@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/python-sinks.js

@@ -0,0 +1,195 @@
+// Python sink-side SAST (FR-PY-SAST — Phase-2 G3 blocker).
+//
+// The polyglot benchmark in v0.50.0 showed Python detector coverage is the
+// single largest blocker behind the polyglot F1 gap (target 0.85, today 0.727).
+// This module fills the most-common Python sink shapes:
+//
+//   - SQLAlchemy text() with f-string concat → SQL injection
+//   - os.system / subprocess with shell=True or string concat → command injection
+//   - pickle.loads / yaml.load on request data → insecure deserialization
+//   - eval / exec on request data → code injection
+//   - flask.send_file / send_from_directory with user-controlled path → path traversal
+//   - requests with verify=False → insecure HTTPS
+//
+// Limits:
+//   - Regex-based, no Python AST today (tree-sitter integration is Phase 5).
+//   - "User-controlled" is shape-matched, not flow-traced (any `request.`
+//     reference in the same call site qualifies). This is conservative —
+//     we'll miss flows that route through helpers, and we'll false-positive
+//     when `request.` is unrelated to the sink. Calibration is the answer
+//     (FR-LEARN-5), not pre-filtering.
+
+import { blankComments } from './_comment-strip.js';
+
+const PY_EXT_RE = /\.py$/i;
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+// ─── SQLAlchemy text() with f-string ──────────────────────────────────────
+//
+// `engine.execute(text(f"SELECT ... {var}"))`
+// `connection.execute(text(f"..."))`
+// The dangerous shape is text() wrapping an f-string. Parameterized queries
+// use `text("... :name").bindparams(name=...)` — the f-string variant
+// indicates concat.
+
+const SQLA_TEXT_FSTRING_RE = /\btext\s*\(\s*f['"][^'"]*\{[^}]+\}/g;
+const SQLA_RAW_EXEC_CONCAT_RE = /\b(?:cursor|conn|connection|session)\s*\.\s*execute\s*\(\s*(?:f['"][^'"]*\{|['"][^'"]*['"]\s*[+%])/g;
+// A common shape: build the SQL in a previous line as an f-string, then pass
+// the variable to text() / execute(). We detect the f-string with SQL keywords
+// AND a `{...}` interpolation directly. The f-string body can contain inner
+// quotes (single quotes inside double-quoted f-string and vice versa) so we
+// use two parallel patterns rather than a single character class that excludes
+// both quote kinds.
+const SQLA_FSTRING_SQL_ASSIGN_RE = /(?:f"[^"]*(?:SELECT|INSERT|UPDATE|DELETE)[^"]*\{[^}]*\}|f'[^']*(?:SELECT|INSERT|UPDATE|DELETE)[^']*\{[^}]*\})/gi;
+
+// ─── Command injection ────────────────────────────────────────────────────
+//
+// `os.system(...)` with anything other than a literal
+// `subprocess.run(...,  shell=True)`
+// `subprocess.Popen(..., shell=True)`
+// `subprocess.call(..., shell=True)`
+
+// os.system is dangerous when the argument is anything but a pure quoted
+// literal. We use a negative lookahead for the "pure literal" shape:
+// `os.system("literal text")` is safe; everything else gets flagged.
+const PY_OS_SYSTEM_RE = /\bos\s*\.\s*system\s*\((?!\s*['"][^'"]*['"]\s*\))/g;
+const PY_SUBPROCESS_SHELL_TRUE_RE = /\bsubprocess\s*\.\s*(?:run|Popen|call|check_call|check_output)\s*\([^)]*shell\s*=\s*True/g;
+const PY_SHELL_EXEC_CONCAT_RE = /\bos\s*\.\s*(?:popen|exec[lv]p?)\s*\(/g;
+
+// ─── Insecure deserialization ─────────────────────────────────────────────
+
+const PY_PICKLE_LOADS_RE = /\bpickle\s*\.\s*loads?\s*\(/g;
+const PY_YAML_UNSAFE_LOAD_RE = /\byaml\s*\.\s*(?:unsafe_load|load)\s*\((?![^)]*Loader\s*=\s*(?:yaml\.SafeLoader|SafeLoader))/g;
+const PY_MARSHAL_LOADS_RE = /\bmarshal\s*\.\s*loads?\s*\(/g;
+
+// ─── Code injection ───────────────────────────────────────────────────────
+
+const PY_EVAL_USER_RE = /\b(?:eval|exec)\s*\(\s*[^)]*(?:request\.|flask\.request|input\s*\(|sys\.argv|os\.environ)/g;
+const PY_COMPILE_USER_RE = /\bcompile\s*\([^)]*(?:request\.|input\s*\(|sys\.argv)/g;
+
+// ─── Path traversal ───────────────────────────────────────────────────────
+//
+// `flask.send_file(user_path)` — known sink when path comes from request.
+// `flask.send_from_directory(dir, user_filename)` — same.
+// `open(user_path)` — generic file read with user input.
+
+// send_file with anything other than a pure literal path is dangerous.
+const PY_SEND_FILE_RE = /\b(?:flask\.)?send_file\s*\(\s*(?!['"][^'"]+['"]\s*\))/gi;
+const PY_SEND_FROM_DIR_RE = /\b(?:flask\.)?send_from_directory\s*\([^)]*,\s*(?:request\.|[a-zA-Z_]\w*)\s*[,)]/g;
+const PY_OPEN_USER_RE = /\bopen\s*\(\s*(?:request\.|f['"][^'"]*\{[^}]+\})/g;
+
+// ─── Insecure transport ───────────────────────────────────────────────────
+
+const PY_REQUESTS_VERIFY_FALSE_RE = /\brequests\s*\.\s*(?:get|post|put|delete|patch|head|request)\s*\([^)]*verify\s*=\s*False/g;
+const PY_URLLIB_NOCHECK_RE = /\bssl\s*\.\s*_create_unverified_context\s*\(/g;
+
+// ─── SSRF ─────────────────────────────────────────────────────────────────
+
+const PY_REQUESTS_USER_URL_RE = /\brequests\s*\.\s*(?:get|post|put|delete|patch|head|request)\s*\(\s*(?:request\.|f['"][^'"]*\{[^}]+\})/g;
+const PY_URLLIB_USER_URL_RE = /\b(?:urllib\.request\.urlopen|urlopen)\s*\(\s*(?:request\.|f['"][^'"]*\{[^}]+\})/g;
+
+// ─── XXE ──────────────────────────────────────────────────────────────────
+
+const PY_XML_INSECURE_RE = /\blxml\.etree\.(?:parse|fromstring)\s*\([^)]*\)(?!\s*[^.]*\bresolve_entities\s*=\s*False)/g;
+const PY_XML_ETREE_USER_RE = /\bxml\.etree\.ElementTree\.(?:parse|fromstring)\s*\(\s*(?:request\.|f['"][^'"]*\{)/g;
+
+// ─── Detector ─────────────────────────────────────────────────────────────
+
+const RULES = [
+  // Each rule: { re, vuln, severity, cwe, family, parser }
+  { re: SQLA_TEXT_FSTRING_RE,        vuln: 'SQL Injection (SQLAlchemy text() with f-string)',     severity: 'critical', cwe: 'CWE-89',  family: 'sql-injection' },
+  { re: SQLA_RAW_EXEC_CONCAT_RE,     vuln: 'SQL Injection (cursor.execute with concat)',          severity: 'critical', cwe: 'CWE-89',  family: 'sql-injection' },
+  { re: SQLA_FSTRING_SQL_ASSIGN_RE,  vuln: 'SQL Injection (f-string SQL assigned to variable)',   severity: 'high',     cwe: 'CWE-89',  family: 'sql-injection' },
+  { re: PY_OS_SYSTEM_RE,             vuln: 'Command Injection (os.system with variable arg)',     severity: 'critical', cwe: 'CWE-78',  family: 'command-injection' },
+  { re: PY_SUBPROCESS_SHELL_TRUE_RE, vuln: 'Command Injection (subprocess shell=True)',           severity: 'critical', cwe: 'CWE-78',  family: 'command-injection' },
+  { re: PY_SHELL_EXEC_CONCAT_RE,     vuln: 'Command Injection (os.popen / os.execlp)',            severity: 'high',     cwe: 'CWE-78',  family: 'command-injection' },
+  { re: PY_PICKLE_LOADS_RE,          vuln: 'Insecure Deserialization (pickle.loads on untrusted)', severity: 'critical', cwe: 'CWE-502', family: 'insecure-deserialization' },
+  { re: PY_YAML_UNSAFE_LOAD_RE,      vuln: 'Insecure Deserialization (yaml.load without SafeLoader)', severity: 'critical', cwe: 'CWE-502', family: 'insecure-deserialization' },
+  { re: PY_MARSHAL_LOADS_RE,         vuln: 'Insecure Deserialization (marshal.loads)',            severity: 'high',     cwe: 'CWE-502', family: 'insecure-deserialization' },
+  { re: PY_EVAL_USER_RE,             vuln: 'Code Injection (eval/exec on request data)',          severity: 'critical', cwe: 'CWE-94',  family: 'code-injection' },
+  { re: PY_COMPILE_USER_RE,          vuln: 'Code Injection (compile() on user input)',            severity: 'high',     cwe: 'CWE-94',  family: 'code-injection' },
+  { re: PY_SEND_FILE_RE,             vuln: 'Path Traversal (flask.send_file with user-controlled path)', severity: 'high', cwe: 'CWE-22', family: 'path-traversal' },
+  { re: PY_SEND_FROM_DIR_RE,         vuln: 'Path Traversal (flask.send_from_directory)',          severity: 'high',     cwe: 'CWE-22',  family: 'path-traversal' },
+  { re: PY_OPEN_USER_RE,             vuln: 'Path Traversal (open with user-controlled path)',     severity: 'high',     cwe: 'CWE-22',  family: 'path-traversal' },
+  { re: PY_REQUESTS_VERIFY_FALSE_RE, vuln: 'Insecure HTTPS (requests verify=False)',              severity: 'medium',   cwe: 'CWE-295', family: 'insecure-http' },
+  { re: PY_URLLIB_NOCHECK_RE,        vuln: 'Insecure HTTPS (ssl._create_unverified_context)',     severity: 'medium',   cwe: 'CWE-295', family: 'insecure-http' },
+  { re: PY_REQUESTS_USER_URL_RE,     vuln: 'SSRF (requests with user-controlled URL)',            severity: 'high',     cwe: 'CWE-918', family: 'ssrf' },
+  { re: PY_URLLIB_USER_URL_RE,       vuln: 'SSRF (urlopen with user-controlled URL)',             severity: 'high',     cwe: 'CWE-918', family: 'ssrf' },
+  { re: PY_XML_INSECURE_RE,          vuln: 'XXE (lxml without resolve_entities=False)',           severity: 'high',     cwe: 'CWE-611', family: 'xxe' },
+  { re: PY_XML_ETREE_USER_RE,        vuln: 'XXE (xml.etree.ElementTree on user input)',           severity: 'high',     cwe: 'CWE-611', family: 'xxe' },
+];
+
+export function scanPythonSinks(fp, raw) {
+  if (!PY_EXT_RE.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  // Skip test files — Python projects use `test_*.py` / `*_test.py` / `tests/`.
+  if (/(?:^|\/)(?:tests?|test_|_test\.py$)/i.test(fp) && !/fixtures?/i.test(fp)) return [];
+  const code = blankComments(raw, 'py');
+  const findings = [];
+  const seen = new Set();
+  for (const rule of RULES) {
+    const re = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const line = lineOf(raw, m.index);
+      const id = `${rule.family}:${fp}:${line}:${rule.cwe}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp,
+        line,
+        vuln: rule.vuln,
+        severity: rule.severity,
+        cwe: rule.cwe,
+        family: rule.family,
+        stride: _strideForFamily(rule.family),
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        parser: 'PY-SAST',
+        confidence: 0.7,
+        remediation: _remediationFor(rule.family, rule.vuln),
+      });
+    }
+  }
+  return findings;
+}
+
+function _strideForFamily(fam) {
+  return {
+    'sql-injection':            'Tampering',
+    'command-injection':        'Elevation of Privilege',
+    'insecure-deserialization': 'Elevation of Privilege',
+    'code-injection':           'Elevation of Privilege',
+    'path-traversal':           'Information Disclosure',
+    'insecure-http':            'Information Disclosure',
+    'ssrf':                     'Spoofing',
+    'xxe':                      'Information Disclosure',
+  }[fam] || 'Tampering';
+}
+
+function _remediationFor(fam, vuln) {
+  switch (fam) {
+    case 'sql-injection':
+      return 'Use parameterized queries: `connection.execute(text("SELECT ... WHERE id = :id"), {"id": id})` instead of f-string concat. For raw `cursor.execute`, pass the value as the second positional argument; never concatenate.';
+    case 'command-injection':
+      return 'Avoid `os.system` and `shell=True`. Use `subprocess.run([\'binary\', arg1, arg2], check=True)` with arguments as a list — the shell never sees the values, so shell metacharacters cannot be injected.';
+    case 'insecure-deserialization':
+      return 'Never `pickle.loads` untrusted bytes. Use `json.loads` for structured data. For YAML, use `yaml.safe_load`. For `marshal`, switch to JSON or a schema-validated alternative.';
+    case 'code-injection':
+      return 'Replace `eval` / `exec` with a safe parser appropriate to the input class — `ast.literal_eval` for Python literals, `json.loads` for JSON, a domain-specific parser for everything else.';
+    case 'path-traversal':
+      return 'Validate the user path is inside the intended directory: `os.path.realpath(os.path.join(base, user_path)).startswith(os.path.realpath(base))`. For `flask.send_from_directory`, ensure the filename is a known allowlisted value.';
+    case 'insecure-http':
+      return 'Remove `verify=False`. If you genuinely need to disable TLS verification for a known internal endpoint, scope it to that endpoint and document why; never broadly across `requests` calls.';
+    case 'ssrf':
+      return 'Validate the URL against an allowlist before fetching. Block private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254 / metadata IPs).';
+    case 'xxe':
+      return 'Configure the XML parser to disable external entities: lxml `etree.XMLParser(resolve_entities=False, no_network=True)`; defusedxml is the safest drop-in.';
+    default:
+      return `Address the ${vuln} finding above.`;
+  }
+}
+
+// For tests + the no-dead-modules check.
+export const _ruleCount = RULES.length;

package/src/sast/quarkus-hardening.js

@@ -0,0 +1,102 @@
+// Quarkus framework hardening.
+//
+// Coverage:
+//   1. Resource methods exposed without @Authenticated / @RolesAllowed
+//   2. application.properties: quarkus.oidc.credentials.secret literal
+//   3. quarkus.security.users.embedded.* enabled in non-dev profile
+//   4. quarkus.http.cors=true with overly broad origins
+//   5. @PermitAll on /api/admin or similar sensitive paths
+//   6. mp.jwt.verify.publickey.location missing when @Authenticated present
+
+const _JAVA_RE = /\.java$/i;
+const _PROPS_RE = /(?:^|[\\/])application(?:[-.][\w-]+)?\.(?:properties|ya?ml)$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+function _isQuarkusJava(raw) {
+  return /\bio\.quarkus\b|\bjakarta\.ws\.rs\b|\borg\.eclipse\.microprofile\b/.test(raw);
+}
+
+export function scanQuarkusHardening(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 200_000) return [];
+  const findings = [];
+
+  // Properties file checks.
+  if (_PROPS_RE.test(file) && /\bquarkus\./.test(raw)) {
+    // OIDC client secret literal
+    for (const m of raw.matchAll(/^\s*quarkus\.oidc\.credentials\.secret\s*=\s*(\S+)/gmi)) {
+      const val = m[1].trim();
+      if (val.startsWith('${') || val === '' || val === '""' || val === "''") continue;
+      findings.push({
+        id: `quarkus:oidc-secret-literal:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Quarkus OIDC client secret in plaintext config',
+        severity: 'critical',
+        family: 'quarkus-hardcoded-credential',
+        cwe: 'CWE-798',
+        confidence: 0.95,
+        description: 'quarkus.oidc.credentials.secret in source-controlled config lets anyone with repo read impersonate the application against the IdP.',
+        remediation: 'Replace with ${OIDC_CLIENT_SECRET} env-var reference and rotate the leaked secret.',
+      });
+    }
+    // Embedded user with literal password
+    for (const m of raw.matchAll(/^\s*quarkus\.security\.users\.embedded\.users\.\w+\s*=\s*(\S+)/gmi)) {
+      const val = m[1].trim();
+      if (val.startsWith('${')) continue;
+      findings.push({
+        id: `quarkus:embedded-user-password:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Quarkus embedded user with literal password (likely dev convenience leaked to prod)',
+        severity: 'critical',
+        family: 'quarkus-hardcoded-credential',
+        cwe: 'CWE-798',
+        confidence: 0.9,
+        description: 'Quarkus embedded identity is convenient for dev / smoke tests; pushing it to a non-dev profile creates a backdoor.',
+        remediation: 'Move the user/password to a real IdentityProvider (Keycloak, LDAP, DB). Quarkus dev-mode users should never ship to production.',
+      });
+    }
+    // Wildcard CORS origin
+    for (const m of raw.matchAll(/^\s*quarkus\.http\.cors\.origins\s*=\s*['"]?\*['"]?/gm)) {
+      findings.push({
+        id: `quarkus:cors-wildcard:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Quarkus CORS origins = * (wildcard)',
+        severity: 'high',
+        family: 'quarkus-cors-wildcard',
+        cwe: 'CWE-942',
+        confidence: 0.9,
+        description: 'Wildcard CORS combined with credentialed requests allows any origin to read authenticated responses.',
+        remediation: 'Set quarkus.http.cors.origins=https://app.example.com (explicit list).',
+      });
+    }
+    return findings;
+  }
+
+  if (!_JAVA_RE.test(file)) return findings;
+  if (!_isQuarkusJava(raw)) return findings;
+
+  // Mutating JAX-RS endpoint without @Authenticated / @RolesAllowed / @PermitAll
+  const verbRe = /@(?:POST|PUT|PATCH|DELETE)\b[\s\S]{0,300}?public\s+\w[\w<>,\s\[\]?]*\s+(\w+)\s*\(/g;
+  let mm;
+  while ((mm = verbRe.exec(raw))) {
+    const lineIdx = _line(raw, mm.index);
+    const above = raw.slice(Math.max(0, mm.index - 400), mm.index);
+    if (/@(?:Authenticated|RolesAllowed|PermitAll|DenyAll)\b/.test(above)) continue;
+    findings.push({
+      id: `quarkus:no-authz:${file}:${lineIdx}:${mm[1]}`,
+      file, line: lineIdx,
+      vuln: `Quarkus mutating endpoint ${mm[1]}() has no @Authenticated / @RolesAllowed annotation`,
+      severity: 'high',
+      family: 'quarkus-missing-authz',
+      cwe: 'CWE-862',
+      confidence: 0.7,
+      description: 'A POST/PUT/PATCH/DELETE handler is exposed without authentication / authorization. Unless the path is gated by a wider mechanism, this endpoint is callable by anyone reaching it.',
+      remediation: 'Add @Authenticated on the resource class (default to require auth) and @RolesAllowed("admin") on privileged methods. Use @PermitAll explicitly when a method is truly public.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/rag-poisoning.js

@@ -0,0 +1,118 @@
+// RAG Context-Poisoning Path (OWASP LLM02 — Training-Data Poisoning,
+// applied at retrieval-time rather than fine-tune time).
+//
+// Pattern: untrusted text from a user (req.body, file upload, web scrape,
+// external API) is written into a vector store / retrieval index without
+// (a) source attribution, (b) trust-level tagging, or (c) downstream
+// retrieval-side filtering. At LLM query time, the poisoned chunk is
+// retrieved with no signal that it shouldn't be trusted, and its
+// embedded instructions ride along into the model's context.
+//
+// We catch the WRITE side, not the READ — the retrieval side is too
+// generic to flag without taint context. The write-side signature is
+// strong: `<vector_store>.add(text=<user_input>)` with no metadata
+// indicating provenance / trust level.
+//
+// Vector-store libraries covered (v1):
+//   - chromadb (Python):  collection.add(documents=[...])
+//   - pinecone (Python/JS): index.upsert(vectors=[{values, metadata}])
+//   - weaviate:           client.collections.<n>.data.insert(...)
+//   - qdrant:             client.upsert(collection_name, points=[...])
+//   - langchain:          vectorstore.add_documents(...)
+//   - pgvector:           INSERT INTO embeddings (vec, content) VALUES (...)
+//
+// Suppress when:
+//   - the call includes `metadata: { source, trust_level, … }` and the
+//     trust_level is a non-trivial argument (not just '"trusted"')
+//   - a known sanitizer or denylist filter is referenced in the preceding
+//     30 lines
+
+import { blankComments } from './_comment-strip.js';
+
+const TAINT_HINT_RE =
+  /\b(?:req\.|request\.|params\.|query\.|body\.|ctx\.query|ctx\.request|reply\.query|c\.Query|r\.URL\.Query|_GET|_POST|_REQUEST|getParameter|getHeader|webhook|scrape|fetch\s*\()/;
+
+const PATTERNS = [
+  // chromadb collection.add
+  ['py', /\b(?:collection|chroma_collection)\s*\.\s*add\s*\(\s*documents\s*=\s*([^)]+?)\s*[,)]/g, 'ChromaDB'],
+  // langchain add_documents / add_texts
+  ['py', /\bvectorstore\s*\.\s*add_(?:documents|texts)\s*\(\s*([^)]+?)\s*[,)]/g, 'LangChain'],
+  ['js', /\bvectorStore\s*\.\s*add(?:Documents|Texts)\s*\(\s*([^)]+?)\s*[,)]/g, 'LangChain.js'],
+  // pinecone upsert
+  ['py', /\bindex\s*\.\s*upsert\s*\(\s*vectors\s*=\s*([^)]+?)\s*[,)]/g, 'Pinecone'],
+  ['js', /\bindex\s*\.\s*upsert\s*\(\s*([^)]+?)\s*\)/g, 'Pinecone'],
+  // weaviate insert
+  ['py', /\.\s*data\s*\.\s*insert\s*\(\s*([^)]+?)\s*[,)]/g, 'Weaviate'],
+  // qdrant upsert
+  ['py', /\bclient\s*\.\s*upsert\s*\(\s*collection_name[^,]+,\s*points\s*=\s*([^)]+?)\s*[,)]/g, 'Qdrant'],
+  // pgvector via raw INSERT
+  ['py', /\bINSERT\s+INTO\s+\w*embedding[^;]*VALUES\s*\(\s*([^)]+?)\)/gi, 'pgvector raw INSERT'],
+];
+
+const PROVENANCE_HINT_RE =
+  /\bmetadatas?\s*[=:]\s*\[?\s*\{[^}]*(?:source|trust_level|provenance|tenant_id|user_id|origin)/i;
+
+const SANITIZER_HINT_RE =
+  /\b(?:bleach\s*\.\s*clean|DOMPurify\.sanitize|stripUntrustedInstructions|detect_prompt_injection|denylist[A-Za-z0-9_]*|trustLevelOf)\b/;
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  return null;
+}
+function _hasSanitizerAbove(raw, line) {
+  const lines = raw.split('\n');
+  const lo = Math.max(0, line - 30);
+  return SANITIZER_HINT_RE.test(lines.slice(lo, line).join('\n'));
+}
+
+export function scanRAGPoisoning(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  if (!/\b(?:chromadb|chroma|pinecone|weaviate|qdrant|pgvector|langchain|vectorstore|vectorStore|embedding)\b/i.test(code)) return [];
+  const findings = [];
+  const seen = new Set();
+  for (const [plang, pat, label] of PATTERNS) {
+    if (plang !== lang) continue;
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const callArgs = (m[1] || '');
+      if (!TAINT_HINT_RE.test(callArgs)) continue;
+      // The full call may extend beyond the captured fragment; look at the
+      // rest of the line block to check for provenance metadata.
+      const lineNo = _lineOf(raw, m.index);
+      const lines = raw.split('\n');
+      const blockEnd = Math.min(lines.length, lineNo + 5);
+      const block = lines.slice(lineNo - 1, blockEnd).join('\n');
+      if (PROVENANCE_HINT_RE.test(block)) continue;
+      if (_hasSanitizerAbove(raw, lineNo)) continue;
+      const id = `rag-poisoning:${fp}:${lineNo}:${label}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp, line: lineNo,
+        vuln: `RAG Context-Poisoning Path (${label})`,
+        severity: 'high',
+        cwe: 'CWE-1336',
+        family: 'rag-poisoning',
+        stride: 'Tampering',
+        snippet: (lines[lineNo - 1] || '').trim().slice(0, 200),
+        remediation:
+          'Untrusted user content is being written to a retrieval index without a provenance/trust-level tag. At retrieval time the chunk will appear in LLM context with no signal it shouldn\'t be trusted, and any embedded instructions ride along. ' +
+          'Mitigations: ' +
+          '(1) tag every write with `metadata: { source, trust_level, tenant_id }` and FILTER on `trust_level` at retrieval time; ' +
+          '(2) keep user-generated content in a separate index from curated/admin content and never mix them in the same retrieval; ' +
+          '(3) at retrieval time, wrap user-tier chunks in rare-token delimiters and instruct the model to treat them as data, not instructions; ' +
+          '(4) reject content that contains known prompt-injection sentinels ("ignore previous instructions", role-frame strings, etc.) before insertion.',
+        parser: 'RAG-POISONING',
+        confidence: 0.75,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/rate-limit.js

@@ -0,0 +1,128 @@
+// Rate limiting & abuse prevention advisor.
+//
+// Vibecoders forget rate limiting on auth, AI, payment, and form endpoints.
+// The consequence is account brute-force, $10k+ AI API bills from a single
+// attacker, and credential-stuffing. This module detects handler files that
+// define sensitive-category routes without a recognisable rate-limit guard.
+//
+// Findings:
+//   RATE_LIMIT_AUTH      — auth endpoint (login/register/forgot) without rate limiting
+//   RATE_LIMIT_AI        — AI generation endpoint without rate limiting
+//   RATE_LIMIT_PAYMENT   — payment / checkout endpoint without rate limiting
+//   RATE_LIMIT_CONTACT   — contact / submit form endpoint without rate limiting
+//   RATE_LIMIT_MISSING   — generic API endpoint without rate limiting when no RL lib imported
+
+const _SCAN_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i;
+const _NONPROD_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|node_modules)\//i;
+
+// Rate-limit library imports / usage signals
+const RL_IMPORT_RE = /(?:from|require)\s*\(?\s*['"`](?:express-rate-limit|rate-limiter-flexible|@upstash\/ratelimit|hono-rate-limiter|next-rate-limit|bottleneck|p-throttle|@nestjs\/throttler|fastify-rate-limit|koa-ratelimit|slowDown|express-slow-down)['"`]/i;
+const RL_USAGE_RE = /\b(?:rateLimit|rateLimiter|limiter|throttle|throttler|createRateLimiter|upstashRatelimit|slidingWindow|fixedWindow|tokenBucket)\s*\(/;
+const REDIS_RL_RE = /\b(?:incr|expire|setex)\s*\([^)]*(?:rate|limit|attempt|count)/i;
+
+// Route definition patterns
+const ROUTE_DEF_RE = /(?:app|router|server|Route)\s*\.\s*(?:get|post|put|patch|delete|all)\s*\(\s*['"`]([^'"`]+)['"`]/g;
+const NEXT_HANDLER_RE = /export\s+(?:default\s+)?(?:async\s+)?function\s+(?:POST|GET|PUT|PATCH|DELETE|handler)\b/;
+const NEXT_ROUTE_FILE_RE = /(?:^|\/)(?:app|pages)\/(?:api\/)?([^/]+(?:\/[^/]+)*)\//;
+
+// Sensitive endpoint categories by URL segment
+const AUTH_PATH_RE = /\/(?:auth|login|logout|signin|signout|signup|register|forgot|reset|password|verify|otp|mfa|2fa|token|refresh)\b/i;
+const AI_PATH_RE = /\/(?:ai|chat|generate|complete|completion|embed|embedding|gpt|claude|llm|openai|anthropic|inference|predict)\b/i;
+const PAYMENT_PATH_RE = /\/(?:pay(?:ment)?|checkout|stripe|order|subscribe|billing|invoice|charge|purchase)\b/i;
+const CONTACT_PATH_RE = /\/(?:contact|submit|feedback|form|newsletter|subscribe|waitlist|signup|onboard)\b/i;
+
+function _hasRateLimit(content) {
+  return RL_IMPORT_RE.test(content) || RL_USAGE_RE.test(content) || REDIS_RL_RE.test(content);
+}
+
+function _categorise(path) {
+  if (AUTH_PATH_RE.test(path)) return 'auth';
+  if (AI_PATH_RE.test(path)) return 'ai';
+  if (PAYMENT_PATH_RE.test(path)) return 'payment';
+  if (CONTACT_PATH_RE.test(path)) return 'contact';
+  return null;
+}
+
+const CATEGORY_META = {
+  auth: {
+    severity: 'high',
+    title: 'Auth endpoint missing rate limiting',
+    description: 'Authentication endpoints without rate limiting are trivially brute-forced. An attacker can try thousands of passwords per second at zero cost.',
+    remediation: 'Add a rate limiter: max 5 attempts per IP per 15 minutes on login/register. Use express-rate-limit, @upstash/ratelimit, or your platform\'s edge middleware.',
+    cwe: 'CWE-307',
+  },
+  ai: {
+    severity: 'high',
+    title: 'AI generation endpoint missing rate limiting',
+    description: 'AI API call endpoints without rate limiting let a single attacker exhaust your entire monthly OpenAI/Anthropic budget in minutes. This is a direct financial attack vector.',
+    remediation: 'Add per-user and per-IP rate limits on AI endpoints. Use @upstash/ratelimit for serverless or express-rate-limit for Node servers. Consider per-request cost caps as well.',
+    cwe: 'CWE-400',
+  },
+  payment: {
+    severity: 'high',
+    title: 'Payment endpoint missing rate limiting',
+    description: 'Payment and checkout endpoints without rate limiting enable card-testing attacks where attackers enumerate stolen card numbers at high speed.',
+    remediation: 'Add strict rate limiting (max 3 attempts per IP per hour) on payment endpoints. Stripe also recommends enabling Radar rules in the dashboard.',
+    cwe: 'CWE-307',
+  },
+  contact: {
+    severity: 'medium',
+    title: 'Contact / form endpoint missing rate limiting',
+    description: 'Unprotected form submission endpoints are used for spam campaigns, email flooding, and enumeration of valid email addresses.',
+    remediation: 'Add rate limiting (max 3 submissions per IP per hour) and consider adding a honeypot field or CAPTCHA for public-facing forms.',
+    cwe: 'CWE-400',
+  },
+};
+
+function scanRateLimit(file, content) {
+  if (!_SCAN_EXT_RE.test(file)) return [];
+  if (_NONPROD_RE.test(file)) return [];
+  if (_hasRateLimit(content)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  // Check named route definitions
+  let m;
+  ROUTE_DEF_RE.lastIndex = 0;
+  while ((m = ROUTE_DEF_RE.exec(content)) !== null) {
+    const routePath = m[1];
+    const cat = _categorise(routePath);
+    if (cat) {
+      const lineNum = content.slice(0, m.index).split('\n').length;
+      const meta = CATEGORY_META[cat];
+      findings.push({
+        id: `rate-limit:RATE_LIMIT_${cat.toUpperCase()}:${file}:${lineNum}`,
+        title: meta.title,
+        severity: meta.severity,
+        file, line: lineNum,
+        description: meta.description,
+        remediation: meta.remediation,
+        cwe: meta.cwe,
+      });
+    }
+  }
+
+  // Next.js route handler: infer category from file path
+  if (findings.length === 0 && NEXT_HANDLER_RE.test(content)) {
+    const filePathMatch = NEXT_ROUTE_FILE_RE.exec(file);
+    const routeSegment = filePathMatch ? '/' + filePathMatch[1] : file;
+    const cat = _categorise(routeSegment) || _categorise(file);
+    if (cat) {
+      const handlerLine = lines.findIndex(l => NEXT_HANDLER_RE.test(l)) + 1;
+      const meta = CATEGORY_META[cat];
+      findings.push({
+        id: `rate-limit:RATE_LIMIT_${cat.toUpperCase()}:${file}:${handlerLine}`,
+        title: meta.title,
+        severity: meta.severity,
+        file, line: handlerLine,
+        description: meta.description,
+        remediation: meta.remediation,
+        cwe: meta.cwe,
+      });
+    }
+  }
+
+  return findings;
+}
+
+export { scanRateLimit };