@havoc-security/scanner 0.1.0

package/tests/fixtures/app/Models/OpenModel.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+// $guarded = [] — effectively unguarded — should be flagged HIGH
+class OpenModel extends Model
+{
+    protected $guarded = [];
+}

package/tests/fixtures/app/Models/Post.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class Post extends Model
+{
+    protected $fillable = [
+        'title',
+        'body',
+        'slug',
+    ];
+}

package/tests/fixtures/app/Models/SafeModel.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class SafeModel extends Model
+{
+    protected $fillable = ['name', 'description'];
+}

package/tests/fixtures/app/Models/User.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class User extends Model
+{
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'role',
+    ];
+}

package/tests/fixtures/blade/mail.blade.php

@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <!-- Mail template — trusted context -->
+    <div>{!! $mailContent !!}</div>
+    <div>{!! $htmlBody !!}</div>
+</body>
+</html>

package/tests/fixtures/blade/safe.blade.php

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head><title>{{ $title }}</title></head>
+<body>
+    <p>{{ $user->name }}</p>
+    <p>{{ $content }}</p>
+    <!-- Safe: using e() -->
+    <div>{!! e($userContent) !!}</div>
+    <!-- Safe: config value -->
+    <div>{!! config('app.footer_html') !!}</div>
+</body>
+</html>

package/tests/fixtures/blade/vulnerable.blade.php

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <!-- Dangerous: user-controlled content without escaping -->
+    <div>{!! $comment->body !!}</div>
+    <div>{!! $message !!}</div>
+    <!-- Unknown context -->
+    <div>{!! $someVariable !!}</div>
+    <!-- Safe usage -->
+    <div>{{ $safeVariable }}</div>
+</body>
+</html>

package/tests/fixtures/controllers/AdminController.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Controllers;
+
+class AdminController extends Controller
+{
+    public function dashboard()
+    {
+        Gate::authorize('admin');
+        return view('admin.dashboard');
+    }
+
+    public function settings()
+    {
+        // Fully covered with Gate
+        Gate::allows('manage-settings');
+        return view('admin.settings');
+    }
+}

package/tests/fixtures/controllers/PostController.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\Post;
+use Illuminate\Http\Request;
+
+class PostController extends Controller
+{
+    public function __construct()
+    {
+        // constructors are excluded
+    }
+
+    public function index()
+    {
+        $this->authorize('viewAny', Post::class);
+        return Post::all();
+    }
+
+    public function show(Post $post)
+    {
+        Gate::allows('view', $post);
+        return $post;
+    }
+
+    public function store(Request $request)
+    {
+        // Missing authorization — should be flagged
+        return Post::create($request->all());
+    }
+
+    public function update(Request $request, Post $post)
+    {
+        // Missing authorization — should be flagged
+        $post->update($request->all());
+    }
+
+    public function destroy(Post $post)
+    {
+        $this->authorize('delete', $post);
+        $post->delete();
+    }
+
+    protected function someProtectedMethod()
+    {
+        // protected — not flagged
+    }
+}

package/tests/fixtures/controllers/PublicController.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Http\Controllers;
+
+class PublicController extends Controller
+{
+    public function home()
+    {
+        // Public page — no auth needed, but analyzer will flag it
+        return view('home');
+    }
+
+    public function about()
+    {
+        return view('about');
+    }
+}

package/tests/fixtures/deserialization/safe.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Http\Controllers;
+
+class SafeDeserializationController extends Controller
+{
+    // SAFE: unserialize with allowed_classes => false
+    public function loadSafe($data)
+    {
+        return unserialize($data, ['allowed_classes' => false]);
+    }
+
+    // SAFE: json_decode instead of unserialize
+    public function loadJson($data)
+    {
+        return json_decode($data, true);
+    }
+
+    // SAFE: assert with boolean expression
+    public function checkBool($value)
+    {
+        assert($value > 0);
+    }
+
+    // SAFE: preg_replace_callback
+    public function transform($content)
+    {
+        return preg_replace_callback('/\{(\w+)\}/', function($matches) {
+            return strtoupper($matches[1]);
+        }, $content);
+    }
+}

package/tests/fixtures/deserialization/unsafe.php

@@ -0,0 +1,60 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+
+class DeserializationController extends Controller
+{
+    // CRITICAL: unserialize with user input
+    public function loadSession(Request $request)
+    {
+        $data = unserialize($request->input('session_data'));
+        return response()->json($data);
+    }
+
+    // CRITICAL: unserialize with $_GET
+    public function legacyLoad()
+    {
+        $obj = unserialize($_GET['data']);
+        return $obj;
+    }
+
+    // MEDIUM: unserialize without allowed_classes
+    public function loadFromCache($cacheValue)
+    {
+        $data = unserialize($cacheValue);
+        return $data;
+    }
+
+    // HIGH: eval usage
+    public function executeTemplate($template)
+    {
+        eval($template);
+    }
+
+    // HIGH: create_function
+    public function legacyCallback()
+    {
+        $fn = create_function('$x', 'return $x * 2;');
+        return $fn(5);
+    }
+
+    // HIGH: preg_replace with /e
+    public function transformContent($content)
+    {
+        return preg_replace('/\{(\w+)\}/e', 'strtoupper("$1")', $content);
+    }
+
+    // HIGH: assert with string
+    public function checkValue()
+    {
+        assert('strlen($str) > 0');
+    }
+
+    // HIGH: extract with user input
+    public function processRequest(Request $request)
+    {
+        extract($request->all());
+    }
+}

package/tests/fixtures/models/Comment.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+// No $fillable or $guarded — should be flagged MEDIUM
+class Comment extends Model
+{
+    public $timestamps = true;
+}

package/tests/fixtures/models/OpenModel.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+// $guarded = [] — effectively unguarded — should be flagged HIGH
+class OpenModel extends Model
+{
+    protected $guarded = [];
+}

package/tests/fixtures/models/Post.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class Post extends Model
+{
+    protected $fillable = [
+        'title',
+        'body',
+        'slug',
+    ];
+}

package/tests/fixtures/models/SafeModel.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class SafeModel extends Model
+{
+    protected $fillable = ['name', 'description'];
+}

package/tests/fixtures/models/User.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class User extends Model
+{
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'role',
+    ];
+}

package/tests/fixtures/redirect/safe.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+
+class SafeRedirectController extends Controller
+{
+    // SAFE: redirect()->intended()
+    public function loginSafe(Request $request)
+    {
+        return redirect()->intended('/dashboard');
+    }
+
+    // SAFE: back()
+    public function goBack()
+    {
+        return back();
+    }
+
+    // SAFE: Redirect::back()
+    public function redirectBack()
+    {
+        return \Redirect::back();
+    }
+
+    // SAFE: redirect to explicit path
+    public function goHome()
+    {
+        return redirect('/home');
+    }
+
+    // SAFE: redirect to named route
+    public function goRoute()
+    {
+        return redirect(route('dashboard'));
+    }
+}

package/tests/fixtures/redirect/unsafe.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+
+class RedirectController extends Controller
+{
+    // HIGH: direct user input redirect
+    public function loginRedirect(Request $request)
+    {
+        return redirect($request->input('url'));
+    }
+
+    // HIGH: Redirect::to with user input
+    public function oauthCallback(Request $request)
+    {
+        return \Redirect::to($request->get('redirect'));
+    }
+
+    // HIGH: $_GET in redirect
+    public function legacyRedirect()
+    {
+        return redirect($_GET['next']);
+    }
+
+    // MEDIUM: redirect via named variable
+    public function afterLogin(Request $request)
+    {
+        $url = $request->input('redirect');
+        return redirect($url);
+    }
+
+    // MEDIUM: Redirect::to with variable
+    public function goTo($redirect)
+    {
+        return \Redirect::to($redirect);
+    }
+}

package/tests/fixtures/routes/api.php

@@ -0,0 +1,9 @@
+<?php
+
+use App\Http\Controllers\PostController;
+
+Route::middleware('auth:sanctum')->group(function () {
+    Route::apiResource('posts', PostController::class);
+    // Nested
+    Route::get('/users/{user}/comments/{comment}', [PostController::class, 'userComment']);
+});

package/tests/fixtures/routes/web.php

@@ -0,0 +1,18 @@
+<?php
+
+use App\Http\Controllers\PostController;
+use App\Http\Controllers\AdminController;
+
+Route::middleware(['auth'])->group(function () {
+    Route::resource('posts', PostController::class);
+    Route::get('/admin/dashboard', [AdminController::class, 'dashboard']);
+});
+
+// Nested resource — potential IDOR
+Route::get('/users/{userId}/posts/{postId}', [PostController::class, 'showUserPost']);
+Route::resource('users.posts', PostController::class);
+
+// Public routes
+Route::get('/', function () {
+    return view('welcome');
+});

package/tests/fixtures/security-headers/app/Http/Middleware/SecurityHeaders.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class SecurityHeaders
+{
+    public function handle(Request $request, Closure $next)
+    {
+        $response = $next($request);
+
+        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        $response->headers->set('X-XSS-Protection', '1; mode=block');
+        $response->headers->set('Content-Security-Policy', "default-src 'self'");
+        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
+        $response->headers->set('Permissions-Policy', 'camera=(), microphone=()');
+
+        return $response;
+    }
+}

package/tests/fixtures/security-headers/app/Providers/AppServiceProvider.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Providers;
+
+use Illuminate\Support\ServiceProvider;
+use Illuminate\Support\Facades\URL;
+
+class AppServiceProvider extends ServiceProvider
+{
+    public function boot(): void
+    {
+        if (app()->environment('production')) {
+            URL::forceScheme('https');
+        }
+    }
+}

package/tests/fixtures/sql/safe_queries.php

@@ -0,0 +1,7 @@
+<?php
+
+// Safe: using parameter bindings
+$results = DB::select('SELECT * FROM users WHERE id = ?', [$id]);
+$users = User::whereRaw('age > ?', [$minAge])->get();
+$posts = Post::orderByRaw('created_at DESC')->get();
+$stats = DB::select('SELECT count(*) FROM orders WHERE status = :status', ['status' => $status]);

package/tests/fixtures/sql/vulnerable_queries.php

@@ -0,0 +1,7 @@
+<?php
+
+// Dangerous: string interpolation
+$results = DB::select("SELECT * FROM users WHERE name = '$name'");
+$users = User::whereRaw("age > $minAge")->get();
+$posts = Post::whereRaw('status = ' . $status)->get();
+$raw = DB::statement("DELETE FROM logs WHERE user = " . $userId);