@havoc-security/scanner 0.1.0

package/tests/auth-coverage-route-aware.test.ts

@@ -0,0 +1,294 @@
+/**
+ * Route-aware AuthorizationCoverageAnalyzer tests
+ *
+ * These tests validate that route-level middleware correctly reduces false positives:
+ * - can:* middleware → fully authorized → not flagged at all
+ * - auth-only middleware → downgraded from HIGH to LOW
+ * - No middleware → still HIGH
+ * - Webhook handler → not flagged
+ */
+import { describe, it, expect } from 'vitest';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { AuthorizationCoverageAnalyzer } from '../src/analyzers/AuthorizationCoverageAnalyzer.js';
+import { RouteParser } from '../src/parsers/RouteParser.js';
+import { PhpParser } from '../src/parsers/PhpParser.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import { Severity } from '../src/types/index.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const FIXTURES = resolve(__dirname, 'fixtures');
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+async function parsedController(className: string, methods: string) {
+  const parser = new PhpParser();
+  const source = `<?php
+namespace App\\Http\\Controllers;
+class ${className} extends Controller {
+${methods}
+}`;
+  const { writeFile, mkdir } = await import('node:fs/promises');
+  const tmpDir = `/tmp/havoc-test-${className}/app/Http/Controllers`;
+  await mkdir(tmpDir, { recursive: true });
+  const tmpPath = `${tmpDir}/${className}.php`;
+  await writeFile(tmpPath, source, 'utf-8');
+  return parser.parseFile(tmpPath, `/tmp/havoc-test-${className}`);
+}
+
+// ─── can:* middleware → fully authorized ─────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — route-level can:* middleware', () => {
+  it('does NOT flag a controller action with can:* middleware', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/admin', [AdminController::class, 'index'])->middleware('can:view-admin');`,
+    );
+
+    const file = await parsedController('AdminController', `
+      public function index() {
+        return view('admin.index');
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+
+    const authFindings = findings.filter((f) => f.analyzer === 'AuthorizationCoverageAnalyzer' && f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+
+  it('does NOT flag any action when entire group has can:* middleware', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(`
+      Route::middleware(['can:manage-posts'])->group(function () {
+        Route::resource('posts', PostController::class);
+      });
+    `);
+
+    const file = await parsedController('PostController', `
+      public function index() { return Post::all(); }
+      public function store() { return Post::create([]); }
+      public function destroy() { }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+});
+
+// ─── auth-only middleware → downgrade to LOW ──────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — auth-only middleware', () => {
+  it('produces LOW severity (not HIGH) for auth-only middleware', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/profile', [ProfileController::class, 'show'])->middleware('auth');`,
+    );
+
+    const file = await parsedController('ProfileController', `
+      public function show() {
+        return auth()->user();
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+
+    expect(authFindings).toHaveLength(1);
+    expect(authFindings[0].severity).toBe(Severity.Low);
+  });
+
+  it('produces LOW severity for auth:sanctum middleware', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/api/profile', [ApiProfileController::class, 'show'])->middleware('auth:sanctum');`,
+    );
+
+    const file = await parsedController('ApiProfileController', `
+      public function show() { return response()->json([]); }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+
+    expect(authFindings).toHaveLength(1);
+    expect(authFindings[0].severity).toBe(Severity.Low);
+  });
+
+  it('produces LOW for verified middleware', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/dashboard', [DashboardController::class, 'index'])->middleware(['auth', 'verified']);`,
+    );
+
+    const file = await parsedController('DashboardController', `
+      public function index() { return view('dashboard'); }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+
+    expect(authFindings).toHaveLength(1);
+    expect(authFindings[0].severity).toBe(Severity.Low);
+  });
+});
+
+// ─── No middleware → HIGH ─────────────────────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — no route middleware', () => {
+  it('still produces HIGH when no route middleware is provided', async () => {
+    const analyzer = new AuthorizationCoverageAnalyzer([]); // no routes
+
+    const file = await parsedController('ExposedController', `
+      public function show() {
+        return Post::all();
+      }
+    `);
+
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(1);
+    expect(authFindings[0].severity).toBe(Severity.High);
+  });
+
+  it('still produces HIGH for controller not present in route file', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/other', [OtherController::class, 'index'])->middleware('can:do-stuff');`,
+    );
+
+    const file = await parsedController('UnknownController', `
+      public function show() { return Post::find(1); }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([routes]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(1);
+    expect(authFindings[0].severity).toBe(Severity.High);
+  });
+});
+
+// ─── Inline authorization still works ────────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — inline authorization', () => {
+  it('does not flag a method with $this->authorize even without route middleware', async () => {
+    const file = await parsedController('SecureController', `
+      public function show() {
+        $this->authorize('view', Post::class);
+        return Post::find(1);
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+
+  it('does not flag a method with Gate::allows', async () => {
+    const file = await parsedController('GateController', `
+      public function index() {
+        Gate::allows('view-admin');
+        return view('admin');
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+});
+
+// ─── Webhook handler detection ────────────────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — webhook handlers', () => {
+  it('does not flag a webhook controller that verifies signature via X-Signature header', async () => {
+    const file = await parsedController('StripeWebhookController', `
+      public function handle(Request $request) {
+        $sig = $request->header('X-Stripe-Signature');
+        $event = Webhook::constructEvent($payload, $sig, config('services.stripe.secret'));
+        return response()->json(['status' => 'ok']);
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+
+  it('does not flag a webhook controller that uses hash_hmac verification', async () => {
+    const file = await parsedController('GitHubWebhookController', `
+      public function receive(Request $request) {
+        $computed = hash_hmac('sha256', $request->getContent(), config('services.github.secret'));
+        if (!hash_equals($computed, $request->header('X-Hub-Signature-256'))) {
+          abort(403);
+        }
+        return response()->json(['ok' => true]);
+      }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([]);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+});
+
+// ─── Integration: fixture files ───────────────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer — integration with fixture files', () => {
+  it('fixture route file reduces PostController false positives', async () => {
+    const routeParser = new RouteParser();
+    const phpParser = new PhpParser();
+
+    const routes = await routeParser.parseFile(resolve(FIXTURES, 'routes/web.php'), FIXTURES);
+
+    const postFile = await phpParser.parseFile(
+      resolve(FIXTURES, 'app/Http/Controllers/PostController.php'),
+      FIXTURES,
+    );
+
+    // Without routes: store() and update() are HIGH
+    const analyzerNoRoutes = new AuthorizationCoverageAnalyzer([]);
+    const findingsNoRoutes = await analyzerNoRoutes.analyze([postFile], DEFAULT_CONFIG);
+    const highNoRoutes = findingsNoRoutes.filter((f) => f.severity === Severity.High && f.id === 'HAVOC-AUTH-001');
+    expect(highNoRoutes.length).toBeGreaterThan(0);
+
+    // With routes: store() and update() are behind auth group -> downgraded to LOW
+    const analyzerWithRoutes = new AuthorizationCoverageAnalyzer([routes]);
+    const findingsWithRoutes = await analyzerWithRoutes.analyze([postFile], DEFAULT_CONFIG);
+    const highWithRoutes = findingsWithRoutes.filter((f) => f.severity === Severity.High && f.id === 'HAVOC-AUTH-001');
+    expect(highWithRoutes.length).toBeLessThan(highNoRoutes.length);
+  });
+
+  it('setRouteFiles updates route data after construction', async () => {
+    const routeParser = new RouteParser();
+    const routes = routeParser.parseContent(
+      `Route::get('/items', [ItemController::class, 'index'])->middleware('can:view-items');`,
+    );
+
+    const file = await parsedController('ItemController', `
+      public function index() { return Item::all(); }
+    `);
+
+    const analyzer = new AuthorizationCoverageAnalyzer([]);
+
+    // Before setting routes: HIGH
+    const before = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(before.filter((f) => f.id === 'HAVOC-AUTH-001')[0]?.severity).toBe(Severity.High);
+
+    // After setting routes: should be cleared
+    analyzer.setRouteFiles([routes]);
+    const after = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(after.filter((f) => f.id === 'HAVOC-AUTH-001')).toHaveLength(0);
+  });
+});

package/tests/credential-exposure.test.ts

@@ -0,0 +1,142 @@
+import { describe, it, expect } from 'vitest';
+import { CredentialExposureAnalyzer } from '../src/analyzers/CredentialExposureAnalyzer.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import type { ParsedFile } from '../src/types/index.js';
+import { Severity } from '../src/types/index.js';
+
+function makeFile(path: string, content: string): ParsedFile {
+  return { path, content, ast: null };
+}
+
+const analyzer = new CredentialExposureAnalyzer();
+
+// ─── CredentialExposureAnalyzer ───────────────────────────────────────────────
+
+describe('CredentialExposureAnalyzer', () => {
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('CredentialExposureAnalyzer');
+  });
+
+  it('returns empty array for empty file list', async () => {
+    const result = await analyzer.analyze([], DEFAULT_CONFIG);
+    expect(result).toHaveLength(0);
+  });
+
+  // .env file committed
+  it('flags .env file committed to repo as CRITICAL', async () => {
+    const file = makeFile('.env', 'APP_KEY=base64:abc123\nDB_PASSWORD=secret');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-001')).toBe(true);
+    expect(findings.find(f => f.id === 'HAVOC-CRED-001')?.severity).toBe(Severity.Critical);
+  });
+
+  it('flags .env.production as committed', async () => {
+    const file = makeFile('.env.production', 'APP_KEY=base64:abc123');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-001')).toBe(true);
+  });
+
+  it('does NOT flag .env.example as a secret exposure', async () => {
+    const file = makeFile('.env.example', 'APP_KEY=\nDB_PASSWORD=');
+    // .env.example is not treated as an env file by isEnvFile(), so CRED-001 is not triggered
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    // .env.example should not trigger CRED-002 (hardcoded secrets) since values are empty
+    expect(findings.filter(f => f.id === 'HAVOC-CRED-002')).toHaveLength(0);
+  });
+
+  // Hardcoded Stripe key
+  it('detects hardcoded Stripe live secret key as CRITICAL', async () => {
+    const file = makeFile('app/Services/PaymentService.php', `<?php
+$key = 'sk_live_abcdefghijklmnopqrstuvwx123456';
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-002' && f.severity === Severity.Critical)).toBe(true);
+  });
+
+  // AWS key
+  it('detects hardcoded AWS Access Key ID', async () => {
+    const file = makeFile('app/Services/S3Service.php', `<?php
+$key = 'AKIAIOSFODNN7REALKEY';
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-002')).toBe(true);
+  });
+
+  // Clean code with env()
+  it('does NOT flag secrets read from env()', async () => {
+    const file = makeFile('config/services.php', `<?php
+return [
+    'stripe' => ['key' => env('STRIPE_SECRET')],
+];
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-CRED-002')).toHaveLength(0);
+  });
+
+  // APP_DEBUG=true
+  it('flags APP_DEBUG=true in .env as HIGH', async () => {
+    const file = makeFile('.env', 'APP_DEBUG=true\nAPP_ENV=production');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-003' && f.severity === Severity.High)).toBe(true);
+  });
+
+  it('does NOT flag APP_DEBUG=false', async () => {
+    const file = makeFile('.env', 'APP_DEBUG=false\nAPP_ENV=production');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-CRED-003')).toHaveLength(0);
+  });
+
+  // APP_ENV=local in production config
+  it('flags APP_ENV=local in .env.production as MEDIUM', async () => {
+    const file = makeFile('.env.production', 'APP_ENV=local\nAPP_DEBUG=false');
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-004' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  // debug => true in config/app.php
+  it("flags 'debug' => true hardcoded in config/app.php as HIGH", async () => {
+    const file = makeFile('config/app.php', `<?php
+return [
+    'debug' => true,
+    'env' => env('APP_ENV', 'production'),
+];
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-005' && f.severity === Severity.High)).toBe(true);
+  });
+
+  it("does NOT flag 'debug' => env('APP_DEBUG', false)", async () => {
+    const file = makeFile('config/app.php', `<?php
+return [
+    'debug' => env('APP_DEBUG', false),
+];
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-CRED-005')).toHaveLength(0);
+  });
+
+  // Private key inline
+  it('detects PEM private key in PHP source as CRITICAL', async () => {
+    const file = makeFile('app/Services/JwtService.php', `<?php
+$key = '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----';
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-007' && f.severity === Severity.Critical)).toBe(true);
+  });
+
+  // DB credentials
+  it('detects PDO instantiation with hardcoded password as CRITICAL', async () => {
+    const file = makeFile('app/Legacy/Database.php', `<?php
+$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', 'supersecretpassword');
+`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-CRED-006' && f.severity === Severity.Critical)).toBe(true);
+  });
+
+  // Non-PHP files not scanned for secrets
+  it('does not scan blade templates for PHP secrets', async () => {
+    const file = makeFile('resources/views/home.blade.php', `password = 'hardcoded_secret'`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-CRED-002')).toHaveLength(0);
+  });
+});

package/tests/file-upload.test.ts

@@ -0,0 +1,141 @@
+import { describe, it, expect } from 'vitest';
+import { FileUploadAnalyzer } from '../src/analyzers/FileUploadAnalyzer.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import type { ParsedFile } from '../src/types/index.js';
+import { Severity } from '../src/types/index.js';
+
+function makeFile(path: string, content: string): ParsedFile {
+  return { path, content, ast: null };
+}
+
+const analyzer = new FileUploadAnalyzer();
+
+describe('FileUploadAnalyzer', () => {
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('FileUploadAnalyzer');
+  });
+
+  it('returns empty for empty file list', async () => {
+    expect(await analyzer.analyze([], DEFAULT_CONFIG)).toHaveLength(0);
+  });
+
+  // Missing type validation
+  it('flags upload without mimes validation as HIGH', async () => {
+    const file = makeFile('app/Http/Controllers/UploadController.php', `<?php
+class UploadController extends Controller {
+    public function store(Request $request) {
+        $request->validate(['file' => 'required|file|max:2048']);
+        $path = $request->file('file')->store('uploads');
+        return response()->json(['path' => $path]);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-001' && f.severity === Severity.High)).toBe(true);
+  });
+
+  // Missing size validation
+  it('flags upload without max: size rule as MEDIUM', async () => {
+    const file = makeFile('app/Http/Controllers/UploadController.php', `<?php
+class UploadController extends Controller {
+    public function store(Request $request) {
+        $request->validate(['file' => 'required|file|mimes:jpg,png']);
+        $path = $request->file('file')->store('uploads');
+        return response()->json(['path' => $path]);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-002' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  // Clean upload controller — full validation
+  it('does NOT flag an upload with proper mimes and max validation', async () => {
+    const file = makeFile('app/Http/Controllers/UploadController.php', `<?php
+class UploadController extends Controller {
+    public function store(Request $request) {
+        $request->validate(['file' => 'required|file|mimes:jpg,png,pdf|max:10240']);
+        $path = $request->file('file')->store('uploads');
+        return response()->json(['path' => $path]);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-UPLOAD-001')).toHaveLength(0);
+    expect(findings.filter(f => f.id === 'HAVOC-UPLOAD-002')).toHaveLength(0);
+  });
+
+  // Public disk storage
+  it('flags storage to public disk as MEDIUM', async () => {
+    const file = makeFile('app/Http/Controllers/AvatarController.php', `<?php
+class AvatarController extends Controller {
+    public function update(Request $request) {
+        $request->validate(['avatar' => 'required|file|mimes:jpg,png|max:2048']);
+        $path = $request->file('avatar')->store('avatars', 'public');
+        return response()->json(['path' => $path]);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-003' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  // Executable extension in mimes
+  it('flags php in allowed mimes as HIGH', async () => {
+    const file = makeFile('app/Http/Controllers/FileController.php', `<?php
+class FileController extends Controller {
+    public function store(Request $request) {
+        $request->validate(['file' => 'required|file|mimes:php,txt|max:1024']);
+        $path = $request->file('file')->store('uploads');
+        return response()->json(['path' => $path]);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-004' && f.severity === Severity.High)).toBe(true);
+  });
+
+  // Path from user input
+  it('flags $request->input("path") used in Storage call as HIGH', async () => {
+    const file = makeFile('app/Http/Controllers/DocumentController.php', `<?php
+class DocumentController extends Controller {
+    public function store(Request $request) {
+        $path = $request->input('path');
+        Storage::put($path, $request->file('doc')->get());
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-005' && f.severity === Severity.High)).toBe(true);
+  });
+
+  // Path from input not near storage — no false positive
+  it('does NOT flag $request->input("path") used in non-storage context', async () => {
+    const file = makeFile('app/Http/Controllers/PageController.php', `<?php
+class PageController extends Controller {
+    public function show(Request $request) {
+        $path = $request->input('path');
+        return view($path);
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-UPLOAD-005')).toHaveLength(0);
+  });
+
+  // Non-PHP files skipped
+  it('does not analyze blade templates for upload issues', async () => {
+    const file = makeFile('resources/views/upload.blade.php', `<form method="POST" enctype="multipart/form-data"></form>`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  // $request->hasFile variant
+  it('detects upload patterns using $request->hasFile()', async () => {
+    const file = makeFile('app/Http/Controllers/ProfileController.php', `<?php
+class ProfileController extends Controller {
+    public function update(Request $request) {
+        if ($request->hasFile('avatar')) {
+            $path = $request->file('avatar')->storeAs('avatars', 'file.jpg');
+        }
+    }
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    // Should flag missing type and size validation
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-001')).toBe(true);
+    expect(findings.some(f => f.id === 'HAVOC-UPLOAD-002')).toBe(true);
+  });
+});

package/tests/fixtures/app/Http/Controllers/AdminController.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Controllers;
+
+class AdminController extends Controller
+{
+    public function dashboard()
+    {
+        Gate::authorize('admin');
+        return view('admin.dashboard');
+    }
+
+    public function settings()
+    {
+        // Fully covered with Gate
+        Gate::allows('manage-settings');
+        return view('admin.settings');
+    }
+}

package/tests/fixtures/app/Http/Controllers/PostController.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\Post;
+use Illuminate\Http\Request;
+
+class PostController extends Controller
+{
+    public function __construct()
+    {
+        // constructors are excluded
+    }
+
+    public function index()
+    {
+        $this->authorize('viewAny', Post::class);
+        return Post::all();
+    }
+
+    public function show(Post $post)
+    {
+        Gate::allows('view', $post);
+        return $post;
+    }
+
+    public function store(Request $request)
+    {
+        // Missing authorization — should be flagged
+        return Post::create($request->all());
+    }
+
+    public function update(Request $request, Post $post)
+    {
+        // Missing authorization — should be flagged
+        $post->update($request->all());
+    }
+
+    public function destroy(Post $post)
+    {
+        $this->authorize('delete', $post);
+        $post->delete();
+    }
+
+    protected function someProtectedMethod()
+    {
+        // protected — not flagged
+    }
+}

package/tests/fixtures/app/Http/Controllers/PublicController.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Http\Controllers;
+
+class PublicController extends Controller
+{
+    public function home()
+    {
+        // Public page — no auth needed, but analyzer will flag it
+        return view('home');
+    }
+
+    public function about()
+    {
+        return view('about');
+    }
+}

package/tests/fixtures/app/Models/Comment.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+// No $fillable or $guarded — should be flagged MEDIUM
+class Comment extends Model
+{
+    public $timestamps = true;
+}