@oculum/scanner 1.0.10 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/ai-context/index.d.ts +6 -0
- package/dist/ai-context/index.d.ts.map +1 -0
- package/dist/ai-context/index.js +13 -0
- package/dist/ai-context/index.js.map +1 -0
- package/dist/ai-context/manager.d.ts +67 -0
- package/dist/ai-context/manager.d.ts.map +1 -0
- package/dist/ai-context/manager.js +104 -0
- package/dist/ai-context/manager.js.map +1 -0
- package/dist/baseline/diff.d.ts +32 -0
- package/dist/baseline/diff.d.ts.map +1 -0
- package/dist/baseline/diff.js +119 -0
- package/dist/baseline/diff.js.map +1 -0
- package/dist/baseline/index.d.ts +9 -0
- package/dist/baseline/index.d.ts.map +1 -0
- package/dist/baseline/index.js +19 -0
- package/dist/baseline/index.js.map +1 -0
- package/dist/baseline/manager.d.ts +67 -0
- package/dist/baseline/manager.d.ts.map +1 -0
- package/dist/baseline/manager.js +180 -0
- package/dist/baseline/manager.js.map +1 -0
- package/dist/baseline/types.d.ts +91 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +12 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/category-filter.d.ts +125 -0
- package/dist/category-filter.d.ts.map +1 -0
- package/dist/category-filter.js +360 -0
- package/dist/category-filter.js.map +1 -0
- package/dist/filtering/context-adjustments.d.ts +23 -0
- package/dist/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/filtering/context-adjustments.js +100 -0
- package/dist/filtering/context-adjustments.js.map +1 -0
- package/dist/filtering/index.d.ts +3 -0
- package/dist/filtering/index.d.ts.map +1 -0
- package/dist/filtering/index.js +8 -0
- package/dist/filtering/index.js.map +1 -0
- package/dist/filtering/pipeline.d.ts +48 -0
- package/dist/filtering/pipeline.d.ts.map +1 -0
- package/dist/filtering/pipeline.js +76 -0
- package/dist/filtering/pipeline.js.map +1 -0
- package/dist/formatters/ai-context.d.ts +23 -0
- package/dist/formatters/ai-context.d.ts.map +1 -0
- package/dist/formatters/ai-context.js +238 -0
- package/dist/formatters/ai-context.js.map +1 -0
- package/dist/formatters/cli-terminal.d.ts +38 -0
- package/dist/formatters/cli-terminal.d.ts.map +1 -1
- package/dist/formatters/cli-terminal.js +365 -42
- package/dist/formatters/cli-terminal.js.map +1 -1
- package/dist/formatters/github-comment.d.ts +2 -2
- package/dist/formatters/github-comment.d.ts.map +1 -1
- package/dist/formatters/github-comment.js +77 -13
- package/dist/formatters/github-comment.js.map +1 -1
- package/dist/formatters/ide/claude-code.d.ts +17 -0
- package/dist/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/formatters/ide/claude-code.js +94 -0
- package/dist/formatters/ide/claude-code.js.map +1 -0
- package/dist/formatters/ide/cursor.d.ts +13 -0
- package/dist/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/formatters/ide/cursor.js +125 -0
- package/dist/formatters/ide/cursor.js.map +1 -0
- package/dist/formatters/ide/index.d.ts +62 -0
- package/dist/formatters/ide/index.d.ts.map +1 -0
- package/dist/formatters/ide/index.js +184 -0
- package/dist/formatters/ide/index.js.map +1 -0
- package/dist/formatters/ide/windsurf.d.ts +13 -0
- package/dist/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/formatters/ide/windsurf.js +117 -0
- package/dist/formatters/ide/windsurf.js.map +1 -0
- package/dist/formatters/index.d.ts +3 -1
- package/dist/formatters/index.d.ts.map +1 -1
- package/dist/formatters/index.js +20 -1
- package/dist/formatters/index.js.map +1 -1
- package/dist/index.d.ts +11 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +423 -56
- package/dist/index.js.map +1 -1
- package/dist/layer1/comments.d.ts +4 -1
- package/dist/layer1/comments.d.ts.map +1 -1
- package/dist/layer1/comments.js +1 -1
- package/dist/layer1/comments.js.map +1 -1
- package/dist/layer1/config-audit.d.ts +4 -1
- package/dist/layer1/config-audit.d.ts.map +1 -1
- package/dist/layer1/config-audit.js +65 -14
- package/dist/layer1/config-audit.js.map +1 -1
- package/dist/layer1/config-mcp-audit.d.ts +23 -0
- package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
- package/dist/layer1/config-mcp-audit.js +239 -0
- package/dist/layer1/config-mcp-audit.js.map +1 -0
- package/dist/layer1/entropy.d.ts +4 -1
- package/dist/layer1/entropy.d.ts.map +1 -1
- package/dist/layer1/entropy.js +212 -1
- package/dist/layer1/entropy.js.map +1 -1
- package/dist/layer1/file-flags.d.ts +4 -1
- package/dist/layer1/file-flags.d.ts.map +1 -1
- package/dist/layer1/file-flags.js +12 -5
- package/dist/layer1/file-flags.js.map +1 -1
- package/dist/layer1/index.d.ts +1 -0
- package/dist/layer1/index.d.ts.map +1 -1
- package/dist/layer1/index.js +22 -19
- package/dist/layer1/index.js.map +1 -1
- package/dist/layer1/patterns.d.ts +4 -1
- package/dist/layer1/patterns.d.ts.map +1 -1
- package/dist/layer1/patterns.js +34 -4
- package/dist/layer1/patterns.js.map +1 -1
- package/dist/layer1/urls.d.ts +4 -1
- package/dist/layer1/urls.d.ts.map +1 -1
- package/dist/layer1/urls.js +162 -14
- package/dist/layer1/urls.js.map +1 -1
- package/dist/layer1/weak-crypto.d.ts +4 -1
- package/dist/layer1/weak-crypto.d.ts.map +1 -1
- package/dist/layer1/weak-crypto.js +144 -7
- package/dist/layer1/weak-crypto.js.map +1 -1
- package/dist/layer2/ai-agent-tools.d.ts +4 -1
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
- package/dist/layer2/ai-agent-tools.js +964 -2
- package/dist/layer2/ai-agent-tools.js.map +1 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
- package/dist/layer2/ai-endpoint-protection.js +18 -4
- package/dist/layer2/ai-endpoint-protection.js.map +1 -1
- package/dist/layer2/ai-execution-sinks.d.ts +4 -1
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
- package/dist/layer2/ai-execution-sinks.js +688 -29
- package/dist/layer2/ai-execution-sinks.js.map +1 -1
- package/dist/layer2/ai-fingerprinting.d.ts +4 -1
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
- package/dist/layer2/ai-fingerprinting.js +28 -32
- package/dist/layer2/ai-fingerprinting.js.map +1 -1
- package/dist/layer2/ai-mcp-security.d.ts +20 -0
- package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
- package/dist/layer2/ai-mcp-security.js +877 -0
- package/dist/layer2/ai-mcp-security.js.map +1 -0
- package/dist/layer2/ai-package-hallucination.d.ts +22 -0
- package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
- package/dist/layer2/ai-package-hallucination.js +828 -0
- package/dist/layer2/ai-package-hallucination.js.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.js +817 -17
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
- package/dist/layer2/ai-rag-safety.d.ts +4 -1
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
- package/dist/layer2/ai-rag-safety.js +454 -3
- package/dist/layer2/ai-rag-safety.js.map +1 -1
- package/dist/layer2/ai-schema-validation.d.ts +4 -1
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
- package/dist/layer2/ai-schema-validation.js +2 -2
- package/dist/layer2/ai-schema-validation.js.map +1 -1
- package/dist/layer2/auth-antipatterns.d.ts +2 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
- package/dist/layer2/auth-antipatterns.js +209 -20
- package/dist/layer2/auth-antipatterns.js.map +1 -1
- package/dist/layer2/byok-patterns.d.ts +4 -1
- package/dist/layer2/byok-patterns.d.ts.map +1 -1
- package/dist/layer2/byok-patterns.js +5 -2
- package/dist/layer2/byok-patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
- package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/child-process.js +74 -0
- package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
- package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/layer2/dangerous-functions/index.d.ts +16 -0
- package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/index.js +1152 -0
- package/dist/layer2/dangerous-functions/index.js.map +1 -0
- package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/json-parse.js +319 -0
- package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
- package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/math-random.js +684 -0
- package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
- package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/patterns.js +163 -0
- package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
- package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/request-validation.js +119 -0
- package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/index.js +23 -0
- package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/layer2/data-exposure.d.ts +4 -1
- package/dist/layer2/data-exposure.d.ts.map +1 -1
- package/dist/layer2/data-exposure.js +14 -38
- package/dist/layer2/data-exposure.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts +4 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +5 -2
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +12 -1
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +110 -45
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/logic-gates.d.ts +4 -1
- package/dist/layer2/logic-gates.d.ts.map +1 -1
- package/dist/layer2/logic-gates.js +58 -20
- package/dist/layer2/logic-gates.js.map +1 -1
- package/dist/layer2/model-supply-chain.d.ts +23 -0
- package/dist/layer2/model-supply-chain.d.ts.map +1 -0
- package/dist/layer2/model-supply-chain.js +444 -0
- package/dist/layer2/model-supply-chain.js.map +1 -0
- package/dist/layer2/risky-imports.d.ts +4 -1
- package/dist/layer2/risky-imports.d.ts.map +1 -1
- package/dist/layer2/risky-imports.js +6 -2
- package/dist/layer2/risky-imports.js.map +1 -1
- package/dist/layer2/variables.d.ts +4 -1
- package/dist/layer2/variables.d.ts.map +1 -1
- package/dist/layer2/variables.js +6 -2
- package/dist/layer2/variables.js.map +1 -1
- package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
- package/dist/layer3/anthropic/auto-dismiss.js +199 -0
- package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
- package/dist/layer3/anthropic/clients.d.ts +44 -0
- package/dist/layer3/anthropic/clients.d.ts.map +1 -0
- package/dist/layer3/anthropic/clients.js +81 -0
- package/dist/layer3/anthropic/clients.js.map +1 -0
- package/dist/layer3/anthropic/index.d.ts +41 -0
- package/dist/layer3/anthropic/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/index.js +141 -0
- package/dist/layer3/anthropic/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/index.js +14 -0
- package/dist/layer3/anthropic/prompts/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.js +421 -0
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
- package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/anthropic.js +266 -0
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
- package/dist/layer3/anthropic/providers/index.d.ts +8 -0
- package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/index.js +15 -0
- package/dist/layer3/anthropic/providers/index.js.map +1 -0
- package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/openai.js +340 -0
- package/dist/layer3/anthropic/providers/openai.js.map +1 -0
- package/dist/layer3/anthropic/request-builder.d.ts +20 -0
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
- package/dist/layer3/anthropic/request-builder.js +134 -0
- package/dist/layer3/anthropic/request-builder.js.map +1 -0
- package/dist/layer3/anthropic/types.d.ts +88 -0
- package/dist/layer3/anthropic/types.d.ts.map +1 -0
- package/dist/layer3/anthropic/types.js +38 -0
- package/dist/layer3/anthropic/types.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +9 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/index.js +24 -0
- package/dist/layer3/anthropic/utils/index.js.map +1 -0
- package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
- package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
- package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
- package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
- package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/response-parser.js +285 -0
- package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
- package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
- package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/retry.js +62 -0
- package/dist/layer3/anthropic/utils/retry.js.map +1 -0
- package/dist/layer3/index.d.ts +1 -0
- package/dist/layer3/index.d.ts.map +1 -1
- package/dist/layer3/index.js +16 -6
- package/dist/layer3/index.js.map +1 -1
- package/dist/layer3/osv-check.d.ts +75 -0
- package/dist/layer3/osv-check.d.ts.map +1 -0
- package/dist/layer3/osv-check.js +308 -0
- package/dist/layer3/osv-check.js.map +1 -0
- package/dist/modes/incremental.js +1 -1
- package/dist/rules/framework-fixes.d.ts +48 -0
- package/dist/rules/framework-fixes.d.ts.map +1 -0
- package/dist/rules/framework-fixes.js +439 -0
- package/dist/rules/framework-fixes.js.map +1 -0
- package/dist/rules/index.d.ts +8 -0
- package/dist/rules/index.d.ts.map +1 -0
- package/dist/rules/index.js +18 -0
- package/dist/rules/index.js.map +1 -0
- package/dist/rules/metadata.d.ts +43 -0
- package/dist/rules/metadata.d.ts.map +1 -0
- package/dist/rules/metadata.js +734 -0
- package/dist/rules/metadata.js.map +1 -0
- package/dist/suppression/config-loader.d.ts +74 -0
- package/dist/suppression/config-loader.d.ts.map +1 -0
- package/dist/suppression/config-loader.js +424 -0
- package/dist/suppression/config-loader.js.map +1 -0
- package/dist/suppression/hash.d.ts +48 -0
- package/dist/suppression/hash.d.ts.map +1 -0
- package/dist/suppression/hash.js +88 -0
- package/dist/suppression/hash.js.map +1 -0
- package/dist/suppression/index.d.ts +11 -0
- package/dist/suppression/index.d.ts.map +1 -0
- package/dist/suppression/index.js +39 -0
- package/dist/suppression/index.js.map +1 -0
- package/dist/suppression/inline-parser.d.ts +39 -0
- package/dist/suppression/inline-parser.d.ts.map +1 -0
- package/dist/suppression/inline-parser.js +218 -0
- package/dist/suppression/inline-parser.js.map +1 -0
- package/dist/suppression/manager.d.ts +94 -0
- package/dist/suppression/manager.d.ts.map +1 -0
- package/dist/suppression/manager.js +292 -0
- package/dist/suppression/manager.js.map +1 -0
- package/dist/suppression/types.d.ts +151 -0
- package/dist/suppression/types.d.ts.map +1 -0
- package/dist/suppression/types.js +28 -0
- package/dist/suppression/types.js.map +1 -0
- package/dist/tiers.d.ts +3 -3
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +34 -7
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +140 -9
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -0
- package/dist/types.js.map +1 -1
- package/dist/utils/code-analysis.d.ts +39 -0
- package/dist/utils/code-analysis.d.ts.map +1 -0
- package/dist/utils/code-analysis.js +159 -0
- package/dist/utils/code-analysis.js.map +1 -0
- package/dist/utils/comment-analyzer.d.ts +38 -0
- package/dist/utils/comment-analyzer.d.ts.map +1 -0
- package/dist/utils/comment-analyzer.js +218 -0
- package/dist/utils/comment-analyzer.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +112 -1
- package/dist/utils/context-helpers.d.ts.map +1 -1
- package/dist/utils/context-helpers.js +364 -11
- package/dist/utils/context-helpers.js.map +1 -1
- package/dist/utils/environment-context.d.ts +76 -0
- package/dist/utils/environment-context.d.ts.map +1 -0
- package/dist/utils/environment-context.js +271 -0
- package/dist/utils/environment-context.js.map +1 -0
- package/dist/utils/intent-detector.d.ts +66 -0
- package/dist/utils/intent-detector.d.ts.map +1 -0
- package/dist/utils/intent-detector.js +282 -0
- package/dist/utils/intent-detector.js.map +1 -0
- package/dist/utils/parsed-file.d.ts +51 -0
- package/dist/utils/parsed-file.d.ts.map +1 -0
- package/dist/utils/parsed-file.js +95 -0
- package/dist/utils/parsed-file.js.map +1 -0
- package/dist/utils/route-hierarchy.d.ts +50 -0
- package/dist/utils/route-hierarchy.d.ts.map +1 -0
- package/dist/utils/route-hierarchy.js +226 -0
- package/dist/utils/route-hierarchy.js.map +1 -0
- package/dist/utils/schema-semantics.d.ts +45 -0
- package/dist/utils/schema-semantics.d.ts.map +1 -0
- package/dist/utils/schema-semantics.js +193 -0
- package/dist/utils/schema-semantics.js.map +1 -0
- package/package.json +4 -2
- package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
- package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
- package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
- package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
- package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
- package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
- package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
- package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
- package/src/__tests__/category-filter.test.ts +478 -0
- package/src/__tests__/regression/known-false-positives.test.ts +490 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
- package/src/__tests__/validation/run-validation.ts +7 -7
- package/src/ai-context/__tests__/manager.test.ts +193 -0
- package/src/ai-context/index.ts +15 -0
- package/src/ai-context/manager.ts +145 -0
- package/src/baseline/__tests__/diff.test.ts +261 -0
- package/src/baseline/__tests__/manager.test.ts +225 -0
- package/src/baseline/diff.ts +135 -0
- package/src/baseline/index.ts +29 -0
- package/src/baseline/manager.ts +230 -0
- package/src/baseline/types.ts +97 -0
- package/src/category-filter.ts +400 -0
- package/src/filtering/__tests__/pipeline.test.ts +134 -0
- package/src/filtering/context-adjustments.ts +111 -0
- package/src/filtering/index.ts +10 -0
- package/src/filtering/pipeline.ts +130 -0
- package/src/formatters/__tests__/ai-context.test.ts +254 -0
- package/src/formatters/ai-context.ts +302 -0
- package/src/formatters/cli-terminal.ts +444 -41
- package/src/formatters/github-comment.ts +82 -14
- package/src/formatters/ide/__tests__/ide.test.ts +319 -0
- package/src/formatters/ide/claude-code.ts +110 -0
- package/src/formatters/ide/cursor.ts +147 -0
- package/src/formatters/ide/index.ts +216 -0
- package/src/formatters/ide/windsurf.ts +135 -0
- package/src/formatters/index.ts +28 -0
- package/src/index.ts +506 -45
- package/src/layer1/comments.ts +3 -1
- package/src/layer1/config-audit.ts +74 -14
- package/src/layer1/config-mcp-audit.ts +278 -0
- package/src/layer1/entropy.ts +234 -1
- package/src/layer1/file-flags.ts +17 -6
- package/src/layer1/index.ts +29 -23
- package/src/layer1/patterns.ts +42 -4
- package/src/layer1/urls.ts +188 -14
- package/src/layer1/weak-crypto.ts +168 -16
- package/src/layer2/ai-agent-tools.ts +1043 -2
- package/src/layer2/ai-endpoint-protection.ts +19 -4
- package/src/layer2/ai-execution-sinks.ts +755 -29
- package/src/layer2/ai-fingerprinting.ts +33 -33
- package/src/layer2/ai-mcp-security.ts +933 -0
- package/src/layer2/ai-package-hallucination.ts +940 -0
- package/src/layer2/ai-prompt-hygiene.ts +898 -17
- package/src/layer2/ai-rag-safety.ts +467 -5
- package/src/layer2/ai-schema-validation.ts +4 -2
- package/src/layer2/auth-antipatterns.ts +235 -20
- package/src/layer2/byok-patterns.ts +9 -3
- package/src/layer2/dangerous-functions/child-process.ts +98 -0
- package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
- package/src/layer2/dangerous-functions/index.ts +1533 -0
- package/src/layer2/dangerous-functions/json-parse.ts +385 -0
- package/src/layer2/dangerous-functions/math-random.ts +789 -0
- package/src/layer2/dangerous-functions/patterns.ts +176 -0
- package/src/layer2/dangerous-functions/request-validation.ts +145 -0
- package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
- package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
- package/src/layer2/dangerous-functions/utils/index.ts +25 -0
- package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
- package/src/layer2/data-exposure.ts +18 -39
- package/src/layer2/framework-checks.ts +9 -2
- package/src/layer2/index.ts +124 -43
- package/src/layer2/logic-gates.ts +64 -22
- package/src/layer2/model-supply-chain.ts +531 -0
- package/src/layer2/risky-imports.ts +9 -2
- package/src/layer2/variables.ts +9 -2
- package/src/layer3/__tests__/osv-check.test.ts +384 -0
- package/src/layer3/anthropic/auto-dismiss.ts +223 -0
- package/src/layer3/anthropic/clients.ts +84 -0
- package/src/layer3/anthropic/index.ts +170 -0
- package/src/layer3/anthropic/prompts/index.ts +14 -0
- package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
- package/src/layer3/anthropic/prompts/validation.ts +419 -0
- package/src/layer3/anthropic/providers/anthropic.ts +310 -0
- package/src/layer3/anthropic/providers/index.ts +8 -0
- package/src/layer3/anthropic/providers/openai.ts +384 -0
- package/src/layer3/anthropic/request-builder.ts +150 -0
- package/src/layer3/anthropic/types.ts +148 -0
- package/src/layer3/anthropic/utils/index.ts +26 -0
- package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
- package/src/layer3/anthropic/utils/response-parser.ts +322 -0
- package/src/layer3/anthropic/utils/retry.ts +75 -0
- package/src/layer3/index.ts +18 -5
- package/src/layer3/osv-check.ts +420 -0
- package/src/modes/incremental.ts +1 -1
- package/src/rules/__tests__/framework-fixes.test.ts +689 -0
- package/src/rules/__tests__/metadata.test.ts +218 -0
- package/src/rules/framework-fixes.ts +470 -0
- package/src/rules/index.ts +21 -0
- package/src/rules/metadata.ts +831 -0
- package/src/suppression/__tests__/config-loader.test.ts +382 -0
- package/src/suppression/__tests__/hash.test.ts +166 -0
- package/src/suppression/__tests__/inline-parser.test.ts +212 -0
- package/src/suppression/__tests__/manager.test.ts +415 -0
- package/src/suppression/config-loader.ts +462 -0
- package/src/suppression/hash.ts +95 -0
- package/src/suppression/index.ts +51 -0
- package/src/suppression/inline-parser.ts +273 -0
- package/src/suppression/manager.ts +379 -0
- package/src/suppression/types.ts +174 -0
- package/src/tiers.ts +45 -9
- package/src/types.ts +212 -8
- package/src/utils/__tests__/code-analysis.test.ts +165 -0
- package/src/utils/__tests__/parsed-file.test.ts +124 -0
- package/src/utils/code-analysis.ts +179 -0
- package/src/utils/comment-analyzer.ts +249 -0
- package/src/utils/context-helpers.ts +421 -11
- package/src/utils/environment-context.ts +304 -0
- package/src/utils/intent-detector.ts +318 -0
- package/src/utils/parsed-file.ts +103 -0
- package/src/utils/route-hierarchy.ts +250 -0
- package/src/utils/schema-semantics.ts +233 -0
- package/dist/layer2/dangerous-functions.d.ts +0 -7
- package/dist/layer2/dangerous-functions.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions.js +0 -1701
- package/dist/layer2/dangerous-functions.js.map +0 -1
- package/dist/layer3/anthropic.d.ts +0 -87
- package/dist/layer3/anthropic.d.ts.map +0 -1
- package/dist/layer3/anthropic.js +0 -1948
- package/dist/layer3/anthropic.js.map +0 -1
- package/dist/layer3/openai.d.ts +0 -25
- package/dist/layer3/openai.d.ts.map +0 -1
- package/dist/layer3/openai.js +0 -238
- package/dist/layer3/openai.js.map +0 -1
- package/src/layer2/dangerous-functions.ts +0 -1940
- package/src/layer3/anthropic.ts +0 -2257
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Child Process Detection
|
|
3
|
+
*
|
|
4
|
+
* Detection logic for child_process functions (exec, spawn, execFile, etc.)
|
|
5
|
+
* that can lead to command injection vulnerabilities.
|
|
6
|
+
*/
|
|
7
|
+
/**
|
|
8
|
+
* Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
|
|
9
|
+
* Returns true if this is a child_process exec call that should be flagged
|
|
10
|
+
*/
|
|
11
|
+
export declare function isChildProcessExec(content: string, lineContent: string): boolean;
|
|
12
|
+
/**
|
|
13
|
+
* Check if spawn/execFile/execSync is from child_process
|
|
14
|
+
*/
|
|
15
|
+
export declare function isChildProcessSpawn(content: string, lineContent: string): boolean;
|
|
16
|
+
//# sourceMappingURL=child-process.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/child-process.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAiEhF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAgBjF"}
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Child Process Detection
|
|
4
|
+
*
|
|
5
|
+
* Detection logic for child_process functions (exec, spawn, execFile, etc.)
|
|
6
|
+
* that can lead to command injection vulnerabilities.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.isChildProcessExec = isChildProcessExec;
|
|
10
|
+
exports.isChildProcessSpawn = isChildProcessSpawn;
|
|
11
|
+
/**
|
|
12
|
+
* Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
|
|
13
|
+
* Returns true if this is a child_process exec call that should be flagged
|
|
14
|
+
*/
|
|
15
|
+
function isChildProcessExec(content, lineContent) {
|
|
16
|
+
// Check for child_process import
|
|
17
|
+
const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
|
|
18
|
+
/from\s+['"]child_process['"]/.test(content) ||
|
|
19
|
+
/import\s+.*child_process/.test(content) ||
|
|
20
|
+
/require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
|
|
21
|
+
/from\s+['"]node:child_process['"]/.test(content);
|
|
22
|
+
// If no child_process import, this is likely RegExp.exec or similar
|
|
23
|
+
if (!hasChildProcessImport) {
|
|
24
|
+
return false;
|
|
25
|
+
}
|
|
26
|
+
// Check if this specific line is RegExp.exec pattern
|
|
27
|
+
// RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
|
|
28
|
+
const isRegExpExec = /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
|
|
29
|
+
!/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')); // Not a standalone exec()
|
|
30
|
+
// Also check for common RegExp patterns
|
|
31
|
+
const isRegExpPattern = /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
|
|
32
|
+
/new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
|
|
33
|
+
/regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
|
|
34
|
+
/pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
|
|
35
|
+
/match\.exec\s*\(/i.test(lineContent) || // match.exec()
|
|
36
|
+
/re\.exec\s*\(/i.test(lineContent); // re.exec()
|
|
37
|
+
if (isRegExpExec || isRegExpPattern) {
|
|
38
|
+
return false;
|
|
39
|
+
}
|
|
40
|
+
// Check if exec is imported/destructured from child_process
|
|
41
|
+
const execImported = /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
|
|
42
|
+
/\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
|
|
43
|
+
/import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
|
|
44
|
+
/import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content);
|
|
45
|
+
// If exec is directly imported from child_process, standalone exec() is dangerous
|
|
46
|
+
if (execImported && /\bexec\s*\(/.test(lineContent)) {
|
|
47
|
+
return true;
|
|
48
|
+
}
|
|
49
|
+
// Check for child_process.exec() pattern
|
|
50
|
+
if (/child_process\.exec\s*\(/.test(lineContent) ||
|
|
51
|
+
/cp\.exec\s*\(/.test(lineContent) ||
|
|
52
|
+
/childProcess\.exec\s*\(/.test(lineContent)) {
|
|
53
|
+
return true;
|
|
54
|
+
}
|
|
55
|
+
// If we have child_process import but can't determine usage, be conservative
|
|
56
|
+
// Only flag if it looks like a standalone exec() call
|
|
57
|
+
return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent);
|
|
58
|
+
}
|
|
59
|
+
/**
|
|
60
|
+
* Check if spawn/execFile/execSync is from child_process
|
|
61
|
+
*/
|
|
62
|
+
function isChildProcessSpawn(content, lineContent) {
|
|
63
|
+
// Check for child_process import
|
|
64
|
+
const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
|
|
65
|
+
/from\s+['"]child_process['"]/.test(content) ||
|
|
66
|
+
/require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
|
|
67
|
+
/from\s+['"]node:child_process['"]/.test(content);
|
|
68
|
+
if (!hasChildProcessImport) {
|
|
69
|
+
return false;
|
|
70
|
+
}
|
|
71
|
+
// These functions are always from child_process when that module is imported
|
|
72
|
+
return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent);
|
|
73
|
+
}
|
|
74
|
+
//# sourceMappingURL=child-process.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"child-process.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/child-process.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAMH,gDAiEC;AAKD,kDAgBC;AA1FD;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,OAAe,EAAE,WAAmB;IACrE,iCAAiC;IACjC,MAAM,qBAAqB,GACzB,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC;QACzD,8BAA8B,CAAC,IAAI,CAAC,OAAO,CAAC;QAC5C,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC;QACxC,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC;QAC9D,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAEnD,oEAAoE;IACpE,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,qDAAqD;IACrD,yEAAyE;IACzE,MAAM,YAAY,GAChB,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,2BAA2B;QACjE,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC,CAAA,CAAC,0BAA0B;IAE3F,wCAAwC;IACxC,MAAM,eAAe,GACnB,+BAA+B,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,mBAAmB;QACxE,qCAAqC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,sBAAsB;QACjF,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe;QACxD,qBAAqB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,iBAAiB;QAC5D,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe;QACxD,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA,CAAC,YAAY;IAEjD,IAAI,YAAY,IAAI,eAAe,EAAE,CAAC;QACpC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,4DAA4D;IAC5D,MAAM,YAAY,GAChB,sEAAsE,CAAC,IAAI,CACzE,OAAO,CACR;QACD,2EAA2E,CAAC,IAAI,CAC9E,OAAO,CACR;QACD,mEAAmE,CAAC,IAAI,CACtE,OAAO,CACR;QACD,wEAAwE,CAAC,IAAI,CAC3E,OAAO,CACR,CAAA;IAEH,kFAAkF;IAClF,IAAI,YAAY,IAAI,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACpD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,yCAAyC;IACzC,IACE,0BAA0B,CAAC,IAAI,CAAC,WAAW,CAAC;QAC5C,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC;QACjC,yBAAyB,CAAC,IAAI,CAAC,WAAW,CAAC,EAC3C,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6EAA6E;IAC7E,sDAAsD;IACtD,OAAO,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;AAC/E,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAe,EAAE,WAAmB;IACtE,iCAAiC;IACjC,MAAM,qBAAqB,GACzB,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC;QACzD,8BAA8B,CAAC,IAAI,CAAC,OAAO,CAAC;QAC5C,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC;QAC9D,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAEnD,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,6EAA6E;IAC7E,OAAO,yDAAyD,CAAC,IAAI,CACnE,WAAW,CACZ,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* DOM/XSS Detection
|
|
3
|
+
*
|
|
4
|
+
* Detection logic for XSS-related patterns like innerHTML, dangerouslySetInnerHTML,
|
|
5
|
+
* and document.write.
|
|
6
|
+
*/
|
|
7
|
+
/**
|
|
8
|
+
* Check if innerHTML is being used on a style element (CSS injection is not XSS)
|
|
9
|
+
*/
|
|
10
|
+
export declare function isStyleElementInnerHTML(lineContent: string, content: string, lineNumber: number, lines?: string[]): boolean;
|
|
11
|
+
/**
|
|
12
|
+
* Check if innerHTML/dangerouslySetInnerHTML uses static content only
|
|
13
|
+
*/
|
|
14
|
+
export declare function isStaticHTMLContent(lineContent: string, content: string, lineNumber: number, lines?: string[]): boolean;
|
|
15
|
+
/**
|
|
16
|
+
* Check if dangerouslySetInnerHTML is used with DOMPurify sanitization
|
|
17
|
+
*/
|
|
18
|
+
export declare function hasDOMPurifySanitization(lineContent: string, content: string, lineNumber: number, lines?: string[]): boolean;
|
|
19
|
+
/**
|
|
20
|
+
* Check if data flows to an LLM prompt rather than a DOM sink
|
|
21
|
+
* LLM prompts are NOT XSS - they're prompt injection (different risk profile)
|
|
22
|
+
*/
|
|
23
|
+
export declare function isLLMPromptContext(lineContent: string, content: string, filePath: string): boolean;
|
|
24
|
+
/**
|
|
25
|
+
* Check if innerHTML uses output from trusted HTML rendering libraries
|
|
26
|
+
* Libraries like Shiki, highlight.js, marked, etc. produce sanitized HTML
|
|
27
|
+
*/
|
|
28
|
+
export declare function isTrustedLibraryHTMLOutput(lineContent: string, content: string, lineNumber: number, lines?: string[]): boolean;
|
|
29
|
+
/**
|
|
30
|
+
* Check if this is a static bootstrap script (e.g., localStorage theme reader)
|
|
31
|
+
* These are very low risk even with dangerouslySetInnerHTML
|
|
32
|
+
*/
|
|
33
|
+
export declare function isStaticBootstrapScript(_lineContent: string, content: string, lineNumber: number, lines?: string[]): boolean;
|
|
34
|
+
//# sourceMappingURL=dom-xss.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dom-xss.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/dom-xss.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAgCT;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAoDT;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAoBT;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAiCT;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAuDT;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CA8BT"}
|
|
@@ -0,0 +1,230 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* DOM/XSS Detection
|
|
4
|
+
*
|
|
5
|
+
* Detection logic for XSS-related patterns like innerHTML, dangerouslySetInnerHTML,
|
|
6
|
+
* and document.write.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.isStyleElementInnerHTML = isStyleElementInnerHTML;
|
|
10
|
+
exports.isStaticHTMLContent = isStaticHTMLContent;
|
|
11
|
+
exports.hasDOMPurifySanitization = hasDOMPurifySanitization;
|
|
12
|
+
exports.isLLMPromptContext = isLLMPromptContext;
|
|
13
|
+
exports.isTrustedLibraryHTMLOutput = isTrustedLibraryHTMLOutput;
|
|
14
|
+
exports.isStaticBootstrapScript = isStaticBootstrapScript;
|
|
15
|
+
/**
|
|
16
|
+
* Check if innerHTML is being used on a style element (CSS injection is not XSS)
|
|
17
|
+
*/
|
|
18
|
+
function isStyleElementInnerHTML(lineContent, content, lineNumber, lines) {
|
|
19
|
+
const _lines = lines ?? content.split('\n');
|
|
20
|
+
// Direct style element patterns on the line
|
|
21
|
+
const stylePatterns = [
|
|
22
|
+
/stylesheet\.innerHTML/i, // stylesheet.innerHTML = ...
|
|
23
|
+
/styleElement\.innerHTML/i, // styleElement.innerHTML = ...
|
|
24
|
+
/styleEl\.innerHTML/i, // styleEl.innerHTML = ...
|
|
25
|
+
/style\.innerHTML/i, // style.innerHTML = ...
|
|
26
|
+
/\.style\b.*\.innerHTML/i, // element.style.innerHTML
|
|
27
|
+
/createElement\s*\(\s*['"`]style['"`]\s*\)/i, // createElement('style')
|
|
28
|
+
];
|
|
29
|
+
if (stylePatterns.some(p => p.test(lineContent))) {
|
|
30
|
+
return true;
|
|
31
|
+
}
|
|
32
|
+
// Check surrounding context for style element creation
|
|
33
|
+
const contextStart = Math.max(0, lineNumber - 10);
|
|
34
|
+
const contextEnd = lineNumber;
|
|
35
|
+
const contextBefore = _lines.slice(contextStart, contextEnd).join('\n');
|
|
36
|
+
// Look for style element creation that flows into innerHTML
|
|
37
|
+
const styleCreationPatterns = [
|
|
38
|
+
/document\.createElement\s*\(\s*['"`]style['"`]\s*\)/i,
|
|
39
|
+
/\.appendChild\s*\([^)]*style/i,
|
|
40
|
+
/const\s+\w*(style|stylesheet)\w*\s*=/i,
|
|
41
|
+
/let\s+\w*(style|stylesheet)\w*\s*=/i,
|
|
42
|
+
/var\s+\w*(style|stylesheet)\w*\s*=/i,
|
|
43
|
+
];
|
|
44
|
+
return styleCreationPatterns.some(p => p.test(contextBefore));
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Check if innerHTML/dangerouslySetInnerHTML uses static content only
|
|
48
|
+
*/
|
|
49
|
+
function isStaticHTMLContent(lineContent, content, lineNumber, lines) {
|
|
50
|
+
const _lines = lines ?? content.split('\n');
|
|
51
|
+
// Get surrounding context (5 lines before and after)
|
|
52
|
+
const contextStart = Math.max(0, lineNumber - 6);
|
|
53
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
54
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
55
|
+
// Static HTML indicators - string literals only
|
|
56
|
+
const staticIndicators = [
|
|
57
|
+
/innerHTML\s*=\s*['"][^'"]*['"]/, // innerHTML = "static string" (single line)
|
|
58
|
+
/innerHTML\s*=\s*`[^`]*`/, // innerHTML = `static template` (single line, no ${})
|
|
59
|
+
/dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*['"`]/, // React static string
|
|
60
|
+
];
|
|
61
|
+
// Check for multi-line template literals assigned to innerHTML
|
|
62
|
+
// Look for: innerHTML = ` at the start
|
|
63
|
+
const multilineTemplateStart = /innerHTML\s*=\s*`/;
|
|
64
|
+
if (multilineTemplateStart.test(lineContent)) {
|
|
65
|
+
// Find the closing backtick in subsequent lines
|
|
66
|
+
let templateContent = '';
|
|
67
|
+
let foundClosing = false;
|
|
68
|
+
for (let i = lineNumber - 1; i < _lines.length && i < lineNumber + 50; i++) {
|
|
69
|
+
templateContent += _lines[i] + '\n';
|
|
70
|
+
if (_lines[i].includes('`') && i > lineNumber - 1) {
|
|
71
|
+
foundClosing = true;
|
|
72
|
+
break;
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
// If template has no ${...} interpolations, it's static
|
|
76
|
+
if (foundClosing && !/\$\{[^}]*\}/.test(templateContent)) {
|
|
77
|
+
return true;
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
// Dynamic content indicators (red flags)
|
|
81
|
+
const dynamicIndicators = [
|
|
82
|
+
/\$\{[^}]*\}/, // Template interpolation ${...}
|
|
83
|
+
/innerHTML\s*=.*\+/, // String concatenation with +
|
|
84
|
+
/innerHTML\s*\+=\s*/, // Append operation
|
|
85
|
+
/\breq\.|\.params|\.query|\.body/, // User input (req.params, req.query, req.body)
|
|
86
|
+
/\bprops\./, // Component props
|
|
87
|
+
/\bstate\./, // Component state
|
|
88
|
+
/\.value\b/, // Input value
|
|
89
|
+
/dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*[^'"`]/, // React dynamic
|
|
90
|
+
];
|
|
91
|
+
const isStatic = staticIndicators.some(p => p.test(lineContent));
|
|
92
|
+
const isDynamic = dynamicIndicators.some(p => p.test(context));
|
|
93
|
+
return isStatic && !isDynamic;
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Check if dangerouslySetInnerHTML is used with DOMPurify sanitization
|
|
97
|
+
*/
|
|
98
|
+
function hasDOMPurifySanitization(lineContent, content, lineNumber, lines) {
|
|
99
|
+
const _lines = lines ?? content.split('\n');
|
|
100
|
+
const contextStart = Math.max(0, lineNumber - 10);
|
|
101
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
102
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
103
|
+
// DOMPurify sanitization patterns
|
|
104
|
+
const sanitizationPatterns = [
|
|
105
|
+
/DOMPurify\.sanitize/i,
|
|
106
|
+
/sanitize\s*\(/i,
|
|
107
|
+
/purify\s*\(/i,
|
|
108
|
+
/xss\s*\(/i,
|
|
109
|
+
/clean\s*\(/i,
|
|
110
|
+
/sanitizeHtml/i,
|
|
111
|
+
/escapeHtml/i,
|
|
112
|
+
/sanitized/i,
|
|
113
|
+
/purified/i,
|
|
114
|
+
];
|
|
115
|
+
return sanitizationPatterns.some(p => p.test(context));
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Check if data flows to an LLM prompt rather than a DOM sink
|
|
119
|
+
* LLM prompts are NOT XSS - they're prompt injection (different risk profile)
|
|
120
|
+
*/
|
|
121
|
+
function isLLMPromptContext(lineContent, content, filePath) {
|
|
122
|
+
// File path indicators of AI/LLM code
|
|
123
|
+
const aiFilePatterns = [
|
|
124
|
+
/\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
|
|
125
|
+
/\/(assistants?|agents?|prompts?)\//i,
|
|
126
|
+
/(chat|ai|llm|prompt|assistant).*\.(ts|js|tsx|jsx)$/i,
|
|
127
|
+
];
|
|
128
|
+
if (aiFilePatterns.some(p => p.test(filePath))) {
|
|
129
|
+
return true;
|
|
130
|
+
}
|
|
131
|
+
// Content patterns suggesting LLM API usage
|
|
132
|
+
const llmApiPatterns = [
|
|
133
|
+
/\.create\s*\(\s*\{[^}]*messages\s*:/i, // OpenAI/Anthropic SDK
|
|
134
|
+
/openai|anthropic|claude|gpt-4|gpt-3/i, // AI service mentions
|
|
135
|
+
/\bprompt\s*[=:+]/i, // prompt assignment
|
|
136
|
+
/\bsystemPrompt|userPrompt|assistantPrompt/i, // Prompt variables
|
|
137
|
+
/completion|chat\.create|messages\.create/i, // API calls
|
|
138
|
+
/\bmessages\s*:\s*\[/i, // Messages array
|
|
139
|
+
/role:\s*['"`](user|assistant|system)['"`]/i, // Message roles
|
|
140
|
+
];
|
|
141
|
+
// Check the line and surrounding context
|
|
142
|
+
const _lines = content.split('\n');
|
|
143
|
+
const lineIndex = _lines.findIndex(l => l === lineContent || l.includes(lineContent.trim()));
|
|
144
|
+
const startLine = Math.max(0, lineIndex - 10);
|
|
145
|
+
const endLine = Math.min(_lines.length, lineIndex + 10);
|
|
146
|
+
const context = _lines.slice(startLine, endLine).join('\n');
|
|
147
|
+
return llmApiPatterns.some(p => p.test(lineContent) || p.test(context));
|
|
148
|
+
}
|
|
149
|
+
/**
|
|
150
|
+
* Check if innerHTML uses output from trusted HTML rendering libraries
|
|
151
|
+
* Libraries like Shiki, highlight.js, marked, etc. produce sanitized HTML
|
|
152
|
+
*/
|
|
153
|
+
function isTrustedLibraryHTMLOutput(lineContent, content, lineNumber, lines) {
|
|
154
|
+
const _lines = lines ?? content.split('\n');
|
|
155
|
+
const contextStart = Math.max(0, lineNumber - 15);
|
|
156
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
157
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
158
|
+
// Trusted HTML rendering library patterns
|
|
159
|
+
const trustedLibraryPatterns = [
|
|
160
|
+
// Syntax highlighting
|
|
161
|
+
/\bshiki\b/i,
|
|
162
|
+
/\bcodeToHtml\s*\(/i, // Shiki's codeToHtml()
|
|
163
|
+
/\bhighlight(?:er)?\.highlight/i, // highlight.js
|
|
164
|
+
/\bhljs\.highlight/i,
|
|
165
|
+
/\bPrism\.highlight/i, // Prism.js
|
|
166
|
+
/\bPrismJS/i,
|
|
167
|
+
// Markdown rendering
|
|
168
|
+
/\bmarked\s*\(/i, // marked library
|
|
169
|
+
/\bmarkdownIt/i, // markdown-it
|
|
170
|
+
/\bremark/i, // remark
|
|
171
|
+
/\brehype/i, // rehype
|
|
172
|
+
/\bMDX/i,
|
|
173
|
+
/\bserialize\s*\(.*mdx/i, // next-mdx-remote
|
|
174
|
+
/\bcompileMDX/i,
|
|
175
|
+
// Rich text editors (output is sanitized)
|
|
176
|
+
/\bTiptap/i,
|
|
177
|
+
/\bProseMirror/i,
|
|
178
|
+
/\bQuill/i,
|
|
179
|
+
/\bSlate/i,
|
|
180
|
+
/\bLexical/i,
|
|
181
|
+
/\bDraft(?:JS)?/i,
|
|
182
|
+
/\.getHTML\s*\(\)/i, // Editor getHTML() output
|
|
183
|
+
// React components that handle sanitization
|
|
184
|
+
/\brenderToString\s*\(/i, // Server-rendered React
|
|
185
|
+
/\brenderToStaticMarkup\s*\(/i,
|
|
186
|
+
// Code formatting/display libraries
|
|
187
|
+
/\bprettier/i,
|
|
188
|
+
/\bbeautify/i,
|
|
189
|
+
// SVG rendering
|
|
190
|
+
/\bcanvg/i,
|
|
191
|
+
/\.toSVG\s*\(/i,
|
|
192
|
+
];
|
|
193
|
+
// Also check imports at top of file
|
|
194
|
+
const fullContent = content.substring(0, 2000); // First 2000 chars for imports
|
|
195
|
+
return (trustedLibraryPatterns.some(p => p.test(lineContent)) ||
|
|
196
|
+
trustedLibraryPatterns.some(p => p.test(context)) ||
|
|
197
|
+
trustedLibraryPatterns.some(p => p.test(fullContent)));
|
|
198
|
+
}
|
|
199
|
+
/**
|
|
200
|
+
* Check if this is a static bootstrap script (e.g., localStorage theme reader)
|
|
201
|
+
* These are very low risk even with dangerouslySetInnerHTML
|
|
202
|
+
*/
|
|
203
|
+
function isStaticBootstrapScript(_lineContent, content, lineNumber, lines) {
|
|
204
|
+
const _lines = lines ?? content.split('\n');
|
|
205
|
+
const contextStart = Math.max(0, lineNumber - 10);
|
|
206
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
207
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
208
|
+
// Bootstrap script indicators (reading from localStorage, setting attributes)
|
|
209
|
+
const bootstrapPatterns = [
|
|
210
|
+
/localStorage\.getItem/i,
|
|
211
|
+
/document\.documentElement\.setAttribute/i,
|
|
212
|
+
/data-(theme|font|mode)/i,
|
|
213
|
+
/classList\.(add|remove|toggle)/i,
|
|
214
|
+
/\.dataset\./i,
|
|
215
|
+
];
|
|
216
|
+
// Dangerous patterns that disqualify as safe bootstrap
|
|
217
|
+
const dangerousPatterns = [
|
|
218
|
+
/\$\{.*\}/, // Template interpolation
|
|
219
|
+
/\+\s*[a-zA-Z]/, // String concatenation with variable
|
|
220
|
+
/innerHTML\s*=\s*[a-zA-Z]/, // innerHTML set to variable directly
|
|
221
|
+
/fetch\s*\(/, // Network requests
|
|
222
|
+
/\.(query|params|body)/, // User input
|
|
223
|
+
/location\.(search|hash)/, // URL parameters
|
|
224
|
+
/document\.cookie/, // Cookie access
|
|
225
|
+
];
|
|
226
|
+
const hasBootstrapPatterns = bootstrapPatterns.some(p => p.test(context));
|
|
227
|
+
const hasDangerousPatterns = dangerousPatterns.some(p => p.test(context));
|
|
228
|
+
return hasBootstrapPatterns && !hasDangerousPatterns;
|
|
229
|
+
}
|
|
230
|
+
//# sourceMappingURL=dom-xss.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dom-xss.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/dom-xss.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAOH,0DAqCC;AAKD,kDAyDC;AAKD,4DAyBC;AAMD,gDAqCC;AAMD,gEA4DC;AAMD,0DAmCC;AA1RD;;GAEG;AACH,SAAgB,uBAAuB,CACrC,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,KAAgB;IAEhB,MAAM,MAAM,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3C,4CAA4C;IAC5C,MAAM,aAAa,GAAG;QACpB,wBAAwB,EAAE,6BAA6B;QACvD,0BAA0B,EAAE,+BAA+B;QAC3D,qBAAqB,EAAE,0BAA0B;QACjD,mBAAmB,EAAE,wBAAwB;QAC7C,yBAAyB,EAAE,0BAA0B;QACrD,4CAA4C,EAAE,yBAAyB;KACxE,CAAA;IAED,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uDAAuD;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,UAAU,CAAA;IAC7B,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEvE,4DAA4D;IAC5D,MAAM,qBAAqB,GAAG;QAC5B,sDAAsD;QACtD,+BAA+B;QAC/B,uCAAuC;QACvC,qCAAqC;QACrC,qCAAqC;KACtC,CAAA;IAED,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAA;AAC/D,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CACjC,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,KAAgB;IAEhB,MAAM,MAAM,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3C,qDAAqD;IACrD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEjE,gDAAgD;IAChD,MAAM,gBAAgB,GAAG;QACvB,gCAAgC,EAAE,4CAA4C;QAC9E,yBAAyB,EAAE,sDAAsD;QACjF,yDAAyD,EAAE,sBAAsB;KAClF,CAAA;IAED,+DAA+D;IAC/D,uCAAuC;IACvC,MAAM,sBAAsB,GAAG,mBAAmB,CAAA;IAClD,IAAI,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7C,gDAAgD;QAChD,IAAI,eAAe,GAAG,EAAE,CAAA;QACxB,IAAI,YAAY,GAAG,KAAK,CAAA;QACxB,KAAK,IAAI,CAAC,GAAG,UAAU,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,UAAU,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3E,eAAe,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAA;YACnC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,UAAU,GAAG,CAAC,EAAE,CAAC;gBAClD,YAAY,GAAG,IAAI,CAAA;gBACnB,MAAK;YACP,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,IAAI,YAAY,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;YACzD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,MAAM,iBAAiB,GAAG;QACxB,aAAa,EAAE,gCAAgC;QAC/C,mBAAmB,EAAE,8BAA8B;QACnD,oBAAoB,EAAE,mBAAmB;QACzC,iCAAiC,EAAE,+CAA+C;QAClF,WAAW,EAAE,kBAAkB;QAC/B,WAAW,EAAE,kBAAkB;QAC/B,WAAW,EAAE,cAAc;QAC3B,0DAA0D,EAAE,gBAAgB;KAC7E,CAAA;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;IAChE,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IAE9D,OAAO,QAAQ,IAAI,CAAC,SAAS,CAAA;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CACtC,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,KAAgB;IAEhB,MAAM,MAAM,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEjE,kCAAkC;IAClC,MAAM,oBAAoB,GAAG;QAC3B,sBAAsB;QACtB,gBAAgB;QAChB,cAAc;QACd,WAAW;QACX,aAAa;QACb,eAAe;QACf,aAAa;QACb,YAAY;QACZ,WAAW;KACZ,CAAA;IAED,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACxD,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,WAAmB,EACnB,OAAe,EACf,QAAgB;IAEhB,sCAAsC;IACtC,MAAM,cAAc,GAAG;QACrB,gDAAgD;QAChD,qCAAqC;QACrC,qDAAqD;KACtD,CAAA;IAED,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,4CAA4C;IAC5C,MAAM,cAAc,GAAG;QACrB,sCAAsC,EAAE,uBAAuB;QAC/D,sCAAsC,EAAE,sBAAsB;QAC9D,mBAAmB,EAAE,oBAAoB;QACzC,4CAA4C,EAAE,mBAAmB;QACjE,2CAA2C,EAAE,YAAY;QACzD,sBAAsB,EAAE,iBAAiB;QACzC,4CAA4C,EAAE,gBAAgB;KAC/D,CAAA;IAED,yCAAyC;IACzC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAClC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAChC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,WAAW,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CACzD,CAAA;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IACvD,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAE3D,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACzE,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,KAAgB;IAEhB,MAAM,MAAM,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEjE,0CAA0C;IAC1C,MAAM,sBAAsB,GAAG;QAC7B,sBAAsB;QACtB,YAAY;QACZ,oBAAoB,EAAW,uBAAuB;QACtD,gCAAgC,EAAG,eAAe;QAClD,oBAAoB;QACpB,qBAAqB,EAAU,WAAW;QAC1C,YAAY;QAEZ,qBAAqB;QACrB,gBAAgB,EAAe,iBAAiB;QAChD,eAAe,EAAgB,cAAc;QAC7C,WAAW,EAAoB,SAAS;QACxC,WAAW,EAAoB,SAAS;QACxC,QAAQ;QACR,wBAAwB,EAAO,kBAAkB;QACjD,eAAe;QAEf,0CAA0C;QAC1C,WAAW;QACX,gBAAgB;QAChB,UAAU;QACV,UAAU;QACV,YAAY;QACZ,iBAAiB;QACjB,mBAAmB,EAAY,0BAA0B;QAEzD,4CAA4C;QAC5C,wBAAwB,EAAQ,wBAAwB;QACxD,8BAA8B;QAE9B,oCAAoC;QACpC,aAAa;QACb,aAAa;QAEb,gBAAgB;QAChB,UAAU;QACV,eAAe;KAChB,CAAA;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA,CAAC,+BAA+B;IAE9E,OAAO,CACL,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrD,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CACtD,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,uBAAuB,CACrC,YAAoB,EACpB,OAAe,EACf,UAAkB,EAClB,KAAgB;IAEhB,MAAM,MAAM,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEjE,8EAA8E;IAC9E,MAAM,iBAAiB,GAAG;QACxB,wBAAwB;QACxB,0CAA0C;QAC1C,yBAAyB;QACzB,iCAAiC;QACjC,cAAc;KACf,CAAA;IAED,uDAAuD;IACvD,MAAM,iBAAiB,GAAG;QACxB,UAAU,EAAE,yBAAyB;QACrC,eAAe,EAAE,qCAAqC;QACtD,0BAA0B,EAAE,qCAAqC;QACjE,YAAY,EAAE,mBAAmB;QACjC,uBAAuB,EAAE,aAAa;QACtC,yBAAyB,EAAE,iBAAiB;QAC5C,kBAAkB,EAAE,gBAAgB;KACrC,CAAA;IAED,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IACzE,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IAEzE,OAAO,oBAAoB,IAAI,CAAC,oBAAoB,CAAA;AACtD,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Layer 2: Dangerous Function Call Analysis
|
|
3
|
+
*
|
|
4
|
+
* Detects usage of dangerous functions that can lead to security vulnerabilities.
|
|
5
|
+
* This module orchestrates detection across multiple specialized modules.
|
|
6
|
+
*/
|
|
7
|
+
import type { Vulnerability } from '../../types';
|
|
8
|
+
import type { ParsedFile } from '../../utils/parsed-file';
|
|
9
|
+
export { DANGEROUS_FUNCTIONS, type DangerousFunctionPattern } from './patterns';
|
|
10
|
+
/**
|
|
11
|
+
* Main detection function for dangerous function calls
|
|
12
|
+
*/
|
|
13
|
+
export declare function detectDangerousFunctions(content: string, filePath: string, options?: {
|
|
14
|
+
parsed?: ParsedFile;
|
|
15
|
+
}): Vulnerability[];
|
|
16
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,aAAa,CAAA;AACvE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAsDzD,OAAO,EAAE,mBAAmB,EAAE,KAAK,wBAAwB,EAAE,MAAM,YAAY,CAAA;AAE/E;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA4MjB"}
|