@oculum/scanner 1.0.0

package/dist/layer2/dangerous-functions.js

@@ -0,0 +1,1375 @@
+"use strict";
+/**
+ * Layer 2: Dangerous Function Call Analysis
+ * Detects usage of dangerous functions that can lead to security vulnerabilities
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectDangerousFunctions = detectDangerousFunctions;
+const context_helpers_1 = require("../utils/context-helpers");
+/**
+ * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+ * Returns true if this is a child_process exec call that should be flagged
+ */
+function isChildProcessExec(content, lineContent) {
+    // Check for child_process import
+    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]child_process['"]/.test(content) ||
+        /import\s+.*child_process/.test(content) ||
+        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]node:child_process['"]/.test(content);
+    // If no child_process import, this is likely RegExp.exec or similar
+    if (!hasChildProcessImport) {
+        return false;
+    }
+    // Check if this specific line is RegExp.exec pattern
+    // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
+    const isRegExpExec = /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
+        !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')); // Not a standalone exec()
+    // Also check for common RegExp patterns
+    const isRegExpPattern = /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
+        /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
+        /regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
+        /pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
+        /match\.exec\s*\(/i.test(lineContent) || // match.exec()
+        /re\.exec\s*\(/i.test(lineContent); // re.exec()
+    if (isRegExpExec || isRegExpPattern) {
+        return false;
+    }
+    // Check if exec is imported/destructured from child_process
+    const execImported = /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
+        /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
+        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
+        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content);
+    // If exec is directly imported from child_process, standalone exec() is dangerous
+    if (execImported && /\bexec\s*\(/.test(lineContent)) {
+        return true;
+    }
+    // Check for child_process.exec() pattern
+    if (/child_process\.exec\s*\(/.test(lineContent) ||
+        /cp\.exec\s*\(/.test(lineContent) ||
+        /childProcess\.exec\s*\(/.test(lineContent)) {
+        return true;
+    }
+    // If we have child_process import but can't determine usage, be conservative
+    // Only flag if it looks like a standalone exec() call
+    return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent);
+}
+/**
+ * Check if schema validation is applied near a JSON.parse call
+ * Looks for zod, yup, joi, or similar validation patterns
+ */
+function hasSchemaValidationNearby(content, lineNumber) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineNumber - 5);
+    const end = Math.min(lines.length, lineNumber + 10);
+    const context = lines.slice(start, end).join('\n');
+    const schemaValidationPatterns = [
+        // Zod patterns
+        /z\.(object|string|number|array|boolean)\s*\(/i,
+        /\.parse\s*\(/i,
+        /\.safeParse\s*\(/i,
+        /schema\.parse/i,
+        /Schema\.parse/i,
+        // Yup patterns
+        /yup\.(object|string|number|array|boolean)\s*\(/i,
+        /\.validate\s*\(/i,
+        /\.validateSync\s*\(/i,
+        // Joi patterns
+        /Joi\.(object|string|number|array|boolean)\s*\(/i,
+        /\.validateAsync\s*\(/i,
+        // Valibot patterns
+        /v\.(object|string|number|array|boolean)\s*\(/i,
+        // AJV patterns
+        /ajv\.compile/i,
+        /validate\s*\(\s*schema/i,
+        // TypeBox patterns
+        /Type\.(Object|String|Number|Array|Boolean)\s*\(/i,
+        // Generic validation patterns
+        /validateSchema/i,
+        /schemaValidator/i,
+        /parseAndValidate/i,
+    ];
+    return schemaValidationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if path traversal protection is in place
+ * Looks for common sanitization patterns that prevent directory traversal attacks
+ */
+function hasPathTraversalProtection(context, lineContent) {
+    const protectionPatterns = [
+        // Path normalization with base directory check
+        /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
+        /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir)/i,
+        // Explicit ".." rejection
+        /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
+        // Path sanitization libraries
+        /sanitizePath|sanitizeFilename|sanitize-filename/i,
+        /path-sanitizer|secure-path/i,
+        // Explicit path validation
+        /validatePath|isValidPath|checkPath|verifyPath/i,
+        /isPathAllowed|isAllowedPath|pathIsAllowed/i,
+        // Normalize and check pattern
+        /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
+        // Regex validation for safe characters only
+        /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//, // Only alphanumeric, dash, underscore, dot
+        // Allowlist/whitelist patterns
+        /allowedExtensions|allowedTypes|whitelist/i,
+        /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i, // Extension check
+        // Path.basename to strip directory
+        /path\.basename\s*\(/i,
+        // Zod/validation for filename patterns
+        /z\.string\s*\(\s*\)\.regex\s*\(/i,
+    ];
+    return protectionPatterns.some(p => p.test(context) || p.test(lineContent));
+}
+/**
+ * Check if spawn/execFile/execSync is from child_process
+ */
+function isChildProcessSpawn(content, lineContent) {
+    // Check for child_process import
+    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]child_process['"]/.test(content) ||
+        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+        /from\s+['"]node:child_process['"]/.test(content);
+    if (!hasChildProcessImport) {
+        return false;
+    }
+    // These functions are always from child_process when that module is imported
+    return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent);
+}
+/**
+ * Check if a line is inside a try-catch block
+ * Looks for enclosing try { ... } catch pattern
+ */
+function isInsideTryCatch(content, lineNumber) {
+    const lines = content.split('\n');
+    // Track brace depth and whether we're in a try block
+    let tryDepth = 0;
+    let inTryBlock = false;
+    let braceStack = [];
+    // Scan from start to the target line
+    for (let i = 0; i < lineNumber && i < lines.length; i++) {
+        const line = lines[i];
+        // Check for try keyword (not in a comment)
+        if (/\btry\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            inTryBlock = true;
+            tryDepth++;
+            // Count opening braces on this line
+            const openBraces = (line.match(/\{/g) || []).length;
+            const closeBraces = (line.match(/\}/g) || []).length;
+            for (let j = 0; j < openBraces - closeBraces; j++) {
+                braceStack.push('try');
+            }
+        }
+        else if (/\bcatch\s*\(/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            // Entering catch block - still protected
+            // Don't decrement tryDepth yet
+        }
+        else if (/\bfinally\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            // Entering finally block - still protected
+        }
+        else {
+            // Track regular braces
+            const openBraces = (line.match(/\{/g) || []).length;
+            const closeBraces = (line.match(/\}/g) || []).length;
+            for (let j = 0; j < openBraces; j++) {
+                braceStack.push(inTryBlock && tryDepth > 0 ? 'try' : 'other');
+            }
+            for (let j = 0; j < closeBraces; j++) {
+                const popped = braceStack.pop();
+                if (popped === 'try') {
+                    tryDepth--;
+                    if (tryDepth === 0) {
+                        inTryBlock = false;
+                    }
+                }
+            }
+        }
+    }
+    return tryDepth > 0;
+}
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope
+ * Looks for try { before the line and } catch after, within reasonable bounds
+ */
+function hasTryCatchNearby(content, lineNumber, windowSize = 20) {
+    const lines = content.split('\n');
+    const startLine = Math.max(0, lineNumber - windowSize);
+    const endLine = Math.min(lines.length, lineNumber + windowSize);
+    // Look backward for 'try {'
+    let foundTry = false;
+    for (let i = lineNumber - 1; i >= startLine; i--) {
+        const line = lines[i];
+        if (/\btry\s*\{/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            foundTry = true;
+            break;
+        }
+        // Stop if we hit a function boundary
+        if (/\b(function|async function|=>|class)\b/.test(line) && /\{/.test(line)) {
+            break;
+        }
+    }
+    if (!foundTry)
+        return false;
+    // Look forward for '} catch'
+    for (let i = lineNumber; i < endLine; i++) {
+        const line = lines[i];
+        if (/\}\s*catch\s*\(/.test(line) && !(0, context_helpers_1.isComment)(line)) {
+            return true;
+        }
+        // Stop if we hit another function boundary
+        if (i > lineNumber && /\b(function|async function|class)\b/.test(line) && /\{/.test(line)) {
+            break;
+        }
+    }
+    return false;
+}
+/**
+ * Check if file path indicates a low-risk context for JSON.parse
+ */
+function isLowRiskJSONParseFile(filePath) {
+    // Test/mock files - skip or info only
+    if ((0, context_helpers_1.isTestOrMockFile)(filePath)) {
+        return 'test_fixture';
+    }
+    // Settings/preferences components - internal UI state
+    if (/\/(components|pages)\/(settings|preferences|config)/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // Provider/context files - typically storing state in localStorage
+    if (/Provider\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // Modal/Dialog components - typically internal state
+    if (/(Modal|Dialog|Settings|Preferences)\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // __mocks__ directory
+    if (/__mocks__/i.test(filePath)) {
+        return 'test_fixture';
+    }
+    // fixtures directory
+    if (/\/(fixtures?|stubs?|mocks?)\//i.test(filePath)) {
+        return 'test_fixture';
+    }
+    // scripts/tools directories (internal tooling)
+    if (/\/(scripts?|tools?|cli)\//i.test(filePath)) {
+        return 'internal';
+    }
+    // Migration files
+    if (/migration/i.test(filePath)) {
+        return 'migration';
+    }
+    // Config files
+    if (/\/(config|settings|constants)\.(ts|js)/i.test(filePath)) {
+        return 'config';
+    }
+    return null;
+}
+/**
+ * Check if JSON.parse is parsing a trusted SDK response
+ * These are well-defined responses from known APIs and are safe to parse
+ */
+function isTrustedSDKResponse(lineContent, content) {
+    const trustedPatterns = [
+        // OpenAI SDK responses
+        /JSON\.parse\s*\(\s*(?:response|completion|result|message)\.(?:content|text|data)/i,
+        /JSON\.parse\s*\(\s*(?:openai|anthropic|client)\./i,
+        // Fetch response.json() result (already parsed by fetch)
+        /JSON\.parse\s*\(\s*await\s+.*\.json\s*\(\s*\)\s*\)/i,
+        // SDK method results
+        /JSON\.parse\s*\(\s*(?:result|response)\.(?:choices|content|data|body)\[/i,
+        // AI SDK streaming results
+        /JSON\.parse\s*\(\s*(?:chunk|delta|part)\.(?:content|text)/i,
+    ];
+    if (trustedPatterns.some(p => p.test(lineContent))) {
+        return true;
+    }
+    // Check surrounding context for SDK usage
+    const sdkContextPatterns = [
+        /openai\..*\.create/i,
+        /anthropic\..*\.create/i,
+        /\.chat\.completions/i,
+        /\.messages\.create/i,
+    ];
+    return sdkContextPatterns.some(p => p.test(content));
+}
+function classifyJSONParseSource(lineContent, filePath) {
+    // First check file path for low-risk contexts
+    const fileBasedSource = isLowRiskJSONParseFile(filePath);
+    if (fileBasedSource) {
+        return fileBasedSource;
+    }
+    // User input - potentially dangerous
+    const userInputPatterns = [
+        /JSON\.parse\s*\(\s*(req|request)\.(body|query|params)/i,
+        /JSON\.parse\s*\(\s*event\.(body|queryStringParameters)/i, // AWS Lambda
+        /JSON\.parse\s*\(\s*ctx\.(request|body|query)/i, // Koa
+        /JSON\.parse\s*\(\s*(input|userInput|rawInput|payload)/i,
+        /JSON\.parse\s*\(\s*body\b/i, // Generic 'body' often means request body
+    ];
+    if (userInputPatterns.some(p => p.test(lineContent))) {
+        return 'user_input';
+    }
+    // localStorage/sessionStorage - client-side storage
+    const storagePatterns = [
+        /JSON\.parse\s*\(\s*localStorage\.getItem/i,
+        /JSON\.parse\s*\(\s*sessionStorage\.getItem/i,
+        /JSON\.parse\s*\(\s*window\.localStorage/i,
+        /JSON\.parse\s*\(\s*storage\.get/i,
+        /JSON\.parse\s*\(\s*saved\b/i, // Common pattern: const saved = localStorage.getItem(...); JSON.parse(saved)
+        /JSON\.parse\s*\(\s*stored\b/i,
+    ];
+    if (storagePatterns.some(p => p.test(lineContent))) {
+        return 'local_storage';
+    }
+    // Database results - internal data
+    const databasePatterns = [
+        /JSON\.parse\s*\(\s*(row|result|record|doc|document)\./i,
+        /JSON\.parse\s*\(\s*\w+\.(data|json|metadata|embedding)\)/i,
+        /JSON\.parse\s*\(\s*\w+\[['"]?\w+['"]?\]\.(data|json|embedding)/i,
+        /JSON\.parse\s*\(\s*item\.\w+\)/i, // ORM iteration: items.map(item => JSON.parse(item.field))
+        /JSON\.parse\s*\(\s*\w+\.content\)/i, // Parsing content field from DB
+    ];
+    if (databasePatterns.some(p => p.test(lineContent))) {
+        return 'database';
+    }
+    // Editor state, internal caches, UI state
+    const internalPatterns = [
+        /JSON\.parse\s*\(\s*(state|cache|stored|saved|cached)/i,
+        /JSON\.parse\s*\(\s*this\.(state|cache|data)/i,
+        /JSON\.parse\s*\(\s*\w+State\)/i,
+        /JSON\.parse\s*\(\s*editorState/i,
+        /JSON\.parse\s*\(\s*parsed\b/i, // JSON.parse(parsed) - likely already validated
+        /JSON\.parse\s*\(\s*settings\b/i, // Settings data
+        /JSON\.parse\s*\(\s*preferences\b/i,
+    ];
+    if (internalPatterns.some(p => p.test(lineContent))) {
+        return 'internal';
+    }
+    // Node content in editor apps (e.g., noda-os nodes have JSON content)
+    if (/JSON\.parse\s*\(\s*(node|note|document|entry)\.(content|body|data)\)/i.test(lineContent)) {
+        return 'database';
+    }
+    return 'unknown';
+}
+const DANGEROUS_FUNCTIONS = [
+    // Code execution
+    {
+        name: 'eval() usage',
+        pattern: /\beval\s*\(/gi,
+        severity: 'critical',
+        description: 'eval() executes arbitrary code and is a major security risk',
+        suggestedFix: 'Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution',
+    },
+    {
+        name: 'Function constructor',
+        pattern: /new\s+Function\s*\(/gi,
+        severity: 'critical',
+        description: 'Function constructor can execute arbitrary code like eval()',
+        suggestedFix: 'Refactor to use static functions or safe alternatives',
+    },
+    {
+        name: 'setTimeout/setInterval with string',
+        pattern: /set(Timeout|Interval)\s*\(\s*['"`]/gi,
+        severity: 'high',
+        description: 'setTimeout/setInterval with string argument acts like eval()',
+        suggestedFix: 'Pass a function reference instead of a string',
+    },
+    // Command injection
+    {
+        name: 'child_process exec',
+        pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/gi,
+        severity: 'high',
+        description: 'Shell command execution can lead to command injection',
+        suggestedFix: 'Validate and sanitize all inputs, prefer execFile over exec',
+    },
+    {
+        name: 'os.system/subprocess (Python)',
+        pattern: /\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(/gi,
+        severity: 'high',
+        description: 'Shell command execution can lead to command injection',
+        suggestedFix: 'Use subprocess with shell=False and pass arguments as a list',
+        languages: ['py'],
+    },
+    // SQL injection risks
+    {
+        name: 'Raw SQL query construction',
+        pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
+        severity: 'critical',
+        description: 'String concatenation in SQL queries can lead to SQL injection',
+        suggestedFix: 'Use parameterized queries or prepared statements',
+    },
+    {
+        name: 'SQL template literal',
+        pattern: /`SELECT.*FROM.*WHERE.*\$\{|`INSERT.*INTO.*VALUES.*\$\{|`UPDATE.*SET.*\$\{|`DELETE.*FROM.*WHERE.*\$\{/gi,
+        severity: 'critical',
+        description: 'Template literals in SQL queries can lead to SQL injection',
+        suggestedFix: 'Use parameterized queries with placeholders (?, $1, etc.)',
+    },
+    // XSS risks
+    {
+        name: 'innerHTML assignment',
+        pattern: /\.innerHTML\s*=|\.outerHTML\s*=/gi,
+        severity: 'high',
+        description: 'Direct innerHTML assignment can lead to XSS vulnerabilities',
+        suggestedFix: 'Use textContent for text, or sanitize HTML with DOMPurify',
+    },
+    {
+        name: 'document.write',
+        pattern: /document\.write\s*\(/gi,
+        severity: 'high',
+        description: 'document.write can introduce XSS vulnerabilities',
+        suggestedFix: 'Use DOM manipulation methods instead',
+    },
+    {
+        name: 'dangerouslySetInnerHTML',
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
+        severity: 'high',
+        description: 'dangerouslySetInnerHTML can lead to XSS if content is not sanitized',
+        suggestedFix: 'Sanitize HTML content with DOMPurify before rendering',
+    },
+    // Deserialization
+    {
+        name: 'Unsafe deserialization',
+        pattern: /\b(pickle\.loads?|yaml\.load\s*\((?!.*Loader)|unserialize|Marshal\.load)\s*\(/gi,
+        severity: 'critical',
+        description: 'Unsafe deserialization can lead to remote code execution',
+        suggestedFix: 'Use safe loaders (yaml.safe_load) or validate input before deserializing',
+    },
+    // Note: JSON.parse is handled specially with source-aware severity - see below
+    // Note: request.json() is NOT a dangerous function - see schema validation rules
+    // File system risks
+    {
+        name: 'Dynamic file path',
+        pattern: /\b(readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\(\s*[^'"]/gi,
+        severity: 'medium',
+        description: 'Dynamic file paths can lead to path traversal attacks',
+        suggestedFix: 'Validate and sanitize file paths, use path.resolve with a base directory',
+    },
+    {
+        name: 'Path traversal risk',
+        pattern: /path\.(join|resolve)\s*\([^)]*req\.(params|query|body)/gi,
+        severity: 'high',
+        description: 'User input in file paths can lead to path traversal attacks',
+        suggestedFix: 'Validate paths and ensure they stay within allowed directories',
+    },
+    // Crypto weaknesses
+    {
+        name: 'Math.random for security',
+        pattern: /Math\.random\s*\(\s*\)/gi,
+        severity: 'medium',
+        description: 'Math.random() is not cryptographically secure',
+        suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive operations',
+    },
+    // Regex DoS
+    {
+        name: 'Potentially unsafe regex',
+        pattern: /new\s+RegExp\s*\(\s*[^'"]/gi,
+        severity: 'medium',
+        description: 'Dynamic regex construction can lead to ReDoS attacks',
+        suggestedFix: 'Validate regex patterns and consider using safe-regex library',
+    },
+    // Prototype pollution
+    {
+        name: 'Object.assign with user input',
+        pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(req\.|request\.|body|params|query)/gi,
+        severity: 'high',
+        description: 'Object.assign with user input can lead to prototype pollution',
+        suggestedFix: 'Validate and sanitize input, or use a safe merge function',
+    },
+    {
+        name: 'Spread operator with user input',
+        pattern: /\{\s*\.\.\.req\.(body|params|query)|\.\.\.request\.(body|params|query)/gi,
+        severity: 'medium',
+        description: 'Spreading user input can lead to mass assignment vulnerabilities',
+        suggestedFix: 'Explicitly pick allowed properties instead of spreading all input',
+    },
+];
+// Check if file matches language filter
+function matchesLanguage(filePath, languages) {
+    if (!languages || languages.length === 0)
+        return true;
+    const ext = filePath.split('.').pop()?.toLowerCase() || '';
+    return languages.some(lang => {
+        if (lang === 'py')
+            return ext === 'py';
+        if (lang === 'js')
+            return ['js', 'jsx', 'mjs', 'cjs'].includes(ext);
+        if (lang === 'ts')
+            return ['ts', 'tsx'].includes(ext);
+        return ext === lang;
+    });
+}
+// Check if innerHTML/dangerouslySetInnerHTML uses static content only
+function isStaticHTMLContent(lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    // Get surrounding context (5 lines before and after)
+    const contextStart = Math.max(0, lineNumber - 6);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Static HTML indicators - string literals only
+    const staticIndicators = [
+        /innerHTML\s*=\s*['"`][^'"`]*['"`]/, // innerHTML = "static string"
+        /innerHTML\s*=\s*`[^$]*`/, // innerHTML = `static template without ${}`
+        /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*['"`]/, // React static string
+    ];
+    // Dynamic content indicators (red flags)
+    const dynamicIndicators = [
+        /\$\{[^}]+\}/, // Template interpolation ${...}
+        /innerHTML\s*=.*\+/, // String concatenation with +
+        /innerHTML\s*\+=\s*/, // Append operation
+        /\breq\.|\.params|\.query|\.body/, // User input (req.params, req.query, req.body)
+        /\bprops\./, // Component props
+        /\bstate\./, // Component state
+        /\.value\b/, // Input value
+        /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*[^'"`]/, // React dynamic
+    ];
+    const isStatic = staticIndicators.some(p => p.test(lineContent));
+    const isDynamic = dynamicIndicators.some(p => p.test(context));
+    return isStatic && !isDynamic;
+}
+/**
+ * Check if eval/exec/Function has only static literal inputs (no user data)
+ * Static inputs like eval('({ mode: "production" })') are low risk
+ */
+function hasOnlyStaticInputs(lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    // Check if the argument to eval/exec/Function is a string literal only
+    const staticPatterns = [
+        /eval\s*\(\s*['"`][^'"`$]*['"`]\s*\)/, // eval('static string')
+        /eval\s*\(\s*`[^$`]*`\s*\)/, // eval(`static template without ${}`)
+        /new\s+Function\s*\(\s*['"`][^'"`$]*['"`]\s*\)/, // new Function('static')
+        /execSync\s*\(\s*['"`][^'"`$]*['"`]\s*\)/, // execSync('static command')
+        /exec\s*\(\s*['"`][^'"`$]*['"`]/, // exec('static command'
+    ];
+    if (staticPatterns.some(p => p.test(lineContent))) {
+        return true;
+    }
+    // Check surrounding context for user input flowing in
+    const userInputIndicators = [
+        /\$\{/, // Template interpolation
+        /\+\s*\w+/, // String concatenation with variable
+        /req\.|request\.|body\.|params\.|query\./i, // Request data
+        /user[Ii]nput|userCode|userCommand/, // User input variables
+        /args\[|argv\[/, // Command line args
+    ];
+    const contextStart = Math.max(0, lineNumber - 3);
+    const contextEnd = Math.min(lines.length, lineNumber + 1);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // If no user input indicators found, likely static
+    return !userInputIndicators.some(p => p.test(context));
+}
+/**
+ * Check if SQL query uses whitelist validation pattern
+ * e.g., columns validated against allowedColumns array before use
+ */
+function hasSQLWhitelistValidation(content, lineNumber) {
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 15);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Whitelist/allowlist validation patterns
+    const whitelistPatterns = [
+        /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
+        /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
+        /valid\w*\s*=\s*\[/i, // validColumns = [...]
+        /\.filter\s*\([^)]*\.includes\s*\(/i, // .filter(c => allowed.includes(c))
+        /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
+        /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
+        /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
+    ];
+    return whitelistPatterns.some(p => p.test(context));
+}
+/**
+ * Check if dangerouslySetInnerHTML is used with DOMPurify sanitization
+ */
+function hasDOMPurifySanitization(lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 10);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // DOMPurify sanitization patterns
+    const sanitizationPatterns = [
+        /DOMPurify\.sanitize/i,
+        /sanitize\s*\(/i,
+        /purify\s*\(/i,
+        /xss\s*\(/i,
+        /clean\s*\(/i,
+        /sanitizeHtml/i,
+        /escapeHtml/i,
+        /sanitized/i,
+        /purified/i,
+    ];
+    return sanitizationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if data flows to an LLM prompt rather than a DOM sink
+ * LLM prompts are NOT XSS - they're prompt injection (different risk profile)
+ */
+function isLLMPromptContext(lineContent, content, filePath) {
+    // File path indicators of AI/LLM code
+    const aiFilePatterns = [
+        /\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
+        /\/(assistants?|agents?|prompts?)\//i,
+        /(chat|ai|llm|prompt|assistant).*\.(ts|js|tsx|jsx)$/i,
+    ];
+    if (aiFilePatterns.some(p => p.test(filePath))) {
+        return true;
+    }
+    // Content patterns suggesting LLM API usage
+    const llmApiPatterns = [
+        /\.create\s*\(\s*\{[^}]*messages\s*:/i, // OpenAI/Anthropic SDK
+        /openai|anthropic|claude|gpt-4|gpt-3/i, // AI service mentions
+        /\bprompt\s*[=:+]/i, // prompt assignment
+        /\bsystemPrompt|userPrompt|assistantPrompt/i, // Prompt variables
+        /completion|chat\.create|messages\.create/i, // API calls
+        /\bmessages\s*:\s*\[/i, // Messages array
+        /role:\s*['"`](user|assistant|system)['"`]/i, // Message roles
+    ];
+    // Check the line and surrounding context
+    const lines = content.split('\n');
+    const lineIndex = lines.findIndex(l => l === lineContent || l.includes(lineContent.trim()));
+    const startLine = Math.max(0, lineIndex - 10);
+    const endLine = Math.min(lines.length, lineIndex + 10);
+    const context = lines.slice(startLine, endLine).join('\n');
+    return llmApiPatterns.some(p => p.test(lineContent) || p.test(context));
+}
+/**
+ * Check if this is a static bootstrap script (e.g., localStorage theme reader)
+ * These are very low risk even with dangerouslySetInnerHTML
+ */
+function isStaticBootstrapScript(_lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 10);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Bootstrap script indicators (reading from localStorage, setting attributes)
+    const bootstrapPatterns = [
+        /localStorage\.getItem/i,
+        /document\.documentElement\.setAttribute/i,
+        /data-(theme|font|mode)/i,
+        /classList\.(add|remove|toggle)/i,
+        /\.dataset\./i,
+    ];
+    // Dangerous patterns that disqualify as safe bootstrap
+    const dangerousPatterns = [
+        /\$\{.*\}/, // Template interpolation
+        /\+\s*[a-zA-Z]/, // String concatenation with variable
+        /innerHTML\s*=\s*[a-zA-Z]/, // innerHTML set to variable directly
+        /fetch\s*\(/, // Network requests
+        /\.(query|params|body)/, // User input
+        /location\.(search|hash)/, // URL parameters
+        /document\.cookie/, // Cookie access
+    ];
+    const hasBootstrapPatterns = bootstrapPatterns.some(p => p.test(context));
+    const hasDangerousPatterns = dangerousPatterns.some(p => p.test(context));
+    return hasBootstrapPatterns && !hasDangerousPatterns;
+}
+/**
+ * Check if Math.random() is used for cosmetic/UI purposes (not security)
+ * Cosmetic uses: CSS values, animations, UI variations, demo data
+ * Security uses: tokens, IDs, cryptographic operations, session management
+ */
+function isCosmeticMathRandom(lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    // Check the line itself for cosmetic indicators
+    const cosmeticLinePatterns = [
+        // CSS/style values
+        /['"`]\s*\$\{.*Math\.random.*\}\s*%['"`]/, // `${Math.random() * 40 + 50}%`
+        /Math\.random.*\s*\+\s*['"`]%['"`]/, // Math.random() * 40 + '%'
+        /Math\.random.*\)\s*\*\s*\d+\s*\+\s*\d+\s*\}\s*%/, // }) * 40 + 50}%
+        /return\s+`.*Math\.random.*%`/, // return `${...}%`
+        /width:\s*['"`].*Math\.random/i, // width: `${Math.random()...}%`
+        /height:\s*['"`].*Math\.random/i, // height: `${Math.random()...}%`
+        /opacity:\s*['"`]?.*Math\.random/i, // opacity: Math.random()
+        /transform:\s*['"`]?.*Math\.random/i, // transform: translate(...)
+        /rotate\(.*Math\.random/i, // rotate(Math.random() * 360)
+        /translate\(.*Math\.random/i, // translate(Math.random() * 100)
+        /scale\(.*Math\.random/i, // scale(Math.random() * 2)
+        // Color/animation values
+        /rgba?\(.*Math\.random/i, // rgb(Math.random() * 255, ...)
+        /hsl\(.*Math\.random/i, // hsl(Math.random() * 360, ...)
+        /Math\.random.*\*\s*360/, // Math.random() * 360 (degrees/hue)
+        /Math\.random.*\*\s*255/, // Math.random() * 255 (RGB values)
+        // Array/list randomization for UI
+        /Math\.floor\(Math\.random.*\.length\)/, // Math.floor(Math.random() * array.length)
+        /\[Math\.floor\(Math\.random/, // array[Math.floor(Math.random()...)]
+        // Demo/placeholder data
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bpx\b/i, // Math.random() * 100 + 50 + 'px'
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bms\b/i, // Math.random() * 1000 + 500 + 'ms'
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bs\b/i, // Math.random() * 5 + 2 + 's'
+        // UI identifier generation (short strings for element IDs, keys, etc.)
+        /Math\.random\(\)\.toString\(36\)\.substring\(/, // .toString(36).substring(2, 9) - short UI IDs
+        /Math\.random\(\)\.toString\(36\)\.substr\(/, // .substr() variant
+        /Math\.random\(\)\.toString\(36\)\.slice\(/, // .slice() variant
+        /Math\.random\(\)\.toString\(16\)\.substring\(/, // .toString(16).substring() - hex UI IDs
+        /Math\.random\(\)\.toString\(16\)\.slice\(/, // hex slice variant
+    ];
+    if (cosmeticLinePatterns.some(p => p.test(lineContent))) {
+        return true;
+    }
+    // Check surrounding context (5 lines before and after)
+    const contextStart = Math.max(0, lineNumber - 5);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Context indicators of cosmetic use
+    const cosmeticContextPatterns = [
+        // UI component files
+        /\/(components?|ui|widgets?|animations?|contexts?)\//i,
+        // Style-related variables/functions
+        /\b(style|styles|css|className|animation|transition)/i,
+        /\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
+        // Demo/example data
+        /\b(demo|example|placeholder|mock|fake|sample|test)Data/i,
+        /\b(random|shuffle|pick|choose).*\b(color|item|element|option)/i,
+        // Animation/timing
+        /setTimeout.*Math\.random/i,
+        /setInterval.*Math\.random/i,
+        /delay.*Math\.random/i,
+        /duration.*Math\.random/i,
+        // UI state variations
+        /\b(variant|theme|layout|position).*Math\.random/i,
+        // UI identifier variable names (toast, notification, element, component IDs)
+        /\b(toast|notification|element|component|widget|modal|dialog|popup).*id\b/i,
+        /\bid\s*=.*Math\.random/i,
+        /\bkey\s*=.*Math\.random/i, // React keys
+        /\btempId|temporaryId|uniqueId\b/i,
+    ];
+    if (cosmeticContextPatterns.some(p => p.test(context))) {
+        return true;
+    }
+    // Security-sensitive patterns that override cosmetic detection
+    const securityPatterns = [
+        /\b(token|secret|key|password|credential|signature)/i,
+        /\b(auth|crypto|encrypt|decrypt|hash)/i,
+        /\b(session|nonce|salt)\b/i,
+        /Math\.random.*\*\s*1e\d+/, // Math.random() * 1e16 (large numbers for IDs)
+    ];
+    if (securityPatterns.some(p => p.test(lineContent) || p.test(context))) {
+        return false; // Not cosmetic - this is security-sensitive
+    }
+    // Check for .toString(36) WITHOUT substring/slice/substr (security token pattern)
+    // If it has substring/slice/substr, it's already caught by cosmeticLinePatterns above
+    const hasToString36WithoutTruncation = /Math\.random\(\)\.toString\(36\)/.test(lineContent) &&
+        !/\.(substring|substr|slice)\(/.test(lineContent);
+    const hasToString16WithoutTruncation = /Math\.random\(\)\.toString\(16\)/.test(lineContent) &&
+        !/\.(substring|substr|slice)\(/.test(lineContent);
+    if (hasToString36WithoutTruncation || hasToString16WithoutTruncation) {
+        return false; // Full-length toString() without truncation - likely security token
+    }
+    return false; // Default to flagging if unclear
+}
+function detectDangerousFunctions(content, filePath) {
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath)) {
+        return vulnerabilities;
+    }
+    const lines = content.split('\n');
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    lines.forEach((line, index) => {
+        // Skip comment lines
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        for (const funcPattern of DANGEROUS_FUNCTIONS) {
+            // Check language filter
+            if (!matchesLanguage(filePath, funcPattern.languages))
+                continue;
+            const regex = new RegExp(funcPattern.pattern.source, funcPattern.pattern.flags);
+            if (regex.test(line)) {
+                // Special handling for innerHTML patterns
+                if (funcPattern.name === 'innerHTML assignment' ||
+                    funcPattern.name === 'dangerouslySetInnerHTML') {
+                    // Check if this uses static content only
+                    if (isStaticHTMLContent(line, content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (static content)',
+                            description: 'Static HTML assignment detected. Generally safe for hardcoded content, but consider using textContent for plain text or proper DOM methods for dynamic content.',
+                            suggestedFix: 'If this is plain text, use textContent instead. If HTML must be used, ensure it is static and does not come from user input.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break; // Only report once per line
+                    }
+                    // Check if DOMPurify or similar sanitization is used
+                    if (hasDOMPurifySanitization(line, content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (sanitized)',
+                            description: 'HTML is sanitized before rendering (DOMPurify or similar detected). This is the recommended pattern for rendering user-generated HTML.',
+                            suggestedFix: 'Ensure DOMPurify is configured correctly and kept up to date.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break; // Only report once per line
+                    }
+                    // Check if this is a static bootstrap script (e.g., theme/font loader)
+                    if (isStaticBootstrapScript(line, content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (static bootstrap script)',
+                            description: 'This appears to be a static bootstrap script (e.g., reading localStorage for theme/font preferences). Low risk as no untrusted data is interpolated into the HTML/JS.',
+                            suggestedFix: 'Verify no user-controlled data is interpolated into the script content.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break; // Only report once per line
+                    }
+                    // Check if this is in LLM prompt context (not XSS - it's prompt injection)
+                    if (isLLMPromptContext(line, content, filePath)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-prompt-injection`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'ai_pattern',
+                            title: 'Potential prompt injection risk',
+                            description: 'User content is being used in an LLM prompt context. This is NOT XSS (the content goes to an AI, not a DOM). However, untrusted content in prompts may lead to prompt injection attacks.',
+                            suggestedFix: 'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break; // Only report once per line
+                    }
+                    // Dynamic content - full severity, needs AI validation
+                    let severity = funcPattern.severity;
+                    if (isTestFile) {
+                        severity = 'low';
+                    }
+                    vulnerabilities.push({
+                        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                        filePath,
+                        lineNumber: index + 1,
+                        lineContent: line.trim(),
+                        severity,
+                        category: 'dangerous_function',
+                        title: funcPattern.name,
+                        description: funcPattern.description + ' This appears to use dynamic content which increases XSS risk.' + (isTestFile ? ' (in test file)' : ''),
+                        suggestedFix: funcPattern.suggestedFix,
+                        confidence: isTestFile ? 'low' : 'high',
+                        layer: 2,
+                        requiresAIValidation: true, // Dynamic HTML needs validation
+                    });
+                    break; // Only report once per line
+                }
+                // Note: JSON.parse is now handled by standalone detectJSONParseSafe() function
+                // which provides better source-aware severity classification
+                // Special handling for eval and Function constructor
+                if (funcPattern.name === 'eval() usage' || funcPattern.name === 'Function constructor') {
+                    // Suppress entirely in test files - test files legitimately test eval behavior
+                    if (isTestFile) {
+                        break; // Skip reporting entirely
+                    }
+                    // Check if eval is inside a test assertion (expect(), test(), it(), describe())
+                    const testAssertionPattern = /\b(expect|test|it|describe)\s*\(/;
+                    if (testAssertionPattern.test(line)) {
+                        break; // Skip reporting - this is testing eval behavior
+                    }
+                    // Check if inputs are static literals (low risk)
+                    if (hasOnlyStaticInputs(line, content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (static input)',
+                            description: 'eval/Function with static string literal input. Lower risk than dynamic input, but consider refactoring to avoid eval entirely.',
+                            suggestedFix: 'Consider using JSON.parse() for JSON data or refactoring to avoid eval.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break;
+                    }
+                    vulnerabilities.push({
+                        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                        filePath,
+                        lineNumber: index + 1,
+                        lineContent: line.trim(),
+                        severity: funcPattern.severity,
+                        category: 'dangerous_function',
+                        title: funcPattern.name,
+                        description: funcPattern.description,
+                        suggestedFix: funcPattern.suggestedFix,
+                        confidence: 'high',
+                        layer: 2,
+                        requiresAIValidation: true, // Code execution patterns need validation
+                    });
+                    break;
+                }
+                // Special handling for child_process exec - verify it's not RegExp.exec
+                if (funcPattern.name === 'child_process exec') {
+                    // First check if this is actually from child_process (not RegExp.exec)
+                    const isExecMatch = /\bexec\s*\(/.test(line);
+                    const isOtherMatch = /\b(execSync|spawn|spawnSync|execFile)\s*\(/.test(line);
+                    if (isExecMatch && !isOtherMatch) {
+                        // This matched 'exec(' - verify it's from child_process
+                        if (!isChildProcessExec(content, line)) {
+                            // This is RegExp.exec or similar - skip
+                            break;
+                        }
+                    }
+                    else if (isOtherMatch) {
+                        // This matched spawn/execSync/etc - verify child_process import
+                        if (!isChildProcessSpawn(content, line)) {
+                            // No child_process import - skip
+                            break;
+                        }
+                    }
+                    if (hasOnlyStaticInputs(line, content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (static command)',
+                            description: 'exec/execSync with hardcoded command. Lower risk than dynamic commands, but ensure command does not change based on user input.',
+                            suggestedFix: 'If command is truly static, this is generally acceptable. For dynamic commands, validate and sanitize inputs.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break;
+                    }
+                }
+                // Special handling for SQL patterns - check for whitelist validation
+                if (funcPattern.name === 'Raw SQL query construction' || funcPattern.name === 'SQL template literal') {
+                    if (hasSQLWhitelistValidation(content, index)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (whitelist validated)',
+                            description: 'SQL query with dynamic content, but whitelist/allowlist validation detected. This is a safer pattern that limits injection risk.',
+                            suggestedFix: 'Ensure the whitelist is comprehensive and cannot be bypassed. Consider using parameterized queries for additional safety.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break;
+                    }
+                }
+                // Special handling for Dynamic file path - skip for utility files
+                // Utility functions designed to work with file paths are expected to take path parameters
+                if (funcPattern.name === 'Dynamic file path') {
+                    // Skip for utility/lib/helper files - these are internal functions, not API handlers
+                    const isUtilityFile = /\/(utils?|lib|helpers?|services?|modules?)\//i.test(filePath);
+                    // Skip if function name suggests it's designed for file operations
+                    const isFileOperationFunction = /\b(checksum|hash|digest|fingerprint|read|write|load|save|get|set|copy|move|delete)File/i.test(content.slice(Math.max(0, index - 200), index + 100));
+                    // Skip CLI command files - these take paths from command-line args (controlled inputs)
+                    const isCLIFile = /\/(cli|commands?|bin)\//i.test(filePath) ||
+                        /\/src\/(index|main|cli)\.(ts|js)$/i.test(filePath);
+                    // Skip GitHub Action files - these process repo files (controlled environment)
+                    const isGitHubAction = /github-action/i.test(filePath) ||
+                        /action\.(ts|js|yml|yaml)$/i.test(filePath);
+                    // Check for schema validation patterns in the surrounding context
+                    // Zod, Yup, Joi, or regex validation on the input
+                    const contextWindow = content.slice(Math.max(0, content.indexOf(line) - 500), content.indexOf(line) + line.length);
+                    const hasSchemaValidation = /z\.(string|object)\s*\(\s*\)\.regex\s*\(/i.test(contextWindow) ||
+                        /z\.enum\s*\(/i.test(contextWindow) ||
+                        /\.regex\s*\(\s*\/.*\/\s*\)/i.test(contextWindow) || // .regex(/.../)
+                        /\.match\s*\(\s*\/.*\/\s*\)/i.test(contextWindow) || // .match(/.../)
+                        /\.(schema|validate)\s*\(/i.test(contextWindow) ||
+                        /joi\./i.test(contextWindow) ||
+                        /yup\./i.test(contextWindow);
+                    // Check for path sanitization patterns
+                    const hasPathSanitization = hasPathTraversalProtection(contextWindow, line);
+                    if (isUtilityFile || isFileOperationFunction || isTestFile || isCLIFile || isGitHubAction || hasSchemaValidation || hasPathSanitization) {
+                        // Skip entirely for utility functions or when schema validation is present
+                        break;
+                    }
+                }
+                // Special handling for Path traversal risk - check for sanitization
+                if (funcPattern.name === 'Path traversal risk') {
+                    const contextWindow = content.slice(Math.max(0, content.indexOf(line) - 500), content.indexOf(line) + line.length + 200);
+                    // Check for path sanitization patterns
+                    if (hasPathTraversalProtection(contextWindow, line)) {
+                        vulnerabilities.push({
+                            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                            filePath,
+                            lineNumber: index + 1,
+                            lineContent: line.trim(),
+                            severity: 'info',
+                            category: 'dangerous_function',
+                            title: funcPattern.name + ' (sanitized)',
+                            description: 'User input in file path, but path traversal protection detected. Verify sanitization is comprehensive.',
+                            suggestedFix: 'Ensure path.resolve() result is checked against base directory and ".." sequences are rejected.',
+                            confidence: 'low',
+                            layer: 2,
+                        });
+                        break;
+                    }
+                }
+                // Special handling for Math.random() - skip cosmetic/UI uses
+                if (funcPattern.name === 'Math.random for security') {
+                    // Check if this is cosmetic use (CSS, animations, UI variations)
+                    if (isCosmeticMathRandom(line, content, index)) {
+                        // Skip entirely - this is not a security concern
+                        break;
+                    }
+                }
+                // Standard handling for all other patterns
+                let severity = funcPattern.severity;
+                let confidence = 'high';
+                if (isTestFile) {
+                    if (severity === 'critical') {
+                        severity = 'medium';
+                    }
+                    else if (severity === 'high') {
+                        severity = 'low';
+                    }
+                    else {
+                        severity = 'info';
+                    }
+                    confidence = 'low';
+                }
+                vulnerabilities.push({
+                    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity,
+                    category: 'dangerous_function',
+                    title: funcPattern.name,
+                    description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+                    suggestedFix: funcPattern.suggestedFix,
+                    confidence,
+                    layer: 2,
+                });
+                break; // Only report once per line
+            }
+        }
+    });
+    // Additional standalone checks (not in DANGEROUS_FUNCTIONS array)
+    // JSON.parse source-aware detection
+    detectJSONParseSafe(content, filePath, isTestFile, vulnerabilities);
+    // request.json() / req.json() schema validation suggestion
+    detectRequestJsonValidation(content, filePath, isTestFile, vulnerabilities);
+    return vulnerabilities;
+}
+/**
+ * Detect JSON.parse usage with source-aware severity
+ * Much smarter than simple pattern matching - considers try/catch and data source
+ */
+function detectJSONParseSafe(content, filePath, isTestFile, vulnerabilities) {
+    const lines = content.split('\n');
+    const jsonParsePattern = /JSON\.parse\s*\(/gi;
+    // Track instances per file to aggregate noisy patterns
+    const instances = [];
+    lines.forEach((line, index) => {
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        jsonParsePattern.lastIndex = 0;
+        if (!jsonParsePattern.test(line))
+            return;
+        const jsonSource = classifyJSONParseSource(line, filePath);
+        // Skip migration files entirely - they're internal tooling
+        if (jsonSource === 'migration')
+            return;
+        // Skip test fixtures entirely - they're intentionally parsing test data
+        if (jsonSource === 'test_fixture')
+            return;
+        // Skip trusted SDK responses - these are well-defined and safe to parse
+        if (isTrustedSDKResponse(line, content))
+            return;
+        // Check if JSON.parse is inside a try-catch block
+        const insideTryCatch = isInsideTryCatch(content, index) || hasTryCatchNearby(content, index);
+        // Check if schema validation is applied after JSON.parse
+        const hasSchemaValidation = hasSchemaValidationNearby(content, index);
+        // If inside try-catch with safe source, suppress entirely - this is perfectly fine
+        if (insideTryCatch && ['local_storage', 'database', 'config', 'internal', 'ui_state'].includes(jsonSource)) {
+            return;
+        }
+        // If schema validation is present, this is properly handled
+        if (hasSchemaValidation) {
+            return;
+        }
+        // UI state (settings, providers, modals) - very low risk, aggregate or skip
+        if (jsonSource === 'ui_state') {
+            // Only track for aggregation, don't report individually
+            instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource });
+            return;
+        }
+        // Determine severity based on source and error handling
+        let severity;
+        let description;
+        let suggestedFix;
+        let confidence = 'medium';
+        if (insideTryCatch) {
+            // Already has error handling
+            switch (jsonSource) {
+                case 'user_input':
+                    severity = 'low';
+                    description = 'JSON.parse on user input is wrapped in try-catch. Consider adding schema validation (zod/yup) to validate the parsed structure.';
+                    suggestedFix = 'Add schema validation after parsing: const validated = schema.parse(JSON.parse(input))';
+                    confidence = 'low';
+                    break;
+                default:
+                    // With try-catch and non-user source, this is fine - don't report
+                    return;
+            }
+        }
+        else {
+            // No try-catch
+            switch (jsonSource) {
+                case 'user_input':
+                    severity = 'medium';
+                    description = 'JSON.parse on user input without schema validation. Malformed input will crash; malicious input may have unexpected shape.';
+                    suggestedFix = 'Use a schema validation library (zod, yup, joi): try { const data = schema.parse(JSON.parse(body)) } catch (e) { return 400 }';
+                    confidence = 'high';
+                    break;
+                case 'local_storage':
+                    severity = 'info';
+                    description = 'JSON.parse on localStorage data. Consider adding try-catch for robustness against corrupted data.';
+                    suggestedFix = 'Wrap in try-catch to handle corrupted localStorage gracefully.';
+                    confidence = 'low';
+                    break;
+                case 'database':
+                    // Database content parsing is very common and low-risk
+                    instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource });
+                    return; // Will be aggregated below
+                case 'config':
+                case 'internal':
+                    severity = 'info';
+                    description = `JSON.parse on ${jsonSource.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.`;
+                    suggestedFix = 'Consider adding try-catch for robustness.';
+                    confidence = 'low';
+                    break;
+                default:
+                    // Unknown source - track for potential aggregation
+                    instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource });
+                    return; // Will be evaluated below based on aggregation
+            }
+        }
+        // Downgrade test files
+        if (isTestFile) {
+            severity = 'info';
+            confidence = 'low';
+            description += ' (in test file)';
+        }
+        vulnerabilities.push({
+            id: `json-parse-${filePath}-${index + 1}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity,
+            category: 'dangerous_function',
+            title: 'JSON.parse usage',
+            description,
+            suggestedFix,
+            confidence,
+            layer: 2,
+        });
+    });
+    // Aggregate low-risk JSON.parse instances if there are many
+    if (instances.length >= 3) {
+        // Create single aggregated finding instead of N individual findings
+        const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5);
+        const moreText = instances.length > 5 ? `... (${instances.length} total)` : '';
+        vulnerabilities.push({
+            id: `json-parse-aggregated-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: `${instances.length} instances across this file`,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: `JSON.parse usage (${instances.length} instances)`,
+            description: `JSON.parse detected. Consider adding error handling and schema validation if parsing user input.${isTestFile ? ' (in test file)' : ''}\n\nFound ${instances.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
+            suggestedFix: 'Add try-catch for error handling. If parsing user input, add schema validation.',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+    else if (instances.length > 0 && instances.length < 3) {
+        // Report individually for small counts
+        for (const instance of instances) {
+            vulnerabilities.push({
+                id: `json-parse-${filePath}-${instance.lineNumber}`,
+                filePath,
+                lineNumber: instance.lineNumber,
+                lineContent: instance.lineContent,
+                severity: 'info',
+                category: 'dangerous_function',
+                title: 'JSON.parse usage',
+                description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
+                suggestedFix: 'Consider adding try-catch for robustness.',
+                confidence: 'low',
+                layer: 2,
+            });
+        }
+    }
+}
+/**
+ * Check if this file appears to have form/input validation elsewhere
+ * (manual checks on body fields, type guards, etc.)
+ */
+function hasManualValidation(content) {
+    const manualValidationPatterns = [
+        // Type checking / type guards
+        /typeof\s+\w+\s*[!=]==?\s*['"](?:string|number|boolean|object)['"]|Array\.isArray\s*\(/i,
+        // Field existence checks followed by throws/returns
+        /if\s*\(\s*!(?:body|data|input)\.\w+\s*\)\s*\{?\s*(throw|return)/i,
+        // Property access with type assertion comments or inline validation
+        /\b(body|data|input)\s*as\s+\w+/i, // Type assertion
+        // Manual validation with error handling
+        /if\s*\(\s*![\w.]+\s*\|\|\s*typeof\s+[\w.]+/i,
+        // Using type predicates
+        /is\w+\s*\([\w.]+\)/i, // isFoo(bar) pattern
+    ];
+    return manualValidationPatterns.some(p => p.test(content));
+}
+/**
+ * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
+ * Routes with throwing auth helpers are already protected
+ */
+function hasThrowingAuthHelper(content) {
+    const throwingAuthPatterns = [
+        /\bgetCurrentUserId\s*\(/i,
+        /\brequireAuth\s*\(/i,
+        /\bensureAuth\s*\(/i,
+        /\bauth\s*\(\s*\)\s*\.protect\s*\(/i, // Clerk: auth().protect()
+        /\bcurrentUser\s*\(\s*\)/i, // Clerk: currentUser()
+        /\bgetServerSession\s*\([^)]*\)/i, // NextAuth
+        /\bauth\s*\(\s*\)/i, // Generic auth() call
+        /\bcheckAuth\s*\(/i,
+        /\bverifyAuth\s*\(/i,
+        /\bvalidateAuth\s*\(/i,
+        /\bassertAuth\s*\(/i,
+        /\bgetAuth\s*\(/i,
+        /\brequireUser\s*\(/i,
+        /\bgetUser\s*\(\s*\)/i, // supabase.auth.getUser()
+        /const\s+\{\s*user\s*\}\s*=\s*await/i, // Destructuring pattern
+    ];
+    return throwingAuthPatterns.some(p => p.test(content));
+}
+/**
+ * Detect request.json() / req.json() and suggest schema validation
+ * This is NOT a dangerous function - it's a prompt for best practices
+ */
+function detectRequestJsonValidation(content, filePath, isTestFile, vulnerabilities) {
+    // Only check API route files
+    if (!/\/(api|routes?|handlers?|controllers?)\//i.test(filePath) &&
+        !/route\.(ts|js)$/i.test(filePath)) {
+        return;
+    }
+    // Skip if route has throwing auth helper - these are already protected routes
+    // and the schema validation suggestion is lower priority
+    if (hasThrowingAuthHelper(content)) {
+        return;
+    }
+    const lines = content.split('\n');
+    // Matches: request.json(), req.json(), await request.json(), etc.
+    const requestJsonPattern = /\b(request|req)\.json\s*\(\s*\)/gi;
+    // Check if file has schema validation (library-based)
+    const hasSchemaLibrary = /\b(zod|yup|joi|ajv|superstruct|valibot|typebox)\b/i.test(content) ||
+        /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(/i.test(content);
+    // If file has schema library validation, don't report
+    if (hasSchemaLibrary)
+        return;
+    // Check for manual validation patterns (less robust but still indicates intent)
+    const hasManualCheck = hasManualValidation(content);
+    // Track instances for potential aggregation
+    const instances = [];
+    lines.forEach((line, index) => {
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        requestJsonPattern.lastIndex = 0;
+        if (!requestJsonPattern.test(line))
+            return;
+        // Check if there's validation nearby (within 10 lines after)
+        const startCheck = index;
+        const endCheck = Math.min(lines.length, index + 10);
+        const nearbyContent = lines.slice(startCheck, endCheck).join('\n');
+        // If there's validation in the nearby lines, skip
+        if (/\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(|schema\./i.test(nearbyContent)) {
+            return;
+        }
+        // If manual validation is present, skip individual reporting but track for aggregate
+        if (hasManualCheck) {
+            instances.push({ lineNumber: index + 1, lineContent: line.trim() });
+            return;
+        }
+        if (isTestFile) {
+            return; // Don't report in test files
+        }
+        instances.push({ lineNumber: index + 1, lineContent: line.trim() });
+    });
+    // Don't report if no instances found
+    if (instances.length === 0)
+        return;
+    // If manual validation exists, create a single info-level note
+    if (hasManualCheck && instances.length > 0) {
+        vulnerabilities.push({
+            id: `request-json-manual-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: instances[0].lineContent,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: 'Request body with manual validation',
+            description: `API endpoint parses request body with manual validation patterns detected. Consider using a schema library (zod, yup) for more robust type-safe validation.`,
+            suggestedFix: 'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // Aggregate if multiple instances without validation
+    if (instances.length >= 2) {
+        const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5);
+        vulnerabilities.push({
+            id: `request-json-aggregated-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: `${instances.length} instances`,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: `Request body without schema validation (${instances.length} instances)`,
+            description: `API endpoint parses request body without visible schema validation at lines: ${lineNumbers.join(', ')}. Consider validating the shape of incoming data.`,
+            suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+    else {
+        // Single instance
+        vulnerabilities.push({
+            id: `request-json-${filePath}-${instances[0].lineNumber}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: instances[0].lineContent,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: 'Request body without schema validation',
+            description: 'API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.',
+            suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+}
+//# sourceMappingURL=dangerous-functions.js.map