@defai.digital/ax-cli 3.4.6 → 3.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +2 -6
- package/README.md +109 -2
- package/dist/analyzers/ast/index.d.ts +9 -0
- package/dist/analyzers/ast/index.js +10 -0
- package/dist/analyzers/ast/index.js.map +1 -0
- package/dist/analyzers/ast/node-helpers.d.ts +81 -0
- package/dist/analyzers/ast/node-helpers.js +128 -0
- package/dist/analyzers/ast/node-helpers.js.map +1 -0
- package/dist/analyzers/ast/parser.d.ts +59 -0
- package/dist/analyzers/ast/parser.js +293 -0
- package/dist/analyzers/ast/parser.js.map +1 -0
- package/dist/analyzers/ast/traverser.d.ts +67 -0
- package/dist/analyzers/ast/traverser.js +156 -0
- package/dist/analyzers/ast/traverser.js.map +1 -0
- package/dist/analyzers/ast/types.d.ts +107 -0
- package/dist/analyzers/ast/types.js +7 -0
- package/dist/analyzers/ast/types.js.map +1 -0
- package/dist/analyzers/best-practices/index.d.ts +10 -0
- package/dist/analyzers/best-practices/index.js +11 -0
- package/dist/analyzers/best-practices/index.js.map +1 -0
- package/dist/analyzers/code-smells/base-smell-detector.d.ts +30 -0
- package/dist/analyzers/code-smells/base-smell-detector.js +44 -0
- package/dist/analyzers/code-smells/base-smell-detector.js.map +1 -0
- package/dist/analyzers/code-smells/code-smell-analyzer.d.ts +30 -0
- package/dist/analyzers/code-smells/code-smell-analyzer.js +167 -0
- package/dist/analyzers/code-smells/code-smell-analyzer.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/data-clumps-detector.d.ts +11 -0
- package/dist/analyzers/code-smells/detectors/data-clumps-detector.js +66 -0
- package/dist/analyzers/code-smells/detectors/data-clumps-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/dead-code-detector.d.ts +11 -0
- package/dist/analyzers/code-smells/detectors/dead-code-detector.js +53 -0
- package/dist/analyzers/code-smells/detectors/dead-code-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/duplicate-code-detector.d.ts +11 -0
- package/dist/analyzers/code-smells/detectors/duplicate-code-detector.js +51 -0
- package/dist/analyzers/code-smells/detectors/duplicate-code-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/feature-envy-detector.d.ts +11 -0
- package/dist/analyzers/code-smells/detectors/feature-envy-detector.js +64 -0
- package/dist/analyzers/code-smells/detectors/feature-envy-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/inappropriate-intimacy-detector.d.ts +11 -0
- package/dist/analyzers/code-smells/detectors/inappropriate-intimacy-detector.js +56 -0
- package/dist/analyzers/code-smells/detectors/inappropriate-intimacy-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/large-class-detector.d.ts +13 -0
- package/dist/analyzers/code-smells/detectors/large-class-detector.js +58 -0
- package/dist/analyzers/code-smells/detectors/large-class-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/long-method-detector.d.ts +12 -0
- package/dist/analyzers/code-smells/detectors/long-method-detector.js +52 -0
- package/dist/analyzers/code-smells/detectors/long-method-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/long-parameter-list-detector.d.ts +12 -0
- package/dist/analyzers/code-smells/detectors/long-parameter-list-detector.js +50 -0
- package/dist/analyzers/code-smells/detectors/long-parameter-list-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/magic-numbers-detector.d.ts +12 -0
- package/dist/analyzers/code-smells/detectors/magic-numbers-detector.js +54 -0
- package/dist/analyzers/code-smells/detectors/magic-numbers-detector.js.map +1 -0
- package/dist/analyzers/code-smells/detectors/nested-conditionals-detector.d.ts +13 -0
- package/dist/analyzers/code-smells/detectors/nested-conditionals-detector.js +71 -0
- package/dist/analyzers/code-smells/detectors/nested-conditionals-detector.js.map +1 -0
- package/dist/analyzers/code-smells/index.d.ts +16 -0
- package/dist/analyzers/code-smells/index.js +19 -0
- package/dist/analyzers/code-smells/index.js.map +1 -0
- package/dist/analyzers/code-smells/types.d.ts +82 -0
- package/dist/analyzers/code-smells/types.js +30 -0
- package/dist/analyzers/code-smells/types.js.map +1 -0
- package/dist/analyzers/dependency/circular-detector.d.ts +17 -0
- package/dist/analyzers/dependency/circular-detector.js +71 -0
- package/dist/analyzers/dependency/circular-detector.js.map +1 -0
- package/dist/analyzers/dependency/coupling-calculator.d.ts +24 -0
- package/dist/analyzers/dependency/coupling-calculator.js +86 -0
- package/dist/analyzers/dependency/coupling-calculator.js.map +1 -0
- package/dist/analyzers/dependency/dependency-analyzer.d.ts +40 -0
- package/dist/analyzers/dependency/dependency-analyzer.js +214 -0
- package/dist/analyzers/dependency/dependency-analyzer.js.map +1 -0
- package/dist/analyzers/dependency/dependency-graph.d.ts +57 -0
- package/dist/analyzers/dependency/dependency-graph.js +186 -0
- package/dist/analyzers/dependency/dependency-graph.js.map +1 -0
- package/dist/analyzers/dependency/index.d.ts +8 -0
- package/dist/analyzers/dependency/index.js +8 -0
- package/dist/analyzers/dependency/index.js.map +1 -0
- package/dist/analyzers/dependency/types.d.ts +105 -0
- package/dist/analyzers/dependency/types.js +5 -0
- package/dist/analyzers/dependency/types.js.map +1 -0
- package/dist/analyzers/git/churn-calculator.d.ts +34 -0
- package/dist/analyzers/git/churn-calculator.js +214 -0
- package/dist/analyzers/git/churn-calculator.js.map +1 -0
- package/dist/analyzers/git/git-analyzer.d.ts +19 -0
- package/dist/analyzers/git/git-analyzer.js +71 -0
- package/dist/analyzers/git/git-analyzer.js.map +1 -0
- package/dist/analyzers/git/hotspot-detector.d.ts +34 -0
- package/dist/analyzers/git/hotspot-detector.js +170 -0
- package/dist/analyzers/git/hotspot-detector.js.map +1 -0
- package/dist/analyzers/git/index.d.ts +7 -0
- package/dist/analyzers/git/index.js +7 -0
- package/dist/analyzers/git/index.js.map +1 -0
- package/dist/analyzers/git/types.d.ts +88 -0
- package/dist/analyzers/git/types.js +5 -0
- package/dist/analyzers/git/types.js.map +1 -0
- package/dist/analyzers/metrics/halstead-calculator.d.ts +30 -0
- package/dist/analyzers/metrics/halstead-calculator.js +150 -0
- package/dist/analyzers/metrics/halstead-calculator.js.map +1 -0
- package/dist/analyzers/metrics/index.d.ts +9 -0
- package/dist/analyzers/metrics/index.js +9 -0
- package/dist/analyzers/metrics/index.js.map +1 -0
- package/dist/analyzers/metrics/maintainability-calculator.d.ts +17 -0
- package/dist/analyzers/metrics/maintainability-calculator.js +46 -0
- package/dist/analyzers/metrics/maintainability-calculator.js.map +1 -0
- package/dist/analyzers/metrics/metrics-analyzer.d.ts +32 -0
- package/dist/analyzers/metrics/metrics-analyzer.js +140 -0
- package/dist/analyzers/metrics/metrics-analyzer.js.map +1 -0
- package/dist/analyzers/metrics/types.d.ts +67 -0
- package/dist/analyzers/metrics/types.js +5 -0
- package/dist/analyzers/metrics/types.js.map +1 -0
- package/dist/analyzers/security/base-detector.d.ts +58 -0
- package/dist/analyzers/security/base-detector.js +104 -0
- package/dist/analyzers/security/base-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/command-injection-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/command-injection-detector.js +84 -0
- package/dist/analyzers/security/detectors/command-injection-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/hardcoded-secrets-detector.d.ts +16 -0
- package/dist/analyzers/security/detectors/hardcoded-secrets-detector.js +140 -0
- package/dist/analyzers/security/detectors/hardcoded-secrets-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/insecure-deserialization-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/insecure-deserialization-detector.js +109 -0
- package/dist/analyzers/security/detectors/insecure-deserialization-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/insecure-random-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/insecure-random-detector.js +61 -0
- package/dist/analyzers/security/detectors/insecure-random-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/path-traversal-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/path-traversal-detector.js +82 -0
- package/dist/analyzers/security/detectors/path-traversal-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/sql-injection-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/sql-injection-detector.js +88 -0
- package/dist/analyzers/security/detectors/sql-injection-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/weak-crypto-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/weak-crypto-detector.js +104 -0
- package/dist/analyzers/security/detectors/weak-crypto-detector.js.map +1 -0
- package/dist/analyzers/security/detectors/xss-detector.d.ts +12 -0
- package/dist/analyzers/security/detectors/xss-detector.js +90 -0
- package/dist/analyzers/security/detectors/xss-detector.js.map +1 -0
- package/dist/analyzers/security/index.d.ts +16 -0
- package/dist/analyzers/security/index.js +18 -0
- package/dist/analyzers/security/index.js.map +1 -0
- package/dist/analyzers/security/security-analyzer.d.ts +38 -0
- package/dist/analyzers/security/security-analyzer.js +215 -0
- package/dist/analyzers/security/security-analyzer.js.map +1 -0
- package/dist/analyzers/security/types.d.ts +95 -0
- package/dist/analyzers/security/types.js +7 -0
- package/dist/analyzers/security/types.js.map +1 -0
- package/dist/hooks/use-enhanced-input.d.ts +0 -1
- package/dist/hooks/use-enhanced-input.js.map +1 -1
- package/dist/index.js +0 -0
- package/dist/mcp/validation.js +12 -6
- package/dist/mcp/validation.js.map +1 -1
- package/dist/tools/analysis-tools.d.ts +73 -0
- package/dist/tools/analysis-tools.js +422 -0
- package/dist/tools/analysis-tools.js.map +1 -0
- package/dist/tools/bash.js +2 -1
- package/dist/tools/bash.js.map +1 -1
- package/dist/ui/components/toast-notification.js +0 -1
- package/dist/ui/components/toast-notification.js.map +1 -1
- package/dist/ui/components/welcome-panel.js +1 -1
- package/dist/ui/components/welcome-panel.js.map +1 -1
- package/dist/ui/hooks/use-input-history.d.ts +9 -0
- package/dist/ui/hooks/use-input-history.js +117 -0
- package/dist/ui/hooks/use-input-history.js.map +1 -0
- package/dist/utils/parallel-analyzer.js +30 -17
- package/dist/utils/parallel-analyzer.js.map +1 -1
- package/eslint.config.js +3 -0
- package/package.json +5 -5
- package/vitest.config.ts +1 -0
- package/.ax-cli/checkpoints/2025-11-20/checkpoint-11e9e0ba-c39d-4fd2-aa77-bc818811c921.json +0 -69
- package/.ax-cli/checkpoints/2025-11-20/checkpoint-2b260b98-b418-4c7c-9694-e2b94967e662.json +0 -24
- package/.ax-cli/checkpoints/2025-11-20/checkpoint-7e03601e-e8ab-4cd7-9841-a74b66adf78f.json +0 -69
- package/.ax-cli/checkpoints/2025-11-20/checkpoint-7f9c6562-771f-4fd0-adcf-9e7e9ac34ae8.json +0 -44
- package/.ax-cli/checkpoints/2025-11-20/checkpoint-e1ebe666-4c3a-4367-ba5c-27fe512a9c70.json +0 -24
- package/.ax-cli/checkpoints/2025-11-21/checkpoint-15743e7d-430c-4d76-b6fc-955d7a5c250c.json +0 -44
- package/.ax-cli/checkpoints/2025-11-21/checkpoint-25cf7679-0b3f-4988-83d7-704548fbba91.json +0 -69
- package/.ax-cli/checkpoints/2025-11-21/checkpoint-54aedbac-6db0-464e-8ebb-dbb3979e6dca.json +0 -24
- package/.ax-cli/checkpoints/2025-11-21/checkpoint-7658aed8-fe5d-4222-903f-1a7c63717ea7.json +0 -24
- package/.ax-cli/checkpoints/2025-11-21/checkpoint-c9c13497-40dc-4294-a327-6a5fc854eaa1.json +0 -69
- package/automatosx.config.json +0 -333
- package/config/messages.yaml +0 -75
- package/config/models.yaml +0 -66
- package/config/prompts.yaml +0 -156
- package/config/settings.yaml +0 -86
- package/dist/commands/weather.d.ts +0 -8
- package/dist/commands/weather.js +0 -160
- package/dist/commands/weather.js.map +0 -1
- package/dist/grok/client.d.ts +0 -144
- package/dist/grok/client.js +0 -237
- package/dist/grok/client.js.map +0 -1
- package/dist/grok/tools.d.ts +0 -8
- package/dist/grok/tools.js +0 -318
- package/dist/grok/tools.js.map +0 -1
- package/dist/grok/types.d.ts +0 -291
- package/dist/grok/types.js +0 -127
- package/dist/grok/types.js.map +0 -1
- package/dist/tools/morph-editor.d.ts +0 -36
- package/dist/tools/morph-editor.js +0 -308
- package/dist/tools/morph-editor.js.map +0 -1
- package/dist/ui/components/session-recovery.d.ts +0 -12
- package/dist/ui/components/session-recovery.js +0 -93
- package/dist/ui/components/session-recovery.js.map +0 -1
- package/dist/utils/model-config.d.ts +0 -28
- package/dist/utils/model-config.js +0 -43
- package/dist/utils/model-config.js.map +0 -1
- package/dist/utils/tool-helpers.d.ts +0 -25
- package/dist/utils/tool-helpers.js +0 -79
- package/dist/utils/tool-helpers.js.map +0 -1
- package/packages/schemas/dist/index.d.ts +0 -14
- package/packages/schemas/dist/index.d.ts.map +0 -1
- package/packages/schemas/dist/index.js +0 -19
- package/packages/schemas/dist/index.js.map +0 -1
- package/packages/schemas/dist/public/core/brand-types.d.ts +0 -308
- package/packages/schemas/dist/public/core/brand-types.d.ts.map +0 -1
- package/packages/schemas/dist/public/core/brand-types.js +0 -243
- package/packages/schemas/dist/public/core/brand-types.js.map +0 -1
- package/packages/schemas/dist/public/core/enums.d.ts +0 -227
- package/packages/schemas/dist/public/core/enums.d.ts.map +0 -1
- package/packages/schemas/dist/public/core/enums.js +0 -222
- package/packages/schemas/dist/public/core/enums.js.map +0 -1
- package/packages/schemas/dist/public/core/id-types.d.ts +0 -286
- package/packages/schemas/dist/public/core/id-types.d.ts.map +0 -1
- package/packages/schemas/dist/public/core/id-types.js +0 -136
- package/packages/schemas/dist/public/core/id-types.js.map +0 -1
|
@@ -0,0 +1,140 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Hardcoded Secrets Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects hardcoded passwords, API keys, tokens, and other secrets
|
|
5
|
+
* OWASP A02:2021 - Cryptographic Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
export class HardcodedSecretsDetector extends BaseSecurityDetector {
|
|
9
|
+
constructor() {
|
|
10
|
+
super({
|
|
11
|
+
id: 'hardcoded-secrets',
|
|
12
|
+
name: 'Hardcoded Secrets',
|
|
13
|
+
description: 'Detects hardcoded passwords, API keys, and tokens',
|
|
14
|
+
severity: 'critical',
|
|
15
|
+
owaspCategory: 'A02:2021 - Cryptographic Failures',
|
|
16
|
+
cweId: 'CWE-798',
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
async scan(content, filePath) {
|
|
20
|
+
if (!this.appliesTo(filePath)) {
|
|
21
|
+
return [];
|
|
22
|
+
}
|
|
23
|
+
const vulnerabilities = [];
|
|
24
|
+
// Pattern 1: Common secret variable names with hardcoded values
|
|
25
|
+
const secretVarPatterns = [
|
|
26
|
+
{
|
|
27
|
+
pattern: /(?:password|passwd|pwd|secret|token|apikey|api_key|private_key|privatekey)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/gi,
|
|
28
|
+
type: 'password/token',
|
|
29
|
+
},
|
|
30
|
+
{
|
|
31
|
+
pattern: /(?:auth|authorization|bearer)\s*[:=]\s*['"`]([^'"`]{20,})['"`]/gi,
|
|
32
|
+
type: 'auth token',
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
pattern: /(?:access_token|accesstoken|refresh_token|refreshtoken)\s*[:=]\s*['"`]([^'"`]{20,})['"`]/gi,
|
|
36
|
+
type: 'access token',
|
|
37
|
+
},
|
|
38
|
+
];
|
|
39
|
+
for (const { pattern, type } of secretVarPatterns) {
|
|
40
|
+
let match;
|
|
41
|
+
const regex = new RegExp(pattern);
|
|
42
|
+
while ((match = regex.exec(content)) !== null) {
|
|
43
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
44
|
+
continue;
|
|
45
|
+
}
|
|
46
|
+
// Skip if it looks like a placeholder
|
|
47
|
+
const value = match[1];
|
|
48
|
+
if (this.isPlaceholder(value)) {
|
|
49
|
+
continue;
|
|
50
|
+
}
|
|
51
|
+
const line = this.findLineNumber(content, match.index);
|
|
52
|
+
const code = this.extractCodeSnippet(content, match.index, 0);
|
|
53
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, `Hardcoded ${type} detected in source code`, 'Use environment variables or secure secret management systems (e.g., AWS Secrets Manager, HashiCorp Vault)', [
|
|
54
|
+
'https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password',
|
|
55
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html',
|
|
56
|
+
]));
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
// Pattern 2: AWS Access Keys
|
|
60
|
+
const awsKeyPattern = /(?:AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}/g;
|
|
61
|
+
let match;
|
|
62
|
+
while ((match = awsKeyPattern.exec(content)) !== null) {
|
|
63
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
64
|
+
continue;
|
|
65
|
+
}
|
|
66
|
+
const line = this.findLineNumber(content, match.index);
|
|
67
|
+
const code = this.extractCodeSnippet(content, match.index, 0);
|
|
68
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'AWS Access Key ID detected in source code', 'Remove hardcoded AWS credentials. Use IAM roles or environment variables', [
|
|
69
|
+
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html',
|
|
70
|
+
]));
|
|
71
|
+
}
|
|
72
|
+
// Pattern 3: Generic API key patterns
|
|
73
|
+
const apiKeyPattern = /['"`]([a-zA-Z0-9_-]{32,})['"`]/g;
|
|
74
|
+
while ((match = apiKeyPattern.exec(content)) !== null) {
|
|
75
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
76
|
+
continue;
|
|
77
|
+
}
|
|
78
|
+
// Check if preceded by key-related variable names
|
|
79
|
+
const beforeMatch = content.substring(Math.max(0, match.index - 50), match.index);
|
|
80
|
+
if (/(?:key|token|secret|api)/i.test(beforeMatch)) {
|
|
81
|
+
const value = match[1];
|
|
82
|
+
if (this.isPlaceholder(value)) {
|
|
83
|
+
continue;
|
|
84
|
+
}
|
|
85
|
+
const line = this.findLineNumber(content, match.index);
|
|
86
|
+
const code = this.extractCodeSnippet(content, match.index, 0);
|
|
87
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Potential API key or token detected in source code', 'Use environment variables to store sensitive credentials', [
|
|
88
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html',
|
|
89
|
+
]));
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
// Pattern 4: JWT tokens
|
|
93
|
+
const jwtPattern = /eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g;
|
|
94
|
+
while ((match = jwtPattern.exec(content)) !== null) {
|
|
95
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
96
|
+
continue;
|
|
97
|
+
}
|
|
98
|
+
const line = this.findLineNumber(content, match.index);
|
|
99
|
+
const code = this.extractCodeSnippet(content, match.index, 0);
|
|
100
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'JWT token detected in source code', 'Never hardcode JWT tokens. Generate them at runtime', [
|
|
101
|
+
'https://jwt.io/introduction',
|
|
102
|
+
]));
|
|
103
|
+
}
|
|
104
|
+
// Pattern 5: Database connection strings
|
|
105
|
+
const dbConnectionPattern = /(?:mongodb|mysql|postgresql|postgres|redis):\/\/[^\s;'"]+:[^\s;'"]+@/gi;
|
|
106
|
+
while ((match = dbConnectionPattern.exec(content)) !== null) {
|
|
107
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
108
|
+
continue;
|
|
109
|
+
}
|
|
110
|
+
const line = this.findLineNumber(content, match.index);
|
|
111
|
+
const code = this.extractCodeSnippet(content, match.index, 0);
|
|
112
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Database connection string with credentials detected in source code', 'Use environment variables for database credentials', [
|
|
113
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html',
|
|
114
|
+
]));
|
|
115
|
+
}
|
|
116
|
+
return vulnerabilities;
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Check if value looks like a placeholder
|
|
120
|
+
*/
|
|
121
|
+
isPlaceholder(value) {
|
|
122
|
+
const placeholders = [
|
|
123
|
+
/^[xX]+$/,
|
|
124
|
+
/^[*]+$/,
|
|
125
|
+
/^your[_-]?/i,
|
|
126
|
+
/^test[_-]?/i,
|
|
127
|
+
/^example/i,
|
|
128
|
+
/^placeholder/i,
|
|
129
|
+
/^dummy/i,
|
|
130
|
+
/^fake/i,
|
|
131
|
+
/^sample/i,
|
|
132
|
+
/^xxx/i,
|
|
133
|
+
/^todo/i,
|
|
134
|
+
/^changeme/i,
|
|
135
|
+
/^replace/i,
|
|
136
|
+
];
|
|
137
|
+
return placeholders.some(pattern => pattern.test(value));
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
//# sourceMappingURL=hardcoded-secrets-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hardcoded-secrets-detector.js","sourceRoot":"","sources":["../../../../src/analyzers/security/detectors/hardcoded-secrets-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,OAAO,wBAAyB,SAAQ,oBAAoB;IAChE;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,mBAAmB;YACvB,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,mDAAmD;YAChE,QAAQ,EAAE,UAAU;YACpB,aAAa,EAAE,mCAAmC;YAClD,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,gEAAgE;QAChE,MAAM,iBAAiB,GAAG;YACxB;gBACE,OAAO,EAAE,8GAA8G;gBACvH,IAAI,EAAE,gBAAgB;aACvB;YACD;gBACE,OAAO,EAAE,kEAAkE;gBAC3E,IAAI,EAAE,YAAY;aACnB;YACD;gBACE,OAAO,EAAE,4FAA4F;gBACrG,IAAI,EAAE,cAAc;aACrB;SACF,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,iBAAiB,EAAE,CAAC;YAClD,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,sCAAsC;gBACtC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9B,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,aAAa,IAAI,0BAA0B,EAC3C,4GAA4G,EAC5G;oBACE,4EAA4E;oBAC5E,oFAAoF;iBACrF,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,aAAa,GAAG,8DAA8D,CAAC;QACrF,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,2CAA2C,EAC3C,0EAA0E,EAC1E;gBACE,kFAAkF;aACnF,CACF,CACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,MAAM,aAAa,GAAG,iCAAiC,CAAC;QACxD,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAClF,IAAI,2BAA2B,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9B,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,oDAAoD,EACpD,0DAA0D,EAC1D;oBACE,oFAAoF;iBACrF,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,MAAM,UAAU,GAAG,uDAAuD,CAAC;QAC3E,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,mCAAmC,EACnC,qDAAqD,EACrD;gBACE,6BAA6B;aAC9B,CACF,CACF,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,MAAM,mBAAmB,GAAG,wEAAwE,CAAC;QACrG,OAAO,CAAC,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,qEAAqE,EACrE,oDAAoD,EACpD;gBACE,mFAAmF;aACpF,CACF,CACF,CAAC;QACJ,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,KAAa;QACjC,MAAM,YAAY,GAAG;YACnB,SAAS;YACT,QAAQ;YACR,aAAa;YACb,aAAa;YACb,WAAW;YACX,eAAe;YACf,SAAS;YACT,QAAQ;YACR,UAAU;YACV,OAAO;YACP,QAAQ;YACR,YAAY;YACZ,WAAW;SACZ,CAAC;QAEF,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3D,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Insecure Deserialization Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects insecure deserialization vulnerabilities
|
|
5
|
+
* OWASP A08:2021 - Software and Data Integrity Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
import type { SecurityVulnerability } from '../types.js';
|
|
9
|
+
export declare class InsecureDeserializationDetector extends BaseSecurityDetector {
|
|
10
|
+
constructor();
|
|
11
|
+
scan(content: string, filePath: string): Promise<SecurityVulnerability[]>;
|
|
12
|
+
}
|
|
@@ -0,0 +1,109 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Insecure Deserialization Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects insecure deserialization vulnerabilities
|
|
5
|
+
* OWASP A08:2021 - Software and Data Integrity Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
export class InsecureDeserializationDetector extends BaseSecurityDetector {
|
|
9
|
+
constructor() {
|
|
10
|
+
super({
|
|
11
|
+
id: 'insecure-deserialization',
|
|
12
|
+
name: 'Insecure Deserialization',
|
|
13
|
+
description: 'Detects insecure deserialization vulnerabilities',
|
|
14
|
+
severity: 'high',
|
|
15
|
+
owaspCategory: 'A08:2021 - Software and Data Integrity Failures',
|
|
16
|
+
cweId: 'CWE-502',
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
async scan(content, filePath) {
|
|
20
|
+
if (!this.appliesTo(filePath)) {
|
|
21
|
+
return [];
|
|
22
|
+
}
|
|
23
|
+
const vulnerabilities = [];
|
|
24
|
+
// Pattern 1: JSON.parse with user input without validation
|
|
25
|
+
const jsonParsePattern = /JSON\.parse\((?:req\.|params\.|query\.|input|user)[^)]+\)/gi;
|
|
26
|
+
let match;
|
|
27
|
+
while ((match = jsonParsePattern.exec(content)) !== null) {
|
|
28
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
29
|
+
continue;
|
|
30
|
+
}
|
|
31
|
+
const line = this.findLineNumber(content, match.index);
|
|
32
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
33
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'JSON.parse with user input without validation may lead to prototype pollution', 'Validate JSON structure after parsing and use Object.create(null) to avoid prototype pollution', [
|
|
34
|
+
'https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data',
|
|
35
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html',
|
|
36
|
+
]));
|
|
37
|
+
}
|
|
38
|
+
// Pattern 2: eval() with JSON (extremely dangerous)
|
|
39
|
+
const evalJsonPattern = /eval\([^)]*(?:JSON|json|parse)/gi;
|
|
40
|
+
while ((match = evalJsonPattern.exec(content)) !== null) {
|
|
41
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
42
|
+
continue;
|
|
43
|
+
}
|
|
44
|
+
const line = this.findLineNumber(content, match.index);
|
|
45
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
46
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Using eval() for JSON parsing is extremely dangerous', 'Use JSON.parse() instead of eval()', [
|
|
47
|
+
'https://owasp.org/www-community/attacks/Code_Injection',
|
|
48
|
+
]));
|
|
49
|
+
}
|
|
50
|
+
// Pattern 3: Node.js serialize packages with user input
|
|
51
|
+
const serializePackages = ['node-serialize', 'serialize-javascript', 'funcster'];
|
|
52
|
+
for (const pkg of serializePackages) {
|
|
53
|
+
const pattern = new RegExp(`require\\(['"\`]${pkg}['"\`]\\)`, 'gi');
|
|
54
|
+
let pkgMatch;
|
|
55
|
+
while ((pkgMatch = pattern.exec(content)) !== null) {
|
|
56
|
+
// Check if there's deserialization with user input nearby
|
|
57
|
+
const contextStart = pkgMatch.index;
|
|
58
|
+
const contextEnd = Math.min(content.length, pkgMatch.index + 500);
|
|
59
|
+
const context = content.substring(contextStart, contextEnd);
|
|
60
|
+
if (/(?:unserialize|deserialize|parse)\([^)]*(?:req\.|params\.|query\.|input|user)/i.test(context)) {
|
|
61
|
+
const line = this.findLineNumber(content, pkgMatch.index);
|
|
62
|
+
const code = this.extractCodeSnippet(content, pkgMatch.index, 2);
|
|
63
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, `Package ${pkg} used for deserialization of user input is dangerous`, 'Avoid deserializing untrusted data. Use JSON.parse() with validation', [
|
|
64
|
+
'https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data',
|
|
65
|
+
]));
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
// Pattern 4: Object.assign with user input (prototype pollution)
|
|
70
|
+
const objectAssignPattern = /Object\.assign\([^,)]*,\s*(?:req\.|params\.|query\.|input|user)/gi;
|
|
71
|
+
while ((match = objectAssignPattern.exec(content)) !== null) {
|
|
72
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
73
|
+
continue;
|
|
74
|
+
}
|
|
75
|
+
const line = this.findLineNumber(content, match.index);
|
|
76
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
77
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Object.assign with user input may lead to prototype pollution', 'Validate and sanitize user input before using Object.assign. Consider using Object.create(null)', [
|
|
78
|
+
'https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data',
|
|
79
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html',
|
|
80
|
+
]));
|
|
81
|
+
}
|
|
82
|
+
// Pattern 5: Spread operator with user input
|
|
83
|
+
const spreadPattern = /\{\.\.\.(?:req\.|params\.|query\.|input|user)[^}]*\}/gi;
|
|
84
|
+
while ((match = spreadPattern.exec(content)) !== null) {
|
|
85
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
86
|
+
continue;
|
|
87
|
+
}
|
|
88
|
+
const line = this.findLineNumber(content, match.index);
|
|
89
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
90
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Spread operator with user input may lead to prototype pollution', 'Validate user input before spreading. Use allowlist of permitted fields', [
|
|
91
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html',
|
|
92
|
+
]));
|
|
93
|
+
}
|
|
94
|
+
// Pattern 6: vm module with user input
|
|
95
|
+
const vmPattern = /(?:runInContext|runInNewContext|runInThisContext)\([^)]*(?:req\.|params\.|query\.|input|user)/gi;
|
|
96
|
+
while ((match = vmPattern.exec(content)) !== null) {
|
|
97
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
98
|
+
continue;
|
|
99
|
+
}
|
|
100
|
+
const line = this.findLineNumber(content, match.index);
|
|
101
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
102
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'vm module with user input is extremely dangerous', 'Never execute user-provided code. Find alternative solutions', [
|
|
103
|
+
'https://nodejs.org/api/vm.html#vm_vm_executing_javascript',
|
|
104
|
+
]));
|
|
105
|
+
}
|
|
106
|
+
return vulnerabilities;
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
//# sourceMappingURL=insecure-deserialization-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"insecure-deserialization-detector.js","sourceRoot":"","sources":["../../../../src/analyzers/security/detectors/insecure-deserialization-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,OAAO,+BAAgC,SAAQ,oBAAoB;IACvE;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,0BAA0B;YAC9B,IAAI,EAAE,0BAA0B;YAChC,WAAW,EAAE,kDAAkD;YAC/D,QAAQ,EAAE,MAAM;YAChB,aAAa,EAAE,iDAAiD;YAChE,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,2DAA2D;QAC3D,MAAM,gBAAgB,GAAG,6DAA6D,CAAC;QACvF,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,+EAA+E,EAC/E,gGAAgG,EAChG;gBACE,mFAAmF;gBACnF,iFAAiF;aAClF,CACF,CACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,eAAe,GAAG,kCAAkC,CAAC;QAC3D,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,sDAAsD,EACtD,oCAAoC,EACpC;gBACE,wDAAwD;aACzD,CACF,CACF,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,UAAU,CAAC,CAAC;QACjF,KAAK,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,mBAAmB,GAAG,WAAW,EAAE,IAAI,CAAC,CAAC;YACpE,IAAI,QAAQ,CAAC;YAEb,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,0DAA0D;gBAC1D,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC;gBACpC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;gBAClE,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;gBAE5D,IAAI,gFAAgF,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnG,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;oBAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;oBAEjE,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,WAAW,GAAG,sDAAsD,EACpE,sEAAsE,EACtE;wBACE,mFAAmF;qBACpF,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,MAAM,mBAAmB,GAAG,mEAAmE,CAAC;QAChG,OAAO,CAAC,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,+DAA+D,EAC/D,iGAAiG,EACjG;gBACE,mFAAmF;gBACnF,gGAAgG;aACjG,CACF,CACF,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,MAAM,aAAa,GAAG,wDAAwD,CAAC;QAC/E,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,iEAAiE,EACjE,yEAAyE,EACzE;gBACE,gGAAgG;aACjG,CACF,CACF,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,MAAM,SAAS,GAAG,iGAAiG,CAAC;QACpH,OAAO,CAAC,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,kDAAkD,EAClD,8DAA8D,EAC9D;gBACE,2DAA2D;aAC5D,CACF,CACF,CAAC;QACJ,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Insecure Random Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects use of cryptographically weak random number generators
|
|
5
|
+
* OWASP A02:2021 - Cryptographic Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
import type { SecurityVulnerability } from '../types.js';
|
|
9
|
+
export declare class InsecureRandomDetector extends BaseSecurityDetector {
|
|
10
|
+
constructor();
|
|
11
|
+
scan(content: string, filePath: string): Promise<SecurityVulnerability[]>;
|
|
12
|
+
}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Insecure Random Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects use of cryptographically weak random number generators
|
|
5
|
+
* OWASP A02:2021 - Cryptographic Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
export class InsecureRandomDetector extends BaseSecurityDetector {
|
|
9
|
+
constructor() {
|
|
10
|
+
super({
|
|
11
|
+
id: 'insecure-random',
|
|
12
|
+
name: 'Insecure Random Number Generation',
|
|
13
|
+
description: 'Detects use of Math.random() for security-sensitive operations',
|
|
14
|
+
severity: 'medium',
|
|
15
|
+
owaspCategory: 'A02:2021 - Cryptographic Failures',
|
|
16
|
+
cweId: 'CWE-338',
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
async scan(content, filePath) {
|
|
20
|
+
if (!this.appliesTo(filePath)) {
|
|
21
|
+
return [];
|
|
22
|
+
}
|
|
23
|
+
const vulnerabilities = [];
|
|
24
|
+
// Pattern: Math.random() used in security contexts
|
|
25
|
+
const securityContextKeywords = [
|
|
26
|
+
'token',
|
|
27
|
+
'secret',
|
|
28
|
+
'password',
|
|
29
|
+
'salt',
|
|
30
|
+
'key',
|
|
31
|
+
'nonce',
|
|
32
|
+
'session',
|
|
33
|
+
'csrf',
|
|
34
|
+
'auth',
|
|
35
|
+
'crypto',
|
|
36
|
+
];
|
|
37
|
+
const mathRandomPattern = /Math\.random\(\)/gi;
|
|
38
|
+
let match;
|
|
39
|
+
while ((match = mathRandomPattern.exec(content)) !== null) {
|
|
40
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
41
|
+
continue;
|
|
42
|
+
}
|
|
43
|
+
// Check surrounding context (100 characters before and after)
|
|
44
|
+
const contextStart = Math.max(0, match.index - 100);
|
|
45
|
+
const contextEnd = Math.min(content.length, match.index + 100);
|
|
46
|
+
const context = content.substring(contextStart, contextEnd).toLowerCase();
|
|
47
|
+
// Check if in security-sensitive context
|
|
48
|
+
const isSecurityContext = securityContextKeywords.some(keyword => context.includes(keyword));
|
|
49
|
+
if (isSecurityContext) {
|
|
50
|
+
const line = this.findLineNumber(content, match.index);
|
|
51
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
52
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Math.random() is not cryptographically secure and should not be used for security-sensitive operations', 'Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) for cryptographic randomness', [
|
|
53
|
+
'https://owasp.org/www-community/vulnerabilities/Insecure_Randomness',
|
|
54
|
+
'https://nodejs.org/api/crypto.html#cryptorandombytessize-callback',
|
|
55
|
+
]));
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
return vulnerabilities;
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
//# sourceMappingURL=insecure-random-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"insecure-random-detector.js","sourceRoot":"","sources":["../../../../src/analyzers/security/detectors/insecure-random-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,OAAO,sBAAuB,SAAQ,oBAAoB;IAC9D;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,iBAAiB;YACrB,IAAI,EAAE,mCAAmC;YACzC,WAAW,EAAE,gEAAgE;YAC7E,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,mCAAmC;YAClD,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,mDAAmD;QACnD,MAAM,uBAAuB,GAAG;YAC9B,OAAO;YACP,QAAQ;YACR,UAAU;YACV,MAAM;YACN,KAAK;YACL,OAAO;YACP,SAAS;YACT,MAAM;YACN,MAAM;YACN,QAAQ;SACT,CAAC;QAEF,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;QAC/C,IAAI,KAAK,CAAC;QAEV,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1D,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,8DAA8D;YAC9D,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YAE1E,yCAAyC;YACzC,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAC/D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1B,CAAC;YAEF,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,wGAAwG,EACxG,uGAAuG,EACvG;oBACE,qEAAqE;oBACrE,mEAAmE;iBACpE,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Path Traversal Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects potential path traversal vulnerabilities
|
|
5
|
+
* OWASP A01:2021 - Broken Access Control
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
import type { SecurityVulnerability } from '../types.js';
|
|
9
|
+
export declare class PathTraversalDetector extends BaseSecurityDetector {
|
|
10
|
+
constructor();
|
|
11
|
+
scan(content: string, filePath: string): Promise<SecurityVulnerability[]>;
|
|
12
|
+
}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Path Traversal Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects potential path traversal vulnerabilities
|
|
5
|
+
* OWASP A01:2021 - Broken Access Control
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
export class PathTraversalDetector extends BaseSecurityDetector {
|
|
9
|
+
constructor() {
|
|
10
|
+
super({
|
|
11
|
+
id: 'path-traversal',
|
|
12
|
+
name: 'Path Traversal',
|
|
13
|
+
description: 'Detects potential path traversal vulnerabilities',
|
|
14
|
+
severity: 'high',
|
|
15
|
+
owaspCategory: 'A01:2021 - Broken Access Control',
|
|
16
|
+
cweId: 'CWE-22',
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
async scan(content, filePath) {
|
|
20
|
+
if (!this.appliesTo(filePath)) {
|
|
21
|
+
return [];
|
|
22
|
+
}
|
|
23
|
+
const vulnerabilities = [];
|
|
24
|
+
// Pattern 1: File operations with user input
|
|
25
|
+
const fileOpPatterns = [
|
|
26
|
+
{
|
|
27
|
+
pattern: /(?:readFile|writeFile|unlink|stat|access|open)\([^)]*(?:req\.|params\.|query\.|input|user)/gi,
|
|
28
|
+
operation: 'file operation',
|
|
29
|
+
},
|
|
30
|
+
{
|
|
31
|
+
pattern: /(?:fs\.|promises\.)(?:readFile|writeFile|unlink|stat|access|open)\([^)]*(?:req\.|params\.|query\.|input|user)/gi,
|
|
32
|
+
operation: 'file system operation',
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
pattern: /path\.join\([^)]*(?:req\.|params\.|query\.|input|user)/gi,
|
|
36
|
+
operation: 'path concatenation',
|
|
37
|
+
},
|
|
38
|
+
];
|
|
39
|
+
for (const { pattern, operation } of fileOpPatterns) {
|
|
40
|
+
let match;
|
|
41
|
+
const regex = new RegExp(pattern);
|
|
42
|
+
while ((match = regex.exec(content)) !== null) {
|
|
43
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
44
|
+
continue;
|
|
45
|
+
}
|
|
46
|
+
const line = this.findLineNumber(content, match.index);
|
|
47
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
48
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, `${operation} uses user input which may lead to path traversal attacks`, 'Validate and sanitize file paths. Use path.resolve() and check if resolved path is within allowed directory', [
|
|
49
|
+
'https://owasp.org/www-community/attacks/Path_Traversal',
|
|
50
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
|
|
51
|
+
]));
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
// Pattern 2: Direct string concatenation for file paths
|
|
55
|
+
const pathConcatPattern = /['"`][./\\]*['"`]\s*\+\s*(?:req\.|params\.|query\.|input|user)/gi;
|
|
56
|
+
let match;
|
|
57
|
+
while ((match = pathConcatPattern.exec(content)) !== null) {
|
|
58
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
59
|
+
continue;
|
|
60
|
+
}
|
|
61
|
+
const line = this.findLineNumber(content, match.index);
|
|
62
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
63
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'File path constructed using string concatenation with user input', 'Never concatenate user input directly into file paths. Use path.join() with validation', [
|
|
64
|
+
'https://owasp.org/www-community/attacks/Path_Traversal',
|
|
65
|
+
]));
|
|
66
|
+
}
|
|
67
|
+
// Pattern 3: Template literals with user input in file paths
|
|
68
|
+
const templatePathPattern = /(?:readFile|writeFile|unlink|stat|access|open)\([`'][^`']*\$\{(?:req\.|params\.|query\.|input|user)/gi;
|
|
69
|
+
while ((match = templatePathPattern.exec(content)) !== null) {
|
|
70
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
71
|
+
continue;
|
|
72
|
+
}
|
|
73
|
+
const line = this.findLineNumber(content, match.index);
|
|
74
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
75
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'File path uses template literal with user input', 'Validate and sanitize file paths. Ensure path stays within allowed directory', [
|
|
76
|
+
'https://owasp.org/www-community/attacks/Path_Traversal',
|
|
77
|
+
]));
|
|
78
|
+
}
|
|
79
|
+
return vulnerabilities;
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
//# sourceMappingURL=path-traversal-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"path-traversal-detector.js","sourceRoot":"","sources":["../../../../src/analyzers/security/detectors/path-traversal-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,OAAO,qBAAsB,SAAQ,oBAAoB;IAC7D;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,gBAAgB;YACtB,WAAW,EAAE,kDAAkD;YAC/D,QAAQ,EAAE,MAAM;YAChB,aAAa,EAAE,kCAAkC;YACjD,KAAK,EAAE,QAAQ;SAChB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,6CAA6C;QAC7C,MAAM,cAAc,GAAG;YACrB;gBACE,OAAO,EAAE,8FAA8F;gBACvG,SAAS,EAAE,gBAAgB;aAC5B;YACD;gBACE,OAAO,EAAE,iHAAiH;gBAC1H,SAAS,EAAE,uBAAuB;aACnC;YACD;gBACE,OAAO,EAAE,0DAA0D;gBACnE,SAAS,EAAE,oBAAoB;aAChC;SACF,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,cAAc,EAAE,CAAC;YACpD,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,GAAG,SAAS,2DAA2D,EACvE,6GAA6G,EAC7G;oBACE,wDAAwD;oBACxD,kFAAkF;iBACnF,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,kEAAkE,CAAC;QAC7F,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1D,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,kEAAkE,EAClE,wFAAwF,EACxF;gBACE,wDAAwD;aACzD,CACF,CACF,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,MAAM,mBAAmB,GAAG,uGAAuG,CAAC;QACpI,OAAO,CAAC,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC5D,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,iDAAiD,EACjD,8EAA8E,EAC9E;gBACE,wDAAwD;aACzD,CACF,CACF,CAAC;QACJ,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SQL Injection Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects potential SQL injection vulnerabilities
|
|
5
|
+
* OWASP A03:2021 - Injection
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
import type { SecurityVulnerability } from '../types.js';
|
|
9
|
+
export declare class SQLInjectionDetector extends BaseSecurityDetector {
|
|
10
|
+
constructor();
|
|
11
|
+
scan(content: string, filePath: string): Promise<SecurityVulnerability[]>;
|
|
12
|
+
}
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SQL Injection Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects potential SQL injection vulnerabilities
|
|
5
|
+
* OWASP A03:2021 - Injection
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
export class SQLInjectionDetector extends BaseSecurityDetector {
|
|
9
|
+
constructor() {
|
|
10
|
+
super({
|
|
11
|
+
id: 'sql-injection',
|
|
12
|
+
name: 'SQL Injection',
|
|
13
|
+
description: 'Detects potential SQL injection vulnerabilities',
|
|
14
|
+
severity: 'critical',
|
|
15
|
+
owaspCategory: 'A03:2021 - Injection',
|
|
16
|
+
cweId: 'CWE-89',
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
async scan(content, filePath) {
|
|
20
|
+
if (!this.appliesTo(filePath)) {
|
|
21
|
+
return [];
|
|
22
|
+
}
|
|
23
|
+
const vulnerabilities = [];
|
|
24
|
+
// Pattern 1: String concatenation in SQL queries
|
|
25
|
+
const concatPatterns = [
|
|
26
|
+
/(?:query|sql|execute|exec)\s*(?:=|:)\s*['"`][\s\S]*?\$\{[^}]+\}/gi,
|
|
27
|
+
/(?:query|sql|execute|exec)\s*(?:=|:)\s*['"`][\s\S]*?\+\s*\w+/gi,
|
|
28
|
+
/(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)[\s\S]*?\+\s*\w+/gi,
|
|
29
|
+
];
|
|
30
|
+
for (const pattern of concatPatterns) {
|
|
31
|
+
let match;
|
|
32
|
+
const regex = new RegExp(pattern);
|
|
33
|
+
while ((match = regex.exec(content)) !== null) {
|
|
34
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
35
|
+
continue;
|
|
36
|
+
}
|
|
37
|
+
const line = this.findLineNumber(content, match.index);
|
|
38
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
39
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'SQL query uses string concatenation which may lead to SQL injection', 'Use parameterized queries or prepared statements instead of string concatenation', [
|
|
40
|
+
'https://owasp.org/www-community/attacks/SQL_Injection',
|
|
41
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html',
|
|
42
|
+
]));
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
// Pattern 2: Direct use of user input in queries
|
|
46
|
+
const userInputPatterns = [
|
|
47
|
+
/(?:query|sql|execute|exec)\s*(?:=|:)\s*['"`][\s\S]*?(?:req\.body|req\.query|req\.params|params|input|userInput)/gi,
|
|
48
|
+
/(?:SELECT|INSERT|UPDATE|DELETE)[\s\S]{0,100}(?:req\.body|req\.query|req\.params|params|input)/gi,
|
|
49
|
+
];
|
|
50
|
+
for (const pattern of userInputPatterns) {
|
|
51
|
+
let match;
|
|
52
|
+
const regex = new RegExp(pattern);
|
|
53
|
+
while ((match = regex.exec(content)) !== null) {
|
|
54
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
55
|
+
continue;
|
|
56
|
+
}
|
|
57
|
+
const line = this.findLineNumber(content, match.index);
|
|
58
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
59
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'SQL query directly uses user input without sanitization', 'Always sanitize and validate user input. Use parameterized queries or ORM methods', [
|
|
60
|
+
'https://owasp.org/www-community/attacks/SQL_Injection',
|
|
61
|
+
'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
|
|
62
|
+
]));
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
// Pattern 3: Unsafe query execution methods
|
|
66
|
+
const unsafeMethodPatterns = [
|
|
67
|
+
/\.query\(['"`][^'"`]*\$\{/gi,
|
|
68
|
+
/\.exec\(['"`][^'"`]*\$\{/gi,
|
|
69
|
+
/\.raw\(['"`][^'"`]*\$\{/gi,
|
|
70
|
+
];
|
|
71
|
+
for (const pattern of unsafeMethodPatterns) {
|
|
72
|
+
let match;
|
|
73
|
+
const regex = new RegExp(pattern);
|
|
74
|
+
while ((match = regex.exec(content)) !== null) {
|
|
75
|
+
if (this.shouldIgnore(content, match.index)) {
|
|
76
|
+
continue;
|
|
77
|
+
}
|
|
78
|
+
const line = this.findLineNumber(content, match.index);
|
|
79
|
+
const code = this.extractCodeSnippet(content, match.index, 1);
|
|
80
|
+
vulnerabilities.push(this.createVulnerability(filePath, line, code, 'Database method uses template literals which may be vulnerable to SQL injection', 'Use parameterized queries with placeholders (?, $1, etc.) instead of template literals', [
|
|
81
|
+
'https://owasp.org/www-community/attacks/SQL_Injection',
|
|
82
|
+
]));
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
return vulnerabilities;
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
//# sourceMappingURL=sql-injection-detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sql-injection-detector.js","sourceRoot":"","sources":["../../../../src/analyzers/security/detectors/sql-injection-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,OAAO,oBAAqB,SAAQ,oBAAoB;IAC5D;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,eAAe;YACnB,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,iDAAiD;YAC9D,QAAQ,EAAE,UAAU;YACpB,aAAa,EAAE,sBAAsB;YACrC,KAAK,EAAE,QAAQ;SAChB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,iDAAiD;QACjD,MAAM,cAAc,GAAG;YACrB,mEAAmE;YACnE,gEAAgE;YAChE,+DAA+D;SAChE,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,qEAAqE,EACrE,kFAAkF,EAClF;oBACE,uDAAuD;oBACvD,0FAA0F;iBAC3F,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,MAAM,iBAAiB,GAAG;YACxB,mHAAmH;YACnH,iGAAiG;SAClG,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,yDAAyD,EACzD,mFAAmF,EACnF;oBACE,uDAAuD;oBACvD,kFAAkF;iBACnF,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,oBAAoB,GAAG;YAC3B,6BAA6B;YAC7B,4BAA4B;YAC5B,2BAA2B;SAC5B,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;YAC3C,IAAI,KAAK,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAE9D,eAAe,CAAC,IAAI,CAClB,IAAI,CAAC,mBAAmB,CACtB,QAAQ,EACR,IAAI,EACJ,IAAI,EACJ,iFAAiF,EACjF,wFAAwF,EACxF;oBACE,uDAAuD;iBACxD,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Weak Cryptography Detector
|
|
3
|
+
*
|
|
4
|
+
* Detects use of weak or deprecated cryptographic algorithms
|
|
5
|
+
* OWASP A02:2021 - Cryptographic Failures
|
|
6
|
+
*/
|
|
7
|
+
import { BaseSecurityDetector } from '../base-detector.js';
|
|
8
|
+
import type { SecurityVulnerability } from '../types.js';
|
|
9
|
+
export declare class WeakCryptoDetector extends BaseSecurityDetector {
|
|
10
|
+
constructor();
|
|
11
|
+
scan(content: string, filePath: string): Promise<SecurityVulnerability[]>;
|
|
12
|
+
}
|