@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/rules/cwe/cwe-190-integer-overflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-190-integer-overflow.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-190-integer-overflow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,EAAE,EAAE,0BAA0B;IAC9B,IAAI,EAAE,yCAAyC;IAC/C,WAAW,EAAE,oDAAoD;IACjE,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,CAAC;IAChD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,iDAAiD,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC9H,EAAE,OAAO,EAAE,mCAAmC,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAChH,EAAE,OAAO,EAAE,oDAAoD,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAc,EAAE;YAC7H,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC3G,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAChF,EAAE,OAAO,EAAE,uDAAuD,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,KAAc,EAAE;SAC5H,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,0BAA0B;wBAClC,QAAQ;wBACR,OAAO,EAAE,sBAAsB,IAAI,2BAA2B;wBAC9D,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,+BAA+B;4BAC5C,OAAO,EAAE;;;;kEAI2C;yBACrD;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-20-input-validation.d.ts

@@ -0,0 +1,21 @@
+/**
+ * @fileoverview CWE-20: Improper Input Validation
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-20-input-validation
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - Missing input validation
+ * - Insufficient type checking
+ * - Missing length/size limits
+ * - Unsafe type coercion
+ * - Missing sanitization
+ *
+ * CWE-20 is #6 in CWE Top 25 2023.
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * CWE-20 - Improper Input Validation
+ */
+export declare const cwe20InputValidation: SecurityRule;
+export default cwe20InputValidation;
+//# sourceMappingURL=cwe-20-input-validation.d.ts.map

package/dist/rules/cwe/cwe-20-input-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-20-input-validation.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-20-input-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,YA+BlC,CAAC;AAyUF,eAAe,oBAAoB,CAAC"}

package/dist/rules/cwe/cwe-20-input-validation.js

@@ -0,0 +1,342 @@
+/**
+ * @fileoverview CWE-20: Improper Input Validation
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-20-input-validation
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - Missing input validation
+ * - Insufficient type checking
+ * - Missing length/size limits
+ * - Unsafe type coercion
+ * - Missing sanitization
+ *
+ * CWE-20 is #6 in CWE Top 25 2023.
+ */
+/**
+ * CWE-20 - Improper Input Validation
+ */
+export const cwe20InputValidation = {
+    id: 'cwe-20-input-validation',
+    name: 'CWE-20: Improper Input Validation',
+    description: 'Detects missing or insufficient input validation patterns',
+    defaultSeverity: 'medium',
+    category: 'input-validation',
+    tags: ['cwe', 'input', 'validation', 'security'],
+    cwe: ['20'],
+    references: [
+        {
+            title: 'CWE-20: Improper Input Validation',
+            url: 'https://cwe.mitre.org/data/definitions/20.html',
+        },
+        {
+            title: 'OWASP Input Validation Cheat Sheet',
+            url: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceCode = context.sourceCode;
+        checkDirectUserInput(context, sourceCode, findings);
+        checkTypeCoercion(context, sourceCode, findings);
+        checkMissingLengthChecks(context, sourceCode, findings);
+        checkRegexValidation(context, sourceCode, findings);
+        return findings;
+    },
+};
+/**
+ * Check for direct use of user input without validation
+ */
+function checkDirectUserInput(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const inputPatterns = [
+        {
+            pattern: /const\s+\w+\s*=\s*req\.body\.\w+\s*;/gi,
+            type: 'Direct body access',
+            message: 'Request body field used without validation',
+            severity: 'medium',
+        },
+        {
+            pattern: /const\s+\w+\s*=\s*req\.query\.\w+\s*;/gi,
+            type: 'Direct query access',
+            message: 'Query parameter used without validation',
+            severity: 'medium',
+        },
+        {
+            pattern: /const\s+\w+\s*=\s*req\.params\.\w+\s*;/gi,
+            type: 'Direct params access',
+            message: 'URL parameter used without validation',
+            severity: 'medium',
+        },
+        {
+            pattern: /const\s*\{[^}]+\}\s*=\s*req\.body\s*;/gi,
+            type: 'Destructured body',
+            message: 'Destructuring body without validation schema',
+            severity: 'low',
+        },
+        {
+            pattern: /JSON\.parse\s*\(\s*(?:req\.|body|data|input)/gi,
+            type: 'JSON.parse with user input',
+            message: 'JSON.parse with user input should have error handling',
+            severity: 'medium',
+        },
+        {
+            pattern: /parseInt\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'parseInt with user input',
+            message: 'parseInt with user input may produce unexpected results',
+            severity: 'low',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of inputPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-20-input-${findings.length + 1}`,
+                    ruleId: 'cwe-20-input-validation',
+                    severity,
+                    message: `Input Validation - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['20'],
+                    suggestion: {
+                        description: 'Use validation library like Zod, Joi, or Yup',
+                        example: `// Use Zod for validation
+import { z } from 'zod';
+
+const schema = z.object({
+  email: z.string().email(),
+  age: z.number().min(0).max(120),
+});
+
+const result = schema.safeParse(req.body);
+if (!result.success) {
+  return res.status(400).json({ errors: result.error.issues });
+}
+const { email, age } = result.data;`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for unsafe type coercion
+ */
+function checkTypeCoercion(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const coercionPatterns = [
+        {
+            pattern: /==\s*(?:null|undefined|true|false|['"`]\w*['"`]|\d+)/gi,
+            type: 'Loose equality comparison',
+            message: 'Loose equality (==) can cause type coercion issues',
+            severity: 'low',
+        },
+        {
+            pattern: /!=\s*(?:null|undefined)/gi,
+            type: 'Loose inequality',
+            message: 'Loose inequality (!=) can cause type coercion issues',
+            severity: 'low',
+        },
+        {
+            pattern: /Number\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'Number coercion of user input',
+            message: 'Number() coercion may return NaN for invalid input',
+            severity: 'low',
+        },
+        {
+            pattern: /\+\s*(?:req\.|params\.|query\.)\w+/gi,
+            type: 'Unary plus coercion',
+            message: 'Unary plus for number conversion is implicit and error-prone',
+            severity: 'low',
+        },
+        {
+            pattern: /Boolean\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'Boolean coercion',
+            message: 'Boolean coercion treats empty string as false',
+            severity: 'info',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of coercionPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-20-coerce-${findings.length + 1}`,
+                    ruleId: 'cwe-20-input-validation',
+                    severity,
+                    message: `Type Coercion - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['20'],
+                    suggestion: {
+                        description: 'Use strict equality and explicit type checking',
+                        example: `// Use strict equality
+if (value === null || value === undefined) { }
+
+// Explicit number parsing with validation
+const num = Number.parseInt(input, 10);
+if (Number.isNaN(num)) {
+  throw new Error('Invalid number');
+}
+
+// Boolean from string
+const boolValue = input === 'true';`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for missing length/size checks
+ */
+function checkMissingLengthChecks(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const lengthPatterns = [
+        {
+            pattern: /req\.body\.\w+\.(?:split|slice|substring|substr)\s*\(/gi,
+            type: 'String operation without length check',
+            message: 'String operation on user input without length validation',
+            severity: 'low',
+        },
+        {
+            pattern: /\.forEach\s*\(\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{[^}]*await/gi,
+            type: 'Async forEach on user array',
+            message: 'Unbounded iteration over user input may cause DoS',
+            severity: 'medium',
+        },
+        {
+            pattern: /req\.files?\.\w+\s*(?:;|$)/gi,
+            type: 'File access without size check',
+            message: 'File upload accessed without size validation',
+            severity: 'medium',
+        },
+        {
+            pattern: /\.repeat\s*\(\s*(?:req\.|params\.|query\.|Number\()/gi,
+            type: 'String repeat with user input',
+            message: 'String.repeat with user input can cause memory exhaustion',
+            severity: 'high',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of lengthPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-20-length-${findings.length + 1}`,
+                    ruleId: 'cwe-20-input-validation',
+                    severity,
+                    message: `Missing Length Check - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['20'],
+                    suggestion: {
+                        description: 'Add length/size limits to user input',
+                        example: `// Limit string length
+const MAX_LENGTH = 1000;
+if (input.length > MAX_LENGTH) {
+  throw new Error('Input too long');
+}
+
+// Limit array operations
+const MAX_ITEMS = 100;
+const items = userArray.slice(0, MAX_ITEMS);
+
+// Limit file size
+const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5MB
+if (req.file.size > MAX_FILE_SIZE) {
+  throw new Error('File too large');
+}`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for regex validation issues
+ */
+function checkRegexValidation(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const regexPatterns = [
+        {
+            pattern: /new\s+RegExp\s*\(\s*(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'RegExp from user input',
+            message: 'Creating RegExp from user input can cause ReDoS',
+            severity: 'high',
+        },
+        {
+            pattern: /\.match\s*\(\s*new\s+RegExp\s*\(/gi,
+            type: 'Dynamic regex in match',
+            message: 'Dynamic regex pattern may be vulnerable to ReDoS',
+            severity: 'medium',
+        },
+        {
+            pattern: /\.replace\s*\(\s*new\s+RegExp\s*\(/gi,
+            type: 'Dynamic regex in replace',
+            message: 'Dynamic regex pattern in replace may be vulnerable',
+            severity: 'medium',
+        },
+        {
+            pattern: /\.test\s*\(\s*\w+\s*\)\s*(?:;|\))/gi,
+            type: 'Regex test without anchors',
+            message: 'Regex validation without ^ and $ anchors may be bypassed',
+            severity: 'low',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of regexPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-20-regex-${findings.length + 1}`,
+                    ruleId: 'cwe-20-input-validation',
+                    severity,
+                    message: `Regex Validation - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['20', '1333'],
+                    suggestion: {
+                        description: 'Use safe regex patterns and avoid user-controlled regex',
+                        example: `// Never create RegExp from user input
+// Instead, use fixed patterns:
+const emailRegex = /^[^s@]+@[^s@]+.[^s@]+$/;
+if (!emailRegex.test(email)) {
+  throw new Error('Invalid email');
+}
+
+// For search, escape special chars:
+function escapeRegex(s) { return s.replace(/[.*+?^\${}()|[\\]]/g, '-'); }
+const safePattern = new RegExp(escapeRegex(userInput), 'i');`,
+                    },
+                });
+            }
+        }
+    }
+}
+export default cwe20InputValidation;
+//# sourceMappingURL=cwe-20-input-validation.js.map

package/dist/rules/cwe/cwe-20-input-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-20-input-validation.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-20-input-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAiB;IAChD,EAAE,EAAE,yBAAyB;IAC7B,IAAI,EAAE,mCAAmC;IACzC,WAAW,EACT,2DAA2D;IAC7D,eAAe,EAAE,QAAQ;IACzB,QAAQ,EAAE,kBAAkB;IAC5B,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC;IAChD,GAAG,EAAE,CAAC,IAAI,CAAC;IACX,UAAU,EAAE;QACV;YACE,KAAK,EAAE,mCAAmC;YAC1C,GAAG,EAAE,gDAAgD;SACtD;QACD;YACE,KAAK,EAAE,oCAAoC;YAC3C,GAAG,EAAE,kFAAkF;SACxF;KACF;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,oBAAoB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACpD,iBAAiB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACjD,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACxD,oBAAoB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEpD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,wCAAwC;YACjD,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,4CAA4C;YACrD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,yCAAyC;YAClD,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,yCAAyC;YAClD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,0CAA0C;YACnD,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE,uCAAuC;YAChD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,yCAAyC;YAClD,IAAI,EAAE,mBAAmB;YACzB,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,gDAAgD;YACzD,IAAI,EAAE,4BAA4B;YAClC,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,8CAA8C;YACvD,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,yDAAyD;YAClE,QAAQ,EAAE,KAAc;SACzB;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACzC,MAAM,EAAE,yBAAyB;oBACjC,QAAQ;oBACR,OAAO,EAAE,sBAAsB,IAAI,KAAK,OAAO,EAAE;oBACjD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,8CAA8C;wBAC3D,OAAO,EAAE;;;;;;;;;;;;oCAYe;qBACzB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB;YACE,OAAO,EAAE,wDAAwD;YACjE,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,2BAA2B;YACpC,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,sDAAsD;YAC/D,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,4CAA4C;YACrD,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,sCAAsC;YAC/C,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,8DAA8D;YACvE,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,6CAA6C;YACtD,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,+CAA+C;YACxD,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,gBAAgB,EAAE,CAAC;YACpE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ;oBACR,OAAO,EAAE,mBAAmB,IAAI,KAAK,OAAO,EAAE;oBAC9C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,gDAAgD;wBAC7D,OAAO,EAAE;;;;;;;;;;oCAUe;qBACzB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAC/B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,cAAc,GAAG;QACrB;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,uCAAuC;YAC7C,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,+DAA+D;YACxE,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,mDAAmD;YAC5D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,8BAA8B;YACvC,IAAI,EAAE,gCAAgC;YACtC,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,uDAAuD;YAChE,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,2DAA2D;YACpE,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YAClE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ;oBACR,OAAO,EAAE,0BAA0B,IAAI,KAAK,OAAO,EAAE;oBACrD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE;wBACV,WAAW,EAAE,sCAAsC;wBACnD,OAAO,EAAE;;;;;;;;;;;;;;EAcnB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,oCAAoC;YAC7C,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EAAE,kDAAkD;YAC3D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,sCAAsC;YAC/C,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,qCAAqC;YAC9C,IAAI,EAAE,4BAA4B;YAClC,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,KAAc;SACzB;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACzC,MAAM,EAAE,yBAAyB;oBACjC,QAAQ;oBACR,OAAO,EAAE,sBAAsB,IAAI,KAAK,OAAO,EAAE;oBACjD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,yDAAyD;wBACtE,OAAO,EAAE;;;;;;;;;6DASwC;qBAClD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,oBAAoB,CAAC"}

package/dist/rules/cwe/cwe-22-path-traversal.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-22-path-traversal
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - Path concatenation with user input
+ * - Missing path normalization
+ * - Directory escape attempts
+ * - Symlink attacks
+ *
+ * CWE-22 is #8 in CWE Top 25 2023.
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * CWE-22 - Path Traversal
+ */
+export declare const cwe22PathTraversal: SecurityRule;
+export default cwe22PathTraversal;
+//# sourceMappingURL=cwe-22-path-traversal.d.ts.map

package/dist/rules/cwe/cwe-22-path-traversal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-22-path-traversal.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-22-path-traversal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,YA8BhC,CAAC;AA+RF,eAAe,kBAAkB,CAAC"}