGH",
+      "category": "Infrastructure Leakage",
+      "pattern": "(?:jdbc:|mongodb(?:\\+srv)?:|postgresql:|mysql:|redis:|amqp:)\\/\\/[^\"'\\s]*(?:10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})[^\"'\\s]*",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 250,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "A complete connection string with an internal IP address reveals: the database type, exact server location, port, and potentially database name — the complete information needed to attempt a direct attack if any network access is obtained.",
+      "scenario": "A JDBC connection string `jdbc:postgresql://10.0.1.20:5432/production` is found in a config file. An attacker who gains any internal network access can immediately target this server.",
+      "fix": "This is HIGH severity. Store the entire connection string as a single environment variable. Audit git history for this value and rotate all credentials. Consider this information compromised."
+    },
+    {
+      "id": "INFRA-051",
+      "name": "Generic URL with internal IP (non-database services)",
+      "severity": "HIGH",
+      "category": "Infrastructure Leakage",
+      "pattern": "https?:\\/\\/(?:10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})(?::\\d{2,5})?(?:\\/[^\\s\"'`]*)?",
+      "flags": "gi",
+      "antipattern_preset": "DEV_CONTEXT",
+      "antipattern_flags": "i",
+      "lookahead": 200,
+      "exclude_file_types": ["md", "txt", "yml", "yaml"],
+      "why": "A full URL with an internal IP address exposes not just the IP but also the path structure and API layout of internal services. This is immediately actionable intelligence for an attacker.",
+      "scenario": "A frontend config has `INTERNAL_API: \"http://10.0.2.30:8080/api/v2/admin\"`. This reveals the internal admin API location, its version, and that it runs on port 8080.",
+      "fix": "Replace with an environment variable. Audit all configurations for similar patterns. Treat the internal service location as potentially known to attackers."
+    }
+  ]
+}