@datahogo/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (153) hide show
  1. package/LICENSE +661 -0
  2. package/README.md +17 -0
  3. package/dist/engines/config.d.ts +3 -0
  4. package/dist/engines/config.d.ts.map +1 -0
  5. package/dist/engines/config.js +433 -0
  6. package/dist/engines/config.js.map +1 -0
  7. package/dist/engines/dast.d.ts +3 -0
  8. package/dist/engines/dast.d.ts.map +1 -0
  9. package/dist/engines/dast.js +167 -0
  10. package/dist/engines/dast.js.map +1 -0
  11. package/dist/engines/db-rules.d.ts +3 -0
  12. package/dist/engines/db-rules.d.ts.map +1 -0
  13. package/dist/engines/db-rules.js +166 -0
  14. package/dist/engines/db-rules.js.map +1 -0
  15. package/dist/engines/dependencies.d.ts +3 -0
  16. package/dist/engines/dependencies.d.ts.map +1 -0
  17. package/dist/engines/dependencies.js +167 -0
  18. package/dist/engines/dependencies.js.map +1 -0
  19. package/dist/engines/github-actions.d.ts +3 -0
  20. package/dist/engines/github-actions.d.ts.map +1 -0
  21. package/dist/engines/github-actions.js +215 -0
  22. package/dist/engines/github-actions.js.map +1 -0
  23. package/dist/engines/gitleaks.d.ts +3 -0
  24. package/dist/engines/gitleaks.d.ts.map +1 -0
  25. package/dist/engines/gitleaks.js +107 -0
  26. package/dist/engines/gitleaks.js.map +1 -0
  27. package/dist/engines/npm-audit.d.ts +3 -0
  28. package/dist/engines/npm-audit.d.ts.map +1 -0
  29. package/dist/engines/npm-audit.js +113 -0
  30. package/dist/engines/npm-audit.js.map +1 -0
  31. package/dist/engines/patterns.d.ts +3 -0
  32. package/dist/engines/patterns.d.ts.map +1 -0
  33. package/dist/engines/patterns.js +1330 -0
  34. package/dist/engines/patterns.js.map +1 -0
  35. package/dist/engines/secrets.d.ts +4 -0
  36. package/dist/engines/secrets.d.ts.map +1 -0
  37. package/dist/engines/secrets.js +260 -0
  38. package/dist/engines/secrets.js.map +1 -0
  39. package/dist/engines/semgrep.d.ts +3 -0
  40. package/dist/engines/semgrep.d.ts.map +1 -0
  41. package/dist/engines/semgrep.js +173 -0
  42. package/dist/engines/semgrep.js.map +1 -0
  43. package/dist/engines/types.d.ts +30 -0
  44. package/dist/engines/types.d.ts.map +1 -0
  45. package/dist/engines/types.js +3 -0
  46. package/dist/engines/types.js.map +1 -0
  47. package/dist/engines/url-scanner.d.ts +3 -0
  48. package/dist/engines/url-scanner.d.ts.map +1 -0
  49. package/dist/engines/url-scanner.js +469 -0
  50. package/dist/engines/url-scanner.js.map +1 -0
  51. package/dist/index.d.ts +8 -0
  52. package/dist/index.d.ts.map +1 -0
  53. package/dist/index.js +8 -0
  54. package/dist/index.js.map +1 -0
  55. package/dist/orchestrator.d.ts +32 -0
  56. package/dist/orchestrator.d.ts.map +1 -0
  57. package/dist/orchestrator.js +237 -0
  58. package/dist/orchestrator.js.map +1 -0
  59. package/dist/rules/.gitkeep +0 -0
  60. package/dist/rules/ai-llm-security.yaml +199 -0
  61. package/dist/rules/api-security.yaml +489 -0
  62. package/dist/rules/auth-patterns.yaml +406 -0
  63. package/dist/rules/crypto-patterns.yaml +227 -0
  64. package/dist/rules/database-cloud-security.yaml +169 -0
  65. package/dist/rules/general-security.yaml +588 -0
  66. package/dist/rules/injection-patterns.yaml +318 -0
  67. package/dist/rules/nextjs-security.yaml +532 -0
  68. package/dist/rules/node-security.yaml +380 -0
  69. package/dist/rules/rules/.gitkeep +0 -0
  70. package/dist/rules/rules/ai-llm-security.yaml +199 -0
  71. package/dist/rules/rules/api-security.yaml +489 -0
  72. package/dist/rules/rules/auth-patterns.yaml +406 -0
  73. package/dist/rules/rules/crypto-patterns.yaml +227 -0
  74. package/dist/rules/rules/database-cloud-security.yaml +169 -0
  75. package/dist/rules/rules/general-security.yaml +588 -0
  76. package/dist/rules/rules/injection-patterns.yaml +318 -0
  77. package/dist/rules/rules/nextjs-security.yaml +532 -0
  78. package/dist/rules/rules/node-security.yaml +380 -0
  79. package/dist/rules/rules/supabase-security.yaml +387 -0
  80. package/dist/rules/supabase-security.yaml +387 -0
  81. package/dist/scanning/agents/csharp-agent.d.ts +12 -0
  82. package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
  83. package/dist/scanning/agents/csharp-agent.js +592 -0
  84. package/dist/scanning/agents/csharp-agent.js.map +1 -0
  85. package/dist/scanning/agents/go-agent.d.ts +14 -0
  86. package/dist/scanning/agents/go-agent.d.ts.map +1 -0
  87. package/dist/scanning/agents/go-agent.js +641 -0
  88. package/dist/scanning/agents/go-agent.js.map +1 -0
  89. package/dist/scanning/agents/java-agent.d.ts +8 -0
  90. package/dist/scanning/agents/java-agent.d.ts.map +1 -0
  91. package/dist/scanning/agents/java-agent.js +807 -0
  92. package/dist/scanning/agents/java-agent.js.map +1 -0
  93. package/dist/scanning/agents/javascript-agent.d.ts +8 -0
  94. package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
  95. package/dist/scanning/agents/javascript-agent.js +77 -0
  96. package/dist/scanning/agents/javascript-agent.js.map +1 -0
  97. package/dist/scanning/agents/mobile-agent.d.ts +8 -0
  98. package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
  99. package/dist/scanning/agents/mobile-agent.js +916 -0
  100. package/dist/scanning/agents/mobile-agent.js.map +1 -0
  101. package/dist/scanning/agents/php-agent.d.ts +8 -0
  102. package/dist/scanning/agents/php-agent.d.ts.map +1 -0
  103. package/dist/scanning/agents/php-agent.js +679 -0
  104. package/dist/scanning/agents/php-agent.js.map +1 -0
  105. package/dist/scanning/agents/python-agent.d.ts +8 -0
  106. package/dist/scanning/agents/python-agent.d.ts.map +1 -0
  107. package/dist/scanning/agents/python-agent.js +701 -0
  108. package/dist/scanning/agents/python-agent.js.map +1 -0
  109. package/dist/scanning/agents/supabase-agent.d.ts +8 -0
  110. package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
  111. package/dist/scanning/agents/supabase-agent.js +484 -0
  112. package/dist/scanning/agents/supabase-agent.js.map +1 -0
  113. package/dist/scanning/orchestrator.d.ts +29 -0
  114. package/dist/scanning/orchestrator.d.ts.map +1 -0
  115. package/dist/scanning/orchestrator.js +186 -0
  116. package/dist/scanning/orchestrator.js.map +1 -0
  117. package/dist/scanning/tech-detector.d.ts +12 -0
  118. package/dist/scanning/tech-detector.d.ts.map +1 -0
  119. package/dist/scanning/tech-detector.js +252 -0
  120. package/dist/scanning/tech-detector.js.map +1 -0
  121. package/dist/scanning/types.d.ts +87 -0
  122. package/dist/scanning/types.d.ts.map +1 -0
  123. package/dist/scanning/types.js +5 -0
  124. package/dist/scanning/types.js.map +1 -0
  125. package/dist/utils/child-process.d.ts +2 -0
  126. package/dist/utils/child-process.d.ts.map +1 -0
  127. package/dist/utils/child-process.js +4 -0
  128. package/dist/utils/child-process.js.map +1 -0
  129. package/dist/utils/context-classifier.d.ts +11 -0
  130. package/dist/utils/context-classifier.d.ts.map +1 -0
  131. package/dist/utils/context-classifier.js +79 -0
  132. package/dist/utils/context-classifier.js.map +1 -0
  133. package/dist/utils/exec.d.ts +18 -0
  134. package/dist/utils/exec.d.ts.map +1 -0
  135. package/dist/utils/exec.js +51 -0
  136. package/dist/utils/exec.js.map +1 -0
  137. package/dist/utils/file-filter.d.ts +4 -0
  138. package/dist/utils/file-filter.d.ts.map +1 -0
  139. package/dist/utils/file-filter.js +68 -0
  140. package/dist/utils/file-filter.js.map +1 -0
  141. package/dist/utils/fs.d.ts +2 -0
  142. package/dist/utils/fs.d.ts.map +1 -0
  143. package/dist/utils/fs.js +5 -0
  144. package/dist/utils/fs.js.map +1 -0
  145. package/dist/utils/logger.d.ts +12 -0
  146. package/dist/utils/logger.d.ts.map +1 -0
  147. package/dist/utils/logger.js +27 -0
  148. package/dist/utils/logger.js.map +1 -0
  149. package/dist/utils/post-processor.d.ts +10 -0
  150. package/dist/utils/post-processor.d.ts.map +1 -0
  151. package/dist/utils/post-processor.js +183 -0
  152. package/dist/utils/post-processor.js.map +1 -0
  153. package/package.json +44 -0
@@ -0,0 +1,318 @@
1
+ rules:
2
+ # ID 71: LDAP Injection
3
+ - id: datahogo-ldap-injection
4
+ patterns:
5
+ - pattern-either:
6
+ - pattern: |
7
+ $CLIENT.search($BASE, { filter: `...(${$INPUT})...` }, ...)
8
+ - pattern: |
9
+ $CLIENT.search($BASE, { filter: `...(${$REQ.body.$FIELD})...` }, ...)
10
+ - pattern: |
11
+ const filter = `(&(uid=${$USERNAME})(...))`
12
+ - pattern: |
13
+ ldap.$METHOD($DN, `...${$VAR}...`, ...)
14
+ - pattern-not: |
15
+ const filter = `(&(uid=${escapeLDAP($USERNAME)})(...))`
16
+ - pattern-not: |
17
+ ldapEscape.filter($VAR)
18
+ message: "LDAP query built with unsanitized user input - use ldap-escape or equivalent sanitization"
19
+ severity: ERROR
20
+ languages: [typescript, javascript]
21
+ metadata:
22
+ datahogo_id: 71
23
+ datahogo_category: "injection"
24
+ owasp_ref: "A03:2021"
25
+
26
+ # ID 72: XXE - XML External Entity
27
+ - id: datahogo-xxe-libxml
28
+ patterns:
29
+ - pattern-either:
30
+ - pattern: libxmljs.parseXml($INPUT)
31
+ - pattern: libxmljs.parseXmlString($INPUT)
32
+ - pattern: libxmljs.parseXml($INPUT, { noent: true })
33
+ message: "libxmljs XML parsing may allow XXE - disable external entities via options"
34
+ severity: ERROR
35
+ languages: [typescript, javascript]
36
+ metadata:
37
+ datahogo_id: 72
38
+ datahogo_category: "injection"
39
+ owasp_ref: "A03:2021"
40
+
41
+ - id: datahogo-xxe-xml2js
42
+ patterns:
43
+ - pattern: xml2js.parseString($INPUT, ...)
44
+ - pattern-not: xml2js.parseString($INPUT, { explicitCharkey: ..., ignoreAttrs: ... })
45
+ message: "xml2js parsing with untrusted input may allow XXE or billion-laughs attacks"
46
+ severity: WARNING
47
+ languages: [typescript, javascript]
48
+ metadata:
49
+ datahogo_id: 72
50
+ datahogo_category: "injection"
51
+ owasp_ref: "A03:2021"
52
+
53
+ - id: datahogo-xxe-domparser
54
+ pattern: |
55
+ new DOMParser().parseFromString($INPUT, ...)
56
+ message: "DOMParser with untrusted XML input may allow XXE - validate and sanitize input"
57
+ severity: WARNING
58
+ languages: [typescript, javascript]
59
+ metadata:
60
+ datahogo_id: 72
61
+ datahogo_category: "injection"
62
+ owasp_ref: "A03:2021"
63
+
64
+ # ID 73: Header Injection (CRLF)
65
+ - id: datahogo-header-injection-crlf
66
+ patterns:
67
+ - pattern-either:
68
+ - pattern: |
69
+ $RESPONSE.setHeader($HEADER_NAME, $REQ.body.$FIELD)
70
+ - pattern: |
71
+ $RESPONSE.setHeader($HEADER_NAME, $REQ.query.$PARAM)
72
+ - pattern: |
73
+ new Headers({ $KEY: $REQ.query.$PARAM })
74
+ - pattern-not: |
75
+ $RESPONSE.setHeader($HEADER_NAME, $VAR.replace(/[\r\n]/g, ''))
76
+ - pattern-not: |
77
+ sanitizeHeader($VALUE)
78
+ message: "HTTP header set with user-controlled value - strip CRLF (\\r\\n) to prevent header injection"
79
+ severity: WARNING
80
+ languages: [typescript, javascript]
81
+ metadata:
82
+ datahogo_id: 73
83
+ datahogo_category: "injection"
84
+ owasp_ref: "A03:2021"
85
+
86
+ # ID 74: Email Header Injection
87
+ - id: datahogo-email-header-injection-to
88
+ patterns:
89
+ - pattern-either:
90
+ - pattern: |
91
+ $MAILER.sendMail({ to: $REQ.body.email, ... })
92
+ - pattern: |
93
+ $MAILER.sendMail({ from: $REQ.body.from, ... })
94
+ - pattern: |
95
+ $MAILER.sendMail({ subject: `...${ $REQ.body.subject }...`, ... })
96
+ message: "Email headers built from user input - sanitize To/From/Subject fields to prevent email header injection"
97
+ severity: WARNING
98
+ languages: [typescript, javascript]
99
+ metadata:
100
+ datahogo_id: 74
101
+ datahogo_category: "injection"
102
+ owasp_ref: "A03:2021"
103
+
104
+ - id: datahogo-email-header-injection-resend
105
+ patterns:
106
+ - pattern-either:
107
+ - pattern: |
108
+ resend.emails.send({ to: $REQ.body.$FIELD, ... })
109
+ - pattern: |
110
+ resend.emails.send({ from: $REQ.body.$FIELD, ... })
111
+ - pattern: |
112
+ resend.emails.send({ subject: `...${ $REQ.body.$FIELD }...`, ... })
113
+ message: "Resend email fields built from user input - validate email addresses and sanitize subject lines"
114
+ severity: WARNING
115
+ languages: [typescript, javascript]
116
+ metadata:
117
+ datahogo_id: 74
118
+ datahogo_category: "injection"
119
+ owasp_ref: "A03:2021"
120
+
121
+ # ID 75: Log Injection
122
+ - id: datahogo-log-injection-console
123
+ patterns:
124
+ - pattern-either:
125
+ - pattern: console.log(`...${ $REQ.body.$FIELD }...`)
126
+ - pattern: console.log(`...${ $REQ.query.$PARAM }...`)
127
+ - pattern: console.log(`...${ $REQ.params.$PARAM }...`)
128
+ - pattern: console.error(`...${ $REQ.body.$FIELD }...`)
129
+ - pattern: console.warn(`...${ $REQ.body.$FIELD }...`)
130
+ message: "User-controlled input in log statements enables log injection/forging - sanitize before logging"
131
+ severity: INFO
132
+ languages: [typescript, javascript]
133
+ metadata:
134
+ datahogo_id: 75
135
+ datahogo_category: "injection"
136
+ owasp_ref: "A09:2021"
137
+
138
+ - id: datahogo-log-injection-structured
139
+ patterns:
140
+ - pattern-either:
141
+ - pattern: logger.info(`...${ $REQ.body.$FIELD }...`)
142
+ - pattern: logger.error(`...${ $REQ.body.$FIELD }...`)
143
+ - pattern: winston.log($LEVEL, `...${ $REQ.body.$FIELD }...`)
144
+ - pattern: pino().info(`...${ $REQ.body.$FIELD }...`)
145
+ message: "User input in log messages enables log injection - pass as structured field instead of string interpolation"
146
+ severity: INFO
147
+ languages: [typescript, javascript]
148
+ metadata:
149
+ datahogo_id: 75
150
+ datahogo_category: "injection"
151
+ owasp_ref: "A09:2021"
152
+
153
+ # ID 76: Template Injection (SSTI)
154
+ - id: datahogo-template-injection-ejs
155
+ patterns:
156
+ - pattern-either:
157
+ - pattern: ejs.render($REQ.body.$TEMPLATE, ...)
158
+ - pattern: ejs.render($REQ.query.$PARAM, ...)
159
+ - pattern: ejs.renderFile($REQ.body.$PATH, ...)
160
+ message: "EJS rendering with user-controlled template enables Server-Side Template Injection (SSTI)"
161
+ severity: CRITICAL
162
+ languages: [typescript, javascript]
163
+ metadata:
164
+ datahogo_id: 76
165
+ datahogo_category: "injection"
166
+ owasp_ref: "A03:2021"
167
+
168
+ - id: datahogo-template-injection-handlebars
169
+ patterns:
170
+ - pattern-either:
171
+ - pattern: |
172
+ const template = Handlebars.compile($REQ.body.$FIELD)
173
+ - pattern: |
174
+ const template = Handlebars.compile($REQ.query.$PARAM)
175
+ message: "Handlebars compiling user-controlled templates enables SSTI - only compile static templates"
176
+ severity: CRITICAL
177
+ languages: [typescript, javascript]
178
+ metadata:
179
+ datahogo_id: 76
180
+ datahogo_category: "injection"
181
+ owasp_ref: "A03:2021"
182
+
183
+ - id: datahogo-template-injection-pug
184
+ patterns:
185
+ - pattern-either:
186
+ - pattern: pug.render($REQ.body.$FIELD, ...)
187
+ - pattern: pug.compile($REQ.body.$FIELD, ...)
188
+ message: "Pug rendering with user-controlled template content enables SSTI"
189
+ severity: CRITICAL
190
+ languages: [typescript, javascript]
191
+ metadata:
192
+ datahogo_id: 76
193
+ datahogo_category: "injection"
194
+ owasp_ref: "A03:2021"
195
+
196
+ # ID 104: Unsafe deserialization
197
+ - id: datahogo-unsafe-deserialize-node-serialize
198
+ patterns:
199
+ - pattern-either:
200
+ - pattern: serialize.unserialize($INPUT)
201
+ - pattern: nodeSerialize.unserialize($INPUT)
202
+ message: "node-serialize unserialize() is unsafe with untrusted input and allows Remote Code Execution"
203
+ severity: ERROR
204
+ languages: [typescript, javascript]
205
+ metadata:
206
+ datahogo_id: 104
207
+ datahogo_category: "injection"
208
+ owasp_ref: "A08:2021"
209
+
210
+ - id: datahogo-unsafe-yaml-load
211
+ patterns:
212
+ - pattern-either:
213
+ - pattern: yaml.load($INPUT)
214
+ - pattern: jsYaml.load($INPUT)
215
+ - pattern: require("js-yaml").load($INPUT)
216
+ message: "yaml.load() with untrusted input can execute arbitrary code. Use yaml.safeLoad() or yaml.load() with schema: CORE_SCHEMA"
217
+ severity: ERROR
218
+ languages: [typescript, javascript]
219
+ metadata:
220
+ datahogo_id: 104
221
+ datahogo_category: "injection"
222
+ owasp_ref: "A08:2021"
223
+
224
+ # ID 106: Path traversal
225
+ - id: datahogo-path-traversal-readfile
226
+ patterns:
227
+ - pattern-either:
228
+ - pattern: |
229
+ fs.readFile(`${__dirname}/${$REQ.query.$PARAM}`, ...)
230
+ - pattern: |
231
+ fs.readFile(`${$BASE_PATH}/${$REQ.body.$FIELD}`, ...)
232
+ - pattern: |
233
+ fs.readFileSync(`${$DIR}/${$REQ.params.$PARAM}`)
234
+ - pattern: |
235
+ path.join($BASE_DIR, $REQ.query.$PARAM)
236
+ - pattern-not: |
237
+ path.join($BASE_DIR, path.basename($VAR))
238
+ - pattern-not: |
239
+ $PATH.includes('..')
240
+ message: "File path built with user input - use path.basename() and validate to prevent path traversal"
241
+ severity: ERROR
242
+ languages: [typescript, javascript]
243
+ metadata:
244
+ datahogo_id: 106
245
+ datahogo_category: "files-media"
246
+ owasp_ref: "A01:2021"
247
+
248
+ - id: datahogo-path-traversal-send
249
+ patterns:
250
+ - pattern-either:
251
+ - pattern: |
252
+ res.sendFile(`${__dirname}/${$REQ.params.$PARAM}`)
253
+ - pattern: |
254
+ res.sendFile(path.join($DIR, $REQ.query.$PARAM))
255
+ message: "Dynamic file serving with user-controlled path - validate against allowed file list"
256
+ severity: ERROR
257
+ languages: [typescript, javascript]
258
+ metadata:
259
+ datahogo_id: 106
260
+ datahogo_category: "files-media"
261
+ owasp_ref: "A01:2021"
262
+
263
+ # ID 111: Zip Slip
264
+ - id: datahogo-zip-slip
265
+ patterns:
266
+ - pattern-either:
267
+ - pattern: |
268
+ $ENTRY.extract($DEST_PATH)
269
+ - pattern: |
270
+ fs.writeFile(`${$OUTPUT_DIR}/${$ENTRY.fileName}`, ...)
271
+ - pattern: |
272
+ const targetPath = path.join($OUTPUT, $ENTRY.entryName)
273
+ - pattern-not: |
274
+ if (!targetPath.startsWith($OUTPUT))
275
+ - pattern-not: |
276
+ if (targetPath.includes('..'))
277
+ message: "ZIP extraction without path validation allows Zip Slip - verify extracted path is within target directory"
278
+ severity: ERROR
279
+ languages: [typescript, javascript]
280
+ metadata:
281
+ datahogo_id: 111
282
+ datahogo_category: "files-media"
283
+ owasp_ref: "A01:2021"
284
+
285
+ # ID 110: PDF generation injection
286
+ - id: datahogo-pdf-html-injection-puppeteer
287
+ patterns:
288
+ - pattern-either:
289
+ - pattern: |
290
+ $PAGE.setContent(`...${ $REQ.body.$FIELD }...`)
291
+ - pattern: |
292
+ $PAGE.setContent(`...${ $INPUT }...`)
293
+ - pattern-not: |
294
+ DOMPurify.sanitize($INPUT)
295
+ - pattern-not: |
296
+ sanitizeHtml($INPUT)
297
+ message: "User-controlled HTML in PDF generation (Puppeteer) allows script injection - sanitize HTML before passing to setContent()"
298
+ severity: WARNING
299
+ languages: [typescript, javascript]
300
+ metadata:
301
+ datahogo_id: 110
302
+ datahogo_category: "files-media"
303
+ owasp_ref: "A03:2021"
304
+
305
+ - id: datahogo-pdf-html-injection-pdfkit
306
+ patterns:
307
+ - pattern-either:
308
+ - pattern: |
309
+ $DOC.text($REQ.body.$FIELD, ...)
310
+ - pattern: |
311
+ $PDF.text(`...${ $REQ.body.$FIELD }...`)
312
+ message: "User-controlled content passed directly to PDF generator - sanitize to prevent content injection"
313
+ severity: INFO
314
+ languages: [typescript, javascript]
315
+ metadata:
316
+ datahogo_id: 110
317
+ datahogo_category: "files-media"
318
+ owasp_ref: "A03:2021"