@havoc-security/scanner 0.1.0

package/src/analyzers/InsecureDeserializationAnalyzer.ts

@@ -0,0 +1,212 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile, Severity } from '../types/index.js';
+
+// ─── Constants ────────────────────────────────────────────────────────────────
+
+const ANALYZER_NAME = 'InsecureDeserializationAnalyzer';
+
+const USER_INPUT_SOURCES = [
+  /\$_GET\s*\[/,
+  /\$_POST\s*\[/,
+  /\$_COOKIE\s*\[/,
+  /\$_REQUEST\s*\[/,
+  /\$request\s*->\s*input\s*\(/i,
+  /\$request\s*->\s*get\s*\(/i,
+  /\$request\s*->\s*post\s*\(/i,
+  /\$request\s*->\s*cookie\s*\(/i,
+  /\$request\s*->\s*query\s*\(/i,
+  /\$request\s*->\s*all\s*\(/i,
+  /Input\s*::\s*get\s*\(/i,
+  /Input\s*::\s*all\s*\(/i,
+];
+
+const PREG_REPLACE_E_PATTERN =
+  /preg_replace\s*\(\s*['"][^'"]*\/e[^'"]*['"]/i;
+
+const ASSERT_STRING_PATTERN =
+  /\bassert\s*\(\s*(?:'[^']*'|"[^"]*"|\$[a-zA-Z_]\w*\s*\.)/;
+
+// ─── Finding IDs ──────────────────────────────────────────────────────────────
+
+const FINDING_UNSERIALIZE_USER_INPUT = 'HAVOC-DESER-001';
+const FINDING_EVAL = 'HAVOC-DESER-002';
+const FINDING_CREATE_FUNCTION = 'HAVOC-DESER-003';
+const FINDING_UNSERIALIZE_NO_ALLOWED_CLASSES = 'HAVOC-DESER-004';
+const FINDING_PREG_REPLACE_E = 'HAVOC-DESER-005';
+const FINDING_ASSERT_STRING = 'HAVOC-DESER-006';
+const FINDING_EXTRACT_USER_INPUT = 'HAVOC-DESER-007';
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function hasUserInput(line: string): boolean {
+  return USER_INPUT_SOURCES.some((re) => re.test(line));
+}
+
+function hasAllowedClasses(line: string): boolean {
+  return /unserialize\s*\([^)]*allowed_classes/i.test(line);
+}
+
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+
+export class InsecureDeserializationAnalyzer implements Analyzer {
+  readonly name = ANALYZER_NAME;
+  readonly description =
+    'Detects unsafe deserialization and code-execution sinks: unserialize(), eval(), create_function(), preg_replace /e, assert() with string, and extract() on user input';
+
+  async analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    for (const file of files) {
+      if (!file.path.endsWith('.php') || file.path.endsWith('.blade.php')) continue;
+
+      const lines = file.content.split('\n');
+
+      lines.forEach((lineText, idx) => {
+        const lineNum = idx + 1;
+        const trimmed = lineText.trim();
+
+        // ── unserialize() ──────────────────────────────────────────────────
+        if (/\bunserialize\s*\(/i.test(lineText)) {
+          if (hasUserInput(lineText)) {
+            findings.push({
+              id: FINDING_UNSERIALIZE_USER_INPUT,
+              severity: Severity.Critical,
+              analyzer: ANALYZER_NAME,
+              title: 'unserialize() called with user-controlled input',
+              description:
+                '`unserialize()` is called with data that appears to originate from user input. ' +
+                'Deserializing untrusted data can lead to remote code execution via PHP object injection.',
+              file: file.path,
+              line: lineNum,
+              recommendation:
+                'Never deserialize user-supplied data. Use a safe data format such as JSON ' +
+                '(`json_decode()`). If you must use `unserialize()`, pass ' +
+                '`["allowed_classes" => false]` as the second argument and validate input first.',
+              cwe: 'CWE-502',
+              snippet: trimmed,
+            });
+          } else if (!hasAllowedClasses(lineText)) {
+            findings.push({
+              id: FINDING_UNSERIALIZE_NO_ALLOWED_CLASSES,
+              severity: Severity.Medium,
+              analyzer: ANALYZER_NAME,
+              title: 'unserialize() called without allowed_classes restriction',
+              description:
+                '`unserialize()` is called without the `allowed_classes` option (PHP 7+). ' +
+                'Without this restriction, any class available in the codebase can be instantiated ' +
+                'during deserialization.',
+              file: file.path,
+              line: lineNum,
+              recommendation:
+                'Pass `["allowed_classes" => false]` (or a specific allowlist) as the second argument: ' +
+                '`unserialize($data, ["allowed_classes" => false])`.',
+              cwe: 'CWE-502',
+              snippet: trimmed,
+            });
+          }
+        }
+
+        // ── eval() ────────────────────────────────────────────────────────
+        if (/\beval\s*\(/i.test(lineText)) {
+          findings.push({
+            id: FINDING_EVAL,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'eval() usage detected',
+            description:
+              '`eval()` executes arbitrary PHP code. If any portion of the evaluated string ' +
+              'originates from user input, this is a critical remote code execution vulnerability.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Remove `eval()`. Redesign the feature to avoid dynamic code execution. ' +
+              'If templating is needed, use a sandboxed template engine.',
+            cwe: 'CWE-95',
+            snippet: trimmed,
+          });
+        }
+
+        // ── create_function() ─────────────────────────────────────────────
+        if (/\bcreate_function\s*\(/i.test(lineText)) {
+          findings.push({
+            id: FINDING_CREATE_FUNCTION,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'create_function() usage detected',
+            description:
+              '`create_function()` is deprecated (PHP 7.2) and removed (PHP 8.0). ' +
+              'It internally uses `eval()` and is equivalent to a code injection sink.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Replace `create_function()` with an anonymous function (closure): ' +
+              '`function($args) { /* body */ }`.',
+            cwe: 'CWE-95',
+            snippet: trimmed,
+          });
+        }
+
+        // ── preg_replace() with /e modifier ──────────────────────────────
+        if (PREG_REPLACE_E_PATTERN.test(lineText)) {
+          findings.push({
+            id: FINDING_PREG_REPLACE_E,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'preg_replace() with /e modifier detected',
+            description:
+              '`preg_replace()` with the `/e` (eval) modifier evaluates the replacement string ' +
+              'as PHP code. This modifier was deprecated in PHP 5.5 and removed in PHP 7.0.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Replace with `preg_replace_callback()` which accepts a proper closure.',
+            cwe: 'CWE-95',
+            snippet: trimmed,
+          });
+        }
+
+        // ── assert() with string argument ────────────────────────────────
+        if (ASSERT_STRING_PATTERN.test(lineText)) {
+          findings.push({
+            id: FINDING_ASSERT_STRING,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'assert() called with a string argument',
+            description:
+              '`assert()` evaluates string arguments as PHP code (similar to `eval()`). ' +
+              'Passing user-controlled strings to `assert()` is a code injection vulnerability.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Pass a boolean expression directly to `assert()` instead of a string: ' +
+              '`assert($value > 0)`. Never pass user-controlled strings.',
+            cwe: 'CWE-95',
+            snippet: trimmed,
+          });
+        }
+
+        // ── extract() on user input ───────────────────────────────────────
+        if (/\bextract\s*\(/i.test(lineText) && hasUserInput(lineText)) {
+          findings.push({
+            id: FINDING_EXTRACT_USER_INPUT,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'extract() called with user-controlled input',
+            description:
+              '`extract()` imports array keys as variable names. Calling it with user-supplied ' +
+              'data allows an attacker to overwrite arbitrary variables in the current scope, ' +
+              'potentially leading to authentication bypass or code execution.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Never call `extract()` on user-supplied data. Access individual keys explicitly: ' +
+              '`$value = $data["key"] ?? null`.',
+            cwe: 'CWE-621',
+            snippet: trimmed,
+          });
+        }
+      });
+    }
+
+    return findings;
+  }
+}

package/src/analyzers/MassAssignmentAnalyzer.ts

@@ -0,0 +1,105 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile, Severity } from '../types/index.js';
+import type { ParsedPhpFile } from '../parsers/PhpParser.js';
+
+const SENSITIVE_FILLABLE_FIELDS = new Set([
+  'password', 'password_hash', 'password_confirmation', 'role', 'roles',
+  'is_admin', 'admin', 'is_superuser', 'email_verified_at', 'remember_token',
+  'api_token', 'api_key', 'stripe_id', 'two_factor_secret', 'two_factor_recovery_codes',
+]);
+
+const FINDING_NO_GUARD = 'HAVOC-MA-001';
+const FINDING_OPEN_GUARD = 'HAVOC-MA-002';
+const FINDING_SENSITIVE = 'HAVOC-MA-003';
+const ANALYZER_NAME = 'MassAssignmentAnalyzer';
+
+function isModelFile(path: string): boolean {
+  return path.includes('app/Models') || path.includes('app\\Models');
+}
+
+export class MassAssignmentAnalyzer implements Analyzer {
+  readonly name = ANALYZER_NAME;
+  readonly description = 'Detects Eloquent models vulnerable to mass assignment attacks';
+
+  async analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    for (const file of files) {
+      if (!isModelFile(file.path)) continue;
+
+      const phpFile = file as ParsedPhpFile;
+      if (!phpFile.classes) continue;
+
+      for (const cls of phpFile.classes) {
+        if (cls.isAbstract || cls.isTrait) continue;
+
+        const fillableProp = cls.properties.find((p) => p.name === 'fillable');
+        const guardedProp = cls.properties.find((p) => p.name === 'guarded');
+        const hasFillable = fillableProp !== undefined;
+        const hasGuarded = guardedProp !== undefined;
+
+        if (!hasFillable && !hasGuarded) {
+          findings.push({
+            id: FINDING_NO_GUARD,
+            severity: Severity.Medium,
+            analyzer: ANALYZER_NAME,
+            title: `Model \`${cls.name}\` has no mass assignment protection`,
+            description:
+              `The Eloquent model \`${cls.name}\` defines neither \`$fillable\` nor \`$guarded\`. ` +
+              `Without these, all attributes may be mass-assignable.`,
+            file: file.path,
+            line: cls.line,
+            recommendation:
+              'Define `$fillable` with an explicit list of safe attributes, or define `$guarded = [\'id\']`.',
+            cwe: 'CWE-915',
+          });
+          continue;
+        }
+
+        if (hasGuarded) {
+          const initText = guardedProp?.initializer ?? '';
+          const isOpenGuard = initText.trim() === '[]';
+          if (isOpenGuard) {
+            findings.push({
+              id: FINDING_OPEN_GUARD,
+              severity: Severity.High,
+              analyzer: ANALYZER_NAME,
+              title: `Model \`${cls.name}\` uses \`$guarded = []\` (effectively unguarded)`,
+              description:
+                `\`${cls.name}\` sets \`$guarded = []\`, which disables all mass assignment protection.`,
+              file: file.path,
+              line: guardedProp?.line ?? cls.line,
+              recommendation: 'Switch to `$fillable` with an explicit allowlist.',
+              cwe: 'CWE-915',
+              snippet: 'protected $guarded = [];',
+            });
+          }
+        }
+
+        if (hasFillable) {
+          const initText = fillableProp?.initializer ?? '';
+          for (const sensitive of SENSITIVE_FILLABLE_FIELDS) {
+            if (initText.includes('"' + sensitive + '"') || initText.includes("'" + sensitive + "'")) {
+              findings.push({
+                id: FINDING_SENSITIVE,
+                severity: Severity.Medium,
+                analyzer: ANALYZER_NAME,
+                title: `Sensitive field \`${sensitive}\` is mass-assignable in \`${cls.name}\``,
+                description:
+                  `The field \`${sensitive}\` is listed in \`$fillable\` on model \`${cls.name}\`. ` +
+                  `Allowing mass assignment of this field could allow privilege escalation.`,
+                file: file.path,
+                line: fillableProp?.line ?? cls.line,
+                recommendation:
+                  `Remove \`${sensitive}\` from \`$fillable\` and set it via dedicated methods.`,
+                cwe: 'CWE-915',
+                snippet: "protected $fillable = [..., '" + sensitive + "', ...];",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return findings;
+  }
+}

package/src/analyzers/OpenRedirectAnalyzer.ts

@@ -0,0 +1,149 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile, Severity } from '../types/index.js';
+
+// ─── Constants ────────────────────────────────────────────────────────────────
+
+const ANALYZER_NAME = 'OpenRedirectAnalyzer';
+
+const FINDING_DIRECT = 'HAVOC-REDIRECT-001';
+const FINDING_INDIRECT = 'HAVOC-REDIRECT-002';
+
+/**
+ * Common open-redirect parameter names that attackers target.
+ */
+const REDIRECT_PARAM_NAMES = [
+  'url', 'redirect', 'next', 'return', 'return_to',
+  'callback', 'goto', 'dest', 'destination', 'forward',
+  'target', 'redir', 'redirect_url', 'redirect_uri',
+];
+
+/**
+ * Patterns that indicate the destination is user-controlled (inline in the call).
+ */
+const DIRECT_USER_INPUT_PATTERNS = [
+  // redirect($request->input('url'))
+  /\bredirect\s*\(\s*\$request\s*->\s*(?:input|get|query|post|cookie)\s*\(/i,
+  // Redirect::to($request->input('url'))
+  /Redirect\s*::\s*to\s*\(\s*\$request\s*->\s*(?:input|get|query|post|cookie)\s*\(/i,
+  // redirect($_GET['url'])
+  /\bredirect\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[/i,
+  // Redirect::to($_GET['url'])
+  /Redirect\s*::\s*to\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[/i,
+  // header('Location: ' . $userVar) — where the var comes right after concat
+  /header\s*\(\s*['"]Location:\s*['"]\s*\.\s*\$(?:_GET|_POST|_REQUEST|_COOKIE)\s*\[/i,
+];
+
+/**
+ * Patterns that look like redirect to a variable (indirect).
+ */
+const INDIRECT_REDIRECT_PATTERNS = [
+  // redirect($url) / redirect($destination) etc.
+  new RegExp(
+    `\\bredirect\\s*\\(\\s*\\$(?:${REDIRECT_PARAM_NAMES.join('|')})\\b`,
+    'i',
+  ),
+  // Redirect::to($url)
+  new RegExp(
+    `Redirect\\s*::\\s*to\\s*\\(\\s*\\$(?:${REDIRECT_PARAM_NAMES.join('|')})\\b`,
+    'i',
+  ),
+  // header('Location: ' . $url)
+  new RegExp(
+    `header\\s*\\(\\s*['"]Location[^'"]*['"]\\s*\\.\\s*\\$(?:${REDIRECT_PARAM_NAMES.join('|')})\\b`,
+    'i',
+  ),
+];
+
+/**
+ * Safe redirect helpers — skip these to avoid false positives.
+ */
+const SAFE_PATTERNS = [
+  /\bredirect\s*\(\s*\)\s*->\s*intended\s*\(/i,
+  /\bback\s*\(\s*\)/i,
+  /Redirect\s*::\s*intended\s*\(/i,
+  /Redirect\s*::\s*back\s*\(/i,
+  // redirect(route(...)) or redirect(url(...)) — trusted helpers
+  /\bredirect\s*\(\s*(?:route|url|action|asset)\s*\(/i,
+  /Redirect\s*::\s*to\s*\(\s*(?:route|url|action|asset)\s*\(/i,
+  // redirect('/explicit-path') — single-quoted string is always safe
+  // redirect("/path") — double-quoted without $ interpolation is safe
+  /\bredirect\s*\(\s*'/i,
+  /Redirect\s*::\s*to\s*\(\s*'/i,
+  /\bredirect\s*\(\s*"[^"$]*"\s*\)/i,
+  /Redirect\s*::\s*to\s*\(\s*"[^"$]*"\s*\)/i,
+];
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function isSafe(line: string): boolean {
+  return SAFE_PATTERNS.some((re) => re.test(line));
+}
+
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+
+export class OpenRedirectAnalyzer implements Analyzer {
+  readonly name = ANALYZER_NAME;
+  readonly description =
+    'Detects open redirect vulnerabilities where user-controlled input is used as a redirect destination without validation';
+
+  async analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    for (const file of files) {
+      if (!file.path.endsWith('.php') || file.path.endsWith('.blade.php')) continue;
+
+      const lines = file.content.split('\n');
+
+      lines.forEach((lineText, idx) => {
+        const lineNum = idx + 1;
+        const trimmed = lineText.trim();
+
+        // Skip safe patterns first
+        if (isSafe(lineText)) return;
+
+        // ── Direct user input in redirect ────────────────────────────────
+        if (DIRECT_USER_INPUT_PATTERNS.some((re) => re.test(lineText))) {
+          findings.push({
+            id: FINDING_DIRECT,
+            severity: Severity.High,
+            analyzer: ANALYZER_NAME,
+            title: 'Open redirect: user-controlled redirect destination',
+            description:
+              'A redirect is performed using a value that appears to come directly from user input. ' +
+              'An attacker can craft a URL that redirects victims to a malicious site (phishing, credential harvesting).',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Validate redirect destinations against an allowlist of trusted URLs or paths. ' +
+              'Use `redirect()->intended(\'/\')` for post-login redirects. ' +
+              'Never trust `url`, `redirect`, `next`, or similar parameters without validation.',
+            cwe: 'CWE-601',
+            snippet: trimmed,
+          });
+          return;
+        }
+
+        // ── Indirect redirect via named variable ──────────────────────────
+        if (INDIRECT_REDIRECT_PATTERNS.some((re) => re.test(lineText))) {
+          findings.push({
+            id: FINDING_INDIRECT,
+            severity: Severity.Medium,
+            analyzer: ANALYZER_NAME,
+            title: 'Open redirect: redirect destination via variable — verify validation',
+            description:
+              'A redirect is performed using a variable with a common redirect-parameter name. ' +
+              'If this variable is populated from user input without validation, it is an open redirect vulnerability.',
+            file: file.path,
+            line: lineNum,
+            recommendation:
+              'Ensure the redirect destination is validated against an allowlist of trusted domains/paths ' +
+              'before use. Consider using `redirect()->intended(\'/dashboard\')` instead.',
+            cwe: 'CWE-601',
+            snippet: trimmed,
+          });
+        }
+      });
+    }
+
+    return findings;
+  }
+}