@hookwarden/engine 0.1.0 → 0.1.1
- package/dist/model/build.d.ts.map +1 -1
- package/dist/model/build.js +33 -1
- package/dist/model/build.js.map +1 -1
- package/package.json +9 -6
@@ -1 +1 @@
1
-
{"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAOjD,OAAO,KAAK,EAGV,UAAU,EACV,YAAY,EACb,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,KAAK,gBAAgB,EAAyB,MAAM,cAAc,CAAC;AAK5E,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,QAAQ,CAAC,eAAe,CAAC,EAAE,aAAa,CACtC,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,UAAU,CAAC,KAAK,aAAa,CAAC,gBAAgB,CAAC,CAC3F,CAAC;CACH;AAED,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,sBAAsB,GAAG,OAAO,CAAC,YAAY,CAAC,CAmC5F"}
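--- a/package/dist/model/build.js
+++ b/package/dist/model/build.js
@@ -6,6 +6,7 @@
 // - Plan 07's bespoke adapters (Next.js / Django / FastAPI) via the bespokeAdapters hook
 // - This plan's computeReachableSymbols (D-34 cross-file traversal) + extractMiddlewareChain (D-36)
 // - The sdk_verify_call evidence overlay — completes D-32's 7th signal.
+// - The raw-body middleware evidence overlay — prevents FP on express.raw / bodyParser.raw chains.
 import { computeHandlerId } from "../findings/fingerprint.js";
 import { extractBabelLiterals } from "../parsers/literals.js";
 import { extractPythonLiterals } from "../parsers/python-literals.js";
@@ -77,7 +78,15 @@ async function assembleHandler(cand, file, input) {
 });
 // sdk_verify_call evidence overlay (issue #7 fix) — completes D-32's 7th signal.
 const sdkVerifyEvidence = collectSdkVerifyCallEvidence(cand, reachableSymbols, input.ruleSet);
-
+// raw-body middleware evidence overlay — prevents stripe/raw-body-misuse FP when express.raw
+// (or bodyParser.raw) is registered as an inline route middleware argument. The handler text
+// search in evidence.ts only sees the arrow function body, not outer route arguments.
+const rawBodyMwEvidence = collectRawBodyMiddlewareEvidence(cand, middlewareChain);
+const evidence = [
+...baseEvidence.evidence,
+...sdkVerifyEvidence,
+...rawBodyMwEvidence,
+];
 // Recompute provider attribution since sdk_verify_call evidence may shift the count.
 const provider = recomputeProvider(evidence, baseEvidence.provider);
 const redactedSnippet = renderHandlerSnippet(file, cand);
@@ -116,6 +125,29 @@ function collectSdkVerifyCallEvidence(cand, reachableSymbols, ruleSet) {
 }
 return out;
 }
+// Raw-body middleware names that guarantee the body arrives as a Buffer/bytes to the handler.
+// Covers both `express.raw(...)` (qualified member call) and `raw(...)` (named import from express
+// or body-parser). import_source guard prevents false-negatives from unrelated `raw` middleware.
+const RAW_BODY_MIDDLEWARE_NAMES = new Set([
+"express.raw",
+"raw", // named import: import { raw } from 'express' or import { raw } from 'body-parser'
+]);
+const RAW_BODY_IMPORT_SOURCES = new Set(["express", "body-parser"]);
+function collectRawBodyMiddlewareEvidence(cand, middlewareChain) {
+const hasRawMiddleware = middlewareChain.some((m) => RAW_BODY_MIDDLEWARE_NAMES.has(m.name) &&
+m.import_source !== null &&
+RAW_BODY_IMPORT_SOURCES.has(m.import_source));
+if (!hasRawMiddleware)
+return [];
+return [
+{
+kind: "body_as_bytes_or_buffer",
+provider: "unknown",
+location: cand.location,
+detail: "raw-body middleware in chain",
+},
+];
+}
 function recomputeProvider(evidence, fallback) {
 const counts = new Map();
 for (const e of evidence) {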
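Review bot: The name set consulted by collectRawBodyMiddlewareEvidence (new lines 131-134) only matches `express.raw` and bare `raw`, so the `bodyParser.raw` form that both the header comment (new line 9) and the overlay comment in assembleHandler (new lines 81-82) say is covered would produce no evidence, assuming `name` for a member call is formatted as `<object>.<member>` the way the `express.raw` entry implies (extractMiddlewareChain is outside this hunk, so that is inferred); a default import under any other alias would miss the same way. Since `import_source` is already the check that bounds the match, comparing the member name is broader and still safe: `const member = m.name.slice(m.name.lastIndexOf(".") + 1);` followed by `return member === "raw" && m.import_source !== null && RAW_BODY_IMPORT_SOURCES.has(m.import_source);` inside the `some` callback. A one-line comment on the function saying that this evidence suppresses the raw-body-misuse finding, so a match that is too wide becomes a missed finding rather than a spurious one, would make the import_source guard's purpose clearer than the current "prevents false-negatives" wording, which reads backwards at first glance. The context comment at new line 90 also still names only the sdk_verify_call overlay although the raw-body evidence now feeds recomputeProvider too.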
package/dist/model/build.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,uFAAuF;AACvF,EAAE;AACF,kBAAkB;AAClB,+EAA+E;AAC/E,2FAA2F;AAC3F,sGAAsG;AACtG,0EAA0E;
1
+
{"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,uFAAuF;AACvF,EAAE;AACF,kBAAkB;AAClB,+EAA+E;AAC/E,2FAA2F;AAC3F,sGAAsG;AACtG,0EAA0E;AAC1E,qGAAqG;AAErG,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAe3D,OAAO,EAAyB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAY5D,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAA6B;IACnE,uFAAuF;IACvF,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO;YAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC;IAED,4FAA4F;IAC5F,MAAM,UAAU,GAA0E,EAAE,CAAC;IAC7F,MAAM,QAAQ,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;IAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI;YAAE,SAAS;QACxC,KAAK,MAAM,IAAI,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,WAAW,CAAC;gBAAE,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,+FAA+F;IAC/F,0CAA0C;IAC1C,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU,EAAE,CAAC;QACxC,QAAQ,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,8FAA8F;IAC9F,8EAA8E;IAC9E,MAAM,uBAAuB,GAA0C,EAAE,CAAC;IAE1E,OAAO;QACL,YAAY,EAAE,KAAK,CAAC,WAAW;QAC/B,QAAQ;QACR,wBAAwB,EAAE,uBAAuB;QACjD,YAAY,EAAE,WAAW;KAC1B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAsB,EACtB,IAAgB,EAChB,KAA6B;IAE7B,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;KAClD,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,eAAe,CAAC;QACnC,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,IAAI;QAChB,eA
Ae,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS;QACxC,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;QAC/C,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,YAAY,EAAE,IAAI;QAClB,SAAS,EAAE,KAAK,CAAC,WAAW;QAC5B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,sBAAsB;KAC9C,CAAC,CAAC;IACH,MAAM,eAAe,GAAsC,sBAAsB,CAAC;QAChF,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,iFAAiF;IACjF,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,IAAI,EAAE,gBAAgB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9F,6FAA6F;IAC7F,6FAA6F;IAC7F,sFAAsF;IACtF,MAAM,iBAAiB,GAAG,gCAAgC,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAClF,MAAM,QAAQ,GAAmC;QAC/C,GAAG,YAAY,CAAC,QAAQ;QACxB,GAAG,iBAAiB;QACpB,GAAG,iBAAiB;KACrB,CAAC;IACF,qFAAqF;IACrF,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpE,MAAM,eAAe,GAAG,oBAAoB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO;QACL,EAAE;QACF,SAAS,EAAE,IAAI,CAAC,SAAsB;QACtC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;QACjD,QAAQ;QACR,kBAAkB,EAAE,eAAe,EAAE,kDAAkD;QACvF,QAAQ;QACR,gBAAgB,EAAE,eAAe;QACjC,iBAAiB,EAAE,gBAAgB;QACnC,YAAY,EAAE,EAAE,EAAE,sCAAsC;QACxD,gBAAgB,EAAE,eAAe;KAClC,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CACnC,IAAsB,EACtB,gBAGE,EACF,OAAgB;IAEhB,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACtE,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,UAAU,IAAI,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,UAAU,EAAE,CAAC,CACtF,CAAC;YACF,IAAI,OAAO,EAAE,CAAC;gBACZ,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8FAA8F;AAC9F,mGAAmG;AACnG,iGAAiG;AACjG,MAAM,yBAAyB,GAAwB,IAAI,GAAG,CAAC;IAC7D,aAAa;IACb,KAAK,EAAE,qFAAqF;CAC7F,
CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAwB,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;AAEzF,SAAS,gCAAgC,CACvC,IAAsB,EACtB,eAAkD;IAElD,MAAM,gBAAgB,GAAG,eAAe,CAAC,IAAI,CAC3C,CAAC,CAAC,EAAE,EAAE,CACJ,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QACrC,CAAC,CAAC,aAAa,KAAK,IAAI;QACxB,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAC/C,CAAC;IACF,IAAI,CAAC,gBAAgB;QAAE,OAAO,EAAE,CAAC;IACjC,OAAO;QACL;YACE,IAAI,EAAE,yBAAyB;YAC/B,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,8BAA8B;SACvC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAwC,EAAE,QAAgB;IACnF,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS;YAAE,SAAS;QACvC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC;YACjB,WAAW,GAAG,CAAC,CAAC;YAChB,QAAQ,GAAG,CAAC,CAAC;YACb,IAAI,GAAG,KAAK,CAAC;QACf,CAAC;aAAM,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,IAAI,GAAG,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,IAAI,WAAW,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IAC/C,OAAO,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;AACzC,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAgB,EAAE,IAAsB;IACpE,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,CAAC;IACzC,MAAM,WAAW,GACf,IAAI,CAAC,OAAO,KAAK,OAAO;QACtB,CAAC,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAqD,CAAC;QAClF,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAsD,CAAC,CAAC;IACzF,MAAM,aAAa,GAAG,WAAW;SAC9B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,oBAAoB,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,kBAAkB,CAAC;SACvF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,GAAG,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;IACxE,OAAO,aAAa,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,
EAAE,aAAa,EAAE,CAAC,CAAC;AACxE,CAAC"}
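--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@hookwarden/engine",
-"version": "0.1.
+"version": "0.1.1",
 "description": "hookwarden audit engine — browser-safe, pure-functional. Performs zero I/O.",
 "license": "Apache-2.0",
 "type": "module",
@@ -18,23 +18,26 @@
 "LICENSE"
 ],
 "publishConfig": {
-"access": "public"
-
+"access": "public"
+},
+"repository": {
+"type": "git",
+"url": "https://github.com/Hookwarden/hookwarden.git",
+"directory": "packages/engine"
 },
-"repository": "github:hookwarden/hookwarden",
 "engines": {
 "node": ">=22.0.0"
 },
 "dependencies": {
 "@babel/parser": "^7.29.3",
 "picomatch": "^4.0.4",
-"tree-sitter-python": "^0.25.0",
 "web-tree-sitter": "^0.26.8"
 },
 "devDependencies": {
 "@babel/types": "^7.29.0",
 "@types/picomatch": "^4.0.3",
-"fast-check": "^3.23.0"
+"fast-check": "^3.23.0",
+"tree-sitter-python": "^0.25.0"
 },
 "scripts": {
 "test": "vitest run"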
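Review bot: `tree-sitter-python` moves from `dependencies` to `devDependencies` (old line 31, new line 40) with nothing in the commit saying how the Python grammar reaches the engine at runtime; build.js still imports `extractPythonLiterals` from `../parsers/python-literals.js`, so if that path loads the grammar itself, consumers installing 0.1.1 lose a transitive package that 0.1.0 pulled in for them. If the grammar is instead supplied by the caller, which would fit the "zero I/O" description on line 4, declare it as a peer or optional dependency, or state that contract in the package README, so the drop is visibly deliberate rather than a silent break. The version bump and the repository-metadata rewrite in the same section are routine.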