@havoc-security/scanner 0.1.0

package/dist/analyzers/SessionSecurityAnalyzer.js

@@ -0,0 +1,295 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const ANALYZER_NAME = 'SessionSecurityAnalyzer';
+const FINDING_SECURE_COOKIE = 'HAVOC-SESS-001';
+const FINDING_HTTP_ONLY = 'HAVOC-SESS-002';
+const FINDING_SAME_SITE = 'HAVOC-SESS-003';
+const FINDING_FILE_DRIVER = 'HAVOC-SESS-004';
+const FINDING_CSRF_EXCLUSION = 'HAVOC-SESS-005';
+const FINDING_SESSION_LIFETIME = 'HAVOC-SESS-006';
+const FINDING_COOKIE_ENCRYPTION = 'HAVOC-SESS-007';
+const SESSION_LIFETIME_THRESHOLD = 480; // minutes
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function isSessionConfig(path) {
+    return path === 'config/session.php' || path.endsWith('/config/session.php');
+}
+function isBootstrapApp(path) {
+    return path === 'bootstrap/app.php' || path.endsWith('/bootstrap/app.php');
+}
+function isMiddlewareFile(path) {
+    return path.includes('Middleware') && path.endsWith('.php');
+}
+function findLineNumber(content, matchIndex) {
+    return content.slice(0, matchIndex).split('\n').length;
+}
+/**
+ * Extract a config value from a PHP config file.
+ *
+ * Handles:
+ *  - scalar booleans: `'key' => true`
+ *  - scalar strings: `'key' => 'value'`
+ *  - env() calls with inner commas: `'key' => env('VAR', 'default')`
+ *  - integer literals: `'key' => 120`
+ *
+ * Returns the raw matched value string, or null if the key isn't found.
+ */
+function extractConfigValue(content, key) {
+    // Match the key, then capture either:
+    //   - an env(...) call (balancing parentheses up to closing paren)
+    //   - a quoted string
+    //   - a bare token (true/false/null/number)
+    const keyPattern = new RegExp(`['"]${key}['"]\\s*=>\\s*`, 'i');
+    const keyMatch = keyPattern.exec(content);
+    if (!keyMatch)
+        return null;
+    const afterKey = content.slice(keyMatch.index + keyMatch[0].length);
+    // env(...) call — capture to the matching close paren
+    const envCallMatch = /^env\s*\(/.exec(afterKey);
+    if (envCallMatch) {
+        let depth = 0;
+        let i = afterKey.indexOf('(');
+        for (; i < afterKey.length; i++) {
+            if (afterKey[i] === '(')
+                depth++;
+            else if (afterKey[i] === ')') {
+                depth--;
+                if (depth === 0)
+                    return afterKey.slice(0, i + 1).trim();
+            }
+        }
+        return afterKey.slice(0, 60).trim(); // fallback
+    }
+    // Quoted string: 'value' or "value"
+    const quotedMatch = /^(['"])(.*?)\1/.exec(afterKey);
+    if (quotedMatch)
+        return quotedMatch[0].trim();
+    // Bare token: true, false, null, or integer — stop at comma or newline
+    const bareMatch = /^[^\s,\n\r]+/.exec(afterKey);
+    if (bareMatch)
+        return bareMatch[0].trim();
+    return null;
+}
+/**
+ * Unwrap env(...) call to extract the default value (second argument).
+ * e.g., `env('SESSION_SECURE_COOKIE', false)` → 'false'
+ */
+function extractEnvDefault(envCall) {
+    const match = /env\s*\([^,)]+,\s*(.+?)\s*\)$/.exec(envCall.trim());
+    if (!match)
+        return null;
+    return match[1].replace(/['"]/g, '').trim();
+}
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+export class SessionSecurityAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Analyzes session and cookie security configuration for vulnerabilities';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!file.path.endsWith('.php'))
+                continue;
+            if (isSessionConfig(file.path)) {
+                findings.push(...this.analyzeSessionConfig(file));
+            }
+            if (isBootstrapApp(file.path) || isMiddlewareFile(file.path)) {
+                findings.push(...this.analyzeCsrfExclusions(file));
+                findings.push(...this.analyzeCookieEncryption(file));
+            }
+        }
+        return findings;
+    }
+    analyzeSessionConfig(file) {
+        const findings = [];
+        const content = file.content;
+        // Check 'secure' flag — should be true (or env-driven default true) in production
+        const secureValue = extractConfigValue(content, 'secure');
+        if (secureValue !== null) {
+            let isInsecure = false;
+            if (secureValue === 'false') {
+                isInsecure = true;
+            }
+            else if (/^env\s*\(/.test(secureValue)) {
+                const defaultVal = extractEnvDefault(secureValue);
+                if (defaultVal === 'false')
+                    isInsecure = true;
+            }
+            if (isInsecure) {
+                const idx = content.search(/'secure'\s*=>/i);
+                findings.push({
+                    id: FINDING_SECURE_COOKIE,
+                    severity: Severity.High,
+                    analyzer: ANALYZER_NAME,
+                    title: 'Session cookie `secure` flag is disabled',
+                    description: `\`'secure' => false\` in \`${file.path}\`. ` +
+                        `Session cookies without the Secure flag can be transmitted over unencrypted HTTP connections.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: "Set `'secure' => env('SESSION_SECURE_COOKIE', true)` to ensure cookies are only sent over HTTPS.",
+                    cwe: 'CWE-614',
+                    snippet: `'secure' => false`,
+                });
+            }
+        }
+        // Check 'http_only' — should be true
+        const httpOnlyValue = extractConfigValue(content, 'http_only');
+        if (httpOnlyValue !== null && httpOnlyValue === 'false') {
+            const idx = content.search(/'http_only'\s*=>/i);
+            findings.push({
+                id: FINDING_HTTP_ONLY,
+                severity: Severity.High,
+                analyzer: ANALYZER_NAME,
+                title: 'Session cookie `http_only` flag is disabled',
+                description: `\`'http_only' => false\` in \`${file.path}\`. ` +
+                    `Without the HttpOnly flag, session cookies can be accessed by client-side JavaScript, enabling XSS-based session theft.`,
+                file: file.path,
+                line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                recommendation: "Set `'http_only' => true` to prevent JavaScript access to session cookies.",
+                cwe: 'CWE-1004',
+                snippet: `'http_only' => false`,
+            });
+        }
+        // Check 'same_site' — should be 'lax' or 'strict'
+        const sameSiteValue = extractConfigValue(content, 'same_site');
+        if (sameSiteValue !== null) {
+            const cleaned = sameSiteValue.replace(/['"]/g, '').toLowerCase().trim();
+            if (cleaned === 'none' || cleaned === 'null' || cleaned === '') {
+                const idx = content.search(/'same_site'\s*=>/i);
+                findings.push({
+                    id: FINDING_SAME_SITE,
+                    severity: Severity.Medium,
+                    analyzer: ANALYZER_NAME,
+                    title: `Session cookie \`same_site\` is set to \`${cleaned || 'null'}\``,
+                    description: `\`'same_site' => '${cleaned}'\` in \`${file.path}\`. ` +
+                        `A permissive SameSite policy increases CSRF attack surface.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: "Set `'same_site' => 'lax'` or `'strict'` to mitigate CSRF attacks.",
+                    cwe: 'CWE-352',
+                    snippet: `'same_site' => '${cleaned}'`,
+                });
+            }
+        }
+        // Check 'driver' — warn if 'file' (should be redis/database in production)
+        const driverValue = extractConfigValue(content, 'driver');
+        if (driverValue !== null) {
+            let driverStr = driverValue.replace(/['"]/g, '').trim();
+            // If env-driven, extract default
+            if (/^env\s*\(/.test(driverValue)) {
+                const def = extractEnvDefault(driverValue);
+                driverStr = def ?? driverStr;
+            }
+            if (driverStr === 'file') {
+                const idx = content.search(/'driver'\s*=>/i);
+                findings.push({
+                    id: FINDING_FILE_DRIVER,
+                    severity: Severity.Medium,
+                    analyzer: ANALYZER_NAME,
+                    title: 'Session driver is set to `file`',
+                    description: `\`'driver' => 'file'\` in \`${file.path}\`. ` +
+                        `File-based session storage is not suitable for production — it doesn't scale across multiple servers.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: "Use `'driver' => env('SESSION_DRIVER', 'redis')` and configure Redis or database session storage in production.",
+                    cwe: 'CWE-16',
+                    snippet: `'driver' => 'file'`,
+                });
+            }
+        }
+        // Check session lifetime > 480 minutes
+        const lifetimeValue = extractConfigValue(content, 'lifetime');
+        if (lifetimeValue !== null) {
+            const numStr = lifetimeValue.replace(/[^0-9]/g, '');
+            const lifetimeNum = parseInt(numStr, 10);
+            if (!isNaN(lifetimeNum) && lifetimeNum > SESSION_LIFETIME_THRESHOLD) {
+                const idx = content.search(/'lifetime'\s*=>/i);
+                findings.push({
+                    id: FINDING_SESSION_LIFETIME,
+                    severity: Severity.Medium,
+                    analyzer: ANALYZER_NAME,
+                    title: `Session lifetime is excessively long (${lifetimeNum} minutes)`,
+                    description: `Session lifetime of ${lifetimeNum} minutes in \`${file.path}\` exceeds the recommended maximum of ${SESSION_LIFETIME_THRESHOLD} minutes (8 hours). ` +
+                        `Long-lived sessions increase the window of opportunity for session hijacking.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: `Set the session lifetime to ${SESSION_LIFETIME_THRESHOLD} minutes or less and implement idle timeout.`,
+                    cwe: 'CWE-613',
+                    snippet: `'lifetime' => ${lifetimeNum}`,
+                });
+            }
+        }
+        return findings;
+    }
+    analyzeCsrfExclusions(file) {
+        const findings = [];
+        const content = file.content;
+        // Gate to VerifyCsrfToken-specific files: check by filename or class/use declarations
+        const isCsrfMiddleware = file.path.includes('VerifyCsrfToken') ||
+            /class\s+VerifyCsrfToken/.test(content) ||
+            (/VerifyCsrfToken/.test(content) && !content.includes('class EncryptCookies'));
+        if (isCsrfMiddleware) {
+            const hasExceptArray = /\$except\s*=\s*\[([^\]]+)\]/.exec(content);
+            if (hasExceptArray && hasExceptArray[1].trim() !== '') {
+                const idx = content.search(/\$except\s*=\s*\[/);
+                findings.push({
+                    id: FINDING_CSRF_EXCLUSION,
+                    severity: Severity.High,
+                    analyzer: ANALYZER_NAME,
+                    title: 'CSRF token verification is excluded for some routes',
+                    description: `\`$except\` array with routes is defined in \`${file.path}\`. ` +
+                        `Excluding routes from CSRF verification leaves them vulnerable to cross-site request forgery attacks.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: 'Remove CSRF exclusions unless absolutely necessary. For API routes, use token-based auth instead.',
+                    cwe: 'CWE-352',
+                    snippet: hasExceptArray[0].slice(0, 80),
+                });
+            }
+        }
+        // Check bootstrap/app.php for withoutMiddleware(VerifyCsrfToken)
+        const withoutCsrf = /withoutMiddleware\s*\(\s*(?:[^)]*VerifyCsrfToken[^)]*)\)/.exec(content);
+        if (withoutCsrf) {
+            findings.push({
+                id: FINDING_CSRF_EXCLUSION,
+                severity: Severity.High,
+                analyzer: ANALYZER_NAME,
+                title: 'CSRF middleware explicitly disabled for routes',
+                description: `\`withoutMiddleware(VerifyCsrfToken::class)\` found in \`${file.path}\`. ` +
+                    `Disabling CSRF verification exposes endpoints to cross-site request forgery.`,
+                file: file.path,
+                line: findLineNumber(content, withoutCsrf.index),
+                recommendation: 'Use proper API authentication (Sanctum, Passport) for routes that need to skip web CSRF middleware.',
+                cwe: 'CWE-352',
+                snippet: withoutCsrf[0].slice(0, 80),
+            });
+        }
+        return findings;
+    }
+    analyzeCookieEncryption(file) {
+        const findings = [];
+        const content = file.content;
+        // Only check EncryptCookies middleware files
+        const isEncryptCookiesFile = file.path.includes('EncryptCookies') ||
+            /class\s+EncryptCookies/.test(content);
+        if (isEncryptCookiesFile) {
+            const exceptMatch = /\$except\s*=\s*\[([^\]]+)\]/.exec(content);
+            if (exceptMatch && exceptMatch[1].trim() !== '') {
+                const idx = content.search(/\$except\s*=\s*\[/);
+                findings.push({
+                    id: FINDING_COOKIE_ENCRYPTION,
+                    severity: Severity.Medium,
+                    analyzer: ANALYZER_NAME,
+                    title: 'Sensitive cookies may be excluded from encryption',
+                    description: `The \`$except\` array in \`${file.path}\` excludes some cookies from encryption. ` +
+                        `Unencrypted cookies can be read or tampered with by the client.`,
+                    file: file.path,
+                    line: idx !== -1 ? findLineNumber(content, idx) : 1,
+                    recommendation: 'Only exclude cookies that are explicitly designed to be readable client-side. Remove sensitive cookie names from `$except`.',
+                    cwe: 'CWE-311',
+                    snippet: exceptMatch[0].slice(0, 80),
+                });
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=SessionSecurityAnalyzer.js.map

package/dist/analyzers/SessionSecurityAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SessionSecurityAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/SessionSecurityAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,iFAAiF;AAEjF,MAAM,aAAa,GAAG,yBAAyB,CAAC;AAEhD,MAAM,qBAAqB,GAAG,gBAAgB,CAAC;AAC/C,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAC3C,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAC3C,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,sBAAsB,GAAG,gBAAgB,CAAC;AAChD,MAAM,wBAAwB,GAAG,gBAAgB,CAAC;AAClD,MAAM,yBAAyB,GAAG,gBAAgB,CAAC;AAEnD,MAAM,0BAA0B,GAAG,GAAG,CAAC,CAAC,UAAU;AAElD,gFAAgF;AAEhF,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,IAAI,KAAK,oBAAoB,IAAI,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,UAAkB;IACzD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACzD,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,kBAAkB,CAAC,OAAe,EAAE,GAAW;IACtD,sCAAsC;IACtC,mEAAmE;IACnE,sBAAsB;IACtB,4CAA4C;IAC5C,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,OAAO,GAAG,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAEpE,sDAAsD;IACtD,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBAC5B,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC7B,KAAK,EAAE,CAAC;gBACR,IAAI,KAAK,KAAK,CAAC;oBAAE,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1D,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW;IAClD,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE9C,uEAAuE;IACvE,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE1C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,KAAK,GAAG,+BAA+B,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9C,CAAC;AAED,iFAAiF;AAEjF,MAAM,OAAO,uBAAuB;IACzB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,wEAAwE,CAAC;IAEhG,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE1C,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;gBACnD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,oBAAoB,CAAC,IAAgB;QAC3C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7B,kFAAkF;QAClF,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1D,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,UAAU,GAAG,KAAK,CAAC;YAEvB,IAAI,WAAW,KAAK,OAAO,EAAE,CAAC;gBAC5B,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;iBAAM,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzC,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;gBAClD,IAAI,UAAU,KAAK,OAAO;oBAAE,UAAU,GAAG,IAAI,CAAC;YAChD,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,qBAAqB;oBACzB,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,0CAA0C;oBACjD,WAAW,EACT,8BAA8B,IAAI,CAAC,IAAI,MAAM;wBAC7C,+FAA+F;oBACjG,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EACZ,kGAAkG;oBACpG,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,mBAAmB;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,MAAM,aAAa,GAAG,kBAAkB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/D,IAAI,aAAa,KAAK,IAAI,IAAI,aAAa,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,iBAAiB;gBACrB,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,6CAA6C;gBACpD,WAAW,EACT,iCAAiC,IAAI,CAAC,IAAI,MAAM;oBAChD,yHAAyH;gBAC3H,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACnD,cAAc,EAAE,4EAA4E;gBAC5F,GAAG,EAAE,UAAU;gBACf,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,MAAM,aAAa,GAAG,kBAAkB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC/D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;YACxE,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;gBAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBAChD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB;oBACrB,QAAQ,EAAE,QAAQ,CAAC,MAAM;oBACzB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,4CAA4C,OAAO,IAAI,MAAM,IAAI;oBACxE,WAAW,EACT,qBAAqB,OAAO,YAAY,IAAI,CAAC,IAAI,MAAM;wBACvD,6DAA6D;oBAC/D,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EAAE,oEAAoE;oBACpF,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,mBAAmB,OAAO,GAAG;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1D,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACxD,iCAAiC;YACjC,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;gBAC3C,SAAS,GAAG,GAAG,IAAI,SAAS,CAAC;YAC/B,CAAC;YACD,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB;oBACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;oBACzB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EACT,+BAA+B,IAAI,CAAC,IAAI,MAAM;wBAC9C,uGAAuG;oBACzG,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EACZ,iHAAiH;oBACnH,GAAG,EAAE,QAAQ;oBACb,OAAO,EAAE,oBAAoB;iBAC9B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,MAAM,aAAa,GAAG,kBAAkB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC9D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACpD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,WAAW,GAAG,0BAA0B,EAAE,CAAC;gBACpE,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,wBAAwB;oBAC5B,QAAQ,EAAE,QAAQ,CAAC,MAAM;oBACzB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,yCAAyC,WAAW,WAAW;oBACtE,WAAW,EACT,uBAAuB,WAAW,iBAAiB,IAAI,CAAC,IAAI,yCAAyC,0BAA0B,sBAAsB;wBACrJ,+EAA+E;oBACjF,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EACZ,+BAA+B,0BAA0B,8CAA8C;oBACzG,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,iBAAiB,WAAW,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,qBAAqB,CAAC,IAAgB;QAC5C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7B,sFAAsF;QACtF,MAAM,gBAAgB,GACpB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YACrC,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC;YACvC,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC;QAEjF,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,cAAc,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnE,IAAI,cAAc,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACtD,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBAChD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB;oBAC1B,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,qDAAqD;oBAC5D,WAAW,EACT,iDAAiD,IAAI,CAAC,IAAI,MAAM;wBAChE,uGAAuG;oBACzG,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EACZ,mGAAmG;oBACrG,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,MAAM,WAAW,GAAG,0DAA0D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7F,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,sBAAsB;gBAC1B,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,gDAAgD;gBACvD,WAAW,EACT,4DAA4D,IAAI,CAAC,IAAI,MAAM;oBAC3E,8EAA8E;gBAChF,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,cAAc,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,CAAC;gBAChD,cAAc,EACZ,qGAAqG;gBACvG,GAAG,EAAE,SAAS;gBACd,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACrC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,uBAAuB,CAAC,IAAgB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7B,6CAA6C;QAC7C,MAAM,oBAAoB,GACxB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,oBAAoB,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChE,IAAI,WAAW,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBAChD,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBAChD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,yBAAyB;oBAC7B,QAAQ,EAAE,QAAQ,CAAC,MAAM;oBACzB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,mDAAmD;oBAC1D,WAAW,EACT,8BAA8B,IAAI,CAAC,IAAI,4CAA4C;wBACnF,iEAAiE;oBACnE,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnD,cAAc,EACZ,6HAA6H;oBAC/H,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACrC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/SqlInjectionAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class SqlInjectionAnalyzer implements Analyzer {
+    readonly name = "SqlInjectionAnalyzer";
+    readonly description = "Finds raw SQL queries with potential injection vulnerabilities";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=SqlInjectionAnalyzer.d.ts.map

package/dist/analyzers/SqlInjectionAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlInjectionAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/SqlInjectionAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAkDzF,qBAAa,oBAAqB,YAAW,QAAQ;IACnD,QAAQ,CAAC,IAAI,0BAAiB;IAC9B,QAAQ,CAAC,WAAW,oEAAoE;IAElF,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CA4C7E"}

package/dist/analyzers/SqlInjectionAnalyzer.js

@@ -0,0 +1,77 @@
+import { Severity } from '../types/index.js';
+const RAW_SQL_METHODS = [
+    'whereRaw', 'orWhereRaw', 'orderByRaw', 'selectRaw',
+    'havingRaw', 'orHavingRaw', 'groupByRaw', 'fromRaw',
+];
+const DB_FACADE_METHODS = [
+    'DB::raw', 'DB::statement', 'DB::select', 'DB::insert', 'DB::update', 'DB::delete',
+];
+// Matches: "str" . $var, "$var inside string", $var . 'str'
+const INTERPOLATION_PATTERN = /(?:['"]\s*\.\s*\$|\$\{[^}]+\}|"[^"]*\$[a-zA-Z_][a-zA-Z0-9_]*[^"]*"|\$[a-zA-Z_][a-zA-Z0-9_]*\s*\.\s*['"])/;
+// Matches ? placeholders or :named (but NOT ::method calls)
+const BINDING_PATTERN = /\[\s*\$|\?\s*[,\]]|(?<![:])\s*:\s*(?!:)[a-zA-Z_]\w*/;
+const FINDING_INJECTION = 'HAVOC-SQL-001';
+const FINDING_RAW_INFO = 'HAVOC-SQL-002';
+const ANALYZER_NAME = 'SqlInjectionAnalyzer';
+function findRawSqlUsages(content) {
+    const lines = content.split('\n');
+    const matches = [];
+    lines.forEach((lineText, idx) => {
+        const lineNum = idx + 1;
+        for (const method of [...RAW_SQL_METHODS, ...DB_FACADE_METHODS]) {
+            const escaped = method.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const methodPattern = new RegExp(`${escaped}\\s*\\(`, 'g');
+            if (methodPattern.test(lineText)) {
+                const hasInterpolation = INTERPOLATION_PATTERN.test(lineText);
+                const hasBinding = BINDING_PATTERN.test(lineText);
+                matches.push({ method, line: lineNum, snippet: lineText.trim(), hasInterpolation, hasBinding });
+            }
+        }
+    });
+    return matches;
+}
+export class SqlInjectionAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Finds raw SQL queries with potential injection vulnerabilities';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!file.path.endsWith('.php') || file.path.endsWith('.blade.php'))
+                continue;
+            const usages = findRawSqlUsages(file.content);
+            for (const usage of usages) {
+                if (usage.hasInterpolation && !usage.hasBinding) {
+                    findings.push({
+                        id: FINDING_INJECTION,
+                        severity: Severity.High,
+                        analyzer: ANALYZER_NAME,
+                        title: `SQL injection risk in \`${usage.method}()\``,
+                        description: `\`${usage.method}()\` is called with a string containing variable interpolation ` +
+                            `or concatenation without parameter bindings.`,
+                        file: file.path,
+                        line: usage.line,
+                        recommendation: `Use parameter bindings: \`${usage.method}('col = ?', [$value])\`.`,
+                        cwe: 'CWE-89',
+                        snippet: usage.snippet,
+                    });
+                }
+                else if (!usage.hasBinding) {
+                    findings.push({
+                        id: FINDING_RAW_INFO,
+                        severity: Severity.Info,
+                        analyzer: ANALYZER_NAME,
+                        title: `Raw SQL usage in \`${usage.method}()\` — verify safety`,
+                        description: `\`${usage.method}()\` contains a raw SQL fragment. Ensure no user input reaches this query.`,
+                        file: file.path,
+                        line: usage.line,
+                        recommendation: 'If any part of this query can be user-influenced, use parameter bindings.',
+                        cwe: 'CWE-89',
+                        snippet: usage.snippet,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=SqlInjectionAnalyzer.js.map

package/dist/analyzers/SqlInjectionAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlInjectionAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/SqlInjectionAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,MAAM,eAAe,GAAG;IACtB,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,WAAW;IACnD,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,SAAS;CAC3C,CAAC;AAEX,MAAM,iBAAiB,GAAG;IACxB,SAAS,EAAE,eAAe,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;CAC1E,CAAC;AAEX,4DAA4D;AAC5D,MAAM,qBAAqB,GACzB,0GAA0G,CAAC;AAE7G,4DAA4D;AAC5D,MAAM,eAAe,GAAG,qDAAqD,CAAC;AAE9E,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAC1C,MAAM,gBAAgB,GAAG,eAAe,CAAC;AACzC,MAAM,aAAa,GAAG,sBAAsB,CAAC;AAU7C,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,OAAO,GAAe,EAAE,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;QAC9B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC;QACxB,KAAK,MAAM,MAAM,IAAI,CAAC,GAAG,eAAe,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;YAChE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC9D,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,GAAG,OAAO,SAAS,EAAE,GAAG,CAAC,CAAC;YAC3D,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC9D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAClD,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;YAClG,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,gEAAgE,CAAC;IAExF,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAAE,SAAS;YAE9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;oBAChD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB;wBACrB,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,2BAA2B,KAAK,CAAC,MAAM,MAAM;wBACpD,WAAW,EACT,KAAK,KAAK,CAAC,MAAM,iEAAiE;4BAClF,8CAA8C;wBAChD,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,CAAC,IAAI;wBAChB,cAAc,EACZ,6BAA6B,KAAK,CAAC,MAAM,0BAA0B;wBACrE,GAAG,EAAE,QAAQ;wBACb,OAAO,EAAE,KAAK,CAAC,OAAO;qBACvB,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;oBAC7B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,gBAAgB;wBACpB,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,sBAAsB,KAAK,CAAC,MAAM,sBAAsB;wBAC/D,WAAW,EAAE,KAAK,KAAK,CAAC,MAAM,4EAA4E;wBAC1G,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,CAAC,IAAI;wBAChB,cAAc,EAAE,2EAA2E;wBAC3F,GAAG,EAAE,QAAQ;wBACb,OAAO,EAAE,KAAK,CAAC,OAAO;qBACvB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/XssSurfaceAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class XssSurfaceAnalyzer implements Analyzer {
+    readonly name = "XssSurfaceAnalyzer";
+    readonly description = "Identifies unescaped Blade output that could lead to Cross-Site Scripting (XSS)";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=XssSurfaceAnalyzer.d.ts.map

package/dist/analyzers/XssSurfaceAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"XssSurfaceAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/XssSurfaceAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAqDzF,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,IAAI,wBAAiB;IAC9B,QAAQ,CAAC,WAAW,qFAAqF;IAEnG,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAqD7E"}

package/dist/analyzers/XssSurfaceAnalyzer.js

@@ -0,0 +1,100 @@
+import { Severity } from '../types/index.js';
+const UNESCAPED_OUTPUT_PATTERN = /\{!!\s*(.+?)\s*!!\}/g;
+const TRUSTED_CONTEXT_PATTERNS = [
+    /config\s*\(/,
+    /asset\s*\(/,
+    /url\s*\(/,
+    /route\s*\(/,
+    /__\s*\(/,
+    /trans\s*\(/,
+];
+const USER_CONTROLLED_PATTERNS = [
+    /\$[a-zA-Z_][a-zA-Z0-9_]*->(?:body|content|message|description|text|html|comment|bio|about|summary)/i,
+    /\$(?:body|content|message|description|text|html|comment|bio|about|summary)\b/i,
+    /request\(\)/i,
+    /->input\s*\(/i,
+];
+const ESCAPE_FUNCTION_PATTERNS = [
+    /\be\s*\(/,
+    /htmlspecialchars\s*\(/,
+    /Purifier::/,
+    /clean\s*\(/,
+    /strip_tags\s*\(/,
+];
+const FINDING_HIGH = 'HAVOC-XSS-001';
+const FINDING_MED = 'HAVOC-XSS-002';
+const ANALYZER_NAME = 'XssSurfaceAnalyzer';
+function isTrustedFilePath(path) {
+    return (path.includes('/mail/') ||
+        path.includes('/emails/') ||
+        path.includes('/notifications/') ||
+        path.includes('\\mail\\') ||
+        path.includes('\\emails\\') ||
+        path.includes('/svg/') ||
+        path.includes('/icons/') ||
+        path.endsWith('.svg.blade.php'));
+}
+function classifyExpression(expression, filePath) {
+    if (ESCAPE_FUNCTION_PATTERNS.some((re) => re.test(expression)))
+        return 'trusted';
+    if (TRUSTED_CONTEXT_PATTERNS.some((re) => re.test(expression)))
+        return 'trusted';
+    if (isTrustedFilePath(filePath))
+        return 'trusted';
+    if (USER_CONTROLLED_PATTERNS.some((re) => re.test(expression)))
+        return 'user-controlled';
+    return 'unknown';
+}
+export class XssSurfaceAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Identifies unescaped Blade output that could lead to Cross-Site Scripting (XSS)';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            if (!file.path.endsWith('.blade.php'))
+                continue;
+            const lines = file.content.split('\n');
+            lines.forEach((lineText, idx) => {
+                const lineNum = idx + 1;
+                const re = new RegExp(UNESCAPED_OUTPUT_PATTERN.source, 'g');
+                let match;
+                while ((match = re.exec(lineText)) !== null) {
+                    const expression = match[1];
+                    const classification = classifyExpression(expression, file.path);
+                    if (classification === 'trusted')
+                        continue;
+                    if (classification === 'user-controlled') {
+                        findings.push({
+                            id: FINDING_HIGH,
+                            severity: Severity.High,
+                            analyzer: ANALYZER_NAME,
+                            title: 'Unescaped user-controlled output in Blade template',
+                            description: `\`{!! ${expression} !!}\` outputs potentially user-controlled content without HTML escaping.`,
+                            file: file.path,
+                            line: lineNum,
+                            recommendation: 'Use `{{ $variable }}` for automatic escaping.',
+                            cwe: 'CWE-79',
+                            snippet: lineText.trim(),
+                        });
+                    }
+                    else {
+                        findings.push({
+                            id: FINDING_MED,
+                            severity: Severity.Medium,
+                            analyzer: ANALYZER_NAME,
+                            title: 'Unescaped output in Blade template — verify safety',
+                            description: `\`{!! ${expression} !!}\` outputs content without HTML escaping. Verify this cannot contain user HTML.`,
+                            file: file.path,
+                            line: lineNum,
+                            recommendation: 'If the value could contain user input, switch to `{{ $variable }}`.',
+                            cwe: 'CWE-79',
+                            snippet: lineText.trim(),
+                        });
+                    }
+                }
+            });
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=XssSurfaceAnalyzer.js.map

package/dist/analyzers/XssSurfaceAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"XssSurfaceAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/XssSurfaceAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAExD,MAAM,wBAAwB,GAAG;IAC/B,aAAa;IACb,YAAY;IACZ,UAAU;IACV,YAAY;IACZ,SAAS;IACT,YAAY;CACb,CAAC;AAEF,MAAM,wBAAwB,GAAG;IAC/B,qGAAqG;IACrG,+EAA+E;IAC/E,cAAc;IACd,eAAe;CAChB,CAAC;AAEF,MAAM,wBAAwB,GAAG;IAC/B,UAAU;IACV,uBAAuB;IACvB,YAAY;IACZ,YAAY;IACZ,iBAAiB;CAClB,CAAC;AAEF,MAAM,YAAY,GAAG,eAAe,CAAC;AACrC,MAAM,WAAW,GAAG,eAAe,CAAC;AACpC,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAE3C,SAAS,iBAAiB,CAAC,IAAY;IACrC,OAAO,CACL,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAChC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAChC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAkB,EAAE,QAAgB;IAC9D,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACjF,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACjF,IAAI,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IAClD,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACzF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,kBAAkB;IACpB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,iFAAiF,CAAC;IAEzG,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAAE,SAAS;YAEhD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;gBAC9B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC;gBACxB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,wBAAwB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;gBAC5D,IAAI,KAA6B,CAAC;gBAElC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC5C,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC5B,MAAM,cAAc,GAAG,kBAAkB,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjE,IAAI,cAAc,KAAK,SAAS;wBAAE,SAAS;oBAE3C,IAAI,cAAc,KAAK,iBAAiB,EAAE,CAAC;wBACzC,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,YAAY;4BAChB,QAAQ,EAAE,QAAQ,CAAC,IAAI;4BACvB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,oDAAoD;4BAC3D,WAAW,EACT,SAAS,UAAU,2EAA2E;4BAChG,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,OAAO;4BACb,cAAc,EAAE,+CAA+C;4BAC/D,GAAG,EAAE,QAAQ;4BACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;yBACzB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,WAAW;4BACf,QAAQ,EAAE,QAAQ,CAAC,MAAM;4BACzB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,oDAAoD;4BAC3D,WAAW,EACT,SAAS,UAAU,qFAAqF;4BAC1G,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,OAAO;4BACb,cAAc,EACZ,qEAAqE;4BACvE,GAAG,EAAE,QAAQ;4BACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE;yBACzB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/index.d.ts

@@ -0,0 +1,13 @@
+export { AuthorizationCoverageAnalyzer } from './AuthorizationCoverageAnalyzer.js';
+export { MassAssignmentAnalyzer } from './MassAssignmentAnalyzer.js';
+export { XssSurfaceAnalyzer } from './XssSurfaceAnalyzer.js';
+export { SqlInjectionAnalyzer } from './SqlInjectionAnalyzer.js';
+export { DependencyAuditAnalyzer } from './DependencyAuditAnalyzer.js';
+export { IdorAnalyzer } from './IdorAnalyzer.js';
+export { CredentialExposureAnalyzer } from './CredentialExposureAnalyzer.js';
+export { SessionSecurityAnalyzer } from './SessionSecurityAnalyzer.js';
+export { FileUploadAnalyzer } from './FileUploadAnalyzer.js';
+export { RateLimitAnalyzer } from './RateLimitAnalyzer.js';
+export { EncryptionAnalyzer } from './EncryptionAnalyzer.js';
+export { PrivilegeEscalationAnalyzer } from './PrivilegeEscalationAnalyzer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC"}

package/dist/analyzers/index.js

@@ -0,0 +1,13 @@
+export { AuthorizationCoverageAnalyzer } from './AuthorizationCoverageAnalyzer.js';
+export { MassAssignmentAnalyzer } from './MassAssignmentAnalyzer.js';
+export { XssSurfaceAnalyzer } from './XssSurfaceAnalyzer.js';
+export { SqlInjectionAnalyzer } from './SqlInjectionAnalyzer.js';
+export { DependencyAuditAnalyzer } from './DependencyAuditAnalyzer.js';
+export { IdorAnalyzer } from './IdorAnalyzer.js';
+export { CredentialExposureAnalyzer } from './CredentialExposureAnalyzer.js';
+export { SessionSecurityAnalyzer } from './SessionSecurityAnalyzer.js';
+export { FileUploadAnalyzer } from './FileUploadAnalyzer.js';
+export { RateLimitAnalyzer } from './RateLimitAnalyzer.js';
+export { EncryptionAnalyzer } from './EncryptionAnalyzer.js';
+export { PrivilegeEscalationAnalyzer } from './PrivilegeEscalationAnalyzer.js';
+//# sourceMappingURL=index.js.map

package/dist/analyzers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+export * from './types/index.js';
+export * from './analyzers/index.js';
+export { PhpParser, PHP_FILE_PATTERNS } from './parsers/PhpParser.js';
+export type { ParsedPhpFile, PhpClassInfo, PhpMethodInfo, PhpPropertyInfo } from './parsers/PhpParser.js';
+export { rules } from './rules/index.js';
+import { Analyzer, HavocConfig, ParsedFile, ScanResult, Severity } from './types/index.js';
+export type SecurityGrade = 'A' | 'B' | 'C' | 'D' | 'F';
+export declare function calculateSecurityGrade(findings: {
+    severity: Severity;
+}[]): SecurityGrade;
+export declare const DEFAULT_ANALYZERS: Analyzer[];
+export declare const DEFAULT_CONFIG: HavocConfig;
+export declare function scan(files: ParsedFile[], config?: HavocConfig, analyzers?: Analyzer[]): Promise<ScanResult>;
+export declare function scanProject(projectPath: string, config?: HavocConfig, analyzers?: Analyzer[]): Promise<ScanResult & {
+    grade: SecurityGrade;
+}>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AACtE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC1G,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAMzC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAiB3F,MAAM,MAAM,aAAa,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAuBxD,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,EAAE,GAAG,aAAa,CAMxF;AAID,eAAO,MAAM,iBAAiB,EAAE,QAAQ,EAavC,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,WAI5B,CAAC;AAoEF,wBAAsB,IAAI,CACxB,KAAK,EAAE,UAAU,EAAE,EACnB,MAAM,GAAE,WAA4B,EACpC,SAAS,GAAE,QAAQ,EAAsB,GACxC,OAAO,CAAC,UAAU,CAAC,CAqBrB;AAED,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,EACnB,MAAM,GAAE,WAA4B,EACpC,SAAS,GAAE,QAAQ,EAAsB,GACxC,OAAO,CAAC,UAAU,GAAG;IAAE,KAAK,EAAE,aAAa,CAAA;CAAE,CAAC,CAOhD"}