@havoc-security/scanner 0.1.0

package/src/analyzers/SecurityHeaderAnalyzer.ts

@@ -0,0 +1,263 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile, Severity } from '../types/index.js';
+
+// ─── Constants ────────────────────────────────────────────────────────────────
+
+const ANALYZER_NAME = 'SecurityHeaderAnalyzer';
+
+const FINDING_MISSING_HEADER_MEDIUM = 'HAVOC-HEADER-001';
+const FINDING_MISSING_HEADER_LOW = 'HAVOC-HEADER-002';
+const FINDING_NO_HTTPS = 'HAVOC-HEADER-003';
+const FINDING_MISSING_HEADER_INFO = 'HAVOC-HEADER-004';
+
+interface SecurityHeader {
+  name: string;
+  description: string;
+  cwe: string;
+  severity: Severity;
+  findingId: string;
+  recommendation: string;
+  /** Patterns that indicate this header is already set */
+  detectionPatterns: RegExp[];
+}
+
+const SECURITY_HEADERS: SecurityHeader[] = [
+  {
+    name: 'X-Frame-Options',
+    description:
+      'The `X-Frame-Options` header (or `Content-Security-Policy: frame-ancestors`) is not set. ' +
+      'Without this header, the application may be vulnerable to clickjacking attacks.',
+    cwe: 'CWE-1021',
+    severity: Severity.Medium,
+    findingId: FINDING_MISSING_HEADER_MEDIUM,
+    recommendation:
+      'Add `X-Frame-Options: SAMEORIGIN` or use `Content-Security-Policy: frame-ancestors \'self\'` ' +
+      'in a security headers middleware.',
+    detectionPatterns: [
+      /X-Frame-Options/i,
+      /frame-ancestors/i,
+      /PreventClickjacking/i,
+      /FrameOptions/i,
+    ],
+  },
+  {
+    name: 'X-Content-Type-Options',
+    description:
+      'The `X-Content-Type-Options: nosniff` header is not set. ' +
+      'Without it, browsers may MIME-sniff responses, potentially executing malicious content.',
+    cwe: 'CWE-693',
+    severity: Severity.Medium,
+    findingId: FINDING_MISSING_HEADER_MEDIUM,
+    recommendation:
+      'Add `X-Content-Type-Options: nosniff` in a security headers middleware.',
+    detectionPatterns: [
+      /X-Content-Type-Options/i,
+      /nosniff/i,
+      /ContentTypeOptions/i,
+    ],
+  },
+  {
+    name: 'Strict-Transport-Security',
+    description:
+      'The `Strict-Transport-Security` (HSTS) header is not set. ' +
+      'Without HSTS, the application is vulnerable to SSL-stripping attacks.',
+    cwe: 'CWE-319',
+    severity: Severity.Medium,
+    findingId: FINDING_MISSING_HEADER_MEDIUM,
+    recommendation:
+      'Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` ' +
+      'in a security headers middleware. Ensure HTTPS is enforced.',
+    detectionPatterns: [
+      /Strict-Transport-Security/i,
+      /HSTS/i,
+      /StrictTransportSecurity/i,
+    ],
+  },
+  {
+    name: 'Content-Security-Policy',
+    description:
+      'No `Content-Security-Policy` header was detected. ' +
+      'CSP helps mitigate XSS and data-injection attacks.',
+    cwe: 'CWE-693',
+    severity: Severity.Medium,
+    findingId: FINDING_MISSING_HEADER_MEDIUM,
+    recommendation:
+      'Define a `Content-Security-Policy` header in a security headers middleware. ' +
+      'Start restrictively and relax only as needed.',
+    detectionPatterns: [
+      /Content-Security-Policy/i,
+      /ContentSecurityPolicy/i,
+      /CSP/,
+    ],
+  },
+  {
+    name: 'X-XSS-Protection',
+    description:
+      'The `X-XSS-Protection` header is not set. ' +
+      'While modern browsers have deprecated this header in favour of CSP, it still provides ' +
+      'protection in older browsers.',
+    cwe: 'CWE-79',
+    severity: Severity.Low,
+    findingId: FINDING_MISSING_HEADER_LOW,
+    recommendation:
+      'Add `X-XSS-Protection: 1; mode=block` in a security headers middleware. ' +
+      'Note: this header is deprecated; prefer a strong Content-Security-Policy.',
+    detectionPatterns: [
+      /X-XSS-Protection/i,
+      /XssProtection/i,
+    ],
+  },
+  {
+    name: 'Referrer-Policy',
+    description:
+      'No `Referrer-Policy` header was detected. ' +
+      'Without this header, full URLs (including query strings with sensitive data) may be sent ' +
+      'in the `Referer` header to third parties.',
+    cwe: 'CWE-116',
+    severity: Severity.Low,
+    findingId: FINDING_MISSING_HEADER_LOW,
+    recommendation:
+      'Add `Referrer-Policy: strict-origin-when-cross-origin` in a security headers middleware.',
+    detectionPatterns: [
+      /Referrer-Policy/i,
+      /ReferrerPolicy/i,
+    ],
+  },
+  {
+    name: 'Permissions-Policy',
+    description:
+      'No `Permissions-Policy` header was detected. ' +
+      'This header lets you control which browser features (camera, microphone, geolocation) ' +
+      'the application may use.',
+    cwe: 'CWE-693',
+    severity: Severity.Info,
+    findingId: FINDING_MISSING_HEADER_INFO,
+    recommendation:
+      'Add a `Permissions-Policy` header to restrict unused browser features: ' +
+      '`Permissions-Policy: camera=(), microphone=(), geolocation=()`.',
+    detectionPatterns: [
+      /Permissions-Policy/i,
+      /Feature-Policy/i,
+      /PermissionsPolicy/i,
+    ],
+  },
+];
+
+/** Patterns that indicate HTTPS enforcement */
+const HTTPS_ENFORCEMENT_PATTERNS = [
+  /URL\s*::\s*forceScheme\s*\(\s*['"]https['"]/i,
+  /forceHttps\s*\(/i,
+  /FORCE_HTTPS/i,
+  /->forceScheme\s*\(\s*['"]https['"]/i,
+  /SecureHeaders/i,
+];
+
+/** Files that are relevant to check for security configuration */
+const RELEVANT_FILE_PATTERNS = [
+  /app\/Http\/Middleware/,
+  /app\\Http\\Middleware/,
+  /bootstrap\/app\.php/,
+  /bootstrap\\app\.php/,
+  /app\/Http\/Kernel\.php/,
+  /app\\Http\\Kernel\.php/,
+  /app\/Providers\/AppServiceProvider\.php/,
+  /app\\Providers\\AppServiceProvider\.php/,
+];
+
+function isRelevantFile(path: string): boolean {
+  return RELEVANT_FILE_PATTERNS.some((re) => re.test(path));
+}
+
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+
+export class SecurityHeaderAnalyzer implements Analyzer {
+  readonly name = ANALYZER_NAME;
+  readonly description =
+    'Checks for missing security headers middleware and HTTPS enforcement in Laravel applications';
+
+  async analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    // Collect all content from relevant configuration files
+    const relevantContent = files
+      .filter((f) => isRelevantFile(f.path))
+      .map((f) => f.content)
+      .join('\n');
+
+    // Also check all PHP files for header-related content
+    const allPhpContent = files
+      .filter((f) => f.path.endsWith('.php') && !f.path.endsWith('.blade.php'))
+      .map((f) => f.content)
+      .join('\n');
+
+    const combinedContent = relevantContent + '\n' + allPhpContent;
+
+    // If no PHP files found, skip (not a PHP project)
+    if (files.filter((f) => f.path.endsWith('.php') && !f.path.endsWith('.blade.php')).length === 0) {
+      return findings;
+    }
+
+    // ── Check each security header ─────────────────────────────────────────
+    for (const header of SECURITY_HEADERS) {
+      const isDetected = header.detectionPatterns.some((re) => re.test(combinedContent));
+
+      if (!isDetected) {
+        // Find the best file to attach the finding to
+        const kernelFile = files.find(
+          (f) =>
+            f.path.includes('Kernel.php') ||
+            f.path.includes('bootstrap/app.php') ||
+            f.path.includes('bootstrap\\app.php'),
+        );
+        const targetFile = kernelFile ?? files.find((f) => f.path.endsWith('.php'));
+
+        if (!targetFile) continue;
+
+        findings.push({
+          id: header.findingId,
+          severity: header.severity,
+          analyzer: ANALYZER_NAME,
+          title: `Missing security header: ${header.name}`,
+          description: header.description,
+          file: targetFile.path,
+          line: 1,
+          recommendation: header.recommendation,
+          cwe: header.cwe,
+        });
+      }
+    }
+
+    // ── Check HTTPS enforcement ────────────────────────────────────────────
+    const httpsEnforced = HTTPS_ENFORCEMENT_PATTERNS.some((re) => re.test(combinedContent));
+
+    if (!httpsEnforced) {
+      const serviceProviderFile = files.find(
+        (f) =>
+          f.path.includes('AppServiceProvider.php') ||
+          f.path.includes('Kernel.php') ||
+          f.path.includes('bootstrap/app.php') ||
+          f.path.includes('bootstrap\\app.php'),
+      );
+      const targetFile = serviceProviderFile ?? files.find((f) => f.path.endsWith('.php'));
+
+      if (targetFile) {
+        findings.push({
+          id: FINDING_NO_HTTPS,
+          severity: Severity.Medium,
+          analyzer: ANALYZER_NAME,
+          title: 'HTTPS enforcement not detected',
+          description:
+            'No HTTPS enforcement was detected in `AppServiceProvider` or application middleware. ' +
+            'Without enforcing HTTPS, users may access the application over unencrypted HTTP.',
+          file: targetFile.path,
+          line: 1,
+          recommendation:
+            'Add `URL::forceScheme(\'https\')` in `AppServiceProvider::boot()` for production environments, ' +
+            'or configure `FORCE_HTTPS=true` in your environment and handle it in middleware.',
+          cwe: 'CWE-319',
+        });
+      }
+    }
+
+    return findings;
+  }
+}

package/src/analyzers/SessionSecurityAnalyzer.ts

@@ -0,0 +1,342 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile, Severity } from '../types/index.js';
+
+// ─── Constants ────────────────────────────────────────────────────────────────
+
+const ANALYZER_NAME = 'SessionSecurityAnalyzer';
+
+const FINDING_SECURE_COOKIE = 'HAVOC-SESS-001';
+const FINDING_HTTP_ONLY = 'HAVOC-SESS-002';
+const FINDING_SAME_SITE = 'HAVOC-SESS-003';
+const FINDING_FILE_DRIVER = 'HAVOC-SESS-004';
+const FINDING_CSRF_EXCLUSION = 'HAVOC-SESS-005';
+const FINDING_SESSION_LIFETIME = 'HAVOC-SESS-006';
+const FINDING_COOKIE_ENCRYPTION = 'HAVOC-SESS-007';
+
+const SESSION_LIFETIME_THRESHOLD = 480; // minutes
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function isSessionConfig(path: string): boolean {
+  return path === 'config/session.php' || path.endsWith('/config/session.php');
+}
+
+function isBootstrapApp(path: string): boolean {
+  return path === 'bootstrap/app.php' || path.endsWith('/bootstrap/app.php');
+}
+
+function isMiddlewareFile(path: string): boolean {
+  return path.includes('Middleware') && path.endsWith('.php');
+}
+
+function findLineNumber(content: string, matchIndex: number): number {
+  return content.slice(0, matchIndex).split('\n').length;
+}
+
+/**
+ * Extract a config value from a PHP config file.
+ *
+ * Handles:
+ *  - scalar booleans: `'key' => true`
+ *  - scalar strings: `'key' => 'value'`
+ *  - env() calls with inner commas: `'key' => env('VAR', 'default')`
+ *  - integer literals: `'key' => 120`
+ *
+ * Returns the raw matched value string, or null if the key isn't found.
+ */
+function extractConfigValue(content: string, key: string): string | null {
+  // Match the key, then capture either:
+  //   - an env(...) call (balancing parentheses up to closing paren)
+  //   - a quoted string
+  //   - a bare token (true/false/null/number)
+  const keyPattern = new RegExp(`['"]${key}['"]\\s*=>\\s*`, 'i');
+  const keyMatch = keyPattern.exec(content);
+  if (!keyMatch) return null;
+
+  const afterKey = content.slice(keyMatch.index + keyMatch[0].length);
+
+  // env(...) call — capture to the matching close paren
+  const envCallMatch = /^env\s*\(/.exec(afterKey);
+  if (envCallMatch) {
+    let depth = 0;
+    let i = afterKey.indexOf('(');
+    for (; i < afterKey.length; i++) {
+      if (afterKey[i] === '(') depth++;
+      else if (afterKey[i] === ')') {
+        depth--;
+        if (depth === 0) return afterKey.slice(0, i + 1).trim();
+      }
+    }
+    return afterKey.slice(0, 60).trim(); // fallback
+  }
+
+  // Quoted string: 'value' or "value"
+  const quotedMatch = /^(['"])(.*?)\1/.exec(afterKey);
+  if (quotedMatch) return quotedMatch[0].trim();
+
+  // Bare token: true, false, null, or integer — stop at comma or newline
+  const bareMatch = /^[^\s,\n\r]+/.exec(afterKey);
+  if (bareMatch) return bareMatch[0].trim();
+
+  return null;
+}
+
+/**
+ * Unwrap env(...) call to extract the default value (second argument).
+ * e.g., `env('SESSION_SECURE_COOKIE', false)` → 'false'
+ */
+function extractEnvDefault(envCall: string): string | null {
+  const match = /env\s*\([^,)]+,\s*(.+?)\s*\)$/.exec(envCall.trim());
+  if (!match) return null;
+  return match[1].replace(/['"]/g, '').trim();
+}
+
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+
+export class SessionSecurityAnalyzer implements Analyzer {
+  readonly name = ANALYZER_NAME;
+  readonly description = 'Analyzes session and cookie security configuration for vulnerabilities';
+
+  async analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    for (const file of files) {
+      if (!file.path.endsWith('.php')) continue;
+
+      if (isSessionConfig(file.path)) {
+        findings.push(...this.analyzeSessionConfig(file));
+      }
+
+      if (isBootstrapApp(file.path) || isMiddlewareFile(file.path)) {
+        findings.push(...this.analyzeCsrfExclusions(file));
+        findings.push(...this.analyzeCookieEncryption(file));
+      }
+    }
+
+    return findings;
+  }
+
+  private analyzeSessionConfig(file: ParsedFile): Finding[] {
+    const findings: Finding[] = [];
+    const content = file.content;
+
+    // Check 'secure' flag — should be true (or env-driven default true) in production
+    const secureValue = extractConfigValue(content, 'secure');
+    if (secureValue !== null) {
+      let isInsecure = false;
+
+      if (secureValue === 'false') {
+        isInsecure = true;
+      } else if (/^env\s*\(/.test(secureValue)) {
+        const defaultVal = extractEnvDefault(secureValue);
+        if (defaultVal === 'false') isInsecure = true;
+      }
+
+      if (isInsecure) {
+        const idx = content.search(/'secure'\s*=>/i);
+        findings.push({
+          id: FINDING_SECURE_COOKIE,
+          severity: Severity.High,
+          analyzer: ANALYZER_NAME,
+          title: 'Session cookie `secure` flag is disabled',
+          description:
+            `\`'secure' => false\` in \`${file.path}\`. ` +
+            `Session cookies without the Secure flag can be transmitted over unencrypted HTTP connections.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation:
+            "Set `'secure' => env('SESSION_SECURE_COOKIE', true)` to ensure cookies are only sent over HTTPS.",
+          cwe: 'CWE-614',
+          snippet: `'secure' => false`,
+        });
+      }
+    }
+
+    // Check 'http_only' — should be true
+    const httpOnlyValue = extractConfigValue(content, 'http_only');
+    if (httpOnlyValue !== null && httpOnlyValue === 'false') {
+      const idx = content.search(/'http_only'\s*=>/i);
+      findings.push({
+        id: FINDING_HTTP_ONLY,
+        severity: Severity.High,
+        analyzer: ANALYZER_NAME,
+        title: 'Session cookie `http_only` flag is disabled',
+        description:
+          `\`'http_only' => false\` in \`${file.path}\`. ` +
+          `Without the HttpOnly flag, session cookies can be accessed by client-side JavaScript, enabling XSS-based session theft.`,
+        file: file.path,
+        line: idx !== -1 ? findLineNumber(content, idx) : 1,
+        recommendation: "Set `'http_only' => true` to prevent JavaScript access to session cookies.",
+        cwe: 'CWE-1004',
+        snippet: `'http_only' => false`,
+      });
+    }
+
+    // Check 'same_site' — should be 'lax' or 'strict'
+    const sameSiteValue = extractConfigValue(content, 'same_site');
+    if (sameSiteValue !== null) {
+      const cleaned = sameSiteValue.replace(/['"]/g, '').toLowerCase().trim();
+      if (cleaned === 'none' || cleaned === 'null' || cleaned === '') {
+        const idx = content.search(/'same_site'\s*=>/i);
+        findings.push({
+          id: FINDING_SAME_SITE,
+          severity: Severity.Medium,
+          analyzer: ANALYZER_NAME,
+          title: `Session cookie \`same_site\` is set to \`${cleaned || 'null'}\``,
+          description:
+            `\`'same_site' => '${cleaned}'\` in \`${file.path}\`. ` +
+            `A permissive SameSite policy increases CSRF attack surface.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation: "Set `'same_site' => 'lax'` or `'strict'` to mitigate CSRF attacks.",
+          cwe: 'CWE-352',
+          snippet: `'same_site' => '${cleaned}'`,
+        });
+      }
+    }
+
+    // Check 'driver' — warn if 'file' (should be redis/database in production)
+    const driverValue = extractConfigValue(content, 'driver');
+    if (driverValue !== null) {
+      let driverStr = driverValue.replace(/['"]/g, '').trim();
+      // If env-driven, extract default
+      if (/^env\s*\(/.test(driverValue)) {
+        const def = extractEnvDefault(driverValue);
+        driverStr = def ?? driverStr;
+      }
+      if (driverStr === 'file') {
+        const idx = content.search(/'driver'\s*=>/i);
+        findings.push({
+          id: FINDING_FILE_DRIVER,
+          severity: Severity.Medium,
+          analyzer: ANALYZER_NAME,
+          title: 'Session driver is set to `file`',
+          description:
+            `\`'driver' => 'file'\` in \`${file.path}\`. ` +
+            `File-based session storage is not suitable for production — it doesn't scale across multiple servers.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation:
+            "Use `'driver' => env('SESSION_DRIVER', 'redis')` and configure Redis or database session storage in production.",
+          cwe: 'CWE-16',
+          snippet: `'driver' => 'file'`,
+        });
+      }
+    }
+
+    // Check session lifetime > 480 minutes
+    const lifetimeValue = extractConfigValue(content, 'lifetime');
+    if (lifetimeValue !== null) {
+      const numStr = lifetimeValue.replace(/[^0-9]/g, '');
+      const lifetimeNum = parseInt(numStr, 10);
+      if (!isNaN(lifetimeNum) && lifetimeNum > SESSION_LIFETIME_THRESHOLD) {
+        const idx = content.search(/'lifetime'\s*=>/i);
+        findings.push({
+          id: FINDING_SESSION_LIFETIME,
+          severity: Severity.Medium,
+          analyzer: ANALYZER_NAME,
+          title: `Session lifetime is excessively long (${lifetimeNum} minutes)`,
+          description:
+            `Session lifetime of ${lifetimeNum} minutes in \`${file.path}\` exceeds the recommended maximum of ${SESSION_LIFETIME_THRESHOLD} minutes (8 hours). ` +
+            `Long-lived sessions increase the window of opportunity for session hijacking.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation:
+            `Set the session lifetime to ${SESSION_LIFETIME_THRESHOLD} minutes or less and implement idle timeout.`,
+          cwe: 'CWE-613',
+          snippet: `'lifetime' => ${lifetimeNum}`,
+        });
+      }
+    }
+
+    return findings;
+  }
+
+  private analyzeCsrfExclusions(file: ParsedFile): Finding[] {
+    const findings: Finding[] = [];
+    const content = file.content;
+
+    // Gate to VerifyCsrfToken-specific files: check by filename or class/use declarations
+    const isCsrfMiddleware =
+      file.path.includes('VerifyCsrfToken') ||
+      /class\s+VerifyCsrfToken/.test(content) ||
+      (/VerifyCsrfToken/.test(content) && !content.includes('class EncryptCookies'));
+
+    if (isCsrfMiddleware) {
+      const hasExceptArray = /\$except\s*=\s*\[([^\]]+)\]/.exec(content);
+      if (hasExceptArray && hasExceptArray[1].trim() !== '') {
+        const idx = content.search(/\$except\s*=\s*\[/);
+        findings.push({
+          id: FINDING_CSRF_EXCLUSION,
+          severity: Severity.High,
+          analyzer: ANALYZER_NAME,
+          title: 'CSRF token verification is excluded for some routes',
+          description:
+            `\`$except\` array with routes is defined in \`${file.path}\`. ` +
+            `Excluding routes from CSRF verification leaves them vulnerable to cross-site request forgery attacks.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation:
+            'Remove CSRF exclusions unless absolutely necessary. For API routes, use token-based auth instead.',
+          cwe: 'CWE-352',
+          snippet: hasExceptArray[0].slice(0, 80),
+        });
+      }
+    }
+
+    // Check bootstrap/app.php for withoutMiddleware(VerifyCsrfToken)
+    const withoutCsrf = /withoutMiddleware\s*\(\s*(?:[^)]*VerifyCsrfToken[^)]*)\)/.exec(content);
+    if (withoutCsrf) {
+      findings.push({
+        id: FINDING_CSRF_EXCLUSION,
+        severity: Severity.High,
+        analyzer: ANALYZER_NAME,
+        title: 'CSRF middleware explicitly disabled for routes',
+        description:
+          `\`withoutMiddleware(VerifyCsrfToken::class)\` found in \`${file.path}\`. ` +
+          `Disabling CSRF verification exposes endpoints to cross-site request forgery.`,
+        file: file.path,
+        line: findLineNumber(content, withoutCsrf.index),
+        recommendation:
+          'Use proper API authentication (Sanctum, Passport) for routes that need to skip web CSRF middleware.',
+        cwe: 'CWE-352',
+        snippet: withoutCsrf[0].slice(0, 80),
+      });
+    }
+
+    return findings;
+  }
+
+  private analyzeCookieEncryption(file: ParsedFile): Finding[] {
+    const findings: Finding[] = [];
+    const content = file.content;
+
+    // Only check EncryptCookies middleware files
+    const isEncryptCookiesFile =
+      file.path.includes('EncryptCookies') ||
+      /class\s+EncryptCookies/.test(content);
+
+    if (isEncryptCookiesFile) {
+      const exceptMatch = /\$except\s*=\s*\[([^\]]+)\]/.exec(content);
+      if (exceptMatch && exceptMatch[1].trim() !== '') {
+        const idx = content.search(/\$except\s*=\s*\[/);
+        findings.push({
+          id: FINDING_COOKIE_ENCRYPTION,
+          severity: Severity.Medium,
+          analyzer: ANALYZER_NAME,
+          title: 'Sensitive cookies may be excluded from encryption',
+          description:
+            `The \`$except\` array in \`${file.path}\` excludes some cookies from encryption. ` +
+            `Unencrypted cookies can be read or tampered with by the client.`,
+          file: file.path,
+          line: idx !== -1 ? findLineNumber(content, idx) : 1,
+          recommendation:
+            'Only exclude cookies that are explicitly designed to be readable client-side. Remove sensitive cookie names from `$except`.',
+          cwe: 'CWE-311',
+          snippet: exceptMatch[0].slice(0, 80),
+        });
+      }
+    }
+
+    return findings;
+  }
+}