@elytrasec/engine 0.4.3 → 0.4.4

package/dist/index.js

@@ -3028,12 +3028,48 @@ var securityRules = [
     title: "Potential command injection",
     description: "Shell command built with string concatenation or template literals. Attacker-controlled input may escape the intended command.",
     suggestion: "Use execFile() with an argument array or a library like execa that avoids shell interpretation.",
-    pattern: /(?:exec|execSync|spawn|spawnSync|system)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
+    // Catches:
+    //   JS:  exec(`ls ${dir}`), execSync("cmd " + x), spawn("...", ...)
+    //   Py:  os.system(f"ping {host}"), os.popen("cmd " + x), subprocess.call("..." + x, shell=True)
+    pattern: /(?:exec|execSync|spawn|spawnSync|system|popen|run|call|check_output|getoutput)\s*\(\s*(?:`[^`]*\$\{|[fF]"(?:[^"\\]|\\.)*\{|[fF]'(?:[^'\\]|\\.)*\{|"(?:[^"\\]|\\.)*"\s*\+|'(?:[^'\\]|\\.)*'\s*\+)/,
     severity: "critical",
     category: "security",
     confidence: "medium",
     languages: [...JS_TS, ...PY]
   },
+  {
+    id: "cp-sec-python-eval",
+    title: "Python eval() / exec() with dynamic input",
+    description: "Python `eval()` or `exec()` executes arbitrary code from a string. Reachable via `request.args`, `request.form`, or any user-controlled variable, this is direct RCE.",
+    suggestion: "Avoid eval/exec entirely. For arithmetic, use `ast.literal_eval`. For dispatch, use an explicit allow-list dict.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?:request\.|input\s*\(|sys\.argv|os\.environ|[\w.]+\.(?:args|form|query|params|json|body))/,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: PY
+  },
+  {
+    id: "cp-sec-python-eval-loose",
+    title: "Python eval() / exec() call",
+    description: "Python's `eval()` and `exec()` evaluate arbitrary code. Even when input looks trusted, these are common code-injection vectors.",
+    suggestion: "Replace with `ast.literal_eval` (for data literals) or an explicit allow-list. If you must use eval, scope the globals/locals dict to empty.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?!{|\[|'\)|"\)|None|globals|locals)/,
+    severity: "high",
+    category: "security",
+    confidence: "low",
+    languages: PY
+  },
+  {
+    id: "cp-sec-go-path-traversal",
+    title: "Go file read with unsanitized user input (path traversal)",
+    description: "`ioutil.ReadFile` / `os.ReadFile` / `os.Open` constructed via concatenation with HTTP request data is path-traversal-vulnerable. Attackers pass `../../etc/passwd`.",
+    suggestion: "Use `filepath.Clean` and verify the resolved path starts with the expected base directory. Better: maintain an allow-list of accepted file IDs.",
+    pattern: /(?:ioutil\.ReadFile|os\.ReadFile|os\.Open(?:File)?)\s*\([^)]*(?:\+\s*\w+\s*\)|r\.URL\.Query|r\.FormValue|mux\.Vars)/,
+    severity: "high",
+    category: "security",
+    confidence: "medium",
+    languages: [".go"]
+  },
   {
     id: "cp-sec-open-redirect",
     title: "Potential open redirect",
@@ -5479,6 +5515,7 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (!rule.multilinePattern) continue;
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
+    if (rule.id === "cp-hack-wormhole-unchecked-signature-set" && /\b(?:EIP712|DOMAIN_SEPARATOR|_hashTypedDataV4|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|EIP712Upgradeable)\b/.test(content)) continue;
     rule.multilinePattern.lastIndex = 0;
     const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",