@elytrasec/engine 0.4.0 → 0.4.1

package/dist/index.js

@@ -3105,7 +3105,7 @@ var securityRules = [
     title: "Form without CSRF protection",
     description: "HTML form with method=POST but no visible CSRF token field. This may be vulnerable to cross-site request forgery.",
     suggestion: "Add a hidden CSRF token field to the form or use a framework-provided CSRF middleware.",
-    pattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
+    multilinePattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
     severity: "medium",
     category: "security",
     confidence: "low",
@@ -3161,7 +3161,7 @@ var securityRules = [
     title: "XML parsing without entity restriction (XXE)",
     description: "XML parsers that allow external entities can be exploited to read local files or perform SSRF.",
     suggestion: "Disable external entity processing: set noent: false, or use defusedxml in Python.",
-    pattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
+    multilinePattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3211,7 +3211,7 @@ var securityRules = [
     title: "Mass assignment via spread of user input",
     description: "Spreading req.body directly into a database create/update allows attackers to set arbitrary fields (e.g. isAdmin).",
     suggestion: "Explicitly pick allowed fields instead of spreading the entire request body.",
-    pattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
+    multilinePattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3278,7 +3278,7 @@ var securityRules = [
     title: "Cookie set without security flags",
     description: "Cookies set without Secure, HttpOnly, or SameSite flags are vulnerable to interception and XSS theft.",
     suggestion: "Set cookies with { secure: true, httpOnly: true, sameSite: 'strict' } flags.",
-    pattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
+    multilinePattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
     severity: "medium",
     category: "security",
     confidence: "medium",
@@ -3306,7 +3306,7 @@ var securityRules = [
     title: "CORS credentials with wildcard origin",
     description: "Enabling credentials with a wildcard or reflected origin allows any site to make authenticated cross-origin requests.",
     suggestion: "When using credentials: true, specify explicit trusted origins instead of '*' or reflecting the Origin header.",
-    pattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
+    multilinePattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
     severity: "high",
     category: "security",
     confidence: "high",
@@ -3477,7 +3477,7 @@ var solidityRules2 = [
     title: "balanceOf used for pricing without flash loan guards",
     description: "Using balanceOf() for pricing calculations is vulnerable to flash loan manipulation.",
     suggestion: "Use time-weighted average prices (TWAP) or Chainlink oracles instead of spot balanceOf for pricing.",
-    pattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
+    multilinePattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3537,7 +3537,7 @@ var javaRules = [
     title: "XPath injection via string concatenation",
     description: "Building XPath queries with string concatenation allows injection attacks.",
     suggestion: "Use XPath parameterization via XPathExpression or sanitize input.",
-    pattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
+    multilinePattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3931,7 +3931,7 @@ var performanceRules = [
     title: "Potential N+1 query \u2014 database call inside a loop",
     description: "A database query inside a loop makes N separate round-trips instead of 1 batch query. This causes severe performance degradation at scale.",
     suggestion: "Batch the queries: collect all IDs first, then execute a single WHERE IN query.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
     severity: "high",
     category: "performance",
     confidence: "medium",
@@ -3942,7 +3942,7 @@ var performanceRules = [
     title: "Nested iteration \u2014 Array search inside a loop",
     description: "Using Array.find/filter/some/indexOf inside a loop is O(n*m). Use a Map or Set for O(n) lookups.",
     suggestion: "Build a Map or Set from the inner array before the loop, then use .get()/.has() for O(1) lookup.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3965,7 +3965,7 @@ var performanceRules = [
     title: "RegExp construction inside a loop",
     description: "Creating a new RegExp object on every iteration is wasteful. Regex compilation is expensive.",
     suggestion: "Move the RegExp construction outside the loop and reuse the compiled pattern.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3976,7 +3976,7 @@ var performanceRules = [
     title: "JSON.parse inside a loop",
     description: "Parsing JSON inside a loop is CPU-intensive. If the same data is re-parsed, cache the result.",
     suggestion: "Parse the JSON once before the loop and reuse the result, or use streaming JSON parsing for large datasets.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3987,7 +3987,7 @@ var performanceRules = [
     title: "Sequential await inside a loop",
     description: "Using await inside a loop executes async operations sequentially. Independent operations can run in parallel with Promise.all.",
     suggestion: "Collect promises in an array and use Promise.all() or Promise.allSettled() for parallel execution.",
-    pattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
+    multilinePattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
     severity: "low",
     category: "performance",
     confidence: "low",
@@ -4719,7 +4719,7 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: BalanceDelta returned without settle/take",
     description: "Hooks that return a modified `BalanceDelta` must ensure the delta is fully consumed (settled or taken) within the same unlock cycle. An unconsumed delta causes `CurrencyNotSettled` revert; partial consumption can silently strand tokens.",
     suggestion: "Ensure `poolManager.settle()` or `poolManager.take()` is called for both currency0 and currency1 before returning from the unlock callback.",
-    pattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
+    multilinePattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4730,7 +4730,7 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: overly broad hook permissions",
     description: "Hook permissions are set at deployment via the address bit-flags and cannot be changed. Requesting permissions you don't need (e.g. `BEFORE_SWAP_RETURNS_DELTA` when you never return a delta) increases attack surface and gas costs for every pool interaction.",
     suggestion: "Return only the minimum required `Hooks.Permissions` from `getHookPermissions()`. Audit each permission flag against your actual callback implementations.",
-    pattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
+    multilinePattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
     severity: "medium",
     category: "solidity",
     confidence: "low",
@@ -4789,7 +4789,7 @@ var hackReplayRules = [
     title: "Radiant hack pattern \u2014 single-step ownership transfer (no Ownable2Step)",
     description: "transferOwnership is implemented as a single-call function \u2014 the new owner takes effect immediately. This is the same pattern the Radiant Capital ($53M, Oct 2024) attackers exploited after compromising a multisig signer's UI: ownership flipped before anyone could react. A two-step or timelocked pattern would have created a defensive window.",
     suggestion: "Inherit from OpenZeppelin Ownable2Step (requires acceptOwnership from the new owner) AND gate it behind a timelock for production deployments. Never let a single signature transfer ownership atomically.",
-    pattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
+    multilinePattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
     severity: "high",
     category: "hack-replay",
     confidence: "medium",
@@ -4841,7 +4841,7 @@ var hackReplayRules = [
     title: "Beanstalk hack pattern \u2014 governance execute() with no timelock between vote and call",
     description: "A governance contract exposes an execute() / executeProposal() / propose() function callable in the same block as voting. This is the exact $182M Beanstalk vector (April 2022): an attacker flash-loaned the governance token, voted yes on a self-draining proposal, and called execute() in the same transaction. A timelock between successful vote and execution would have made the flash-loan economically pointless.",
     suggestion: "Add a queue/execute split: successful proposals enter a TimelockController with a minimum delay (24-48h is standard). Require execute() to verify block.timestamp >= queuedAt + delay. Never let voting power, proposal acceptance, and code execution happen atomically.",
-    pattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4857,7 +4857,7 @@ var hackReplayRules = [
     title: "Multichain hack pattern \u2014 bridge withdraw/unlock gated by single owner role",
     description: "A bridge function (withdraw, unlock, releaseTo, claim, mintBridged) is gated only by onlyOwner or a single-address admin check. This was the structural failure behind the $126M Multichain collapse (July 2023): the CEO's MPC key controlled bridge outflows, and when he was detained, attackers (or insiders) drained the bridge. Bridge withdraw functions are the highest-value attack surface in crypto and must be multi-party.",
     suggestion: "Require a multi-sig (Safe / Gnosis), a multi-party MPC (TSS), or an N-of-M validator set before any bridge outflow. Never let a single private key sign a withdraw of bridged assets. Add per-asset and per-block outflow caps as a defense-in-depth limit.",
-    pattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
+    multilinePattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "medium",
@@ -4909,7 +4909,7 @@ var hackReplayRules = [
     title: "Wormhole hack pattern \u2014 guardian/validator signature accepted without strict set verification",
     description: "A function verifies a signature against a validator/guardian set but does not strictly check that the set hash matches the expected current set (or compares against a default/empty value). The $325M Wormhole hack (Feb 2022) exploited a stub `verify_signatures` path that accepted forged signatures because the validator set comparison was missing/insecure. ecrecover-based signature schemes need every validator set rotation tracked by an explicit hash check.",
     suggestion: "Verify the signed message includes a strict hash of the current validator set. Reject signatures where the recovered signer is not in the active set. Never use `default!()` or zero-initialized guardian arrays in signature paths.",
-    pattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
+    multilinePattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4945,7 +4945,7 @@ var hackReplayRules = [
     // Tightened: require the call to appear in a function whose name implies
     // lending / collateral / liquidation context (the actual hack surface).
     // Plain DEX pool internals like Uniswap getReserves are not at risk.
-    pattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
+    multilinePattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
     severity: "medium",
     category: "hack-replay",
     confidence: "low",
@@ -5046,7 +5046,7 @@ var rugSurfaceRules = [
     title: "Renounceable ownership without evidence of renunciation",
     description: "Contract inherits Ownable / OwnableUpgradeable but the constructor / initializer doesn't transfer ownership to a known-safe address (zero, multisig, timelock). Owner power may still be active.",
     suggestion: "Either renounce ownership in the constructor (acceptably for fully-immutable contracts), or transfer to a multisig. Document this explicitly.",
-    pattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
+    multilinePattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
     severity: "medium",
     category: "rug-surface",
     confidence: "low",
@@ -5068,7 +5068,7 @@ var rugSurfaceRules = [
     title: "Privileged modifier without visible role check in body",
     description: "A modifier name doesn't suggest privilege (e.g. `lock`, `safe`, `nonReentrant`-shaped names) but its body restricts access. Auditors miss these; users assume the function is open.",
     suggestion: "Rename modifier to make privilege explicit (e.g. `onlyOperator`). Or move check inline so reviewers see it in the function body.",
-    pattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
+    multilinePattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
     severity: "medium",
     category: "rug-surface",
     confidence: "low",
@@ -5395,6 +5395,7 @@ function scanFile(relPath, content, rules, changedRanges) {
   const applicableRules = rules.filter((r) => ruleAppliesToFile(r, relPath));
   if (applicableRules.length === 0) return findings;
   for (const rule of applicableRules) {
+    if (!rule.pattern) continue;
     for (let i = 0; i < lines.length; i++) {
       const lineNumber = i + 1;
       const line = lines[i];
@@ -5426,8 +5427,10 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
     rule.multilinePattern.lastIndex = 0;
+    const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;
     while ((match = rule.multilinePattern.exec(content)) !== null) {
+      const breakAfter = !isGlobal;
       const textBefore = content.slice(0, match.index);
       const startLine = textBefore.split("\n").length;
       const matchLines = match[0].split("\n").length;
@@ -5453,6 +5456,7 @@ function scanFile(relPath, content, rules, changedRanges) {
       if (match[0].length === 0) {
         rule.multilinePattern.lastIndex++;
       }
+      if (breakAfter) break;
     }
   }
   if (rules.some((r) => r.category === "code-cleaning")) {

package/package.json

@@ -1,12 +1,21 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.0",
-  "description": "Core analysis engine for Elytra — 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
+  "version": "0.4.1",
+  "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",
   "bugs": "https://elytrasec.io/agents",
-  "keywords": ["security", "scanner", "static-analysis", "code-review", "vulnerability-detection", "solidity", "defi", "rug-surface"],
+  "keywords": [
+    "security",
+    "scanner",
+    "static-analysis",
+    "code-review",
+    "vulnerability-detection",
+    "solidity",
+    "defi",
+    "rug-surface"
+  ],
   "engines": {
     "node": ">=20"
   },