npm - @dailephd/my-dev-kit-lab - Versions diffs - 0.2.0 - Mend

@dailephd/my-dev-kit-lab 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/dist/src/securityValidation/dependencies/runDependencyChecks.js ADDED Viewed

@@ -0,0 +1,239 @@
+import path from "node:path";
+import { runSecurityCommand, resolveNpmCommand } from "../commandRunner.js";
+import { writeCheckResult } from "../artifacts.js";
+import { parseNpmAudit } from "./parseNpmAudit.js";
+import { parseNpmLs } from "./parseNpmLs.js";
+import { parseNpmOutdated } from "./parseNpmOutdated.js";
+import { runOsvScanner } from "./runOsvScanner.js";
+// Orchestrate all dependency checks and write structured results to reportDir.
+// npm audit, npm ls, and npm outdated require network/lockfile access;
+// OSV-Scanner is optional and marked skipped if not installed.
+export async function runDependencyChecks(options) {
+    const { cwd, config } = options;
+    const { reportDir, rawOutputDir, commandTimeoutMs, requireOsvScanner } = config;
+    const allFindings = [];
+    const checks = [];
+    const npm = resolveNpmCommand();
+    // npm audit --json (full audit including devDependencies)
+    {
+        const startedAt = new Date().toISOString();
+        const cmd = await runSecurityCommand({
+            command: npm,
+            args: ["audit", "--json"],
+            cwd,
+            timeoutMs: commandTimeoutMs,
+        });
+        const finishedAt = new Date().toISOString();
+        const parsed = parseNpmAudit(cmd.stdout, "npm-audit-full");
+        const findings = parsed.findings;
+        allFindings.push(...findings);
+        const check = {
+            id: "npm-audit-full",
+            name: "npm audit (including devDependencies)",
+            category: "dependency-audit",
+            status: cmd.timedOut
+                ? "failed"
+                : parsed.parseError
+                    ? "warning"
+                    : parsed.ok
+                        ? "passed"
+                        : parsed.severityCounts.critical > 0 || parsed.severityCounts.high > 0
+                            ? "failed"
+                            : "warning",
+            severity: parsed.ok
+                ? "informational"
+                : parsed.severityCounts.critical > 0 || parsed.severityCounts.high > 0
+                    ? "blocker"
+                    : parsed.severityCounts.moderate > 0
+                        ? "major"
+                        : "minor",
+            startedAt,
+            finishedAt,
+            durationMs: cmd.durationMs,
+            findings,
+            skippedReason: undefined,
+            command: "npm audit --json",
+        };
+        await writeCheckResult({
+            result: check,
+            outputPath: path.join(reportDir, "npm-audit-full.json"),
+            rawDir: rawOutputDir,
+            rawStdout: cmd.stdout,
+            rawStderr: cmd.stderr,
+        });
+        checks.push(check);
+    }
+    // npm audit --omit=dev --json (runtime dependencies only)
+    {
+        const startedAt = new Date().toISOString();
+        const cmd = await runSecurityCommand({
+            command: npm,
+            args: ["audit", "--omit=dev", "--json"],
+            cwd,
+            timeoutMs: commandTimeoutMs,
+        });
+        const finishedAt = new Date().toISOString();
+        const parsed = parseNpmAudit(cmd.stdout, "npm-audit-runtime");
+        const findings = parsed.findings;
+        allFindings.push(...findings);
+        const check = {
+            id: "npm-audit-runtime",
+            name: "npm audit --omit=dev (runtime dependencies only)",
+            category: "dependency-audit",
+            status: cmd.timedOut
+                ? "failed"
+                : parsed.parseError
+                    ? "warning"
+                    : parsed.ok
+                        ? "passed"
+                        : parsed.severityCounts.critical > 0 || parsed.severityCounts.high > 0
+                            ? "failed"
+                            : "warning",
+            severity: parsed.ok
+                ? "informational"
+                : parsed.severityCounts.critical > 0 || parsed.severityCounts.high > 0
+                    ? "blocker"
+                    : parsed.severityCounts.moderate > 0
+                        ? "major"
+                        : "minor",
+            startedAt,
+            finishedAt,
+            durationMs: cmd.durationMs,
+            findings,
+            skippedReason: undefined,
+            command: "npm audit --omit=dev --json",
+        };
+        await writeCheckResult({
+            result: check,
+            outputPath: path.join(reportDir, "npm-audit-runtime.json"),
+            rawDir: rawOutputDir,
+            rawStdout: cmd.stdout,
+            rawStderr: cmd.stderr,
+        });
+        checks.push(check);
+    }
+    // npm outdated --json
+    {
+        const startedAt = new Date().toISOString();
+        const cmd = await runSecurityCommand({
+            command: npm,
+            args: ["outdated", "--json"],
+            cwd,
+            timeoutMs: commandTimeoutMs,
+        });
+        const finishedAt = new Date().toISOString();
+        const parsed = parseNpmOutdated(cmd.stdout, "npm-outdated");
+        const findings = parsed.findings;
+        allFindings.push(...findings);
+        const check = {
+            id: "npm-outdated",
+            name: "npm outdated",
+            category: "dependency-audit",
+            status: cmd.timedOut ? "failed" : parsed.outdatedCount > 0 ? "warning" : "passed",
+            severity: "informational",
+            startedAt,
+            finishedAt,
+            durationMs: cmd.durationMs,
+            findings,
+            skippedReason: undefined,
+            command: "npm outdated --json",
+        };
+        await writeCheckResult({
+            result: check,
+            outputPath: path.join(reportDir, "npm-outdated.json"),
+            rawDir: rawOutputDir,
+            rawStdout: cmd.stdout,
+            rawStderr: cmd.stderr,
+        });
+        checks.push(check);
+    }
+    // npm ls --all --json
+    {
+        const startedAt = new Date().toISOString();
+        const cmd = await runSecurityCommand({
+            command: npm,
+            args: ["ls", "--all", "--json"],
+            cwd,
+            timeoutMs: commandTimeoutMs,
+        });
+        const finishedAt = new Date().toISOString();
+        const parsed = parseNpmLs(cmd.stdout, "npm-ls");
+        const findings = parsed.findings;
+        allFindings.push(...findings);
+        const check = {
+            id: "npm-ls",
+            name: "npm ls --all (dependency tree resolution)",
+            category: "dependency-audit",
+            status: cmd.timedOut
+                ? "failed"
+                : parsed.parseError
+                    ? "warning"
+                    : parsed.ok
+                        ? "passed"
+                        : "warning",
+            severity: parsed.missingCount > 0 ? "major" : "informational",
+            startedAt,
+            finishedAt,
+            durationMs: cmd.durationMs,
+            findings,
+            skippedReason: undefined,
+            command: "npm ls --all --json",
+        };
+        await writeCheckResult({
+            result: check,
+            outputPath: path.join(reportDir, "npm-ls.json"),
+            rawDir: rawOutputDir,
+            rawStdout: cmd.stdout,
+            rawStderr: cmd.stderr,
+        });
+        checks.push(check);
+    }
+    // OSV-Scanner (optional)
+    {
+        const startedAt = new Date().toISOString();
+        const cmd = await runOsvScanner({ cwd, timeoutMs: commandTimeoutMs, requireOsvScanner });
+        const finishedAt = new Date().toISOString();
+        const check = {
+            id: "osv-scanner",
+            name: "OSV-Scanner",
+            category: "dependency-audit",
+            status: cmd.skipped ? "skipped" : cmd.timedOut || cmd.exitCode === null ? "failed" : cmd.exitCode === 0 ? "passed" : "warning",
+            severity: cmd.skipped ? "skipped" : "informational",
+            startedAt,
+            finishedAt,
+            durationMs: cmd.durationMs,
+            findings: [],
+            skippedReason: cmd.skippedReason,
+            command: "osv-scanner --lockfile package-lock.json --format json",
+        };
+        await writeCheckResult({
+            result: check,
+            outputPath: path.join(reportDir, "osv-scanner.json"),
+            rawDir: rawOutputDir,
+            rawStdout: cmd.stdout,
+            rawStderr: cmd.stderr,
+        });
+        checks.push(check);
+    }
+    // Write combined dependency checks summary
+    const combined = {
+        id: "dependency-checks",
+        name: "Dependency checks summary",
+        category: "dependency-audit",
+        status: checks.some((c) => c.status === "failed") ? "failed" : checks.some((c) => c.status === "warning") ? "warning" : "passed",
+        severity: allFindings.reduce((worst, f) => {
+            const order = { blocker: 4, major: 3, minor: 2, informational: 1, skipped: 0 };
+            return (order[f.severity] ?? 0) > (order[worst] ?? 0) ? f.severity : worst;
+        }, "informational"),
+        startedAt: checks[0]?.startedAt ?? new Date().toISOString(),
+        finishedAt: checks[checks.length - 1]?.finishedAt ?? new Date().toISOString(),
+        durationMs: checks.reduce((sum, c) => sum + c.durationMs, 0),
+        findings: allFindings,
+    };
+    await writeCheckResult({
+        result: combined,
+        outputPath: path.join(reportDir, "dependency-checks.json"),
+        rawDir: rawOutputDir,
+    });
+    return { checks, findings: allFindings };
+}

package/dist/src/securityValidation/dependencies/runOsvScanner.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { spawnSync } from "node:child_process";
+import { runSecurityCommand, skippedResult } from "../commandRunner.js";
+// Detect whether osv-scanner is accessible by probing for its version flag.
+function isOsvScannerAvailable() {
+    try {
+        const result = spawnSync("osv-scanner", ["--version"], { shell: false, encoding: "utf8" });
+        return result.error === undefined && result.status !== null;
+    }
+    catch {
+        return false;
+    }
+}
+// Run OSV-Scanner on the lockfile if the tool is available.
+// When not available and requireOsvScanner is false, returns a skipped result.
+export async function runOsvScanner(options) {
+    if (!isOsvScannerAvailable()) {
+        if (options.requireOsvScanner) {
+            return {
+                command: "osv-scanner",
+                args: ["--lockfile", "package-lock.json", "--format", "json"],
+                cwd: options.cwd,
+                exitCode: null,
+                durationMs: 0,
+                stdout: "",
+                stderr: "osv-scanner not found on PATH",
+                timedOut: false,
+                skipped: false,
+            };
+        }
+        return skippedResult({
+            command: "osv-scanner",
+            args: ["--lockfile", "package-lock.json", "--format", "json"],
+            cwd: options.cwd,
+            reason: "osv-scanner is not installed or not on PATH; check skipped",
+        });
+    }
+    return runSecurityCommand({
+        command: "osv-scanner",
+        args: ["--lockfile", "package-lock.json", "--format", "json"],
+        cwd: options.cwd,
+        timeoutMs: options.timeoutMs,
+    });
+}

package/dist/src/securityValidation/fuzz/fuzzHarness.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { createPrng } from "./randomInput.js";
+export async function runFuzzTarget(target, options = {}) {
+    const seed = options.seed ?? 0xdeadbeef;
+    const iterations = options.iterations ?? 50;
+    const maxCrashes = options.maxCrashesPerTarget ?? 10;
+    const prng = createPrng(seed);
+    const crashes = [];
+    const started = Date.now();
+    for (let i = 0; i < iterations && crashes.length < maxCrashes; i++) {
+        const input = target.generateInput(prng, i);
+        try {
+            target.run(input);
+        }
+        catch (err) {
+            const errorMessage = err instanceof Error ? err.message : String(err);
+            const stack = err instanceof Error ? err.stack : undefined;
+            crashes.push({ iteration: i, input: input.slice(0, 200), errorMessage, stack });
+        }
+    }
+    return {
+        targetId: target.id,
+        targetName: target.name,
+        iterations,
+        crashes,
+        durationMs: Date.now() - started,
+    };
+}
+export async function runAllFuzzTargets(targets, options = {}) {
+    const startedAt = new Date().toISOString();
+    const started = Date.now();
+    const allResults = [];
+    for (const target of targets) {
+        const result = await runFuzzTarget(target, options);
+        allResults.push(result);
+    }
+    const finishedAt = new Date().toISOString();
+    const durationMs = Date.now() - started;
+    const allCrashes = allResults.flatMap((r) => r.crashes.map((c) => ({ targetId: r.targetId, targetName: r.targetName, ...c })));
+    const findings = allCrashes.map((c) => ({
+        id: `fuzz-crash-${c.targetId}-iter-${c.iteration}`,
+        title: `Fuzz crash in ${c.targetName} (iteration ${c.iteration})`,
+        severity: "major",
+        category: "fuzz-smoke",
+        description: c.errorMessage,
+        evidence: `Input (first 200 chars): ${c.input}${c.stack ? `\nStack: ${c.stack.slice(0, 300)}` : ""}`,
+        recommendation: "Investigate and add defensive input validation in the parser.",
+        releaseImpact: "Should fix before release",
+    }));
+    const totalIterations = allResults.reduce((sum, r) => sum + r.iterations, 0);
+    return {
+        id: "fuzz-smoke",
+        name: `Fuzz smoke (${targets.length} targets, ${totalIterations} total iterations)`,
+        category: "fuzz-smoke",
+        status: findings.length === 0 ? "passed" : "failed",
+        severity: findings.length === 0 ? "informational" : "major",
+        startedAt,
+        finishedAt,
+        durationMs,
+        findings,
+    };
+}

package/dist/src/securityValidation/fuzz/fuzzTargets.js ADDED Viewed

@@ -0,0 +1,204 @@
+import path from "node:path";
+import { ALL_MUTATION_STRATEGIES, PATH_TRAVERSAL_INPUTS, mutateJson, randomChoice, randomInt, randomJsonString, randomString, validCodeGraphJson, validManifestJson, } from "./randomInput.js";
+import { parseNpmAudit } from "../dependencies/parseNpmAudit.js";
+import { parseNpmLs } from "../dependencies/parseNpmLs.js";
+import { parseNpmOutdated } from "../dependencies/parseNpmOutdated.js";
+import { parseNpmPackDryRun } from "../packageChecks/parseNpmPackDryRun.js";
+import { escapeDotLabel } from "../cliAdversarial/subprocessSafetyChecks.js";
+// ---------------------------------------------------------------------------
+// Fuzz targets — parsers, helpers, and path normalization
+//
+// Each target must not crash on any input. Expected validation errors are OK.
+// Targets are designed to be pure functions — no filesystem, no network.
+// ---------------------------------------------------------------------------
+// Manifest reader — expects JSON with schemaVersion, generatedAt, rootDir, files
+export const manifestReaderTarget = {
+    id: "manifest-reader",
+    name: "Manifest JSON parser",
+    generateInput(prng, iteration) {
+        if (iteration % 3 === 0)
+            return validManifestJson();
+        const strategy = randomChoice(prng, ALL_MUTATION_STRATEGIES);
+        return mutateJson(prng, validManifestJson(), strategy);
+    },
+    run(input) {
+        // The manifest reader is the JSON.parse step that produces structured data.
+        // We replicate minimal parsing logic (same shape as what runAdversarialCheck does).
+        try {
+            JSON.parse(input);
+        }
+        catch {
+            return "expected: invalid JSON";
+        }
+        return undefined;
+    },
+};
+// Code-graph reader — expects JSON with nodes/edges arrays
+export const codeGraphReaderTarget = {
+    id: "code-graph-reader",
+    name: "Code-graph JSON parser",
+    generateInput(prng, iteration) {
+        if (iteration % 3 === 0)
+            return validCodeGraphJson();
+        const strategy = randomChoice(prng, ALL_MUTATION_STRATEGIES);
+        return mutateJson(prng, validCodeGraphJson(), strategy);
+    },
+    run(input) {
+        try {
+            const parsed = JSON.parse(input);
+            if (!Array.isArray(parsed["nodes"]))
+                return "expected: missing nodes array";
+            if (!Array.isArray(parsed["edges"]))
+                return "expected: missing edges array";
+        }
+        catch {
+            return "expected: invalid JSON";
+        }
+        return undefined;
+    },
+};
+// npm audit JSON parser
+export const npmAuditParserTarget = {
+    id: "npm-audit-parser",
+    name: "npm audit JSON parser",
+    generateInput(prng, iteration) {
+        if (iteration % 5 === 0) {
+            return JSON.stringify({
+                auditReportVersion: 2,
+                vulnerabilities: {},
+                metadata: { vulnerabilities: { total: 0 } },
+            });
+        }
+        const strategy = randomChoice(prng, ALL_MUTATION_STRATEGIES);
+        return mutateJson(prng, randomJsonString(prng, 3), strategy);
+    },
+    run(input) {
+        parseNpmAudit(input, "fuzz-test");
+        return undefined;
+    },
+};
+// npm ls JSON parser
+export const npmLsParserTarget = {
+    id: "npm-ls-parser",
+    name: "npm ls JSON parser",
+    generateInput(prng, iteration) {
+        if (iteration % 5 === 0) {
+            return JSON.stringify({
+                name: "my-dev-kit-lab",
+                version: "0.1.2",
+                dependencies: {},
+            });
+        }
+        const strategy = randomChoice(prng, ALL_MUTATION_STRATEGIES);
+        return mutateJson(prng, randomJsonString(prng, 2), strategy);
+    },
+    run(input) {
+        parseNpmLs(input, "fuzz-test");
+        return undefined;
+    },
+};
+// npm outdated JSON parser
+export const npmOutdatedParserTarget = {
+    id: "npm-outdated-parser",
+    name: "npm outdated JSON parser",
+    generateInput(prng, iteration) {
+        if (iteration % 5 === 0) {
+            return JSON.stringify({});
+        }
+        const strategy = randomChoice(prng, ALL_MUTATION_STRATEGIES);
+        return mutateJson(prng, randomJsonString(prng, 2), strategy);
+    },
+    run(input) {
+        parseNpmOutdated(input, "fuzz-test");
+        return undefined;
+    },
+};
+// npm pack --dry-run output parser
+export const npmPackDryRunParserTarget = {
+    id: "npm-pack-dry-run-parser",
+    name: "npm pack --dry-run output parser",
+    generateInput(prng, iteration) {
+        if (iteration % 3 === 0) {
+            return JSON.stringify([{
+                    id: "my-dev-kit-lab@0.1.2",
+                    name: "my-dev-kit-lab",
+                    version: "0.1.2",
+                    filename: "my-dev-kit-lab-0.1.2.tgz",
+                    files: [],
+                    entryCount: 0,
+                    bundled: [],
+                }]);
+        }
+        return randomChoice(prng, ALL_MUTATION_STRATEGIES) === "replace-with-empty"
+            ? ""
+            : randomJsonString(prng, 2);
+    },
+    run(input) {
+        parseNpmPackDryRun(input);
+        return undefined;
+    },
+};
+// DOT label escaping — must never crash on any input
+export const dotLabelEscapingTarget = {
+    id: "dot-label-escaping",
+    name: "DOT label escaping",
+    generateInput(prng, _iteration) {
+        return randomString(prng, 256);
+    },
+    run(input) {
+        escapeDotLabel(input);
+        return undefined;
+    },
+};
+// Path normalization — path inputs must not produce unexpected crashes
+export const pathNormalizationTarget = {
+    id: "path-normalization",
+    name: "Path normalization (traversal inputs)",
+    generateInput(prng, iteration) {
+        if (iteration < PATH_TRAVERSAL_INPUTS.length) {
+            return PATH_TRAVERSAL_INPUTS[iteration];
+        }
+        return randomChoice(prng, PATH_TRAVERSAL_INPUTS);
+    },
+    run(input) {
+        path.normalize(input);
+        path.resolve("/base", input);
+        return undefined;
+    },
+};
+// Source windowing — negative, zero, huge, out-of-range window sizes
+export const sourceWindowingTarget = {
+    id: "source-windowing",
+    name: "Source retrieval windowing (window size edge cases)",
+    generateInput(prng, _iteration) {
+        const windowSizes = [-1, 0, 1, 5, 100, 10_000, Number.MAX_SAFE_INTEGER, NaN, Infinity];
+        const size = randomChoice(prng, windowSizes);
+        return JSON.stringify({ startLine: randomInt(prng, -10, 1000), windowSize: size });
+    },
+    run(input) {
+        try {
+            const parsed = JSON.parse(input);
+            const startLine = Number(parsed["startLine"]);
+            const windowSize = Number(parsed["windowSize"]);
+            // Simulate windowing math — must not throw
+            const safeStart = Math.max(0, isFinite(startLine) ? startLine : 0);
+            const safeWindow = isFinite(windowSize) && windowSize > 0 ? Math.min(windowSize, 10_000) : 50;
+            void (safeStart + safeWindow);
+        }
+        catch {
+            return "expected: invalid input";
+        }
+        return undefined;
+    },
+};
+export const ALL_FUZZ_TARGETS = [
+    manifestReaderTarget,
+    codeGraphReaderTarget,
+    npmAuditParserTarget,
+    npmLsParserTarget,
+    npmOutdatedParserTarget,
+    npmPackDryRunParserTarget,
+    dotLabelEscapingTarget,
+    pathNormalizationTarget,
+    sourceWindowingTarget,
+];

package/dist/src/securityValidation/fuzz/randomInput.js ADDED Viewed

Binary file

package/dist/src/securityValidation/index.js ADDED Viewed

@@ -0,0 +1,34 @@
+export { SECURITY_SEVERITIES, RELEASE_VERDICTS, SECURITY_CHECK_STATUSES, SECURITY_CHECK_CATEGORIES, } from "./types.js";
+export { DEFAULT_SECURITY_CONFIG } from "./config.js";
+export { SECURITY_TEST_MATRIX } from "./testMatrix.js";
+export { runSecurityCommand, skippedResult, resolveNpmCommand } from "./commandRunner.js";
+export { writeCheckResult } from "./artifacts.js";
+export { parseNpmAudit } from "./dependencies/parseNpmAudit.js";
+export { parseNpmLs } from "./dependencies/parseNpmLs.js";
+export { parseNpmOutdated } from "./dependencies/parseNpmOutdated.js";
+export { runOsvScanner } from "./dependencies/runOsvScanner.js";
+export { runDependencyChecks } from "./dependencies/runDependencyChecks.js";
+export { parseNpmPackDryRun } from "./packageChecks/parseNpmPackDryRun.js";
+export { detectForbiddenContents } from "./packageChecks/forbiddenPackageContents.js";
+export { runPackageChecks } from "./packageChecks/runPackageChecks.js";
+export { createTempWorkspace, snapshotDir, diffSnapshots, findWritesOutside, findNewFiles } from "./cliAdversarial/tempWorkspace.js";
+export { getAdversarialCliTarget, buildCliCommand } from "./cliAdversarial/adversarialCliConfig.js";
+export { ALL_PATH_TEST_INPUTS, PATH_TRAVERSAL_CASES, ABSOLUTE_PATH_CASES, SPACES_PATH_CASES, METACHAR_PATH_CASES, UNICODE_PATH_CASES, LONG_NAME_CASES, MISSING_PATH_CASES } from "./cliAdversarial/pathCases.js";
+export { runAdversarialCheck, skippedCheck, makeFinding } from "./cliAdversarial/runAdversarialCheck.js";
+export { checkRootPathTraversal, checkOutPathTraversal, checkIndexPathTraversal, checkPathWithSpaces, checkUnicodePath, checkSafeAbsolutePath, checkHarnessEscapeDetection } from "./cliAdversarial/pathBoundaryChecks.js";
+export { checkSourceFilesNotModified, checkWritesLimitedToOutput, checkIndexWriteContainment, checkArtifactCleanupSafe } from "./cliAdversarial/readOnlyBoundaryChecks.js";
+export { MALFORMED_MANIFEST_CASES, MALFORMED_CODE_GRAPH_CASES, UNSUPPORTED_SCHEMA_VERSION_CASES, placeMalformedArtifact, placeMalformedManifest, placeMalformedCodeGraph, placeUnsupportedSchemaManifest } from "./cliAdversarial/malformedArtifactFixtures.js";
+export { checkMalformedManifest, checkAllMalformedManifestCases, checkMalformedCodeGraph, checkUnsupportedSchemaVersion, checkMissingIndexDirectory } from "./cliAdversarial/malformedArtifactChecks.js";
+export { checkJsonOutputIsParseable, checkStderrNotInStdout, checkFailureProducesJsonError, checkProgressNotInJsonStdout } from "./cliAdversarial/jsonStdoutChecks.js";
+export { DOT_LABEL_TEST_CASES, escapeDotLabel, checkSubprocessNoShellInterpolation, checkDotLabelEscaping } from "./cliAdversarial/subprocessSafetyChecks.js";
+export { checkHugeSourceFile, checkManyFiles, checkDeeplyNestedSource } from "./cliAdversarial/dataVolumeChecks.js";
+export { runCodeqlCheck } from "./staticScans/codeql.js";
+export { runSemgrepCheck, parseSemgrepJson } from "./staticScans/semgrep.js";
+export { createPrng, randomInt, randomChoice, randomString, randomJsonValue, randomJsonString, mutateJson, validManifestJson, validCodeGraphJson } from "./fuzz/randomInput.js";
+export { ALL_MUTATION_STRATEGIES, PATH_TRAVERSAL_INPUTS } from "./fuzz/randomInput.js";
+export { runFuzzTarget, runAllFuzzTargets } from "./fuzz/fuzzHarness.js";
+export { ALL_FUZZ_TARGETS, manifestReaderTarget, codeGraphReaderTarget, dotLabelEscapingTarget, pathNormalizationTarget, sourceWindowingTarget } from "./fuzz/fuzzTargets.js";
+export { calculateVerdict, verdictToHumanLabel } from "./validate/verdict.js";
+export { resolveValidationTarget, reportFilenamePrefix, targetDescription } from "./validate/resolveTarget.js";
+export { runSecurityValidation } from "./validate/runSecurityValidation.js";
+export { renderTextReport, renderJsonReport } from "./report/renderSecurityReport.js";

package/dist/src/securityValidation/packageChecks/forbiddenPackageContents.js ADDED Viewed

@@ -0,0 +1,67 @@
+// Normalize a tarball path for pattern matching.
+// npm pack prefixes files with "package/", which we strip.
+function normalizeTarballPath(p) {
+    const normalized = p.replace(/\\/g, "/");
+    return normalized.startsWith("package/") ? normalized.slice("package/".length) : normalized;
+}
+// Check whether a file path matches a forbidden pattern.
+// Patterns ending with "/" match directory prefixes.
+// Patterns starting with "*" are suffix matches.
+// Exact string matches are also supported.
+function matchesForbiddenPattern(normalizedPath, pattern) {
+    const p = pattern.toLowerCase();
+    const f = normalizedPath.toLowerCase();
+    if (p.endsWith("/")) {
+        return f.startsWith(p) || f === p.slice(0, -1);
+    }
+    if (p.startsWith("*.")) {
+        return f.endsWith(p.slice(1));
+    }
+    if (p.includes("*")) {
+        // Simple glob: split on * and check prefix/suffix
+        const parts = p.split("*").filter(Boolean);
+        if (parts.length === 1)
+            return f.includes(parts[0]);
+        return f.startsWith(parts[0]) && f.endsWith(parts[parts.length - 1]);
+    }
+    return f === p || f.startsWith(p + "/");
+}
+// Detect files in the tarball file list that match forbidden patterns.
+export function detectForbiddenContents(options) {
+    const matches = [];
+    for (const rawFile of options.files) {
+        const normalized = normalizeTarballPath(rawFile);
+        const isException = options.allowedExceptions.some((ex) => matchesForbiddenPattern(normalized, ex));
+        if (isException)
+            continue;
+        for (const pattern of options.forbiddenPatterns) {
+            if (matchesForbiddenPattern(normalized, pattern)) {
+                matches.push({ file: normalized, pattern });
+                break;
+            }
+        }
+    }
+    const findings = matches.map((m, i) => ({
+        id: `${options.checkId}-forbidden-${i}`,
+        title: `Forbidden file in npm tarball: ${m.file}`,
+        severity: isCriticalForbidden(m.file) ? "blocker" : "major",
+        category: "package-content",
+        description: `The file '${m.file}' matches the forbidden pattern '${m.pattern}' and must not be included in the published package`,
+        evidence: `File: ${m.file}, Matched pattern: ${m.pattern}`,
+        affectedFiles: [m.file],
+        recommendation: `Add '${m.file}' to the .npmignore file or remove it from the 'files' field in package.json`,
+        releaseImpact: isCriticalForbidden(m.file)
+            ? "Blocker: this file must not be published"
+            : "Major: this file should not be in the published package",
+    }));
+    return { matches, findings };
+}
+function isCriticalForbidden(file) {
+    const f = file.toLowerCase();
+    return (f.includes(".env") ||
+        f.endsWith(".pem") ||
+        f.endsWith(".key") ||
+        f.endsWith(".p12") ||
+        f.startsWith("lab-output/") ||
+        f.startsWith(".my-dev-kit/"));
+}