@datahogo/core 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +661 -0
- package/README.md +17 -0
- package/dist/engines/config.d.ts +3 -0
- package/dist/engines/config.d.ts.map +1 -0
- package/dist/engines/config.js +433 -0
- package/dist/engines/config.js.map +1 -0
- package/dist/engines/dast.d.ts +3 -0
- package/dist/engines/dast.d.ts.map +1 -0
- package/dist/engines/dast.js +167 -0
- package/dist/engines/dast.js.map +1 -0
- package/dist/engines/db-rules.d.ts +3 -0
- package/dist/engines/db-rules.d.ts.map +1 -0
- package/dist/engines/db-rules.js +166 -0
- package/dist/engines/db-rules.js.map +1 -0
- package/dist/engines/dependencies.d.ts +3 -0
- package/dist/engines/dependencies.d.ts.map +1 -0
- package/dist/engines/dependencies.js +167 -0
- package/dist/engines/dependencies.js.map +1 -0
- package/dist/engines/github-actions.d.ts +3 -0
- package/dist/engines/github-actions.d.ts.map +1 -0
- package/dist/engines/github-actions.js +215 -0
- package/dist/engines/github-actions.js.map +1 -0
- package/dist/engines/gitleaks.d.ts +3 -0
- package/dist/engines/gitleaks.d.ts.map +1 -0
- package/dist/engines/gitleaks.js +107 -0
- package/dist/engines/gitleaks.js.map +1 -0
- package/dist/engines/npm-audit.d.ts +3 -0
- package/dist/engines/npm-audit.d.ts.map +1 -0
- package/dist/engines/npm-audit.js +113 -0
- package/dist/engines/npm-audit.js.map +1 -0
- package/dist/engines/patterns.d.ts +3 -0
- package/dist/engines/patterns.d.ts.map +1 -0
- package/dist/engines/patterns.js +1330 -0
- package/dist/engines/patterns.js.map +1 -0
- package/dist/engines/secrets.d.ts +4 -0
- package/dist/engines/secrets.d.ts.map +1 -0
- package/dist/engines/secrets.js +260 -0
- package/dist/engines/secrets.js.map +1 -0
- package/dist/engines/semgrep.d.ts +3 -0
- package/dist/engines/semgrep.d.ts.map +1 -0
- package/dist/engines/semgrep.js +173 -0
- package/dist/engines/semgrep.js.map +1 -0
- package/dist/engines/types.d.ts +30 -0
- package/dist/engines/types.d.ts.map +1 -0
- package/dist/engines/types.js +3 -0
- package/dist/engines/types.js.map +1 -0
- package/dist/engines/url-scanner.d.ts +3 -0
- package/dist/engines/url-scanner.d.ts.map +1 -0
- package/dist/engines/url-scanner.js +469 -0
- package/dist/engines/url-scanner.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -0
- package/dist/orchestrator.d.ts +32 -0
- package/dist/orchestrator.d.ts.map +1 -0
- package/dist/orchestrator.js +237 -0
- package/dist/orchestrator.js.map +1 -0
- package/dist/rules/.gitkeep +0 -0
- package/dist/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/api-security.yaml +489 -0
- package/dist/rules/auth-patterns.yaml +406 -0
- package/dist/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/general-security.yaml +588 -0
- package/dist/rules/injection-patterns.yaml +318 -0
- package/dist/rules/nextjs-security.yaml +532 -0
- package/dist/rules/node-security.yaml +380 -0
- package/dist/rules/rules/.gitkeep +0 -0
- package/dist/rules/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/rules/api-security.yaml +489 -0
- package/dist/rules/rules/auth-patterns.yaml +406 -0
- package/dist/rules/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/rules/general-security.yaml +588 -0
- package/dist/rules/rules/injection-patterns.yaml +318 -0
- package/dist/rules/rules/nextjs-security.yaml +532 -0
- package/dist/rules/rules/node-security.yaml +380 -0
- package/dist/rules/rules/supabase-security.yaml +387 -0
- package/dist/rules/supabase-security.yaml +387 -0
- package/dist/scanning/agents/csharp-agent.d.ts +12 -0
- package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
- package/dist/scanning/agents/csharp-agent.js +592 -0
- package/dist/scanning/agents/csharp-agent.js.map +1 -0
- package/dist/scanning/agents/go-agent.d.ts +14 -0
- package/dist/scanning/agents/go-agent.d.ts.map +1 -0
- package/dist/scanning/agents/go-agent.js +641 -0
- package/dist/scanning/agents/go-agent.js.map +1 -0
- package/dist/scanning/agents/java-agent.d.ts +8 -0
- package/dist/scanning/agents/java-agent.d.ts.map +1 -0
- package/dist/scanning/agents/java-agent.js +807 -0
- package/dist/scanning/agents/java-agent.js.map +1 -0
- package/dist/scanning/agents/javascript-agent.d.ts +8 -0
- package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
- package/dist/scanning/agents/javascript-agent.js +77 -0
- package/dist/scanning/agents/javascript-agent.js.map +1 -0
- package/dist/scanning/agents/mobile-agent.d.ts +8 -0
- package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
- package/dist/scanning/agents/mobile-agent.js +916 -0
- package/dist/scanning/agents/mobile-agent.js.map +1 -0
- package/dist/scanning/agents/php-agent.d.ts +8 -0
- package/dist/scanning/agents/php-agent.d.ts.map +1 -0
- package/dist/scanning/agents/php-agent.js +679 -0
- package/dist/scanning/agents/php-agent.js.map +1 -0
- package/dist/scanning/agents/python-agent.d.ts +8 -0
- package/dist/scanning/agents/python-agent.d.ts.map +1 -0
- package/dist/scanning/agents/python-agent.js +701 -0
- package/dist/scanning/agents/python-agent.js.map +1 -0
- package/dist/scanning/agents/supabase-agent.d.ts +8 -0
- package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
- package/dist/scanning/agents/supabase-agent.js +484 -0
- package/dist/scanning/agents/supabase-agent.js.map +1 -0
- package/dist/scanning/orchestrator.d.ts +29 -0
- package/dist/scanning/orchestrator.d.ts.map +1 -0
- package/dist/scanning/orchestrator.js +186 -0
- package/dist/scanning/orchestrator.js.map +1 -0
- package/dist/scanning/tech-detector.d.ts +12 -0
- package/dist/scanning/tech-detector.d.ts.map +1 -0
- package/dist/scanning/tech-detector.js +252 -0
- package/dist/scanning/tech-detector.js.map +1 -0
- package/dist/scanning/types.d.ts +87 -0
- package/dist/scanning/types.d.ts.map +1 -0
- package/dist/scanning/types.js +5 -0
- package/dist/scanning/types.js.map +1 -0
- package/dist/utils/child-process.d.ts +2 -0
- package/dist/utils/child-process.d.ts.map +1 -0
- package/dist/utils/child-process.js +4 -0
- package/dist/utils/child-process.js.map +1 -0
- package/dist/utils/context-classifier.d.ts +11 -0
- package/dist/utils/context-classifier.d.ts.map +1 -0
- package/dist/utils/context-classifier.js +79 -0
- package/dist/utils/context-classifier.js.map +1 -0
- package/dist/utils/exec.d.ts +18 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +51 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/file-filter.d.ts +4 -0
- package/dist/utils/file-filter.d.ts.map +1 -0
- package/dist/utils/file-filter.js +68 -0
- package/dist/utils/file-filter.js.map +1 -0
- package/dist/utils/fs.d.ts +2 -0
- package/dist/utils/fs.d.ts.map +1 -0
- package/dist/utils/fs.js +5 -0
- package/dist/utils/fs.js.map +1 -0
- package/dist/utils/logger.d.ts +12 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +27 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/post-processor.d.ts +10 -0
- package/dist/utils/post-processor.d.ts.map +1 -0
- package/dist/utils/post-processor.js +183 -0
- package/dist/utils/post-processor.js.map +1 -0
- package/package.json +44 -0
|
@@ -0,0 +1,588 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
# =============================================
|
|
3
|
+
# OWASP A01:2021 - Broken Access Control
|
|
4
|
+
# =============================================
|
|
5
|
+
|
|
6
|
+
- id: datahogo-api-route-no-auth
|
|
7
|
+
patterns:
|
|
8
|
+
- pattern-inside: |
|
|
9
|
+
export async function $METHOD(...) {
|
|
10
|
+
...
|
|
11
|
+
}
|
|
12
|
+
- metavariable-regex:
|
|
13
|
+
metavariable: $METHOD
|
|
14
|
+
regex: ^(GET|POST|PUT|PATCH|DELETE|HEAD)$
|
|
15
|
+
- pattern-not-inside: |
|
|
16
|
+
export async function $METHOD(...) {
|
|
17
|
+
...
|
|
18
|
+
$AUTH.getUser(...)
|
|
19
|
+
...
|
|
20
|
+
}
|
|
21
|
+
- pattern-not-inside: |
|
|
22
|
+
export async function $METHOD(...) {
|
|
23
|
+
...
|
|
24
|
+
$AUTH.auth.getUser(...)
|
|
25
|
+
...
|
|
26
|
+
}
|
|
27
|
+
- pattern-not-inside: |
|
|
28
|
+
export async function $METHOD(...) {
|
|
29
|
+
...
|
|
30
|
+
await getUser(...)
|
|
31
|
+
...
|
|
32
|
+
}
|
|
33
|
+
- pattern-not-inside: |
|
|
34
|
+
export async function $METHOD(...) {
|
|
35
|
+
...
|
|
36
|
+
verifyAuth(...)
|
|
37
|
+
...
|
|
38
|
+
}
|
|
39
|
+
message: "API route handler does not verify authentication. Every API endpoint must check user session before processing requests."
|
|
40
|
+
severity: ERROR
|
|
41
|
+
languages: [typescript, javascript]
|
|
42
|
+
metadata:
|
|
43
|
+
datahogo_id: 1
|
|
44
|
+
datahogo_category: "web-owasp"
|
|
45
|
+
owasp_ref: "A01:2021"
|
|
46
|
+
|
|
47
|
+
- id: datahogo-open-redirect
|
|
48
|
+
patterns:
|
|
49
|
+
- pattern-either:
|
|
50
|
+
- pattern: redirect($URL)
|
|
51
|
+
- pattern: $RES.redirect($URL)
|
|
52
|
+
- pattern: NextResponse.redirect($URL)
|
|
53
|
+
- pattern-either:
|
|
54
|
+
- pattern-inside: |
|
|
55
|
+
$URL = $REQ.query.$PARAM
|
|
56
|
+
...
|
|
57
|
+
- pattern-inside: |
|
|
58
|
+
$URL = $PARAMS.get(...)
|
|
59
|
+
...
|
|
60
|
+
- pattern-inside: |
|
|
61
|
+
$URL = $REQ.body.$FIELD
|
|
62
|
+
...
|
|
63
|
+
message: "Open redirect vulnerability. User-controlled redirect targets can be abused for phishing attacks. Validate redirect URLs against an allowlist."
|
|
64
|
+
severity: WARNING
|
|
65
|
+
languages: [typescript, javascript]
|
|
66
|
+
metadata:
|
|
67
|
+
datahogo_id: 119
|
|
68
|
+
datahogo_category: "logic"
|
|
69
|
+
owasp_ref: "A01:2021"
|
|
70
|
+
|
|
71
|
+
# =============================================
|
|
72
|
+
# OWASP A02:2021 - Cryptographic Failures
|
|
73
|
+
# =============================================
|
|
74
|
+
|
|
75
|
+
- id: datahogo-weak-hash-md5
|
|
76
|
+
patterns:
|
|
77
|
+
- pattern-either:
|
|
78
|
+
- pattern: crypto.createHash("md5")
|
|
79
|
+
- pattern: crypto.createHash('md5')
|
|
80
|
+
message: "MD5 is cryptographically broken and unsuitable for security purposes. Use SHA-256, SHA-3, or bcrypt for password hashing."
|
|
81
|
+
severity: ERROR
|
|
82
|
+
languages: [typescript, javascript]
|
|
83
|
+
metadata:
|
|
84
|
+
datahogo_id: 2
|
|
85
|
+
datahogo_category: "web-owasp"
|
|
86
|
+
owasp_ref: "A02:2021"
|
|
87
|
+
|
|
88
|
+
- id: datahogo-weak-hash-sha1
|
|
89
|
+
patterns:
|
|
90
|
+
- pattern-either:
|
|
91
|
+
- pattern: crypto.createHash("sha1")
|
|
92
|
+
- pattern: crypto.createHash('sha1')
|
|
93
|
+
message: "SHA-1 is deprecated due to collision vulnerabilities. Use SHA-256, SHA-3, or bcrypt for password hashing."
|
|
94
|
+
severity: ERROR
|
|
95
|
+
languages: [typescript, javascript]
|
|
96
|
+
metadata:
|
|
97
|
+
datahogo_id: 2
|
|
98
|
+
datahogo_category: "web-owasp"
|
|
99
|
+
owasp_ref: "A02:2021"
|
|
100
|
+
|
|
101
|
+
- id: datahogo-hardcoded-encryption-key
|
|
102
|
+
patterns:
|
|
103
|
+
- pattern-either:
|
|
104
|
+
- pattern: crypto.createCipheriv($ALG, "...", ...)
|
|
105
|
+
- pattern: crypto.createCipheriv($ALG, '...', ...)
|
|
106
|
+
- pattern: crypto.createDecipheriv($ALG, "...", ...)
|
|
107
|
+
- pattern: crypto.createDecipheriv($ALG, '...', ...)
|
|
108
|
+
- metavariable-regex:
|
|
109
|
+
metavariable: $ALG
|
|
110
|
+
regex: .*
|
|
111
|
+
message: "Hardcoded encryption key detected. Keys must be stored in environment variables or secure key management systems."
|
|
112
|
+
severity: ERROR
|
|
113
|
+
languages: [typescript, javascript]
|
|
114
|
+
metadata:
|
|
115
|
+
datahogo_id: 121
|
|
116
|
+
datahogo_category: "cryptography"
|
|
117
|
+
owasp_ref: "A02:2021"
|
|
118
|
+
|
|
119
|
+
- id: datahogo-math-random-security
|
|
120
|
+
patterns:
|
|
121
|
+
- pattern-either:
|
|
122
|
+
- pattern: |
|
|
123
|
+
$TOKEN = ... Math.random() ...
|
|
124
|
+
- pattern: |
|
|
125
|
+
$SECRET = ... Math.random() ...
|
|
126
|
+
- pattern: |
|
|
127
|
+
$KEY = ... Math.random() ...
|
|
128
|
+
- pattern: |
|
|
129
|
+
$SESSION = ... Math.random() ...
|
|
130
|
+
- pattern: |
|
|
131
|
+
$NONCE = ... Math.random() ...
|
|
132
|
+
message: "Math.random() is not cryptographically secure. Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive random values."
|
|
133
|
+
severity: ERROR
|
|
134
|
+
languages: [typescript, javascript]
|
|
135
|
+
metadata:
|
|
136
|
+
datahogo_id: 125
|
|
137
|
+
datahogo_category: "cryptography"
|
|
138
|
+
owasp_ref: "A02:2021"
|
|
139
|
+
|
|
140
|
+
- id: datahogo-tls-reject-unauthorized
|
|
141
|
+
patterns:
|
|
142
|
+
- pattern-either:
|
|
143
|
+
- pattern: process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
|
|
144
|
+
- pattern: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
|
|
145
|
+
- pattern: $OPTS.rejectUnauthorized = false
|
|
146
|
+
message: "TLS certificate validation is disabled. This makes the application vulnerable to man-in-the-middle attacks."
|
|
147
|
+
severity: ERROR
|
|
148
|
+
languages: [typescript, javascript]
|
|
149
|
+
metadata:
|
|
150
|
+
datahogo_id: 124
|
|
151
|
+
datahogo_category: "cryptography"
|
|
152
|
+
owasp_ref: "A02:2021"
|
|
153
|
+
|
|
154
|
+
- id: datahogo-plaintext-password
|
|
155
|
+
patterns:
|
|
156
|
+
- pattern-either:
|
|
157
|
+
- pattern: |
|
|
158
|
+
const $VAR = "..."
|
|
159
|
+
- pattern: |
|
|
160
|
+
let $VAR = "..."
|
|
161
|
+
- pattern: |
|
|
162
|
+
var $VAR = "..."
|
|
163
|
+
- metavariable-regex:
|
|
164
|
+
metavariable: $VAR
|
|
165
|
+
regex: (password|passwd|pwd|pass)
|
|
166
|
+
- pattern-not: const $VAR = ""
|
|
167
|
+
- pattern-not: const $VAR = process.env.$_
|
|
168
|
+
message: "Hardcoded password detected. Store passwords securely in environment variables and hash them with bcrypt or Argon2."
|
|
169
|
+
severity: ERROR
|
|
170
|
+
languages: [typescript, javascript]
|
|
171
|
+
metadata:
|
|
172
|
+
datahogo_id: 55
|
|
173
|
+
datahogo_category: "vibecoding"
|
|
174
|
+
owasp_ref: "A02:2021"
|
|
175
|
+
|
|
176
|
+
# =============================================
|
|
177
|
+
# OWASP A03:2021 - Injection
|
|
178
|
+
# =============================================
|
|
179
|
+
|
|
180
|
+
- id: datahogo-sql-injection-template-literal
|
|
181
|
+
patterns:
|
|
182
|
+
- pattern-either:
|
|
183
|
+
- pattern: $DB.query(`... ${$VAR} ...`)
|
|
184
|
+
- pattern: $DB.execute(`... ${$VAR} ...`)
|
|
185
|
+
- pattern: $DB.$queryRaw(`... ${$VAR} ...`)
|
|
186
|
+
- pattern: sequelize.query(`... ${$VAR} ...`)
|
|
187
|
+
message: "Possible SQL injection via string interpolation in database query. Use parameterized queries or prepared statements."
|
|
188
|
+
severity: ERROR
|
|
189
|
+
languages: [typescript, javascript]
|
|
190
|
+
metadata:
|
|
191
|
+
datahogo_id: 5
|
|
192
|
+
datahogo_category: "web-owasp"
|
|
193
|
+
owasp_ref: "A03:2021"
|
|
194
|
+
|
|
195
|
+
- id: datahogo-sql-injection-concatenation
|
|
196
|
+
patterns:
|
|
197
|
+
- pattern-either:
|
|
198
|
+
- pattern: $DB.query($STR + $VAR + ...)
|
|
199
|
+
- pattern: $DB.execute($STR + $VAR + ...)
|
|
200
|
+
- pattern: $DB.query($STR + $VAR)
|
|
201
|
+
message: "SQL injection via string concatenation. Use parameterized queries instead of concatenating user input into SQL statements."
|
|
202
|
+
severity: ERROR
|
|
203
|
+
languages: [typescript, javascript]
|
|
204
|
+
metadata:
|
|
205
|
+
datahogo_id: 5
|
|
206
|
+
datahogo_category: "web-owasp"
|
|
207
|
+
owasp_ref: "A03:2021"
|
|
208
|
+
|
|
209
|
+
- id: datahogo-eval-usage
|
|
210
|
+
patterns:
|
|
211
|
+
- pattern-either:
|
|
212
|
+
- pattern: eval($CODE)
|
|
213
|
+
- pattern: new Function($CODE)
|
|
214
|
+
- pattern: Function($CODE)
|
|
215
|
+
message: "eval() or Function() constructor can execute arbitrary code and lead to code injection. Avoid dynamic code execution entirely."
|
|
216
|
+
severity: ERROR
|
|
217
|
+
languages: [typescript, javascript]
|
|
218
|
+
metadata:
|
|
219
|
+
datahogo_id: 61
|
|
220
|
+
datahogo_category: "vibecoding"
|
|
221
|
+
owasp_ref: "A03:2021"
|
|
222
|
+
|
|
223
|
+
- id: datahogo-command-injection
|
|
224
|
+
patterns:
|
|
225
|
+
- pattern-either:
|
|
226
|
+
- pattern: child_process.exec(`... ${$VAR} ...`)
|
|
227
|
+
- pattern: child_process.execSync(`... ${$VAR} ...`)
|
|
228
|
+
- pattern: exec(`... ${$VAR} ...`)
|
|
229
|
+
- pattern: execSync(`... ${$VAR} ...`)
|
|
230
|
+
- pattern-not: child_process.exec(`$STATIC`)
|
|
231
|
+
message: "Command injection vulnerability. User input is interpolated into shell command. Use execFile() with argument array instead."
|
|
232
|
+
severity: ERROR
|
|
233
|
+
languages: [typescript, javascript]
|
|
234
|
+
metadata:
|
|
235
|
+
datahogo_id: 75
|
|
236
|
+
datahogo_category: "injection"
|
|
237
|
+
owasp_ref: "A03:2021"
|
|
238
|
+
|
|
239
|
+
- id: datahogo-nosql-injection
|
|
240
|
+
patterns:
|
|
241
|
+
- pattern-either:
|
|
242
|
+
- pattern: $DB.find($REQ.body)
|
|
243
|
+
- pattern: $DB.find($REQ.query)
|
|
244
|
+
- pattern: $DB.findOne($REQ.body)
|
|
245
|
+
- pattern: $DB.findOne($REQ.query)
|
|
246
|
+
- pattern: $COLLECTION.find($REQ.body)
|
|
247
|
+
message: "NoSQL injection risk. Request data is passed directly to database query. Validate and sanitize input before using in queries."
|
|
248
|
+
severity: ERROR
|
|
249
|
+
languages: [typescript, javascript]
|
|
250
|
+
metadata:
|
|
251
|
+
datahogo_id: 102
|
|
252
|
+
datahogo_category: "database"
|
|
253
|
+
owasp_ref: "A03:2021"
|
|
254
|
+
|
|
255
|
+
# =============================================
|
|
256
|
+
# OWASP A05:2021 - Security Misconfiguration
|
|
257
|
+
# =============================================
|
|
258
|
+
|
|
259
|
+
- id: datahogo-cors-wildcard
|
|
260
|
+
patterns:
|
|
261
|
+
- pattern-either:
|
|
262
|
+
- pattern: |
|
|
263
|
+
$HEADERS.set("Access-Control-Allow-Origin", "*")
|
|
264
|
+
- pattern: |
|
|
265
|
+
$RES.setHeader("Access-Control-Allow-Origin", "*")
|
|
266
|
+
- pattern: |
|
|
267
|
+
{ ..., "Access-Control-Allow-Origin": "*", ... }
|
|
268
|
+
message: "CORS wildcard allows any origin to access the API. Restrict to specific trusted domains."
|
|
269
|
+
severity: WARNING
|
|
270
|
+
languages: [typescript, javascript]
|
|
271
|
+
metadata:
|
|
272
|
+
datahogo_id: 4
|
|
273
|
+
datahogo_category: "web-owasp"
|
|
274
|
+
owasp_ref: "A05:2021"
|
|
275
|
+
|
|
276
|
+
- id: datahogo-debug-mode-production
|
|
277
|
+
patterns:
|
|
278
|
+
- pattern-either:
|
|
279
|
+
- pattern: |
|
|
280
|
+
{ ..., debug: true, ... }
|
|
281
|
+
- pattern: process.env.NODE_ENV = "development"
|
|
282
|
+
- pattern: app.set("env", "development")
|
|
283
|
+
message: "Debug mode enabled. This can expose sensitive information in production. Ensure debug mode is disabled in production environments."
|
|
284
|
+
severity: WARNING
|
|
285
|
+
languages: [typescript, javascript]
|
|
286
|
+
metadata:
|
|
287
|
+
datahogo_id: 4
|
|
288
|
+
datahogo_category: "web-owasp"
|
|
289
|
+
owasp_ref: "A05:2021"
|
|
290
|
+
|
|
291
|
+
# =============================================
|
|
292
|
+
# OWASP A06:2021 - Vulnerable Components
|
|
293
|
+
# =============================================
|
|
294
|
+
# (Handled by dependencies.ts engine - npm audit)
|
|
295
|
+
|
|
296
|
+
# =============================================
|
|
297
|
+
# OWASP A07:2021 - Identification & Auth Failures
|
|
298
|
+
# =============================================
|
|
299
|
+
|
|
300
|
+
- id: datahogo-jwt-no-expiry
|
|
301
|
+
patterns:
|
|
302
|
+
- pattern: jwt.sign($PAYLOAD, $SECRET, ...)
|
|
303
|
+
- pattern-not: jwt.sign($PAYLOAD, $SECRET, { ..., expiresIn: ..., ... })
|
|
304
|
+
- pattern-not: jwt.sign($PAYLOAD, $SECRET, { ..., exp: ..., ... })
|
|
305
|
+
message: "JWT token issued without expiration time. Always set expiresIn to limit token lifetime and reduce attack window."
|
|
306
|
+
severity: ERROR
|
|
307
|
+
languages: [typescript, javascript]
|
|
308
|
+
metadata:
|
|
309
|
+
datahogo_id: 7
|
|
310
|
+
datahogo_category: "web-owasp"
|
|
311
|
+
owasp_ref: "A07:2021"
|
|
312
|
+
|
|
313
|
+
- id: datahogo-jwt-algorithm-none
|
|
314
|
+
patterns:
|
|
315
|
+
- pattern: |
|
|
316
|
+
jwt.sign($PAYLOAD, $SECRET, { ..., algorithm: "none", ... })
|
|
317
|
+
message: "JWT with algorithm 'none' bypasses signature verification. Always use a secure algorithm like HS256, RS256, or ES256."
|
|
318
|
+
severity: ERROR
|
|
319
|
+
languages: [typescript, javascript]
|
|
320
|
+
metadata:
|
|
321
|
+
datahogo_id: 126
|
|
322
|
+
datahogo_category: "cryptography"
|
|
323
|
+
owasp_ref: "A07:2021"
|
|
324
|
+
|
|
325
|
+
- id: datahogo-tokens-in-localstorage
|
|
326
|
+
patterns:
|
|
327
|
+
- pattern-either:
|
|
328
|
+
- pattern: localStorage.setItem("token", ...)
|
|
329
|
+
- pattern: localStorage.setItem("jwt", ...)
|
|
330
|
+
- pattern: localStorage.setItem("access_token", ...)
|
|
331
|
+
- pattern: localStorage.setItem("refresh_token", ...)
|
|
332
|
+
- pattern: localStorage.setItem("auth", ...)
|
|
333
|
+
- pattern: localStorage.setItem("session", ...)
|
|
334
|
+
- pattern-not: localStorage.setItem($KEY, $NONTOK)
|
|
335
|
+
message: "Authentication tokens stored in localStorage are vulnerable to XSS attacks. Use httpOnly cookies for secure token storage."
|
|
336
|
+
severity: ERROR
|
|
337
|
+
languages: [typescript, javascript]
|
|
338
|
+
metadata:
|
|
339
|
+
datahogo_id: 47
|
|
340
|
+
datahogo_category: "react-nextjs"
|
|
341
|
+
owasp_ref: "A07:2021"
|
|
342
|
+
|
|
343
|
+
# =============================================
|
|
344
|
+
# OWASP A08:2021 - Software & Data Integrity
|
|
345
|
+
# =============================================
|
|
346
|
+
|
|
347
|
+
- id: datahogo-unsafe-deserialization
|
|
348
|
+
patterns:
|
|
349
|
+
- pattern-either:
|
|
350
|
+
- pattern: unserialize($INPUT)
|
|
351
|
+
- pattern: deserialize($INPUT)
|
|
352
|
+
- pattern: $PKG.unserialize($INPUT)
|
|
353
|
+
- pattern: $PKG.deserialize($INPUT)
|
|
354
|
+
- pattern-either:
|
|
355
|
+
- pattern-inside: |
|
|
356
|
+
$INPUT = $REQ.body
|
|
357
|
+
...
|
|
358
|
+
- pattern-inside: |
|
|
359
|
+
$INPUT = $REQ.query
|
|
360
|
+
...
|
|
361
|
+
- pattern-inside: |
|
|
362
|
+
$INPUT = await $REQ.json()
|
|
363
|
+
...
|
|
364
|
+
message: "Insecure deserialization of user input can lead to remote code execution. Validate and sanitize before deserializing."
|
|
365
|
+
severity: ERROR
|
|
366
|
+
languages: [typescript, javascript]
|
|
367
|
+
metadata:
|
|
368
|
+
datahogo_id: 8
|
|
369
|
+
datahogo_category: "web-owasp"
|
|
370
|
+
owasp_ref: "A08:2021"
|
|
371
|
+
|
|
372
|
+
# =============================================
|
|
373
|
+
# OWASP A09:2021 - Security Logging Failures
|
|
374
|
+
# =============================================
|
|
375
|
+
|
|
376
|
+
- id: datahogo-console-log-sensitive-data
|
|
377
|
+
patterns:
|
|
378
|
+
- pattern-either:
|
|
379
|
+
- pattern: console.log(..., $REQ.headers, ...)
|
|
380
|
+
- pattern: console.log(..., process.env, ...)
|
|
381
|
+
- pattern: console.log(..., $TOKEN, ...)
|
|
382
|
+
- pattern: console.log(..., $PASSWORD, ...)
|
|
383
|
+
- pattern: console.log(..., $SECRET, ...)
|
|
384
|
+
- metavariable-pattern:
|
|
385
|
+
metavariable: $TOKEN
|
|
386
|
+
patterns:
|
|
387
|
+
- pattern-regex: .*(token|jwt|key|apikey).*
|
|
388
|
+
- metavariable-pattern:
|
|
389
|
+
metavariable: $PASSWORD
|
|
390
|
+
patterns:
|
|
391
|
+
- pattern-regex: .*(password|passwd|pwd).*
|
|
392
|
+
- metavariable-pattern:
|
|
393
|
+
metavariable: $SECRET
|
|
394
|
+
patterns:
|
|
395
|
+
- pattern-regex: .*(secret|credential).*
|
|
396
|
+
message: "Logging sensitive data (credentials, tokens, environment variables). Never log secrets, use structured logging with sanitization."
|
|
397
|
+
severity: ERROR
|
|
398
|
+
languages: [typescript, javascript]
|
|
399
|
+
metadata:
|
|
400
|
+
datahogo_id: 9
|
|
401
|
+
datahogo_category: "web-owasp"
|
|
402
|
+
owasp_ref: "A09:2021"
|
|
403
|
+
|
|
404
|
+
- id: datahogo-env-vars-logged
|
|
405
|
+
patterns:
|
|
406
|
+
- pattern-either:
|
|
407
|
+
- pattern: console.log(process.env)
|
|
408
|
+
- pattern: console.log(..., process.env, ...)
|
|
409
|
+
- pattern: console.info(process.env)
|
|
410
|
+
- pattern: console.error(process.env)
|
|
411
|
+
- pattern: logger.info(process.env)
|
|
412
|
+
- pattern: logger.debug(process.env)
|
|
413
|
+
message: "Environment variables contain sensitive configuration. Never log the entire process.env object."
|
|
414
|
+
severity: ERROR
|
|
415
|
+
languages: [typescript, javascript]
|
|
416
|
+
metadata:
|
|
417
|
+
datahogo_id: 134
|
|
418
|
+
datahogo_category: "serverless"
|
|
419
|
+
owasp_ref: "A09:2021"
|
|
420
|
+
|
|
421
|
+
# =============================================
|
|
422
|
+
# OWASP A10:2021 - Server-Side Request Forgery
|
|
423
|
+
# =============================================
|
|
424
|
+
|
|
425
|
+
- id: datahogo-ssrf-fetch-user-input
|
|
426
|
+
patterns:
|
|
427
|
+
- pattern-either:
|
|
428
|
+
- pattern: fetch($URL, ...)
|
|
429
|
+
- pattern: axios.get($URL, ...)
|
|
430
|
+
- pattern: axios.post($URL, ...)
|
|
431
|
+
- pattern: $HTTP.get($URL, ...)
|
|
432
|
+
- pattern: $HTTP.request($URL, ...)
|
|
433
|
+
- pattern-either:
|
|
434
|
+
- pattern-inside: |
|
|
435
|
+
$URL = $REQ.body.$FIELD
|
|
436
|
+
...
|
|
437
|
+
- pattern-inside: |
|
|
438
|
+
$URL = $REQ.query.$PARAM
|
|
439
|
+
...
|
|
440
|
+
- pattern-inside: |
|
|
441
|
+
$URL = $PARAMS.get(...)
|
|
442
|
+
...
|
|
443
|
+
message: "SSRF vulnerability: User-controlled URL in HTTP request. Validate URLs against an allowlist of domains and protocols."
|
|
444
|
+
severity: ERROR
|
|
445
|
+
languages: [typescript, javascript]
|
|
446
|
+
metadata:
|
|
447
|
+
datahogo_id: 10
|
|
448
|
+
datahogo_category: "web-owasp"
|
|
449
|
+
owasp_ref: "A10:2021"
|
|
450
|
+
|
|
451
|
+
# =============================================
|
|
452
|
+
# Client-Side Validation Only
|
|
453
|
+
# =============================================
|
|
454
|
+
|
|
455
|
+
- id: datahogo-client-side-auth-check
|
|
456
|
+
patterns:
|
|
457
|
+
- pattern-inside: |
|
|
458
|
+
"use client"
|
|
459
|
+
...
|
|
460
|
+
- pattern-either:
|
|
461
|
+
- pattern: if ($USER.isAdmin) { ... }
|
|
462
|
+
- pattern: if ($USER.role === "admin") { ... }
|
|
463
|
+
- pattern: if (isAuthenticated) { ... }
|
|
464
|
+
message: "Authorization logic in client component. Auth checks must be performed on the server-side, not in client code."
|
|
465
|
+
severity: ERROR
|
|
466
|
+
languages: [typescript, javascript]
|
|
467
|
+
metadata:
|
|
468
|
+
datahogo_id: 6
|
|
469
|
+
datahogo_category: "web-owasp"
|
|
470
|
+
owasp_ref: "A04:2021"
|
|
471
|
+
|
|
472
|
+
# =============================================
|
|
473
|
+
# Path Traversal
|
|
474
|
+
# =============================================
|
|
475
|
+
|
|
476
|
+
- id: datahogo-path-traversal
|
|
477
|
+
patterns:
|
|
478
|
+
- pattern-either:
|
|
479
|
+
- pattern: fs.readFile($PATH, ...)
|
|
480
|
+
- pattern: fs.readFileSync($PATH, ...)
|
|
481
|
+
- pattern: fs.writeFile($PATH, ...)
|
|
482
|
+
- pattern: fs.createReadStream($PATH, ...)
|
|
483
|
+
- pattern: fs.unlink($PATH, ...)
|
|
484
|
+
- pattern-either:
|
|
485
|
+
- pattern-inside: |
|
|
486
|
+
$PATH = ... + $REQ.query.$PARAM
|
|
487
|
+
...
|
|
488
|
+
- pattern-inside: |
|
|
489
|
+
$PATH = ... + $REQ.body.$FIELD
|
|
490
|
+
...
|
|
491
|
+
- pattern-inside: |
|
|
492
|
+
$PATH = ... + $PARAMS.get(...)
|
|
493
|
+
...
|
|
494
|
+
- pattern-inside: |
|
|
495
|
+
$PATH = `... ${$REQ.query.$PARAM} ...`
|
|
496
|
+
...
|
|
497
|
+
message: "Path traversal vulnerability. User input is used in file path without validation. Sanitize paths and restrict to allowed directories."
|
|
498
|
+
severity: ERROR
|
|
499
|
+
languages: [typescript, javascript]
|
|
500
|
+
metadata:
|
|
501
|
+
datahogo_id: 106
|
|
502
|
+
datahogo_category: "files"
|
|
503
|
+
owasp_ref: "A01:2021"
|
|
504
|
+
|
|
505
|
+
# =============================================
|
|
506
|
+
# React / Frontend Specific
|
|
507
|
+
# =============================================
|
|
508
|
+
|
|
509
|
+
- id: datahogo-dangerouslysetinnerhtml
|
|
510
|
+
patterns:
|
|
511
|
+
- pattern: <$EL dangerouslySetInnerHTML={{__html: $HTML}} />
|
|
512
|
+
- pattern-not: <$EL dangerouslySetInnerHTML={{__html: DOMPurify.sanitize($HTML)}} />
|
|
513
|
+
message: "dangerouslySetInnerHTML without sanitization can lead to XSS attacks. Use DOMPurify to sanitize HTML before rendering."
|
|
514
|
+
severity: ERROR
|
|
515
|
+
languages: [typescript, javascript]
|
|
516
|
+
metadata:
|
|
517
|
+
datahogo_id: 46
|
|
518
|
+
datahogo_category: "react-nextjs"
|
|
519
|
+
owasp_ref: "A03:2021"
|
|
520
|
+
|
|
521
|
+
# =============================================
|
|
522
|
+
# Mass Assignment
|
|
523
|
+
# =============================================
|
|
524
|
+
|
|
525
|
+
- id: datahogo-mass-assignment
|
|
526
|
+
patterns:
|
|
527
|
+
- pattern-either:
|
|
528
|
+
- pattern: $DB.update($REQ.body)
|
|
529
|
+
- pattern: $DB.create($REQ.body)
|
|
530
|
+
- pattern: $DB.insert($REQ.body)
|
|
531
|
+
- pattern: $MODEL.update($REQ.body)
|
|
532
|
+
- pattern: $MODEL.create($REQ.body)
|
|
533
|
+
- pattern-not-inside: |
|
|
534
|
+
const $VALIDATED = $SCHEMA.parse($REQ.body)
|
|
535
|
+
...
|
|
536
|
+
message: "Mass assignment vulnerability. Request body is passed directly to database without validation. Use Zod or similar to validate input."
|
|
537
|
+
severity: ERROR
|
|
538
|
+
languages: [typescript, javascript]
|
|
539
|
+
metadata:
|
|
540
|
+
datahogo_id: 98
|
|
541
|
+
datahogo_category: "api"
|
|
542
|
+
owasp_ref: "A01:2021"
|
|
543
|
+
|
|
544
|
+
# =============================================
|
|
545
|
+
# Prototype Pollution
|
|
546
|
+
# =============================================
|
|
547
|
+
|
|
548
|
+
- id: datahogo-prototype-pollution-assign
|
|
549
|
+
patterns:
|
|
550
|
+
- pattern-either:
|
|
551
|
+
- pattern: Object.assign($TARGET, $REQ.body)
|
|
552
|
+
- pattern: Object.assign($TARGET, $REQ.query)
|
|
553
|
+
- pattern: |
|
|
554
|
+
{ ...$REQ.body }
|
|
555
|
+
- pattern: |
|
|
556
|
+
{ ...$REQ.query }
|
|
557
|
+
message: "Prototype pollution risk. Spreading or assigning request data can pollute Object.prototype. Validate input structure first."
|
|
558
|
+
severity: ERROR
|
|
559
|
+
languages: [typescript, javascript]
|
|
560
|
+
metadata:
|
|
561
|
+
datahogo_id: 128
|
|
562
|
+
datahogo_category: "javascript"
|
|
563
|
+
owasp_ref: "A03:2021"
|
|
564
|
+
|
|
565
|
+
# =============================================
|
|
566
|
+
# Price/Amount from Client
|
|
567
|
+
# =============================================
|
|
568
|
+
|
|
569
|
+
- id: datahogo-client-controlled-price
|
|
570
|
+
patterns:
|
|
571
|
+
- pattern-either:
|
|
572
|
+
- pattern: |
|
|
573
|
+
$PRICE = $REQ.body.price
|
|
574
|
+
- pattern: |
|
|
575
|
+
$AMOUNT = $REQ.body.amount
|
|
576
|
+
- pattern: |
|
|
577
|
+
$TOTAL = $REQ.body.total
|
|
578
|
+
- pattern: |
|
|
579
|
+
const { price: $PRICE, ... } = $REQ.body
|
|
580
|
+
- pattern: |
|
|
581
|
+
const { amount: $AMOUNT, ... } = $REQ.body
|
|
582
|
+
message: "Critical business logic flaw: Price or amount controlled by client input. Always calculate prices server-side based on product IDs."
|
|
583
|
+
severity: ERROR
|
|
584
|
+
languages: [typescript, javascript]
|
|
585
|
+
metadata:
|
|
586
|
+
datahogo_id: 114
|
|
587
|
+
datahogo_category: "logic"
|
|
588
|
+
owasp_ref: "A04:2021"
|