@nahisaho/musubix-security 2.0.1 → 2.1.0

package/dist/rules/owasp/a03-injection.js

@@ -0,0 +1,342 @@
+/**
+ * @fileoverview OWASP A03:2021 - Injection Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a03-injection
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - SQL Injection
+ * - NoSQL Injection
+ * - Command Injection
+ * - Code Injection (eval)
+ * - Template Injection
+ *
+ * Uses taint analysis when available for improved accuracy.
+ */
+/**
+ * OWASP A03 - Injection
+ */
+export const owaspA03Injection = {
+    id: 'owasp-a03-injection',
+    name: 'OWASP A03:2021 - Injection',
+    description: 'Detects injection vulnerabilities including SQL, NoSQL, command, and code injection',
+    defaultSeverity: 'critical',
+    detectionMethod: 'combined',
+    tags: ['owasp', 'injection', 'sql', 'nosql', 'command', 'security'],
+    owasp: ['A03:2021'],
+    cwe: ['77', '78', '79', '89', '90', '91', '94', '95', '96', '917'],
+    references: [
+        { title: 'OWASP A03:2021 - Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
+        { title: 'CWE-89: SQL Injection', url: 'https://cwe.mitre.org/data/definitions/89.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceFile = context.sourceFile;
+        if (!sourceFile)
+            return findings;
+        // Use taint analysis if available
+        if (context.taintResults && context.taintResults.flows.length > 0) {
+            analyzeTaintFlows(context, findings);
+        }
+        // Pattern-based detection
+        checkSQLInjection(context, findings);
+        checkNoSQLInjection(context, findings);
+        checkCommandInjection(context, findings);
+        checkCodeInjection(context, findings);
+        checkTemplateInjection(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for SQL injection vulnerabilities
+ */
+function checkSQLInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const sqlPatterns = [
+        // String concatenation in SQL
+        { pattern: /['"`]SELECT\s+.*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'SQL query with string concatenation' },
+        { pattern: /['"`]INSERT\s+INTO\s+.*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'SQL insert with string concatenation' },
+        { pattern: /['"`]UPDATE\s+.*SET\s+.*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'SQL update with string concatenation' },
+        { pattern: /['"`]DELETE\s+FROM\s+.*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'SQL delete with string concatenation' },
+        // Template literals in SQL
+        { pattern: /`SELECT\s+[^`]*\$\{[^}]*(?:req\.|params\.|query\.|body\.)/gi, type: 'SQL with template literal injection' },
+        // Raw query with user input
+        { pattern: /(?:query|execute|raw)\s*\(\s*['"`][^'"`]*\+/gi, type: 'Raw query with concatenation' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of sqlPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a03-sql-${findings.length + 1}`,
+                    ruleId: 'owasp-a03-injection',
+                    severity: 'critical',
+                    message: `Potential SQL Injection: ${type}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['89'],
+                    suggestion: {
+                        description: 'Use parameterized queries',
+                        example: `// Use parameterized query:
+// PostgreSQL/MySQL: db.query('SELECT * FROM users WHERE id = $1', [userId])
+// ORM: Model.findOne({ where: { id: userId } })`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for NoSQL injection vulnerabilities
+ */
+function checkNoSQLInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const nosqlPatterns = [
+        // Direct user input in MongoDB queries
+        { pattern: /\.\s*find\s*\(\s*\{\s*[^}]*:\s*(?:req\.body|req\.query|req\.params)/gi, type: 'MongoDB find with user input' },
+        { pattern: /\.\s*findOne\s*\(\s*\{\s*[^}]*:\s*(?:req\.body|req\.query|req\.params)/gi, type: 'MongoDB findOne with user input' },
+        { pattern: /\.\s*updateOne\s*\(\s*\{\s*[^}]*:\s*(?:req\.body|req\.query|req\.params)/gi, type: 'MongoDB updateOne with user input' },
+        // $where with user input
+        { pattern: /\$where\s*:\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'MongoDB $where with user input' },
+        // JSON.parse of user input in query
+        { pattern: /JSON\.parse\s*\([^)]*(?:req\.body|req\.query)/gi, type: 'JSON.parse with user input' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of nosqlPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                // Check for sanitization
+                const surroundingCode = lines.slice(Math.max(0, lineNum - 3), lineNum + 1).join('\n');
+                if (!hasSanitization(surroundingCode)) {
+                    findings.push({
+                        id: `owasp-a03-nosql-${findings.length + 1}`,
+                        ruleId: 'owasp-a03-injection',
+                        severity: 'high',
+                        message: `Potential NoSQL Injection: ${type}`,
+                        location: {
+                            file: context.filePath,
+                            startLine: lineNum + 1,
+                            endLine: lineNum + 1,
+                            startColumn: 0,
+                            endColumn: line.length,
+                        },
+                        cwe: ['943'],
+                        suggestion: {
+                            description: 'Sanitize user input before use in queries',
+                            example: `// Sanitize input before use:
+const sanitizedInput = mongo.sanitize(userInput);
+// Or use explicit type casting:
+const id = new ObjectId(userId);`,
+                        },
+                    });
+                }
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for command injection vulnerabilities
+ */
+function checkCommandInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const commandPatterns = [
+        // exec with user input (string concatenation)
+        { pattern: /exec\s*\(\s*['"`][^'"`]*['"`]\s*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'exec with concatenation' },
+        { pattern: /exec\s*\([^)]*\+\s*req\./gi, type: 'exec with request input' },
+        // exec with template literal
+        { pattern: /exec\s*\(\s*`[^`]*\$\{[^}]*(?:req\.|params\.|query\.|body\.)/gi, type: 'exec with template literal' },
+        { pattern: /exec\s*\(\s*`[^`]*\$\{/gi, type: 'exec with template literal variable' },
+        // execSync with user input
+        { pattern: /execSync\s*\(\s*['"`][^'"`]*['"`]\s*\+\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'execSync with concatenation' },
+        { pattern: /execSync\s*\([^)]*\+\s*req\./gi, type: 'execSync with request input' },
+        // spawn with shell
+        { pattern: /spawn\s*\([^)]*shell\s*:\s*true/gi, type: 'spawn with shell option' },
+        // child_process with user input
+        { pattern: /child_process\s*\.\s*exec\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi, type: 'child_process.exec with user input' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of commandPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a03-cmd-${findings.length + 1}`,
+                    ruleId: 'owasp-a03-injection',
+                    severity: 'critical',
+                    message: `Potential Command Injection: ${type}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['78'],
+                    suggestion: {
+                        description: 'Use execFile or spawn with argument array',
+                        example: `// Use execFile with argument array (safer):
+execFile('command', [arg1, arg2], callback);
+// Or use spawn without shell:
+spawn('command', ['arg1', 'arg2']);`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for code injection vulnerabilities (eval, Function constructor)
+ */
+function checkCodeInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const codeInjectionPatterns = [
+        // eval with any variable
+        { pattern: /\beval\s*\(\s*[a-zA-Z_$]/gi, type: 'eval with variable' },
+        // Function constructor
+        { pattern: /new\s+Function\s*\(/gi, type: 'Function constructor' },
+        // setTimeout/setInterval with string
+        { pattern: /set(?:Timeout|Interval)\s*\(\s*['"`][^'"`]+['"`]/gi, type: 'setTimeout/setInterval with string' },
+        // vm.runInContext with user input
+        { pattern: /vm\.runIn(?:Context|NewContext|ThisContext)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi, type: 'VM execution with user input' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of codeInjectionPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a03-code-${findings.length + 1}`,
+                    ruleId: 'owasp-a03-injection',
+                    severity: 'critical',
+                    message: `Potential Code Injection: ${type}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['94', '95'],
+                    suggestion: {
+                        description: 'Avoid eval and Function constructor',
+                        example: `// Avoid eval and Function constructor
+// Use JSON.parse for JSON data:
+const data = JSON.parse(jsonString);
+// Use a sandboxed VM for untrusted code execution`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for template injection vulnerabilities
+ */
+function checkTemplateInjection(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const templatePatterns = [
+        // EJS with unescaped output
+        { pattern: /<%[-=]\s*[^%]*(?:req\.|params\.|query\.|body\.)/gi, type: 'EJS template with unescaped user input' },
+        // Pug/Jade with unescaped
+        { pattern: /!{[^}]*(?:req\.|params\.|query\.|body\.)/gi, type: 'Pug template with unescaped user input' },
+        // Handlebars triple braces
+        { pattern: /\{\{\{[^}]*(?:req\.|params\.|query\.|body\.)/gi, type: 'Handlebars with unescaped user input' },
+        // innerHTML assignment
+        { pattern: /\.innerHTML\s*=\s*(?:req\.|params\.|query\.|body\.)/gi, type: 'innerHTML with user input' },
+        // document.write
+        { pattern: /document\.write\s*\([^)]*(?:req\.|params\.|query\.|body\.)/gi, type: 'document.write with user input' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type } of templatePatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a03-template-${findings.length + 1}`,
+                    ruleId: 'owasp-a03-injection',
+                    severity: 'high',
+                    message: `Potential Template/XSS Injection: ${type}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['79', '917'],
+                    suggestion: {
+                        description: 'Use auto-escaping templates and avoid innerHTML',
+                        example: `// Use auto-escaping templates
+// EJS: use <%= instead of <%-
+// Use textContent instead of innerHTML
+// Apply DOMPurify for HTML content`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Analyze taint flows for injection vulnerabilities
+ */
+function analyzeTaintFlows(context, findings) {
+    if (!context.taintResults)
+        return;
+    const injectionSinks = ['sql', 'exec', 'eval', 'query', 'command', 'shell'];
+    for (const flow of context.taintResults.flows) {
+        const sinkCategory = flow.sink.category?.toLowerCase() || '';
+        if (injectionSinks.some(sink => sinkCategory.includes(sink))) {
+            findings.push({
+                id: `owasp-a03-taint-${findings.length + 1}`,
+                ruleId: 'owasp-a03-injection',
+                severity: 'critical',
+                message: `Taint flow detected: user input flows to ${flow.sink.category} sink without sanitization`,
+                location: {
+                    file: context.filePath,
+                    startLine: flow.sink.location?.startLine ?? 1,
+                    endLine: flow.sink.location?.endLine ?? 1,
+                    startColumn: flow.sink.location?.startColumn ?? 0,
+                    endColumn: flow.sink.location?.endColumn ?? 10,
+                },
+                suggestion: {
+                    description: 'Add input validation and sanitization at the source',
+                    example: '// Add input validation and sanitization at the source',
+                },
+            });
+        }
+    }
+}
+/**
+ * Check if code contains input sanitization
+ */
+function hasSanitization(code) {
+    const sanitizationPatterns = [
+        /sanitize/i,
+        /escape/i,
+        /validate/i,
+        /parameterized/i,
+        /prepared/i,
+        /placeholder/i,
+        /bindParam/i,
+        /ObjectId/i,
+    ];
+    return sanitizationPatterns.some(p => p.test(code));
+}
+export default owaspA03Injection;
+//# sourceMappingURL=a03-injection.js.map

package/dist/rules/owasp/a03-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a03-injection.js","sourceRoot":"","sources":["../../../src/rules/owasp/a03-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAiB;IAC7C,EAAE,EAAE,qBAAqB;IACzB,IAAI,EAAE,4BAA4B;IAClC,WAAW,EAAE,qFAAqF;IAClG,eAAe,EAAE,UAAU;IAC3B,eAAe,EAAE,UAAU;IAC3B,IAAI,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC;IACnE,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;IAClE,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,4BAA4B,EAAE,GAAG,EAAE,6CAA6C,EAAE;QAC3F,EAAE,KAAK,EAAE,uBAAuB,EAAE,GAAG,EAAE,gDAAgD,EAAE;KAC1F;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACtC,IAAI,CAAC,UAAU;YAAE,OAAO,QAAQ,CAAC;QAEjC,kCAAkC;QAClC,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClE,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,0BAA0B;QAC1B,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,mBAAmB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACvC,qBAAqB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACzC,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtC,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE1C,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAoB,EAAE,QAAuB;IACtE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,WAAW,GAAG;QAClB,8BAA8B;QAC9B,EAAE,OAAO,EAAE,0DAA0D,EAAE,IAAI,EAAE,qCAAqC,EAAE;QACpH,EAAE,OAAO,EAAE,iEAAiE,EAAE,IAAI,EAAE,sCAAsC,EAAE;QAC5H,EAAE,OAAO,EAAE,kEAAkE,EAAE,IAAI,EAAE,sCAAsC,EAAE;QAC7H,EAAE,OAAO,EAAE,iEAAiE,EAAE,IAAI,EAAE,sCAAsC,EAAE;QAC5H,2BAA2B;QAC3B,EAAE,OAAO,EAAE,6DAA6D,EAAE,IAAI,EAAE,qCAAqC,EAAE;QACvH,4BAA4B;QAC5B,EAAE,OAAO,EAAE,+CAA+C,EAAE,IAAI,EAAE,8BAA8B,EAAE;KACnG,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC;YAC5C,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,qBAAqB;oBAC7B,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,4BAA4B,IAAI,EAAE;oBAC3C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,2BAA2B;wBACxC,OAAO,EAAE;;iDAE4B;qBACtC;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAoB,EAAE,QAAuB;IACxE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB,uCAAuC;QACvC,EAAE,OAAO,EAAE,uEAAuE,EAAE,IAAI,EAAE,8BAA8B,EAAE;QAC1H,EAAE,OAAO,EAAE,0EAA0E,EAAE,IAAI,EAAE,iCAAiC,EAAE;QAChI,EAAE,OAAO,EAAE,4EAA4E,EAAE,IAAI,EAAE,mCAAmC,EAAE;QACpI,yBAAyB;QACzB,EAAE,OAAO,EAAE,mDAAmD,EAAE,IAAI,EAAE,gCAAgC,EAAE;QACxG,oCAAoC;QACpC,EAAE,OAAO,EAAE,iDAAiD,EAAE,IAAI,EAAE,4BAA4B,EAAE;KACnG,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,aAAa,EAAE,CAAC;YAC9C,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,yBAAyB;gBACzB,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEtF,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,EAAE,CAAC;oBACtC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC5C,MAAM,EAAE,qBAAqB;wBAC7B,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,8BAA8B,IAAI,EAAE;wBAC7C,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,2CAA2C;4BACxD,OAAO,EAAE;;;iCAGU;yBACpB;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAAoB,EAAE,QAAuB;IAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,eAAe,GAAG;QACtB,8CAA8C;QAC9C,EAAE,OAAO,EAAE,0EAA0E,EAAE,IAAI,EAAE,yBAAyB,EAAE;QACxH,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,yBAAyB,EAAE;QAC1E,6BAA6B;QAC7B,EAAE,OAAO,EAAE,gEAAgE,EAAE,IAAI,EAAE,4BAA4B,EAAE;QACjH,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,qCAAqC,EAAE;QACpF,2BAA2B;QAC3B,EAAE,OAAO,EAAE,8EAA8E,EAAE,IAAI,EAAE,6BAA6B,EAAE;QAChI,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,6BAA6B,EAAE;QAClF,mBAAmB;QACnB,EAAE,OAAO,EAAE,mCAAmC,EAAE,IAAI,EAAE,yBAAyB,EAAE;QACjF,gCAAgC;QAChC,EAAE,OAAO,EAAE,wEAAwE,EAAE,IAAI,EAAE,oCAAoC,EAAE;KAClI,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,eAAe,EAAE,CAAC;YAChD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,qBAAqB;oBAC7B,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,gCAAgC,IAAI,EAAE;oBAC/C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,2CAA2C;wBACxD,OAAO,EAAE;;;oCAGe;qBACzB;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAoB,EAAE,QAAuB;IACvE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,qBAAqB,GAAG;QAC5B,yBAAyB;QACzB,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,oBAAoB,EAAE;QACrE,uBAAuB;QACvB,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,sBAAsB,EAAE;QAClE,qCAAqC;QACrC,EAAE,OAAO,EAAE,oDAAoD,EAAE,IAAI,EAAE,oCAAoC,EAAE;QAC7G,kCAAkC;QAClC,EAAE,OAAO,EAAE,0FAA0F,EAAE,IAAI,EAAE,8BAA8B,EAAE;KAC9I,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,qBAAqB,EAAE,CAAC;YACtD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC3C,MAAM,EAAE,qBAAqB;oBAC7B,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,6BAA6B,IAAI,EAAE;oBAC5C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC;oBACjB,UAAU,EAAE;wBACV,WAAW,EAAE,qCAAqC;wBAClD,OAAO,EAAE;;;mDAG8B;qBACxC;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,OAAoB,EAAE,QAAuB;IAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB,4BAA4B;QAC5B,EAAE,OAAO,EAAE,mDAAmD,EAAE,IAAI,EAAE,wCAAwC,EAAE;QAChH,0BAA0B;QAC1B,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,wCAAwC,EAAE;QACzG,2BAA2B;QAC3B,EAAE,OAAO,EAAE,gDAAgD,EAAE,IAAI,EAAE,sCAAsC,EAAE;QAC3G,uBAAuB;QACvB,EAAE,OAAO,EAAE,uDAAuD,EAAE,IAAI,EAAE,2BAA2B,EAAE;QACvG,iBAAiB;QACjB,EAAE,OAAO,EAAE,8DAA8D,EAAE,IAAI,EAAE,gCAAgC,EAAE;KACpH,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,gBAAgB,EAAE,CAAC;YACjD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,qBAAqB;oBAC7B,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,qCAAqC,IAAI,EAAE;oBACpD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC;oBAClB,UAAU,EAAE;wBACV,WAAW,EAAE,iDAAiD;wBAC9D,OAAO,EAAE;;;oCAGe;qBACzB;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAoB,EAAE,QAAuB;IACtE,IAAI,CAAC,OAAO,CAAC,YAAY;QAAE,OAAO;IAElC,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAE5E,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC9C,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAE7D,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;gBAC5C,MAAM,EAAE,qBAAqB;gBAC7B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,4CAA4C,IAAI,CAAC,IAAI,CAAC,QAAQ,4BAA4B;gBACnG,QAAQ,EAAE;oBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;oBACtB,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,IAAI,CAAC;oBAC7C,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,IAAI,CAAC;oBACzC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,IAAI,CAAC;oBACjD,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,IAAI,EAAE;iBAC/C;gBACD,UAAU,EAAE;oBACV,WAAW,EAAE,qDAAqD;oBAClE,OAAO,EAAE,wDAAwD;iBAClE;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,oBAAoB,GAAG;QAC3B,WAAW;QACX,SAAS;QACT,WAAW;QACX,gBAAgB;QAChB,WAAW;QACX,cAAc;QACd,YAAY;QACZ,WAAW;KACZ,CAAC;IAEF,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,eAAe,iBAAiB,CAAC"}

package/dist/rules/owasp/a04-insecure-design.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview OWASP A04:2021 - Insecure Design Rule
+ * @module @nahisaho/musubix-security/rules/owasp/a04-insecure-design
+ * @trace TSK-RULE-003
+ *
+ * Detects:
+ * - Missing rate limiting
+ * - Missing input validation
+ * - Missing output encoding
+ * - Insecure defaults
+ * - Business logic flaws
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A04 - Insecure Design
+ */
+export declare const owaspA04InsecureDesign: SecurityRule;
+export default owaspA04InsecureDesign;
+//# sourceMappingURL=a04-insecure-design.d.ts.map

package/dist/rules/owasp/a04-insecure-design.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a04-insecure-design.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a04-insecure-design.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,YAuCpC,CAAC;AAwYF,eAAe,sBAAsB,CAAC"}