@havoc-security/scanner 0.1.0

package/dist/analyzers/EncryptionAnalyzer.js

@@ -0,0 +1,170 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const FINDING_UNENCRYPTED_SENSITIVE = 'HAVOC-ENC-001';
+const FINDING_MISSING_CAST = 'HAVOC-ENC-002';
+const FINDING_APP_KEY_ROTATION = 'HAVOC-ENC-003';
+const ANALYZER_NAME = 'EncryptionAnalyzer';
+/**
+ * Field names considered sensitive PII / secrets that should be encrypted at rest.
+ */
+const SENSITIVE_FIELDS = new Set([
+    'ssn',
+    'social_security_number',
+    'tax_id',
+    'ein',
+    'credit_card',
+    'credit_card_number',
+    'card_number',
+    'bank_account',
+    'bank_account_number',
+    'routing_number',
+    'api_key',
+    'api_secret',
+    'secret',
+    'secret_key',
+    'private_key',
+    'access_token',
+    'refresh_token',
+    'oauth_token',
+    'personal_access_token',
+    'webhook_secret',
+    'encryption_key',
+    'date_of_birth',
+    'dob',
+    'passport_number',
+    'drivers_license',
+    'medical_record',
+]);
+/** Encrypted cast values that satisfy the requirement. */
+const ENCRYPTED_CASTS = new Set(['encrypted', 'encrypted:array', 'encrypted:object', 'encrypted:collection', 'encrypted:json']);
+function isModelFile(path) {
+    return path.includes('app/Models') || path.includes('app\\Models');
+}
+function extractFillableFields(initText) {
+    const matches = initText.match(/['"]([^'"]+)['"]/g) ?? [];
+    return matches.map((m) => m.replace(/['"]/g, ''));
+}
+function extractCastValues(castsText) {
+    const map = new Map();
+    // Match 'field' => 'cast_type' pairs
+    const pairRegex = /['"]([^'"]+)['"]\s*=>\s*['"]([^'"]+)['"]/g;
+    let m;
+    while ((m = pairRegex.exec(castsText)) !== null) {
+        map.set(m[1], m[2]);
+    }
+    return map;
+}
+export class EncryptionAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects sensitive model attributes missing encryption casts and other encryption issues';
+    async analyze(files, _config) {
+        const findings = [];
+        let hasAppFiles = false;
+        for (const file of files) {
+            // Check for APP_KEY usage hints (only once)
+            if (!hasAppFiles && (file.path === '.env' || file.path === 'config/app.php')) {
+                hasAppFiles = true;
+            }
+            if (!isModelFile(file.path))
+                continue;
+            const phpFile = file;
+            if (!phpFile.classes)
+                continue;
+            for (const cls of phpFile.classes) {
+                if (cls.isAbstract || cls.isTrait)
+                    continue;
+                const fillableProp = cls.properties.find((p) => p.name === 'fillable');
+                const castsProp = cls.properties.find((p) => p.name === 'casts');
+                const fillableFields = fillableProp ? extractFillableFields(fillableProp.initializer ?? '') : [];
+                const castsMap = castsProp ? extractCastValues(castsProp.initializer ?? '') : new Map();
+                for (const field of fillableFields) {
+                    if (!SENSITIVE_FIELDS.has(field))
+                        continue;
+                    const castValue = castsMap.get(field);
+                    const isEncrypted = castValue !== undefined && ENCRYPTED_CASTS.has(castValue);
+                    if (!isEncrypted) {
+                        if (castsProp && castsMap.has(field)) {
+                            // Has a cast but not encrypted
+                            findings.push({
+                                id: FINDING_MISSING_CAST,
+                                severity: Severity.Medium,
+                                analyzer: ANALYZER_NAME,
+                                title: `Sensitive field \`${field}\` in \`${cls.name}\` is not cast as encrypted`,
+                                description: `The field \`${field}\` in model \`${cls.name}\` is cast as \`${castValue}\` ` +
+                                    `but not encrypted. Sensitive PII/secret fields should use an encrypted cast ` +
+                                    `to protect data at rest.`,
+                                file: file.path,
+                                line: castsProp?.line ?? fillableProp?.line ?? cls.line,
+                                recommendation: `Change the cast to \`'${field}' => 'encrypted'\` (or \`encrypted:array\` / ` +
+                                    `\`encrypted:object\` for structured data). Requires \`APP_KEY\` to be set.`,
+                                cwe: 'CWE-312',
+                                snippet: `protected $casts = ['${field}' => '${castValue}'];`,
+                            });
+                        }
+                        else {
+                            // No encrypted cast at all — HIGH severity
+                            findings.push({
+                                id: FINDING_UNENCRYPTED_SENSITIVE,
+                                severity: Severity.High,
+                                analyzer: ANALYZER_NAME,
+                                title: `Sensitive field \`${field}\` in \`${cls.name}\` is stored unencrypted`,
+                                description: `The field \`${field}\` is listed in \`$fillable\` on \`${cls.name}\` but has ` +
+                                    `no encrypted cast in \`$casts\`. This means sensitive data is stored in plain ` +
+                                    `text in the database, exposing it if the database is compromised.`,
+                                file: file.path,
+                                line: fillableProp?.line ?? cls.line,
+                                recommendation: `Add \`'${field}' => 'encrypted'\` to the model's \`$casts\` array. ` +
+                                    `Laravel will automatically encrypt/decrypt using \`APP_KEY\`.`,
+                                cwe: 'CWE-312',
+                                snippet: `protected $casts = ['${field}' => 'encrypted'];`,
+                            });
+                        }
+                    }
+                }
+                // Check for Crypt:: usage in the file content (hardcoded key risk)
+                const cryptUsageRegex = /Crypt::(encrypt|decrypt)\s*\(/g;
+                if (cryptUsageRegex.test(file.content)) {
+                    // Look for string literals passed directly that might be hardcoded keys
+                    const hardcodedKeyRegex = /Crypt::(encrypt|decrypt)\s*\(\s*\$[a-zA-Z_]+\s*,\s*['"][^'"]{8,}['"]/;
+                    if (hardcodedKeyRegex.test(file.content)) {
+                        findings.push({
+                            id: FINDING_UNENCRYPTED_SENSITIVE,
+                            severity: Severity.High,
+                            analyzer: ANALYZER_NAME,
+                            title: `Possible hardcoded key in \`Crypt::\` call in \`${cls.name}\``,
+                            description: `A \`Crypt::encrypt()\` or \`Crypt::decrypt()\` call in \`${cls.name}\` appears ` +
+                                `to pass a hardcoded string as a key parameter. Laravel's \`Crypt\` facade uses ` +
+                                `\`APP_KEY\` automatically — passing extra string arguments is unusual and may ` +
+                                `indicate a misuse or hardcoded secret.`,
+                            file: file.path,
+                            line: cls.line,
+                            recommendation: `Use \`Crypt::encrypt($data)\` without a second argument. Never hardcode ` +
+                                `encryption keys — use \`APP_KEY\` via the config system.`,
+                            cwe: 'CWE-321',
+                        });
+                    }
+                }
+            }
+        }
+        // APP_KEY rotation info finding (once per scan if app files present)
+        if (hasAppFiles) {
+            findings.push({
+                id: FINDING_APP_KEY_ROTATION,
+                severity: Severity.Info,
+                analyzer: ANALYZER_NAME,
+                title: 'Ensure regular APP_KEY rotation is planned',
+                description: `Laravel's \`APP_KEY\` is used for all encryption and signed URLs. A compromised ` +
+                    `\`APP_KEY\` exposes all encrypted model attributes. Ensure the key is rotated ` +
+                    `periodically and after any potential compromise, using \`php artisan key:rotate\` ` +
+                    `(Laravel 11+) to re-encrypt data gracefully.`,
+                file: 'config/app.php',
+                line: 1,
+                recommendation: 'Rotate APP_KEY using `php artisan key:rotate` (requires `APP_PREVIOUS_KEYS` for ' +
+                    'graceful re-encryption). Store keys in a secrets manager, never in version control.',
+                cwe: 'CWE-320',
+            });
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=EncryptionAnalyzer.js.map

package/dist/analyzers/EncryptionAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EncryptionAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/EncryptionAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAGzF,iFAAiF;AAEjF,MAAM,6BAA6B,GAAG,eAAe,CAAC;AACtD,MAAM,oBAAoB,GAAG,eAAe,CAAC;AAC7C,MAAM,wBAAwB,GAAG,eAAe,CAAC;AACjD,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAE3C;;GAEG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,KAAK;IACL,wBAAwB;IACxB,QAAQ;IACR,KAAK;IACL,aAAa;IACb,oBAAoB;IACpB,aAAa;IACb,cAAc;IACd,qBAAqB;IACrB,gBAAgB;IAChB,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,YAAY;IACZ,aAAa;IACb,cAAc;IACd,eAAe;IACf,aAAa;IACb,uBAAuB;IACvB,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,KAAK;IACL,iBAAiB;IACjB,iBAAiB;IACjB,gBAAgB;CACjB,CAAC,CAAC;AAEH,0DAA0D;AAC1D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAEhI,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB;IAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,qCAAqC;IACrC,MAAM,SAAS,GAAG,2CAA2C,CAAC;IAC9D,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChD,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAClB,yFAAyF,CAAC;IAE5F,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,4CAA4C;YAC5C,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,EAAE,CAAC;gBAC7E,WAAW,GAAG,IAAI,CAAC;YACrB,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEtC,MAAM,OAAO,GAAG,IAAqB,CAAC;YACtC,IAAI,CAAC,OAAO,CAAC,OAAO;gBAAE,SAAS;YAE/B,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO;oBAAE,SAAS;gBAE5C,MAAM,YAAY,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;gBACvE,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC;gBAEjE,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,qBAAqB,CAAC,YAAY,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjG,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAkB,CAAC;gBAExG,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;oBACnC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC;wBAAE,SAAS;oBAE3C,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;oBACtC,MAAM,WAAW,GAAG,SAAS,KAAK,SAAS,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAE9E,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,IAAI,SAAS,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;4BACrC,+BAA+B;4BAC/B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,oBAAoB;gCACxB,QAAQ,EAAE,QAAQ,CAAC,MAAM;gCACzB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,qBAAqB,KAAK,WAAW,GAAG,CAAC,IAAI,6BAA6B;gCACjF,WAAW,EACT,eAAe,KAAK,iBAAiB,GAAG,CAAC,IAAI,mBAAmB,SAAS,KAAK;oCAC9E,8EAA8E;oCAC9E,0BAA0B;gCAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,YAAY,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI;gCACvD,cAAc,EACZ,yBAAyB,KAAK,+CAA+C;oCAC7E,4EAA4E;gCAC9E,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,wBAAwB,KAAK,SAAS,SAAS,KAAK;6BAC9D,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,2CAA2C;4BAC3C,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,6BAA6B;gCACjC,QAAQ,EAAE,QAAQ,CAAC,IAAI;gCACvB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,qBAAqB,KAAK,WAAW,GAAG,CAAC,IAAI,0BAA0B;gCAC9E,WAAW,EACT,eAAe,KAAK,sCAAsC,GAAG,CAAC,IAAI,aAAa;oCAC/E,gFAAgF;oCAChF,mEAAmE;gCACrE,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,YAAY,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI;gCACpC,cAAc,EACZ,UAAU,KAAK,sDAAsD;oCACrE,+DAA+D;gCACjE,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,wBAAwB,KAAK,oBAAoB;6BAC3D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,mEAAmE;gBACnE,MAAM,eAAe,GAAG,gCAAgC,CAAC;gBACzD,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACvC,wEAAwE;oBACxE,MAAM,iBAAiB,GAAG,sEAAsE,CAAC;oBACjG,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACzC,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,6BAA6B;4BACjC,QAAQ,EAAE,QAAQ,CAAC,IAAI;4BACvB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,mDAAmD,GAAG,CAAC,IAAI,IAAI;4BACtE,WAAW,EACT,4DAA4D,GAAG,CAAC,IAAI,aAAa;gCACjF,iFAAiF;gCACjF,gFAAgF;gCAChF,wCAAwC;4BAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,cAAc,EACZ,0EAA0E;gCAC1E,0DAA0D;4BAC5D,GAAG,EAAE,SAAS;yBACf,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,wBAAwB;gBAC5B,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,4CAA4C;gBACnD,WAAW,EACT,kFAAkF;oBAClF,gFAAgF;oBAChF,oFAAoF;oBACpF,8CAA8C;gBAChD,IAAI,EAAE,gBAAgB;gBACtB,IAAI,EAAE,CAAC;gBACP,cAAc,EACZ,kFAAkF;oBAClF,qFAAqF;gBACvF,GAAG,EAAE,SAAS;aACf,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/FileUploadAnalyzer.d.ts

@@ -0,0 +1,8 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class FileUploadAnalyzer implements Analyzer {
+    readonly name = "FileUploadAnalyzer";
+    readonly description = "Detects insecure file upload patterns including missing validation and dangerous storage configurations";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+    private checkPathFromInput;
+}
+//# sourceMappingURL=FileUploadAnalyzer.d.ts.map

package/dist/analyzers/FileUploadAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileUploadAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/FileUploadAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAoGzF,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,IAAI,wBAAiB;IAC9B,QAAQ,CAAC,WAAW,6GAA6G;IAE3H,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAuG5E,OAAO,CAAC,kBAAkB;CA8B3B"}

package/dist/analyzers/FileUploadAnalyzer.js

@@ -0,0 +1,193 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const ANALYZER_NAME = 'FileUploadAnalyzer';
+const FINDING_NO_TYPE_VALIDATION = 'HAVOC-UPLOAD-001';
+const FINDING_NO_SIZE_VALIDATION = 'HAVOC-UPLOAD-002';
+const FINDING_PUBLIC_DISK = 'HAVOC-UPLOAD-003';
+const FINDING_EXECUTABLE_EXTENSION = 'HAVOC-UPLOAD-004';
+const FINDING_PATH_FROM_INPUT = 'HAVOC-UPLOAD-005';
+// Executable extensions that should never be allowed in uploads
+const EXECUTABLE_EXTENSIONS = ['.php', '.phtml', '.php3', '.php4', '.php5', '.php7', '.phar', '.blade.php'];
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function isPhpFile(path) {
+    return path.endsWith('.php') && !path.endsWith('.blade.php');
+}
+function findLineNumber(content, matchIndex) {
+    return content.slice(0, matchIndex).split('\n').length;
+}
+/**
+ * Find method blocks that handle file uploads.
+ * Deduplicates blocks by startIndex to avoid duplicate findings when a method
+ * contains multiple upload-related tokens.
+ */
+function findUploadBlocks(content) {
+    const seen = new Set();
+    const blocks = [];
+    const uploadPattern = /\$request->(file|hasFile)\s*\(|->store(As)?\s*\(/g;
+    let match;
+    while ((match = uploadPattern.exec(content)) !== null) {
+        const before = content.slice(0, match.index);
+        const functionStart = before.lastIndexOf('function ');
+        if (functionStart === -1)
+            continue;
+        if (seen.has(functionStart))
+            continue;
+        seen.add(functionStart);
+        // Find end of method body (brace-balanced)
+        let depth = 0;
+        let end = functionStart;
+        for (let i = functionStart; i < content.length; i++) {
+            if (content[i] === '{')
+                depth++;
+            else if (content[i] === '}') {
+                depth--;
+                if (depth === 0) {
+                    end = i;
+                    break;
+                }
+            }
+        }
+        const methodContent = content.slice(functionStart, end + 1);
+        blocks.push({
+            startIndex: functionStart,
+            endIndex: end,
+            snippet: methodContent,
+            line: findLineNumber(content, functionStart),
+        });
+    }
+    return blocks;
+}
+/**
+ * Check if a method block has file type validation rules.
+ */
+function hasTypeValidation(methodBlock) {
+    return /mimes\s*:|mimetypes\s*:|extensions\s*:/i.test(methodBlock);
+}
+/**
+ * Check if a method block has file size validation.
+ */
+function hasSizeValidation(methodBlock) {
+    return /\bmax\s*:/i.test(methodBlock);
+}
+/**
+ * Extract the validation rules string if present in a method block.
+ */
+function extractValidationRules(methodBlock) {
+    const rulesMatch = /(?:validate|rules)\s*\([^)]*\[([^\]]+)\]/s.exec(methodBlock);
+    return rulesMatch ? rulesMatch[1] : null;
+}
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+export class FileUploadAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects insecure file upload patterns including missing validation and dangerous storage configurations';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!isPhpFile(file.path))
+                continue;
+            const content = file.content;
+            const uploadBlocks = findUploadBlocks(content);
+            for (const block of uploadBlocks) {
+                const { snippet, line } = block;
+                // 1. Missing file type validation
+                if (!hasTypeValidation(snippet)) {
+                    findings.push({
+                        id: FINDING_NO_TYPE_VALIDATION,
+                        severity: Severity.High,
+                        analyzer: ANALYZER_NAME,
+                        title: 'File upload without type validation',
+                        description: `File upload in \`${file.path}\` does not validate the file type (missing \`mimes:\`, \`mimetypes:\`, or \`extensions:\` rule). ` +
+                            `Without type validation, users can upload arbitrary files including scripts.`,
+                        file: file.path,
+                        line,
+                        recommendation: "Add file type validation: `'file' => 'required|file|mimes:jpg,png,pdf|max:2048'`.",
+                        cwe: 'CWE-434',
+                    });
+                }
+                // 2. Missing size validation
+                if (!hasSizeValidation(snippet)) {
+                    findings.push({
+                        id: FINDING_NO_SIZE_VALIDATION,
+                        severity: Severity.Medium,
+                        analyzer: ANALYZER_NAME,
+                        title: 'File upload without size validation',
+                        description: `File upload in \`${file.path}\` does not validate file size (missing \`max:\` rule). ` +
+                            `Without size limits, attackers can upload very large files to exhaust storage or cause denial of service.`,
+                        file: file.path,
+                        line,
+                        recommendation: "Add a file size limit: `'file' => 'required|file|max:10240'` (in kilobytes).",
+                        cwe: 'CWE-400',
+                    });
+                }
+                // 3. Storage to public disk without access control
+                const pdRegex = /->store(?:As)?\s*\([^)]*['"]public['"]/g;
+                let pdMatch;
+                while ((pdMatch = pdRegex.exec(snippet)) !== null) {
+                    findings.push({
+                        id: FINDING_PUBLIC_DISK,
+                        severity: Severity.Medium,
+                        analyzer: ANALYZER_NAME,
+                        title: 'File stored on public disk without access control',
+                        description: `\`store()\` call in \`${file.path}\` uses the \`public\` disk, making files directly accessible via URL. ` +
+                            `Sensitive uploaded files should not be publicly accessible without authorization checks.`,
+                        file: file.path,
+                        line: findLineNumber(content, block.startIndex + pdMatch.index),
+                        recommendation: "Use the default (private) disk for sensitive files and serve them through an authorized controller action.",
+                        cwe: 'CWE-284',
+                        snippet: pdMatch[0],
+                    });
+                }
+                // 4. Executable file extensions allowed in mimes/extensions rules
+                const rulesStr = extractValidationRules(snippet);
+                if (rulesStr) {
+                    for (const ext of EXECUTABLE_EXTENSIONS) {
+                        const extWithoutDot = ext.replace('.', '');
+                        const extPattern = new RegExp(`(?:mimes|extensions):[^|'"]*\\b${extWithoutDot}\\b`, 'i');
+                        if (extPattern.test(rulesStr)) {
+                            findings.push({
+                                id: FINDING_EXECUTABLE_EXTENSION,
+                                severity: Severity.High,
+                                analyzer: ANALYZER_NAME,
+                                title: `Executable extension \`${ext}\` allowed in file upload`,
+                                description: `The file upload rule in \`${file.path}\` allows the \`${ext}\` extension. ` +
+                                    `Allowing executable file uploads can lead to remote code execution.`,
+                                file: file.path,
+                                line,
+                                recommendation: `Remove \`${extWithoutDot}\` from allowed extensions. Never allow PHP or other server-side executable files to be uploaded.`,
+                                cwe: 'CWE-434',
+                                snippet: rulesStr.slice(0, 80),
+                            });
+                        }
+                    }
+                }
+            }
+            // 5. Direct file path from user input used in storage operations
+            this.checkPathFromInput(file, findings);
+        }
+        return findings;
+    }
+    checkPathFromInput(file, findings) {
+        const content = file.content;
+        const inputPathPattern = /\$request->(?:input|get)\s*\(\s*['"](?:path|filename|dir|directory|folder)['"]\s*\)/g;
+        let match;
+        while ((match = inputPathPattern.exec(content)) !== null) {
+            const surroundingCode = content.slice(Math.max(0, match.index - 200), match.index + match[0].length + 200);
+            if (/Storage::|->store|->storeAs|->move|->putFile/.test(surroundingCode)) {
+                findings.push({
+                    id: FINDING_PATH_FROM_INPUT,
+                    severity: Severity.High,
+                    analyzer: ANALYZER_NAME,
+                    title: 'File path derived from user input in storage operation',
+                    description: `\`$request->input('path')\` (or similar) is used in a storage operation in \`${file.path}\`. ` +
+                        `Using user-supplied paths in storage operations can lead to path traversal attacks.`,
+                    file: file.path,
+                    line: findLineNumber(content, match.index),
+                    recommendation: 'Never use user-supplied input directly as a file path. Generate paths server-side using `Str::uuid()` or similar.',
+                    cwe: 'CWE-22',
+                    snippet: match[0],
+                });
+            }
+        }
+    }
+}
+//# sourceMappingURL=FileUploadAnalyzer.js.map

package/dist/analyzers/FileUploadAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileUploadAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/FileUploadAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,iFAAiF;AAEjF,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAE3C,MAAM,0BAA0B,GAAG,kBAAkB,CAAC;AACtD,MAAM,0BAA0B,GAAG,kBAAkB,CAAC;AACtD,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;AAC/C,MAAM,4BAA4B,GAAG,kBAAkB,CAAC;AACxD,MAAM,uBAAuB,GAAG,kBAAkB,CAAC;AAEnD,gEAAgE;AAChE,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;AAE5G,gFAAgF;AAEhF,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,UAAkB;IACzD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACzD,CAAC;AASD;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,MAAM,aAAa,GAAG,mDAAmD,CAAC;IAC1E,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,aAAa,GAAG,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QACtD,IAAI,aAAa,KAAK,CAAC,CAAC;YAAE,SAAS;QACnC,IAAI,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC;YAAE,SAAS;QACtC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAExB,2CAA2C;QAC3C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,GAAG,GAAG,aAAa,CAAC;QACxB,KAAK,IAAI,CAAC,GAAG,aAAa,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpD,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBAC3B,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC5B,KAAK,EAAE,CAAC;gBACR,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;oBAChB,GAAG,GAAG,CAAC,CAAC;oBACR,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC;YACV,UAAU,EAAE,aAAa;YACzB,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,WAAmB;IAC5C,OAAO,yCAAyC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,WAAmB;IAC5C,OAAO,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,WAAmB;IACjD,MAAM,UAAU,GAAG,2CAA2C,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjF,OAAO,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3C,CAAC;AAED,iFAAiF;AAEjF,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,yGAAyG,CAAC;IAEjI,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;YAC7B,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAE/C,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;gBACjC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;gBAEhC,kCAAkC;gBAClC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,0BAA0B;wBAC9B,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,qCAAqC;wBAC5C,WAAW,EACT,oBAAoB,IAAI,CAAC,IAAI,oGAAoG;4BACjI,8EAA8E;wBAChF,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI;wBACJ,cAAc,EACZ,mFAAmF;wBACrF,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;gBAED,6BAA6B;gBAC7B,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,0BAA0B;wBAC9B,QAAQ,EAAE,QAAQ,CAAC,MAAM;wBACzB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,qCAAqC;wBAC5C,WAAW,EACT,oBAAoB,IAAI,CAAC,IAAI,0DAA0D;4BACvF,2GAA2G;wBAC7G,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI;wBACJ,cAAc,EACZ,8EAA8E;wBAChF,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;gBAED,mDAAmD;gBACnD,MAAM,OAAO,GAAG,yCAAyC,CAAC;gBAC1D,IAAI,OAA+B,CAAC;gBACpC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAClD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,mBAAmB;wBACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;wBACzB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,mDAAmD;wBAC1D,WAAW,EACT,yBAAyB,IAAI,CAAC,IAAI,yEAAyE;4BAC3G,0FAA0F;wBAC5F,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC;wBAC/D,cAAc,EACZ,4GAA4G;wBAC9G,GAAG,EAAE,SAAS;wBACd,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;gBAED,kEAAkE;gBAClE,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,QAAQ,EAAE,CAAC;oBACb,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;wBACxC,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;wBAC3C,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,kCAAkC,aAAa,KAAK,EAAE,GAAG,CAAC,CAAC;wBACzF,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,4BAA4B;gCAChC,QAAQ,EAAE,QAAQ,CAAC,IAAI;gCACvB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,0BAA0B,GAAG,2BAA2B;gCAC/D,WAAW,EACT,6BAA6B,IAAI,CAAC,IAAI,mBAAmB,GAAG,gBAAgB;oCAC5E,qEAAqE;gCACvE,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI;gCACJ,cAAc,EACZ,YAAY,aAAa,mGAAmG;gCAC9H,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;6BAC/B,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iEAAiE;YACjE,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,IAAgB,EAAE,QAAmB;QAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC7B,MAAM,gBAAgB,GAAG,sFAAsF,CAAC;QAChH,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CACnC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,EAC9B,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,CACpC,CAAC;YAEF,IAAI,8CAA8C,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;gBACzE,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,uBAAuB;oBAC3B,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,wDAAwD;oBAC/D,WAAW,EACT,gFAAgF,IAAI,CAAC,IAAI,MAAM;wBAC/F,qFAAqF;oBACvF,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC1C,cAAc,EACZ,mHAAmH;oBACrH,GAAG,EAAE,QAAQ;oBACb,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/analyzers/IdorAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class IdorAnalyzer implements Analyzer {
+    readonly name = "IdorAnalyzer";
+    readonly description = "Detects potential Insecure Direct Object Reference (IDOR) vulnerabilities";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=IdorAnalyzer.d.ts.map

package/dist/analyzers/IdorAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"IdorAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/IdorAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AA4EzF,qBAAa,YAAa,YAAW,QAAQ;IAC3C,QAAQ,CAAC,IAAI,kBAAiB;IAC9B,QAAQ,CAAC,WAAW,+EAA+E;IAE7F,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAqC7E"}

package/dist/analyzers/IdorAnalyzer.js

@@ -0,0 +1,91 @@
+import { Severity } from '../types/index.js';
+const NESTED_RESOURCE_PATTERN = /\{([^}]+)\}[^{]*\{([^}]+)\}/;
+const RESOURCE_ROUTE_PATTERN = /Route::(?:resource|apiResource)\s*\(\s*['"]([^'"]+)['"]/g;
+const MULTI_PARAM_ROUTE_PATTERN = /Route::\w+\s*\(\s*['"]([^'"]+)['"]/g;
+const OWNERSHIP_CHECK_PATTERNS = [
+    /->where\s*\(\s*['"]user_id['"]\s*,/,
+    /->where\s*\(\s*['"]owner_id['"]\s*,/,
+    /->whereHas\s*\(/,
+    /abort_if\s*\(/,
+    /abort_unless\s*\(/,
+    /\$this->authorize\s*\(/,
+    /Gate::/,
+    /belongsTo\s*\(/,
+    /auth\(\)->user\(\)->/,
+];
+const FINDING_NESTED_IDOR = 'HAVOC-IDOR-001';
+const FINDING_RESOURCE_IDOR = 'HAVOC-IDOR-002';
+const ANALYZER_NAME = 'IdorAnalyzer';
+function isRouteFile(path) {
+    return (path.startsWith('routes/') ||
+        path.startsWith('routes\\') ||
+        path === 'routes/web.php' ||
+        path === 'routes/api.php');
+}
+function isControllerFile(path) {
+    return path.includes('Http/Controllers') || path.includes('Http\\Controllers');
+}
+function extractNestedRoutes(content) {
+    const routes = [];
+    const lines = content.split('\n');
+    lines.forEach((lineText, idx) => {
+        const lineNum = idx + 1;
+        // Check multi-param routes
+        const re1 = new RegExp(MULTI_PARAM_ROUTE_PATTERN.source, 'g');
+        let match;
+        while ((match = re1.exec(lineText)) !== null) {
+            const routePath = match[1];
+            if (NESTED_RESOURCE_PATTERN.test(routePath)) {
+                routes.push({ path: routePath, line: lineNum, isResource: false, routeDefinition: lineText.trim() });
+            }
+        }
+        // Check resource routes
+        const re2 = new RegExp(RESOURCE_ROUTE_PATTERN.source, 'g');
+        while ((match = re2.exec(lineText)) !== null) {
+            const resourcePath = match[1];
+            if (resourcePath.includes('.') || resourcePath.includes('/')) {
+                routes.push({ path: resourcePath, line: lineNum, isResource: true, routeDefinition: lineText.trim() });
+            }
+        }
+    });
+    return routes;
+}
+function hasOwnershipCheck(content) {
+    return OWNERSHIP_CHECK_PATTERNS.some((re) => re.test(content));
+}
+export class IdorAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects potential Insecure Direct Object Reference (IDOR) vulnerabilities';
+    async analyze(files, _config) {
+        const findings = [];
+        const allControllerText = files
+            .filter((f) => isControllerFile(f.path))
+            .map((f) => f.content)
+            .join('\n');
+        for (const file of files) {
+            if (!isRouteFile(file.path))
+                continue;
+            const routes = extractNestedRoutes(file.content);
+            for (const route of routes) {
+                if (!hasOwnershipCheck(allControllerText)) {
+                    findings.push({
+                        id: route.isResource ? FINDING_RESOURCE_IDOR : FINDING_NESTED_IDOR,
+                        severity: Severity.Medium,
+                        analyzer: ANALYZER_NAME,
+                        title: `Potential IDOR on nested route: \`${route.path}\``,
+                        description: `The route \`${route.path}\` has multiple parameters suggesting a parent-child resource relationship. ` +
+                            `Without ownership verification, a user could access another user\'s child resources.`,
+                        file: file.path,
+                        line: route.line,
+                        recommendation: 'In the controller, verify the child resource belongs to the parent. ' +
+                            'Example: `$post = $user->posts()->findOrFail($postId);`',
+                        cwe: 'CWE-639',
+                        snippet: route.routeDefinition,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=IdorAnalyzer.js.map

package/dist/analyzers/IdorAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IdorAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/IdorAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,MAAM,uBAAuB,GAAG,6BAA6B,CAAC;AAC9D,MAAM,sBAAsB,GAAG,0DAA0D,CAAC;AAC1F,MAAM,yBAAyB,GAAG,qCAAqC,CAAC;AAExE,MAAM,wBAAwB,GAAG;IAC/B,oCAAoC;IACpC,qCAAqC;IACrC,iBAAiB;IACjB,eAAe;IACf,mBAAmB;IACnB,wBAAwB;IACxB,QAAQ;IACR,gBAAgB;IAChB,sBAAsB;CACvB,CAAC;AAEF,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,qBAAqB,GAAG,gBAAgB,CAAC;AAC/C,MAAM,aAAa,GAAG,cAAc,CAAC;AAErC,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,CACL,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC1B,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAC3B,IAAI,KAAK,gBAAgB;QACzB,IAAI,KAAK,gBAAgB,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AACjF,CAAC;AASD,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;QAC9B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC;QAExB,2BAA2B;QAC3B,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,yBAAyB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC9D,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC3B,IAAI,uBAAuB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACvG,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,CAAC,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7D,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzG,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,2EAA2E,CAAC;IAEnG,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,MAAM,iBAAiB,GAAG,KAAK;aAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;aACrB,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEtC,MAAM,MAAM,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,mBAAmB;wBAClE,QAAQ,EAAE,QAAQ,CAAC,MAAM;wBACzB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,qCAAqC,KAAK,CAAC,IAAI,IAAI;wBAC1D,WAAW,EACT,eAAe,KAAK,CAAC,IAAI,8EAA8E;4BACvG,sFAAsF;wBACxF,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,CAAC,IAAI;wBAChB,cAAc,EACZ,sEAAsE;4BACtE,yDAAyD;wBAC3D,GAAG,EAAE,SAAS;wBACd,OAAO,EAAE,KAAK,CAAC,eAAe;qBAC/B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/MassAssignmentAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class MassAssignmentAnalyzer implements Analyzer {
+    readonly name = "MassAssignmentAnalyzer";
+    readonly description = "Detects Eloquent models vulnerable to mass assignment attacks";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=MassAssignmentAnalyzer.d.ts.map

package/dist/analyzers/MassAssignmentAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MassAssignmentAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/MassAssignmentAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAkBzF,qBAAa,sBAAuB,YAAW,QAAQ;IACrD,QAAQ,CAAC,IAAI,4BAAiB;IAC9B,QAAQ,CAAC,WAAW,mEAAmE;IAEjF,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAkF7E"}

package/dist/analyzers/MassAssignmentAnalyzer.js

@@ -0,0 +1,90 @@
+import { Severity } from '../types/index.js';
+const SENSITIVE_FILLABLE_FIELDS = new Set([
+    'password', 'password_hash', 'password_confirmation', 'role', 'roles',
+    'is_admin', 'admin', 'is_superuser', 'email_verified_at', 'remember_token',
+    'api_token', 'api_key', 'stripe_id', 'two_factor_secret', 'two_factor_recovery_codes',
+]);
+const FINDING_NO_GUARD = 'HAVOC-MA-001';
+const FINDING_OPEN_GUARD = 'HAVOC-MA-002';
+const FINDING_SENSITIVE = 'HAVOC-MA-003';
+const ANALYZER_NAME = 'MassAssignmentAnalyzer';
+function isModelFile(path) {
+    return path.includes('app/Models') || path.includes('app\\Models');
+}
+export class MassAssignmentAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects Eloquent models vulnerable to mass assignment attacks';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!isModelFile(file.path))
+                continue;
+            const phpFile = file;
+            if (!phpFile.classes)
+                continue;
+            for (const cls of phpFile.classes) {
+                if (cls.isAbstract || cls.isTrait)
+                    continue;
+                const fillableProp = cls.properties.find((p) => p.name === 'fillable');
+                const guardedProp = cls.properties.find((p) => p.name === 'guarded');
+                const hasFillable = fillableProp !== undefined;
+                const hasGuarded = guardedProp !== undefined;
+                if (!hasFillable && !hasGuarded) {
+                    findings.push({
+                        id: FINDING_NO_GUARD,
+                        severity: Severity.Medium,
+                        analyzer: ANALYZER_NAME,
+                        title: `Model \`${cls.name}\` has no mass assignment protection`,
+                        description: `The Eloquent model \`${cls.name}\` defines neither \`$fillable\` nor \`$guarded\`. ` +
+                            `Without these, all attributes may be mass-assignable.`,
+                        file: file.path,
+                        line: cls.line,
+                        recommendation: 'Define `$fillable` with an explicit list of safe attributes, or define `$guarded = [\'id\']`.',
+                        cwe: 'CWE-915',
+                    });
+                    continue;
+                }
+                if (hasGuarded) {
+                    const initText = guardedProp?.initializer ?? '';
+                    const isOpenGuard = initText.trim() === '[]';
+                    if (isOpenGuard) {
+                        findings.push({
+                            id: FINDING_OPEN_GUARD,
+                            severity: Severity.High,
+                            analyzer: ANALYZER_NAME,
+                            title: `Model \`${cls.name}\` uses \`$guarded = []\` (effectively unguarded)`,
+                            description: `\`${cls.name}\` sets \`$guarded = []\`, which disables all mass assignment protection.`,
+                            file: file.path,
+                            line: guardedProp?.line ?? cls.line,
+                            recommendation: 'Switch to `$fillable` with an explicit allowlist.',
+                            cwe: 'CWE-915',
+                            snippet: 'protected $guarded = [];',
+                        });
+                    }
+                }
+                if (hasFillable) {
+                    const initText = fillableProp?.initializer ?? '';
+                    for (const sensitive of SENSITIVE_FILLABLE_FIELDS) {
+                        if (initText.includes('"' + sensitive + '"') || initText.includes("'" + sensitive + "'")) {
+                            findings.push({
+                                id: FINDING_SENSITIVE,
+                                severity: Severity.Medium,
+                                analyzer: ANALYZER_NAME,
+                                title: `Sensitive field \`${sensitive}\` is mass-assignable in \`${cls.name}\``,
+                                description: `The field \`${sensitive}\` is listed in \`$fillable\` on model \`${cls.name}\`. ` +
+                                    `Allowing mass assignment of this field could allow privilege escalation.`,
+                                file: file.path,
+                                line: fillableProp?.line ?? cls.line,
+                                recommendation: `Remove \`${sensitive}\` from \`$fillable\` and set it via dedicated methods.`,
+                                cwe: 'CWE-915',
+                                snippet: "protected $fillable = [..., '" + sensitive + "', ...];",
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=MassAssignmentAnalyzer.js.map

package/dist/analyzers/MassAssignmentAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"MassAssignmentAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/MassAssignmentAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAGzF,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,UAAU,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,EAAE,OAAO;IACrE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB;IAC1E,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,mBAAmB,EAAE,2BAA2B;CACtF,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,cAAc,CAAC;AACxC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,iBAAiB,GAAG,cAAc,CAAC;AACzC,MAAM,aAAa,GAAG,wBAAwB,CAAC;AAE/C,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,OAAO,sBAAsB;IACxB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,+DAA+D,CAAC;IAEvF,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEtC,MAAM,OAAO,GAAG,IAAqB,CAAC;YACtC,IAAI,CAAC,OAAO,CAAC,OAAO;gBAAE,SAAS;YAE/B,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO;oBAAE,SAAS;gBAE5C,MAAM,YAAY,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;gBACvE,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;gBACrE,MAAM,WAAW,GAAG,YAAY,KAAK,SAAS,CAAC;gBAC/C,MAAM,UAAU,GAAG,WAAW,KAAK,SAAS,CAAC;gBAE7C,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,gBAAgB;wBACpB,QAAQ,EAAE,QAAQ,CAAC,MAAM;wBACzB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,WAAW,GAAG,CAAC,IAAI,sCAAsC;wBAChE,WAAW,EACT,wBAAwB,GAAG,CAAC,IAAI,qDAAqD;4BACrF,uDAAuD;wBACzD,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,cAAc,EACZ,+FAA+F;wBACjG,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,QAAQ,GAAG,WAAW,EAAE,WAAW,IAAI,EAAE,CAAC;oBAChD,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC;oBAC7C,IAAI,WAAW,EAAE,CAAC;wBAChB,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,kBAAkB;4BACtB,QAAQ,EAAE,QAAQ,CAAC,IAAI;4BACvB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,WAAW,GAAG,CAAC,IAAI,mDAAmD;4BAC7E,WAAW,EACT,KAAK,GAAG,CAAC,IAAI,2EAA2E;4BAC1F,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,WAAW,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI;4BACnC,cAAc,EAAE,mDAAmD;4BACnE,GAAG,EAAE,SAAS;4BACd,OAAO,EAAE,0BAA0B;yBACpC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,QAAQ,GAAG,YAAY,EAAE,WAAW,IAAI,EAAE,CAAC;oBACjD,KAAK,MAAM,SAAS,IAAI,yBAAyB,EAAE,CAAC;wBAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,GAAG,CAAC,EAAE,CAAC;4BACzF,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,iBAAiB;gCACrB,QAAQ,EAAE,QAAQ,CAAC,MAAM;gCACzB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,qBAAqB,SAAS,8BAA8B,GAAG,CAAC,IAAI,IAAI;gCAC/E,WAAW,EACT,eAAe,SAAS,4CAA4C,GAAG,CAAC,IAAI,MAAM;oCAClF,0EAA0E;gCAC5E,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,YAAY,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI;gCACpC,cAAc,EACZ,YAAY,SAAS,yDAAyD;gCAChF,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,+BAA+B,GAAG,SAAS,GAAG,UAAU;6BAClE,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/PrivilegeEscalationAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class PrivilegeEscalationAnalyzer implements Analyzer {
+    readonly name = "PrivilegeEscalationAnalyzer";
+    readonly description = "Detects privilege escalation vectors: mass-assignable role fields, unprotected role changes, and missing admin middleware";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=PrivilegeEscalationAnalyzer.d.ts.map

package/dist/analyzers/PrivilegeEscalationAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PrivilegeEscalationAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/PrivilegeEscalationAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AA2FzF,qBAAa,2BAA4B,YAAW,QAAQ;IAC1D,QAAQ,CAAC,IAAI,iCAAiB;IAC9B,QAAQ,CAAC,WAAW,+HAC0G;IAExH,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAiK7E"}