@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/dart-flutter.js

@@ -0,0 +1,173 @@
+// Dart / Flutter security audit.
+//
+// Coverage:
+//   1. SharedPreferences used for token / secret storage
+//   2. rawQuery / rawRawUpdate with $-interpolated user input
+//   3. Uri.parse without tryParse + allow-list (deep link unsafe)
+//   4. WebView with JavaScriptMode.unrestricted and no navigationDelegate
+//   5. Cleartext HTTP URL in Dart source
+//   6. Hardcoded API key
+//   7. http.get / Dio without timeout (resource exhaustion + slow loris)
+//   8. print(token) / debugPrint(password) (PII leak)
+
+const _DART_RE = /\.dart$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+const _CRED_RE = [
+  { re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/, label: 'Anthropic API key' },
+  { re: /\bsk-[A-Za-z0-9]{32,}\b/, label: 'OpenAI-style key' },
+  { re: /\bghp_[A-Za-z0-9]{36}\b/, label: 'GitHub PAT' },
+  { re: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS access key' },
+];
+
+export function scanDartFlutter(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_DART_RE.test(file)) return [];
+  if (raw.length > 200_000) return [];
+
+  const findings = [];
+
+  // 1. SharedPreferences for secrets — the string literal contains a secret-name substring.
+  const spSecretRe = /\bSharedPreferences\b[\s\S]{0,500}?\.\s*(?:setString|setInt|setBool)\s*\(\s*['"][\w-]*(?:[tT]oken|[pP]assword|[Aa]pi[Kk]ey|api_key|jwt|bearer|secret|sessionKey)/g;
+  for (const m of raw.matchAll(spSecretRe)) {
+    findings.push({
+      id: `dart:sharedprefs-secret:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'SharedPreferences used to store a secret (token / password / key)',
+      severity: 'high',
+      family: 'dart-insecure-storage',
+      cwe: 'CWE-922',
+      confidence: 0.85,
+      description: 'SharedPreferences stores values plaintext on Android and in NSUserDefaults-equivalent on iOS — neither is encrypted at rest. Rooted Android devices and iOS backups extract the value trivially.',
+      remediation: 'Use flutter_secure_storage (Keychain on iOS, EncryptedSharedPreferences on Android): final storage = FlutterSecureStorage(); await storage.write(key: "token", value: token).',
+    });
+  }
+
+  // 2. rawQuery / rawUpdate with $-interpolation. Outer quote can be ' or ";
+  // inner content may include the opposite quote (for SQL string literals).
+  const sqlInjectRe = /\b(?:rawQuery|rawInsert|rawUpdate|rawDelete|execute)\s*\(\s*(?:"[^"]*\$\{?[A-Za-z_]|'[^']*\$\{?[A-Za-z_])/g;
+  for (const m of raw.matchAll(sqlInjectRe)) {
+    findings.push({
+      id: `dart:sql-injection:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'sqflite/drift raw query with interpolated user input — SQL injection',
+      severity: 'critical',
+      family: 'dart-sql-injection',
+      cwe: 'CWE-89',
+      confidence: 0.9,
+      description: 'String interpolation directly into the SQL string lets the attacker rewrite the query.',
+      remediation: 'Use parameterized queries: db.query("users", where: "email = ?", whereArgs: [userInput]).',
+    });
+  }
+
+  // 3. Uri.parse without tryParse + allow-list (heuristic: Uri.parse followed by direct navigation without scheme/host check)
+  for (const m of raw.matchAll(/\bUri\.parse\s*\([^)]+\)(?![\s\S]{0,200}?\.(?:scheme|host)\s*==)/g)) {
+    // skip if next 200 chars contain allow-list pattern
+    const after = raw.slice(m.index + m[0].length, m.index + m[0].length + 400);
+    if (/\b(?:allowedHosts|allowedPaths|allowedSchemes|\.host\s*==\s*['"][a-zA-Z]|\.scheme\s*==\s*['"][a-z])/.test(after)) continue;
+    if (/context\.(?:go|push|pushNamed|pushReplacement)|Navigator\.(?:push|of\([^)]*\)\.push)/.test(after)) {
+      findings.push({
+        id: `dart:uri-parse-deeplink:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Uri.parse() output passed to navigator without scheme/host allow-list',
+        severity: 'high',
+        family: 'dart-deeplink-unsafe',
+        cwe: 'CWE-20',
+        confidence: 0.65,
+        description: 'A deep link is parsed and navigated to without validating scheme or host. Attackers can craft links that route the app to internal-only screens or pivot through a WebView.',
+        remediation: 'Use Uri.tryParse(), then check uri.scheme == "https" && allowedHosts.contains(uri.host) && allowedPaths.contains(uri.path) before navigating.',
+      });
+    }
+  }
+
+  // 4. WebView with JavaScriptMode.unrestricted and no NavigationDelegate
+  if (/\bWebViewController\b/.test(raw) || /\bWebView\b/.test(raw)) {
+    if (/\bJavaScriptMode\.unrestricted\b/.test(raw) && !/\bNavigationDelegate\s*\(/.test(raw)) {
+      const m = /\bJavaScriptMode\.unrestricted\b/.exec(raw);
+      findings.push({
+        id: `dart:webview-js-no-delegate:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'WebView with JavaScriptMode.unrestricted and no NavigationDelegate',
+        severity: 'high',
+        family: 'dart-webview-unsafe',
+        cwe: 'CWE-829',
+        confidence: 0.7,
+        description: 'WebView with JS enabled and no NavigationDelegate accepts any URL. Combined with addJavaScriptChannel (or any JS-Dart bridge), this is a direct path to native code from attacker-controlled JS.',
+        remediation: 'Assign a NavigationDelegate with onNavigationRequest that returns NavigationDecision.prevent for any URL outside your allow-list.',
+      });
+    }
+  }
+
+  // 5. Cleartext HTTP URL literal
+  for (const m of raw.matchAll(/['"]http:\/\/(?!localhost|127\.0\.0\.1)[A-Za-z0-9.-]+/g)) {
+    findings.push({
+      id: `dart:cleartext-http:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Cleartext HTTP URL literal in Dart source',
+      severity: 'medium',
+      family: 'dart-cleartext-http',
+      cwe: 'CWE-319',
+      confidence: 0.8,
+      description: 'A hard-coded http:// URL ships cleartext on the wire.',
+      remediation: 'Use https://. Set up network_security_config.xml on Android to block cleartext globally.',
+      snippet: m[0].slice(0, 60),
+    });
+    break;     // one finding per file is enough — common case
+  }
+
+  // 6. Hardcoded credentials
+  for (const { re, label } of _CRED_RE) {
+    const m = re.exec(raw);
+    if (!m) continue;
+    findings.push({
+      id: `dart:hardcoded-${label.toLowerCase().replace(/\s+/g, '-')}:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: `Hardcoded ${label} in Dart source`,
+      severity: 'critical',
+      family: 'dart-hardcoded-credential',
+      cwe: 'CWE-798',
+      confidence: 0.95,
+      description: 'Flutter apps decompile easily (`flutter_extract` / `blutter`). Hardcoded credentials in source are extracted in seconds.',
+      remediation: 'Use String.fromEnvironment("API_KEY") for non-secret config, flutter_secure_storage for runtime secrets fetched from a backend.',
+    });
+  }
+
+  // 7. http.get / Dio without timeout
+  for (const m of raw.matchAll(/\b(?:http\.(?:get|post|put|delete)|Dio\s*\(\s*\))/g)) {
+    const after = raw.slice(m.index, m.index + 400);
+    if (/\b(?:connectTimeout|receiveTimeout|sendTimeout|timeout)\b/.test(after)) continue;
+    findings.push({
+      id: `dart:no-http-timeout:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'HTTP client / request without timeout',
+      severity: 'low',
+      family: 'dart-no-timeout',
+      cwe: 'CWE-400',
+      confidence: 0.6,
+      description: 'No connectTimeout / receiveTimeout set. A slow or unresponsive server will hang the request indefinitely, exhausting connection pool / blocking the UI thread.',
+      remediation: 'Set BaseOptions(connectTimeout: Duration(seconds:10), receiveTimeout: Duration(seconds:30)) on Dio. For http: wrap in Future.timeout(...).',
+    });
+    break;     // one per file
+  }
+
+  // 8. print() / debugPrint() of secret values
+  const debugLeakRe = /\b(?:print|debugPrint)\s*\([^)]*\b(?:token|password|api[kK]ey|jwt|bearer|secret)\b/g;
+  for (const m of raw.matchAll(debugLeakRe)) {
+    findings.push({
+      id: `dart:debug-print-secret:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'print() / debugPrint() of a variable named token/password/apiKey/jwt',
+      severity: 'medium',
+      family: 'dart-secret-in-log',
+      cwe: 'CWE-532',
+      confidence: 0.75,
+      description: 'Secrets sent to print/debugPrint end up in logcat (Android) / Console.app (iOS) and any crash-reporting integration. Even in release builds, debugPrint emits.',
+      remediation: 'Remove the log statement, or redact the value: debugPrint("token=${token.substring(0, 6)}...").',
+    });
+  }
+
+  return findings;
+}

package/src/sast/db-rls.js

@@ -0,0 +1,147 @@
+// Database / Supabase RLS security audit.
+//
+// Vibecoders using Supabase routinely ship with Row-Level Security disabled,
+// service-role keys exposed client-side, or admin APIs called from public
+// endpoints. This module catches the static signals for those patterns.
+//
+// Findings:
+//   SUPABASE_SERVICE_KEY_CLIENT   — service_role key in NEXT_PUBLIC_* var or client-side file
+//   SUPABASE_ADMIN_CLIENT_SIDE    — supabase.auth.admin.* in browser/client code
+//   SUPABASE_BYPASS_RLS           — explicit bypassRowLevelSecurity or serviceRole in query
+//   RLS_DISABLED_SQL              — SQL CREATE TABLE without ALTER TABLE … ENABLE ROW LEVEL SECURITY
+//   SUPABASE_ANON_KEY_SERVER      — anon key used server-side with service-role semantics
+//   POSTGRES_DIRECT_NO_RLS        — raw pg/postgres connection in request handler (bypasses RLS)
+
+const _SCAN_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs|py|sql)$/i;
+const _NONPROD_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|node_modules)\//i;
+const _CLIENT_PATH_RE = /(?:^|\/)(?:app|pages|components|src\/app|src\/pages|src\/components|public|client|frontend|ui)\//i;
+
+// Service role key referenced from a NEXT_PUBLIC_ env var or hardcoded in a client-side path.
+const NEXT_PUBLIC_SERVICE_RE = /NEXT_PUBLIC_\w*(?:SERVICE|SUPABASE_SERVICE|ADMIN)\w*\s*[=:]/i;
+const SERVICE_KEY_LITERAL_RE = /(?:serviceRoleKey|service_role_key|SUPABASE_SERVICE_ROLE_KEY)\s*[:=]\s*['"`][a-zA-Z0-9._-]{20,}/;
+const SUPABASE_CLIENT_IMPORT_RE = /(?:from|require)\s*\(?\s*['"`]@supabase\/supabase-js['"`]/;
+
+// Auth admin API called in code that might be client-accessible.
+const ADMIN_API_RE = /supabase\s*\.\s*auth\s*\.\s*admin\s*\./;
+
+// Explicit RLS bypass in a Supabase query builder chain.
+const BYPASS_RLS_RE = /\.\s*(?:bypassRowLevelSecurity|serviceRole)\s*\(\s*\)/;
+
+// SQL: table created without RLS enabled in the same statement block.
+const SQL_CREATE_TABLE_RE = /CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+["'`]?(\w+)["'`]?\s*\(/gi;
+const SQL_ENABLE_RLS_RE = /ALTER\s+TABLE\s+["'`]?\w+["'`]?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/i;
+
+// Raw postgres client in a request handler.
+const PG_CLIENT_RE = /new\s+(?:Pool|Client)\s*\(\s*\{/;
+const REQUEST_HANDLER_RE = /(?:req|request|ctx|context)\s*[,)]/;
+
+function scanDatabaseRLS(file, content) {
+  if (!_SCAN_EXT_RE.test(file)) return [];
+  if (_NONPROD_RE.test(file)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+  const isClientPath = _CLIENT_PATH_RE.test(file);
+  const isSql = /\.sql$/i.test(file);
+
+  // --- NEXT_PUBLIC_ service key ---
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (NEXT_PUBLIC_SERVICE_RE.test(line)) {
+      findings.push({
+        id: `db-rls:SUPABASE_SERVICE_KEY_CLIENT:${file}:${i + 1}`,
+        title: 'Supabase service-role key exposed via NEXT_PUBLIC_ variable',
+        severity: 'critical',
+        file, line: i + 1,
+        description: 'A NEXT_PUBLIC_ environment variable referencing a service-role key is visible to every browser client. Any visitor can extract it from the page source and bypass Row-Level Security entirely.',
+        remediation: 'Never prefix service-role keys with NEXT_PUBLIC_. Use them only in server-side code (API routes, Server Actions, edge functions). Rotate the key immediately if it was already deployed.',
+        cwe: 'CWE-522',
+      });
+    }
+
+    // Hardcoded service role key literal
+    if (SERVICE_KEY_LITERAL_RE.test(line)) {
+      findings.push({
+        id: `db-rls:SERVICE_KEY_LITERAL:${file}:${i + 1}`,
+        title: 'Supabase service-role key hardcoded in source',
+        severity: 'critical',
+        file, line: i + 1,
+        description: 'A Supabase service-role key is embedded directly in source code. This key bypasses Row-Level Security on every table and is now permanently stored in git history.',
+        remediation: 'Move to SUPABASE_SERVICE_ROLE_KEY env var, add it to .gitignore, and rotate via the Supabase dashboard → Settings → API.',
+        cwe: 'CWE-798',
+      });
+    }
+
+    // Auth admin API in client-side path
+    if (isClientPath && ADMIN_API_RE.test(line)) {
+      findings.push({
+        id: `db-rls:SUPABASE_ADMIN_CLIENT_SIDE:${file}:${i + 1}`,
+        title: 'Supabase auth.admin API called in client-side code',
+        severity: 'critical',
+        file, line: i + 1,
+        description: 'supabase.auth.admin.* requires the service-role key and must only be called server-side. Calling it in client code means the service-role key is bundled into the browser JavaScript.',
+        remediation: 'Move all auth.admin calls to a Server Action, API route, or edge function. Never import the service-role supabase client in client components.',
+        cwe: 'CWE-285',
+      });
+    }
+
+    // Explicit RLS bypass
+    if (BYPASS_RLS_RE.test(line)) {
+      findings.push({
+        id: `db-rls:SUPABASE_BYPASS_RLS:${file}:${i + 1}`,
+        title: 'Explicit Supabase RLS bypass in query',
+        severity: 'high',
+        file, line: i + 1,
+        description: 'bypassRowLevelSecurity() or serviceRole() is used in a query, disabling all RLS policies for that request. If this code is reachable from a user-controlled path, any user can read or modify other users\' data.',
+        remediation: 'Remove bypassRowLevelSecurity() from user-facing query paths. If admin operations are required, gate them behind a server-side role check and audit log.',
+        cwe: 'CWE-284',
+      });
+    }
+
+    // Raw pg client in request handler
+    if (PG_CLIENT_RE.test(line)) {
+      const ctx = lines.slice(Math.max(0, i - 5), i + 10).join('\n');
+      if (REQUEST_HANDLER_RE.test(ctx)) {
+        findings.push({
+          id: `db-rls:POSTGRES_DIRECT_NO_RLS:${file}:${i + 1}`,
+          title: 'Direct PostgreSQL connection in request handler bypasses RLS',
+          severity: 'high',
+          file, line: i + 1,
+          description: 'A raw pg Pool/Client connection used inside a request handler connects as a privileged database role, bypassing all Supabase Row-Level Security policies. Any data returned is not filtered by the authenticated user\'s context.',
+          remediation: 'Use the Supabase client with the user\'s JWT for RLS-filtered queries. If raw SQL is required, set SET LOCAL role to the authenticated user\'s role and pass the JWT claims via set_config.',
+          cwe: 'CWE-284',
+        });
+      }
+    }
+  }
+
+  // --- SQL file: CREATE TABLE without RLS ---
+  if (isSql) {
+    const tablesWithRLS = new Set();
+    let m;
+    if (SQL_ENABLE_RLS_RE.test(content)) {
+      // collect which tables have RLS
+      const rlsRe = /ALTER\s+TABLE\s+["'`]?(\w+)["'`]?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
+      while ((m = rlsRe.exec(content)) !== null) tablesWithRLS.add(m[1].toLowerCase());
+    }
+    SQL_CREATE_TABLE_RE.lastIndex = 0;
+    while ((m = SQL_CREATE_TABLE_RE.exec(content)) !== null) {
+      const tableName = m[1].toLowerCase();
+      if (!tablesWithRLS.has(tableName)) {
+        const lineNum = content.slice(0, m.index).split('\n').length;
+        findings.push({
+          id: `db-rls:RLS_DISABLED_SQL:${file}:${lineNum}`,
+          title: `Table "${m[1]}" created without Row-Level Security`,
+          severity: 'high',
+          file, line: lineNum,
+          description: `The table "${m[1]}" is created but no ALTER TABLE … ENABLE ROW LEVEL SECURITY statement is present in this file. Without RLS, any authenticated user can read and write every row regardless of ownership.`,
+          remediation: `Add after the CREATE TABLE:\n  ALTER TABLE "${m[1]}" ENABLE ROW LEVEL SECURITY;\n  CREATE POLICY "owner_only" ON "${m[1]}" USING (user_id = auth.uid());`,
+          cwe: 'CWE-284',
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+export { scanDatabaseRLS };

package/src/sast/db-taint.js

@@ -0,0 +1,215 @@
+// Database-aware taint (v0.70 #10).
+//
+// When `user.bio = req.body.bio` writes tainted text to a DB column, then
+// later `display(getUser(id).bio)` reads it and feeds it to an HTML
+// renderer, that's stored-XSS — but our forward-taint analysis loses the
+// flow at the DB boundary because the engine doesn't model storage as a
+// memory channel.
+//
+// This module fills the gap as a SAST detector. It walks file content
+// looking for two patterns in the same file (v1 scope; cross-file in v2):
+//   1. WRITE:  ORM write/create/update of a model field FROM a user source
+//   2. READ:   ORM read of the SAME model field, used in a render/HTML sink
+//
+// When both patterns match, emit a stored-XSS-class finding with the
+// trace pointing to both sites.
+//
+// ORM frameworks recognized (v1):
+//   - Sequelize:    Model.create({ field: x })            / .save()
+//   - Prisma:       prisma.<model>.create({ data: { field: x } })
+//   - TypeORM:      repo.save({ field: x })               / repo.update(...)
+//   - Mongoose:     new Model({ field: x }).save()
+//   - SQLAlchemy:   model.field = x; session.add; session.commit
+//   - Django ORM:   Model.objects.create(field=x)         / Model(field=x).save()
+//
+// Render sinks recognized: res.send / res.render / res.write / res.json,
+// ctx.body, template helpers (template literals, dangerouslySetInnerHTML).
+
+import { blankComments } from './_comment-strip.js';
+
+const TAINT_HINT_RE =
+  /\b(?:req\.|request\.|params\.|query\.|body\.|ctx\.query|ctx\.request|c\.Query|r\.URL\.Query|_GET|_POST|_REQUEST|getParameter)\b/;
+
+// Patterns that capture (model, field, value) where value is a user source.
+const WRITE_PATTERNS_JS = [
+  // Sequelize Model.create({ field: req.body.x })
+  // We capture: model, then any field initializer with a user source.
+  /\b([A-Z][\w]*)\s*\.\s*create\s*\(\s*\{[^}]*?\b([a-z_][\w]*)\s*:\s*([^,}]+)/g,
+  // Prisma prisma.<model>.create({ data: { field: req.body.x }})
+  /\bprisma\s*\.\s*([a-z][\w]*)\s*\.\s*(?:create|update)\s*\(\s*\{[^}]*?data\s*:\s*\{[^}]*?\b([a-z_][\w]*)\s*:\s*([^,}]+)/g,
+  // TypeORM repo.save({ field: req.body.x })
+  /\b([a-zA-Z_][\w]*)\s*\.\s*save\s*\(\s*\{[^}]*?\b([a-z_][\w]*)\s*:\s*([^,}]+)/g,
+];
+
+const WRITE_PATTERNS_PY = [
+  // Django Model.objects.create(field=req.POST['x'])
+  /\b([A-Z][\w]*)\s*\.\s*objects\s*\.\s*create\s*\(([^)]*?)\b([a-z_]\w*)\s*=\s*([^,)]+)/g,
+  // SQLAlchemy: instance.field = request.x; followed by session.commit()
+  /\b([a-z_]\w*)\s*\.\s*([a-z_]\w*)\s*=\s*([^\n;]*?(?:request|req|params|query|body|_GET|_POST)[^\n;]*)/g,
+];
+
+// Read sites: any `.find / findOne / findByPk / findById / query / get`
+// call. We collect those + the captured-variable name (when `const x = ...`)
+// + the model name. Then in a separate pass we look for `<var>.<field>`
+// access AND for direct `.find(...).<field>` chains.
+const READ_CALL_RE_JS =
+  /(?:(?:const|let|var)\s+([a-zA-Z_$][\w$]*)\s*=\s*(?:await\s+)?)?\b([A-Z][\w]*|[a-z_][\w]*|prisma\s*\.\s*[a-z][\w]*)\s*\.\s*(?:find|findOne|findByPk|findById|findUnique|findFirst|get|query)\s*\(/g;
+
+const READ_CALL_RE_PY =
+  /(?:([a-z_]\w*)\s*=\s*)?\b([A-Z][\w]*)\s*\.\s*objects\s*\.\s*(?:get|filter|first|all)\s*\(/g;
+
+const RENDER_SINK_RE_JS =
+  /\b(?:res\.send|res\.write|res\.render|res\.json|ctx\.body\s*=|dangerouslySetInnerHTML|innerHTML\s*=)\b/;
+
+const RENDER_SINK_RE_PY =
+  /\b(?:render_template_string|HttpResponse\s*\(|response\.write|HttpResponseHtml)\b/;
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  return null;
+}
+
+/**
+ * Walk the file once collecting WRITE pairs (model, field, line) where the
+ * written value is a user source.
+ */
+function _findTaintedWrites(code, lang) {
+  const writes = [];
+  const patterns = lang === 'js' ? WRITE_PATTERNS_JS : WRITE_PATTERNS_PY;
+  for (const pat of patterns) {
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      // The capture indices vary by pattern. Inspect groups 1..4.
+      // For JS Sequelize: m[1]=model, m[2]=field, m[3]=value
+      // For Prisma: m[1]=model, m[2]=field, m[3]=value
+      // For Python: m[1]=model, m[3]=field, m[4]=value (Django) or
+      //            m[1]=instance, m[2]=field, m[3]=value (SQLA assign)
+      let model, field, value;
+      if (lang === 'js') {
+        model = m[1]; field = m[2]; value = m[3];
+      } else {
+        // Django: 4 groups; SQLA-style assign: 3 groups
+        if (m.length >= 5 && m[4] !== undefined) {
+          model = m[1]; field = m[3]; value = m[4];
+        } else {
+          model = m[1]; field = m[2]; value = m[3];
+        }
+      }
+      if (!value || !TAINT_HINT_RE.test(value)) continue;
+      writes.push({ model, field, line: _lineOf(code, m.index) });
+    }
+  }
+  return writes;
+}
+
+/**
+ * Walk the file collecting READ sites: any ORM read call, optionally
+ * captured into a local variable, where THAT variable's `.field` is
+ * accessed within a render-sink window in the following ~20 lines.
+ *
+ * Handles two indirection levels:
+ *   (1) `const x = await Model.findOne({...}); res.send('<p>' + x.bio + '</p>')`
+ *   (2) `res.send(Model.findOne({...}).bio)`  (direct chain)
+ */
+function _findRendersOfReads(code, lang) {
+  const reads = [];
+  const callRe = lang === 'js' ? new RegExp(READ_CALL_RE_JS.source, READ_CALL_RE_JS.flags)
+                                : new RegExp(READ_CALL_RE_PY.source, READ_CALL_RE_PY.flags);
+  const sinkRe = lang === 'js' ? RENDER_SINK_RE_JS : RENDER_SINK_RE_PY;
+  const lines = code.split('\n');
+  let m;
+  while ((m = callRe.exec(code))) {
+    // JS groups: 1=varName (maybe undefined), 2=model.  PY: 1=varName, 2=model.
+    const varName = m[1] || null;
+    const modelToken = (m[2] || '').trim();
+    // Pull a clean model name out of `prisma.user` → `user` style.
+    const model = modelToken.includes('.') ? modelToken.split('.').pop() : modelToken;
+    const line = _lineOf(code, m.index);
+    // Look ahead up to 25 lines for any field access + a render sink in the
+    // same window.
+    const lo = line - 1;
+    const hi = Math.min(lines.length, line + 25);
+    const window = lines.slice(lo, hi).join('\n');
+    if (!sinkRe.test(window)) continue;
+    // Collect every `.<field>` access in the window — they're the read
+    // candidates. We try BOTH shapes:
+    //   (a) <varName>.<field>  when the call was assigned
+    //   (b) .find(...).<field> inline-chain
+    const FRAMEWORK_NOISE = new Set(['then', 'catch', 'finally', 'where',
+      'select', 'data', 'create', 'update', 'delete', 'save', 'find',
+      'findOne', 'findFirst', 'findUnique', 'findByPk', 'findById', 'all',
+      'first', 'get', 'query', 'count', 'objects']);
+    const fieldRegexes = [];
+    if (varName) {
+      fieldRegexes.push(new RegExp(`\\b${_escapeRegex(varName)}\\.([a-zA-Z_]\\w*)`, 'g'));
+    }
+    fieldRegexes.push(new RegExp(
+      `\\.\\s*(?:find|findOne|findByPk|findById|findUnique|findFirst|get|query|first|all)\\s*\\([^)]*\\)\\s*\\.\\s*([a-zA-Z_]\\w*)`, 'g'));
+    for (const fieldRe of fieldRegexes) {
+      let fm;
+      while ((fm = fieldRe.exec(window))) {
+        const field = fm[1];
+        if (FRAMEWORK_NOISE.has(field)) continue;
+        const fieldLineLocal = window.slice(0, fm.index).split('\n').length;
+        reads.push({ model, field, line: line + fieldLineLocal - 1 });
+      }
+    }
+  }
+  return reads;
+}
+
+function _escapeRegex(s) { return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }
+
+export function scanDbTaint(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  // Pre-filter: file must mention both an ORM-write and a render sink.
+  if (!/\bcreate\s*\(|\.\s*save\s*\(|\.\s*objects\s*\.|prisma\s*\./.test(code)) return [];
+  const writes = _findTaintedWrites(code, lang);
+  if (writes.length === 0) return [];
+  const reads = _findRendersOfReads(code, lang);
+  if (reads.length === 0) return [];
+
+  const findings = [];
+  const seen = new Set();
+  for (const w of writes) {
+    for (const r of reads) {
+      // Match on field name (column). Model-name matching is best-effort —
+      // many codebases pass model classes around through variables.
+      if (w.field !== r.field) continue;
+      const id = `db-taint:${fp}:${w.line}->${r.line}:${w.model}.${w.field}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp, line: r.line,
+        vuln: `Stored XSS via DB round-trip (${w.model}.${w.field})`,
+        severity: 'high',
+        cwe: 'CWE-79',
+        family: 'stored-xss',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[r.line - 1] || '').trim().slice(0, 200),
+        remediation:
+          `User content written to ${w.model}.${w.field} at line ${w.line} is later read at line ${r.line} and fed to a render sink. ` +
+          'Mitigations: ' +
+          '(1) sanitize at WRITE time (HTML-escape before storage) and tag the column as "html-safe stored", OR ' +
+          '(2) escape at READ time inside the render (use the framework\'s auto-escape), OR ' +
+          '(3) use a content-security-policy that blocks inline scripts on rendered pages. ' +
+          'Defense in depth: do BOTH (1) and (2).',
+        parser: 'DB-TAINT',
+        confidence: 0.7,
+        trace: [
+          { line: w.line, kind: 'db-write', sourceLabel: `${w.model}.${w.field} ← user source` },
+          { line: r.line, kind: 'db-read',  sourceLabel: `${w.model}.${w.field} → render` },
+        ],
+      });
+    }
+  }
+  return findings;
+}