@havoc-security/scanner 0.1.0

package/tests/scanner.test.ts

@@ -0,0 +1,82 @@
+import { describe, it, expect } from 'vitest';
+import { scan, DEFAULT_CONFIG, Severity } from '../src/index.js';
+import type { ParsedFile } from '../src/types/index.js';
+
+describe('scan() orchestrator', () => {
+  it('returns a valid ScanResult shape for empty input', async () => {
+    const result = await scan([], DEFAULT_CONFIG);
+    expect(result).toHaveProperty('findings');
+    expect(result).toHaveProperty('coverage');
+    expect(result).toHaveProperty('metadata');
+    expect(Array.isArray(result.findings)).toBe(true);
+  });
+
+  it('metadata contains required fields', async () => {
+    const result = await scan([], DEFAULT_CONFIG);
+    expect(result.metadata.scannedAt).toBeTruthy();
+    expect(result.metadata.framework).toBe('laravel');
+    expect(result.metadata.filesScanned).toBe(0);
+    expect(typeof result.metadata.durationMs).toBe('number');
+    expect(result.metadata.scannerVersion).toBeTruthy();
+  });
+
+  it('counts files scanned correctly', async () => {
+    const files: ParsedFile[] = [
+      { path: 'a.php', content: '', ast: null },
+      { path: 'b.php', content: '', ast: null },
+    ];
+    const result = await scan(files, DEFAULT_CONFIG);
+    expect(result.metadata.filesScanned).toBe(2);
+  });
+
+  it('runs with custom analyzers', async () => {
+    const mockAnalyzer = {
+      name: 'MockAnalyzer',
+      description: 'Test',
+      analyze: async () => [{
+        id: 'MOCK-001', severity: Severity.Low, analyzer: 'MockAnalyzer',
+        title: 'Mock', description: 'Test', file: 'test.php', line: 1, recommendation: 'Fix it',
+      }],
+    };
+    const result = await scan([], DEFAULT_CONFIG, [mockAnalyzer]);
+    expect(result.findings).toHaveLength(1);
+    expect(result.findings[0].id).toBe('MOCK-001');
+  });
+
+  it('aggregates findings from multiple analyzers', async () => {
+    const a1 = {
+      name: 'A1', description: 'First',
+      analyze: async () => [{ id: 'A1-001', severity: Severity.High, analyzer: 'A1', title: 'A1', description: '', file: 'f.php', line: 1, recommendation: '' }],
+    };
+    const a2 = {
+      name: 'A2', description: 'Second',
+      analyze: async () => [{ id: 'A2-001', severity: Severity.Medium, analyzer: 'A2', title: 'A2', description: '', file: 'g.php', line: 5, recommendation: '' }],
+    };
+    const result = await scan([], DEFAULT_CONFIG, [a1, a2]);
+    expect(result.findings).toHaveLength(2);
+  });
+
+  it('coverage struct has all required fields', async () => {
+    const result = await scan([], DEFAULT_CONFIG);
+    expect(result.coverage).toHaveProperty('totalRoutes');
+    expect(result.coverage).toHaveProperty('coveredRoutes');
+    expect(result.coverage).toHaveProperty('coveragePercent');
+    expect(result.coverage).toHaveProperty('totalModels');
+    expect(result.coverage).toHaveProperty('protectedModels');
+  });
+
+  it('durationMs is a non-negative number', async () => {
+    const result = await scan([], DEFAULT_CONFIG);
+    expect(result.metadata.durationMs).toBeGreaterThanOrEqual(0);
+  });
+
+  it('scanner returns empty findings for empty analyzers list', async () => {
+    const result = await scan([], DEFAULT_CONFIG, []);
+    expect(result.findings).toHaveLength(0);
+  });
+
+  it('scanner version is a valid semver-like string', async () => {
+    const result = await scan([], DEFAULT_CONFIG);
+    expect(result.metadata.scannerVersion).toMatch(/^\d+\.\d+\.\d+$/);
+  });
+});

package/tests/session-security.test.ts

@@ -0,0 +1,161 @@
+import { describe, it, expect } from 'vitest';
+import { SessionSecurityAnalyzer } from '../src/analyzers/SessionSecurityAnalyzer.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import type { ParsedFile } from '../src/types/index.js';
+import { Severity } from '../src/types/index.js';
+
+function makeFile(path: string, content: string): ParsedFile {
+  return { path, content, ast: null };
+}
+
+const analyzer = new SessionSecurityAnalyzer();
+
+const SECURE_SESSION_CONFIG = `<?php
+return [
+    'driver' => env('SESSION_DRIVER', 'redis'),
+    'lifetime' => env('SESSION_LIFETIME', 120),
+    'secure' => env('SESSION_SECURE_COOKIE', true),
+    'http_only' => true,
+    'same_site' => 'lax',
+];`;
+
+describe('SessionSecurityAnalyzer', () => {
+  it('has correct name', () => {
+    expect(analyzer.name).toBe('SessionSecurityAnalyzer');
+  });
+
+  it('returns empty for empty file list', async () => {
+    expect(await analyzer.analyze([], DEFAULT_CONFIG)).toHaveLength(0);
+  });
+
+  // Secure flag
+  it("flags 'secure' => false as HIGH", async () => {
+    const file = makeFile('config/session.php', `<?php
+return [
+    'secure' => false,
+    'http_only' => true,
+    'same_site' => 'lax',
+    'driver' => 'redis',
+    'lifetime' => 120,
+];`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-001' && f.severity === Severity.High)).toBe(true);
+  });
+
+  it('does NOT flag secure => env(...) with no explicit false', async () => {
+    const file = makeFile('config/session.php', SECURE_SESSION_CONFIG);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-SESS-001')).toHaveLength(0);
+  });
+
+  // http_only flag
+  it("flags 'http_only' => false as HIGH", async () => {
+    const file = makeFile('config/session.php', `<?php
+return [
+    'http_only' => false,
+    'secure' => true,
+    'same_site' => 'lax',
+    'driver' => 'redis',
+    'lifetime' => 120,
+];`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-002' && f.severity === Severity.High)).toBe(true);
+  });
+
+  // same_site
+  it("flags same_site => 'none' as MEDIUM", async () => {
+    const file = makeFile('config/session.php', `<?php
+return [
+    'same_site' => 'none',
+    'secure' => true,
+    'http_only' => true,
+    'driver' => 'redis',
+    'lifetime' => 120,
+];`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-003' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  it("does NOT flag same_site => 'lax'", async () => {
+    const file = makeFile('config/session.php', SECURE_SESSION_CONFIG);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-SESS-003')).toHaveLength(0);
+  });
+
+  // File driver
+  it("flags driver => 'file' as MEDIUM", async () => {
+    const file = makeFile('config/session.php', `<?php
+return [
+    'driver' => 'file',
+    'secure' => true,
+    'http_only' => true,
+    'same_site' => 'lax',
+    'lifetime' => 120,
+];`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-004' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  // Session lifetime
+  it('flags lifetime > 480 minutes as MEDIUM', async () => {
+    const file = makeFile('config/session.php', `<?php
+return [
+    'lifetime' => 1440,
+    'driver' => 'redis',
+    'secure' => true,
+    'http_only' => true,
+    'same_site' => 'lax',
+];`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-006' && f.severity === Severity.Medium)).toBe(true);
+  });
+
+  it('does NOT flag lifetime <= 480 minutes', async () => {
+    const file = makeFile('config/session.php', SECURE_SESSION_CONFIG);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-SESS-006')).toHaveLength(0);
+  });
+
+  // CSRF exclusions
+  it('flags non-empty $except in VerifyCsrfToken as HIGH', async () => {
+    const file = makeFile('app/Http/Middleware/VerifyCsrfToken.php', `<?php
+class VerifyCsrfToken extends Middleware {
+    protected $except = [
+        'stripe/webhook',
+        'paypal/ipn',
+    ];
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-005' && f.severity === Severity.High)).toBe(true);
+  });
+
+  it('does NOT flag empty $except array', async () => {
+    const file = makeFile('app/Http/Middleware/VerifyCsrfToken.php', `<?php
+class VerifyCsrfToken extends Middleware {
+    protected $except = [];
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter(f => f.id === 'HAVOC-SESS-005')).toHaveLength(0);
+  });
+
+  // Cookie encryption
+  it('flags non-empty $except in EncryptCookies', async () => {
+    const file = makeFile('app/Http/Middleware/EncryptCookies.php', `<?php
+class EncryptCookies extends Middleware {
+    protected $except = [
+        'analytics_id',
+    ];
+}`);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-007')).toBe(true);
+    expect(findings.some(f => f.id === 'HAVOC-SESS-005')).toBe(false);
+  });
+
+  // Clean session config — no findings
+  it('produces no findings for a well-configured session config', async () => {
+    const file = makeFile('config/session.php', SECURE_SESSION_CONFIG);
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    // Should have no findings on a clean config
+    expect(findings).toHaveLength(0);
+  });
+});

package/tests/types.test.ts

@@ -0,0 +1,29 @@
+import { describe, it, expect } from 'vitest';
+import { Severity } from '../src/types/index.js';
+
+describe('Severity enum', () => {
+  it('has Critical value', () => {
+    expect(Severity.Critical).toBe('critical');
+  });
+
+  it('has High value', () => {
+    expect(Severity.High).toBe('high');
+  });
+
+  it('has Medium value', () => {
+    expect(Severity.Medium).toBe('medium');
+  });
+
+  it('has Low value', () => {
+    expect(Severity.Low).toBe('low');
+  });
+
+  it('has Info value', () => {
+    expect(Severity.Info).toBe('info');
+  });
+
+  it('has exactly 5 severity levels', () => {
+    const values = Object.values(Severity);
+    expect(values).toHaveLength(5);
+  });
+});

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["dist", "node_modules", "tests"]
+}