@havoc-security/scanner 0.1.0

package/dist/analyzers/PrivilegeEscalationAnalyzer.js

@@ -0,0 +1,217 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const FINDING_MASS_ASSIGNABLE_PRIVILEGE = 'HAVOC-PE-001';
+const FINDING_UNPROTECTED_ROLE_CHANGE = 'HAVOC-PE-002';
+const FINDING_MISSING_ADMIN_MIDDLEWARE = 'HAVOC-PE-003';
+const ANALYZER_NAME = 'PrivilegeEscalationAnalyzer';
+/** Fields in $fillable that indicate privilege escalation risk. */
+const PRIVILEGE_FILLABLE_FIELDS = new Set([
+    'is_admin',
+    'is_superadmin',
+    'is_super_admin',
+    'is_superuser',
+    'role',
+    'roles',
+    'admin',
+    'superadmin',
+    'permissions',
+    'permission',
+    'user_type',
+    'account_type',
+    'access_level',
+]);
+/** Methods that mutate roles/permissions. */
+const ROLE_MUTATION_METHODS = [
+    'assignRole',
+    'givePermissionTo',
+    'syncRoles',
+    'syncPermissions',
+    'revokePermissionTo',
+    'removeRole',
+    'syncPermissionsWithoutDetaching',
+];
+/** Patterns indicating authorization was checked. */
+const AUTHORIZATION_PATTERNS = [
+    /\$this->authorize\s*\(/,
+    /Gate::authorize\s*\(/,
+    /Gate::allows\s*\(/,
+    /Gate::denies\s*\(/,
+    /Gate::check\s*\(/,
+    /->can\s*\(/,
+    /->cannot\s*\(/,
+    /abort_if\s*\(/,
+    /abort_unless\s*\(/,
+];
+/** Admin-level middleware that protects privilege routes. */
+const ADMIN_MIDDLEWARE_PATTERNS = [
+    /['"]role:admin['"]/,
+    /['"]can:manage['"]/,
+    /['"]can:admin['"]/,
+    /['"]admin['"]/,
+    /['"]is[._]admin['"]/i,
+    /['"]permission:manage['"]/,
+    /middleware\s*\(\s*['"][^'"]*admin[^'"]*['"]/,
+];
+function isModelFile(path) {
+    return path.includes('app/Models') || path.includes('app\\Models');
+}
+function isControllerFile(path) {
+    return path.includes('Http/Controllers') || path.includes('Http\\Controllers');
+}
+function isRouteFile(path) {
+    return path.startsWith('routes/') || path.startsWith('routes\\');
+}
+function hasAuthorization(bodyText) {
+    return AUTHORIZATION_PATTERNS.some((re) => re.test(bodyText));
+}
+function extractFillableFields(initText) {
+    const matches = initText.match(/['"]([^'"]+)['"]/g) ?? [];
+    return matches.map((m) => m.replace(/['"]/g, ''));
+}
+function hasAdminMiddleware(routeSnippet) {
+    return ADMIN_MIDDLEWARE_PATTERNS.some((p) => p.test(routeSnippet));
+}
+function isAdminRoute(uri) {
+    return /admin/i.test(uri);
+}
+export class PrivilegeEscalationAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects privilege escalation vectors: mass-assignable role fields, unprotected role changes, and missing admin middleware';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            // ── 1. Check models for mass-assignable privilege fields ────────────────
+            if (isModelFile(file.path)) {
+                const phpFile = file;
+                if (!phpFile.classes)
+                    continue;
+                for (const cls of phpFile.classes) {
+                    if (cls.isAbstract || cls.isTrait)
+                        continue;
+                    const fillableProp = cls.properties.find((p) => p.name === 'fillable');
+                    if (!fillableProp)
+                        continue;
+                    const fields = extractFillableFields(fillableProp.initializer ?? '');
+                    for (const field of fields) {
+                        if (PRIVILEGE_FILLABLE_FIELDS.has(field)) {
+                            findings.push({
+                                id: FINDING_MASS_ASSIGNABLE_PRIVILEGE,
+                                severity: Severity.Critical,
+                                analyzer: ANALYZER_NAME,
+                                title: `Privilege field \`${field}\` is mass-assignable in \`${cls.name}\``,
+                                description: `The field \`${field}\` is listed in \`$fillable\` on model \`${cls.name}\`. ` +
+                                    `This means it can be set via mass assignment (e.g., \`User::create($request->all())\`), ` +
+                                    `allowing an attacker to escalate their own privileges by crafting a request ` +
+                                    `with \`${field}=1\` or \`role=admin\`.`,
+                                file: file.path,
+                                line: fillableProp.line ?? cls.line,
+                                recommendation: `Remove \`${field}\` from \`$fillable\` immediately. Use a dedicated method ` +
+                                    `(e.g., \`assignRole()\`, \`promoteToAdmin()\`) with proper authorization checks ` +
+                                    `to modify this field.`,
+                                cwe: 'CWE-269',
+                                snippet: `protected $fillable = [..., '${field}', ...];`,
+                            });
+                        }
+                    }
+                }
+            }
+            // ── 2. Check controllers for role mutations without authorization ───────
+            if (isControllerFile(file.path)) {
+                const phpFile = file;
+                if (!phpFile.classes)
+                    continue;
+                for (const cls of phpFile.classes) {
+                    for (const method of cls.methods) {
+                        if (method.visibility !== 'public')
+                            continue;
+                        const body = method.bodyText;
+                        const hasRoleMutation = ROLE_MUTATION_METHODS.some((m) => new RegExp(`->${m}\\s*\\(`).test(body));
+                        if (!hasRoleMutation)
+                            continue;
+                        const mutatingMethod = ROLE_MUTATION_METHODS.find((m) => new RegExp(`->${m}\\s*\\(`).test(body)) ?? 'unknown';
+                        if (!hasAuthorization(body)) {
+                            findings.push({
+                                id: FINDING_UNPROTECTED_ROLE_CHANGE,
+                                severity: Severity.High,
+                                analyzer: ANALYZER_NAME,
+                                title: `Role mutation \`${mutatingMethod}()\` without authorization in \`${cls.name}::${method.name}()\``,
+                                description: `The method \`${method.name}()\` in \`${cls.name}\` calls \`${mutatingMethod}()\` ` +
+                                    `to modify roles or permissions, but no authorization check (\`$this->authorize()\`, ` +
+                                    `\`Gate::authorize()\`, etc.) was detected before the mutation. This may allow ` +
+                                    `unauthorized privilege escalation.`,
+                                file: file.path,
+                                line: method.line,
+                                recommendation: `Add \`$this->authorize('manage-roles')\` or an equivalent Gate/Policy check ` +
+                                    `at the top of \`${method.name}()\` before calling \`${mutatingMethod}()\`. ` +
+                                    `Ensure only admins can modify roles.`,
+                                cwe: 'CWE-269',
+                                snippet: body.slice(0, 200),
+                            });
+                        }
+                        // Check for self-referential role changes: $user = auth()->user() or similar
+                        const selfUpdatePatterns = [
+                            /auth\(\)->user\(\)/,
+                            /\$request->user\(\)/,
+                            /Auth::user\(\)/,
+                        ];
+                        const hasSelfUpdate = selfUpdatePatterns.some((p) => p.test(body));
+                        if (hasSelfUpdate) {
+                            findings.push({
+                                id: FINDING_UNPROTECTED_ROLE_CHANGE,
+                                severity: Severity.High,
+                                analyzer: ANALYZER_NAME,
+                                title: `Possible self-referential role change in \`${cls.name}::${method.name}()\``,
+                                description: `The method \`${method.name}()\` in \`${cls.name}\` appears to call ` +
+                                    `\`${mutatingMethod}()\` on the authenticated user (\`auth()->user()\`), which ` +
+                                    `may allow a user to escalate their own privileges.`,
+                                file: file.path,
+                                line: method.line,
+                                recommendation: `Ensure role/permission changes can only be performed by an admin on OTHER users. ` +
+                                    `Add a check like: \`abort_if(auth()->id() === $targetUser->id, 403)\`.`,
+                                cwe: 'CWE-269',
+                                snippet: body.slice(0, 200),
+                            });
+                        }
+                    }
+                }
+            }
+            // ── 3. Check route files for admin routes without admin middleware ───────
+            if (isRouteFile(file.path)) {
+                const routeRegex = /Route::(get|post|put|patch|delete|any)\s*\(\s*['"`]([^'"`]+)['"`][^;]*\);/g;
+                let match;
+                while ((match = routeRegex.exec(file.content)) !== null) {
+                    const uri = match[2];
+                    if (!isAdminRoute(uri))
+                        continue;
+                    const lineStart = file.content.lastIndexOf('\n', match.index) + 1;
+                    const snippet = file.content.slice(lineStart, match.index + match[0].length).trim();
+                    // Check if the route itself has admin middleware, or look for enclosing group
+                    // by checking nearby context (simple heuristic: 200 chars before)
+                    const context = file.content.slice(Math.max(0, match.index - 300), match.index + match[0].length);
+                    if (!hasAdminMiddleware(context)) {
+                        const beforeMatch = file.content.slice(0, match.index);
+                        const line = (beforeMatch.match(/\n/g) ?? []).length + 1;
+                        findings.push({
+                            id: FINDING_MISSING_ADMIN_MIDDLEWARE,
+                            severity: Severity.Medium,
+                            analyzer: ANALYZER_NAME,
+                            title: `Admin route \`${uri}\` may be missing admin middleware`,
+                            description: `The route \`${match[1].toUpperCase()} ${uri}\` appears to be an admin endpoint ` +
+                                `but no \`role:admin\`, \`can:manage-users\`, or similar admin middleware was ` +
+                                `detected in its definition or enclosing group.`,
+                            file: file.path,
+                            line,
+                            recommendation: `Wrap admin routes in a middleware group: ` +
+                                `\`Route::middleware(['auth', 'role:admin'])->group(...)\`. ` +
+                                `Use Spatie's \`role\` middleware or a custom admin middleware.`,
+                            cwe: 'CWE-269',
+                            snippet: snippet.slice(0, 200),
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=PrivilegeEscalationAnalyzer.js.map

package/dist/analyzers/PrivilegeEscalationAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PrivilegeEscalationAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/PrivilegeEscalationAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAGzF,iFAAiF;AAEjF,MAAM,iCAAiC,GAAG,cAAc,CAAC;AACzD,MAAM,+BAA+B,GAAG,cAAc,CAAC;AACvD,MAAM,gCAAgC,GAAG,cAAc,CAAC;AACxD,MAAM,aAAa,GAAG,6BAA6B,CAAC;AAEpD,mEAAmE;AACnE,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,UAAU;IACV,eAAe;IACf,gBAAgB;IAChB,cAAc;IACd,MAAM;IACN,OAAO;IACP,OAAO;IACP,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,WAAW;IACX,cAAc;IACd,cAAc;CACf,CAAC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,qBAAqB,GAAG;IAC5B,YAAY;IACZ,kBAAkB;IAClB,WAAW;IACX,iBAAiB;IACjB,oBAAoB;IACpB,YAAY;IACZ,iCAAiC;CAClC,CAAC;AAEF,qDAAqD;AACrD,MAAM,sBAAsB,GAAG;IAC7B,wBAAwB;IACxB,sBAAsB;IACtB,mBAAmB;IACnB,mBAAmB;IACnB,kBAAkB;IAClB,YAAY;IACZ,eAAe;IACf,eAAe;IACf,mBAAmB;CACpB,CAAC;AAEF,6DAA6D;AAC7D,MAAM,yBAAyB,GAAG;IAChC,oBAAoB;IACpB,oBAAoB;IACpB,mBAAmB;IACnB,eAAe;IACf,sBAAsB;IACtB,2BAA2B;IAC3B,6CAA6C;CAC9C,CAAC;AAEF,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,OAAO,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,OAAO,2BAA2B;IAC7B,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAClB,2HAA2H,CAAC;IAE9H,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,2EAA2E;YAC3E,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,IAAqB,CAAC;gBACtC,IAAI,CAAC,OAAO,CAAC,OAAO;oBAAE,SAAS;gBAE/B,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;oBAClC,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO;wBAAE,SAAS;oBAE5C,MAAM,YAAY,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;oBACvE,IAAI,CAAC,YAAY;wBAAE,SAAS;oBAE5B,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;oBACrE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;wBAC3B,IAAI,yBAAyB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;4BACzC,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,iCAAiC;gCACrC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gCAC3B,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,qBAAqB,KAAK,8BAA8B,GAAG,CAAC,IAAI,IAAI;gCAC3E,WAAW,EACT,eAAe,KAAK,4CAA4C,GAAG,CAAC,IAAI,MAAM;oCAC9E,0FAA0F;oCAC1F,8EAA8E;oCAC9E,UAAU,KAAK,yBAAyB;gCAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,YAAY,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI;gCACnC,cAAc,EACZ,YAAY,KAAK,4DAA4D;oCAC7E,kFAAkF;oCAClF,uBAAuB;gCACzB,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,gCAAgC,KAAK,UAAU;6BACzD,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,2EAA2E;YAC3E,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,MAAM,OAAO,GAAG,IAAqB,CAAC;gBACtC,IAAI,CAAC,OAAO,CAAC,OAAO;oBAAE,SAAS;gBAE/B,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;oBAClC,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;wBACjC,IAAI,MAAM,CAAC,UAAU,KAAK,QAAQ;4BAAE,SAAS;wBAE7C,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;wBAC7B,MAAM,eAAe,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACvC,CAAC;wBAEF,IAAI,CAAC,eAAe;4BAAE,SAAS;wBAE/B,MAAM,cAAc,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACtD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACvC,IAAI,SAAS,CAAC;wBAEf,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;4BAE5B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,+BAA+B;gCACnC,QAAQ,EAAE,QAAQ,CAAC,IAAI;gCACvB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,mBAAmB,cAAc,mCAAmC,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,MAAM;gCACzG,WAAW,EACT,gBAAgB,MAAM,CAAC,IAAI,aAAa,GAAG,CAAC,IAAI,cAAc,cAAc,OAAO;oCACnF,sFAAsF;oCACtF,gFAAgF;oCAChF,oCAAoC;gCACtC,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,MAAM,CAAC,IAAI;gCACjB,cAAc,EACZ,8EAA8E;oCAC9E,mBAAmB,MAAM,CAAC,IAAI,yBAAyB,cAAc,QAAQ;oCAC7E,sCAAsC;gCACxC,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;6BAC5B,CAAC,CAAC;wBACL,CAAC;wBAED,6EAA6E;wBAC7E,MAAM,kBAAkB,GAAG;4BACzB,oBAAoB;4BACpB,qBAAqB;4BACrB,gBAAgB;yBACjB,CAAC;wBACF,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBACnE,IAAI,aAAa,EAAE,CAAC;4BAClB,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,+BAA+B;gCACnC,QAAQ,EAAE,QAAQ,CAAC,IAAI;gCACvB,QAAQ,EAAE,aAAa;gCACvB,KAAK,EAAE,8CAA8C,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,MAAM;gCACnF,WAAW,EACT,gBAAgB,MAAM,CAAC,IAAI,aAAa,GAAG,CAAC,IAAI,qBAAqB;oCACrE,KAAK,cAAc,6DAA6D;oCAChF,oDAAoD;gCACtD,IAAI,EAAE,IAAI,CAAC,IAAI;gCACf,IAAI,EAAE,MAAM,CAAC,IAAI;gCACjB,cAAc,EACZ,mFAAmF;oCACnF,wEAAwE;gCAC1E,GAAG,EAAE,SAAS;gCACd,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;6BAC5B,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,4EAA4E;YAC5E,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,MAAM,UAAU,GACd,4EAA4E,CAAC;gBAC/E,IAAI,KAA6B,CAAC;gBAElC,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACxD,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACrB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAEjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAClE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEpF,8EAA8E;oBAC9E,kEAAkE;oBAClE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;oBAElG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;wBACjC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;wBACvD,MAAM,IAAI,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;wBAEzD,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,gCAAgC;4BACpC,QAAQ,EAAE,QAAQ,CAAC,MAAM;4BACzB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,iBAAiB,GAAG,oCAAoC;4BAC/D,WAAW,EACT,eAAe,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,IAAI,GAAG,qCAAqC;gCACjF,+EAA+E;gCAC/E,gDAAgD;4BAClD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI;4BACJ,cAAc,EACZ,2CAA2C;gCAC3C,6DAA6D;gCAC7D,gEAAgE;4BAClE,GAAG,EAAE,SAAS;4BACd,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBAC/B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/RateLimitAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class RateLimitAnalyzer implements Analyzer {
+    readonly name = "RateLimitAnalyzer";
+    readonly description = "Detects sensitive endpoints (auth, API) missing rate limiting middleware";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=RateLimitAnalyzer.d.ts.map

package/dist/analyzers/RateLimitAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimitAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/RateLimitAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAqIzF,qBAAa,iBAAkB,YAAW,QAAQ;IAChD,QAAQ,CAAC,IAAI,uBAAiB;IAC9B,QAAQ,CAAC,WAAW,8EACyD;IAEvE,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAwD7E"}

package/dist/analyzers/RateLimitAnalyzer.js

@@ -0,0 +1,151 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const FINDING_AUTH_NO_THROTTLE = 'HAVOC-RL-001';
+const FINDING_API_NO_THROTTLE = 'HAVOC-RL-002';
+const ANALYZER_NAME = 'RateLimitAnalyzer';
+/** Patterns that indicate an auth-sensitive endpoint. */
+const AUTH_ENDPOINT_PATTERNS = [
+    /login/i,
+    /logout/i,
+    /register/i,
+    /password\/reset/i,
+    /password\/email/i,
+    /password\/confirm/i,
+    /forgot-password/i,
+    /reset-password/i,
+    /two-factor/i,
+    /verify-email/i,
+    /webhook/i,
+];
+/** Patterns that identify throttle/rate-limit middleware. */
+const THROTTLE_PATTERNS = [/throttle:/, /RateLimiter/, /rate.limit/i];
+function isRouteFile(path) {
+    return path.startsWith('routes/') || path.startsWith('routes\\');
+}
+function hasThrottle(middlewareList) {
+    return middlewareList.some((m) => THROTTLE_PATTERNS.some((p) => p.test(m)));
+}
+function isAuthEndpoint(uri) {
+    return AUTH_ENDPOINT_PATTERNS.some((p) => p.test(uri));
+}
+function extractMiddlewareList(raw) {
+    // Extract quoted strings individually to avoid splitting on commas inside throttle:X,Y
+    const matches = raw.match(/['"](throttle:[^'"]+)['"]/g);
+    if (matches) {
+        // Return the full throttle values plus any other middlewares
+        const throttleValues = matches.map((m) => m.replace(/['"]/g, ''));
+        const others = raw
+            .replace(/[\[\]]/g, '')
+            .split(',')
+            .map((m) => m.trim().replace(/['"]/g, ''))
+            .filter((m) => !m.startsWith('throttle:') && Boolean(m));
+        return [...throttleValues, ...others];
+    }
+    return raw
+        .replace(/[\[\]]/g, '')
+        .split(',')
+        .map((m) => m.trim().replace(/['"]/g, ''))
+        .filter(Boolean);
+}
+function parseRoutesInBlock(block, inheritedMiddleware) {
+    const routes = [];
+    const routeRegex = /Route::(get|post|put|patch|delete|any|match|apiResource|resource)\s*\(\s*['"`]([^'"`]+)['"`]/gi;
+    let match;
+    while ((match = routeRegex.exec(block)) !== null) {
+        const method = match[1].toUpperCase();
+        const uri = match[2];
+        const lineStart = block.lastIndexOf('\n', match.index) + 1;
+        const lineEnd = block.indexOf(';', match.index);
+        const snippet = lineEnd >= 0
+            ? block.slice(lineStart, lineEnd + 1).trim()
+            : block.slice(lineStart, match.index + 120).trim();
+        // Inline ->middleware(...) on this specific route
+        const inlineMatch = snippet.match(/->middleware\s*\(\s*\[?([^\])\n]+)\]?\s*\)/);
+        const inlineMiddleware = inlineMatch ? extractMiddlewareList(inlineMatch[1]) : [];
+        const allMiddleware = [...inheritedMiddleware, ...inlineMiddleware];
+        const beforeMatch = block.slice(0, match.index);
+        const line = (beforeMatch.match(/\n/g) ?? []).length + 1;
+        routes.push({ method, uri, line, snippet, allMiddleware });
+    }
+    return routes;
+}
+function parseRouteGroups(content) {
+    const groups = [];
+    const groupSpans = [];
+    // Extract Route::middleware(...)->group(...) blocks
+    const groupRegex = /Route::middleware\s*\(([^)]+)\)\s*->group\s*\(\s*function\s*\(\s*\)\s*\{([\s\S]*?)\}\s*\)/g;
+    let groupMatch;
+    while ((groupMatch = groupRegex.exec(content)) !== null) {
+        groupSpans.push({ start: groupMatch.index, end: groupMatch.index + groupMatch[0].length });
+        const middlewareList = extractMiddlewareList(groupMatch[1]);
+        const groupBody = groupMatch[2];
+        const routes = parseRoutesInBlock(groupBody, middlewareList);
+        groups.push({ middleware: middlewareList, routes });
+    }
+    // Top-level routes: strip out group blocks first to avoid double-counting
+    let topLevelContent = content;
+    for (const span of [...groupSpans].reverse()) {
+        topLevelContent =
+            topLevelContent.slice(0, span.start) + ' '.repeat(span.end - span.start) + topLevelContent.slice(span.end);
+    }
+    const topLevelRoutes = parseRoutesInBlock(topLevelContent, []);
+    if (topLevelRoutes.length > 0) {
+        groups.push({ middleware: [], routes: topLevelRoutes });
+    }
+    return groups;
+}
+export class RateLimitAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects sensitive endpoints (auth, API) missing rate limiting middleware';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!isRouteFile(file.path))
+                continue;
+            const groups = parseRouteGroups(file.content);
+            const isApiFile = file.path.includes('api');
+            for (const group of groups) {
+                for (const route of group.routes) {
+                    const allMiddleware = [...group.middleware, ...route.allMiddleware];
+                    if (hasThrottle(allMiddleware))
+                        continue;
+                    if (isAuthEndpoint(route.uri)) {
+                        findings.push({
+                            id: FINDING_AUTH_NO_THROTTLE,
+                            severity: Severity.High,
+                            analyzer: ANALYZER_NAME,
+                            title: `Auth endpoint \`${route.uri}\` has no rate limiting`,
+                            description: `The authentication-sensitive route \`${route.method} ${route.uri}\` has no ` +
+                                `\`throttle:\` middleware. Without rate limiting, this endpoint is vulnerable to ` +
+                                `brute-force attacks and credential stuffing.`,
+                            file: file.path,
+                            line: route.line,
+                            recommendation: `Add \`throttle:5,1\` (or stricter) middleware: ` +
+                                `\`->middleware('throttle:5,1')\`. For auth routes, consider a named limiter ` +
+                                `with \`RateLimiter::for('login', ...)\`.`,
+                            cwe: 'CWE-307',
+                            snippet: route.snippet.slice(0, 200),
+                        });
+                    }
+                    else if (isApiFile || /^\/?(api)\//.test(route.uri)) {
+                        findings.push({
+                            id: FINDING_API_NO_THROTTLE,
+                            severity: Severity.Medium,
+                            analyzer: ANALYZER_NAME,
+                            title: `API endpoint \`${route.uri}\` has no rate limiting`,
+                            description: `The API route \`${route.method} ${route.uri}\` has no \`throttle:\` middleware. ` +
+                                `Unprotected API endpoints can be abused by scrapers or automated bots.`,
+                            file: file.path,
+                            line: route.line,
+                            recommendation: `Add \`throttle:60,1\` middleware to this route or the enclosing route group.`,
+                            cwe: 'CWE-770',
+                            snippet: route.snippet.slice(0, 200),
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=RateLimitAnalyzer.js.map

package/dist/analyzers/RateLimitAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimitAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/RateLimitAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,iFAAiF;AAEjF,MAAM,wBAAwB,GAAG,cAAc,CAAC;AAChD,MAAM,uBAAuB,GAAG,cAAc,CAAC;AAC/C,MAAM,aAAa,GAAG,mBAAmB,CAAC;AAE1C,yDAAyD;AACzD,MAAM,sBAAsB,GAAG;IAC7B,QAAQ;IACR,SAAS;IACT,WAAW;IACX,kBAAkB;IAClB,kBAAkB;IAClB,oBAAoB;IACpB,kBAAkB;IAClB,iBAAiB;IACjB,aAAa;IACb,eAAe;IACf,UAAU;CACX,CAAC;AAEF,6DAA6D;AAC7D,MAAM,iBAAiB,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;AAetE,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,WAAW,CAAC,cAAwB;IAC3C,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,uFAAuF;IACvF,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,6DAA6D;QAC7D,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,GAAG;aACf,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;aACzC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,cAAc,EAAE,GAAG,MAAM,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,GAAG;SACP,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;SACzC,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa,EAAE,mBAA6B;IACtE,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,MAAM,UAAU,GACd,gGAAgG,CAAC;IACnG,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACjD,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAErB,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAChD,MAAM,OAAO,GACX,OAAO,IAAI,CAAC;YACV,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;YAC5C,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAEvD,kDAAkD;QAClD,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChF,MAAM,gBAAgB,GAAG,WAAW,CAAC,CAAC,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClF,MAAM,aAAa,GAAG,CAAC,GAAG,mBAAmB,EAAE,GAAG,gBAAgB,CAAC,CAAC;QAEpE,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QAEzD,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,MAAM,UAAU,GAA0C,EAAE,CAAC;IAE7D,oDAAoD;IACpD,MAAM,UAAU,GACd,4FAA4F,CAAC;IAC/F,IAAI,UAAkC,CAAC;IAEvC,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,UAAU,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,GAAG,EAAE,UAAU,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3F,MAAM,cAAc,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5D,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,0EAA0E;IAC1E,IAAI,eAAe,GAAG,OAAO,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7C,eAAe;YACb,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/G,CAAC;IACD,MAAM,cAAc,GAAG,kBAAkB,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;IAC/D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAClB,0EAA0E,CAAC;IAE7E,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE5C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;oBACjC,MAAM,aAAa,GAAG,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC;oBACpE,IAAI,WAAW,CAAC,aAAa,CAAC;wBAAE,SAAS;oBAEzC,IAAI,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC9B,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,wBAAwB;4BAC5B,QAAQ,EAAE,QAAQ,CAAC,IAAI;4BACvB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,mBAAmB,KAAK,CAAC,GAAG,yBAAyB;4BAC5D,WAAW,EACT,wCAAwC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,YAAY;gCAC7E,kFAAkF;gCAClF,8CAA8C;4BAChD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,KAAK,CAAC,IAAI;4BAChB,cAAc,EACZ,iDAAiD;gCACjD,8EAA8E;gCAC9E,0CAA0C;4BAC5C,GAAG,EAAE,SAAS;4BACd,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBACrC,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,SAAS,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;wBACtD,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,uBAAuB;4BAC3B,QAAQ,EAAE,QAAQ,CAAC,MAAM;4BACzB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,kBAAkB,KAAK,CAAC,GAAG,yBAAyB;4BAC3D,WAAW,EACT,mBAAmB,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,sCAAsC;gCAClF,wEAAwE;4BAC1E,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,KAAK,CAAC,IAAI;4BAChB,cAAc,EACZ,8EAA8E;4BAChF,GAAG,EAAE,SAAS;4BACd,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBACrC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/SessionSecurityAnalyzer.d.ts

@@ -0,0 +1,10 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class SessionSecurityAnalyzer implements Analyzer {
+    readonly name = "SessionSecurityAnalyzer";
+    readonly description = "Analyzes session and cookie security configuration for vulnerabilities";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+    private analyzeSessionConfig;
+    private analyzeCsrfExclusions;
+    private analyzeCookieEncryption;
+}
+//# sourceMappingURL=SessionSecurityAnalyzer.d.ts.map

package/dist/analyzers/SessionSecurityAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SessionSecurityAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/SessionSecurityAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AA8FzF,qBAAa,uBAAwB,YAAW,QAAQ;IACtD,QAAQ,CAAC,IAAI,6BAAiB;IAC9B,QAAQ,CAAC,WAAW,4EAA4E;IAE1F,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAmB5E,OAAO,CAAC,oBAAoB;IAwI5B,OAAO,CAAC,qBAAqB;IAuD7B,OAAO,CAAC,uBAAuB;CAiChC"}