@oculum/scanner 1.0.0

package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts

@@ -0,0 +1,346 @@
+/**
+ * Framework-Specific Checks Test Fixtures
+ * Tests for detecting framework-specific security issues
+ */
+
+import type { TestGroup } from '../../types'
+
+export const frameworkChecksTests: TestGroup = {
+  name: 'Framework-Specific Security',
+  tier: 'C',
+  layer: 2,
+  description: 'Detection of framework-specific security issues (Next.js, Express, React, Django, Flask)',
+
+  truePositives: [
+    {
+      name: 'Next.js Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Next.js specific security issues that MUST be detected',
+      file: {
+        path: 'src/app/api/data/route.ts',
+        content: `
+import { NextResponse } from 'next/server'
+import { redirect, revalidatePath } from 'next/navigation'
+
+// Next.js API route handler without auth check - MEDIUM
+export default async function handler(req: any, res: any) {
+  const data = await fetchSensitiveData()
+  return res.json(data)
+}
+
+// Server action publicly accessible - MEDIUM
+'use server';
+export async function submitForm(data: FormData) {
+  await db.insert(data)
+}
+
+// revalidatePath with user input - HIGH
+export async function updateCache(request: Request) {
+  const { path } = await request.json()
+  revalidatePath(request.url)
+  revalidatePath(params.path)
+}
+
+// redirect with user input - HIGH
+export async function handleLogin(searchParams: { redirect: string }) {
+  redirect(searchParams.redirect)
+  redirect(url.pathname)
+  redirect(request.nextUrl.pathname)
+}
+
+// getServerSideProps without auth - LOW
+export async function getServerSideProps(context: any) {
+  const data = await fetchData()
+  return { props: { data } }
+}
+
+// unstable_cache without tags
+import { unstable_cache } from 'next/cache'
+const getCachedData = unstable_cache(async () => {
+  return fetchData()
+})
+`,
+        language: 'typescript',
+        size: 900,
+      },
+    },
+    {
+      name: 'Express Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Express specific security issues that MUST be detected',
+      file: {
+        path: 'src/server/app.ts',
+        content: `
+import express from 'express'
+import cors from 'cors'
+import bodyParser from 'body-parser'
+
+const app = express()
+
+// Express without helmet - MEDIUM
+const server = express()
+// No helmet middleware added
+
+// CORS allow all origins - HIGH
+app.use(cors({
+  origin: '*',
+  credentials: true,
+}))
+
+// Body parser without limit - LOW
+app.use(bodyParser.json())
+app.use(bodyParser.urlencoded())
+
+// Trust proxy without verification - MEDIUM
+app.set('trust proxy', true)
+
+// Error handler exposes stack - HIGH
+app.use((err, req, res, next) => {
+  res.json({
+    error: err.message,
+    stack: err.stack,  // Stack trace exposed!
+  })
+})
+
+// Another stack exposure pattern
+app.get('/error', (req, res) => {
+  try {
+    throw new Error('Oops')
+  } catch (err) {
+    res.send({ stack: err.stack })
+  }
+})
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+    {
+      name: 'React Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'React specific security issues that MUST be detected',
+      file: {
+        path: 'src/components/Form.tsx',
+        content: `
+import { useState, useEffect } from 'react'
+
+// useEffect with async (memory leak) - LOW
+function Component() {
+  useEffect(async () => {
+    const data = await fetchData()
+    setData(data)
+  }, [])
+
+  // State with sensitive data - MEDIUM
+  const [password, setPassword] = useState('initial-password')
+  const [secret, setSecret] = useState('')
+  const [token, setToken] = useState('')
+  const [apiKey, setApiKey] = useState('')
+  const [api_key, setApiKey2] = useState('')
+
+  // href javascript: XSS - HIGH
+  return (
+    <div>
+      <a href="javascript:alert('xss')">Click me</a>
+      <a href='javascript:void(0)'>Another</a>
+    </div>
+  )
+}
+
+// Uncontrolled input with sensitive defaultValue - MEDIUM
+function LoginForm({ savedPassword }) {
+  return (
+    <input
+      type="password"
+      defaultValue={password}
+    />
+  )
+}
+
+function TokenForm({ savedToken }) {
+  return <input defaultValue={token} />
+}
+`,
+        language: 'typescript',
+        size: 750,
+      },
+    },
+    {
+      name: 'Django/Flask Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Python framework security issues that MUST be detected',
+      file: {
+        path: 'src/settings.py',
+        content: `
+from django.conf import settings
+
+# Django DEBUG in production - CRITICAL
+DEBUG = True
+
+# ALLOWED_HOSTS wildcard - HIGH
+ALLOWED_HOSTS = ['*']
+
+# Django SECRET_KEY hardcoded - CRITICAL
+SECRET_KEY = 'django-insecure-abc123def456ghi789jkl'
+
+# ========== Flask patterns ==========
+
+from flask import Flask
+
+app = Flask(__name__)
+
+# Flask debug mode - CRITICAL
+app.run(debug=True, host='0.0.0.0')
+
+# Flask secret key hardcoded - CRITICAL
+app.secret_key = 'super-secret-flask-key'
+`,
+        language: 'python',
+        size: 500,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Framework Checks - False Negatives',
+      expectFindings: false,
+      description: 'Safe framework patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'insecure_config',
+          maxCount: 2,
+          reason: 'Some framework patterns may still generate low-severity findings',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 2,
+          reason: 'Framework patterns may trigger AI detection',
+        },
+        {
+          category: 'data_exposure',
+          maxCount: 2,
+          reason: 'Error handling patterns may trigger data exposure detection',
+        },
+        {
+          category: 'sensitive_url',
+          maxCount: 2,
+          reason: 'URLs in CORS config may trigger URL detection',
+        },
+      ],
+      file: {
+        path: 'src/config/server-config.ts',
+        content: `
+// Server configuration with proper defaults - SAFE
+export const serverConfig = {
+  port: process.env.PORT || 3000,
+  host: process.env.HOST || 'localhost',
+  bodyLimit: '100kb',
+}
+`,
+        language: 'typescript',
+        size: 150,
+      },
+    },
+    {
+      name: 'Safe Python Framework Patterns',
+      expectFindings: false,
+      description: 'Safe Django/Flask patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'insecure_config',
+          maxCount: 2,
+          reason: 'Environment checks may still generate low-severity findings',
+        },
+        {
+          category: 'sensitive_variable',
+          maxCount: 2,
+          reason: 'Variable names like SECRET_KEY may trigger sensitive variable detection',
+        },
+      ],
+      file: {
+        path: 'src/safe_settings.py',
+        content: `
+import os
+from django.conf import settings
+
+# DEBUG from environment - SAFE
+DEBUG = os.environ.get('DEBUG', 'False') == 'True'
+
+# ALLOWED_HOSTS from environment - SAFE
+ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')
+
+# SECRET_KEY from environment - SAFE
+SECRET_KEY = os.environ.get('SECRET_KEY')
+SECRET_KEY = os.getenv('DJANGO_SECRET_KEY')
+
+# ========== Safe Flask patterns ==========
+
+from flask import Flask
+
+app = Flask(__name__)
+
+# Debug from environment - SAFE
+app.run(debug=os.environ.get('FLASK_DEBUG') == 'true')
+
+# Secret key from environment - SAFE
+app.secret_key = os.environ.get('SECRET_KEY')
+app.config['SECRET_KEY'] = os.getenv('FLASK_SECRET')
+`,
+        language: 'python',
+        size: 500,
+      },
+    },
+    {
+      name: 'Safe React Patterns',
+      expectFindings: false,
+      description: 'Safe React patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'insecure_config',
+          maxCount: 1,
+          reason: 'Some patterns may generate info findings',
+        },
+        {
+          category: 'sensitive_url',
+          maxCount: 2,
+          reason: 'URLs in href may trigger URL detection',
+        },
+        {
+          category: 'sensitive_variable',
+          maxCount: 2,
+          reason: 'Variable names like password may trigger sensitive variable detection',
+        },
+      ],
+      file: {
+        path: 'src/components/SafeForm.tsx',
+        content: `
+import { useState, useEffect } from 'react'
+
+// Proper useEffect with async - SAFE
+function Component() {
+  useEffect(() => {
+    loadData()
+  }, [])
+
+  // Non-sensitive state - SAFE
+  const [name, setName] = useState('')
+
+  return (
+    <div>
+      <a href="/dashboard">Dashboard</a>
+      <button onClick={handleClick}>Click</button>
+    </div>
+  )
+}
+`,
+        language: 'typescript',
+        size: 300,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/index.ts

@@ -0,0 +1,67 @@
+/**
+ * Layer 2 Test Fixtures Index
+ * Exports all Layer 2 (Structural Scan) test fixtures
+ */
+
+export { dangerousFunctionsTests } from './dangerous-functions'
+export { byokTests } from './byok-patterns'
+export { aiExecutionSinksTests } from './ai-execution-sinks'
+export { aiAgentToolsTests } from './ai-agent-tools'
+export { authAntipatternsTests } from './auth-antipatterns'
+export { aiPromptHygieneTests } from './ai-prompt-hygiene'
+export { dataExposureTests } from './data-exposure'
+export { injectionTests } from './injection-vulnerabilities'
+// M5: New AI-era detector fixtures
+export { aiRagSafetyTests } from './ai-rag-safety'
+export { aiEndpointProtectionTests } from './ai-endpoint-protection'
+export { aiSchemaValidationTests } from './ai-schema-validation'
+// M6: New Layer 2 fixtures (5 untested detectors)
+export { aiFingerprintingTests } from './ai-fingerprinting'
+export { logicGatesTests } from './logic-gates'
+export { sensitiveVariablesTests } from './variables'
+export { riskyImportsTests } from './risky-imports'
+export { frameworkChecksTests } from './framework-checks'
+
+import type { TestGroup } from '../../types'
+import { dangerousFunctionsTests } from './dangerous-functions'
+import { byokTests } from './byok-patterns'
+import { aiExecutionSinksTests } from './ai-execution-sinks'
+import { aiAgentToolsTests } from './ai-agent-tools'
+import { authAntipatternsTests } from './auth-antipatterns'
+import { aiPromptHygieneTests } from './ai-prompt-hygiene'
+import { dataExposureTests } from './data-exposure'
+import { injectionTests } from './injection-vulnerabilities'
+// M5: New AI-era detector fixtures
+import { aiRagSafetyTests } from './ai-rag-safety'
+import { aiEndpointProtectionTests } from './ai-endpoint-protection'
+import { aiSchemaValidationTests } from './ai-schema-validation'
+// M6: New Layer 2 fixtures (5 untested detectors)
+import { aiFingerprintingTests } from './ai-fingerprinting'
+import { logicGatesTests } from './logic-gates'
+import { sensitiveVariablesTests } from './variables'
+import { riskyImportsTests } from './risky-imports'
+import { frameworkChecksTests } from './framework-checks'
+
+/**
+ * All Layer 2 test groups
+ */
+export const layer2TestGroups: TestGroup[] = [
+  dangerousFunctionsTests,
+  byokTests,
+  aiExecutionSinksTests,
+  aiAgentToolsTests,
+  authAntipatternsTests,
+  aiPromptHygieneTests,
+  dataExposureTests,
+  injectionTests,
+  // M5: New AI-era detectors
+  aiRagSafetyTests,
+  aiEndpointProtectionTests,
+  aiSchemaValidationTests,
+  // M6: New Layer 2 fixtures (5 untested detectors)
+  aiFingerprintingTests,
+  logicGatesTests,
+  sensitiveVariablesTests,
+  riskyImportsTests,
+  frameworkChecksTests,
+]

package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts

@@ -0,0 +1,239 @@
+/**
+ * Injection Vulnerabilities Test Fixtures
+ * Comprehensive tests for SQL injection, XSS, command injection, and template injection
+ */
+
+import type { TestGroup } from '../../types'
+
+export const injectionTests: TestGroup = {
+  name: 'Injection Vulnerabilities',
+  tier: 'A',
+  layer: 2,
+  description: 'Comprehensive detection of SQL injection, XSS, command injection, and template injection',
+  
+  truePositives: [
+    {
+      name: 'SQL Injection - Various Patterns',
+      expectFindings: true,
+      expectedCategories: ['dangerous_function'],
+      description: 'Various SQL injection patterns across different frameworks',
+      file: {
+        path: 'src/api/sql-injection.ts',
+        content: `
+// Basic string concatenation
+export async function getUserByName(name: string) {
+  return db.query("SELECT * FROM users WHERE name = '" + name + "'")
+}
+
+// Template literal injection
+export async function searchProducts(term: string) {
+  return db.query(\`SELECT * FROM products WHERE name LIKE '%\${term}%'\`)
+}
+
+// ORDER BY injection (often overlooked)
+export async function getSortedUsers(sortColumn: string) {
+  return db.query(\`SELECT * FROM users ORDER BY \${sortColumn}\`)
+}
+
+// LIMIT/OFFSET injection
+export async function getPaginatedData(limit: string, offset: string) {
+  return db.query(\`SELECT * FROM items LIMIT \${limit} OFFSET \${offset}\`)
+}
+
+// IN clause injection
+export async function getUsersByIds(ids: string) {
+  return db.query(\`SELECT * FROM users WHERE id IN (\${ids})\`)
+}
+
+// Table name injection
+export async function getFromTable(tableName: string, id: string) {
+  return db.query(\`SELECT * FROM \${tableName} WHERE id = '\${id}'\`)
+}
+
+// Multi-statement injection
+export async function updateAndSelect(userId: string, newName: string) {
+  const query = \`UPDATE users SET name = '\${newName}' WHERE id = '\${userId}'; SELECT * FROM users\`
+  return db.query(query)
+}
+
+// Stored procedure injection
+export async function callProcedure(procName: string, param: string) {
+  return db.query(\`CALL \${procName}('\${param}')\`)
+}
+`,
+        language: 'typescript',
+        size: 1200,
+      },
+    },
+    {
+      name: 'XSS - Various Patterns',
+      expectFindings: true,
+      expectedCategories: ['dangerous_function'],
+      description: 'Various XSS patterns in different contexts',
+      file: {
+        path: 'src/components/xss-vulnerable.tsx',
+        content: `
+import React from 'react'
+
+// Direct innerHTML assignment
+export function RenderUserHTML({ html }: { html: string }) {
+  const divRef = useRef<HTMLDivElement>(null)
+  useEffect(() => {
+    if (divRef.current) {
+      divRef.current.innerHTML = html // XSS!
+    }
+  }, [html])
+  return <div ref={divRef} />
+}
+
+// dangerouslySetInnerHTML without sanitization
+export function UserBio({ bioHtml }: { bioHtml: string }) {
+  return <div dangerouslySetInnerHTML={{ __html: bioHtml }} />
+}
+
+// document.write
+export function InjectScript(content: string) {
+  document.write(content) // XSS!
+}
+
+// createElement with user content
+export function CreateElement(tagName: string, content: string) {
+  const el = document.createElement(tagName)
+  el.innerHTML = content // XSS!
+  document.body.appendChild(el)
+}
+
+// URL-based XSS
+export function RedirectWithMessage(url: string) {
+  window.location.href = \`javascript:alert('\${url}')\` // XSS via javascript: URL
+}
+
+// Event handler injection
+export function AddHandler(element: HTMLElement, handler: string) {
+  element.setAttribute('onclick', handler) // XSS!
+}
+
+// SVG injection
+export function RenderSVG({ svgContent }: { svgContent: string }) {
+  return <div dangerouslySetInnerHTML={{ __html: svgContent }} />
+}
+`,
+        language: 'typescript',
+        size: 1100,
+      },
+    },
+    {
+      name: 'Command Injection - Various Patterns',
+      expectFindings: true,
+      expectedCategories: ['dangerous_function'],
+      description: 'Command injection patterns in Node.js and shell contexts',
+      file: {
+        path: 'src/utils/command-injection.ts',
+        content: `
+import { exec, execSync, spawn } from 'child_process'
+
+// Basic exec with user input
+export function runUserCommand(cmd: string) {
+  exec(cmd, (err, stdout) => console.log(stdout))
+}
+
+// exec with template literal
+export function processFile(filename: string) {
+  exec(\`cat \${filename}\`)
+}
+
+// execSync with concatenation
+export function getFileInfo(path: string) {
+  return execSync('ls -la ' + path)
+}
+
+// Shell option enabled
+export function runWithShell(command: string) {
+  spawn(command, { shell: true })
+}
+
+// Backtick command substitution vulnerability
+export function generateReport(date: string) {
+  exec(\`echo "Report for \${date}" > /tmp/report.txt\`)
+}
+
+// Chained commands
+export function chainedCommands(input: string) {
+  exec(\`echo \${input} && whoami\`) // User can inject "; rm -rf /"
+}
+
+// Environment variable injection
+export function setEnvAndRun(value: string) {
+  exec(\`export VAR="\${value}" && ./script.sh\`)
+}
+`,
+        language: 'typescript',
+        size: 900,
+      },
+    },
+  ],
+  
+  falseNegatives: [
+    {
+      name: 'Injection - Safe Patterns',
+      expectFindings: false,
+      description: 'Safe patterns that prevent injection attacks',
+      allowedInfoFindings: [
+        {
+          category: 'dangerous_function',
+          maxCount: 5,
+          reason: 'SQL with allowlist validation and static commands generate info-level findings',
+        },
+      ],
+      file: {
+        path: 'src/api/safe-injection.ts',
+        content: `
+import { execFile } from 'child_process'
+import DOMPurify from 'dompurify'
+
+// Parameterized SQL - SAFE
+export async function getUserById(id: string) {
+  return db.query('SELECT * FROM users WHERE id = $1', [id])
+}
+
+// Query builder with escaping - SAFE
+export async function searchProducts(term: string) {
+  return knex('products').where('name', 'ilike', \`%\${term}%\`)
+}
+
+// ORM - SAFE
+export async function findUser(email: string) {
+  return prisma.user.findUnique({ where: { email } })
+}
+
+// DOMPurify sanitized HTML - SAFE
+export function SafeHTML({ html }: { html: string }) {
+  const clean = DOMPurify.sanitize(html)
+  return <div dangerouslySetInnerHTML={{ __html: clean }} />
+}
+
+// execFile with array args - SAFE
+export function safeExec(filename: string) {
+  execFile('ls', ['-la', filename])
+}
+
+// Allowlist validation - SAFE
+export async function getSortedUsers(column: string) {
+  const allowed = ['name', 'email', 'created_at']
+  if (!allowed.includes(column)) {
+    column = 'created_at'
+  }
+  return db.query(\`SELECT * FROM users ORDER BY \${column}\`)
+}
+
+// Static command - SAFE
+export function getVersion() {
+  return execSync('node --version')
+}
+`,
+        language: 'typescript',
+        size: 1000,
+      },
+    },
+  ],
+}