@oculum/scanner 1.0.0

package/src/layer1/urls.ts

@@ -0,0 +1,334 @@
+/**
+ * Layer 1: URL Pattern Matching
+ * Detects hardcoded sensitive URLs that may indicate security issues
+ */
+
+import type { Vulnerability } from '../types'
+
+// Check if file is documentation/README/example
+function isDocumentationFile(filePath: string): boolean {
+  const docPatterns = [
+    /README/i,
+    /CHANGELOG/i,
+    /CONTRIBUTING/i,
+    /LICENSE/i,
+    /\.md$/i,
+    /\.mdx$/i,
+    /\.rst$/i,
+    /\.adoc$/i,
+    /\/docs\//i,
+    /\/documentation\//i,
+    /\/wiki\//i,
+    /\/guides?\//i,
+    /\/tutorials?\//i,
+    /\/examples?\//i,
+  ]
+  return docPatterns.some(p => p.test(filePath))
+}
+
+// Check if file is a config/constants file where localhost is expected
+function isDevConfigFile(filePath: string): boolean {
+  const devConfigPatterns = [
+    /\.env\.local$/i,
+    /\.env\.development$/i,
+    /\.env\.dev$/i,
+    /\.env\.example$/i,
+    /\.env\.sample$/i,
+    /config\.dev\./i,
+    /config\.development\./i,
+    /config\.local\./i,
+    /\/config\/development\//i,
+    /\/config\/local\//i,
+    /constants\.dev\./i,
+  ]
+  return devConfigPatterns.some(p => p.test(filePath))
+}
+
+// URL patterns that may indicate security issues
+const URL_PATTERNS = [
+  // Internal/staging endpoints in production code
+  {
+    pattern: /https?:\/\/localhost[:\d]*/gi,
+    name: 'Localhost URL',
+    severity: 'medium' as const,
+    description: 'Hardcoded localhost URL found - may cause issues in production',
+  },
+  {
+    pattern: /https?:\/\/127\.0\.0\.1[:\d]*/gi,
+    name: 'Loopback URL',
+    severity: 'medium' as const,
+    description: 'Hardcoded loopback IP address found',
+  },
+  {
+    pattern: /https?:\/\/[^\/]*staging[^\/]*\.[a-z]+/gi,
+    name: 'Staging URL',
+    severity: 'medium' as const,
+    description: 'Hardcoded staging environment URL found',
+  },
+  {
+    pattern: /https?:\/\/[^\/]*\bdev\b[^\/]*\.[a-z]+/gi,
+    name: 'Development URL',
+    severity: 'low' as const,
+    description: 'Hardcoded development environment URL found',
+  },
+  {
+    pattern: /https?:\/\/[^\/]*internal[^\/]*\.[a-z]+/gi,
+    name: 'Internal URL',
+    severity: 'high' as const,
+    description: 'Hardcoded internal URL found - may expose internal infrastructure',
+  },
+  {
+    pattern: /https?:\/\/[^\/]*\btest\b[^\/]*\.[a-z]+/gi,
+    name: 'Test Environment URL',
+    severity: 'low' as const,
+    description: 'Hardcoded test environment URL found',
+  },
+
+  // Admin/sensitive endpoints - downgraded to info (these are often intentional)
+  {
+    pattern: /['"`]\/admin(?:\/|['"`])/gi,
+    name: 'Admin Endpoint',
+    severity: 'info' as const,
+    description: 'Admin endpoint path found - verify access control',
+  },
+  {
+    pattern: /['"`]\/api\/admin/gi,
+    name: 'Admin API Endpoint',
+    severity: 'low' as const,  // Downgraded from medium
+    description: 'Admin API endpoint found - verify access control',
+  },
+
+  // API keys in URLs
+  {
+    pattern: /\?api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
+    name: 'API Key in URL Query',
+    severity: 'high' as const,
+    description: 'API key exposed in URL query parameter',
+  },
+  {
+    pattern: /&api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
+    name: 'API Key in URL Query',
+    severity: 'high' as const,
+    description: 'API key exposed in URL query parameter',
+  },
+  {
+    pattern: /\?token=[a-zA-Z0-9_-]{10,}/gi,
+    name: 'Token in URL Query',
+    severity: 'high' as const,
+    description: 'Token exposed in URL query parameter',
+  },
+  {
+    pattern: /\?secret=[a-zA-Z0-9_-]{10,}/gi,
+    name: 'Secret in URL Query',
+    severity: 'critical' as const,
+    description: 'Secret exposed in URL query parameter',
+  },
+
+  // Webhook URLs (may contain secrets)
+  {
+    pattern: /https:\/\/hooks\.slack\.com\/services\/[a-zA-Z0-9\/]+/gi,
+    name: 'Slack Webhook URL',
+    severity: 'high' as const,
+    description: 'Slack webhook URL found - should be stored as environment variable',
+  },
+  {
+    pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/gi,
+    name: 'Discord Webhook URL',
+    severity: 'high' as const,
+    description: 'Discord webhook URL found - should be stored as environment variable',
+  },
+
+  // Debug/test endpoints - downgraded (often in test files or intentional)
+  {
+    pattern: /['"`]\/debug(?:\/|['"`])/gi,
+    name: 'Debug Endpoint',
+    severity: 'low' as const,  // Downgraded from medium
+    description: 'Debug endpoint found - verify not accessible in production',
+  },
+  {
+    pattern: /['"`]\/test(?:\/|['"`])/gi,
+    name: 'Test Endpoint',
+    severity: 'info' as const,  // Downgraded from low
+    description: 'Test endpoint found - typically safe in test context',
+  },
+]
+
+// Check if line is a comment
+function isComment(lineContent: string): boolean {
+  const trimmed = lineContent.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  )
+}
+
+// Check if it's in a test file
+function isTestFile(filePath: string): boolean {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/i.test(filePath) ||
+         /\/__tests__\//i.test(filePath) ||
+         /\/test\//i.test(filePath)
+}
+
+// Check if URL is in an environment variable reference
+function isEnvVarReference(lineContent: string): boolean {
+  return lineContent.includes('process.env') ||
+         lineContent.includes('${') ||
+         lineContent.includes('import.meta.env')
+}
+
+// Get URL context for smarter detection
+function getURLContext(lineContent: string, filePath: string): {
+  isDevOnly: boolean
+  isConfigFile: boolean
+  isTestFile: boolean
+  isEnvRef: boolean
+} {
+  return {
+    isDevOnly: /['"]?BASE_URL['"]?|['"]?API_URL['"]?|['"]?NEXT_PUBLIC_/.test(lineContent),
+    isConfigFile: /config|settings|constants/.test(filePath.toLowerCase()),
+    isTestFile: isTestFile(filePath),
+    isEnvRef: isEnvVarReference(lineContent)
+  }
+}
+
+// Aggregate repeated localhost findings per file
+export function aggregateLocalhostFindings(
+  vulnerabilities: Vulnerability[]
+): Vulnerability[] {
+  const localhostByFile = new Map<string, {
+    lines: number[]
+    urls: string[]
+    original: Vulnerability
+  }>()
+
+  const result: Vulnerability[] = []
+
+  for (const vuln of vulnerabilities) {
+    // Check if this is a localhost/127.0.0.1 URL
+    if (vuln.category === 'sensitive_url' &&
+        /localhost|127\.0\.0\.1/i.test(vuln.lineContent)) {
+
+      const key = vuln.filePath
+      if (!localhostByFile.has(key)) {
+        localhostByFile.set(key, { lines: [], urls: [], original: vuln })
+      }
+      const entry = localhostByFile.get(key)!
+      entry.lines.push(vuln.lineNumber)
+      entry.urls.push(vuln.lineContent)
+    } else {
+      result.push(vuln)
+    }
+  }
+
+  // Create aggregated findings for localhost URLs
+  for (const [filePath, data] of localhostByFile) {
+    const aggregated: Vulnerability = {
+      ...data.original,
+      title: `Localhost URLs in development code (${data.lines.length} instances)`,
+      description: `Found ${data.lines.length} localhost references on lines ${data.lines.join(', ')}. ` +
+        `This is typically safe in development but should use environment variables.`,
+      lineNumber: data.lines[0],
+      severity: 'info',  // Downgraded to info
+    }
+    result.push(aggregated)
+  }
+
+  return result
+}
+
+export function detectSensitiveURLs(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  // Skip documentation files entirely - they often contain example URLs
+  if (isDocumentationFile(filePath)) {
+    return vulnerabilities
+  }
+
+  const lines = content.split('\n')
+  const inTestFile = isTestFile(filePath)
+  const inDevConfig = isDevConfigFile(filePath)
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+
+    // Skip comments
+    if (isComment(line)) continue
+
+    // Get context for this line
+    const context = getURLContext(line, filePath)
+
+    // Skip environment variable references entirely
+    if (context.isEnvRef) continue
+
+    for (const { pattern, name, severity, description } of URL_PATTERNS) {
+      // Reset regex state
+      const regex = new RegExp(pattern.source, pattern.flags)
+
+      const match = regex.exec(line)
+      if (match) {
+        const url = match[0]
+
+        // Special handling for localhost URLs
+        if (/localhost|127\.0\.0\.1/i.test(url)) {
+          // Skip localhost in test files, dev-only contexts, or dev config files
+          if (context.isTestFile || context.isDevOnly || inDevConfig) {
+            continue
+          }
+
+          // Only flag localhost in production env files as high, otherwise info
+          const isProduction = filePath.includes('.env.production')
+          const adjustedSeverity = isProduction ? 'high' as const : 'info' as const
+
+          vulnerabilities.push({
+            id: `url-${filePath}-${i + 1}-${name}`,
+            filePath,
+            lineNumber: i + 1,
+            lineContent: line.trim(),
+            severity: adjustedSeverity,
+            category: 'sensitive_url',
+            title: name,
+            description: description + (isProduction ? ' (in production config!)' : ' (in dev/config file)'),
+            suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
+            confidence: isProduction ? 'high' : 'low',
+            layer: 1,
+          })
+        } else {
+          // Normal URL handling (non-localhost)
+          // Lower severity for test files - downgrade more aggressively
+          let adjustedSeverity = severity
+          if (inTestFile) {
+            if (severity === 'critical') adjustedSeverity = 'high'
+            else if (severity === 'high') adjustedSeverity = 'low'
+            else adjustedSeverity = 'info'
+          }
+
+          // Non-critical URL findings require AI validation
+          const requiresAIValidation = severity !== 'critical'
+
+          vulnerabilities.push({
+            id: `url-${filePath}-${i + 1}-${name}`,
+            filePath,
+            lineNumber: i + 1,
+            lineContent: line.trim(),
+            severity: adjustedSeverity,
+            category: 'sensitive_url',
+            title: name,
+            description: description + (inTestFile ? ' (in test file)' : ''),
+            suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
+            confidence: inTestFile ? 'low' : 'medium',
+            layer: 1,
+            requiresAIValidation,
+          })
+        }
+        break // Only report one URL issue per line
+      }
+    }
+  }
+
+  return vulnerabilities
+}

package/src/layer1/weak-crypto.ts

@@ -0,0 +1,328 @@
+/**
+ * Layer 1: Weak Cryptography Detection
+ * Detects usage of deprecated or weak cryptographic algorithms
+ */
+
+import type { Vulnerability } from '../types'
+
+// Weak/deprecated cryptographic patterns
+const WEAK_CRYPTO_PATTERNS = [
+  // Weak hash algorithms
+  {
+    pattern: /\bMD5\s*\(/gi,
+    name: 'MD5 Hash Usage',
+    severity: 'high' as const,
+    description: 'MD5 is cryptographically broken and should not be used for security purposes',
+    fix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
+    contextCheck: (line: string) => {
+      // Only flag as high if used in security context (passwords, tokens, etc.)
+      // Checksum/etag usage is acceptable for non-security purposes
+      const securityContexts = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /key/i]
+      const checksumContexts = [/checksum/i, /hash.*file/i, /file.*hash/i, /etag/i, /content.*hash/i, /integrity/i, /digest/i, /fingerprint/i]
+      
+      const isSecurityContext = securityContexts.some(p => p.test(line))
+      const isChecksumContext = checksumContexts.some(p => p.test(line))
+      
+      // If it's clearly a checksum context, don't flag
+      if (isChecksumContext && !isSecurityContext) {
+        return false
+      }
+      return true
+    },
+  },
+  {
+    pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/gi,
+    name: 'MD5 Hash Creation',
+    severity: 'high' as const,
+    description: 'MD5 is cryptographically broken and should not be used for security purposes',
+    fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
+    contextCheck: (line: string, _match: RegExpMatchArray, funcName?: string) => {
+      // Check function name and line context for checksum indicators
+      const checksumIndicators = [/checksum/i, /etag/i, /content.*hash/i, /file.*hash/i, /integrity/i, /digest/i, /fingerprint/i, /verify.*file/i]
+      const securityIndicators = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i]
+      
+      const lineAndFunc = funcName ? `${funcName} ${line}` : line
+      
+      const isChecksum = checksumIndicators.some(p => p.test(lineAndFunc))
+      const isSecurity = securityIndicators.some(p => p.test(lineAndFunc))
+      
+      // Checksum use without security context = acceptable, don't flag
+      if (isChecksum && !isSecurity) {
+        return false
+      }
+      return true
+    },
+  },
+  {
+    pattern: /\bSHA1\s*\(/gi,
+    name: 'SHA1 Hash Usage',
+    severity: 'medium' as const,
+    description: 'SHA1 is deprecated and vulnerable to collision attacks',
+    fix: 'Use SHA-256 or SHA-3 for hashing.',
+  },
+  {
+    pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/gi,
+    name: 'SHA1 Hash Creation',
+    severity: 'medium' as const,
+    description: 'SHA1 is deprecated and vulnerable to collision attacks',
+    fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
+  },
+
+  // Weak encryption algorithms
+  {
+    pattern: /\bDES\b(?!ede3|3)/gi,
+    name: 'DES Encryption',
+    severity: 'high' as const,
+    description: 'DES is obsolete and easily broken. Use AES instead.',
+    fix: 'Use AES-256-GCM for symmetric encryption.',
+  },
+  {
+    pattern: /createCipher(?:iv)?\s*\(\s*['"]des['"]/gi,
+    name: 'DES Cipher Creation',
+    severity: 'high' as const,
+    description: 'DES is obsolete and easily broken',
+    fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
+  },
+  {
+    pattern: /\bRC4\b/gi,
+    name: 'RC4 Encryption',
+    severity: 'high' as const,
+    description: 'RC4 is broken and should never be used',
+    fix: 'Use AES-256-GCM for symmetric encryption.',
+  },
+  {
+    pattern: /createCipher(?:iv)?\s*\(\s*['"]rc4['"]/gi,
+    name: 'RC4 Cipher Creation',
+    severity: 'high' as const,
+    description: 'RC4 is broken and should never be used',
+    fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
+  },
+  {
+    pattern: /\bBlowfish\b/gi,
+    name: 'Blowfish Encryption',
+    severity: 'medium' as const,
+    description: 'Blowfish has a small block size and is not recommended for new applications',
+    fix: 'Use AES-256-GCM for symmetric encryption.',
+  },
+
+  // Insecure random number generation
+  {
+    pattern: /Math\.random\s*\(\s*\)/g,
+    name: 'Math.random() for Security',
+    severity: 'high' as const,
+    description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
+    fix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
+    contextCheck: (line: string) => {
+      // Only flag if it looks like it's being used for security
+      const securityContexts = [
+        /token/i, /secret/i, /key/i, /password/i, /salt/i,
+        /nonce/i, /iv/i, /random.*id/i, /uuid/i, /session/i,
+      ]
+      return securityContexts.some(ctx => ctx.test(line))
+    },
+  },
+
+  // Weak key derivation
+  {
+    pattern: /pbkdf2.*iterations?\s*[=:]\s*(\d+)/gi,
+    name: 'Weak PBKDF2 Iterations',
+    severity: 'medium' as const,
+    description: 'PBKDF2 with low iteration count is vulnerable to brute force attacks',
+    fix: 'Use at least 100,000 iterations for PBKDF2, or switch to Argon2.',
+    contextCheck: (line: string, match: RegExpMatchArray) => {
+      const iterations = parseInt(match[1], 10)
+      return iterations < 10000
+    },
+  },
+
+  // Weak bcrypt rounds
+  {
+    pattern: /bcrypt\.hash\s*\([^,]+,\s*(\d+)/gi,
+    name: 'Weak bcrypt Rounds',
+    severity: 'medium' as const,
+    description: 'bcrypt with low cost factor is vulnerable to brute force attacks',
+    fix: 'Use at least 10 rounds for bcrypt (12 recommended).',
+    contextCheck: (line: string, match: RegExpMatchArray) => {
+      const rounds = parseInt(match[1], 10)
+      return rounds < 10
+    },
+  },
+
+  // ECB mode (insecure)
+  {
+    pattern: /['"]aes-\d+-ecb['"]/gi,
+    name: 'AES ECB Mode',
+    severity: 'high' as const,
+    description: 'ECB mode is insecure as it does not provide semantic security',
+    fix: 'Use AES-GCM or AES-CBC with proper IV handling.',
+  },
+
+  // Deprecated createCipher (no IV)
+  {
+    pattern: /createCipher\s*\(/g,
+    name: 'Deprecated createCipher',
+    severity: 'high' as const,
+    description: 'createCipher is deprecated and does not use an IV, making it insecure',
+    fix: 'Use createCipheriv() with a random IV instead.',
+  },
+
+  // Hardcoded encryption keys
+  {
+    pattern: /(?:encryption|cipher|aes)[_-]?key\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
+    name: 'Hardcoded Encryption Key',
+    severity: 'critical' as const,
+    description: 'Encryption key is hardcoded in source code',
+    fix: 'Store encryption keys in environment variables or a secure key management system.',
+  },
+
+  // Hardcoded IVs
+  {
+    pattern: /\biv\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
+    name: 'Hardcoded IV',
+    severity: 'high' as const,
+    description: 'Initialization vector (IV) should be random for each encryption operation',
+    fix: 'Generate a random IV using crypto.randomBytes() for each encryption.',
+  },
+]
+
+// Check if line is a comment
+function isComment(lineContent: string): boolean {
+  const trimmed = lineContent.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  )
+}
+
+// Check if line is a pattern definition (regex or string literal in detector code)
+function isPatternDefinition(lineContent: string): boolean {
+  const trimmed = lineContent.trim()
+  // Pattern definitions typically look like:
+  // pattern: /regex/
+  // name: 'string'
+  // description: 'string'
+  // fix: 'string'
+  return (
+    trimmed.startsWith('pattern:') ||
+    trimmed.startsWith('name:') ||
+    trimmed.startsWith('description:') ||
+    trimmed.startsWith('fix:') ||
+    // Also check for object property assignments with these names
+    /^\s*(pattern|name|description|fix|severity)\s*:/.test(lineContent)
+  )
+}
+
+// Check if file is part of the scanner's own detection code
+function isScannerDetectorFile(filePath: string): boolean {
+  return (
+    filePath.includes('scanner/src/layer1/') ||
+    filePath.includes('scanner/src/layer2/') ||
+    filePath.includes('scanner/src/layer3/') ||
+    filePath.includes('/lib/scanner/layer1/') ||
+    filePath.includes('/lib/scanner/layer2/') ||
+    filePath.includes('/lib/scanner/layer3/')
+  )
+}
+
+// Check if file is a test file or fixture
+function isTestOrFixtureFile(filePath: string): boolean {
+  const lowerPath = filePath.toLowerCase()
+  return (
+    lowerPath.includes('__tests__') ||
+    lowerPath.includes('__mocks__') ||
+    lowerPath.includes('/test/') ||
+    lowerPath.includes('/tests/') ||
+    lowerPath.includes('/fixtures/') ||
+    lowerPath.includes('/fixture/') ||
+    lowerPath.includes('.test.') ||
+    lowerPath.includes('.spec.') ||
+    lowerPath.includes('-test.') ||
+    lowerPath.includes('-spec.') ||
+    lowerPath.includes('benchmark')
+  )
+}
+
+/**
+ * Find the enclosing function name for a given line
+ */
+function findEnclosingFunctionName(lines: string[], lineIndex: number): string | undefined {
+  // Look backwards for function declaration
+  for (let i = lineIndex; i >= 0 && i >= lineIndex - 20; i--) {
+    const line = lines[i]
+    // Match function declarations: function name(), const name = (), async function name()
+    const funcMatch = line.match(/(?:function\s+|const\s+|let\s+|var\s+)(\w+)\s*(?:=\s*(?:async\s*)?\(|=\s*(?:async\s+)?function|\()/)
+    if (funcMatch) {
+      return funcMatch[1]
+    }
+    // Match method declarations: name() { or name: function()
+    const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/)
+    if (methodMatch) {
+      return methodMatch[1]
+    }
+  }
+  return undefined
+}
+
+export function detectWeakCrypto(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  
+  // Skip scanner's own detector files to avoid self-detection
+  if (isScannerDetectorFile(filePath)) {
+    return vulnerabilities
+  }
+  
+  // Skip test files and fixtures (intentional vulnerable code for testing)
+  if (isTestOrFixtureFile(filePath)) {
+    return vulnerabilities
+  }
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    
+    // Skip comments
+    if (isComment(line)) continue
+    
+    // Skip pattern definitions (detector rule definitions)
+    if (isPatternDefinition(line)) continue
+
+    for (const cryptoPattern of WEAK_CRYPTO_PATTERNS) {
+      const { pattern, name, severity, description, fix, contextCheck } = cryptoPattern
+      
+      // Reset regex state
+      const regex = new RegExp(pattern.source, pattern.flags)
+      const match = regex.exec(line)
+      
+      if (match) {
+        // If there's a context check, apply it
+        // Pass function name for additional context
+        const funcName = findEnclosingFunctionName(lines, i)
+        if (contextCheck && !contextCheck(line, match, funcName)) {
+          continue
+        }
+
+        vulnerabilities.push({
+          id: `weak-crypto-${filePath}-${i + 1}-${name}`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity,
+          category: 'weak_crypto',
+          title: name,
+          description,
+          suggestedFix: fix,
+          confidence: 'high',
+          layer: 1,
+        })
+        break // Only report one crypto issue per line
+      }
+    }
+  }
+
+  return vulnerabilities
+}