@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/rules/cwe/cwe-79-xss.js

@@ -0,0 +1,386 @@
+/**
+ * @fileoverview CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-79-xss
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - Reflected XSS (user input in response)
+ * - Stored XSS (database content in output)
+ * - DOM-based XSS (client-side manipulation)
+ * - innerHTML/outerHTML usage
+ * - document.write usage
+ * - Unsafe template rendering
+ *
+ * CWE-79 is #2 in CWE Top 25 2023.
+ */
+/**
+ * CWE-79 - Cross-site Scripting (XSS)
+ */
+export const cwe79XSS = {
+    id: 'cwe-79-xss',
+    name: 'CWE-79: Cross-site Scripting (XSS)',
+    description: 'Detects XSS vulnerabilities including reflected, stored, and DOM-based XSS',
+    defaultSeverity: 'high',
+    category: 'injection',
+    tags: ['cwe', 'xss', 'injection', 'web', 'security'],
+    owasp: ['A03:2021'],
+    cwe: ['79'],
+    references: [
+        {
+            title: 'CWE-79: Cross-site Scripting',
+            url: 'https://cwe.mitre.org/data/definitions/79.html',
+        },
+        {
+            title: 'OWASP XSS Prevention Cheat Sheet',
+            url: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const sourceCode = context.sourceCode;
+        checkDOMXSS(context, sourceCode, findings);
+        checkReflectedXSS(context, sourceCode, findings);
+        checkUnsafeTemplating(context, sourceCode, findings);
+        checkReactVulnerabilities(context, sourceCode, findings);
+        return findings;
+    },
+};
+/**
+ * Check for DOM-based XSS vulnerabilities
+ */
+function checkDOMXSS(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const domPatterns = [
+        {
+            pattern: /\.innerHTML\s*=\s*(?!['"`]<)/gi,
+            type: 'innerHTML assignment',
+            message: 'innerHTML assignment with dynamic content can lead to DOM XSS',
+            severity: 'high',
+        },
+        {
+            pattern: /\.outerHTML\s*=\s*(?!['"`]<)/gi,
+            type: 'outerHTML assignment',
+            message: 'outerHTML assignment with dynamic content can lead to DOM XSS',
+            severity: 'high',
+        },
+        {
+            pattern: /document\.write\s*\(/gi,
+            type: 'document.write usage',
+            message: 'document.write can execute scripts and is vulnerable to XSS',
+            severity: 'high',
+        },
+        {
+            pattern: /document\.writeln\s*\(/gi,
+            type: 'document.writeln usage',
+            message: 'document.writeln can execute scripts and is vulnerable to XSS',
+            severity: 'high',
+        },
+        {
+            pattern: /\.insertAdjacentHTML\s*\(/gi,
+            type: 'insertAdjacentHTML usage',
+            message: 'insertAdjacentHTML with unsanitized input can lead to XSS',
+            severity: 'medium',
+        },
+        {
+            pattern: /\.outerText\s*=|\.innerText\s*=/gi,
+            type: 'Text content assignment',
+            message: 'innerText/outerText are safer but still review for proper encoding',
+            severity: 'info',
+        },
+        {
+            pattern: /eval\s*\(\s*(?:location\.|document\.|window\.)/gi,
+            type: 'eval with DOM properties',
+            message: 'eval() with DOM properties is highly vulnerable to XSS',
+            severity: 'critical',
+        },
+        {
+            pattern: /new\s+Function\s*\(\s*(?:location\.|document\.|window\.)/gi,
+            type: 'Function constructor with DOM',
+            message: 'Function constructor with DOM properties can execute arbitrary code',
+            severity: 'critical',
+        },
+        {
+            pattern: /setTimeout\s*\(\s*(?:location\.|document\.\w+\.value)/gi,
+            type: 'setTimeout with DOM input',
+            message: 'setTimeout with DOM input can execute injected code',
+            severity: 'high',
+        },
+        {
+            pattern: /setInterval\s*\(\s*(?:location\.|document\.\w+\.value)/gi,
+            type: 'setInterval with DOM input',
+            message: 'setInterval with DOM input can execute injected code',
+            severity: 'high',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of domPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-79-dom-${findings.length + 1}`,
+                    ruleId: 'cwe-79-xss',
+                    severity,
+                    message: `DOM XSS - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['79'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Use safe DOM manipulation methods',
+                        example: `// Instead of innerHTML, use textContent for text:
+element.textContent = userInput;
+
+// Or use DOM methods for elements:
+const safeElement = document.createElement('div');
+safeElement.textContent = userInput;
+parent.appendChild(safeElement);
+
+// For HTML, use DOMPurify:
+import DOMPurify from 'dompurify';
+element.innerHTML = DOMPurify.sanitize(userInput);`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for reflected XSS patterns (server-side)
+ */
+function checkReflectedXSS(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const reflectedPatterns = [
+        {
+            pattern: /res\.send\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'Direct response with user input',
+            message: 'Sending user input directly in response without encoding',
+            severity: 'high',
+        },
+        {
+            pattern: /res\.write\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'Writing user input to response',
+            message: 'Writing user input directly to response stream without encoding',
+            severity: 'high',
+        },
+        {
+            pattern: /res\.send\s*\(\s*`[^`]*\$\{(?:req\.|params\.|query\.)/gi,
+            type: 'Template literal with user input',
+            message: 'User input in template literal response can cause XSS',
+            severity: 'high',
+        },
+        {
+            pattern: /res\.(?:json|send)\s*\(\s*\{[^}]*:\s*(?:req\.|params\.|query\.)/gi,
+            type: 'User input in JSON response',
+            message: 'Ensure JSON response Content-Type is properly set',
+            severity: 'medium',
+        },
+        {
+            pattern: /render\s*\(\s*['"`]\w+['"`]\s*,\s*\{[^}]*:\s*(?:req\.|params\.|query\.)/gi,
+            type: 'User input passed to template',
+            message: 'User input passed to template without sanitization',
+            severity: 'medium',
+        },
+        {
+            pattern: /\.html\s*\(\s*(?:req\.|params\.|query\.)/gi,
+            type: 'User input in HTML response',
+            message: 'User input in .html() response is vulnerable to XSS',
+            severity: 'high',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of reflectedPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-79-reflected-${findings.length + 1}`,
+                    ruleId: 'cwe-79-xss',
+                    severity,
+                    message: `Reflected XSS - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['79'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Encode output before sending to client',
+                        example: `// Use a templating engine with auto-escaping (EJS, Handlebars)
+// Or encode manually:
+import { encode } from 'html-entities';
+res.send(encode(userInput));
+
+// For JSON responses, ensure Content-Type:
+res.type('application/json').json({ data: userInput });`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for unsafe templating patterns
+ */
+function checkUnsafeTemplating(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const templatePatterns = [
+        {
+            pattern: /\{\{\{\s*\w+\s*\}\}\}/gi,
+            type: 'Triple mustache (unescaped)',
+            message: 'Triple mustache in Handlebars outputs unescaped HTML',
+            severity: 'high',
+        },
+        {
+            pattern: /<%[-=]\s*(?:req\.|params\.|query\.|body\.)/gi,
+            type: 'EJS with user input',
+            message: 'EJS unescaped output (<%-) with user input is vulnerable',
+            severity: 'high',
+        },
+        {
+            pattern: /\|\s*safe\s*\}\}/gi,
+            type: 'Jinja/Nunjucks safe filter',
+            message: 'safe filter disables auto-escaping, verify input is trusted',
+            severity: 'medium',
+        },
+        {
+            pattern: /v-html\s*=\s*["']/gi,
+            type: 'Vue v-html directive',
+            message: 'v-html renders raw HTML and can cause XSS if content is untrusted',
+            severity: 'high',
+        },
+        {
+            pattern: /\[innerHTML\]\s*=\s*["']/gi,
+            type: 'Angular innerHTML binding',
+            message: 'Angular innerHTML binding with untrusted content is vulnerable',
+            severity: 'high',
+        },
+        {
+            pattern: /bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/gi,
+            type: 'Angular security bypass',
+            message: 'Bypassing Angular sanitization is dangerous with untrusted content',
+            severity: 'critical',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of templatePatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-79-template-${findings.length + 1}`,
+                    ruleId: 'cwe-79-xss',
+                    severity,
+                    message: `Template XSS - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['79'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Use escaped output in templates',
+                        example: `// Handlebars: Use double mustache for escaped output
+{{ safeVariable }}
+
+// EJS: Use <%= for escaped output
+<%= userInput %>
+
+// Vue: Use v-text or {{ }} for text content
+<span>{{ userInput }}</span>
+
+// Angular: Trust only after sanitization
+this.sanitizer.sanitize(SecurityContext.HTML, content)`,
+                    },
+                });
+            }
+        }
+    }
+}
+/**
+ * Check for React-specific XSS vulnerabilities
+ */
+function checkReactVulnerabilities(context, sourceCode, findings) {
+    const lines = sourceCode.split('\n');
+    const reactPatterns = [
+        {
+            pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{/gi,
+            type: 'dangerouslySetInnerHTML usage',
+            message: 'dangerouslySetInnerHTML can cause XSS if content is not sanitized',
+            severity: 'high',
+        },
+        {
+            pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|state\.|data\.)/gi,
+            type: 'dangerouslySetInnerHTML with props/state',
+            message: 'Using props or state in dangerouslySetInnerHTML without sanitization',
+            severity: 'critical',
+        },
+        {
+            pattern: /href\s*=\s*\{\s*`javascript:/gi,
+            type: 'JavaScript URL in href',
+            message: 'JavaScript URLs in href attributes can execute scripts',
+            severity: 'critical',
+        },
+        {
+            pattern: /href\s*=\s*\{\s*(?:props\.|state\.|data\.)/gi,
+            type: 'Dynamic href from props/state',
+            message: 'Dynamic href values should be validated against javascript: protocol',
+            severity: 'medium',
+        },
+        {
+            pattern: /createRef\(\).*\.current\.innerHTML\s*=/gi,
+            type: 'Ref innerHTML assignment',
+            message: 'Setting innerHTML via ref bypasses React protection',
+            severity: 'high',
+        },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, type, message, severity } of reactPatterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `cwe-79-react-${findings.length + 1}`,
+                    ruleId: 'cwe-79-xss',
+                    severity,
+                    message: `React XSS - ${type}: ${message}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['79'],
+                    owasp: ['A03:2021'],
+                    suggestion: {
+                        description: 'Use React safe patterns',
+                        example: `// Sanitize before using dangerouslySetInnerHTML
+import DOMPurify from 'dompurify';
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />
+
+// Validate URLs before using in href
+const safeUrl = url.startsWith('javascript:') ? '#' : url;
+<a href={safeUrl}>Link</a>
+
+// Prefer textContent for text
+<span>{userInput}</span>`,
+                    },
+                });
+            }
+        }
+    }
+}
+export default cwe79XSS;
+//# sourceMappingURL=cwe-79-xss.js.map

package/dist/rules/cwe/cwe-79-xss.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-79-xss.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-79-xss.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAiB;IACpC,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,oCAAoC;IAC1C,WAAW,EACT,4EAA4E;IAC9E,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,WAAW;IACrB,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,CAAC;IACpD,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,IAAI,CAAC;IACX,UAAU,EAAE;QACV;YACE,KAAK,EAAE,8BAA8B;YACrC,GAAG,EAAE,gDAAgD;SACtD;QACD;YACE,KAAK,EAAE,kCAAkC;YACzC,GAAG,EAAE,iGAAiG;SACvG;KACF;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC3C,iBAAiB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACjD,qBAAqB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACrD,yBAAyB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEzD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,WAAW,CAClB,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,WAAW,GAAG;QAClB;YACE,OAAO,EAAE,gCAAgC;YACzC,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EACL,+DAA+D;YACjE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,gCAAgC;YACzC,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EACL,+DAA+D;YACjE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,wBAAwB;YACjC,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EACL,6DAA6D;YAC/D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,0BAA0B;YACnC,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EACL,+DAA+D;YACjE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,6BAA6B;YACtC,IAAI,EAAE,0BAA0B;YAChC,OAAO,EACL,2DAA2D;YAC7D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,mCAAmC;YAC5C,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EACL,oEAAoE;YACtE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,kDAAkD;YAC3D,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,wDAAwD;YACjE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,4DAA4D;YACrE,IAAI,EAAE,+BAA+B;YACrC,OAAO,EACL,qEAAqE;YACvE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,qDAAqD;YAC9D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,0DAA0D;YACnE,IAAI,EAAE,4BAA4B;YAClC,OAAO,EAAE,sDAAsD;YAC/D,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,WAAW,EAAE,CAAC;YAC/D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,cAAc,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACvC,MAAM,EAAE,YAAY;oBACpB,QAAQ;oBACR,OAAO,EAAE,aAAa,IAAI,KAAK,OAAO,EAAE;oBACxC,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,mCAAmC;wBAChD,OAAO,EAAE;;;;;;;;;;mDAU8B;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,iBAAiB,GAAG;QACxB;YACE,OAAO,EAAE,+CAA+C;YACxD,IAAI,EAAE,iCAAiC;YACvC,OAAO,EACL,0DAA0D;YAC5D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,gDAAgD;YACzD,IAAI,EAAE,gCAAgC;YACtC,OAAO,EACL,iEAAiE;YACnE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,yDAAyD;YAClE,IAAI,EAAE,kCAAkC;YACxC,OAAO,EACL,uDAAuD;YACzD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,mEAAmE;YAC5E,IAAI,EAAE,6BAA6B;YACnC,OAAO,EACL,mDAAmD;YACrD,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EACL,2EAA2E;YAC7E,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,oDAAoD;YAC7D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,4CAA4C;YACrD,IAAI,EAAE,6BAA6B;YACnC,OAAO,EACL,qDAAqD;YACvD,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;YACrE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,oBAAoB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC7C,MAAM,EAAE,YAAY;oBACpB,QAAQ;oBACR,OAAO,EAAE,mBAAmB,IAAI,KAAK,OAAO,EAAE;oBAC9C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,wCAAwC;wBACrD,OAAO,EAAE;;;;;;wDAMmC;qBAC7C;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB;YACE,OAAO,EAAE,yBAAyB;YAClC,IAAI,EAAE,6BAA6B;YACnC,OAAO,EACL,sDAAsD;YACxD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,8CAA8C;YACvD,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EACL,0DAA0D;YAC5D,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,oBAAoB;YAC7B,IAAI,EAAE,4BAA4B;YAClC,OAAO,EACL,6DAA6D;YAC/D,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,qBAAqB;YAC9B,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EACL,mEAAmE;YACrE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,4BAA4B;YACrC,IAAI,EAAE,2BAA2B;YACjC,OAAO,EACL,gEAAgE;YAClE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,iEAAiE;YAC1E,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EACL,oEAAoE;YACtE,QAAQ,EAAE,UAAmB;SAC9B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,gBAAgB,EAAE,CAAC;YACpE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC5C,MAAM,EAAE,YAAY;oBACpB,QAAQ;oBACR,OAAO,EAAE,kBAAkB,IAAI,KAAK,OAAO,EAAE;oBAC7C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,iCAAiC;wBAC9C,OAAO,EAAE;;;;;;;;;;uDAUkC;qBAC5C;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAChC,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,yCAAyC;YAClD,IAAI,EAAE,+BAA+B;YACrC,OAAO,EACL,mEAAmE;YACrE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EACL,mFAAmF;YACrF,IAAI,EAAE,0CAA0C;YAChD,OAAO,EACL,sEAAsE;YACxE,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,gCAAgC;YACzC,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EACL,wDAAwD;YAC1D,QAAQ,EAAE,UAAmB;SAC9B;QACD;YACE,OAAO,EAAE,8CAA8C;YACvD,IAAI,EAAE,+BAA+B;YACrC,OAAO,EACL,sEAAsE;YACxE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,2CAA2C;YACpD,IAAI,EAAE,0BAA0B;YAChC,OAAO,EACL,qDAAqD;YACvD,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,gBAAgB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBACzC,MAAM,EAAE,YAAY;oBACpB,QAAQ;oBACR,OAAO,EAAE,eAAe,IAAI,KAAK,OAAO,EAAE;oBAC1C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,IAAI,CAAC;oBACX,KAAK,EAAE,CAAC,UAAU,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,yBAAyB;wBACtC,OAAO,EAAE;;;;;;;;;yBASI;qBACd;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,QAAQ,CAAC"}

package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview CWE-798: Use of Hard-coded Credentials
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-798-hardcoded-credentials
+ * @trace TSK-RULE-006
+ */
+import type { SecurityRule } from '../types.js';
+export declare const cwe798HardcodedCredentials: SecurityRule;
+export default cwe798HardcodedCredentials;
+//# sourceMappingURL=cwe-798-hardcoded-credentials.d.ts.map

package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-798-hardcoded-credentials.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-798-hardcoded-credentials.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,0BAA0B,EAAE,YAqDxC,CAAC;AAEF,eAAe,0BAA0B,CAAC"}

package/dist/rules/cwe/cwe-798-hardcoded-credentials.js

@@ -0,0 +1,58 @@
+/**
+ * @fileoverview CWE-798: Use of Hard-coded Credentials
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-798-hardcoded-credentials
+ * @trace TSK-RULE-006
+ */
+export const cwe798HardcodedCredentials = {
+    id: 'cwe-798-hardcoded-credentials',
+    name: 'CWE-798: Hard-coded Credentials',
+    description: 'Detects hard-coded passwords, API keys, and secrets',
+    defaultSeverity: 'critical',
+    category: 'secrets',
+    tags: ['cwe', 'credentials', 'secrets', 'security'],
+    cwe: ['798'],
+    owasp: ['A07:2021'],
+    references: [
+        { title: 'CWE-798', url: 'https://cwe.mitre.org/data/definitions/798.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /password\s*[:=]\s*['"`][^'"`]{4,}['"`]/gi, type: 'Hardcoded password', severity: 'critical' },
+            { pattern: /api[_-]?key\s*[:=]\s*['"`][^'"`]{8,}['"`]/gi, type: 'Hardcoded API key', severity: 'critical' },
+            { pattern: /secret\s*[:=]\s*['"`][^'"`]{8,}['"`]/gi, type: 'Hardcoded secret', severity: 'critical' },
+            { pattern: /token\s*[:=]\s*['"`][A-Za-z0-9_-]{20,}['"`]/gi, type: 'Hardcoded token', severity: 'critical' },
+            { pattern: /private[_-]?key\s*[:=]\s*['"`]/gi, type: 'Hardcoded private key', severity: 'critical' },
+            { pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi, type: 'Embedded private key', severity: 'critical' },
+            { pattern: /aws[_-]?(?:access|secret)[_-]?key\s*[:=]/gi, type: 'AWS credentials', severity: 'critical' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-798-${findings.length + 1}`,
+                        ruleId: 'cwe-798-hardcoded-credentials',
+                        severity,
+                        message: `Hardcoded Credentials - ${type}: Use environment variables`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['798'],
+                        owasp: ['A07:2021'],
+                        suggestion: {
+                            description: 'Use environment variables or secrets manager',
+                            example: `// Use environment variables
+const apiKey = process.env.API_KEY;
+
+// Or use a secrets manager
+const secret = await secretsManager.getSecret('my-secret');`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe798HardcodedCredentials;
+//# sourceMappingURL=cwe-798-hardcoded-credentials.js.map

package/dist/rules/cwe/cwe-798-hardcoded-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-798-hardcoded-credentials.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-798-hardcoded-credentials.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,0BAA0B,GAAiB;IACtD,EAAE,EAAE,+BAA+B;IACnC,IAAI,EAAE,iCAAiC;IACvC,WAAW,EAAE,qDAAqD;IAClE,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,CAAC;IACnD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAClH,EAAE,OAAO,EAAE,6CAA6C,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACpH,EAAE,OAAO,EAAE,wCAAwC,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC9G,EAAE,OAAO,EAAE,+CAA+C,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACpH,EAAE,OAAO,EAAE,kCAAkC,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC7G,EAAE,OAAO,EAAE,8CAA8C,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YACxH,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAmB,EAAE;SAClH,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,+BAA+B;wBACvC,QAAQ;wBACR,OAAO,EAAE,2BAA2B,IAAI,6BAA6B;wBACrE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,8CAA8C;4BAC3D,OAAO,EAAE;;;;4DAIqC;yBAC/C;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,0BAA0B,CAAC"}

package/dist/rules/cwe/cwe-862-missing-auth.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview CWE-862: Missing Authorization
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-862-missing-auth
+ * @trace TSK-RULE-005
+ */
+import type { SecurityRule } from '../types.js';
+export declare const cwe862MissingAuth: SecurityRule;
+export default cwe862MissingAuth;
+//# sourceMappingURL=cwe-862-missing-auth.d.ts.map

package/dist/rules/cwe/cwe-862-missing-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-862-missing-auth.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-862-missing-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,iBAAiB,EAAE,YAkD/B,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/rules/cwe/cwe-862-missing-auth.js

@@ -0,0 +1,55 @@
+/**
+ * @fileoverview CWE-862: Missing Authorization
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-862-missing-auth
+ * @trace TSK-RULE-005
+ */
+export const cwe862MissingAuth = {
+    id: 'cwe-862-missing-auth',
+    name: 'CWE-862: Missing Authorization',
+    description: 'Detects missing authorization checks',
+    defaultSeverity: 'high',
+    category: 'access-control',
+    tags: ['cwe', 'authorization', 'access-control', 'security'],
+    owasp: ['A01:2021'],
+    cwe: ['862'],
+    references: [
+        { title: 'CWE-862', url: 'https://cwe.mitre.org/data/definitions/862.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /app\.(?:get|post|put|delete)\s*\(\s*['"`]\/admin/gi, type: 'Admin route', severity: 'high' },
+            { pattern: /\.findByIdAndUpdate\s*\(\s*req\.params/gi, type: 'Direct ID update', severity: 'high' },
+            { pattern: /\.findByIdAndDelete\s*\(\s*req\.params/gi, type: 'Direct ID delete', severity: 'high' },
+            { pattern: /\.destroy\s*\(\s*\{\s*where\s*:\s*\{\s*id\s*:\s*req\.params/gi, type: 'Direct destroy', severity: 'high' },
+            { pattern: /req\.user\.id\s*!==?\s*req\.params\.id/gi, type: 'Ownership check found', severity: 'info' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-862-${findings.length + 1}`,
+                        ruleId: 'cwe-862-missing-auth',
+                        severity,
+                        message: `Authorization - ${type}: Verify user has permission`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['862'],
+                        owasp: ['A01:2021'],
+                        suggestion: {
+                            description: 'Add authorization middleware',
+                            example: `// Check ownership before update
+if (resource.userId !== req.user.id) {
+  return res.status(403).json({ error: 'Forbidden' });
+}`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe862MissingAuth;
+//# sourceMappingURL=cwe-862-missing-auth.js.map

package/dist/rules/cwe/cwe-862-missing-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-862-missing-auth.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-862-missing-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,iBAAiB,GAAiB;IAC7C,EAAE,EAAE,sBAAsB;IAC1B,IAAI,EAAE,gCAAgC;IACtC,WAAW,EAAE,sCAAsC;IACnD,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,gBAAgB;IAC1B,IAAI,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,CAAC;IAC5D,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,oDAAoD,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAe,EAAE;YACjH,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC5G,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC5G,EAAE,OAAO,EAAE,+DAA+D,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAC/H,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,MAAe,EAAE;SAClH,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,sBAAsB;wBAC9B,QAAQ;wBACR,OAAO,EAAE,mBAAmB,IAAI,8BAA8B;wBAC9D,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,8BAA8B;4BAC3C,OAAO,EAAE;;;EAGrB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview CWE-863: Incorrect Authorization
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-863-incorrect-auth
+ * @trace TSK-RULE-006
+ */
+import type { SecurityRule } from '../types.js';
+export declare const cwe863IncorrectAuth: SecurityRule;
+export default cwe863IncorrectAuth;
+//# sourceMappingURL=cwe-863-incorrect-auth.d.ts.map

package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-863-incorrect-auth.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-863-incorrect-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,mBAAmB,EAAE,YAqDjC,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/dist/rules/cwe/cwe-863-incorrect-auth.js

@@ -0,0 +1,58 @@
+/**
+ * @fileoverview CWE-863: Incorrect Authorization
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-863-incorrect-auth
+ * @trace TSK-RULE-006
+ */
+export const cwe863IncorrectAuth = {
+    id: 'cwe-863-incorrect-auth',
+    name: 'CWE-863: Incorrect Authorization',
+    description: 'Detects incorrect authorization implementation patterns',
+    defaultSeverity: 'high',
+    category: 'authorization',
+    tags: ['cwe', 'authorization', 'access-control', 'security'],
+    cwe: ['863'],
+    owasp: ['A01:2021'],
+    references: [
+        { title: 'CWE-863', url: 'https://cwe.mitre.org/data/definitions/863.html' },
+    ],
+    async analyze(context) {
+        const findings = [];
+        const lines = context.sourceCode.split('\n');
+        const patterns = [
+            { pattern: /if\s*\(\s*user\.id\s*===?\s*req\.params/gi, type: 'Client-side ID comparison', severity: 'high' },
+            { pattern: /req\.user\.role\s*===?\s*['"`]admin['"`]\s*\|\|/gi, type: 'OR-based permission check', severity: 'medium' },
+            { pattern: /\.findById\s*\(\s*req\.params/gi, type: 'Direct ID access without ownership', severity: 'high' },
+            { pattern: /canAccess\s*=\s*true/gi, type: 'Hardcoded access grant', severity: 'high' },
+            { pattern: /authorization.*skip|bypass.*auth/gi, type: 'Authorization bypass', severity: 'critical' },
+            { pattern: /user\.permissions\.includes\s*\(\s*req\./gi, type: 'Permission from user input', severity: 'critical' },
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const { pattern, type, severity } of patterns) {
+                pattern.lastIndex = 0;
+                if (pattern.test(lines[i])) {
+                    findings.push({
+                        id: `cwe-863-${findings.length + 1}`,
+                        ruleId: 'cwe-863-incorrect-auth',
+                        severity,
+                        message: `Incorrect Authorization - ${type}: Implement proper access control`,
+                        location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
+                        cwe: ['863'],
+                        owasp: ['A01:2021'],
+                        suggestion: {
+                            description: 'Use centralized authorization with ownership checks',
+                            example: `// Proper authorization
+const resource = await Resource.findById(id);
+if (!resource) throw new NotFoundError();
+if (resource.ownerId !== user.id && !user.isAdmin) {
+  throw new ForbiddenError();
+}`,
+                        },
+                    });
+                }
+            }
+        }
+        return findings;
+    },
+};
+export default cwe863IncorrectAuth;
+//# sourceMappingURL=cwe-863-incorrect-auth.js.map

package/dist/rules/cwe/cwe-863-incorrect-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwe-863-incorrect-auth.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-863-incorrect-auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,mBAAmB,GAAiB;IAC/C,EAAE,EAAE,wBAAwB;IAC5B,IAAI,EAAE,kCAAkC;IACxC,WAAW,EAAE,yDAAyD;IACtE,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,CAAC;IAC5D,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,2CAA2C,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACtH,EAAE,OAAO,EAAE,mDAAmD,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAChI,EAAE,OAAO,EAAE,iCAAiC,EAAE,IAAI,EAAE,oCAAoC,EAAE,QAAQ,EAAE,MAAe,EAAE;YACrH,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,MAAe,EAAE;YAChG,EAAE,OAAO,EAAE,oCAAoC,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC9G,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAmB,EAAE;SAC7H,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,wBAAwB;wBAChC,QAAQ;wBACR,OAAO,EAAE,6BAA6B,IAAI,mCAAmC;wBAC7E,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,KAAK,EAAE,CAAC,UAAU,CAAC;wBACnB,UAAU,EAAE;4BACV,WAAW,EAAE,qDAAqD;4BAClE,OAAO,EAAE;;;;;EAKrB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/dist/rules/cwe/cwe-89-sql-injection.d.ts

@@ -0,0 +1,21 @@
+/**
+ * @fileoverview CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
+ * @module @nahisaho/musubix-security/rules/cwe/cwe-89-sql-injection
+ * @trace TSK-RULE-005
+ *
+ * Detects:
+ * - String concatenation in SQL queries
+ * - Template literals with user input in SQL
+ * - Raw/unsafe query methods
+ * - ORM bypass patterns
+ * - Stored procedure injection
+ *
+ * CWE-89 is #3 in CWE Top 25 2023.
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * CWE-89 - SQL Injection
+ */
+export declare const cwe89SQLInjection: SecurityRule;
+export default cwe89SQLInjection;
+//# sourceMappingURL=cwe-89-sql-injection.d.ts.map