@datahogo/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (153) hide show
  1. package/LICENSE +661 -0
  2. package/README.md +17 -0
  3. package/dist/engines/config.d.ts +3 -0
  4. package/dist/engines/config.d.ts.map +1 -0
  5. package/dist/engines/config.js +433 -0
  6. package/dist/engines/config.js.map +1 -0
  7. package/dist/engines/dast.d.ts +3 -0
  8. package/dist/engines/dast.d.ts.map +1 -0
  9. package/dist/engines/dast.js +167 -0
  10. package/dist/engines/dast.js.map +1 -0
  11. package/dist/engines/db-rules.d.ts +3 -0
  12. package/dist/engines/db-rules.d.ts.map +1 -0
  13. package/dist/engines/db-rules.js +166 -0
  14. package/dist/engines/db-rules.js.map +1 -0
  15. package/dist/engines/dependencies.d.ts +3 -0
  16. package/dist/engines/dependencies.d.ts.map +1 -0
  17. package/dist/engines/dependencies.js +167 -0
  18. package/dist/engines/dependencies.js.map +1 -0
  19. package/dist/engines/github-actions.d.ts +3 -0
  20. package/dist/engines/github-actions.d.ts.map +1 -0
  21. package/dist/engines/github-actions.js +215 -0
  22. package/dist/engines/github-actions.js.map +1 -0
  23. package/dist/engines/gitleaks.d.ts +3 -0
  24. package/dist/engines/gitleaks.d.ts.map +1 -0
  25. package/dist/engines/gitleaks.js +107 -0
  26. package/dist/engines/gitleaks.js.map +1 -0
  27. package/dist/engines/npm-audit.d.ts +3 -0
  28. package/dist/engines/npm-audit.d.ts.map +1 -0
  29. package/dist/engines/npm-audit.js +113 -0
  30. package/dist/engines/npm-audit.js.map +1 -0
  31. package/dist/engines/patterns.d.ts +3 -0
  32. package/dist/engines/patterns.d.ts.map +1 -0
  33. package/dist/engines/patterns.js +1330 -0
  34. package/dist/engines/patterns.js.map +1 -0
  35. package/dist/engines/secrets.d.ts +4 -0
  36. package/dist/engines/secrets.d.ts.map +1 -0
  37. package/dist/engines/secrets.js +260 -0
  38. package/dist/engines/secrets.js.map +1 -0
  39. package/dist/engines/semgrep.d.ts +3 -0
  40. package/dist/engines/semgrep.d.ts.map +1 -0
  41. package/dist/engines/semgrep.js +173 -0
  42. package/dist/engines/semgrep.js.map +1 -0
  43. package/dist/engines/types.d.ts +30 -0
  44. package/dist/engines/types.d.ts.map +1 -0
  45. package/dist/engines/types.js +3 -0
  46. package/dist/engines/types.js.map +1 -0
  47. package/dist/engines/url-scanner.d.ts +3 -0
  48. package/dist/engines/url-scanner.d.ts.map +1 -0
  49. package/dist/engines/url-scanner.js +469 -0
  50. package/dist/engines/url-scanner.js.map +1 -0
  51. package/dist/index.d.ts +8 -0
  52. package/dist/index.d.ts.map +1 -0
  53. package/dist/index.js +8 -0
  54. package/dist/index.js.map +1 -0
  55. package/dist/orchestrator.d.ts +32 -0
  56. package/dist/orchestrator.d.ts.map +1 -0
  57. package/dist/orchestrator.js +237 -0
  58. package/dist/orchestrator.js.map +1 -0
  59. package/dist/rules/.gitkeep +0 -0
  60. package/dist/rules/ai-llm-security.yaml +199 -0
  61. package/dist/rules/api-security.yaml +489 -0
  62. package/dist/rules/auth-patterns.yaml +406 -0
  63. package/dist/rules/crypto-patterns.yaml +227 -0
  64. package/dist/rules/database-cloud-security.yaml +169 -0
  65. package/dist/rules/general-security.yaml +588 -0
  66. package/dist/rules/injection-patterns.yaml +318 -0
  67. package/dist/rules/nextjs-security.yaml +532 -0
  68. package/dist/rules/node-security.yaml +380 -0
  69. package/dist/rules/rules/.gitkeep +0 -0
  70. package/dist/rules/rules/ai-llm-security.yaml +199 -0
  71. package/dist/rules/rules/api-security.yaml +489 -0
  72. package/dist/rules/rules/auth-patterns.yaml +406 -0
  73. package/dist/rules/rules/crypto-patterns.yaml +227 -0
  74. package/dist/rules/rules/database-cloud-security.yaml +169 -0
  75. package/dist/rules/rules/general-security.yaml +588 -0
  76. package/dist/rules/rules/injection-patterns.yaml +318 -0
  77. package/dist/rules/rules/nextjs-security.yaml +532 -0
  78. package/dist/rules/rules/node-security.yaml +380 -0
  79. package/dist/rules/rules/supabase-security.yaml +387 -0
  80. package/dist/rules/supabase-security.yaml +387 -0
  81. package/dist/scanning/agents/csharp-agent.d.ts +12 -0
  82. package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
  83. package/dist/scanning/agents/csharp-agent.js +592 -0
  84. package/dist/scanning/agents/csharp-agent.js.map +1 -0
  85. package/dist/scanning/agents/go-agent.d.ts +14 -0
  86. package/dist/scanning/agents/go-agent.d.ts.map +1 -0
  87. package/dist/scanning/agents/go-agent.js +641 -0
  88. package/dist/scanning/agents/go-agent.js.map +1 -0
  89. package/dist/scanning/agents/java-agent.d.ts +8 -0
  90. package/dist/scanning/agents/java-agent.d.ts.map +1 -0
  91. package/dist/scanning/agents/java-agent.js +807 -0
  92. package/dist/scanning/agents/java-agent.js.map +1 -0
  93. package/dist/scanning/agents/javascript-agent.d.ts +8 -0
  94. package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
  95. package/dist/scanning/agents/javascript-agent.js +77 -0
  96. package/dist/scanning/agents/javascript-agent.js.map +1 -0
  97. package/dist/scanning/agents/mobile-agent.d.ts +8 -0
  98. package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
  99. package/dist/scanning/agents/mobile-agent.js +916 -0
  100. package/dist/scanning/agents/mobile-agent.js.map +1 -0
  101. package/dist/scanning/agents/php-agent.d.ts +8 -0
  102. package/dist/scanning/agents/php-agent.d.ts.map +1 -0
  103. package/dist/scanning/agents/php-agent.js +679 -0
  104. package/dist/scanning/agents/php-agent.js.map +1 -0
  105. package/dist/scanning/agents/python-agent.d.ts +8 -0
  106. package/dist/scanning/agents/python-agent.d.ts.map +1 -0
  107. package/dist/scanning/agents/python-agent.js +701 -0
  108. package/dist/scanning/agents/python-agent.js.map +1 -0
  109. package/dist/scanning/agents/supabase-agent.d.ts +8 -0
  110. package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
  111. package/dist/scanning/agents/supabase-agent.js +484 -0
  112. package/dist/scanning/agents/supabase-agent.js.map +1 -0
  113. package/dist/scanning/orchestrator.d.ts +29 -0
  114. package/dist/scanning/orchestrator.d.ts.map +1 -0
  115. package/dist/scanning/orchestrator.js +186 -0
  116. package/dist/scanning/orchestrator.js.map +1 -0
  117. package/dist/scanning/tech-detector.d.ts +12 -0
  118. package/dist/scanning/tech-detector.d.ts.map +1 -0
  119. package/dist/scanning/tech-detector.js +252 -0
  120. package/dist/scanning/tech-detector.js.map +1 -0
  121. package/dist/scanning/types.d.ts +87 -0
  122. package/dist/scanning/types.d.ts.map +1 -0
  123. package/dist/scanning/types.js +5 -0
  124. package/dist/scanning/types.js.map +1 -0
  125. package/dist/utils/child-process.d.ts +2 -0
  126. package/dist/utils/child-process.d.ts.map +1 -0
  127. package/dist/utils/child-process.js +4 -0
  128. package/dist/utils/child-process.js.map +1 -0
  129. package/dist/utils/context-classifier.d.ts +11 -0
  130. package/dist/utils/context-classifier.d.ts.map +1 -0
  131. package/dist/utils/context-classifier.js +79 -0
  132. package/dist/utils/context-classifier.js.map +1 -0
  133. package/dist/utils/exec.d.ts +18 -0
  134. package/dist/utils/exec.d.ts.map +1 -0
  135. package/dist/utils/exec.js +51 -0
  136. package/dist/utils/exec.js.map +1 -0
  137. package/dist/utils/file-filter.d.ts +4 -0
  138. package/dist/utils/file-filter.d.ts.map +1 -0
  139. package/dist/utils/file-filter.js +68 -0
  140. package/dist/utils/file-filter.js.map +1 -0
  141. package/dist/utils/fs.d.ts +2 -0
  142. package/dist/utils/fs.d.ts.map +1 -0
  143. package/dist/utils/fs.js +5 -0
  144. package/dist/utils/fs.js.map +1 -0
  145. package/dist/utils/logger.d.ts +12 -0
  146. package/dist/utils/logger.d.ts.map +1 -0
  147. package/dist/utils/logger.js +27 -0
  148. package/dist/utils/logger.js.map +1 -0
  149. package/dist/utils/post-processor.d.ts +10 -0
  150. package/dist/utils/post-processor.d.ts.map +1 -0
  151. package/dist/utils/post-processor.js +183 -0
  152. package/dist/utils/post-processor.js.map +1 -0
  153. package/package.json +44 -0
@@ -0,0 +1,588 @@
1
+ rules:
2
+ # =============================================
3
+ # OWASP A01:2021 - Broken Access Control
4
+ # =============================================
5
+
6
+ - id: datahogo-api-route-no-auth
7
+ patterns:
8
+ - pattern-inside: |
9
+ export async function $METHOD(...) {
10
+ ...
11
+ }
12
+ - metavariable-regex:
13
+ metavariable: $METHOD
14
+ regex: ^(GET|POST|PUT|PATCH|DELETE|HEAD)$
15
+ - pattern-not-inside: |
16
+ export async function $METHOD(...) {
17
+ ...
18
+ $AUTH.getUser(...)
19
+ ...
20
+ }
21
+ - pattern-not-inside: |
22
+ export async function $METHOD(...) {
23
+ ...
24
+ $AUTH.auth.getUser(...)
25
+ ...
26
+ }
27
+ - pattern-not-inside: |
28
+ export async function $METHOD(...) {
29
+ ...
30
+ await getUser(...)
31
+ ...
32
+ }
33
+ - pattern-not-inside: |
34
+ export async function $METHOD(...) {
35
+ ...
36
+ verifyAuth(...)
37
+ ...
38
+ }
39
+ message: "API route handler does not verify authentication. Every API endpoint must check user session before processing requests."
40
+ severity: ERROR
41
+ languages: [typescript, javascript]
42
+ metadata:
43
+ datahogo_id: 1
44
+ datahogo_category: "web-owasp"
45
+ owasp_ref: "A01:2021"
46
+
47
+ - id: datahogo-open-redirect
48
+ patterns:
49
+ - pattern-either:
50
+ - pattern: redirect($URL)
51
+ - pattern: $RES.redirect($URL)
52
+ - pattern: NextResponse.redirect($URL)
53
+ - pattern-either:
54
+ - pattern-inside: |
55
+ $URL = $REQ.query.$PARAM
56
+ ...
57
+ - pattern-inside: |
58
+ $URL = $PARAMS.get(...)
59
+ ...
60
+ - pattern-inside: |
61
+ $URL = $REQ.body.$FIELD
62
+ ...
63
+ message: "Open redirect vulnerability. User-controlled redirect targets can be abused for phishing attacks. Validate redirect URLs against an allowlist."
64
+ severity: WARNING
65
+ languages: [typescript, javascript]
66
+ metadata:
67
+ datahogo_id: 119
68
+ datahogo_category: "logic"
69
+ owasp_ref: "A01:2021"
70
+
71
+ # =============================================
72
+ # OWASP A02:2021 - Cryptographic Failures
73
+ # =============================================
74
+
75
+ - id: datahogo-weak-hash-md5
76
+ patterns:
77
+ - pattern-either:
78
+ - pattern: crypto.createHash("md5")
79
+ - pattern: crypto.createHash('md5')
80
+ message: "MD5 is cryptographically broken and unsuitable for security purposes. Use SHA-256, SHA-3, or bcrypt for password hashing."
81
+ severity: ERROR
82
+ languages: [typescript, javascript]
83
+ metadata:
84
+ datahogo_id: 2
85
+ datahogo_category: "web-owasp"
86
+ owasp_ref: "A02:2021"
87
+
88
+ - id: datahogo-weak-hash-sha1
89
+ patterns:
90
+ - pattern-either:
91
+ - pattern: crypto.createHash("sha1")
92
+ - pattern: crypto.createHash('sha1')
93
+ message: "SHA-1 is deprecated due to collision vulnerabilities. Use SHA-256, SHA-3, or bcrypt for password hashing."
94
+ severity: ERROR
95
+ languages: [typescript, javascript]
96
+ metadata:
97
+ datahogo_id: 2
98
+ datahogo_category: "web-owasp"
99
+ owasp_ref: "A02:2021"
100
+
101
+ - id: datahogo-hardcoded-encryption-key
102
+ patterns:
103
+ - pattern-either:
104
+ - pattern: crypto.createCipheriv($ALG, "...", ...)
105
+ - pattern: crypto.createCipheriv($ALG, '...', ...)
106
+ - pattern: crypto.createDecipheriv($ALG, "...", ...)
107
+ - pattern: crypto.createDecipheriv($ALG, '...', ...)
108
+ - metavariable-regex:
109
+ metavariable: $ALG
110
+ regex: .*
111
+ message: "Hardcoded encryption key detected. Keys must be stored in environment variables or secure key management systems."
112
+ severity: ERROR
113
+ languages: [typescript, javascript]
114
+ metadata:
115
+ datahogo_id: 121
116
+ datahogo_category: "cryptography"
117
+ owasp_ref: "A02:2021"
118
+
119
+ - id: datahogo-math-random-security
120
+ patterns:
121
+ - pattern-either:
122
+ - pattern: |
123
+ $TOKEN = ... Math.random() ...
124
+ - pattern: |
125
+ $SECRET = ... Math.random() ...
126
+ - pattern: |
127
+ $KEY = ... Math.random() ...
128
+ - pattern: |
129
+ $SESSION = ... Math.random() ...
130
+ - pattern: |
131
+ $NONCE = ... Math.random() ...
132
+ message: "Math.random() is not cryptographically secure. Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive random values."
133
+ severity: ERROR
134
+ languages: [typescript, javascript]
135
+ metadata:
136
+ datahogo_id: 125
137
+ datahogo_category: "cryptography"
138
+ owasp_ref: "A02:2021"
139
+
140
+ - id: datahogo-tls-reject-unauthorized
141
+ patterns:
142
+ - pattern-either:
143
+ - pattern: process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
144
+ - pattern: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
145
+ - pattern: $OPTS.rejectUnauthorized = false
146
+ message: "TLS certificate validation is disabled. This makes the application vulnerable to man-in-the-middle attacks."
147
+ severity: ERROR
148
+ languages: [typescript, javascript]
149
+ metadata:
150
+ datahogo_id: 124
151
+ datahogo_category: "cryptography"
152
+ owasp_ref: "A02:2021"
153
+
154
+ - id: datahogo-plaintext-password
155
+ patterns:
156
+ - pattern-either:
157
+ - pattern: |
158
+ const $VAR = "..."
159
+ - pattern: |
160
+ let $VAR = "..."
161
+ - pattern: |
162
+ var $VAR = "..."
163
+ - metavariable-regex:
164
+ metavariable: $VAR
165
+ regex: (password|passwd|pwd|pass)
166
+ - pattern-not: const $VAR = ""
167
+ - pattern-not: const $VAR = process.env.$_
168
+ message: "Hardcoded password detected. Store passwords securely in environment variables and hash them with bcrypt or Argon2."
169
+ severity: ERROR
170
+ languages: [typescript, javascript]
171
+ metadata:
172
+ datahogo_id: 55
173
+ datahogo_category: "vibecoding"
174
+ owasp_ref: "A02:2021"
175
+
176
+ # =============================================
177
+ # OWASP A03:2021 - Injection
178
+ # =============================================
179
+
180
+ - id: datahogo-sql-injection-template-literal
181
+ patterns:
182
+ - pattern-either:
183
+ - pattern: $DB.query(`... ${$VAR} ...`)
184
+ - pattern: $DB.execute(`... ${$VAR} ...`)
185
+ - pattern: $DB.$queryRaw(`... ${$VAR} ...`)
186
+ - pattern: sequelize.query(`... ${$VAR} ...`)
187
+ message: "Possible SQL injection via string interpolation in database query. Use parameterized queries or prepared statements."
188
+ severity: ERROR
189
+ languages: [typescript, javascript]
190
+ metadata:
191
+ datahogo_id: 5
192
+ datahogo_category: "web-owasp"
193
+ owasp_ref: "A03:2021"
194
+
195
+ - id: datahogo-sql-injection-concatenation
196
+ patterns:
197
+ - pattern-either:
198
+ - pattern: $DB.query($STR + $VAR + ...)
199
+ - pattern: $DB.execute($STR + $VAR + ...)
200
+ - pattern: $DB.query($STR + $VAR)
201
+ message: "SQL injection via string concatenation. Use parameterized queries instead of concatenating user input into SQL statements."
202
+ severity: ERROR
203
+ languages: [typescript, javascript]
204
+ metadata:
205
+ datahogo_id: 5
206
+ datahogo_category: "web-owasp"
207
+ owasp_ref: "A03:2021"
208
+
209
+ - id: datahogo-eval-usage
210
+ patterns:
211
+ - pattern-either:
212
+ - pattern: eval($CODE)
213
+ - pattern: new Function($CODE)
214
+ - pattern: Function($CODE)
215
+ message: "eval() or Function() constructor can execute arbitrary code and lead to code injection. Avoid dynamic code execution entirely."
216
+ severity: ERROR
217
+ languages: [typescript, javascript]
218
+ metadata:
219
+ datahogo_id: 61
220
+ datahogo_category: "vibecoding"
221
+ owasp_ref: "A03:2021"
222
+
223
+ - id: datahogo-command-injection
224
+ patterns:
225
+ - pattern-either:
226
+ - pattern: child_process.exec(`... ${$VAR} ...`)
227
+ - pattern: child_process.execSync(`... ${$VAR} ...`)
228
+ - pattern: exec(`... ${$VAR} ...`)
229
+ - pattern: execSync(`... ${$VAR} ...`)
230
+ - pattern-not: child_process.exec(`$STATIC`)
231
+ message: "Command injection vulnerability. User input is interpolated into shell command. Use execFile() with argument array instead."
232
+ severity: ERROR
233
+ languages: [typescript, javascript]
234
+ metadata:
235
+ datahogo_id: 75
236
+ datahogo_category: "injection"
237
+ owasp_ref: "A03:2021"
238
+
239
+ - id: datahogo-nosql-injection
240
+ patterns:
241
+ - pattern-either:
242
+ - pattern: $DB.find($REQ.body)
243
+ - pattern: $DB.find($REQ.query)
244
+ - pattern: $DB.findOne($REQ.body)
245
+ - pattern: $DB.findOne($REQ.query)
246
+ - pattern: $COLLECTION.find($REQ.body)
247
+ message: "NoSQL injection risk. Request data is passed directly to database query. Validate and sanitize input before using in queries."
248
+ severity: ERROR
249
+ languages: [typescript, javascript]
250
+ metadata:
251
+ datahogo_id: 102
252
+ datahogo_category: "database"
253
+ owasp_ref: "A03:2021"
254
+
255
+ # =============================================
256
+ # OWASP A05:2021 - Security Misconfiguration
257
+ # =============================================
258
+
259
+ - id: datahogo-cors-wildcard
260
+ patterns:
261
+ - pattern-either:
262
+ - pattern: |
263
+ $HEADERS.set("Access-Control-Allow-Origin", "*")
264
+ - pattern: |
265
+ $RES.setHeader("Access-Control-Allow-Origin", "*")
266
+ - pattern: |
267
+ { ..., "Access-Control-Allow-Origin": "*", ... }
268
+ message: "CORS wildcard allows any origin to access the API. Restrict to specific trusted domains."
269
+ severity: WARNING
270
+ languages: [typescript, javascript]
271
+ metadata:
272
+ datahogo_id: 4
273
+ datahogo_category: "web-owasp"
274
+ owasp_ref: "A05:2021"
275
+
276
+ - id: datahogo-debug-mode-production
277
+ patterns:
278
+ - pattern-either:
279
+ - pattern: |
280
+ { ..., debug: true, ... }
281
+ - pattern: process.env.NODE_ENV = "development"
282
+ - pattern: app.set("env", "development")
283
+ message: "Debug mode enabled. This can expose sensitive information in production. Ensure debug mode is disabled in production environments."
284
+ severity: WARNING
285
+ languages: [typescript, javascript]
286
+ metadata:
287
+ datahogo_id: 4
288
+ datahogo_category: "web-owasp"
289
+ owasp_ref: "A05:2021"
290
+
291
+ # =============================================
292
+ # OWASP A06:2021 - Vulnerable Components
293
+ # =============================================
294
+ # (Handled by dependencies.ts engine - npm audit)
295
+
296
+ # =============================================
297
+ # OWASP A07:2021 - Identification & Auth Failures
298
+ # =============================================
299
+
300
+ - id: datahogo-jwt-no-expiry
301
+ patterns:
302
+ - pattern: jwt.sign($PAYLOAD, $SECRET, ...)
303
+ - pattern-not: jwt.sign($PAYLOAD, $SECRET, { ..., expiresIn: ..., ... })
304
+ - pattern-not: jwt.sign($PAYLOAD, $SECRET, { ..., exp: ..., ... })
305
+ message: "JWT token issued without expiration time. Always set expiresIn to limit token lifetime and reduce attack window."
306
+ severity: ERROR
307
+ languages: [typescript, javascript]
308
+ metadata:
309
+ datahogo_id: 7
310
+ datahogo_category: "web-owasp"
311
+ owasp_ref: "A07:2021"
312
+
313
+ - id: datahogo-jwt-algorithm-none
314
+ patterns:
315
+ - pattern: |
316
+ jwt.sign($PAYLOAD, $SECRET, { ..., algorithm: "none", ... })
317
+ message: "JWT with algorithm 'none' bypasses signature verification. Always use a secure algorithm like HS256, RS256, or ES256."
318
+ severity: ERROR
319
+ languages: [typescript, javascript]
320
+ metadata:
321
+ datahogo_id: 126
322
+ datahogo_category: "cryptography"
323
+ owasp_ref: "A07:2021"
324
+
325
+ - id: datahogo-tokens-in-localstorage
326
+ patterns:
327
+ - pattern-either:
328
+ - pattern: localStorage.setItem("token", ...)
329
+ - pattern: localStorage.setItem("jwt", ...)
330
+ - pattern: localStorage.setItem("access_token", ...)
331
+ - pattern: localStorage.setItem("refresh_token", ...)
332
+ - pattern: localStorage.setItem("auth", ...)
333
+ - pattern: localStorage.setItem("session", ...)
334
+ - pattern-not: localStorage.setItem($KEY, $NONTOK)
335
+ message: "Authentication tokens stored in localStorage are vulnerable to XSS attacks. Use httpOnly cookies for secure token storage."
336
+ severity: ERROR
337
+ languages: [typescript, javascript]
338
+ metadata:
339
+ datahogo_id: 47
340
+ datahogo_category: "react-nextjs"
341
+ owasp_ref: "A07:2021"
342
+
343
+ # =============================================
344
+ # OWASP A08:2021 - Software & Data Integrity
345
+ # =============================================
346
+
347
+ - id: datahogo-unsafe-deserialization
348
+ patterns:
349
+ - pattern-either:
350
+ - pattern: unserialize($INPUT)
351
+ - pattern: deserialize($INPUT)
352
+ - pattern: $PKG.unserialize($INPUT)
353
+ - pattern: $PKG.deserialize($INPUT)
354
+ - pattern-either:
355
+ - pattern-inside: |
356
+ $INPUT = $REQ.body
357
+ ...
358
+ - pattern-inside: |
359
+ $INPUT = $REQ.query
360
+ ...
361
+ - pattern-inside: |
362
+ $INPUT = await $REQ.json()
363
+ ...
364
+ message: "Insecure deserialization of user input can lead to remote code execution. Validate and sanitize before deserializing."
365
+ severity: ERROR
366
+ languages: [typescript, javascript]
367
+ metadata:
368
+ datahogo_id: 8
369
+ datahogo_category: "web-owasp"
370
+ owasp_ref: "A08:2021"
371
+
372
+ # =============================================
373
+ # OWASP A09:2021 - Security Logging Failures
374
+ # =============================================
375
+
376
+ - id: datahogo-console-log-sensitive-data
377
+ patterns:
378
+ - pattern-either:
379
+ - pattern: console.log(..., $REQ.headers, ...)
380
+ - pattern: console.log(..., process.env, ...)
381
+ - pattern: console.log(..., $TOKEN, ...)
382
+ - pattern: console.log(..., $PASSWORD, ...)
383
+ - pattern: console.log(..., $SECRET, ...)
384
+ - metavariable-pattern:
385
+ metavariable: $TOKEN
386
+ patterns:
387
+ - pattern-regex: .*(token|jwt|key|apikey).*
388
+ - metavariable-pattern:
389
+ metavariable: $PASSWORD
390
+ patterns:
391
+ - pattern-regex: .*(password|passwd|pwd).*
392
+ - metavariable-pattern:
393
+ metavariable: $SECRET
394
+ patterns:
395
+ - pattern-regex: .*(secret|credential).*
396
+ message: "Logging sensitive data (credentials, tokens, environment variables). Never log secrets, use structured logging with sanitization."
397
+ severity: ERROR
398
+ languages: [typescript, javascript]
399
+ metadata:
400
+ datahogo_id: 9
401
+ datahogo_category: "web-owasp"
402
+ owasp_ref: "A09:2021"
403
+
404
+ - id: datahogo-env-vars-logged
405
+ patterns:
406
+ - pattern-either:
407
+ - pattern: console.log(process.env)
408
+ - pattern: console.log(..., process.env, ...)
409
+ - pattern: console.info(process.env)
410
+ - pattern: console.error(process.env)
411
+ - pattern: logger.info(process.env)
412
+ - pattern: logger.debug(process.env)
413
+ message: "Environment variables contain sensitive configuration. Never log the entire process.env object."
414
+ severity: ERROR
415
+ languages: [typescript, javascript]
416
+ metadata:
417
+ datahogo_id: 134
418
+ datahogo_category: "serverless"
419
+ owasp_ref: "A09:2021"
420
+
421
+ # =============================================
422
+ # OWASP A10:2021 - Server-Side Request Forgery
423
+ # =============================================
424
+
425
+ - id: datahogo-ssrf-fetch-user-input
426
+ patterns:
427
+ - pattern-either:
428
+ - pattern: fetch($URL, ...)
429
+ - pattern: axios.get($URL, ...)
430
+ - pattern: axios.post($URL, ...)
431
+ - pattern: $HTTP.get($URL, ...)
432
+ - pattern: $HTTP.request($URL, ...)
433
+ - pattern-either:
434
+ - pattern-inside: |
435
+ $URL = $REQ.body.$FIELD
436
+ ...
437
+ - pattern-inside: |
438
+ $URL = $REQ.query.$PARAM
439
+ ...
440
+ - pattern-inside: |
441
+ $URL = $PARAMS.get(...)
442
+ ...
443
+ message: "SSRF vulnerability: User-controlled URL in HTTP request. Validate URLs against an allowlist of domains and protocols."
444
+ severity: ERROR
445
+ languages: [typescript, javascript]
446
+ metadata:
447
+ datahogo_id: 10
448
+ datahogo_category: "web-owasp"
449
+ owasp_ref: "A10:2021"
450
+
451
+ # =============================================
452
+ # Client-Side Validation Only
453
+ # =============================================
454
+
455
+ - id: datahogo-client-side-auth-check
456
+ patterns:
457
+ - pattern-inside: |
458
+ "use client"
459
+ ...
460
+ - pattern-either:
461
+ - pattern: if ($USER.isAdmin) { ... }
462
+ - pattern: if ($USER.role === "admin") { ... }
463
+ - pattern: if (isAuthenticated) { ... }
464
+ message: "Authorization logic in client component. Auth checks must be performed on the server-side, not in client code."
465
+ severity: ERROR
466
+ languages: [typescript, javascript]
467
+ metadata:
468
+ datahogo_id: 6
469
+ datahogo_category: "web-owasp"
470
+ owasp_ref: "A04:2021"
471
+
472
+ # =============================================
473
+ # Path Traversal
474
+ # =============================================
475
+
476
+ - id: datahogo-path-traversal
477
+ patterns:
478
+ - pattern-either:
479
+ - pattern: fs.readFile($PATH, ...)
480
+ - pattern: fs.readFileSync($PATH, ...)
481
+ - pattern: fs.writeFile($PATH, ...)
482
+ - pattern: fs.createReadStream($PATH, ...)
483
+ - pattern: fs.unlink($PATH, ...)
484
+ - pattern-either:
485
+ - pattern-inside: |
486
+ $PATH = ... + $REQ.query.$PARAM
487
+ ...
488
+ - pattern-inside: |
489
+ $PATH = ... + $REQ.body.$FIELD
490
+ ...
491
+ - pattern-inside: |
492
+ $PATH = ... + $PARAMS.get(...)
493
+ ...
494
+ - pattern-inside: |
495
+ $PATH = `... ${$REQ.query.$PARAM} ...`
496
+ ...
497
+ message: "Path traversal vulnerability. User input is used in file path without validation. Sanitize paths and restrict to allowed directories."
498
+ severity: ERROR
499
+ languages: [typescript, javascript]
500
+ metadata:
501
+ datahogo_id: 106
502
+ datahogo_category: "files"
503
+ owasp_ref: "A01:2021"
504
+
505
+ # =============================================
506
+ # React / Frontend Specific
507
+ # =============================================
508
+
509
+ - id: datahogo-dangerouslysetinnerhtml
510
+ patterns:
511
+ - pattern: <$EL dangerouslySetInnerHTML={{__html: $HTML}} />
512
+ - pattern-not: <$EL dangerouslySetInnerHTML={{__html: DOMPurify.sanitize($HTML)}} />
513
+ message: "dangerouslySetInnerHTML without sanitization can lead to XSS attacks. Use DOMPurify to sanitize HTML before rendering."
514
+ severity: ERROR
515
+ languages: [typescript, javascript]
516
+ metadata:
517
+ datahogo_id: 46
518
+ datahogo_category: "react-nextjs"
519
+ owasp_ref: "A03:2021"
520
+
521
+ # =============================================
522
+ # Mass Assignment
523
+ # =============================================
524
+
525
+ - id: datahogo-mass-assignment
526
+ patterns:
527
+ - pattern-either:
528
+ - pattern: $DB.update($REQ.body)
529
+ - pattern: $DB.create($REQ.body)
530
+ - pattern: $DB.insert($REQ.body)
531
+ - pattern: $MODEL.update($REQ.body)
532
+ - pattern: $MODEL.create($REQ.body)
533
+ - pattern-not-inside: |
534
+ const $VALIDATED = $SCHEMA.parse($REQ.body)
535
+ ...
536
+ message: "Mass assignment vulnerability. Request body is passed directly to database without validation. Use Zod or similar to validate input."
537
+ severity: ERROR
538
+ languages: [typescript, javascript]
539
+ metadata:
540
+ datahogo_id: 98
541
+ datahogo_category: "api"
542
+ owasp_ref: "A01:2021"
543
+
544
+ # =============================================
545
+ # Prototype Pollution
546
+ # =============================================
547
+
548
+ - id: datahogo-prototype-pollution-assign
549
+ patterns:
550
+ - pattern-either:
551
+ - pattern: Object.assign($TARGET, $REQ.body)
552
+ - pattern: Object.assign($TARGET, $REQ.query)
553
+ - pattern: |
554
+ { ...$REQ.body }
555
+ - pattern: |
556
+ { ...$REQ.query }
557
+ message: "Prototype pollution risk. Spreading or assigning request data can pollute Object.prototype. Validate input structure first."
558
+ severity: ERROR
559
+ languages: [typescript, javascript]
560
+ metadata:
561
+ datahogo_id: 128
562
+ datahogo_category: "javascript"
563
+ owasp_ref: "A03:2021"
564
+
565
+ # =============================================
566
+ # Price/Amount from Client
567
+ # =============================================
568
+
569
+ - id: datahogo-client-controlled-price
570
+ patterns:
571
+ - pattern-either:
572
+ - pattern: |
573
+ $PRICE = $REQ.body.price
574
+ - pattern: |
575
+ $AMOUNT = $REQ.body.amount
576
+ - pattern: |
577
+ $TOTAL = $REQ.body.total
578
+ - pattern: |
579
+ const { price: $PRICE, ... } = $REQ.body
580
+ - pattern: |
581
+ const { amount: $AMOUNT, ... } = $REQ.body
582
+ message: "Critical business logic flaw: Price or amount controlled by client input. Always calculate prices server-side based on product IDs."
583
+ severity: ERROR
584
+ languages: [typescript, javascript]
585
+ metadata:
586
+ datahogo_id: 114
587
+ datahogo_category: "logic"
588
+ owasp_ref: "A04:2021"