@oculum/scanner 1.0.0

package/src/layer2/ai-execution-sinks.ts

@@ -0,0 +1,580 @@
+/**
+ * Layer 2: AI Execution Sink Detection
+ * Detects patterns where LLM output is fed into dangerous execution sinks
+ *
+ * Covers B2: Unsafe execution of model output (LLM02)
+ *
+ * Sinks include:
+ * - Code execution: eval(), Function(), vm.runInContext()
+ * - Shell execution: exec(), spawn(), child_process
+ * - SQL builders: .query(), .execute(), .raw()
+ * - Template rendering: innerHTML, dangerouslySetInnerHTML
+ */
+
+import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+  isExampleDirectory,
+  isLibraryCode,
+} from '../utils/context-helpers'
+import { isLLMContextFile } from './ai-prompt-hygiene'
+
+// ============================================================================
+// LLM Output Variable Detection
+// ============================================================================
+
+/**
+ * Check if line contains LLM API response context
+ */
+function hasLLMResponseContext(lineContent: string, surroundingContext: string): boolean {
+  const llmResponsePatterns = [
+    /\.choices\[0\]\.message\.content/i,     // OpenAI response
+    /\.content\[0\]\.text/i,                  // Anthropic response
+    /completion\.text/i,                       // Generic completion
+    /\.data\.choices/i,                        // API response
+    /await\s+\w+\.(?:chat|messages|completions)\.create/i, // API call
+    /response\.text\s*\(/i,                    // Response text method
+  ]
+
+  const fullContext = lineContent + '\n' + surroundingContext
+  return llmResponsePatterns.some(p => p.test(fullContext))
+}
+
+// ============================================================================
+// UI Suggestion / Template Pattern Detection (False Positive Filters)
+// ============================================================================
+
+/**
+ * Check if this is a UI suggestion/template pattern rather than execution sink
+ * These patterns create display strings for command palettes, autocomplete, etc.
+ */
+function isUITemplateSuggestion(lineContent: string, surroundingContext: string): boolean {
+  const fullContext = lineContent + '\n' + surroundingContext
+
+  // UI suggestion object patterns (command palette, autocomplete suggestions)
+  const uiSuggestionPatterns = [
+    // Object property patterns for suggestion items
+    /(?:id|key|label|title|name|description|completion|display|text|value|placeholder):\s*`[^`]*\$\{/i,
+    // Common suggestion UI patterns
+    /suggestions?\s*[=:]/i,
+    /completions?\s*[=:]/i,
+    /autocomplete/i,
+    /command\s*palette/i,
+    /fuzzy\s*search/i,
+    /search\s*result/i,
+    // UI component context patterns
+    /\.map\s*\(\s*\(?(?:item|result|suggestion|node|entry)/i,
+    /\.filter\s*\(/i,
+    // React/UI state patterns
+    /useState|setItems|setResults|setSuggestions/i,
+    // Template ID generation for UI
+    /id:\s*`[a-z]+-\$\{/i,  // id: `delete-${...}`, id: `edit-${...}`
+  ]
+
+  // These patterns should NOT be considered UI suggestions
+  const notUISuggestionPatterns = [
+    /\.query\s*\(/i,
+    /\.execute\s*\(/i,
+    /\.raw\s*\(/i,
+    /await\s+db\./i,
+    /prisma\./i,
+    /supabase\./i,
+    /knex\./i,
+    /sequelize\./i,
+    /child_process/i,
+    /exec\s*\(/i,
+    /spawn\s*\(/i,
+    /eval\s*\(/i,
+  ]
+
+  // Check if context matches UI pattern but NOT execution pattern
+  const matchesUIPattern = uiSuggestionPatterns.some(p => p.test(fullContext))
+  const matchesExecutionPattern = notUISuggestionPatterns.some(p => p.test(lineContent))
+
+  return matchesUIPattern && !matchesExecutionPattern
+}
+
+/**
+ * Check if this is a static template string (no actual LLM output interpolation)
+ * e.g., `delete ${node.title}` where node is app data, not LLM output
+ */
+function isAppDataInterpolation(lineContent: string, surroundingContext: string): boolean {
+  const fullContext = lineContent + '\n' + surroundingContext
+
+  // Patterns indicating the interpolated variable is app data, not LLM output
+  const appDataPatterns = [
+    // Database result/record properties
+    /\$\{(?:result|item|record|row|entry|node)\.(?:id|title|name|slug|key|label)\}/i,
+    // UI state properties
+    /\$\{(?:selected|current|active|item|node)\.(?:id|title|name|value)\}/i,
+    // Form/input data
+    /\$\{(?:data|values|form|input)\.(?:id|name|value)\}/i,
+    // Array iteration context
+    /\.map\s*\(\s*\(?(?:item|node|row|entry|result)/i,
+    /\.forEach\s*\(\s*\(?(?:item|node|row|entry|result)/i,
+  ]
+
+  // Patterns that suggest LLM output (should not skip)
+  const llmOutputPatterns = [
+    /\$\{(?:response|completion|generated|output|answer|reply|message)\.?/i,
+    /\$\{(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result)/i,
+    /\.choices\[0\]/i,
+    /\.content\[0\]\.text/i,
+  ]
+
+  const isAppData = appDataPatterns.some(p => p.test(fullContext))
+  const isLLMOutput = llmOutputPatterns.some(p => p.test(fullContext))
+
+  return isAppData && !isLLMOutput
+}
+
+// ============================================================================
+// Sandbox and Validation Detection
+// ============================================================================
+
+/**
+ * Check if execution is sandboxed
+ */
+function isSandboxedExecution(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 25)
+  const contextEnd = Math.min(lines.length, lineNumber + 10)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const sandboxPatterns = [
+    /vm2/i,
+    /isolated-vm/i,
+    /safeeval/i,
+    /safe-eval/i,
+    /sandbox/i,
+    /runInNewContext.*\{.*timeout/i,
+    /runInContext.*\{.*timeout/i,
+    /allowedGlobals/i,
+    /allowedModules/i,
+    /quickjs/i,
+    /webworker/i,
+    /iframe.*sandbox/i,
+  ]
+
+  return sandboxPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if output has validation before execution
+ */
+function hasOutputValidation(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const validationPatterns = [
+    /validate/i,
+    /sanitize/i,
+    /escape/i,
+    /filter/i,
+    /parse.*catch/i,
+    /schema\./i,
+    /\.parse\s*\(/i,
+    /allowlist/i,
+    /whitelist/i,
+    /blocklist/i,
+    /blacklist/i,
+    /JSON\.parse.*catch/i,
+    /DOMPurify/i,
+    /xss/i,
+  ]
+
+  return validationPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if this appears to be display-only usage (not execution)
+ */
+function isDisplayOnly(lineContent: string, surroundingContext: string): boolean {
+  const displayPatterns = [
+    /console\.(log|info|debug|warn)/i,
+    /textContent\s*=/i,
+    /innerText\s*=/i,
+    /\.text\s*=/i,
+    /setState.*display/i,
+    /render.*\{/i,
+    /<p>|<div>|<span>/i,
+    /\.send\s*\(/i,
+    /\.json\s*\(/i,
+    /return\s+.*response/i,
+  ]
+
+  const fullContext = lineContent + '\n' + surroundingContext
+  return displayPatterns.some(p => p.test(fullContext))
+}
+
+// ============================================================================
+// Pattern Definitions
+// ============================================================================
+
+type SinkType = 'code_execution' | 'shell_command' | 'sql_builder' | 'template_render'
+
+interface ExecutionSinkPattern {
+  name: string
+  pattern: RegExp
+  sinkType: SinkType
+  baseSeverity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+}
+
+const EXECUTION_SINK_PATTERNS: ExecutionSinkPattern[] = [
+  // ========== Code Execution Sinks ==========
+  {
+    name: 'LLM output to eval()',
+    pattern: /eval\s*\(\s*(?:response|result|output|completion|message|content|answer|generated|text)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'LLM output is passed directly to eval(). This allows arbitrary code execution if the model is manipulated via prompt injection.',
+    suggestedFix: 'Never eval() LLM output. Use structured output (JSON schema) and validate before processing. Consider using a sandboxed environment like vm2 if code execution is required.',
+  },
+  {
+    name: 'LLM output to Function constructor',
+    pattern: /new\s+Function\s*\([^)]*(?:response|result|output|completion|message|content|answer|generated)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'LLM output is passed to Function constructor, which is equivalent to eval().',
+    suggestedFix: 'Use JSON schemas to define expected output structure. Validate output before any processing.',
+  },
+  {
+    name: 'LLM output to vm.runInContext',
+    pattern: /vm\.run(?:InContext|InNewContext|InThisContext)\s*\(\s*(?:response|result|output|completion|content)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'high',
+    description: 'LLM output executed in Node.js VM context. While isolated, VM can still be escaped in some versions.',
+    suggestedFix: 'Use vm2 or isolated-vm for proper sandboxing. Add timeout and memory limits. Validate output structure before execution.',
+  },
+  // Generic pattern for code from LLM
+  {
+    name: 'Dynamic code execution from AI',
+    pattern: /(?:eval|exec|execute)\s*\(\s*(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result|Code)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated code is being executed dynamically.',
+    suggestedFix: 'Use a sandboxed code execution environment. Validate and restrict the allowed operations.',
+  },
+
+  // ========== Shell Command Sinks ==========
+  {
+    name: 'LLM output to exec()',
+    pattern: /(?:exec|execSync)\s*\(\s*(?:response|result|output|completion|command|content)(?:\.|\.data\.|\.text)?/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'LLM output is passed to shell exec(). Attackers can execute arbitrary system commands via prompt injection.',
+    suggestedFix: 'Never pass LLM output directly to shell. Use allowlists for permitted commands. Parse structured output and use execFile() with fixed command and arguments.',
+  },
+  {
+    name: 'LLM output to spawn()',
+    pattern: /spawn\s*\(\s*(?:response|result|output|completion|command|content)(?:\.|\.data\.|\.text)?/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'LLM output is passed to spawn(), allowing command execution.',
+    suggestedFix: 'Use a predefined list of allowed commands. Parse LLM output to extract only arguments, not command names.',
+  },
+  {
+    name: 'LLM output in shell template',
+    pattern: /`[^`]*\$\{(?:response|result|output|completion|command|content)[^}]*\}[^`]*`\s*(?:,|\))\s*(?:exec|spawn|child_process)/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'LLM output is interpolated into a shell command template.',
+    suggestedFix: 'Use execFile() with separate command and arguments array. Never interpolate AI output into shell strings.',
+  },
+  {
+    name: 'child_process with AI output',
+    pattern: /child_process\.\w+\s*\([^)]*(?:ai|llm|gpt|claude|chat)(?:Response|Output|Result)/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'AI-generated content passed to child_process module.',
+    suggestedFix: 'Implement strict allowlisting of commands. Parse structured output from LLM.',
+  },
+
+  // ========== SQL Builder Sinks ==========
+  {
+    name: 'LLM output in raw SQL',
+    pattern: /\.(?:query|execute|raw)\s*\(\s*(?:response|result|output|generated|sql|completion)(?:\.|\.data\.|\.text)?/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'critical',
+    description: 'LLM-generated SQL is executed directly. This enables SQL injection via prompt manipulation.',
+    suggestedFix: 'Use parameterized queries. Have LLM generate query parameters, not raw SQL. Validate generated SQL against an allowlist of patterns.',
+  },
+  {
+    name: 'LLM output in SQL template',
+    pattern: /`(?:SELECT|INSERT|UPDATE|DELETE)[^`]*\$\{(?:response|result|output|generated|completion)/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'critical',
+    description: 'LLM output interpolated into SQL query template.',
+    suggestedFix: 'Use parameterized queries. Have LLM output structured data (table names, conditions) that you validate against allowlists.',
+  },
+  {
+    name: 'Dynamic SQL from AI',
+    pattern: /(?:query|execute|sql)\s*\(\s*(?:ai|llm|gpt|claude)(?:Query|Sql|Response)/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'critical',
+    description: 'AI-generated SQL query being executed.',
+    suggestedFix: 'Validate SQL structure. Use read-only database connections. Implement query allowlisting.',
+  },
+
+  // ========== Template/DOM Sinks ==========
+  {
+    name: 'LLM output to innerHTML',
+    pattern: /\.innerHTML\s*=\s*(?:response|result|output|completion|message|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output assigned to innerHTML. If the model outputs malicious HTML/JS, it will execute (XSS).',
+    suggestedFix: 'Use textContent for plain text. Sanitize HTML with DOMPurify before rendering. Use React/Vue which auto-escape by default.',
+  },
+  {
+    name: 'LLM output to dangerouslySetInnerHTML',
+    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*(?:response|result|output|completion|message|content)/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output used in React dangerouslySetInnerHTML without sanitization.',
+    suggestedFix: 'Sanitize with DOMPurify: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}',
+  },
+  {
+    name: 'LLM output to document.write',
+    pattern: /document\.write\s*\(\s*(?:response|result|output|completion|message|content)/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to document.write, allowing script injection.',
+    suggestedFix: 'Use DOM manipulation methods with proper escaping. Never use document.write with dynamic content.',
+  },
+
+  // ========== M5: File System Sinks ==========
+  {
+    name: 'LLM output in file path',
+    pattern: /(?:readFile|writeFile|readFileSync|writeFileSync|unlink|unlinkSync|mkdir|mkdirSync|rmdir|rmSync)\s*\(\s*(?:response|result|output|completion|message|content|path)(?:\.|\.data\.|\.path)?/gi,
+    sinkType: 'code_execution', // Path traversal is code-level risk
+    baseSeverity: 'critical',
+    description: 'LLM-generated value used as file path. Path traversal attack possible - model could access or modify arbitrary files.',
+    suggestedFix: 'Validate AI output against allowed paths: if (!allowedPaths.some(p => path.resolve(output).startsWith(p))) throw. Use path.resolve() and check the result is within allowed directory.',
+  },
+  {
+    name: 'LLM output in fs operation',
+    pattern: /fs\.(?:read|write|append|unlink|mkdir|rm|stat|access)\w*\s*\(\s*(?:response|result|output|completion|aiPath|generatedPath)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated path passed to filesystem operation. Model could traverse to sensitive directories.',
+    suggestedFix: 'Create allowlist of permitted paths/directories. Use path.resolve() and validate result is within allowed boundaries.',
+  },
+  {
+    name: 'LLM output in path.join',
+    pattern: /path\.(?:join|resolve)\s*\([^)]*(?:response|result|output|completion|content|aiPath)[^)]*\).*(?:fs\.|readFile|writeFile)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'high',
+    description: 'AI output used in path construction before file operation. Validate the final path.',
+    suggestedFix: 'After path.join/resolve, check result is within allowed directory: const resolved = path.resolve(base, aiPath); if (!resolved.startsWith(allowedRoot)) throw',
+  },
+
+  // ========== M5: Dynamic Import Sinks ==========
+  {
+    name: 'LLM output in dynamic import',
+    pattern: /import\s*\(\s*(?:response|result|output|completion|message|content|moduleName|aiModule)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated value used in dynamic import(). Arbitrary module loading enables code execution.',
+    suggestedFix: 'Use allowlist for permitted modules: const allowed = ["lodash", "moment"]; if (!allowed.includes(moduleName)) throw. Never dynamically import AI-generated module paths.',
+  },
+  {
+    name: 'LLM output in require()',
+    pattern: /require\s*\(\s*(?:response|result|output|completion|message|content|moduleName|aiModule)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated value used in require(). Can load arbitrary modules including native code.',
+    suggestedFix: 'Use allowlist for permitted modules. Consider using import maps or module aliases instead of dynamic require.',
+  },
+  {
+    name: 'LLM output in module resolution',
+    pattern: /(?:require\.resolve|import\.meta\.resolve)\s*\(\s*(?:response|result|output|completion|moduleName)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'high',
+    description: 'AI output used in module path resolution. Could leak information about file system or enable module confusion attacks.',
+    suggestedFix: 'Validate module name against allowlist before resolution.',
+  },
+]
+
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+
+/**
+ * Get surrounding context for analysis
+ */
+function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 15): string {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize)
+  return lines.slice(start, end).join('\n')
+}
+
+/**
+ * Calculate severity based on sandbox and validation status
+ */
+function calculateSeverity(
+  baseSeverity: VulnerabilitySeverity,
+  sinkType: SinkType,
+  isSandboxed: boolean,
+  hasValidation: boolean,
+  isTestFile: boolean,
+  isExample: boolean = false,
+  isLibrary: boolean = false
+): VulnerabilitySeverity {
+  let severity = baseSeverity
+
+  // Test files get significant downgrade
+  if (isTestFile) {
+    return 'info'
+  }
+
+  // Example/demo code - not production, for tutorials
+  if (isExample) {
+    return 'info'
+  }
+
+  // Library code - base utilities, consumers add restrictions
+  if (isLibrary) {
+    return 'info'
+  }
+
+  // Sandboxing provides major protection for code execution
+  if (isSandboxed) {
+    if (sinkType === 'code_execution') {
+      severity = hasValidation ? 'low' : 'medium'
+    } else {
+      // Sandboxing less relevant for SQL/shell
+      severity = hasValidation ? 'medium' : 'high'
+    }
+  } else if (hasValidation) {
+    // Validation alone helps but doesn't eliminate risk
+    if (baseSeverity === 'critical') {
+      severity = 'high'
+    } else if (baseSeverity === 'high') {
+      severity = 'medium'
+    }
+  }
+
+  return severity
+}
+
+/**
+ * Main detection function for LLM output execution sinks
+ */
+export function detectAIExecutionSinks(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  // Skip non-applicable files
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+
+  // Only deeply scan files that appear to be in LLM context
+  // But still do basic scanning on all files for obvious patterns
+  const isLLMFile = isLLMContextFile(filePath, content)
+  const lines = content.split('\n')
+  const isTestFile = isTestOrMockFile(filePath)
+  const isExample = isExampleDirectory(filePath)
+  const isLibrary = isLibraryCode(filePath)
+
+  for (const pattern of EXECUTION_SINK_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      const surroundingContext = getSurroundingContext(content, lineNumber - 1)
+
+      // Check if this is actually in an LLM context
+      const hasLLMContext = isLLMFile || hasLLMResponseContext(lineContent, surroundingContext)
+
+      // ===== FALSE POSITIVE FILTERS =====
+
+      // Skip UI suggestion/template patterns (command palettes, autocomplete, etc.)
+      // These are display strings, not execution sinks
+      if (isUITemplateSuggestion(lineContent, surroundingContext)) {
+        continue
+      }
+
+      // Skip app data interpolation (e.g., ${node.title}, ${item.id})
+      // where the interpolated data is from the app, not LLM output
+      if (isAppDataInterpolation(lineContent, surroundingContext)) {
+        continue
+      }
+
+      // For non-LLM files, require stronger signal
+      if (!hasLLMContext) {
+        // Check if the matched variable looks like LLM output
+        const matchText = match[0]
+        const variableMatch = matchText.match(/(?:response|result|output|completion|message|content|answer|generated|text)/i)
+        if (!variableMatch) continue
+
+        // Skip if this looks like display-only usage
+        if (isDisplayOnly(lineContent, surroundingContext)) continue
+      }
+
+      // Check for sandboxing and validation
+      const isSandboxed = isSandboxedExecution(content, lineNumber)
+      const hasValidation = hasOutputValidation(content, lineNumber)
+
+      // Calculate final severity
+      const severity = calculateSeverity(
+        pattern.baseSeverity,
+        pattern.sinkType,
+        isSandboxed,
+        hasValidation,
+        isTestFile,
+        isExample,
+        isLibrary
+      )
+
+      // Build description with context
+      let description = pattern.description
+      if (isSandboxed) {
+        description += ' (Sandbox detected - risk somewhat mitigated.)'
+      }
+      if (hasValidation) {
+        description += ' (Some validation detected nearby.)'
+      }
+      if (isTestFile) {
+        description += ' (In test file.)'
+      } else if (isExample) {
+        description += ' (In example/demo directory - tutorial code.)'
+      } else if (isLibrary) {
+        description += ' (Library code - consumers add restrictions.)'
+      }
+
+      // Skip info-level in non-LLM files to reduce noise
+      if (severity === 'info' && !isLLMFile) continue
+
+      vulnerabilities.push({
+        id: `ai-exec-${filePath}-${lineNumber}-${pattern.sinkType}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_unsafe_execution',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: hasLLMContext ? 'high' : 'medium',
+        layer: 2,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+      })
+    }
+  }
+
+  return vulnerabilities
+}