@feiyoug/skill-lab 0.0.0 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +73 -0
- package/esm/analyzer/astgrep/client.d.ts +20 -8
- package/esm/analyzer/astgrep/client.d.ts.map +1 -1
- package/esm/analyzer/astgrep/client.js +58 -31
- package/esm/analyzer/config/default.d.ts +8 -0
- package/esm/analyzer/config/default.d.ts.map +1 -0
- package/esm/analyzer/config/default.js +91 -0
- package/esm/analyzer/config/helpers.d.ts +8 -0
- package/esm/analyzer/config/helpers.d.ts.map +1 -0
- package/esm/analyzer/config/helpers.js +72 -0
- package/esm/analyzer/config/mod.d.ts +4 -0
- package/esm/analyzer/config/mod.d.ts.map +1 -0
- package/esm/analyzer/config/mod.js +3 -0
- package/esm/analyzer/config/types.d.ts +58 -0
- package/esm/analyzer/config/types.d.ts.map +1 -0
- package/esm/analyzer/{config.js → config/types.js} +0 -28
- package/esm/analyzer/logging.d.ts +3 -0
- package/esm/analyzer/logging.d.ts.map +1 -0
- package/esm/analyzer/logging.js +6 -0
- package/esm/analyzer/mod.d.ts +12 -5
- package/esm/analyzer/mod.d.ts.map +1 -1
- package/esm/analyzer/mod.js +25 -12
- package/esm/analyzer/result.d.ts +35 -0
- package/esm/analyzer/result.d.ts.map +1 -0
- package/esm/analyzer/result.js +311 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/commands/mod.js +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/esm/analyzer/rules/bash/commands/pip.js +14 -0
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/esm/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/esm/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/esm/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.js +2 -2
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/esm/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/mod.js +39 -9
- package/esm/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/mod.js +156 -73
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/esm/analyzer/steps/002-permissions/seed-frontmatter.js +2 -2
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/dep-risks.js +74 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/helpers.js +1 -0
- package/esm/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/esm/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/mod.js +41 -4
- package/esm/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/esm/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/policy.js +23 -0
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/esm/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/esm/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/scoring.js +55 -42
- package/esm/analyzer/treesitter/client.d.ts +31 -0
- package/esm/analyzer/treesitter/client.d.ts.map +1 -0
- package/esm/analyzer/{treesiter → treesitter}/client.js +43 -39
- package/esm/analyzer/treesitter/registry.d.ts +73 -0
- package/esm/analyzer/treesitter/registry.d.ts.map +1 -0
- package/esm/analyzer/treesitter/registry.js +165 -0
- package/esm/analyzer/types.d.ts +14 -28
- package/esm/analyzer/types.d.ts.map +1 -1
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +297 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +268 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.js +45 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.js +903 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.js +15 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.js +61 -0
- package/esm/shared/deep_merge.d.ts +12 -0
- package/esm/shared/deep_merge.d.ts.map +1 -0
- package/esm/shared/deep_merge.js +49 -0
- package/esm/shared/mod.d.ts +1 -0
- package/esm/shared/mod.d.ts.map +1 -1
- package/esm/shared/mod.js +1 -0
- package/esm/shared/types/filetypes.d.ts +2 -2
- package/esm/shared/types/filetypes.d.ts.map +1 -1
- package/esm/shared/types/permissions.d.ts +1 -1
- package/esm/shared/types/permissions.d.ts.map +1 -1
- package/esm/shared/types/risks.d.ts +4 -1
- package/esm/shared/types/risks.d.ts.map +1 -1
- package/esm/skillreader/types.d.ts +2 -2
- package/esm/skillreader/types.d.ts.map +1 -1
- package/esm/skillreader/types.js +2 -2
- package/package.json +1 -1
- package/script/analyzer/astgrep/client.d.ts +20 -8
- package/script/analyzer/astgrep/client.d.ts.map +1 -1
- package/script/analyzer/astgrep/client.js +58 -64
- package/script/analyzer/config/default.d.ts +8 -0
- package/script/analyzer/config/default.d.ts.map +1 -0
- package/script/analyzer/config/default.js +94 -0
- package/script/analyzer/config/helpers.d.ts +8 -0
- package/script/analyzer/config/helpers.d.ts.map +1 -0
- package/script/analyzer/config/helpers.js +76 -0
- package/script/analyzer/config/mod.d.ts +4 -0
- package/script/analyzer/config/mod.d.ts.map +1 -0
- package/script/analyzer/config/mod.js +21 -0
- package/script/analyzer/config/types.d.ts +58 -0
- package/script/analyzer/config/types.d.ts.map +1 -0
- package/script/analyzer/{config.js → config/types.js} +1 -29
- package/script/analyzer/logging.d.ts +3 -0
- package/script/analyzer/logging.d.ts.map +1 -0
- package/script/analyzer/logging.js +9 -0
- package/script/analyzer/mod.d.ts +12 -5
- package/script/analyzer/mod.d.ts.map +1 -1
- package/script/analyzer/mod.js +35 -20
- package/script/analyzer/result.d.ts +35 -0
- package/script/analyzer/result.d.ts.map +1 -0
- package/script/analyzer/result.js +315 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/script/analyzer/rules/bash/commands/mod.js +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/script/analyzer/rules/bash/commands/pip.js +17 -0
- package/script/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/script/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/script/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/script/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/python/extractFileRefs.js +2 -2
- package/script/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/script/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/script/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/mod.js +77 -11
- package/script/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/mod.js +194 -75
- package/script/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/script/analyzer/steps/002-permissions/seed-frontmatter.js +3 -3
- package/script/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/script/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/dep-risks.js +77 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/helpers.js +1 -0
- package/script/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/script/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/mod.js +77 -4
- package/script/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/script/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/policy.js +29 -0
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/script/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/script/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/scoring.js +55 -42
- package/script/analyzer/treesitter/client.d.ts +31 -0
- package/script/analyzer/treesitter/client.d.ts.map +1 -0
- package/script/analyzer/treesitter/client.js +136 -0
- package/script/analyzer/treesitter/registry.d.ts +73 -0
- package/script/analyzer/treesitter/registry.d.ts.map +1 -0
- package/script/analyzer/treesitter/registry.js +206 -0
- package/script/analyzer/types.d.ts +14 -28
- package/script/analyzer/types.d.ts.map +1 -1
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +10 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +334 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +305 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.js +48 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.js +986 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.js +18 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.js +65 -0
- package/script/shared/deep_merge.d.ts +12 -0
- package/script/shared/deep_merge.d.ts.map +1 -0
- package/script/shared/deep_merge.js +53 -0
- package/script/shared/mod.d.ts +1 -0
- package/script/shared/mod.d.ts.map +1 -1
- package/script/shared/mod.js +1 -0
- package/script/shared/types/filetypes.d.ts +2 -2
- package/script/shared/types/filetypes.d.ts.map +1 -1
- package/script/shared/types/permissions.d.ts +1 -1
- package/script/shared/types/permissions.d.ts.map +1 -1
- package/script/shared/types/risks.d.ts +4 -1
- package/script/shared/types/risks.d.ts.map +1 -1
- package/script/skillreader/types.d.ts +2 -2
- package/script/skillreader/types.d.ts.map +1 -1
- package/script/skillreader/types.js +2 -2
- package/src/_dnt.polyfills.ts +27 -0
- package/src/_dnt.shims.ts +64 -0
- package/src/analyzer/astgrep/client.ts +184 -0
- package/src/analyzer/astgrep/mod.ts +2 -0
- package/src/analyzer/config/default.ts +98 -0
- package/src/analyzer/config/helpers.ts +107 -0
- package/src/analyzer/config/mod.ts +3 -0
- package/src/analyzer/config/types.ts +103 -0
- package/src/analyzer/logging.ts +8 -0
- package/src/analyzer/mod.ts +118 -0
- package/src/analyzer/result.ts +393 -0
- package/src/analyzer/rules/bash/astTypes.ts +5 -0
- package/src/analyzer/rules/bash/commands/bd.ts +23 -0
- package/src/analyzer/rules/bash/commands/cron.ts +21 -0
- package/src/analyzer/rules/bash/commands/docker.ts +37 -0
- package/src/analyzer/rules/bash/commands/eval.ts +52 -0
- package/src/analyzer/rules/bash/commands/generic.ts +16 -0
- package/src/analyzer/rules/bash/commands/gh.ts +21 -0
- package/src/analyzer/rules/bash/commands/git.ts +28 -0
- package/src/analyzer/rules/bash/commands/mod.ts +38 -0
- package/src/analyzer/rules/bash/commands/node.ts +64 -0
- package/src/analyzer/rules/bash/commands/openspec.ts +16 -0
- package/src/analyzer/rules/bash/commands/pip.ts +16 -0
- package/src/analyzer/rules/bash/commands/sudo.ts +21 -0
- package/src/analyzer/rules/bash/destructive.ts +28 -0
- package/src/analyzer/rules/bash/extractFileRefs.ts +101 -0
- package/src/analyzer/rules/bash/filesystem.ts +50 -0
- package/src/analyzer/rules/bash/injection.ts +21 -0
- package/src/analyzer/rules/bash/inline-command-classifier.ts +94 -0
- package/src/analyzer/rules/bash/mod.ts +23 -0
- package/src/analyzer/rules/bash/network.ts +64 -0
- package/src/analyzer/rules/bash/secret-detection.ts +43 -0
- package/src/analyzer/rules/javascript/astTypes.ts +8 -0
- package/src/analyzer/rules/javascript/extractFileRefs.ts +131 -0
- package/src/analyzer/rules/javascript/filesystem.ts +28 -0
- package/src/analyzer/rules/javascript/injection.ts +21 -0
- package/src/analyzer/rules/javascript/mod.ts +26 -0
- package/src/analyzer/rules/javascript/network.ts +27 -0
- package/src/analyzer/rules/javascript/secret-detection.ts +68 -0
- package/src/analyzer/rules/javascript/subprocess.ts +16 -0
- package/src/analyzer/rules/markdown/astTypes.ts +35 -0
- package/src/analyzer/rules/markdown/extractCodeBlocks.ts +101 -0
- package/src/analyzer/rules/markdown/extractFileRefs.ts +179 -0
- package/src/analyzer/rules/markdown/mod.ts +12 -0
- package/src/analyzer/rules/mod.ts +77 -0
- package/src/analyzer/rules/python/astTypes.ts +9 -0
- package/src/analyzer/rules/python/extractFileRefs.ts +92 -0
- package/src/analyzer/rules/python/mod.ts +15 -0
- package/src/analyzer/rules/python/network.ts +26 -0
- package/src/analyzer/rules/python/secret-detection.ts +30 -0
- package/src/analyzer/rules/shared/file-refs.ts +38 -0
- package/src/analyzer/rules/shared/network-evaluators.ts +107 -0
- package/src/analyzer/rules/shared/prompt-injection.ts +48 -0
- package/src/analyzer/rules/shared/secret-evaluators.ts +13 -0
- package/src/analyzer/rules/text/mod.ts +12 -0
- package/src/analyzer/rules/typescript/mod.ts +7 -0
- package/src/analyzer/steps/001-discovery/discover-files.ts +211 -0
- package/src/analyzer/steps/001-discovery/filter-files.ts +72 -0
- package/src/analyzer/steps/001-discovery/mod.ts +103 -0
- package/src/analyzer/steps/002-permissions/mod.ts +329 -0
- package/src/analyzer/steps/002-permissions/scan-file.ts +258 -0
- package/src/analyzer/steps/002-permissions/seed-frontmatter.ts +66 -0
- package/src/analyzer/steps/002-permissions/synthesize.ts +42 -0
- package/src/analyzer/steps/003-risks/dep-risks.ts +89 -0
- package/src/analyzer/steps/003-risks/helpers.ts +41 -0
- package/src/analyzer/steps/003-risks/mod.ts +86 -0
- package/src/analyzer/steps/003-risks/policy.ts +38 -0
- package/src/analyzer/steps/003-risks/rule-mapped.ts +206 -0
- package/src/analyzer/steps/003-risks/scoring.ts +117 -0
- package/src/analyzer/steps/mod.ts +3 -0
- package/src/analyzer/treesitter/client.ts +120 -0
- package/src/analyzer/treesitter/registry.ts +198 -0
- package/src/analyzer/types.ts +78 -0
- package/src/analyzer/utils/code-block-path.ts +33 -0
- package/src/analyzer/utils/id-generator.ts +59 -0
- package/src/analyzer/utils/secret-validator.ts +29 -0
- package/src/analyzer/utils/url-parser.ts +25 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/deps.ts +3 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/mod.ts +265 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/multi.ts +250 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/time.ts +69 -0
- package/src/deps/jsr.io/@std/fmt/1.0.3/colors.ts +1004 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/_os.ts +15 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/os.ts +7 -0
- package/src/deps/jsr.io/@std/io/0.225.0/types.ts +157 -0
- package/src/deps/jsr.io/@std/io/0.225.0/write_all.ts +65 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/assert_path.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/basename.ts +53 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/common.ts +26 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/constants.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/dirname.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/format.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/from_file_url.ts +12 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/glob_to_reg_exp.ts +295 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize_string.ts +74 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/relative.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/strip_trailing_separators.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/to_file_url.ts +17 -0
- package/src/deps/jsr.io/@std/path/1.1.4/basename.ts +37 -0
- package/src/deps/jsr.io/@std/path/1.1.4/common.ts +35 -0
- package/src/deps/jsr.io/@std/path/1.1.4/constants.ts +18 -0
- package/src/deps/jsr.io/@std/path/1.1.4/dirname.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/extname.ts +29 -0
- package/src/deps/jsr.io/@std/path/1.1.4/format.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/from_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_absolute.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_glob.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join_globs.ts +42 -0
- package/src/deps/jsr.io/@std/path/1.1.4/mod.ts +217 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize.ts +33 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize_glob.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/parse.ts +44 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/_util.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/basename.ts +62 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/dirname.ts +72 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/extname.ts +96 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/from_file_url.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/is_absolute.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join_globs.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize.ts +63 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/parse.ts +121 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/relative.ts +103 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/resolve.ts +71 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_file_url.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_namespaced_path.ts +21 -0
- package/src/deps/jsr.io/@std/path/1.1.4/relative.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/resolve.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_namespaced_path.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/types.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/_util.ts +28 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/basename.ts +54 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/dirname.ts +118 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/extname.ts +90 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/from_file_url.ts +34 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/glob_to_regexp.ts +92 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/is_absolute.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join.ts +78 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join_globs.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize.ts +136 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/parse.ts +184 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/relative.ts +128 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/resolve.ts +178 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_file_url.ts +38 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_namespaced_path.ts +60 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_chars.ts +55 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_dumper_state.ts +841 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_loader_state.ts +1780 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_schema.ts +183 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/binary.ts +127 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/bool.ts +37 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/float.ts +112 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/int.ts +174 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/map.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/merge.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/nil.ts +27 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/omap.ts +30 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/pairs.ts +22 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/regexp.ts +33 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/seq.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/set.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/str.ts +12 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/timestamp.ts +101 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/undefined.ts +23 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type.ts +49 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_utils.ts +16 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/mod.ts +54 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/parse.ts +128 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/stringify.ts +118 -0
- package/src/shared/deep_merge.ts +73 -0
- package/src/shared/mod.ts +2 -0
- package/src/shared/types/filetypes.ts +101 -0
- package/src/shared/types/findings.ts +7 -0
- package/src/shared/types/mod.ts +6 -0
- package/src/shared/types/permissions.ts +17 -0
- package/src/shared/types/references.ts +62 -0
- package/src/shared/types/risks.ts +72 -0
- package/src/shared/types/syntaxNode.ts +7 -0
- package/src/skillreader/cloudStorage/mod.ts +170 -0
- package/src/skillreader/factory.ts +71 -0
- package/src/skillreader/fs/git.ts +153 -0
- package/src/skillreader/fs/mod.ts +84 -0
- package/src/skillreader/github/base.ts +162 -0
- package/src/skillreader/github/githubApi.ts +40 -0
- package/src/skillreader/github/githubRaw.ts +24 -0
- package/src/skillreader/github/mod.ts +45 -0
- package/src/skillreader/github/utils.ts +40 -0
- package/src/skillreader/manifest.ts +67 -0
- package/src/skillreader/mod.ts +26 -0
- package/src/skillreader/types.ts +150 -0
- package/src/skillreader/utils/frontmatter-parser.ts +72 -0
- package/src/skillreader/utils/http-range.ts +38 -0
- package/src/skillreader/utils/mod.ts +12 -0
- package/esm/analyzer/astgrep/registry.d.ts +0 -18
- package/esm/analyzer/astgrep/registry.d.ts.map +0 -1
- package/esm/analyzer/astgrep/registry.js +0 -71
- package/esm/analyzer/config.d.ts +0 -27
- package/esm/analyzer/config.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.d.ts +0 -3
- package/esm/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.js +0 -16
- package/esm/analyzer/treesiter/client.d.ts +0 -26
- package/esm/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.d.ts +0 -18
- package/script/analyzer/astgrep/registry.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.js +0 -109
- package/script/analyzer/config.d.ts +0 -27
- package/script/analyzer/config.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.d.ts +0 -3
- package/script/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.js +0 -19
- package/script/analyzer/treesiter/client.d.ts +0 -26
- package/script/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/treesiter/client.js +0 -165
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* File reference extractor for JavaScript and TypeScript files.
|
|
3
|
+
*
|
|
4
|
+
* Detects:
|
|
5
|
+
* - import/export ... from "specifier" → via: "import"
|
|
6
|
+
* - require("specifier") → via: "import"
|
|
7
|
+
* - URL string literals used in fetch/axios/XMLHttpRequest → via: "url"
|
|
8
|
+
* - Host filesystem paths in fs.readFile / fs.writeFile / open calls → via: "bare-path"
|
|
9
|
+
*
|
|
10
|
+
* Uses ast-grep AST traversal.
|
|
11
|
+
*/
|
|
12
|
+
|
|
13
|
+
import { isHostFsPath, isUrl } from "../shared/file-refs.js";
|
|
14
|
+
import type { AnalyzerContext, FileRefDiscovery } from "../../types.js";
|
|
15
|
+
import { JS_NODE } from "./astTypes.js";
|
|
16
|
+
|
|
17
|
+
async function extractJsLikeFileRefs(
|
|
18
|
+
lang: "javascript" | "typescript",
|
|
19
|
+
context: AnalyzerContext,
|
|
20
|
+
content: string,
|
|
21
|
+
): Promise<FileRefDiscovery[]> {
|
|
22
|
+
const refs: FileRefDiscovery[] = [];
|
|
23
|
+
|
|
24
|
+
const ast = await context.astgrepClient.parse(lang, content);
|
|
25
|
+
const root = ast.root();
|
|
26
|
+
|
|
27
|
+
// ── import_statement ────────────────────────────────────────────────────
|
|
28
|
+
const importNodes = root.findAll({ rule: { kind: JS_NODE.IMPORT_STATEMENT } });
|
|
29
|
+
for (const node of importNodes) {
|
|
30
|
+
const sourceNode = node.field("source");
|
|
31
|
+
if (!sourceNode) continue;
|
|
32
|
+
const fragmentNode = sourceNode.find({ rule: { kind: JS_NODE.STRING_FRAGMENT } });
|
|
33
|
+
const specifier = fragmentNode?.text() ?? "";
|
|
34
|
+
if (specifier) {
|
|
35
|
+
refs.push({ path: specifier, line: node.range().start.line + 1, via: "import" });
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
// ── export_statement (re-exports only — export ... from "…") ────────────
|
|
40
|
+
const exportNodes = root.findAll({ rule: { kind: JS_NODE.EXPORT_STATEMENT } });
|
|
41
|
+
for (const node of exportNodes) {
|
|
42
|
+
const sourceNode = node.field("source");
|
|
43
|
+
if (!sourceNode) continue; // no `from` clause → local export, skip
|
|
44
|
+
const fragmentNode = sourceNode.find({ rule: { kind: JS_NODE.STRING_FRAGMENT } });
|
|
45
|
+
const specifier = fragmentNode?.text() ?? "";
|
|
46
|
+
if (specifier) {
|
|
47
|
+
refs.push({ path: specifier, line: node.range().start.line + 1, via: "import" });
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
// ── require("specifier") ────────────────────────────────────────────────
|
|
52
|
+
const requireNodes = root.findAll({
|
|
53
|
+
rule: {
|
|
54
|
+
kind: JS_NODE.CALL_EXPRESSION,
|
|
55
|
+
has: {
|
|
56
|
+
field: "function",
|
|
57
|
+
regex: "^require$",
|
|
58
|
+
stopBy: "neighbor",
|
|
59
|
+
},
|
|
60
|
+
},
|
|
61
|
+
});
|
|
62
|
+
for (const node of requireNodes) {
|
|
63
|
+
const argsNode = node.field("arguments");
|
|
64
|
+
if (!argsNode) continue;
|
|
65
|
+
const fragmentNode = argsNode.find({ rule: { kind: JS_NODE.STRING_FRAGMENT } });
|
|
66
|
+
const specifier = fragmentNode?.text() ?? "";
|
|
67
|
+
if (specifier) {
|
|
68
|
+
refs.push({ path: specifier, line: node.range().start.line + 1, via: "import" });
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
// ── fetch/axios/etc. URL calls ──────────────────────────────────────────
|
|
73
|
+
const urlCallNodes = root.findAll({
|
|
74
|
+
rule: {
|
|
75
|
+
kind: JS_NODE.CALL_EXPRESSION,
|
|
76
|
+
has: {
|
|
77
|
+
field: "function",
|
|
78
|
+
regex:
|
|
79
|
+
"^(?:fetch|axios\\.(?:get|post|put|delete|patch|head)|XMLHttpRequest|request|got|superagent)$",
|
|
80
|
+
stopBy: "neighbor",
|
|
81
|
+
},
|
|
82
|
+
},
|
|
83
|
+
});
|
|
84
|
+
for (const node of urlCallNodes) {
|
|
85
|
+
const argsNode = node.field("arguments");
|
|
86
|
+
if (!argsNode) continue;
|
|
87
|
+
const fragmentNode = argsNode.find({ rule: { kind: JS_NODE.STRING_FRAGMENT } });
|
|
88
|
+
const url = fragmentNode?.text() ?? "";
|
|
89
|
+
if (url && isUrl(url)) {
|
|
90
|
+
refs.push({ path: url, line: node.range().start.line + 1, via: "url" });
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
// ── fs.* calls with host paths ──────────────────────────────────────────
|
|
95
|
+
const fsCallNodes = root.findAll({
|
|
96
|
+
rule: {
|
|
97
|
+
kind: JS_NODE.CALL_EXPRESSION,
|
|
98
|
+
has: {
|
|
99
|
+
field: "function",
|
|
100
|
+
regex:
|
|
101
|
+
"^fs\\.(?:readFile|writeFile|appendFile|open|access|stat|unlink|mkdir|rmdir|rename|copyFile)$",
|
|
102
|
+
stopBy: "neighbor",
|
|
103
|
+
},
|
|
104
|
+
},
|
|
105
|
+
});
|
|
106
|
+
for (const node of fsCallNodes) {
|
|
107
|
+
const argsNode = node.field("arguments");
|
|
108
|
+
if (!argsNode) continue;
|
|
109
|
+
const fragmentNode = argsNode.find({ rule: { kind: JS_NODE.STRING_FRAGMENT } });
|
|
110
|
+
const path = fragmentNode?.text() ?? "";
|
|
111
|
+
if (path && isHostFsPath(path)) {
|
|
112
|
+
refs.push({ path, line: node.range().start.line + 1, via: "bare-path" });
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
return refs;
|
|
117
|
+
}
|
|
118
|
+
|
|
119
|
+
export function extractJsFileRefs(
|
|
120
|
+
context: AnalyzerContext,
|
|
121
|
+
content: string,
|
|
122
|
+
): Promise<FileRefDiscovery[]> {
|
|
123
|
+
return extractJsLikeFileRefs("javascript", context, content);
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
export function extractTsFileRefs(
|
|
127
|
+
context: AnalyzerContext,
|
|
128
|
+
content: string,
|
|
129
|
+
): Promise<FileRefDiscovery[]> {
|
|
130
|
+
return extractJsLikeFileRefs("typescript", context, content);
|
|
131
|
+
}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const JAVASCRIPT_FILESYSTEM_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "fs-read-js",
|
|
6
|
+
description: "Detects JS file reads",
|
|
7
|
+
grammar: "javascript",
|
|
8
|
+
patterns: ["Deno.readTextFile($FILE)", "Deno.readFile($FILE)", "readFileSync($FILE)"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "read",
|
|
11
|
+
scope: "fs",
|
|
12
|
+
permission: "read",
|
|
13
|
+
metadata: { file: "FILE" },
|
|
14
|
+
},
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
id: "fs-write-js",
|
|
18
|
+
description: "Detects JS file writes",
|
|
19
|
+
grammar: "javascript",
|
|
20
|
+
patterns: ["Deno.writeTextFile($FILE, $CONTENT)", "Deno.writeFile($FILE, $CONTENT)"],
|
|
21
|
+
permission: {
|
|
22
|
+
tool: "write",
|
|
23
|
+
scope: "fs",
|
|
24
|
+
permission: "write",
|
|
25
|
+
metadata: { file: "FILE" },
|
|
26
|
+
},
|
|
27
|
+
},
|
|
28
|
+
];
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const JAVASCRIPT_INJECTION_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "inject-eval",
|
|
6
|
+
description: "Detects eval-style execution",
|
|
7
|
+
grammar: "javascript",
|
|
8
|
+
patterns: ["eval($CODE)", "new Function($CODE)", "exec($CODE)"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "eval",
|
|
11
|
+
scope: "sys",
|
|
12
|
+
permission: "shell",
|
|
13
|
+
metadata: { code: "CODE" },
|
|
14
|
+
mappedRisks: [{
|
|
15
|
+
code: "INJECTION:command_injection",
|
|
16
|
+
severity: "critical",
|
|
17
|
+
message: "Dynamic code execution detected",
|
|
18
|
+
}],
|
|
19
|
+
},
|
|
20
|
+
},
|
|
21
|
+
];
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
import { FileTypeConfig } from "../../types.js";
|
|
3
|
+
import { extractJsFileRefs, extractTsFileRefs } from "./extractFileRefs.js";
|
|
4
|
+
import { JAVASCRIPT_FILESYSTEM_RULES } from "./filesystem.js";
|
|
5
|
+
import { JAVASCRIPT_INJECTION_RULES } from "./injection.js";
|
|
6
|
+
import { JAVASCRIPT_NETWORK_RULES } from "./network.js";
|
|
7
|
+
import { JAVASCRIPT_SECRET_DETECTION_RULES } from "./secret-detection.js";
|
|
8
|
+
import { JAVASCRIPT_SUBPROCESS_RULES } from "./subprocess.js";
|
|
9
|
+
|
|
10
|
+
export const JAVASCRIPT_RULES: AstGrepRule[] = [
|
|
11
|
+
...JAVASCRIPT_NETWORK_RULES,
|
|
12
|
+
...JAVASCRIPT_FILESYSTEM_RULES,
|
|
13
|
+
...JAVASCRIPT_INJECTION_RULES,
|
|
14
|
+
...JAVASCRIPT_SUBPROCESS_RULES,
|
|
15
|
+
...JAVASCRIPT_SECRET_DETECTION_RULES,
|
|
16
|
+
];
|
|
17
|
+
|
|
18
|
+
export const JAVASCRIPT_FILETYPE_CONFIGS: FileTypeConfig = {
|
|
19
|
+
defaultLanguage: "javascript",
|
|
20
|
+
extractFileRefs: extractJsFileRefs,
|
|
21
|
+
};
|
|
22
|
+
|
|
23
|
+
export const TYPESCRIPT_FILETYPE_CONFIGS: FileTypeConfig = {
|
|
24
|
+
defaultLanguage: "typescript",
|
|
25
|
+
extractFileRefs: extractTsFileRefs,
|
|
26
|
+
};
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
import { DETECT_NETWORK_FETCH_RISKS } from "../shared/network-evaluators.js";
|
|
3
|
+
|
|
4
|
+
export const JAVASCRIPT_NETWORK_RULES: AstGrepRule[] = [
|
|
5
|
+
{
|
|
6
|
+
id: "net-fetch",
|
|
7
|
+
description: "Detects fetch() calls",
|
|
8
|
+
grammar: "javascript",
|
|
9
|
+
patterns: [
|
|
10
|
+
"fetch($URL)",
|
|
11
|
+
"fetch($URL, { method: $METHOD })",
|
|
12
|
+
"fetch($URL, { headers: $HEADERS })",
|
|
13
|
+
"fetch($URL, { method: $METHOD, headers: $HEADERS })",
|
|
14
|
+
],
|
|
15
|
+
permission: {
|
|
16
|
+
tool: "fetch",
|
|
17
|
+
scope: "net",
|
|
18
|
+
permission: "fetch",
|
|
19
|
+
metadata: {
|
|
20
|
+
url: "URL",
|
|
21
|
+
method: "METHOD",
|
|
22
|
+
headers: "HEADERS",
|
|
23
|
+
},
|
|
24
|
+
mappedRisks: [DETECT_NETWORK_FETCH_RISKS],
|
|
25
|
+
},
|
|
26
|
+
},
|
|
27
|
+
];
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
import { DETECT_SECRET_NAME_RISK } from "../shared/secret-evaluators.js";
|
|
3
|
+
|
|
4
|
+
export const JAVASCRIPT_SECRET_DETECTION_RULES: AstGrepRule[] = [
|
|
5
|
+
{
|
|
6
|
+
id: "secret-js-deno-env-read",
|
|
7
|
+
description: "Detects Deno.env.get access",
|
|
8
|
+
grammar: "javascript",
|
|
9
|
+
patterns: ["Deno.env.get($KEY)"],
|
|
10
|
+
permission: {
|
|
11
|
+
tool: "env",
|
|
12
|
+
scope: "env",
|
|
13
|
+
permission: "read",
|
|
14
|
+
metadata: { key: "KEY" },
|
|
15
|
+
mappedRisks: [DETECT_SECRET_NAME_RISK],
|
|
16
|
+
},
|
|
17
|
+
},
|
|
18
|
+
{
|
|
19
|
+
id: "secret-js-node-env-read-bracket",
|
|
20
|
+
description: "Detects process.env[key] access",
|
|
21
|
+
grammar: "javascript",
|
|
22
|
+
patterns: ["process.env[$KEY]"],
|
|
23
|
+
permission: {
|
|
24
|
+
tool: "env",
|
|
25
|
+
scope: "env",
|
|
26
|
+
permission: "read",
|
|
27
|
+
metadata: { key: "KEY" },
|
|
28
|
+
mappedRisks: [DETECT_SECRET_NAME_RISK],
|
|
29
|
+
},
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
id: "secret-js-node-env-read-dot",
|
|
33
|
+
description: "Detects process.env.KEY access",
|
|
34
|
+
grammar: "javascript",
|
|
35
|
+
patterns: ["process.env.$KEY"],
|
|
36
|
+
permission: {
|
|
37
|
+
tool: "env",
|
|
38
|
+
scope: "env",
|
|
39
|
+
permission: "read",
|
|
40
|
+
metadata: { key: "KEY" },
|
|
41
|
+
mappedRisks: [DETECT_SECRET_NAME_RISK],
|
|
42
|
+
},
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
id: "secret-js-deno-env-write",
|
|
46
|
+
description: "Detects Deno.env.set access",
|
|
47
|
+
grammar: "javascript",
|
|
48
|
+
patterns: ["Deno.env.set($KEY, $VALUE)"],
|
|
49
|
+
permission: {
|
|
50
|
+
tool: "env",
|
|
51
|
+
scope: "env",
|
|
52
|
+
permission: "write",
|
|
53
|
+
metadata: { key: "KEY" },
|
|
54
|
+
},
|
|
55
|
+
},
|
|
56
|
+
{
|
|
57
|
+
id: "secret-js-node-env-write",
|
|
58
|
+
description: "Detects process.env assignments",
|
|
59
|
+
grammar: "javascript",
|
|
60
|
+
patterns: ["process.env.$KEY = $VALUE", "process.env[$KEY] = $VALUE"],
|
|
61
|
+
permission: {
|
|
62
|
+
tool: "env",
|
|
63
|
+
scope: "env",
|
|
64
|
+
permission: "write",
|
|
65
|
+
metadata: { key: "KEY" },
|
|
66
|
+
},
|
|
67
|
+
},
|
|
68
|
+
];
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const JAVASCRIPT_SUBPROCESS_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-subprocess-js",
|
|
6
|
+
description: "Detects JS subprocess execution",
|
|
7
|
+
grammar: "javascript",
|
|
8
|
+
patterns: ["Deno.Command($CMD)", "spawn($CMD)", "exec($CMD)"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "subprocess",
|
|
11
|
+
scope: "sys",
|
|
12
|
+
permission: "subprocess",
|
|
13
|
+
metadata: { command: "CMD" },
|
|
14
|
+
},
|
|
15
|
+
},
|
|
16
|
+
];
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
/** ast-grep node types for the Markdown block grammar (@ast-grep/lang-markdown). */
|
|
2
|
+
export const MARKDOWN_NODE = {
|
|
3
|
+
CODE_FENCE_BLOCK: "fenced_code_block",
|
|
4
|
+
CODE_FENCE_CONTENT: "code_fence_content",
|
|
5
|
+
CODE_FENCE_LANGUAGE: "language",
|
|
6
|
+
INFO_STRING: "info_string",
|
|
7
|
+
PARAGRAPH: "paragraph",
|
|
8
|
+
INLINE: "inline",
|
|
9
|
+
} as const;
|
|
10
|
+
|
|
11
|
+
/** tree-sitter node types for the Markdown inline grammar ("markdown-inline"). */
|
|
12
|
+
export const MARKDOWN_INLINE_NODE = {
|
|
13
|
+
INLINE_LINK: "inline_link",
|
|
14
|
+
LINK_DESTINATION: "link_destination",
|
|
15
|
+
CODE_SPAN: "code_span",
|
|
16
|
+
TEXT: "text",
|
|
17
|
+
} as const;
|
|
18
|
+
|
|
19
|
+
/**
|
|
20
|
+
* Pre-built tree-sitter S-expression query strings for the Markdown inline grammar.
|
|
21
|
+
* Pass these to treesitterClient.createQuery("markdown-inline", …) — results are cached
|
|
22
|
+
* by TreesitterClient so compilation happens only once per client instance.
|
|
23
|
+
*/
|
|
24
|
+
export const MARKDOWN_INLINE_QUERY = {
|
|
25
|
+
INLINE_LINK_DEST:
|
|
26
|
+
`(${MARKDOWN_INLINE_NODE.INLINE_LINK} (${MARKDOWN_INLINE_NODE.LINK_DESTINATION}) @dest)`,
|
|
27
|
+
CODE_SPAN: `(${MARKDOWN_INLINE_NODE.CODE_SPAN}) @code`,
|
|
28
|
+
TEXT: `(${MARKDOWN_INLINE_NODE.TEXT}) @text`,
|
|
29
|
+
} as const;
|
|
30
|
+
|
|
31
|
+
/** tree-sitter query strings for the Markdown block grammar ("markdown"). */
|
|
32
|
+
export const MARKDOWN_QUERY = {
|
|
33
|
+
FENCED_BLOCK: `(${MARKDOWN_NODE.CODE_FENCE_BLOCK}) @block`,
|
|
34
|
+
INLINE: `(${MARKDOWN_NODE.INLINE}) @inline`,
|
|
35
|
+
} as const;
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
import { FILETYPE_BY_LANGUAGE } from "../../../shared/mod.js";
|
|
2
|
+
import type { AnalyzerContext, CodeBlock } from "../../types.js";
|
|
3
|
+
import { MARKDOWN_INLINE_QUERY, MARKDOWN_NODE, MARKDOWN_QUERY } from "./astTypes.js";
|
|
4
|
+
import type { Node as TsNode } from "web-tree-sitter";
|
|
5
|
+
|
|
6
|
+
/**
|
|
7
|
+
* For markdown we use treesitter query directly
|
|
8
|
+
* as AST-grep doesn't support inline markdown
|
|
9
|
+
*/
|
|
10
|
+
export async function extractCodeBlocks(
|
|
11
|
+
context: AnalyzerContext,
|
|
12
|
+
content: string,
|
|
13
|
+
): Promise<CodeBlock[]> {
|
|
14
|
+
const blocks: CodeBlock[] = [];
|
|
15
|
+
|
|
16
|
+
try {
|
|
17
|
+
const blockTree = await context.treesitterClient.parse("markdown", content);
|
|
18
|
+
|
|
19
|
+
const fencedBlockQuery = await context.treesitterClient.createQuery(
|
|
20
|
+
"markdown",
|
|
21
|
+
MARKDOWN_QUERY.FENCED_BLOCK,
|
|
22
|
+
);
|
|
23
|
+
|
|
24
|
+
for (const match of fencedBlockQuery.matches(blockTree.rootNode)) {
|
|
25
|
+
for (const capture of match.captures) {
|
|
26
|
+
if (capture.name !== "block") continue;
|
|
27
|
+
const blockNode = capture.node as TsNode;
|
|
28
|
+
|
|
29
|
+
const startLine = blockNode.startPosition.row + 1;
|
|
30
|
+
const endLine = blockNode.endPosition.row + 1;
|
|
31
|
+
|
|
32
|
+
const languageNode = blockNode.children.find((child: TsNode | null) =>
|
|
33
|
+
child !== null &&
|
|
34
|
+
(child.type === MARKDOWN_NODE.CODE_FENCE_LANGUAGE ||
|
|
35
|
+
child.type === MARKDOWN_NODE.INFO_STRING)
|
|
36
|
+
);
|
|
37
|
+
const fenceLanguage = FILETYPE_BY_LANGUAGE[
|
|
38
|
+
(languageNode?.text ?? "").trim().toLowerCase()
|
|
39
|
+
] ?? null;
|
|
40
|
+
|
|
41
|
+
const contentNode = blockNode.children.find((child: TsNode | null) =>
|
|
42
|
+
child !== null && child.type === MARKDOWN_NODE.CODE_FENCE_CONTENT
|
|
43
|
+
);
|
|
44
|
+
const codeContent = (contentNode?.text ?? "")
|
|
45
|
+
.replace(/\n?[`~]{3,}[^\n]*\s*$/, "")
|
|
46
|
+
.trimEnd();
|
|
47
|
+
if (!codeContent.trim()) continue;
|
|
48
|
+
|
|
49
|
+
blocks.push({
|
|
50
|
+
language: fenceLanguage ?? "text",
|
|
51
|
+
content: codeContent,
|
|
52
|
+
startLine,
|
|
53
|
+
endLine,
|
|
54
|
+
type: "script",
|
|
55
|
+
});
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
|
|
59
|
+
const inlineNodeQuery = await context.treesitterClient.createQuery(
|
|
60
|
+
"markdown",
|
|
61
|
+
MARKDOWN_QUERY.INLINE,
|
|
62
|
+
);
|
|
63
|
+
const inlineParser = await context.treesitterClient.getParser("markdown-inline");
|
|
64
|
+
const codeSpanQuery = await context.treesitterClient.createQuery(
|
|
65
|
+
"markdown-inline",
|
|
66
|
+
MARKDOWN_INLINE_QUERY.CODE_SPAN,
|
|
67
|
+
);
|
|
68
|
+
|
|
69
|
+
for (const inlineMatch of inlineNodeQuery.matches(blockTree.rootNode)) {
|
|
70
|
+
for (const inlineCapture of inlineMatch.captures) {
|
|
71
|
+
if (inlineCapture.name !== "inline") continue;
|
|
72
|
+
const inlineNode = inlineCapture.node as TsNode;
|
|
73
|
+
|
|
74
|
+
const inlineTree = inlineParser.parse(inlineNode.text);
|
|
75
|
+
if (!inlineTree) continue;
|
|
76
|
+
|
|
77
|
+
for (const codeMatch of codeSpanQuery.matches(inlineTree.rootNode)) {
|
|
78
|
+
for (const codeCapture of codeMatch.captures) {
|
|
79
|
+
if (codeCapture.name !== "code") continue;
|
|
80
|
+
const spanNode = codeCapture.node as TsNode;
|
|
81
|
+
|
|
82
|
+
const snippet = spanNode.text.replace(/^`+/, "").replace(/`+$/, "").trim();
|
|
83
|
+
if (!snippet || snippet.length > 200 || !/^[a-z]/i.test(snippet)) continue;
|
|
84
|
+
|
|
85
|
+
blocks.push({
|
|
86
|
+
language: "bash",
|
|
87
|
+
content: snippet,
|
|
88
|
+
startLine: inlineNode.startPosition.row + 1,
|
|
89
|
+
endLine: inlineNode.startPosition.row + 1,
|
|
90
|
+
type: "inline",
|
|
91
|
+
});
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
} catch (error) {
|
|
97
|
+
throw new Error(`Failed to extract code blocks from markdown: ${error}`);
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
return blocks;
|
|
101
|
+
}
|
|
@@ -0,0 +1,179 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* AST-based file reference extractor for Markdown content.
|
|
3
|
+
*
|
|
4
|
+
* Extracts file path references using:
|
|
5
|
+
* - tree-sitter block grammar + MARKDOWN_QUERY.INLINE to find inline nodes
|
|
6
|
+
* - tree-sitter inline grammar for inline_link, code_span, text nodes
|
|
7
|
+
* - regex fallback if AST parsing fails
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
import { BARE_PATH_PATTERN, isUrl, looksLikePath } from "../shared/file-refs.js";
|
|
11
|
+
import type { AnalyzerContext, FileRefDiscovery } from "../../types.js";
|
|
12
|
+
import { MARKDOWN_INLINE_QUERY, MARKDOWN_QUERY } from "./astTypes.js";
|
|
13
|
+
import type { Node as TsNode } from "web-tree-sitter";
|
|
14
|
+
|
|
15
|
+
export async function extractMarkdownFileRefs(
|
|
16
|
+
context: AnalyzerContext,
|
|
17
|
+
content: string,
|
|
18
|
+
): Promise<FileRefDiscovery[]> {
|
|
19
|
+
try {
|
|
20
|
+
const refs: FileRefDiscovery[] = [];
|
|
21
|
+
const blockTree = await context.treesitterClient.parse("markdown", content);
|
|
22
|
+
|
|
23
|
+
const inlineNodeQuery = await context.treesitterClient.createQuery(
|
|
24
|
+
"markdown",
|
|
25
|
+
MARKDOWN_QUERY.INLINE,
|
|
26
|
+
);
|
|
27
|
+
const inlineParser = await context.treesitterClient.getParser("markdown-inline");
|
|
28
|
+
|
|
29
|
+
const linkDestQuery = await context.treesitterClient.createQuery(
|
|
30
|
+
"markdown-inline",
|
|
31
|
+
MARKDOWN_INLINE_QUERY.INLINE_LINK_DEST,
|
|
32
|
+
);
|
|
33
|
+
const codeSpanQuery = await context.treesitterClient.createQuery(
|
|
34
|
+
"markdown-inline",
|
|
35
|
+
MARKDOWN_INLINE_QUERY.CODE_SPAN,
|
|
36
|
+
);
|
|
37
|
+
const textQuery = await context.treesitterClient.createQuery(
|
|
38
|
+
"markdown-inline",
|
|
39
|
+
MARKDOWN_INLINE_QUERY.TEXT,
|
|
40
|
+
);
|
|
41
|
+
|
|
42
|
+
for (const inlineMatch of inlineNodeQuery.matches(blockTree.rootNode)) {
|
|
43
|
+
for (const inlineCapture of inlineMatch.captures) {
|
|
44
|
+
if (inlineCapture.name !== "inline") continue;
|
|
45
|
+
const inlineNode = inlineCapture.node as TsNode;
|
|
46
|
+
const blockLine = inlineNode.startPosition.row;
|
|
47
|
+
|
|
48
|
+
const inlineTree = inlineParser.parse(inlineNode.text);
|
|
49
|
+
if (!inlineTree) continue;
|
|
50
|
+
const inlineRoot = inlineTree.rootNode;
|
|
51
|
+
|
|
52
|
+
for (const match of linkDestQuery.matches(inlineRoot)) {
|
|
53
|
+
for (const capture of match.captures) {
|
|
54
|
+
if (capture.name !== "dest") continue;
|
|
55
|
+
const destNode = capture.node as TsNode;
|
|
56
|
+
const path = destNode.text.trim();
|
|
57
|
+
if (!path || isUrl(path) || path.startsWith("#")) continue;
|
|
58
|
+
refs.push({ path, line: blockLine + 1, via: "markdown-link" });
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
for (const match of codeSpanQuery.matches(inlineRoot)) {
|
|
63
|
+
for (const capture of match.captures) {
|
|
64
|
+
if (capture.name !== "code") continue;
|
|
65
|
+
const codeNode = capture.node as TsNode;
|
|
66
|
+
const snippet = codeNode.text.replace(/^`+/, "").replace(/`+$/, "").trim();
|
|
67
|
+
if (!snippet) continue;
|
|
68
|
+
const parts = snippet.split(/\s+/);
|
|
69
|
+
for (let pi = 0; pi < parts.length; pi++) {
|
|
70
|
+
const part = parts[pi];
|
|
71
|
+
if (pi === 0 && !part.includes("/") && !part.includes(".")) continue;
|
|
72
|
+
if (looksLikePath(part) && !isUrl(part)) {
|
|
73
|
+
refs.push({ path: part, line: blockLine + 1, via: "inline-code" });
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
for (const match of textQuery.matches(inlineRoot)) {
|
|
80
|
+
for (const capture of match.captures) {
|
|
81
|
+
if (capture.name !== "text") continue;
|
|
82
|
+
const textNode = capture.node as TsNode;
|
|
83
|
+
BARE_PATH_PATTERN.lastIndex = 0;
|
|
84
|
+
for (const pathMatch of textNode.text.matchAll(BARE_PATH_PATTERN)) {
|
|
85
|
+
const path = pathMatch[0].trim();
|
|
86
|
+
if (!path || isUrl(path) || !looksLikePath(path)) continue;
|
|
87
|
+
refs.push({ path, line: blockLine + 1, via: "bare-path" });
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
return deduplicateRefs(refs);
|
|
95
|
+
} catch {
|
|
96
|
+
// Fallback to regex-based extraction if AST parsing is unavailable
|
|
97
|
+
return extractMarkdownFileRefsRegex(content);
|
|
98
|
+
}
|
|
99
|
+
}
|
|
100
|
+
|
|
101
|
+
/**
|
|
102
|
+
* Deduplicate refs, preferring higher-specificity discovery methods.
|
|
103
|
+
* Priority: markdown-link > inline-code > bare-path
|
|
104
|
+
*/
|
|
105
|
+
function deduplicateRefs(refs: FileRefDiscovery[]): FileRefDiscovery[] {
|
|
106
|
+
const priority: Record<string, number> = {
|
|
107
|
+
"markdown-link": 3,
|
|
108
|
+
"inline-code": 2,
|
|
109
|
+
"bare-path": 1,
|
|
110
|
+
"import": 2,
|
|
111
|
+
"url": 3,
|
|
112
|
+
"source": 2,
|
|
113
|
+
};
|
|
114
|
+
|
|
115
|
+
const best = new Map<string, FileRefDiscovery>();
|
|
116
|
+
for (const ref of refs) {
|
|
117
|
+
const key = `${ref.path}:${ref.line}`;
|
|
118
|
+
const existing = best.get(key);
|
|
119
|
+
if (!existing || (priority[ref.via] ?? 0) > (priority[existing.via] ?? 0)) {
|
|
120
|
+
best.set(key, ref);
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
return Array.from(best.values());
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
/**
|
|
128
|
+
* Regex-based fallback for when AST parsing is unavailable.
|
|
129
|
+
*/
|
|
130
|
+
function extractMarkdownFileRefsRegex(content: string): FileRefDiscovery[] {
|
|
131
|
+
const refs: FileRefDiscovery[] = [];
|
|
132
|
+
const lines = content.split("\n");
|
|
133
|
+
let inFencedBlock = false;
|
|
134
|
+
|
|
135
|
+
const markdownLink = /\[[^\]]+\]\(([^)]+)\)/g;
|
|
136
|
+
const inlineCode = /`([^`\n]+)`/g;
|
|
137
|
+
|
|
138
|
+
for (let i = 0; i < lines.length; i++) {
|
|
139
|
+
const line = lines[i];
|
|
140
|
+
const lineNo = i + 1;
|
|
141
|
+
|
|
142
|
+
if (/^[ \t]*(`{3,}|~{3,})/.test(line)) {
|
|
143
|
+
inFencedBlock = !inFencedBlock;
|
|
144
|
+
continue;
|
|
145
|
+
}
|
|
146
|
+
if (inFencedBlock) continue;
|
|
147
|
+
|
|
148
|
+
markdownLink.lastIndex = 0;
|
|
149
|
+
for (const match of line.matchAll(markdownLink)) {
|
|
150
|
+
const path = match[1]?.trim();
|
|
151
|
+
if (path && !isUrl(path) && !path.startsWith("#")) {
|
|
152
|
+
refs.push({ path, line: lineNo, via: "markdown-link" });
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
inlineCode.lastIndex = 0;
|
|
157
|
+
for (const match of line.matchAll(inlineCode)) {
|
|
158
|
+
const parts = match[1].trim().split(/\s+/);
|
|
159
|
+
for (let pi = 0; pi < parts.length; pi++) {
|
|
160
|
+
const part = parts[pi];
|
|
161
|
+
if (pi === 0 && !part.includes("/") && !part.includes(".")) continue;
|
|
162
|
+
if (looksLikePath(part) && !isUrl(part)) {
|
|
163
|
+
refs.push({ path: part, line: lineNo, via: "inline-code" });
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
const maskedLine = line.replace(/\[[^\]]*\]\([^)]*\)/g, "");
|
|
169
|
+
BARE_PATH_PATTERN.lastIndex = 0;
|
|
170
|
+
for (const match of maskedLine.matchAll(BARE_PATH_PATTERN)) {
|
|
171
|
+
const path = match[0].trim();
|
|
172
|
+
if (path && looksLikePath(path) && !isUrl(path)) {
|
|
173
|
+
refs.push({ path, line: lineNo, via: "bare-path" });
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
return deduplicateRefs(refs);
|
|
179
|
+
}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../astgrep/client.js";
|
|
2
|
+
import { extractCodeBlocks } from "./extractCodeBlocks.js";
|
|
3
|
+
import { FileTypeConfig } from "../../types.js";
|
|
4
|
+
import { extractMarkdownFileRefs } from "./extractFileRefs.js";
|
|
5
|
+
|
|
6
|
+
export const MARKDOWN_RULES: AstGrepRule[] = [];
|
|
7
|
+
|
|
8
|
+
export const MARKDOWN_FILETYPE_CONFIG: FileTypeConfig = {
|
|
9
|
+
extractCodeBlocks,
|
|
10
|
+
defaultLanguage: "markdown",
|
|
11
|
+
extractFileRefs: extractMarkdownFileRefs,
|
|
12
|
+
};
|