@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/rules/cwe/cwe-476-null-deref.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-476-null-deref.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-476-null-deref.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,eAAe,EAAE,YAkD7B,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/rules/cwe/cwe-476-null-deref.js

@@ -0,0 +1,55 @@
+/**
+ * @fileoverview CWE-476: NULL Pointer Dereference
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-476-null-deref
+ * @trace TSK-RULE-005
+ */
+export const cwe476NullDeref = {
+    id: 'cwe-476-null-deref',
+    name: 'CWE-476: NULL Pointer Dereference',
+    description: 'Detects potential null/undefined dereference patterns',
+    defaultSeverity: 'medium',
+    category: 'error-handling',
+    tags: ['cwe', 'null', 'undefined', 'security'],
+    cwe: ['476'],
+    references: [
+        { title: 'CWE-476', url: 'https://cwe.mitre.org/data/definitions/476.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /\w+\.(?:find|findOne)\s*\([^)]+\)\s*\.\w+/gi, type: 'Chained call after find', severity: 'medium' },
+            { pattern: /JSON\.parse\s*\([^)]+\)\.\w+/gi, type: 'Property access after parse', severity: 'medium' },
+            { pattern: /await\s+\w+\s*;[^}]*\w+\.\w+/gi, type: 'Access after await without check', severity: 'low' },
+            { pattern: /\w+\[\d+\]\.\w+/gi, type: 'Property access on array element', severity: 'low' },
+            { pattern: /\.match\s*\([^)]+\)\[\d+\]/gi, type: 'Index access on match result', severity: 'medium' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-476-${findings.length + 1}`,
+                        ruleId: 'cwe-476-null-deref',
+                        severity,
+                        message: `Null Dereference - ${type}: Check for null/undefined`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['476'],
+                        suggestion: {
+                            description: 'Use optional chaining or null checks',
+                            example: `// Use optional chaining
+const value = obj?.property?.nested;
+
+// Or explicit check
+const result = await db.findOne(query);
+if (!result) throw new Error('Not found');`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe476NullDeref;
+//# sourceMappingURL=cwe-476-null-deref.js.map

package/dist/rules/cwe/cwe-476-null-deref.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-476-null-deref.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-476-null-deref.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,eAAe,GAAiB;IAC3C,EAAE,EAAE,oBAAoB;IACxB,IAAI,EAAE,mCAAmC;IACzC,WAAW,EAAE,uDAAuD;IACpE,eAAe,EAAE,QAAQ;IACzB,QAAQ,EAAE,gBAAgB;IAC1B,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC;IAC9C,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,6CAA6C,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,QAAiB,EAAE;YACxH,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC/G,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,kCAAkC,EAAE,QAAQ,EAAE,KAAc,EAAE;YACjH,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,kCAAkC,EAAE,QAAQ,EAAE,KAAc,EAAE;YACpG,EAAE,OAAO,EAAE,8BAA8B,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,QAAiB,EAAE;SAC/G,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,oBAAoB;wBAC5B,QAAQ;wBACR,OAAO,EAAE,sBAAsB,IAAI,4BAA4B;wBAC/D,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,sCAAsC;4BACnD,OAAO,EAAE;;;;;2CAKoB;yBAC9B;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/rules/cwe/cwe-502-deserialization.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview CWE-502: Deserialization of Untrusted Data
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-502-deserialization
+ * @trace TSK-RULE-006
+ */
+import type { SecurityRule } from '../types.js';
+export declare const cwe502Deserialization: SecurityRule;
+export default cwe502Deserialization;
+//# sourceMappingURL=cwe-502-deserialization.d.ts.map

package/dist/rules/cwe/cwe-502-deserialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-502-deserialization.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-502-deserialization.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,qBAAqB,EAAE,YAoDnC,CAAC;AAEF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-502-deserialization.js

@@ -0,0 +1,57 @@
+/**
+ * @fileoverview CWE-502: Deserialization of Untrusted Data
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-502-deserialization
+ * @trace TSK-RULE-006
+ */
+export const cwe502Deserialization = {
+    id: 'cwe-502-deserialization',
+    name: 'CWE-502: Deserialization of Untrusted Data',
+    description: 'Detects unsafe deserialization patterns',
+    defaultSeverity: 'critical',
+    category: 'injection',
+    tags: ['cwe', 'deserialization', 'rce', 'security'],
+    cwe: ['502'],
+    owasp: ['A08:2021'],
+    references: [
+        { title: 'CWE-502', url: 'https://cwe.mitre.org/data/definitions/502.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /JSON\.parse\s*\(\s*req\./gi, type: 'JSON.parse on request data', severity: 'high' },
+            { pattern: /eval\s*\(\s*JSON/gi, type: 'eval on JSON data', severity: 'critical' },
+            { pattern: /node-serialize|serialize-javascript/gi, type: 'Unsafe serialization library', severity: 'critical' },
+            { pattern: /yaml\.load\s*\(/gi, type: 'Unsafe YAML load', severity: 'critical' },
+            { pattern: /pickle|marshal/gi, type: 'Unsafe serialization format', severity: 'high' },
+            { pattern: /unserialize\s*\(/gi, type: 'PHP-style unserialize', severity: 'critical' },
+            { pattern: /ObjectInputStream/gi, type: 'Java ObjectInputStream pattern', severity: 'high' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-502-${findings.length + 1}`,
+                        ruleId: 'cwe-502-deserialization',
+                        severity,
+                        message: `Deserialization - ${type}: Validate before deserializing`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['502'],
+                        owasp: ['A08:2021'],
+                        suggestion: {
+                            description: 'Use safe deserialization with schema validation',
+                            example: `// Use schema validation
+import { z } from 'zod';
+const schema = z.object({ name: z.string() });
+const data = schema.parse(JSON.parse(input));`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe502Deserialization;
+//# sourceMappingURL=cwe-502-deserialization.js.map

package/dist/rules/cwe/cwe-502-deserialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-502-deserialization.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-502-deserialization.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,EAAE,EAAE,yBAAyB;IAC7B,IAAI,EAAE,4CAA4C;IAClD,WAAW,EAAE,yCAAyC;IACtD,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,WAAW;IACrB,IAAI,EAAE,CAAC,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE,UAAU,CAAC;IACnD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACxG,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC3F,EAAE,OAAO,EAAE,uCAAuC,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACzH,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACzF,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC/F,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC/F,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,MAAe,EAAE;SACtG,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,yBAAyB;wBACjC,QAAQ;wBACR,OAAO,EAAE,qBAAqB,IAAI,iCAAiC;wBACnE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,iDAAiD;4BAC9D,OAAO,EAAE;;;8CAGuB;yBACjC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-77-command-injection.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview CWE-77: Improper Neutralization of Special Elements (Command Injection)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-77-command-injection
+ * @trace TSK-RULE-006
+ */
+import type { SecurityRule } from '../types.js';
+export declare const cwe77CommandInjection: SecurityRule;
+export default cwe77CommandInjection;
+//# sourceMappingURL=cwe-77-command-injection.d.ts.map

package/dist/rules/cwe/cwe-77-command-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-77-command-injection.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-77-command-injection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,qBAAqB,EAAE,YAkDnC,CAAC;AAEF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-77-command-injection.js

@@ -0,0 +1,55 @@
+/**
+ * @fileoverview CWE-77: Improper Neutralization of Special Elements (Command Injection)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-77-command-injection
+ * @trace TSK-RULE-006
+ */
+export const cwe77CommandInjection = {
+    id: 'cwe-77-command-injection',
+    name: 'CWE-77: Command Injection',
+    description: 'Detects command injection via special element neutralization issues',
+    defaultSeverity: 'critical',
+    category: 'injection',
+    tags: ['cwe', 'command', 'injection', 'security'],
+    cwe: ['77'],
+    owasp: ['A03:2021'],
+    references: [
+        { title: 'CWE-77', url: 'https://cwe.mitre.org/data/definitions/77.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /child_process.*exec\s*\(/gi, type: 'child_process.exec', severity: 'critical' },
+            { pattern: /execSync\s*\(\s*`/gi, type: 'execSync with template', severity: 'critical' },
+            { pattern: /spawn\s*\([^,]+\+/gi, type: 'spawn with concatenation', severity: 'high' },
+            { pattern: /system\s*\(\s*\$/gi, type: 'system() with variable', severity: 'critical' },
+            { pattern: /popen\s*\(/gi, type: 'popen function', severity: 'high' },
+            { pattern: /\$\{.*\}.*\|\s*sh/gi, type: 'Shell pipe with variable', severity: 'critical' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-77-${findings.length + 1}`,
+                        ruleId: 'cwe-77-command-injection',
+                        severity,
+                        message: `Command Injection - ${type}: Sanitize command arguments`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['77'],
+                        owasp: ['A03:2021'],
+                        suggestion: {
+                            description: 'Use spawn with array arguments instead of exec',
+                            example: `// Safe: use spawn with array
+const { spawn } = require('child_process');
+spawn('command', [arg1, arg2], { shell: false });`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe77CommandInjection;
+//# sourceMappingURL=cwe-77-command-injection.js.map

package/dist/rules/cwe/cwe-77-command-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-77-command-injection.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-77-command-injection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,EAAE,EAAE,0BAA0B;IAC9B,IAAI,EAAE,2BAA2B;IACjC,WAAW,EAAE,qEAAqE;IAClF,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,WAAW;IACrB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,CAAC;IACjD,GAAG,EAAE,CAAC,IAAI,CAAC;IACX,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,gDAAgD,EAAE;KAC3E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACpG,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACjG,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC/F,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAChG,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC9E,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAmB,EAAE;SACpG,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,UAAU,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACnC,MAAM,EAAE,0BAA0B;wBAClC,QAAQ;wBACR,OAAO,EAAE,uBAAuB,IAAI,8BAA8B;wBAClE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,IAAI,CAAC;wBACX,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,gDAAgD;4BAC7D,OAAO,EAAE;;kDAE2B;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-78-command-injection.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-78-command-injection
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - exec/execSync with user input
+ * - spawn/spawnSync with shell:true
+ * - Template literals in commands
+ * - Child process with unsanitized arguments
+ *
+ * CWE-78 is #5 in CWE Top 25 2023.
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * CWE-78 - OS Command Injection
+ */
+export declare const cwe78CommandInjection: SecurityRule;
+export default cwe78CommandInjection;
+//# sourceMappingURL=cwe-78-command-injection.d.ts.map

package/dist/rules/cwe/cwe-78-command-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-78-command-injection.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-78-command-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,YA+BnC,CAAC;AA+OF,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-78-command-injection.js

@@ -0,0 +1,259 @@
+/**
+ * @fileoverview CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-78-command-injection
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - exec/execSync with user input
+ * - spawn/spawnSync with shell:true
+ * - Template literals in commands
+ * - Child process with unsanitized arguments
+ *
+ * CWE-78 is #5 in CWE Top 25 2023.
+ */
+/**
+ * CWE-78 - OS Command Injection
+ */
+export const cwe78CommandInjection = {
+    id: 'cwe-78-command-injection',
+    name: 'CWE-78: OS Command Injection',
+    description: 'Detects OS command injection vulnerabilities from unsafe command execution',
+    defaultSeverity: 'critical',
+    category: 'injection',
+    tags: ['cwe', 'command', 'injection', 'shell', 'security'],
+    owasp: ['A03:2021'],
+    cwe: ['78'],
+    references: [
+        {
+            title: 'CWE-78: OS Command Injection',
+            url: 'https://cwe.mitre.org/data/definitions/78.html',
+        },
+        {
+            title: 'OWASP Command Injection',
+            url: 'https://owasp.org/www-community/attacks/Command_Injection',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceCode = context.sourceCode;
+        checkExecUsage(context, sourceCode, findings);
+        checkSpawnUsage(context, sourceCode, findings);
+        checkShellExecution(context, sourceCode, findings);
+        return findings;
+    },
+};
+/**
+ * Check for exec/execSync with user input
+ */
+function checkExecUsage(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const execPatterns = [
+        {
+            pattern: /exec\s*\(\s*['"`].*\+\s*(?:req\.|params\.|query\.|body\.|user)/gi,
+            type: 'exec with user input concatenation',
+            message: 'exec() with user input allows command injection',
+            severity: 'critical',
+        },
+        {
+            pattern: /exec\s*\(\s*`[^`]*\$\{(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'exec with user input interpolation',
+            message: 'exec() with template literal user input is vulnerable',
+            severity: 'critical',
+        },
+        {
+            pattern: /execSync\s*\(\s*['"`].*\+/gi,
+            type: 'execSync with concatenation',
+            message: 'execSync() with string concatenation may allow injection',
+            severity: 'high',
+        },
+        {
+            pattern: /execSync\s*\(\s*`[^`]*\$\{/gi,
+            type: 'execSync with interpolation',
+            message: 'execSync() with template interpolation is risky',
+            severity: 'high',
+        },
+        {
+            pattern: /execFile\s*\(\s*(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'execFile with user-controlled command',
+            message: 'execFile() with user-controlled command path is dangerous',
+            severity: 'critical',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of execPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-78-exec-${findings.length + 1}`,
+                    ruleId: 'cwe-78-command-injection',
+                    severity,
+                    message: `Command Injection - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['78'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Use execFile with argument array or sanitize input',
+                        example: `// Use execFile with separate arguments (no shell)
+const { execFile } = require('child_process');
+execFile('ls', ['-la', safeDir], (err, stdout) => {});
+
+// Or validate/whitelist commands
+const allowedCommands = ['list', 'status'];
+if (!allowedCommands.includes(userCommand)) {
+  throw new Error('Invalid command');
+}`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for spawn with shell:true
+ */
+function checkSpawnUsage(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const spawnPatterns = [
+        {
+            pattern: /spawn\s*\([^)]*shell\s*:\s*true/gi,
+            type: 'spawn with shell:true',
+            message: 'spawn() with shell:true enables shell command injection',
+            severity: 'high',
+        },
+        {
+            pattern: /spawnSync\s*\([^)]*shell\s*:\s*true/gi,
+            type: 'spawnSync with shell:true',
+            message: 'spawnSync() with shell:true enables shell command injection',
+            severity: 'high',
+        },
+        {
+            pattern: /spawn\s*\(\s*(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'spawn with user-controlled command',
+            message: 'spawn() with user-controlled command is dangerous',
+            severity: 'critical',
+        },
+        {
+            pattern: /spawn\s*\(\s*['"`]\w+['"`]\s*,\s*\[.*(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'spawn with user-controlled arguments',
+            message: 'spawn() arguments from user input should be validated',
+            severity: 'medium',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of spawnPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-78-spawn-${findings.length + 1}`,
+                    ruleId: 'cwe-78-command-injection',
+                    severity,
+                    message: `Command Injection - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['78'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Avoid shell:true and validate arguments',
+                        example: `// Use spawn without shell (default)
+const { spawn } = require('child_process');
+spawn('git', ['status']);
+
+// Validate user arguments
+const allowedArgs = ['--version', '--help'];
+const safeArgs = userArgs.filter(arg => 
+  allowedArgs.includes(arg) || /^[a-zA-Z0-9_-]+$/.test(arg)
+);
+spawn('command', safeArgs);`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for other shell execution patterns
+ */
+function checkShellExecution(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const shellPatterns = [
+        {
+            pattern: /child_process.*require.*exec/gi,
+            type: 'child_process exec import',
+            message: 'child_process exec should be used carefully',
+            severity: 'info',
+        },
+        {
+            pattern: /\$\(\s*['"`][^'"`]*(?:req\.|params\.|query\.)/gi,
+            type: 'Shell substitution with user input',
+            message: 'Shell substitution with user input is vulnerable',
+            severity: 'critical',
+        },
+        {
+            pattern: /eval\s*\(\s*['"`].*(?:sh|bash|cmd|powershell)/gi,
+            type: 'eval with shell command',
+            message: 'eval() containing shell commands is extremely dangerous',
+            severity: 'critical',
+        },
+        {
+            pattern: /\.run\s*\(\s*['"`](?:sh|bash|cmd)\s+/gi,
+            type: 'Direct shell invocation',
+            message: 'Direct shell invocation is risky',
+            severity: 'high',
+        },
+        {
+            pattern: /shelljs|execa|cross-spawn.*(?:req\.|params\.|query\.)/gi,
+            type: 'Shell library with user input',
+            message: 'Shell execution library with user input needs validation',
+            severity: 'high',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of shellPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-78-shell-${findings.length + 1}`,
+                    ruleId: 'cwe-78-command-injection',
+                    severity,
+                    message: `Command Injection - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['78'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Use safe alternatives to shell execution',
+                        example: `// Use specific APIs instead of shell commands
+// Instead of: exec('rm -rf ' + dir)
+const fs = require('fs');
+fs.rmSync(dir, { recursive: true });
+
+// For git operations, use a library
+const simpleGit = require('simple-git');
+await git.status();`,
+                    },
+                });
+            }
+        }
+    }
+}
+export default cwe78CommandInjection;
+//# sourceMappingURL=cwe-78-command-injection.js.map

package/dist/rules/cwe/cwe-78-command-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-78-command-injection.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-78-command-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,EAAE,EAAE,0BAA0B;IAC9B,IAAI,EAAE,8BAA8B;IACpC,WAAW,EACT,4EAA4E;IAC9E,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,WAAW;IACrB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,CAAC;IAC1D,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,IAAI,CAAC;IACX,UAAU,EAAE;QACV;YACE,KAAK,EAAE,8BAA8B;YACrC,GAAG,EAAE,gDAAgD;SACtD;QACD;YACE,KAAK,EAAE,yBAAyB;YAChC,GAAG,EAAE,2DAA2D;SACjE;KACF;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC9C,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC/C,mBAAmB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEnD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,cAAc,CACrB,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB;YACE,OAAO,EAAE,kEAAkE;YAC3E,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,2DAA2D;YACpE,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,6BAA6B;YACtC,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,8BAA8B;YACvC,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,qDAAqD;YAC9D,IAAI,EAAE,uCAAuC;YAC7C,OAAO,EAAE,2DAA2D;YACpE,QAAQ,EAAE,UAAmB;SAC9B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;YAChE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,eAAe,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACxC,MAAM,EAAE,0BAA0B;oBAClC,QAAQ;oBACR,OAAO,EAAE,uBAAuB,IAAI,KAAK,OAAO,EAAE;oBAClD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,oDAAoD;wBACjE,OAAO,EAAE;;;;;;;;EAQnB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,mCAAmC;YAC5C,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,yDAAyD;YAClE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,uCAAuC;YAChD,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,6DAA6D;YACtE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,kDAAkD;YAC3D,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE,mDAAmD;YAC5D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,0EAA0E;YACnF,IAAI,EAAE,sCAAsC;YAC5C,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,QAAiB;SAC5B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACzC,MAAM,EAAE,0BAA0B;oBAClC,QAAQ;oBACR,OAAO,EAAE,uBAAuB,IAAI,KAAK,OAAO,EAAE;oBAClD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,yCAAyC;wBACtD,OAAO,EAAE;;;;;;;;;4BASO;qBACjB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,gCAAgC;YACzC,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,6CAA6C;YACtD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,iDAAiD;YAC1D,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE,kDAAkD;YAC3D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,iDAAiD;YAC1D,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,yDAAyD;YAClE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,wCAAwC;YACjD,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,kCAAkC;YAC3C,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACzC,MAAM,EAAE,0BAA0B;oBAClC,QAAQ;oBACR,OAAO,EAAE,uBAAuB,IAAI,KAAK,OAAO,EAAE;oBAClD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,0CAA0C;wBACvD,OAAO,EAAE;;;;;;;oBAOD;qBACT;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,qBAAqB,CAAC"}

package/dist/rules/cwe/cwe-787-oob-write.d.ts

@@ -0,0 +1,21 @@
+/**
+ * @fileoverview CWE-787: Out-of-bounds Write
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-787-oob-write
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - Buffer overflow patterns
+ * - Array index out of bounds
+ * - Unsafe array operations
+ * - TypedArray boundary violations
+ * - Unchecked array growth
+ *
+ * CWE-787 is #1 in CWE Top 25 2023.
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * CWE-787 - Out-of-bounds Write
+ */
+export declare const cwe787OutOfBoundsWrite: SecurityRule;
+export default cwe787OutOfBoundsWrite;
+//# sourceMappingURL=cwe-787-oob-write.d.ts.map

package/dist/rules/cwe/cwe-787-oob-write.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-787-oob-write.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-787-oob-write.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,YA+BpC,CAAC;AAoUF,eAAe,sBAAsB,CAAC"}