@kevinrabun/judges 2.0.0 → 2.2.0
- package/README.md +133 -2
- package/dist/evaluators/authentication.d.ts.map +1 -1
- package/dist/evaluators/authentication.js +114 -4
- package/dist/evaluators/authentication.js.map +1 -1
- package/dist/evaluators/compliance.d.ts.map +1 -1
- package/dist/evaluators/compliance.js +21 -3
- package/dist/evaluators/compliance.js.map +1 -1
- package/dist/evaluators/configuration-management.d.ts.map +1 -1
- package/dist/evaluators/configuration-management.js +23 -1
- package/dist/evaluators/configuration-management.js.map +1 -1
- package/dist/evaluators/cybersecurity.d.ts.map +1 -1
- package/dist/evaluators/cybersecurity.js +27 -5
- package/dist/evaluators/cybersecurity.js.map +1 -1
- package/dist/evaluators/data-security.d.ts.map +1 -1
- package/dist/evaluators/data-security.js +114 -2
- package/dist/evaluators/data-security.js.map +1 -1
- package/dist/evaluators/database.js +1 -1
- package/dist/evaluators/database.js.map +1 -1
- package/dist/evaluators/ethics-bias.d.ts.map +1 -1
- package/dist/evaluators/ethics-bias.js +13 -1
- package/dist/evaluators/ethics-bias.js.map +1 -1
- package/dist/evaluators/index.d.ts +10 -4
- package/dist/evaluators/index.d.ts.map +1 -1
- package/dist/evaluators/index.js +111 -17
- package/dist/evaluators/index.js.map +1 -1
- package/dist/evaluators/observability.d.ts.map +1 -1
- package/dist/evaluators/observability.js +2 -1
- package/dist/evaluators/observability.js.map +1 -1
- package/dist/evaluators/performance.js +1 -1
- package/dist/evaluators/performance.js.map +1 -1
- package/dist/evaluators/shared.d.ts.map +1 -1
- package/dist/evaluators/shared.js +30 -3
- package/dist/evaluators/shared.js.map +1 -1
- package/dist/evaluators/v2.d.ts +4 -0
- package/dist/evaluators/v2.d.ts.map +1 -1
- package/dist/evaluators/v2.js +8 -2
- package/dist/evaluators/v2.js.map +1 -1
- package/dist/index.js +104 -11
- package/dist/index.js.map +1 -1
- package/dist/language-patterns.js +2 -2
- package/dist/reports/public-repo-report.d.ts +10 -0
- package/dist/reports/public-repo-report.d.ts.map +1 -1
- package/dist/reports/public-repo-report.js +201 -16
- package/dist/reports/public-repo-report.js.map +1 -1
- package/dist/types.d.ts +2 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +3 -1
- package/server.json +2 -2
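--- a/package/README.md
+++ b/package/README.md
@@ -159,6 +159,78 @@ npm install -g @kevinrabun/judges
 
 Then use `judges` as the command in your MCP config (no `args` needed).
 
+### 5. Use Judges in GitHub Copilot PR Reviews
+
+Yes — users can include Judges as part of GitHub-based review workflows, with one important caveat:
+
+- The hosted `copilot-pull-request-reviewer` on GitHub does not currently let you directly attach arbitrary local MCP servers the same way VS Code does.
+- The practical pattern is to run Judges in CI on each PR, publish a report/check, and have Copilot + human reviewers use that output during review.
+
+#### Option A (recommended): PR workflow check + report artifact
+
+Create `.github/workflows/judges-pr-review.yml`:
+
+```yaml
+name: Judges PR Review
+
+on:
+pull_request:
+types: [opened, synchronize, reopened]
+
+jobs:
+judges:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: write
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Setup Node
+uses: actions/setup-node@v4
+with:
+node-version: 20
+cache: npm
+
+- name: Install
+run: npm ci
+
+- name: Generate Judges report
+run: |
+npx tsx -e "import { generateRepoReportFromLocalPath } from './src/reports/public-repo-report.ts';
+const result = generateRepoReportFromLocalPath({
+repoPath: process.cwd(),
+outputPath: 'judges-pr-report.md',
+maxFiles: 600,
+maxFindingsInReport: 150,
+});
+console.log('Overall:', result.overallVerdict, result.averageScore);"
+
+- name: Upload report artifact
+uses: actions/upload-artifact@v4
+with:
+name: judges-pr-report
+path: judges-pr-report.md
+```
+
+This gives every PR a reproducible Judges output your team (and Copilot) can reference.
+
+#### Option B: Add Copilot custom instructions in-repo
+
+Add `.github/instructions/judges.instructions.md` with guidance such as:
+
+```markdown
+When reviewing pull requests:
+1. Read the latest Judges report artifact/check output first.
+2. Prioritize CRITICAL and HIGH findings in remediation guidance.
+3. If findings conflict, defer to security/compliance-related Judges.
+4. Include rule IDs (e.g., DATA-001, CYBER-004) in suggested fixes.
+```
+
+This helps keep Copilot feedback aligned with Judges findings.
+
 ---
 
 ## The Judge Panel
@@ -303,6 +375,8 @@ Supports:
 | `language` | string | conditional | Programming language for single-file mode |
 | `files` | array | conditional | `{ path, content, language }[]` for project mode |
 | `context` | string | no | High-level review context |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 | `policyProfile` | enum | no | `default`, `startup`, `regulated`, `healthcare`, `fintech`, `public-sector` |
 | `evaluationContext` | object | no | Structured architecture/constraint context |
 | `evidence` | object | no | Runtime/operational evidence for confidence calibration |
@@ -328,10 +402,17 @@ Supports:
 | `context` | string | no | Optional business/technical context |
 | `maxFindings` | number | no | Max translated top findings (default: 10) |
 | `maxTasks` | number | no | Max generated tasks (default: 20) |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 
 ### `evaluate_public_repo_report`
 Clone a **public repository URL**, run the full judges panel across eligible source files, and generate a consolidated markdown report.
 
+Report prioritization behavior includes:
+- weighted risk ranking (`severity × confidence × fixability`)
+- root-cause clustering to collapse duplicate findings across files
+- actionable top-risk output with confidence and suggested-fix snippets when available
+
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
 | `repoUrl` | string | yes | Public repository URL (`https://...`) |
@@ -340,6 +421,10 @@ Clone a **public repository URL**, run the full judges panel across eligible sou
 | `maxFiles` | number | no | Max files analyzed (default: 600) |
 | `maxFileBytes` | number | no | Max file size in bytes (default: 300000) |
 | `maxFindingsInReport` | number | no | Max detailed findings in output (default: 150) |
+| `credentialMode` | string | no | Credential detection mode: `standard` (default) or `strict` |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
+| `quickStart` | flag | no | Opinionated high-signal defaults for onboarding (`minConfidence=0.9`, `credentialMode=strict`, path exclusions) |
 | `keepClone` | boolean | no | Keep cloned repo on disk for inspection |
 
 **Quick examples**
@@ -348,6 +433,18 @@ Generate a report from CLI:
 
 ```bash
 npm run report:public-repo -- --repoUrl https://github.com/microsoft/vscode --output reports/vscode-judges-report.md
+
+# stricter credential-signal mode (optional)
+npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --credentialMode strict --output reports/openclaw-judges-report-strict.md
+
+# judge findings only (exclude AST/code-structure findings)
+npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --includeAstFindings false --output reports/openclaw-judges-report-no-ast.md
+
+# show only findings at 80%+ confidence
+npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --minConfidence 0.8 --output reports/openclaw-judges-report-high-confidence.md
+
+# opinionated quick-start mode (recommended first run)
+npm run report:quickstart -- --repoUrl https://github.com/openclaw/openclaw --output reports/openclaw-quickstart.md
 ```
 
 Call from MCP client:
@@ -360,6 +457,9 @@ Call from MCP client:
 "branch": "main",
 "maxFiles": 400,
 "maxFindingsInReport": 120,
+"credentialMode": "strict",
+"includeAstFindings": false,
+"minConfidence": 0.8,
 "outputPath": "reports/vscode-judges-report.md"
 }
 }
@@ -369,7 +469,8 @@ Typical response summary includes:
 - overall verdict and average score
 - analyzed file count and total findings
 - per-judge score table
-- highest-risk findings and
+- highest-risk findings with risk scores and occurrence counts
+- unique root-cause cluster count and lowest-scoring files
 
 Sample report snippet:
 
@@ -395,6 +496,8 @@ Submit code to the **full judges panel**. All 33 judges evaluate independently a
 | `code` | string | yes | The source code to evaluate |
 | `language` | string | yes | Programming language (e.g., `typescript`, `python`) |
 | `context` | string | no | Additional context about the code |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 
 ### `evaluate_code_single_judge`
 Submit code to a **specific judge** for targeted review.
@@ -405,6 +508,7 @@ Submit code to a **specific judge** for targeted review.
 | `language` | string | yes | Programming language |
 | `judgeId` | string | yes | See [judge IDs](#judge-ids) below |
 | `context` | string | no | Additional context |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 
 ### `evaluate_project`
 Submit multiple files for **project-level analysis**. All 33 judges evaluate each file, plus cross-file architectural analysis detects code duplication, inconsistent error handling, and dependency cycles.
@@ -413,6 +517,8 @@ Submit multiple files for **project-level analysis**. All 33 judges evaluate eac
 |-----------|------|----------|-------------|
 | `files` | array | yes | Array of `{ path, content, language }` objects |
 | `context` | string | no | Optional project context |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 
 ### `evaluate_diff`
 Evaluate only the **changed lines** in a code diff. Runs all 33 judges on the full file but filters findings to lines you specify. Ideal for PR reviews and incremental analysis.
@@ -423,6 +529,8 @@ Evaluate only the **changed lines** in a code diff. Runs all 33 judges on the fu
 | `language` | string | yes | Programming language |
 | `changedLines` | number[] | yes | 1-based line numbers that were changed |
 | `context` | string | no | Optional context about the change |
+| `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
+| `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
 
 ### `analyze_dependencies`
 Analyze a dependency manifest file for supply-chain risks, version pinning issues, typosquatting indicators, and dependency hygiene. Supports `package.json`, `requirements.txt`, `Cargo.toml`, `go.mod`, `pom.xml`, and `.csproj` files.
@@ -525,7 +633,8 @@ judges/
 │ ├── index.ts # JUDGES array, getJudge(), getJudgeSummaries()
 │ └── *.ts # One definition per judge (33 files)
 ├── scripts/
-│
+│ ├── generate-public-repo-report.ts # Run: npm run report:public-repo -- --repoUrl <url>
+│ └── daily-popular-repo-autofix.ts # Run: npm run automation:daily-popular
 ├── examples/
 │ ├── sample-vulnerable-api.ts # Intentionally flawed code (triggers all judges)
 │ └── demo.ts # Run: npm run demo
@@ -548,11 +657,33 @@ judges/
 | `npm test` | Run the full test suite |
 | `npm run demo` | Run the sample tribunal demo |
 | `npm run report:public-repo -- --repoUrl <url>` | Generate a full tribunal report for a public repository URL |
+| `npm run report:quickstart -- --repoUrl <url>` | Run opinionated high-signal report defaults for fast adoption |
+| `npm run automation:daily-popular` | Analyze up to 10 rotating popular repos/day and open up to 5 remediation PRs per repo |
 | `npm start` | Start the MCP server |
 | `npm run clean` | Remove `dist/` |
 
 ---
 
+## Daily Popular Repo Automation
+
+This repo includes a scheduled workflow at `.github/workflows/daily-popular-repo-autofix.yml` that:
+- selects up to 10 repositories per day from a default pool of 100+ popular repos (or a manually supplied target),
+- runs the full Judges evaluation across supported source languages,
+- applies only conservative, single-line remediations that reduce matching finding counts,
+- opens up to 5 PRs per repository with attribution to both Judges and the target repository,
+- skips repositories unless they are public and PR creation is possible with existing GitHub auth (no additional auth flow).
+- enforces hard runtime caps of 10 repositories/day and 5 PRs/repository.
+
+Required secret:
+- `JUDGES_AUTOFIX_GH_TOKEN` — GitHub token with permission to fork/push/create PRs for target repositories.
+
+Manual run:
+```bash
+gh workflow run "Judges Daily Full-Run Autofix PRs" -f targetRepoUrl=https://github.com/owner/repo
+```
+
+---
+
 ## License
 
 MIT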
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAgJtC,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAmL/E"}
|
|
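--- a/package/dist/evaluators/authentication.js
+++ b/package/dist/evaluators/authentication.js
@@ -1,12 +1,123 @@
 import { getLineNumbers, getLangFamily } from "./shared.js";
+function isLikelyPlaceholderCredentialValue(value) {
+const normalized = value.trim().toLowerCase();
+const exactPlaceholders = new Set([
+"test",
+"testing",
+"mock",
+"dummy",
+"example",
+"sample",
+"fake",
+"na",
+"n/a",
+"none",
+"null",
+"undefined",
+"changeme",
+"change_me",
+"replace_me",
+"replace-me",
+"your_token_here",
+"your_api_key",
+"unused",
+"not_used",
+"placeholder",
+]);
+if (exactPlaceholders.has(normalized)) {
+return true;
+}
+if (/^(?:test|mock|dummy|sample|example|fake|placeholder|na|n\/a|unused|changeme|replace)[-_a-z0-9]*$/i.test(normalized)) {
+return true;
+}
+return false;
+}
+function isStrictCredentialDetectionEnabled() {
+return process.env.JUDGES_CREDENTIAL_MODE?.toLowerCase() === "strict";
+}
+function looksLikeRealCredentialValue(value) {
+if (isLikelyPlaceholderCredentialValue(value)) {
+return false;
+}
+if (!isStrictCredentialDetectionEnabled()) {
+return true;
+}
+const normalized = value.trim();
+if (normalized.length < 12) {
+return false;
+}
+if (/(?:test|mock|dummy|sample|example|fake|placeholder|changeme|replace[_-]?me|unused|not[_-]?used|password|secret)/i.test(normalized)) {
+return false;
+}
+const hasLower = /[a-z]/.test(normalized);
+const hasUpper = /[A-Z]/.test(normalized);
+const hasDigit = /\d/.test(normalized);
+const hasSymbol = /[^A-Za-z0-9]/.test(normalized);
+const classCount = [hasLower, hasUpper, hasDigit, hasSymbol].filter(Boolean).length;
+if (normalized.length >= 20 && classCount >= 2) {
+return true;
+}
+if (normalized.length >= 16 && classCount >= 3) {
+return true;
+}
+return false;
+}
+function getHardcodedCredentialLinesWithoutPlaceholders(code) {
+const lines = code.split("\n");
+const flaggedLines = [];
+const assignmentPattern = /\b(password|passwd|pwd|secret|api_?key|apikey|token|auth_?token)\b\s*[:=]\s*["'`]([^"'`]{3,})["'`]/gi;
+const nonProductionContextPattern = /\b(?:test|tests|mock|mocks|fixture|fixtures|harness|e2e|example|sample|dummy)\b/i;
+const productionContextPattern = /\b(?:prod|production|release|deploy|deployment)\b/i;
+const isLikelyTestModule = /\b(?:describe|it|test)\s*\(/i.test(code);
+if (isLikelyTestModule && !productionContextPattern.test(code)) {
+return [];
+}
+for (let index = 0; index < lines.length; index += 1) {
+const line = lines[index];
+const matches = [...line.matchAll(assignmentPattern)];
+if (matches.length === 0)
+continue;
+const contextStart = Math.max(0, index - 2);
+const contextEnd = Math.min(lines.length, index + 3);
+const context = lines.slice(contextStart, contextEnd).join("\n");
+const isLikelyNonProductionContext = nonProductionContextPattern.test(context) &&
+!productionContextPattern.test(context);
+const hasRealCredential = matches.some((match) => {
+const value = match[2] ?? "";
+return looksLikeRealCredentialValue(value);
+});
+if (hasRealCredential && !isLikelyNonProductionContext) {
+flaggedLines.push(index + 1);
+}
+}
+return flaggedLines;
+}
+function getWeakCredentialHashLines(code) {
+const lines = code.split("\n");
+const weakHashPattern = /createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\)|(?:\bmd5\b|\bsha1\b)\s*\(/gi;
+const authContextPattern = /password|passwd|pwd|credential|login|signin|signup|auth|token|session|user/i;
+const flagged = [];
+for (let index = 0; index < lines.length; index += 1) {
+weakHashPattern.lastIndex = 0;
+if (!weakHashPattern.test(lines[index])) {
+continue;
+}
+const start = Math.max(0, index - 4);
+const end = Math.min(lines.length - 1, index + 4);
+const context = lines.slice(start, end + 1).join("\n");
+if (authContextPattern.test(context)) {
+flagged.push(index + 1);
+}
+}
+return flagged;
+}
 export function analyzeAuthentication(code, language) {
 const findings = [];
 let ruleNum = 1;
 const prefix = "AUTH";
 const lang = getLangFamily(language);
 // Hardcoded credentials
-const
-const credentialLines = getLineNumbers(code, credentialPattern);
+const credentialLines = getHardcodedCredentialLinesWithoutPlaceholders(code);
 if (credentialLines.length > 0) {
 findings.push({
 ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
@@ -46,8 +157,7 @@ export function analyzeAuthentication(code, language)
 });
 }
 // Weak password hashing
-const
-const weakHashLines = getLineNumbers(code, weakHashPattern);
+const weakHashLines = getWeakCredentialHashLines(code);
 if (weakHashLines.length > 0) {
 findings.push({
 ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,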
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authentication.js","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAsB,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,
|
|
1
|
+
{"version":3,"file":"authentication.js","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAsB,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,SAAS,kCAAkC,CAAC,KAAa;IACvD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE9C,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;QAChC,MAAM;QACN,SAAS;QACT,MAAM;QACN,OAAO;QACP,SAAS;QACT,QAAQ;QACR,MAAM;QACN,IAAI;QACJ,KAAK;QACL,MAAM;QACN,MAAM;QACN,WAAW;QACX,UAAU;QACV,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,iBAAiB;QACjB,cAAc;QACd,QAAQ;QACR,UAAU;QACV,aAAa;KACd,CAAC,CAAC;IAEH,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,mGAAmG,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACzH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kCAAkC;IACzC,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,WAAW,EAAE,KAAK,QAAQ,CAAC;AACxE,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,IAAI,kCAAkC,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,kCAAkC,EAAE,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,kHAAkH,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACxI,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAEpF,IAAI,UAAU,CAAC,MAAM,IAAI,EAAE,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,IAAI,EAAE,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,8CAA8C,CAAC,IAAY;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,iBAAiB,GAAG,sGAAsG,CAAC;IAEjI,MAAM,2BAA2B,GAAG,kFAAkF,CAAC;IACvH,MAAM,wBAAwB,GAAG,oDAAoD,CAAC;IACtF,MAAM,kBAAkB,GAAG,8
BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAErE,IAAI,kBAAkB,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEnC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEjE,MAAM,4BAA4B,GAChC,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC;YACzC,CAAC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE1C,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;YAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,OAAO,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,IAAI,iBAAiB,IAAI,CAAC,4BAA4B,EAAE,CAAC;YACvD,YAAY,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,eAAe,GAAG,+EAA+E,CAAC;IACxG,MAAM,kBAAkB,GAAG,6EAA6E,CAAC;IAEzG,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrD,eAAe,CAAC,SAAS,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACxC,SAAS;QACX,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEvD,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAY,EAAE,QAAgB;IAClE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CA
AC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,CAAC;IACtB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,wBAAwB;IACxB,MAAM,eAAe,GAAG,8CAA8C,CAAC,IAAI,CAAC,CAAC;IAC7E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,SAAS,eAAe,CAAC,MAAM,iKAAiK;YAC7M,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,sJAAsJ;YACtK,SAAS,EAAE,wCAAwC;SACpD,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,iDAAiD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,MAAM,iBAAiB,GAAG,wJAAwJ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9L,IAAI,SAAS,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,gJAAgJ;YAC7J,cAAc,EAAE,gKAAgK;YAChL,SAAS,EAAE,yDAAyD;SACrE,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAC5B,MAAM,iBAAiB,GAAG,oEAAoE,CAAC;IAC/F,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,6CAA6C;YACpD,WAAW,EAAE,0JAA0J;YACvK,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,uIAAuI;YACvJ,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,aAAa,GAAG,0BAA0B,CAAC,IAAI,CAAC,CAAC;IACvD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,2IAA2I;YACxJ,WAAW,EAAE,aAAa;YAC1B,cAAc,EAAE,0HAA0H;YAC1I,SAAS,EAAE,mDAAmD;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,MAAM,YAAY,GAAG,kGAAkG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnI,IAAI,SAAS,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAA
M,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,uDAAuD;YAC9D,WAAW,EAAE,yIAAyI;YACtJ,cAAc,EAAE,6IAA6I;YAC7J,SAAS,EAAE,uEAAuE;SACnF,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAC3B,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9D,IAAI,MAAM,IAAI,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,6IAA6I;YAC1J,cAAc,EAAE,iHAAiH;YACjI,SAAS,EAAE,uCAAuC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,kBAAkB,GAAG,8HAA8H,CAAC;IAC1J,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAC1D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,wJAAwJ;YACrK,WAAW,EAAE,QAAQ;YACrB,cAAc,EAAE,0IAA0I;YAC1J,SAAS,EAAE,0CAA0C;SACtD,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,UAAU,GAAG,4DAA4D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3F,MAAM,SAAS,GAAG,kEAAkE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChG,IAAI,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,iJAAiJ;YAC9J,cAAc,EAAE,qIAAqI;YACrJ,SAAS,EAAE,sCAAsC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtG,MAAM,iBAAiB,GAAG,kHAAkH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxJ,IAAI,mBAAmB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,oCAAoC;YAC3C,WAAW,EAAE,mJAAmJ;YAChK,cAAc,EAAE,qJAAqJ;YACrK,SAAS,EAAE,0CAA0C;SACtD
,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,QAAQ,GAAG,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChG,MAAM,UAAU,GAAG,gGAAgG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/H,IAAI,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,+HAA+H;YAC5I,cAAc,EAAE,6JAA6J;YAC7K,SAAS,EAAE,wCAAwC;SACpD,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,aAAa,GAAG,2DAA2D,CAAC;IAClF,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,MAAM,cAAc,GAAG,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3F,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,2CAA2C;YAClD,WAAW,EAAE,yIAAyI;YACtJ,WAAW,EAAE,WAAW;YACxB,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,8CAA8C;SAC1D,CAAC,CAAC;IACL,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAG,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1F,IAAI,WAAW,IAAI,CAAC,OAAO,IAAI,UAAU,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,0IAA0I;YACvJ,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,6CAA6C;SACzD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"compliance.d.ts","sourceRoot":"","sources":["../../src/evaluators/compliance.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"compliance.d.ts","sourceRoot":"","sources":["../../src/evaluators/compliance.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAsP3E"}
@@ -5,11 +5,24 @@ export function analyzeCompliance(code, language) {
5
5
|
const prefix = "COMP";
|
|
6
6
|
let ruleNum = 1;
|
|
7
7
|
const lang = getLangFamily(language);
|
|
8
|
+
const isCommentLikeLine = (line) => {
|
|
9
|
+
const trimmed = line.trim();
|
|
10
|
+
return (trimmed.startsWith("//") ||
|
|
11
|
+
trimmed.startsWith("/*") ||
|
|
12
|
+
trimmed.startsWith("*") ||
|
|
13
|
+
trimmed.startsWith("#") ||
|
|
14
|
+
trimmed.startsWith("--"));
|
|
15
|
+
};
|
|
8
16
|
// Detect PII handling without encryption
|
|
9
17
|
const piiFieldLines = [];
|
|
10
18
|
lines.forEach((line, i) => {
|
|
19
|
+
if (isCommentLikeLine(line))
|
|
20
|
+
return;
|
|
11
21
|
if (/(?:ssn|social_security|tax_id|passport|national_id|driver_license)/i.test(line) && !/encrypt|hash|mask|redact/i.test(line)) {
|
|
12
|
-
|
|
22
|
+
const context = lines.slice(Math.max(0, i - 4), Math.min(lines.length, i + 5)).join("\n");
|
|
23
|
+
if (/(?:save|store|insert|persist|write|log|send|post|request|payload|body|db\.)/i.test(context)) {
|
|
24
|
+
piiFieldLines.push(i + 1);
|
|
25
|
+
}
|
|
13
26
|
}
|
|
14
27
|
});
|
|
15
28
|
if (piiFieldLines.length > 0) {
|
|
@@ -105,10 +118,15 @@ export function analyzeCompliance(code, language) {
105
118
|
// Detect credit card number patterns (PCI DSS)
|
|
106
119
|
const cardNumberLines = [];
|
|
107
120
|
lines.forEach((line, i) => {
|
|
108
|
-
if (
|
|
121
|
+
if (isCommentLikeLine(line))
|
|
122
|
+
return;
|
|
123
|
+
const context = lines.slice(Math.max(0, i - 4), Math.min(lines.length, i + 5)).join("\n");
|
|
124
|
+
const hasPaymentContext = /(?:payment|billing|checkout|charge|\bcard(?:Number)?\b|\bpan\b|stripe|braintree|authorize|capture|transaction)/i.test(context);
|
|
125
|
+
const hasOperationalFlow = /(?:store|save|log|send|post|request|payload|body|db\.)/i.test(context);
|
|
126
|
+
if (/\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/.test(line) && hasPaymentContext && hasOperationalFlow) {
|
|
109
127
|
cardNumberLines.push(i + 1);
|
|
110
128
|
}
|
|
111
|
-
if (/credit.?card|card.?number|ccn|pan\b|cardNumber/i.test(line) && !/mask|redact|encrypt|hash|tokenize|\*{4}/i.test(line)) {
|
|
129
|
+
if (/credit.?card|card.?number|ccn|pan\b|cardNumber/i.test(line) && !/mask|redact|encrypt|hash|tokenize|\*{4}/i.test(line) && hasPaymentContext && hasOperationalFlow) {
|
|
112
130
|
cardNumberLines.push(i + 1);
|
|
113
131
|
}
|
|
114
132
|
});
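Review bot: `isCommentLikeLine` (new lines 8–15) drops any line whose first non-blank characters are `#`, `*` or `--` regardless of language, even though `getLangFamily(language)` is already computed on line 7 and never consulted; in C-like files that skips `#include`/`#define` lines, and in JavaScript a continuation such as `* rate` or a `--count;` statement is treated as a comment, so a PII or card-number hit on such a line is silently lost. Gating the `#` and `--` prefixes on the language family, or restricting the helper to `//`, `/*` and `*` for C-like families, would keep the false-negative surface small. The ±4-line context window is built inline twice (new lines 22 and 123) with a redundant `Math.min`, since `Array.prototype.slice` already clamps the end index; a small `contextAround(lines, i, 4)` helper would keep the PII and PCI checks in step. The second hunk (@@ -105,10 +118,15 @@) reuses the same helper and window. `analyzeCompliance` starts and ends outside these hunks.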
@@ -1 +1 @@
1
|
-
{"version":3,"file":"compliance.js","sourceRoot":"","sources":["../../src/evaluators/compliance.ts"],"names":[],"mappings":"AACA,OAAO,EAAsC,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IAC9D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,MAAM,CAAC;IACtB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,yCAAyC;IACzC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,qEAAqE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAChI,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"compliance.js","sourceRoot":"","sources":["../../src/evaluators/compliance.ts"],"names":[],"mappings":"AACA,OAAO,EAAsC,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IAC9D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,MAAM,CAAC;IACtB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAAW,EAAE;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YACxB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAC;IACJ,CAAC,CAAC;IAEF,yCAAyC;IACzC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,iBAAiB,CAAC,IAAI,CAAC;YAAE,OAAO;QAEpC,IAAI,qEAAqE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAChI,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1F,IAAI,8EAA8E,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjG,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,2HAA2H;YACxI,WAAW,EAAE,aAAa;YAC1B,cAAc,EAAE,iHAAiH;YACjI,SAAS,EAAE,gCAAgC;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,sDAAsD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QAC5C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAA
E,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EAAE,mIAAmI;YAChJ,WAAW,EAAE,aAAa;YAC1B,cAAc,EAAE,0GAA0G;YAC1H,SAAS,EAAE,qCAAqC;SACjD,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,2CAA2C,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iDAAiD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3H,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1F,IAAI,CAAC,kDAAkD,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,+CAA+C;YACtD,WAAW,EAAE,0GAA0G;YACvH,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EAAE,wHAAwH;YACxI,SAAS,EAAE,yCAAyC;SACrD,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5H,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,kCAAkC;YACzC,WAAW,EAAE,yHAAyH;YACtI,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EAAE,6GAA6G;YAC7H,SAAS,EAAE,mDAAmD;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,uFAAuF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvG,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,
CAAC,CAAC;YAC1E,IAAI,CAAC,gEAAgE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpF,cAAc,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,yCAAyC;YAChD,WAAW,EAAE,qHAAqH;YAClI,WAAW,EAAE,cAAc;YAC3B,cAAc,EAAE,kHAAkH;YAClI,SAAS,EAAE,oCAAoC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,iBAAiB,CAAC,IAAI,CAAC;YAAE,OAAO;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1F,MAAM,iBAAiB,GAAG,iHAAiH,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1J,MAAM,kBAAkB,GAAG,yDAAyD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEnG,IAAI,4FAA4F,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;YACvJ,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,iDAAiD,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,0CAA0C,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;YACtK,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,oCAAoC;YAC3C,WAAW,EAAE,mIAAmI;YAChJ,WAAW,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;YAC1C,cAAc,EAAE,kIAAkI;YAClJ,SAAS,EAAE,uDAAuD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,oCAAoC;IACpC,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,6GAA6G,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7K,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE
,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,uDAAuD;YAC9D,WAAW,EAAE,gIAAgI;YAC7I,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,oHAAoH;YACpI,SAAS,EAAE,uCAAuC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,MAAM,oBAAoB,GAAG,wFAAwF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjI,MAAM,cAAc,GAAG,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpG,IAAI,cAAc,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC5C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,6HAA6H;YAC1I,cAAc,EAAE,uHAAuH;YACvI,SAAS,EAAE,0DAA0D;SACtE,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9F,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,oCAAoC;YAC3C,WAAW,EAAE,+GAA+G;YAC5H,WAAW,EAAE,WAAW;YACxB,cAAc,EAAE,sHAAsH;YACtI,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,yFAAyF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACzG,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,kBAAkB,GAAG,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1G,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,iDAAiD;YACxD,WAAW,EAAE,yJAAyJ;YACtK,WAAW,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACxC,cAAc,EAAE,qGAAqG;YACrH,SAAS,EAAE,sDAAsD;SAClE,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,K
AAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,+EAA+E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/F,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,sDAAsD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxF,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EAAE,sIAAsI;YACnJ,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACzC,cAAc,EAAE,uGAAuG;YACvH,SAAS,EAAE,sCAAsC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -1 +1 @@
1
|
-
{"version":3,"file":"configuration-management.d.ts","sourceRoot":"","sources":["../../src/evaluators/configuration-management.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"configuration-management.d.ts","sourceRoot":"","sources":["../../src/evaluators/configuration-management.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAsLxF"}
@@ -6,7 +6,29 @@ export function analyzeConfigurationManagement(code, language) {
6
6
|
const lang = getLangFamily(language);
|
|
7
7
|
// Hardcoded secrets / credentials
|
|
8
8
|
const secretPattern = /(?:password|passwd|secret|api_?key|token|private_?key)\s*[:=]\s*["'`][^"'`]{3,}/gi;
|
|
9
|
-
const
|
|
9
|
+
const nonProductionContextPattern = /\b(?:test|tests|mock|mocks|fixture|fixtures|harness|e2e|example|sample|dummy)\b/i;
|
|
10
|
+
const productionContextPattern = /\b(?:prod|production|release|deploy|deployment)\b/i;
|
|
11
|
+
const secretLines = [];
|
|
12
|
+
if (/\b(?:describe|it|test)\s*\(/i.test(code) && !productionContextPattern.test(code)) {
|
|
13
|
+
// Skip hardcoded secret findings in explicit test modules.
|
|
14
|
+
}
|
|
15
|
+
else {
|
|
16
|
+
const lines = code.split("\n");
|
|
17
|
+
for (let index = 0; index < lines.length; index += 1) {
|
|
18
|
+
secretPattern.lastIndex = 0;
|
|
19
|
+
if (!secretPattern.test(lines[index])) {
|
|
20
|
+
continue;
|
|
21
|
+
}
|
|
22
|
+
const contextStart = Math.max(0, index - 2);
|
|
23
|
+
const contextEnd = Math.min(lines.length, index + 3);
|
|
24
|
+
const context = lines.slice(contextStart, contextEnd).join("\n");
|
|
25
|
+
const isLikelyNonProductionContext = nonProductionContextPattern.test(context) &&
|
|
26
|
+
!productionContextPattern.test(context);
|
|
27
|
+
if (!isLikelyNonProductionContext) {
|
|
28
|
+
secretLines.push(index + 1);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
}
|
|
10
32
|
if (secretLines.length > 0) {
|
|
11
33
|
findings.push({
|
|
12
34
|
ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
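Review bot: The test-module bypass on new line 12, `/\b(?:describe|it|test)\s*\(/i.test(code)`, matches far more than test frameworks: `.test(` is the ordinary `RegExp.prototype.test` call, so any module that evaluates a regex (`pattern.test(value)`) is classified as a test file and every hardcoded-secret finding in it is suppressed unless `prod`/`release`/`deploy` happens to appear somewhere in the file. For a secret scanner that is a quiet fail-open; the check should at least require the BDD call shape with a string title at line start, e.g. `/^\s*(?:describe|it|test)\s*\(\s*["']/m.test(code)`, and the decision would be safer applied per context window, like the `nonProductionContextPattern` check on new lines 25–26, rather than file-wide. The empty `if` body followed by `else` (new lines 12–15) reads more clearly inverted: `const isTestModule = …; if (!isTestModule) { … }`. `analyzeConfigurationManagement` starts and ends outside this hunk.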
@@ -1 +1 @@
1
|
-
{"version":3,"file":"configuration-management.js","sourceRoot":"","sources":["../../src/evaluators/configuration-management.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAsB,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,8BAA8B,CAAC,IAAY,EAAE,QAAgB;IAC3E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,KAAK,CAAC;IACrB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,aAAa,GAAG,mFAAmF,CAAC;IAC1G,MAAM,WAAW,GAAG,
|
|
1
|
+
{"version":3,"file":"configuration-management.js","sourceRoot":"","sources":["../../src/evaluators/configuration-management.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAsB,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,8BAA8B,CAAC,IAAY,EAAE,QAAgB;IAC3E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,KAAK,CAAC;IACrB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,kCAAkC;IAClC,MAAM,aAAa,GAAG,mFAAmF,CAAC;IAC1G,MAAM,2BAA2B,GAAG,kFAAkF,CAAC;IACvH,MAAM,wBAAwB,GAAG,oDAAoD,CAAC;IACtF,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtF,2DAA2D;IAC7D,CAAC;SAAM,CAAC;QAEN,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/B,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;YACrD,aAAa,CAAC,SAAS,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjE,MAAM,4BAA4B,GAChC,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC;gBACzC,CAAC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE1C,IAAI,CAAC,4BAA4B,EAAE,CAAC;gBAClC,WAAW,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,kCAAkC;YACzC,WAAW,EAAE,SAAS,WAAW,CAAC,MAAM,4JAA4J;YACpM,WAAW,EAAE,WAAW;YACxB,cAAc,EAAE,gKAAgK;YAChL,SAAS,EAAE,mDAAmD;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,MAAM,sBAAsB,GAAG,oHAAoH,CAAC;IACpJ,MAAM,oBAAoB,GAAG,cAAc,CAAC,IAAI,EAAE,sBAAsB,CAAC,CAAC;IAC1E,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAA
Q,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wDAAwD;YAC/D,WAAW,EAAE,SAAS,oBAAoB,CAAC,MAAM,sIAAsI;YACvL,WAAW,EAAE,oBAAoB;YACjC,cAAc,EAAE,4JAA4J;YAC5K,SAAS,EAAE,oCAAoC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,gCAAgC;IAChC,MAAM,UAAU,GAAG,gGAAgG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/H,MAAM,SAAS,GAAG,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/F,IAAI,CAAC,UAAU,IAAI,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,wKAAwK;YACrL,cAAc,EAAE,6JAA6J;YAC7K,SAAS,EAAE,oCAAoC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,mBAAmB,GAAG,+FAA+F,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvI,IAAI,SAAS,IAAI,CAAC,mBAAmB,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,6JAA6J;YAC1K,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,qCAAqC;SACjD,CAAC,CAAC;IACL,CAAC;IAED,yDAAyD;IACzD,MAAM,mBAAmB,GAAG,qDAAqD,CAAC;IAClF,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,qEAAqE;IACrE,IAAI,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,kDAAkD;YACzD,WAAW,EAAE,sKAAsK;YACnL,cAAc,EAAE,uJAAuJ;YACvK,SAAS,EAAE,+CAA+C;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,mBAAmB,GAAG,iEAAiE,CAAC;IAC9F,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,MAAM,qBAAqB,GAAG,uCAAuC,CAAC;IACtE,MAAM,eAAe,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IACzE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC;IAC1C,IAAI,QAAQ,GAAG,CAAC,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC;Y
ACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,6CAA6C;YACpD,WAAW,EAAE,SAAS,QAAQ,qIAAqI;YACnK,WAAW,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YAC1C,cAAc,EAAE,sJAAsJ;YACtK,SAAS,EAAE,sCAAsC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,kBAAkB,GAAG,iGAAiG,CAAC;IAC7H,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAClE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,SAAS,gBAAgB,CAAC,MAAM,uGAAuG;YACpJ,WAAW,EAAE,gBAAgB;YAC7B,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,8DAA8D;SAC1E,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,UAAU,GAAG,0DAA0D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzF,MAAM,WAAW,GAAG,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9F,IAAI,UAAU,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,uCAAuC;YAC9C,WAAW,EAAE,iKAAiK;YAC9K,cAAc,EAAE,6KAA6K;YAC7L,SAAS,EAAE,sDAAsD;SAClE,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,eAAe,GAAG,kFAAkF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtH,IAAI,UAAU,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACnE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EAAE,8KAA8K;YAC3L,cAAc,EAAE,4JAA4J;YAC5K,SAAS,EAAE,iDAAiD;SAC7D,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAC5B,MAAM,kBAAkB,GAAG,yHAAyH,CAAC;IACrJ,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAClE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,kDAAkD;YACzD,WAAW,EA
AE,SAAS,gBAAgB,CAAC,MAAM,yIAAyI;YACtL,WAAW,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACzC,cAAc,EAAE,+JAA+J;YAC/K,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -1 +1 @@
1
|
-
{"version":3,"file":"cybersecurity.d.ts","sourceRoot":"","sources":["../../src/evaluators/cybersecurity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"cybersecurity.d.ts","sourceRoot":"","sources":["../../src/evaluators/cybersecurity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAoU9E"}
@@ -35,13 +35,25 @@ export function analyzeCybersecurity(code, language) {
35
35
|
}
|
|
36
36
|
// Command injection risk (multi-language)
|
|
37
37
|
const cmdLines = getLangLineNumbers(code, language, LP.COMMAND_INJECTION);
|
|
38
|
-
|
|
38
|
+
const filteredCmdLines = cmdLines.filter((lineNumber) => {
|
|
39
|
+
const index = lineNumber - 1;
|
|
40
|
+
const context = code
|
|
41
|
+
.split("\n")
|
|
42
|
+
.slice(Math.max(0, index - 3), index + 4)
|
|
43
|
+
.join("\n");
|
|
44
|
+
const dangerousSink = /\b(?:exec|execSync|spawn|spawnSync|system|popen|Runtime\.getRuntime\(\)\.exec|subprocess\.(?:Popen|run|call)|os\.system)\s*\(/i;
|
|
45
|
+
const safeSink = /\bexecFile\s*\(/i;
|
|
46
|
+
const untrustedInput = /(?:req\.|request\.|params\.|query\.|body\.|argv|input|user|prompt|command)/i;
|
|
47
|
+
const unsafeConstruction = /(?:\+\s*\w|\$\{[^}]+\}|\.concat\s*\(|\.join\s*\(|shell\s*:\s*true)/i;
|
|
48
|
+
return dangerousSink.test(context) && !safeSink.test(context) && untrustedInput.test(context) && unsafeConstruction.test(context);
|
|
49
|
+
});
|
|
50
|
+
if (filteredCmdLines.length > 0) {
|
|
39
51
|
findings.push({
|
|
40
52
|
ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
|
|
41
53
|
severity: "critical",
|
|
42
54
|
title: "Potential command injection",
|
|
43
55
|
description: "Shell commands are constructed with string concatenation/interpolation, allowing an attacker to inject arbitrary OS commands if user input is included.",
|
|
44
|
-
lineNumbers:
|
|
56
|
+
lineNumbers: filteredCmdLines,
|
|
45
57
|
recommendation: "Use execFile() with an argument array instead of exec(). Never concatenate user input into shell commands. Validate and sanitize all inputs.",
|
|
46
58
|
reference: "OWASP Command Injection — CWE-78",
|
|
47
59
|
});
|
|
@@ -176,15 +188,25 @@ export function analyzeCybersecurity(code, language) {
176
188
|
});
|
|
177
189
|
}
|
|
178
190
|
// Template injection (SSTI)
|
|
179
|
-
const templatePatterns = /render_template_string|
|
|
191
|
+
const templatePatterns = /render_template_string|nunjucks\.renderString|Handlebars\.compile\s*\(|ERB\.new\s*\(/gi;
|
|
180
192
|
const templateLines = getLineNumbers(code, templatePatterns);
|
|
181
|
-
|
|
193
|
+
const filteredTemplateLines = templateLines.filter((lineNumber) => {
|
|
194
|
+
const index = lineNumber - 1;
|
|
195
|
+
const context = code
|
|
196
|
+
.split("\n")
|
|
197
|
+
.slice(Math.max(0, index - 3), index + 4)
|
|
198
|
+
.join("\n");
|
|
199
|
+
const templateSink = /(?:render_template_string|nunjucks\.renderString|Handlebars\.compile\s*\(|ERB\.new\s*\()/i;
|
|
200
|
+
const untrustedInput = /(?:req\.|request\.|params\.|query\.|body\.|input|user)/i;
|
|
201
|
+
return templateSink.test(context) && untrustedInput.test(context);
|
|
202
|
+
});
|
|
203
|
+
if (filteredTemplateLines.length > 0) {
|
|
182
204
|
findings.push({
|
|
183
205
|
ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
|
|
184
206
|
severity: "critical",
|
|
185
207
|
title: "Potential Server-Side Template Injection (SSTI)",
|
|
186
208
|
description: "User input appears to be passed directly to template rendering, allowing attackers to execute arbitrary code via template syntax.",
|
|
187
|
-
lineNumbers:
|
|
209
|
+
lineNumbers: filteredTemplateLines,
|
|
188
210
|
recommendation: "Never pass user input as template source. Use templates only from trusted files with parameterized data. Enable sandboxing if available.",
|
|
189
211
|
reference: "OWASP SSTI — CWE-1336",
|
|
190
212
|
});
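Review bot: In the command-injection filter (new lines 38–49) `safeSink` excludes the whole ±3-line window whenever `execFile(` appears anywhere in it, so an `execFile(file, args, { shell: true })` candidate cannot survive the filter even though `shell\s*:\s*true` is listed under `unsafeConstruction` as unsafe, and an `exec(cmd + arg)` a couple of lines from an unrelated `execFile` call is masked as well. The `shell: true` case is a two-line fix, `const shellOptIn = /shell\s*:\s*true/i.test(context);` and `return dangerousSink.test(context) && (!safeSink.test(context) || shellOptIn) && untrustedInput.test(context) && unsafeConstruction.test(context);`; for the masking, test `safeSink` against the flagged line alone rather than the window. Both this hunk and the SSTI hunk (@@ -176,15 +188,25 @@) call `code.split("\n")` inside the filter callback for every candidate line and rebuild the same window inline; splitting once before the filters would remove the repeated per-line work. In the SSTI hunk `templateSink` is a copy of the `templatePatterns` alternation that `getLineNumbers` has already matched on that line, so the context test is redundant and the two patterns will drift; if it is replaced by `templatePatterns`, remember that regex carries the `g` flag and `.test` on it advances `lastIndex`. `analyzeCybersecurity` starts and ends outside both hunks.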