@oculum/scanner 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/formatters/cli-terminal.d.ts +27 -0
- package/dist/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/formatters/cli-terminal.js +412 -0
- package/dist/formatters/cli-terminal.js.map +1 -0
- package/dist/formatters/github-comment.d.ts +41 -0
- package/dist/formatters/github-comment.d.ts.map +1 -0
- package/dist/formatters/github-comment.js +306 -0
- package/dist/formatters/github-comment.js.map +1 -0
- package/dist/formatters/grouping.d.ts +52 -0
- package/dist/formatters/grouping.d.ts.map +1 -0
- package/dist/formatters/grouping.js +152 -0
- package/dist/formatters/grouping.js.map +1 -0
- package/dist/formatters/index.d.ts +9 -0
- package/dist/formatters/index.d.ts.map +1 -0
- package/dist/formatters/index.js +35 -0
- package/dist/formatters/index.js.map +1 -0
- package/dist/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/formatters/vscode-diagnostic.js +151 -0
- package/dist/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/index.d.ts +52 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +648 -0
- package/dist/index.js.map +1 -0
- package/dist/layer1/comments.d.ts +8 -0
- package/dist/layer1/comments.d.ts.map +1 -0
- package/dist/layer1/comments.js +203 -0
- package/dist/layer1/comments.js.map +1 -0
- package/dist/layer1/config-audit.d.ts +8 -0
- package/dist/layer1/config-audit.d.ts.map +1 -0
- package/dist/layer1/config-audit.js +252 -0
- package/dist/layer1/config-audit.js.map +1 -0
- package/dist/layer1/entropy.d.ts +8 -0
- package/dist/layer1/entropy.d.ts.map +1 -0
- package/dist/layer1/entropy.js +500 -0
- package/dist/layer1/entropy.js.map +1 -0
- package/dist/layer1/file-flags.d.ts +7 -0
- package/dist/layer1/file-flags.d.ts.map +1 -0
- package/dist/layer1/file-flags.js +112 -0
- package/dist/layer1/file-flags.js.map +1 -0
- package/dist/layer1/index.d.ts +36 -0
- package/dist/layer1/index.d.ts.map +1 -0
- package/dist/layer1/index.js +132 -0
- package/dist/layer1/index.js.map +1 -0
- package/dist/layer1/patterns.d.ts +8 -0
- package/dist/layer1/patterns.d.ts.map +1 -0
- package/dist/layer1/patterns.js +482 -0
- package/dist/layer1/patterns.js.map +1 -0
- package/dist/layer1/urls.d.ts +8 -0
- package/dist/layer1/urls.d.ts.map +1 -0
- package/dist/layer1/urls.js +296 -0
- package/dist/layer1/urls.js.map +1 -0
- package/dist/layer1/weak-crypto.d.ts +7 -0
- package/dist/layer1/weak-crypto.d.ts.map +1 -0
- package/dist/layer1/weak-crypto.js +291 -0
- package/dist/layer1/weak-crypto.js.map +1 -0
- package/dist/layer2/ai-agent-tools.d.ts +19 -0
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
- package/dist/layer2/ai-agent-tools.js +528 -0
- package/dist/layer2/ai-agent-tools.js.map +1 -0
- package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
- package/dist/layer2/ai-endpoint-protection.js +332 -0
- package/dist/layer2/ai-endpoint-protection.js.map +1 -0
- package/dist/layer2/ai-execution-sinks.d.ts +18 -0
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
- package/dist/layer2/ai-execution-sinks.js +496 -0
- package/dist/layer2/ai-execution-sinks.js.map +1 -0
- package/dist/layer2/ai-fingerprinting.d.ts +7 -0
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
- package/dist/layer2/ai-fingerprinting.js +654 -0
- package/dist/layer2/ai-fingerprinting.js.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.js +356 -0
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
- package/dist/layer2/ai-rag-safety.d.ts +21 -0
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
- package/dist/layer2/ai-rag-safety.js +459 -0
- package/dist/layer2/ai-rag-safety.js.map +1 -0
- package/dist/layer2/ai-schema-validation.d.ts +25 -0
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
- package/dist/layer2/ai-schema-validation.js +375 -0
- package/dist/layer2/ai-schema-validation.js.map +1 -0
- package/dist/layer2/auth-antipatterns.d.ts +20 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
- package/dist/layer2/auth-antipatterns.js +333 -0
- package/dist/layer2/auth-antipatterns.js.map +1 -0
- package/dist/layer2/byok-patterns.d.ts +12 -0
- package/dist/layer2/byok-patterns.d.ts.map +1 -0
- package/dist/layer2/byok-patterns.js +299 -0
- package/dist/layer2/byok-patterns.js.map +1 -0
- package/dist/layer2/dangerous-functions.d.ts +7 -0
- package/dist/layer2/dangerous-functions.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions.js +1375 -0
- package/dist/layer2/dangerous-functions.js.map +1 -0
- package/dist/layer2/data-exposure.d.ts +16 -0
- package/dist/layer2/data-exposure.d.ts.map +1 -0
- package/dist/layer2/data-exposure.js +279 -0
- package/dist/layer2/data-exposure.js.map +1 -0
- package/dist/layer2/framework-checks.d.ts +7 -0
- package/dist/layer2/framework-checks.d.ts.map +1 -0
- package/dist/layer2/framework-checks.js +388 -0
- package/dist/layer2/framework-checks.js.map +1 -0
- package/dist/layer2/index.d.ts +58 -0
- package/dist/layer2/index.d.ts.map +1 -0
- package/dist/layer2/index.js +380 -0
- package/dist/layer2/index.js.map +1 -0
- package/dist/layer2/logic-gates.d.ts +7 -0
- package/dist/layer2/logic-gates.d.ts.map +1 -0
- package/dist/layer2/logic-gates.js +182 -0
- package/dist/layer2/logic-gates.js.map +1 -0
- package/dist/layer2/risky-imports.d.ts +7 -0
- package/dist/layer2/risky-imports.d.ts.map +1 -0
- package/dist/layer2/risky-imports.js +161 -0
- package/dist/layer2/risky-imports.js.map +1 -0
- package/dist/layer2/variables.d.ts +8 -0
- package/dist/layer2/variables.d.ts.map +1 -0
- package/dist/layer2/variables.js +152 -0
- package/dist/layer2/variables.js.map +1 -0
- package/dist/layer3/anthropic.d.ts +83 -0
- package/dist/layer3/anthropic.d.ts.map +1 -0
- package/dist/layer3/anthropic.js +1745 -0
- package/dist/layer3/anthropic.js.map +1 -0
- package/dist/layer3/index.d.ts +24 -0
- package/dist/layer3/index.d.ts.map +1 -0
- package/dist/layer3/index.js +119 -0
- package/dist/layer3/index.js.map +1 -0
- package/dist/layer3/openai.d.ts +25 -0
- package/dist/layer3/openai.d.ts.map +1 -0
- package/dist/layer3/openai.js +238 -0
- package/dist/layer3/openai.js.map +1 -0
- package/dist/layer3/package-check.d.ts +63 -0
- package/dist/layer3/package-check.d.ts.map +1 -0
- package/dist/layer3/package-check.js +508 -0
- package/dist/layer3/package-check.js.map +1 -0
- package/dist/modes/incremental.d.ts +66 -0
- package/dist/modes/incremental.d.ts.map +1 -0
- package/dist/modes/incremental.js +200 -0
- package/dist/modes/incremental.js.map +1 -0
- package/dist/tiers.d.ts +125 -0
- package/dist/tiers.d.ts.map +1 -0
- package/dist/tiers.js +234 -0
- package/dist/tiers.js.map +1 -0
- package/dist/types.d.ts +175 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +50 -0
- package/dist/types.js.map +1 -0
- package/dist/utils/auth-helper-detector.d.ts +56 -0
- package/dist/utils/auth-helper-detector.d.ts.map +1 -0
- package/dist/utils/auth-helper-detector.js +360 -0
- package/dist/utils/auth-helper-detector.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +96 -0
- package/dist/utils/context-helpers.d.ts.map +1 -0
- package/dist/utils/context-helpers.js +493 -0
- package/dist/utils/context-helpers.js.map +1 -0
- package/dist/utils/diff-detector.d.ts +53 -0
- package/dist/utils/diff-detector.d.ts.map +1 -0
- package/dist/utils/diff-detector.js +104 -0
- package/dist/utils/diff-detector.js.map +1 -0
- package/dist/utils/diff-parser.d.ts +80 -0
- package/dist/utils/diff-parser.d.ts.map +1 -0
- package/dist/utils/diff-parser.js +202 -0
- package/dist/utils/diff-parser.js.map +1 -0
- package/dist/utils/imported-auth-detector.d.ts +37 -0
- package/dist/utils/imported-auth-detector.d.ts.map +1 -0
- package/dist/utils/imported-auth-detector.js +251 -0
- package/dist/utils/imported-auth-detector.js.map +1 -0
- package/dist/utils/middleware-detector.d.ts +55 -0
- package/dist/utils/middleware-detector.d.ts.map +1 -0
- package/dist/utils/middleware-detector.js +260 -0
- package/dist/utils/middleware-detector.js.map +1 -0
- package/dist/utils/oauth-flow-detector.d.ts +41 -0
- package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
- package/dist/utils/oauth-flow-detector.js +202 -0
- package/dist/utils/oauth-flow-detector.js.map +1 -0
- package/dist/utils/path-exclusions.d.ts +55 -0
- package/dist/utils/path-exclusions.d.ts.map +1 -0
- package/dist/utils/path-exclusions.js +222 -0
- package/dist/utils/path-exclusions.js.map +1 -0
- package/dist/utils/project-context-builder.d.ts +119 -0
- package/dist/utils/project-context-builder.d.ts.map +1 -0
- package/dist/utils/project-context-builder.js +534 -0
- package/dist/utils/project-context-builder.js.map +1 -0
- package/dist/utils/registry-clients.d.ts +93 -0
- package/dist/utils/registry-clients.d.ts.map +1 -0
- package/dist/utils/registry-clients.js +273 -0
- package/dist/utils/registry-clients.js.map +1 -0
- package/dist/utils/trpc-analyzer.d.ts +78 -0
- package/dist/utils/trpc-analyzer.d.ts.map +1 -0
- package/dist/utils/trpc-analyzer.js +297 -0
- package/dist/utils/trpc-analyzer.js.map +1 -0
- package/package.json +45 -0
- package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
- package/src/__tests__/benchmark/fixtures/index.ts +68 -0
- package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
- package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
- package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
- package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
- package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
- package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
- package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
- package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
- package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
- package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
- package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
- package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
- package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
- package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
- package/src/__tests__/benchmark/index.ts +29 -0
- package/src/__tests__/benchmark/run-benchmark.ts +144 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
- package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
- package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
- package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
- package/src/__tests__/benchmark/types.ts +144 -0
- package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
- package/src/__tests__/regression/known-false-positives.test.ts +467 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
- package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
- package/src/__tests__/validation/analyze-results.ts +542 -0
- package/src/__tests__/validation/extract-for-triage.ts +146 -0
- package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
- package/src/__tests__/validation/run-validation.ts +364 -0
- package/src/__tests__/validation/triage-template.md +132 -0
- package/src/formatters/cli-terminal.ts +446 -0
- package/src/formatters/github-comment.ts +382 -0
- package/src/formatters/grouping.ts +190 -0
- package/src/formatters/index.ts +47 -0
- package/src/formatters/vscode-diagnostic.ts +243 -0
- package/src/index.ts +823 -0
- package/src/layer1/comments.ts +218 -0
- package/src/layer1/config-audit.ts +289 -0
- package/src/layer1/entropy.ts +583 -0
- package/src/layer1/file-flags.ts +127 -0
- package/src/layer1/index.ts +181 -0
- package/src/layer1/patterns.ts +516 -0
- package/src/layer1/urls.ts +334 -0
- package/src/layer1/weak-crypto.ts +328 -0
- package/src/layer2/ai-agent-tools.ts +601 -0
- package/src/layer2/ai-endpoint-protection.ts +387 -0
- package/src/layer2/ai-execution-sinks.ts +580 -0
- package/src/layer2/ai-fingerprinting.ts +758 -0
- package/src/layer2/ai-prompt-hygiene.ts +411 -0
- package/src/layer2/ai-rag-safety.ts +511 -0
- package/src/layer2/ai-schema-validation.ts +421 -0
- package/src/layer2/auth-antipatterns.ts +394 -0
- package/src/layer2/byok-patterns.ts +336 -0
- package/src/layer2/dangerous-functions.ts +1563 -0
- package/src/layer2/data-exposure.ts +315 -0
- package/src/layer2/framework-checks.ts +433 -0
- package/src/layer2/index.ts +473 -0
- package/src/layer2/logic-gates.ts +206 -0
- package/src/layer2/risky-imports.ts +186 -0
- package/src/layer2/variables.ts +166 -0
- package/src/layer3/anthropic.ts +2030 -0
- package/src/layer3/index.ts +130 -0
- package/src/layer3/package-check.ts +604 -0
- package/src/modes/incremental.ts +293 -0
- package/src/tiers.ts +318 -0
- package/src/types.ts +284 -0
- package/src/utils/auth-helper-detector.ts +443 -0
- package/src/utils/context-helpers.ts +535 -0
- package/src/utils/diff-detector.ts +135 -0
- package/src/utils/diff-parser.ts +272 -0
- package/src/utils/imported-auth-detector.ts +320 -0
- package/src/utils/middleware-detector.ts +333 -0
- package/src/utils/oauth-flow-detector.ts +246 -0
- package/src/utils/path-exclusions.ts +266 -0
- package/src/utils/project-context-builder.ts +707 -0
- package/src/utils/registry-clients.ts +351 -0
- package/src/utils/trpc-analyzer.ts +382 -0
|
@@ -0,0 +1,296 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Layer 1: URL Pattern Matching
|
|
4
|
+
* Detects hardcoded sensitive URLs that may indicate security issues
|
|
5
|
+
*/
|
|
6
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
+
exports.aggregateLocalhostFindings = aggregateLocalhostFindings;
|
|
8
|
+
exports.detectSensitiveURLs = detectSensitiveURLs;
|
|
9
|
+
// Check if file is documentation/README/example
|
|
10
|
+
function isDocumentationFile(filePath) {
|
|
11
|
+
const docPatterns = [
|
|
12
|
+
/README/i,
|
|
13
|
+
/CHANGELOG/i,
|
|
14
|
+
/CONTRIBUTING/i,
|
|
15
|
+
/LICENSE/i,
|
|
16
|
+
/\.md$/i,
|
|
17
|
+
/\.mdx$/i,
|
|
18
|
+
/\.rst$/i,
|
|
19
|
+
/\.adoc$/i,
|
|
20
|
+
/\/docs\//i,
|
|
21
|
+
/\/documentation\//i,
|
|
22
|
+
/\/wiki\//i,
|
|
23
|
+
/\/guides?\//i,
|
|
24
|
+
/\/tutorials?\//i,
|
|
25
|
+
/\/examples?\//i,
|
|
26
|
+
];
|
|
27
|
+
return docPatterns.some(p => p.test(filePath));
|
|
28
|
+
}
|
|
29
|
+
// Check if file is a config/constants file where localhost is expected
|
|
30
|
+
function isDevConfigFile(filePath) {
|
|
31
|
+
const devConfigPatterns = [
|
|
32
|
+
/\.env\.local$/i,
|
|
33
|
+
/\.env\.development$/i,
|
|
34
|
+
/\.env\.dev$/i,
|
|
35
|
+
/\.env\.example$/i,
|
|
36
|
+
/\.env\.sample$/i,
|
|
37
|
+
/config\.dev\./i,
|
|
38
|
+
/config\.development\./i,
|
|
39
|
+
/config\.local\./i,
|
|
40
|
+
/\/config\/development\//i,
|
|
41
|
+
/\/config\/local\//i,
|
|
42
|
+
/constants\.dev\./i,
|
|
43
|
+
];
|
|
44
|
+
return devConfigPatterns.some(p => p.test(filePath));
|
|
45
|
+
}
|
|
46
|
+
// URL patterns that may indicate security issues
|
|
47
|
+
const URL_PATTERNS = [
|
|
48
|
+
// Internal/staging endpoints in production code
|
|
49
|
+
{
|
|
50
|
+
pattern: /https?:\/\/localhost[:\d]*/gi,
|
|
51
|
+
name: 'Localhost URL',
|
|
52
|
+
severity: 'medium',
|
|
53
|
+
description: 'Hardcoded localhost URL found - may cause issues in production',
|
|
54
|
+
},
|
|
55
|
+
{
|
|
56
|
+
pattern: /https?:\/\/127\.0\.0\.1[:\d]*/gi,
|
|
57
|
+
name: 'Loopback URL',
|
|
58
|
+
severity: 'medium',
|
|
59
|
+
description: 'Hardcoded loopback IP address found',
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
pattern: /https?:\/\/[^\/]*staging[^\/]*\.[a-z]+/gi,
|
|
63
|
+
name: 'Staging URL',
|
|
64
|
+
severity: 'medium',
|
|
65
|
+
description: 'Hardcoded staging environment URL found',
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
pattern: /https?:\/\/[^\/]*\bdev\b[^\/]*\.[a-z]+/gi,
|
|
69
|
+
name: 'Development URL',
|
|
70
|
+
severity: 'low',
|
|
71
|
+
description: 'Hardcoded development environment URL found',
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
pattern: /https?:\/\/[^\/]*internal[^\/]*\.[a-z]+/gi,
|
|
75
|
+
name: 'Internal URL',
|
|
76
|
+
severity: 'high',
|
|
77
|
+
description: 'Hardcoded internal URL found - may expose internal infrastructure',
|
|
78
|
+
},
|
|
79
|
+
{
|
|
80
|
+
pattern: /https?:\/\/[^\/]*\btest\b[^\/]*\.[a-z]+/gi,
|
|
81
|
+
name: 'Test Environment URL',
|
|
82
|
+
severity: 'low',
|
|
83
|
+
description: 'Hardcoded test environment URL found',
|
|
84
|
+
},
|
|
85
|
+
// Admin/sensitive endpoints - downgraded to info (these are often intentional)
|
|
86
|
+
{
|
|
87
|
+
pattern: /['"`]\/admin(?:\/|['"`])/gi,
|
|
88
|
+
name: 'Admin Endpoint',
|
|
89
|
+
severity: 'info',
|
|
90
|
+
description: 'Admin endpoint path found - verify access control',
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
pattern: /['"`]\/api\/admin/gi,
|
|
94
|
+
name: 'Admin API Endpoint',
|
|
95
|
+
severity: 'low', // Downgraded from medium
|
|
96
|
+
description: 'Admin API endpoint found - verify access control',
|
|
97
|
+
},
|
|
98
|
+
// API keys in URLs
|
|
99
|
+
{
|
|
100
|
+
pattern: /\?api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
|
|
101
|
+
name: 'API Key in URL Query',
|
|
102
|
+
severity: 'high',
|
|
103
|
+
description: 'API key exposed in URL query parameter',
|
|
104
|
+
},
|
|
105
|
+
{
|
|
106
|
+
pattern: /&api[_-]?key=[a-zA-Z0-9_-]{10,}/gi,
|
|
107
|
+
name: 'API Key in URL Query',
|
|
108
|
+
severity: 'high',
|
|
109
|
+
description: 'API key exposed in URL query parameter',
|
|
110
|
+
},
|
|
111
|
+
{
|
|
112
|
+
pattern: /\?token=[a-zA-Z0-9_-]{10,}/gi,
|
|
113
|
+
name: 'Token in URL Query',
|
|
114
|
+
severity: 'high',
|
|
115
|
+
description: 'Token exposed in URL query parameter',
|
|
116
|
+
},
|
|
117
|
+
{
|
|
118
|
+
pattern: /\?secret=[a-zA-Z0-9_-]{10,}/gi,
|
|
119
|
+
name: 'Secret in URL Query',
|
|
120
|
+
severity: 'critical',
|
|
121
|
+
description: 'Secret exposed in URL query parameter',
|
|
122
|
+
},
|
|
123
|
+
// Webhook URLs (may contain secrets)
|
|
124
|
+
{
|
|
125
|
+
pattern: /https:\/\/hooks\.slack\.com\/services\/[a-zA-Z0-9\/]+/gi,
|
|
126
|
+
name: 'Slack Webhook URL',
|
|
127
|
+
severity: 'high',
|
|
128
|
+
description: 'Slack webhook URL found - should be stored as environment variable',
|
|
129
|
+
},
|
|
130
|
+
{
|
|
131
|
+
pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/gi,
|
|
132
|
+
name: 'Discord Webhook URL',
|
|
133
|
+
severity: 'high',
|
|
134
|
+
description: 'Discord webhook URL found - should be stored as environment variable',
|
|
135
|
+
},
|
|
136
|
+
// Debug/test endpoints - downgraded (often in test files or intentional)
|
|
137
|
+
{
|
|
138
|
+
pattern: /['"`]\/debug(?:\/|['"`])/gi,
|
|
139
|
+
name: 'Debug Endpoint',
|
|
140
|
+
severity: 'low', // Downgraded from medium
|
|
141
|
+
description: 'Debug endpoint found - verify not accessible in production',
|
|
142
|
+
},
|
|
143
|
+
{
|
|
144
|
+
pattern: /['"`]\/test(?:\/|['"`])/gi,
|
|
145
|
+
name: 'Test Endpoint',
|
|
146
|
+
severity: 'info', // Downgraded from low
|
|
147
|
+
description: 'Test endpoint found - typically safe in test context',
|
|
148
|
+
},
|
|
149
|
+
];
|
|
150
|
+
// Check if line is a comment
|
|
151
|
+
function isComment(lineContent) {
|
|
152
|
+
const trimmed = lineContent.trim();
|
|
153
|
+
return (trimmed.startsWith('//') ||
|
|
154
|
+
trimmed.startsWith('#') ||
|
|
155
|
+
trimmed.startsWith('*') ||
|
|
156
|
+
trimmed.startsWith('/*'));
|
|
157
|
+
}
|
|
158
|
+
// Check if it's in a test file
|
|
159
|
+
function isTestFile(filePath) {
|
|
160
|
+
return /\.(test|spec)\.(ts|tsx|js|jsx)$/i.test(filePath) ||
|
|
161
|
+
/\/__tests__\//i.test(filePath) ||
|
|
162
|
+
/\/test\//i.test(filePath);
|
|
163
|
+
}
|
|
164
|
+
// Check if URL is in an environment variable reference
|
|
165
|
+
function isEnvVarReference(lineContent) {
|
|
166
|
+
return lineContent.includes('process.env') ||
|
|
167
|
+
lineContent.includes('${') ||
|
|
168
|
+
lineContent.includes('import.meta.env');
|
|
169
|
+
}
|
|
170
|
+
// Get URL context for smarter detection
|
|
171
|
+
function getURLContext(lineContent, filePath) {
|
|
172
|
+
return {
|
|
173
|
+
isDevOnly: /['"]?BASE_URL['"]?|['"]?API_URL['"]?|['"]?NEXT_PUBLIC_/.test(lineContent),
|
|
174
|
+
isConfigFile: /config|settings|constants/.test(filePath.toLowerCase()),
|
|
175
|
+
isTestFile: isTestFile(filePath),
|
|
176
|
+
isEnvRef: isEnvVarReference(lineContent)
|
|
177
|
+
};
|
|
178
|
+
}
|
|
179
|
+
// Aggregate repeated localhost findings per file
|
|
180
|
+
function aggregateLocalhostFindings(vulnerabilities) {
|
|
181
|
+
const localhostByFile = new Map();
|
|
182
|
+
const result = [];
|
|
183
|
+
for (const vuln of vulnerabilities) {
|
|
184
|
+
// Check if this is a localhost/127.0.0.1 URL
|
|
185
|
+
if (vuln.category === 'sensitive_url' &&
|
|
186
|
+
/localhost|127\.0\.0\.1/i.test(vuln.lineContent)) {
|
|
187
|
+
const key = vuln.filePath;
|
|
188
|
+
if (!localhostByFile.has(key)) {
|
|
189
|
+
localhostByFile.set(key, { lines: [], urls: [], original: vuln });
|
|
190
|
+
}
|
|
191
|
+
const entry = localhostByFile.get(key);
|
|
192
|
+
entry.lines.push(vuln.lineNumber);
|
|
193
|
+
entry.urls.push(vuln.lineContent);
|
|
194
|
+
}
|
|
195
|
+
else {
|
|
196
|
+
result.push(vuln);
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
// Create aggregated findings for localhost URLs
|
|
200
|
+
for (const [filePath, data] of localhostByFile) {
|
|
201
|
+
const aggregated = {
|
|
202
|
+
...data.original,
|
|
203
|
+
title: `Localhost URLs in development code (${data.lines.length} instances)`,
|
|
204
|
+
description: `Found ${data.lines.length} localhost references on lines ${data.lines.join(', ')}. ` +
|
|
205
|
+
`This is typically safe in development but should use environment variables.`,
|
|
206
|
+
lineNumber: data.lines[0],
|
|
207
|
+
severity: 'info', // Downgraded to info
|
|
208
|
+
};
|
|
209
|
+
result.push(aggregated);
|
|
210
|
+
}
|
|
211
|
+
return result;
|
|
212
|
+
}
|
|
213
|
+
function detectSensitiveURLs(content, filePath) {
|
|
214
|
+
const vulnerabilities = [];
|
|
215
|
+
// Skip documentation files entirely - they often contain example URLs
|
|
216
|
+
if (isDocumentationFile(filePath)) {
|
|
217
|
+
return vulnerabilities;
|
|
218
|
+
}
|
|
219
|
+
const lines = content.split('\n');
|
|
220
|
+
const inTestFile = isTestFile(filePath);
|
|
221
|
+
const inDevConfig = isDevConfigFile(filePath);
|
|
222
|
+
for (let i = 0; i < lines.length; i++) {
|
|
223
|
+
const line = lines[i];
|
|
224
|
+
// Skip comments
|
|
225
|
+
if (isComment(line))
|
|
226
|
+
continue;
|
|
227
|
+
// Get context for this line
|
|
228
|
+
const context = getURLContext(line, filePath);
|
|
229
|
+
// Skip environment variable references entirely
|
|
230
|
+
if (context.isEnvRef)
|
|
231
|
+
continue;
|
|
232
|
+
for (const { pattern, name, severity, description } of URL_PATTERNS) {
|
|
233
|
+
// Reset regex state
|
|
234
|
+
const regex = new RegExp(pattern.source, pattern.flags);
|
|
235
|
+
const match = regex.exec(line);
|
|
236
|
+
if (match) {
|
|
237
|
+
const url = match[0];
|
|
238
|
+
// Special handling for localhost URLs
|
|
239
|
+
if (/localhost|127\.0\.0\.1/i.test(url)) {
|
|
240
|
+
// Skip localhost in test files, dev-only contexts, or dev config files
|
|
241
|
+
if (context.isTestFile || context.isDevOnly || inDevConfig) {
|
|
242
|
+
continue;
|
|
243
|
+
}
|
|
244
|
+
// Only flag localhost in production env files as high, otherwise info
|
|
245
|
+
const isProduction = filePath.includes('.env.production');
|
|
246
|
+
const adjustedSeverity = isProduction ? 'high' : 'info';
|
|
247
|
+
vulnerabilities.push({
|
|
248
|
+
id: `url-${filePath}-${i + 1}-${name}`,
|
|
249
|
+
filePath,
|
|
250
|
+
lineNumber: i + 1,
|
|
251
|
+
lineContent: line.trim(),
|
|
252
|
+
severity: adjustedSeverity,
|
|
253
|
+
category: 'sensitive_url',
|
|
254
|
+
title: name,
|
|
255
|
+
description: description + (isProduction ? ' (in production config!)' : ' (in dev/config file)'),
|
|
256
|
+
suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
|
|
257
|
+
confidence: isProduction ? 'high' : 'low',
|
|
258
|
+
layer: 1,
|
|
259
|
+
});
|
|
260
|
+
}
|
|
261
|
+
else {
|
|
262
|
+
// Normal URL handling (non-localhost)
|
|
263
|
+
// Lower severity for test files - downgrade more aggressively
|
|
264
|
+
let adjustedSeverity = severity;
|
|
265
|
+
if (inTestFile) {
|
|
266
|
+
if (severity === 'critical')
|
|
267
|
+
adjustedSeverity = 'high';
|
|
268
|
+
else if (severity === 'high')
|
|
269
|
+
adjustedSeverity = 'low';
|
|
270
|
+
else
|
|
271
|
+
adjustedSeverity = 'info';
|
|
272
|
+
}
|
|
273
|
+
// Non-critical URL findings require AI validation
|
|
274
|
+
const requiresAIValidation = severity !== 'critical';
|
|
275
|
+
vulnerabilities.push({
|
|
276
|
+
id: `url-${filePath}-${i + 1}-${name}`,
|
|
277
|
+
filePath,
|
|
278
|
+
lineNumber: i + 1,
|
|
279
|
+
lineContent: line.trim(),
|
|
280
|
+
severity: adjustedSeverity,
|
|
281
|
+
category: 'sensitive_url',
|
|
282
|
+
title: name,
|
|
283
|
+
description: description + (inTestFile ? ' (in test file)' : ''),
|
|
284
|
+
suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
|
|
285
|
+
confidence: inTestFile ? 'low' : 'medium',
|
|
286
|
+
layer: 1,
|
|
287
|
+
requiresAIValidation,
|
|
288
|
+
});
|
|
289
|
+
}
|
|
290
|
+
break; // Only report one URL issue per line
|
|
291
|
+
}
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
return vulnerabilities;
|
|
295
|
+
}
|
|
296
|
+
//# sourceMappingURL=urls.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"urls.js","sourceRoot":"","sources":["../../src/layer1/urls.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAiMH,gEA0CC;AAED,kDA6FC;AAtUD,gDAAgD;AAChD,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,WAAW,GAAG;QAClB,SAAS;QACT,YAAY;QACZ,eAAe;QACf,UAAU;QACV,QAAQ;QACR,SAAS;QACT,SAAS;QACT,UAAU;QACV,WAAW;QACX,oBAAoB;QACpB,WAAW;QACX,cAAc;QACd,iBAAiB;QACjB,gBAAgB;KACjB,CAAA;IACD,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,uEAAuE;AACvE,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,iBAAiB,GAAG;QACxB,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;QACd,kBAAkB;QAClB,iBAAiB;QACjB,gBAAgB;QAChB,wBAAwB;QACxB,kBAAkB;QAClB,0BAA0B;QAC1B,oBAAoB;QACpB,mBAAmB;KACpB,CAAA;IACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED,iDAAiD;AACjD,MAAM,YAAY,GAAG;IACnB,gDAAgD;IAChD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,gEAAgE;KAC9E;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,qCAAqC;KACnD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,KAAc;QACxB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,mEAAmE;KACjF;IACD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,KAAc;QACxB,WAAW,EAAE,sCAAsC;KACpD;IAED,+EAA+E;IAC/E;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,mDAAmD;KACjE;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,KAAc,EAAG,yBAAyB;QACpD,WAAW,EAAE,kDAAkD;KAChE;IAED,mBAAmB;IACnB;QACE,OAAO,EAAE,oCAAoC;QAC7C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,UAAmB;QAC7B,WAAW,EAAE,uCAAuC;KACrD;IAED,qCAAqC;IACrC;QACE,OAAO,EAAE,yDAAyD;QAClE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,OAAO,EAAE,yEAAyE;QAClF,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,sEAAsE;KACpF;IAED,yEAAyE;IACzE;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,KAAc,EAAG,yBAAyB;QACpD,WAAW,EAAE,4DAA4D;KAC1E;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAe,EAAG,sBAAsB;QAClD,WAAW,EAAE,sDAAsD;KACpE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,WAAmB;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,+BAA+B;AAC/B,SAAS,UAAU,CAAC,QAAgB;IAClC,OAAO,kCAAkC,CAAC,IAAI,CAAC,QAAQ,CAAC;QACjD,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/B,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACnC,CAAC;AAED,uDAAuD;AACvD,SAAS,iBAAiB,CAAC,WAAmB;IAC5C,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC;QACnC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC1B,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAA;AAChD,CAAC;AAED,wCAAwC;AACxC,SAAS,aAAa,CAAC,WAAmB,EAAE,QAAgB;IAM1D,OAAO;QACL,SAAS,EAAE,wDAAwD,CAAC,IAAI,CAAC,WAAW,CAAC;QACrF,YAAY,EAAE,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACtE,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC;QAChC,QAAQ,EAAE,iBAAiB,CAAC,WAAW,CAAC;KACzC,CAAA;AACH,CAAC;AAED,iDAAiD;AACjD,SAAgB,0BAA0B,CACxC,eAAgC;IAEhC,MAAM,eAAe,GAAG,IAAI,GAAG,EAI3B,CAAA;IAEJ,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,6CAA6C;QAC7C,IAAI,IAAI,CAAC,QAAQ,KAAK,eAAe;YACjC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAErD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAA;YACzB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;YACnE,CAAC;YACD,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAE,CAAA;YACvC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;YACjC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACnC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACnB,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,eAAe,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAkB;YAChC,GAAG,IAAI,CAAC,QAAQ;YAChB,KAAK,EAAE,uCAAuC,IAAI,CAAC,KAAK,CAAC,MAAM,aAAa;YAC5E,WAAW,EAAE,SAAS,IAAI,CAAC,KAAK,CAAC,MAAM,kCAAkC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBAChG,6EAA6E;YAC/E,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACzB,QAAQ,EAAE,MAAM,EAAG,qBAAqB;SACzC,CAAA;QACD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACzB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAgB,mBAAmB,CACjC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,sEAAsE;IACtE,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IACvC,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IAE7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,4BAA4B;QAC5B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAE7C,gDAAgD;QAChD,IAAI,OAAO,CAAC,QAAQ;YAAE,SAAQ;QAE9B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,YAAY,EAAE,CAAC;YACpE,oBAAoB;YACpB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC9B,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBAEpB,sCAAsC;gBACtC,IAAI,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxC,uEAAuE;oBACvE,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,SAAS,IAAI,WAAW,EAAE,CAAC;wBAC3D,SAAQ;oBACV,CAAC;oBAED,sEAAsE;oBACtE,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAA;oBACzD,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,MAAe,CAAC,CAAC,CAAC,MAAe,CAAA;oBAEzE,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;wBACtC,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,eAAe;wBACzB,KAAK,EAAE,IAAI;wBACX,WAAW,EAAE,WAAW,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,uBAAuB,CAAC;wBAChG,YAAY,EAAE,6FAA6F;wBAC3G,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;wBACzC,KAAK,EAAE,CAAC;qBACT,CAAC,CAAA;gBACJ,CAAC;qBAAM,CAAC;oBACN,sCAAsC;oBACtC,8DAA8D;oBAC9D,IAAI,gBAAgB,GAAG,QAAQ,CAAA;oBAC/B,IAAI,UAAU,EAAE,CAAC;wBACf,IAAI,QAAQ,KAAK,UAAU;4BAAE,gBAAgB,GAAG,MAAM,CAAA;6BACjD,IAAI,QAAQ,KAAK,MAAM;4BAAE,gBAAgB,GAAG,KAAK,CAAA;;4BACjD,gBAAgB,GAAG,MAAM,CAAA;oBAChC,CAAC;oBAED,kDAAkD;oBAClD,MAAM,oBAAoB,GAAG,QAAQ,KAAK,UAAU,CAAA;oBAEpD,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;wBACtC,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,eAAe;wBACzB,KAAK,EAAE,IAAI;wBACX,WAAW,EAAE,WAAW,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;wBAChE,YAAY,EAAE,6FAA6F;wBAC3G,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;wBACzC,KAAK,EAAE,CAAC;wBACR,oBAAoB;qBACrB,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,qCAAqC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Layer 1: Weak Cryptography Detection
|
|
3
|
+
* Detects usage of deprecated or weak cryptographic algorithms
|
|
4
|
+
*/
|
|
5
|
+
import type { Vulnerability } from '../types';
|
|
6
|
+
export declare function detectWeakCrypto(content: string, filePath: string): Vulnerability[];
|
|
7
|
+
//# sourceMappingURL=weak-crypto.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"weak-crypto.d.ts","sourceRoot":"","sources":["../../src/layer1/weak-crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAsQ7C,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CAyDjB"}
|
|
@@ -0,0 +1,291 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Layer 1: Weak Cryptography Detection
|
|
4
|
+
* Detects usage of deprecated or weak cryptographic algorithms
|
|
5
|
+
*/
|
|
6
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
+
exports.detectWeakCrypto = detectWeakCrypto;
|
|
8
|
+
// Weak/deprecated cryptographic patterns
|
|
9
|
+
const WEAK_CRYPTO_PATTERNS = [
|
|
10
|
+
// Weak hash algorithms
|
|
11
|
+
{
|
|
12
|
+
pattern: /\bMD5\s*\(/gi,
|
|
13
|
+
name: 'MD5 Hash Usage',
|
|
14
|
+
severity: 'high',
|
|
15
|
+
description: 'MD5 is cryptographically broken and should not be used for security purposes',
|
|
16
|
+
fix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
|
|
17
|
+
contextCheck: (line) => {
|
|
18
|
+
// Only flag as high if used in security context (passwords, tokens, etc.)
|
|
19
|
+
// Checksum/etag usage is acceptable for non-security purposes
|
|
20
|
+
const securityContexts = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /key/i];
|
|
21
|
+
const checksumContexts = [/checksum/i, /hash.*file/i, /file.*hash/i, /etag/i, /content.*hash/i, /integrity/i, /digest/i, /fingerprint/i];
|
|
22
|
+
const isSecurityContext = securityContexts.some(p => p.test(line));
|
|
23
|
+
const isChecksumContext = checksumContexts.some(p => p.test(line));
|
|
24
|
+
// If it's clearly a checksum context, don't flag
|
|
25
|
+
if (isChecksumContext && !isSecurityContext) {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
return true;
|
|
29
|
+
},
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/gi,
|
|
33
|
+
name: 'MD5 Hash Creation',
|
|
34
|
+
severity: 'high',
|
|
35
|
+
description: 'MD5 is cryptographically broken and should not be used for security purposes',
|
|
36
|
+
fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
|
|
37
|
+
contextCheck: (line, _match, funcName) => {
|
|
38
|
+
// Check function name and line context for checksum indicators
|
|
39
|
+
const checksumIndicators = [/checksum/i, /etag/i, /content.*hash/i, /file.*hash/i, /integrity/i, /digest/i, /fingerprint/i, /verify.*file/i];
|
|
40
|
+
const securityIndicators = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i];
|
|
41
|
+
const lineAndFunc = funcName ? `${funcName} ${line}` : line;
|
|
42
|
+
const isChecksum = checksumIndicators.some(p => p.test(lineAndFunc));
|
|
43
|
+
const isSecurity = securityIndicators.some(p => p.test(lineAndFunc));
|
|
44
|
+
// Checksum use without security context = acceptable, don't flag
|
|
45
|
+
if (isChecksum && !isSecurity) {
|
|
46
|
+
return false;
|
|
47
|
+
}
|
|
48
|
+
return true;
|
|
49
|
+
},
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
pattern: /\bSHA1\s*\(/gi,
|
|
53
|
+
name: 'SHA1 Hash Usage',
|
|
54
|
+
severity: 'medium',
|
|
55
|
+
description: 'SHA1 is deprecated and vulnerable to collision attacks',
|
|
56
|
+
fix: 'Use SHA-256 or SHA-3 for hashing.',
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/gi,
|
|
60
|
+
name: 'SHA1 Hash Creation',
|
|
61
|
+
severity: 'medium',
|
|
62
|
+
description: 'SHA1 is deprecated and vulnerable to collision attacks',
|
|
63
|
+
fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
|
|
64
|
+
},
|
|
65
|
+
// Weak encryption algorithms
|
|
66
|
+
{
|
|
67
|
+
pattern: /\bDES\b(?!ede3|3)/gi,
|
|
68
|
+
name: 'DES Encryption',
|
|
69
|
+
severity: 'high',
|
|
70
|
+
description: 'DES is obsolete and easily broken. Use AES instead.',
|
|
71
|
+
fix: 'Use AES-256-GCM for symmetric encryption.',
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
pattern: /createCipher(?:iv)?\s*\(\s*['"]des['"]/gi,
|
|
75
|
+
name: 'DES Cipher Creation',
|
|
76
|
+
severity: 'high',
|
|
77
|
+
description: 'DES is obsolete and easily broken',
|
|
78
|
+
fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
pattern: /\bRC4\b/gi,
|
|
82
|
+
name: 'RC4 Encryption',
|
|
83
|
+
severity: 'high',
|
|
84
|
+
description: 'RC4 is broken and should never be used',
|
|
85
|
+
fix: 'Use AES-256-GCM for symmetric encryption.',
|
|
86
|
+
},
|
|
87
|
+
{
|
|
88
|
+
pattern: /createCipher(?:iv)?\s*\(\s*['"]rc4['"]/gi,
|
|
89
|
+
name: 'RC4 Cipher Creation',
|
|
90
|
+
severity: 'high',
|
|
91
|
+
description: 'RC4 is broken and should never be used',
|
|
92
|
+
fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
pattern: /\bBlowfish\b/gi,
|
|
96
|
+
name: 'Blowfish Encryption',
|
|
97
|
+
severity: 'medium',
|
|
98
|
+
description: 'Blowfish has a small block size and is not recommended for new applications',
|
|
99
|
+
fix: 'Use AES-256-GCM for symmetric encryption.',
|
|
100
|
+
},
|
|
101
|
+
// Insecure random number generation
|
|
102
|
+
{
|
|
103
|
+
pattern: /Math\.random\s*\(\s*\)/g,
|
|
104
|
+
name: 'Math.random() for Security',
|
|
105
|
+
severity: 'high',
|
|
106
|
+
description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
|
|
107
|
+
fix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
|
|
108
|
+
contextCheck: (line) => {
|
|
109
|
+
// Only flag if it looks like it's being used for security
|
|
110
|
+
const securityContexts = [
|
|
111
|
+
/token/i, /secret/i, /key/i, /password/i, /salt/i,
|
|
112
|
+
/nonce/i, /iv/i, /random.*id/i, /uuid/i, /session/i,
|
|
113
|
+
];
|
|
114
|
+
return securityContexts.some(ctx => ctx.test(line));
|
|
115
|
+
},
|
|
116
|
+
},
|
|
117
|
+
// Weak key derivation
|
|
118
|
+
{
|
|
119
|
+
pattern: /pbkdf2.*iterations?\s*[=:]\s*(\d+)/gi,
|
|
120
|
+
name: 'Weak PBKDF2 Iterations',
|
|
121
|
+
severity: 'medium',
|
|
122
|
+
description: 'PBKDF2 with low iteration count is vulnerable to brute force attacks',
|
|
123
|
+
fix: 'Use at least 100,000 iterations for PBKDF2, or switch to Argon2.',
|
|
124
|
+
contextCheck: (line, match) => {
|
|
125
|
+
const iterations = parseInt(match[1], 10);
|
|
126
|
+
return iterations < 10000;
|
|
127
|
+
},
|
|
128
|
+
},
|
|
129
|
+
// Weak bcrypt rounds
|
|
130
|
+
{
|
|
131
|
+
pattern: /bcrypt\.hash\s*\([^,]+,\s*(\d+)/gi,
|
|
132
|
+
name: 'Weak bcrypt Rounds',
|
|
133
|
+
severity: 'medium',
|
|
134
|
+
description: 'bcrypt with low cost factor is vulnerable to brute force attacks',
|
|
135
|
+
fix: 'Use at least 10 rounds for bcrypt (12 recommended).',
|
|
136
|
+
contextCheck: (line, match) => {
|
|
137
|
+
const rounds = parseInt(match[1], 10);
|
|
138
|
+
return rounds < 10;
|
|
139
|
+
},
|
|
140
|
+
},
|
|
141
|
+
// ECB mode (insecure)
|
|
142
|
+
{
|
|
143
|
+
pattern: /['"]aes-\d+-ecb['"]/gi,
|
|
144
|
+
name: 'AES ECB Mode',
|
|
145
|
+
severity: 'high',
|
|
146
|
+
description: 'ECB mode is insecure as it does not provide semantic security',
|
|
147
|
+
fix: 'Use AES-GCM or AES-CBC with proper IV handling.',
|
|
148
|
+
},
|
|
149
|
+
// Deprecated createCipher (no IV)
|
|
150
|
+
{
|
|
151
|
+
pattern: /createCipher\s*\(/g,
|
|
152
|
+
name: 'Deprecated createCipher',
|
|
153
|
+
severity: 'high',
|
|
154
|
+
description: 'createCipher is deprecated and does not use an IV, making it insecure',
|
|
155
|
+
fix: 'Use createCipheriv() with a random IV instead.',
|
|
156
|
+
},
|
|
157
|
+
// Hardcoded encryption keys
|
|
158
|
+
{
|
|
159
|
+
pattern: /(?:encryption|cipher|aes)[_-]?key\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
|
|
160
|
+
name: 'Hardcoded Encryption Key',
|
|
161
|
+
severity: 'critical',
|
|
162
|
+
description: 'Encryption key is hardcoded in source code',
|
|
163
|
+
fix: 'Store encryption keys in environment variables or a secure key management system.',
|
|
164
|
+
},
|
|
165
|
+
// Hardcoded IVs
|
|
166
|
+
{
|
|
167
|
+
pattern: /\biv\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
|
|
168
|
+
name: 'Hardcoded IV',
|
|
169
|
+
severity: 'high',
|
|
170
|
+
description: 'Initialization vector (IV) should be random for each encryption operation',
|
|
171
|
+
fix: 'Generate a random IV using crypto.randomBytes() for each encryption.',
|
|
172
|
+
},
|
|
173
|
+
];
|
|
174
|
+
// Check if line is a comment
|
|
175
|
+
function isComment(lineContent) {
|
|
176
|
+
const trimmed = lineContent.trim();
|
|
177
|
+
return (trimmed.startsWith('//') ||
|
|
178
|
+
trimmed.startsWith('#') ||
|
|
179
|
+
trimmed.startsWith('*') ||
|
|
180
|
+
trimmed.startsWith('/*'));
|
|
181
|
+
}
|
|
182
|
+
// Check if line is a pattern definition (regex or string literal in detector code)
|
|
183
|
+
function isPatternDefinition(lineContent) {
|
|
184
|
+
const trimmed = lineContent.trim();
|
|
185
|
+
// Pattern definitions typically look like:
|
|
186
|
+
// pattern: /regex/
|
|
187
|
+
// name: 'string'
|
|
188
|
+
// description: 'string'
|
|
189
|
+
// fix: 'string'
|
|
190
|
+
return (trimmed.startsWith('pattern:') ||
|
|
191
|
+
trimmed.startsWith('name:') ||
|
|
192
|
+
trimmed.startsWith('description:') ||
|
|
193
|
+
trimmed.startsWith('fix:') ||
|
|
194
|
+
// Also check for object property assignments with these names
|
|
195
|
+
/^\s*(pattern|name|description|fix|severity)\s*:/.test(lineContent));
|
|
196
|
+
}
|
|
197
|
+
// Check if file is part of the scanner's own detection code
|
|
198
|
+
function isScannerDetectorFile(filePath) {
|
|
199
|
+
return (filePath.includes('scanner/src/layer1/') ||
|
|
200
|
+
filePath.includes('scanner/src/layer2/') ||
|
|
201
|
+
filePath.includes('scanner/src/layer3/') ||
|
|
202
|
+
filePath.includes('/lib/scanner/layer1/') ||
|
|
203
|
+
filePath.includes('/lib/scanner/layer2/') ||
|
|
204
|
+
filePath.includes('/lib/scanner/layer3/'));
|
|
205
|
+
}
|
|
206
|
+
// Check if file is a test file or fixture
|
|
207
|
+
function isTestOrFixtureFile(filePath) {
|
|
208
|
+
const lowerPath = filePath.toLowerCase();
|
|
209
|
+
return (lowerPath.includes('__tests__') ||
|
|
210
|
+
lowerPath.includes('__mocks__') ||
|
|
211
|
+
lowerPath.includes('/test/') ||
|
|
212
|
+
lowerPath.includes('/tests/') ||
|
|
213
|
+
lowerPath.includes('/fixtures/') ||
|
|
214
|
+
lowerPath.includes('/fixture/') ||
|
|
215
|
+
lowerPath.includes('.test.') ||
|
|
216
|
+
lowerPath.includes('.spec.') ||
|
|
217
|
+
lowerPath.includes('-test.') ||
|
|
218
|
+
lowerPath.includes('-spec.') ||
|
|
219
|
+
lowerPath.includes('benchmark'));
|
|
220
|
+
}
|
|
221
|
+
/**
|
|
222
|
+
* Find the enclosing function name for a given line
|
|
223
|
+
*/
|
|
224
|
+
function findEnclosingFunctionName(lines, lineIndex) {
|
|
225
|
+
// Look backwards for function declaration
|
|
226
|
+
for (let i = lineIndex; i >= 0 && i >= lineIndex - 20; i--) {
|
|
227
|
+
const line = lines[i];
|
|
228
|
+
// Match function declarations: function name(), const name = (), async function name()
|
|
229
|
+
const funcMatch = line.match(/(?:function\s+|const\s+|let\s+|var\s+)(\w+)\s*(?:=\s*(?:async\s*)?\(|=\s*(?:async\s+)?function|\()/);
|
|
230
|
+
if (funcMatch) {
|
|
231
|
+
return funcMatch[1];
|
|
232
|
+
}
|
|
233
|
+
// Match method declarations: name() { or name: function()
|
|
234
|
+
const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/);
|
|
235
|
+
if (methodMatch) {
|
|
236
|
+
return methodMatch[1];
|
|
237
|
+
}
|
|
238
|
+
}
|
|
239
|
+
return undefined;
|
|
240
|
+
}
|
|
241
|
+
function detectWeakCrypto(content, filePath) {
|
|
242
|
+
const vulnerabilities = [];
|
|
243
|
+
const lines = content.split('\n');
|
|
244
|
+
// Skip scanner's own detector files to avoid self-detection
|
|
245
|
+
if (isScannerDetectorFile(filePath)) {
|
|
246
|
+
return vulnerabilities;
|
|
247
|
+
}
|
|
248
|
+
// Skip test files and fixtures (intentional vulnerable code for testing)
|
|
249
|
+
if (isTestOrFixtureFile(filePath)) {
|
|
250
|
+
return vulnerabilities;
|
|
251
|
+
}
|
|
252
|
+
for (let i = 0; i < lines.length; i++) {
|
|
253
|
+
const line = lines[i];
|
|
254
|
+
// Skip comments
|
|
255
|
+
if (isComment(line))
|
|
256
|
+
continue;
|
|
257
|
+
// Skip pattern definitions (detector rule definitions)
|
|
258
|
+
if (isPatternDefinition(line))
|
|
259
|
+
continue;
|
|
260
|
+
for (const cryptoPattern of WEAK_CRYPTO_PATTERNS) {
|
|
261
|
+
const { pattern, name, severity, description, fix, contextCheck } = cryptoPattern;
|
|
262
|
+
// Reset regex state
|
|
263
|
+
const regex = new RegExp(pattern.source, pattern.flags);
|
|
264
|
+
const match = regex.exec(line);
|
|
265
|
+
if (match) {
|
|
266
|
+
// If there's a context check, apply it
|
|
267
|
+
// Pass function name for additional context
|
|
268
|
+
const funcName = findEnclosingFunctionName(lines, i);
|
|
269
|
+
if (contextCheck && !contextCheck(line, match, funcName)) {
|
|
270
|
+
continue;
|
|
271
|
+
}
|
|
272
|
+
vulnerabilities.push({
|
|
273
|
+
id: `weak-crypto-${filePath}-${i + 1}-${name}`,
|
|
274
|
+
filePath,
|
|
275
|
+
lineNumber: i + 1,
|
|
276
|
+
lineContent: line.trim(),
|
|
277
|
+
severity,
|
|
278
|
+
category: 'weak_crypto',
|
|
279
|
+
title: name,
|
|
280
|
+
description,
|
|
281
|
+
suggestedFix: fix,
|
|
282
|
+
confidence: 'high',
|
|
283
|
+
layer: 1,
|
|
284
|
+
});
|
|
285
|
+
break; // Only report one crypto issue per line
|
|
286
|
+
}
|
|
287
|
+
}
|
|
288
|
+
}
|
|
289
|
+
return vulnerabilities;
|
|
290
|
+
}
|
|
291
|
+
//# sourceMappingURL=weak-crypto.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"weak-crypto.js","sourceRoot":"","sources":["../../src/layer1/weak-crypto.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAwQH,4CA4DC;AAhUD,yCAAyC;AACzC,MAAM,oBAAoB,GAAG;IAC3B,uBAAuB;IACvB;QACE,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,8EAA8E;QAC3F,GAAG,EAAE,iFAAiF;QACtF,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,0EAA0E;YAC1E,8DAA8D;YAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;YACvG,MAAM,gBAAgB,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,CAAA;YAExI,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAClE,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAElE,iDAAiD;YACjD,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5C,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;KACF;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,8EAA8E;QAC3F,GAAG,EAAE,iEAAiE;QACtE,YAAY,EAAE,CAAC,IAAY,EAAE,MAAwB,EAAE,QAAiB,EAAE,EAAE;YAC1E,+DAA+D;YAC/D,MAAM,kBAAkB,GAAG,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,eAAe,CAAC,CAAA;YAC5I,MAAM,kBAAkB,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA;YAEjG,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;YAE3D,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YACpE,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAEpE,iEAAiE;YACjE,IAAI,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC9B,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;KACF;IACD;QACE,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,wDAAwD;QACrE,GAAG,EAAE,mCAAmC;KACzC;IACD;QACE,OAAO,EAAE,uCAAuC;QAChD,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,wDAAwD;QACrE,GAAG,EAAE,iEAAiE;KACvE;IAED,6BAA6B;IAC7B;QACE,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,qDAAqD;QAClE,GAAG,EAAE,2CAA2C;KACjD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,mCAAmC;QAChD,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;QACrD,GAAG,EAAE,2CAA2C;KACjD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;QACrD,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,6EAA6E;QAC1F,GAAG,EAAE,2CAA2C;KACjD;IAED,oCAAoC;IACpC;QACE,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,4FAA4F;QACzG,GAAG,EAAE,oFAAoF;QACzF,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,0DAA0D;YAC1D,MAAM,gBAAgB,GAAG;gBACvB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO;gBACjD,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU;aACpD,CAAA;YACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACrD,CAAC;KACF;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,sEAAsE;QACnF,GAAG,EAAE,kEAAkE;QACvE,YAAY,EAAE,CAAC,IAAY,EAAE,KAAuB,EAAE,EAAE;YACtD,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACzC,OAAO,UAAU,GAAG,KAAK,CAAA;QAC3B,CAAC;KACF;IAED,qBAAqB;IACrB;QACE,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,kEAAkE;QAC/E,GAAG,EAAE,qDAAqD;QAC1D,YAAY,EAAE,CAAC,IAAY,EAAE,KAAuB,EAAE,EAAE;YACtD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACrC,OAAO,MAAM,GAAG,EAAE,CAAA;QACpB,CAAC;KACF;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,uBAAuB;QAChC,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,+DAA+D;QAC5E,GAAG,EAAE,iDAAiD;KACvD;IAED,kCAAkC;IAClC;QACE,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,uEAAuE;QACpF,GAAG,EAAE,gDAAgD;KACtD;IAED,4BAA4B;IAC5B;QACE,OAAO,EAAE,0EAA0E;QACnF,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAmB;QAC7B,WAAW,EAAE,4CAA4C;QACzD,GAAG,EAAE,mFAAmF;KACzF;IAED,gBAAgB;IAChB;QACE,OAAO,EAAE,6CAA6C;QACtD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,2EAA2E;QACxF,GAAG,EAAE,sEAAsE;KAC5E;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,WAAmB;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,mFAAmF;AACnF,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,2CAA2C;IAC3C,mBAAmB;IACnB,iBAAiB;IACjB,wBAAwB;IACxB,gBAAgB;IAChB,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAC3B,OAAO,CAAC,UAAU,CAAC,cAAc,CAAC;QAClC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1B,8DAA8D;QAC9D,iDAAiD,CAAC,IAAI,CAAC,WAAW,CAAC,CACpE,CAAA;AACH,CAAC;AAED,4DAA4D;AAC5D,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,OAAO,CACL,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACzC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACzC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAC1C,CAAA;AACH,CAAC;AAED,0CAA0C;AAC1C,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;QAChC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAChC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAAC,KAAe,EAAE,SAAiB;IACnE,0CAA0C;IAC1C,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3D,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,uFAAuF;QACvF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,oGAAoG,CAAC,CAAA;QAClI,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC,CAAC,CAAC,CAAA;QACrB,CAAC;QACD,0DAA0D;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAA;QACzE,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACvB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAgB,gBAAgB,CAC9B,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,4DAA4D;IAC5D,IAAI,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,yEAAyE;IACzE,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,uDAAuD;QACvD,IAAI,mBAAmB,CAAC,IAAI,CAAC;YAAE,SAAQ;QAEvC,KAAK,MAAM,aAAa,IAAI,oBAAoB,EAAE,CAAC;YACjD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,aAAa,CAAA;YAEjF,oBAAoB;YACpB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YACvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAE9B,IAAI,KAAK,EAAE,CAAC;gBACV,uCAAuC;gBACvC,4CAA4C;gBAC5C,MAAM,QAAQ,GAAG,yBAAyB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;gBACpD,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACzD,SAAQ;gBACV,CAAC;gBAED,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,eAAe,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;oBAC9C,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ;oBACR,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,IAAI;oBACX,WAAW;oBACX,YAAY,EAAE,GAAG;oBACjB,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK,CAAC,wCAAwC;YAChD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Layer 2: AI Agent Tool Permission Detection
|
|
3
|
+
* Detects overly permissive agent tools and missing authorization checks
|
|
4
|
+
*
|
|
5
|
+
* Covers B4: Agent/tool orchestration logic
|
|
6
|
+
*
|
|
7
|
+
* Issues detected:
|
|
8
|
+
* - Tools with unrestricted file system access
|
|
9
|
+
* - Tools with unrestricted network access
|
|
10
|
+
* - Tools with shell/code execution capability
|
|
11
|
+
* - Tools without user/tenant context verification
|
|
12
|
+
* - Database tools without proper scoping
|
|
13
|
+
*/
|
|
14
|
+
import type { Vulnerability } from '../types';
|
|
15
|
+
/**
|
|
16
|
+
* Main detection function for AI agent tool permission issues
|
|
17
|
+
*/
|
|
18
|
+
export declare function detectAIAgentTools(content: string, filePath: string): Vulnerability[];
|
|
19
|
+
//# sourceMappingURL=ai-agent-tools.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ai-agent-tools.d.ts","sourceRoot":"","sources":["../../src/layer2/ai-agent-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AAmapE;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CAiKjB"}
|