@oculum/scanner 1.0.11 → 1.0.13

package/dist/detect/structural/dangerous-functions/utils/helpers.js

@@ -0,0 +1,147 @@
+"use strict";
+/**
+ * General Helper Utilities
+ *
+ * Small utility functions used across the dangerous functions detection module.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getLineContent = getLineContent;
+exports.getLineRange = getLineRange;
+exports.hasOnlyStaticInputs = hasOnlyStaticInputs;
+exports.hasPathTraversalProtection = hasPathTraversalProtection;
+exports.hasThrowingAuthHelper = hasThrowingAuthHelper;
+/**
+ * Get a specific line from content by line number (0-indexed)
+ */
+function getLineContent(content, lineNumber) {
+    const lines = content.split('\n');
+    return lines[lineNumber] || '';
+}
+/**
+ * Get a range of lines from content
+ */
+function getLineRange(content, startLine, endLine) {
+    const lines = content.split('\n');
+    const start = Math.max(0, startLine);
+    const end = Math.min(lines.length, endLine);
+    return lines.slice(start, end).join('\n');
+}
+/**
+ * Check if eval/exec/Function has only static literal inputs (no user data)
+ * Static inputs like eval('({ mode: "production" })') are low risk
+ *
+ * Returns true ONLY if the argument is a string literal (not a variable)
+ */
+function hasOnlyStaticInputs(lineContent, content, lineNumber) {
+    // Check if the argument to eval/exec/Function is a string literal ONLY
+    // If it's a variable, it's NOT static (could come from anywhere)
+    //
+    // String literal patterns:
+    // - Single quotes: 'content with "double quotes" inside' (no $ interpolation)
+    // - Double quotes: "content" (no $ interpolation)
+    // - Backticks without ${}: `content` (template literal but no interpolation)
+    //
+    // Note: We allow quotes INSIDE the string (e.g., 'text "with" quotes')
+    // but NOT $ (which would indicate interpolation)
+    const staticPatterns = [
+        // Single-quoted string: eval('...') - can contain anything except single quotes and $
+        /eval\s*\(\s*'[^'$]*'\s*\)/,
+        // Double-quoted string: eval("...") - can contain anything except double quotes and $
+        /eval\s*\(\s*"[^"$]*"\s*\)/,
+        // Backtick without interpolation: eval(`...`) - must not have ${ inside
+        /eval\s*\(\s*`[^`$]*`\s*\)/,
+        // Function constructor with string literal
+        /new\s+Function\s*\(\s*'[^'$]*'\s*\)/,
+        /new\s+Function\s*\(\s*"[^"$]*"\s*\)/,
+        // execSync with string literal
+        /execSync\s*\(\s*'[^'$]*'\s*\)/,
+        /execSync\s*\(\s*"[^"$]*"\s*\)/,
+        // exec with string literal
+        /exec\s*\(\s*'[^'$]*'/,
+        /exec\s*\(\s*"[^"$]*"/,
+    ];
+    // Only return true if it matches a static pattern (string literal)
+    // If it's a variable like eval(code), we can't assume it's static
+    return staticPatterns.some(p => p.test(lineContent));
+}
+/**
+ * Check if path traversal protection is in place
+ * Looks for common sanitization patterns that prevent directory traversal attacks
+ */
+function hasPathTraversalProtection(context, lineContent) {
+    const protectionPatterns = [
+        // Path normalization with base directory check (same line)
+        /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
+        // startsWith check with common safe directory variable names
+        /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir|safeDir|SAFE_)/i,
+        // MULTI-LINE PATTERN: path.resolve followed by startsWith check in context
+        // This handles the common case where resolve and startsWith are on separate lines:
+        //   const resolved = path.resolve(baseDir, userPath)
+        //   if (!resolved.startsWith(baseDir)) throw new Error()
+        // We check for BOTH patterns being present in the context
+        // (handled below as combined check)
+        // Explicit ".." rejection
+        /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+        /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
+        // Replace ".." pattern (sanitization)
+        /\.replace\s*\([^)]*\\?\.\\?\.\s*[^)]*,\s*['"`]['"`]\s*\)/i,
+        // Path sanitization libraries
+        /sanitizePath|sanitizeFilename|sanitize-filename/i,
+        /path-sanitizer|secure-path/i,
+        // Explicit path validation
+        /validatePath|isValidPath|checkPath|verifyPath/i,
+        /isPathAllowed|isAllowedPath|pathIsAllowed/i,
+        // Normalize and check pattern
+        /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
+        // Regex validation for safe characters only
+        /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//, // Only alphanumeric, dash, underscore, dot
+        // Allowlist/whitelist patterns
+        /allowedExtensions|allowedTypes|whitelist/i,
+        /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i, // Extension check
+        // Path.basename to strip directory
+        /path\.basename\s*\(/i,
+        // Zod/validation for filename patterns
+        /z\.string\s*\(\s*\)\.regex\s*\(/i,
+    ];
+    // Check single-line patterns
+    if (protectionPatterns.some(p => p.test(context) || p.test(lineContent))) {
+        return true;
+    }
+    // Multi-line pattern: path.resolve + startsWith check on separate lines
+    // This is a very common secure pattern:
+    //   const resolved = path.resolve(safeBaseDir, userInput)
+    //   if (!resolved.startsWith(safeBaseDir)) { throw ... }
+    const hasPathResolve = /path\.resolve\s*\(/i.test(context);
+    const hasStartsWithCheck = /\.startsWith\s*\(/i.test(context);
+    const hasThrowOnFailure = /(throw|return|reject)\s+.*(error|invalid|denied)/i.test(context);
+    if (hasPathResolve && hasStartsWithCheck && hasThrowOnFailure) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
+ * Routes with throwing auth helpers are already protected
+ */
+function hasThrowingAuthHelper(content) {
+    const throwingAuthPatterns = [
+        /\bgetCurrentUserId\s*\(/i,
+        /\brequireAuth\s*\(/i,
+        /\bensureAuth\s*\(/i,
+        /\bauth\s*\(\s*\)\s*\.protect\s*\(/i, // Clerk: auth().protect()
+        /\bcurrentUser\s*\(\s*\)/i, // Clerk: currentUser()
+        /\bgetServerSession\s*\([^)]*\)/i, // NextAuth
+        /\bauth\s*\(\s*\)/i, // Generic auth() call
+        /\bcheckAuth\s*\(/i,
+        /\bverifyAuth\s*\(/i,
+        /\bvalidateAuth\s*\(/i,
+        /\bassertAuth\s*\(/i,
+        /\bgetAuth\s*\(/i,
+        /\brequireUser\s*\(/i,
+        /\bgetUser\s*\(\s*\)/i, // supabase.auth.getUser()
+        /const\s+\{\s*user\s*\}\s*=\s*await/i, // Destructuring pattern
+    ];
+    return throwingAuthPatterns.some(p => p.test(content));
+}
+//# sourceMappingURL=helpers.js.map

package/dist/detect/structural/dangerous-functions/utils/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../../../src/detect/structural/dangerous-functions/utils/helpers.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAKH,wCAGC;AAKD,oCASC;AAQD,kDAoCC;AAMD,gEAoEC;AAMD,sDAmBC;AAnKD;;GAEG;AACH,SAAgB,cAAc,CAAC,OAAe,EAAE,UAAkB;IAChE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAA;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAC1B,OAAe,EACf,SAAiB,EACjB,OAAe;IAEf,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC3C,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,WAAmB,EACnB,OAAe,EACf,UAAkB;IAElB,uEAAuE;IACvE,iEAAiE;IACjE,EAAE;IACF,2BAA2B;IAC3B,8EAA8E;IAC9E,kDAAkD;IAClD,6EAA6E;IAC7E,EAAE;IACF,uEAAuE;IACvE,iDAAiD;IACjD,MAAM,cAAc,GAAG;QACrB,sFAAsF;QACtF,2BAA2B;QAC3B,sFAAsF;QACtF,2BAA2B;QAC3B,wEAAwE;QACxE,2BAA2B;QAC3B,2CAA2C;QAC3C,qCAAqC;QACrC,qCAAqC;QACrC,+BAA+B;QAC/B,+BAA+B;QAC/B,+BAA+B;QAC/B,2BAA2B;QAC3B,sBAAsB;QACtB,sBAAsB;KACvB,CAAA;IAED,mEAAmE;IACnE,kEAAkE;IAClE,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,OAAe,EACf,WAAmB;IAEnB,MAAM,kBAAkB,GAAG;QACzB,2DAA2D;QAC3D,+CAA+C;QAE/C,6DAA6D;QAC7D,wFAAwF;QAExF,2EAA2E;QAC3E,mFAAmF;QACnF,qDAAqD;QACrD,yDAAyD;QACzD,0DAA0D;QAC1D,oCAAoC;QAEpC,0BAA0B;QAC1B,wCAAwC;QACxC,uCAAuC;QACvC,gDAAgD;QAChD,sCAAsC;QACtC,2DAA2D;QAE3D,8BAA8B;QAC9B,kDAAkD;QAClD,6BAA6B;QAE7B,2BAA2B;QAC3B,gDAAgD;QAChD,4CAA4C;QAE5C,8BAA8B;QAC9B,+DAA+D;QAE/D,4CAA4C;QAC5C,oCAAoC,EAAE,2CAA2C;QAEjF,+BAA+B;QAC/B,2CAA2C;QAC3C,yCAAyC,EAAE,kBAAkB;QAE7D,mCAAmC;QACnC,sBAAsB;QAEtB,uCAAuC;QACvC,kCAAkC;KACnC,CAAA;IAED,6BAA6B;IAC7B,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACzE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,wEAAwE;IACxE,wCAAwC;IACxC,0DAA0D;IAC1D,yDAAyD;IACzD,MAAM,cAAc,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC1D,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC7D,MAAM,iBAAiB,GAAG,mDAAmD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAE3F,IAAI,cAAc,IAAI,kBAAkB,IAAI,iBAAiB,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,oBAAoB,GAAG;QAC3B,0BAA0B;QAC1B,qBAAqB;QACrB,oBAAoB;QACpB,oCAAoC,EAAE,0BAA0B;QAChE,0BAA0B,EAAE,uBAAuB;QACnD,iCAAiC,EAAE,WAAW;QAC9C,mBAAmB,EAAE,sBAAsB;QAC3C,mBAAmB;QACnB,oBAAoB;QACpB,sBAAsB;QACtB,oBAAoB;QACpB,iBAAiB;QACjB,qBAAqB;QACrB,sBAAsB,EAAE,0BAA0B;QAClD,qCAAqC,EAAE,wBAAwB;KAChE,CAAA;IACD,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/detect/structural/dangerous-functions/utils/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Utility Functions Index
+ *
+ * Re-exports all utility functions from the dangerous-functions module.
+ */
+export { isInsideTryCatch, hasTryCatchNearby, extractFunctionContext, } from './control-flow';
+export { hasSchemaValidationNearby, hasManualValidation, hasSQLWhitelistValidation, } from './schema-validation';
+export { getLineContent, getLineRange, hasOnlyStaticInputs, hasPathTraversalProtection, hasThrowingAuthHelper, } from './helpers';
+//# sourceMappingURL=index.d.ts.map

package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/detect/structural/dangerous-functions/utils/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,gBAAgB,CAAA;AAEvB,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,EACnB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,WAAW,CAAA"}

package/dist/detect/structural/dangerous-functions/utils/index.js

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * Utility Functions Index
+ *
+ * Re-exports all utility functions from the dangerous-functions module.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasThrowingAuthHelper = exports.hasPathTraversalProtection = exports.hasOnlyStaticInputs = exports.getLineRange = exports.getLineContent = exports.hasSQLWhitelistValidation = exports.hasManualValidation = exports.hasSchemaValidationNearby = exports.extractFunctionContext = exports.hasTryCatchNearby = exports.isInsideTryCatch = void 0;
+var control_flow_1 = require("./control-flow");
+Object.defineProperty(exports, "isInsideTryCatch", { enumerable: true, get: function () { return control_flow_1.isInsideTryCatch; } });
+Object.defineProperty(exports, "hasTryCatchNearby", { enumerable: true, get: function () { return control_flow_1.hasTryCatchNearby; } });
+Object.defineProperty(exports, "extractFunctionContext", { enumerable: true, get: function () { return control_flow_1.extractFunctionContext; } });
+var schema_validation_1 = require("./schema-validation");
+Object.defineProperty(exports, "hasSchemaValidationNearby", { enumerable: true, get: function () { return schema_validation_1.hasSchemaValidationNearby; } });
+Object.defineProperty(exports, "hasManualValidation", { enumerable: true, get: function () { return schema_validation_1.hasManualValidation; } });
+Object.defineProperty(exports, "hasSQLWhitelistValidation", { enumerable: true, get: function () { return schema_validation_1.hasSQLWhitelistValidation; } });
+var helpers_1 = require("./helpers");
+Object.defineProperty(exports, "getLineContent", { enumerable: true, get: function () { return helpers_1.getLineContent; } });
+Object.defineProperty(exports, "getLineRange", { enumerable: true, get: function () { return helpers_1.getLineRange; } });
+Object.defineProperty(exports, "hasOnlyStaticInputs", { enumerable: true, get: function () { return helpers_1.hasOnlyStaticInputs; } });
+Object.defineProperty(exports, "hasPathTraversalProtection", { enumerable: true, get: function () { return helpers_1.hasPathTraversalProtection; } });
+Object.defineProperty(exports, "hasThrowingAuthHelper", { enumerable: true, get: function () { return helpers_1.hasThrowingAuthHelper; } });
+//# sourceMappingURL=index.js.map

package/dist/detect/structural/dangerous-functions/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/detect/structural/dangerous-functions/utils/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,+CAIuB;AAHrB,gHAAA,gBAAgB,OAAA;AAChB,iHAAA,iBAAiB,OAAA;AACjB,sHAAA,sBAAsB,OAAA;AAGxB,yDAI4B;AAH1B,8HAAA,yBAAyB,OAAA;AACzB,wHAAA,mBAAmB,OAAA;AACnB,8HAAA,yBAAyB,OAAA;AAG3B,qCAMkB;AALhB,yGAAA,cAAc,OAAA;AACd,uGAAA,YAAY,OAAA;AACZ,8GAAA,mBAAmB,OAAA;AACnB,qHAAA,0BAA0B,OAAA;AAC1B,gHAAA,qBAAqB,OAAA"}

package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Schema Validation Detection Utilities
+ *
+ * Functions for detecting schema validation patterns (zod, yup, joi, etc.)
+ * and manual validation patterns.
+ */
+/**
+ * Check if schema validation is applied near a JSON.parse call
+ * Looks for zod, yup, joi, or similar validation patterns
+ */
+export declare function hasSchemaValidationNearby(content: string, lineNumber: number): boolean;
+/**
+ * Check if this file appears to have form/input validation elsewhere
+ * (manual checks on body fields, type guards, etc.)
+ */
+export declare function hasManualValidation(content: string): boolean;
+/**
+ * Check if SQL query uses whitelist validation pattern
+ * e.g., columns validated against allowedColumns array before use
+ */
+export declare function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean;
+//# sourceMappingURL=schema-validation.d.ts.map

package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-validation.d.ts","sourceRoot":"","sources":["../../../../../src/detect/structural/dangerous-functions/utils/schema-validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAkCtF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAe5D;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAiCtF"}

package/dist/detect/structural/dangerous-functions/utils/schema-validation.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * Schema Validation Detection Utilities
+ *
+ * Functions for detecting schema validation patterns (zod, yup, joi, etc.)
+ * and manual validation patterns.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasSchemaValidationNearby = hasSchemaValidationNearby;
+exports.hasManualValidation = hasManualValidation;
+exports.hasSQLWhitelistValidation = hasSQLWhitelistValidation;
+/**
+ * Check if schema validation is applied near a JSON.parse call
+ * Looks for zod, yup, joi, or similar validation patterns
+ */
+function hasSchemaValidationNearby(content, lineNumber) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineNumber - 5);
+    const end = Math.min(lines.length, lineNumber + 10);
+    const context = lines.slice(start, end).join('\n');
+    const schemaValidationPatterns = [
+        // Zod patterns
+        /z\.(object|string|number|array|boolean)\s*\(/i,
+        /\.parse\s*\(/i,
+        /\.safeParse\s*\(/i,
+        /schema\.parse/i,
+        /Schema\.parse/i,
+        // Yup patterns
+        /yup\.(object|string|number|array|boolean)\s*\(/i,
+        /\.validate\s*\(/i,
+        /\.validateSync\s*\(/i,
+        // Joi patterns
+        /Joi\.(object|string|number|array|boolean)\s*\(/i,
+        /\.validateAsync\s*\(/i,
+        // Valibot patterns
+        /v\.(object|string|number|array|boolean)\s*\(/i,
+        // AJV patterns
+        /ajv\.compile/i,
+        /validate\s*\(\s*schema/i,
+        // TypeBox patterns
+        /Type\.(Object|String|Number|Array|Boolean)\s*\(/i,
+        // Generic validation patterns
+        /validateSchema/i,
+        /schemaValidator/i,
+        /parseAndValidate/i,
+    ];
+    return schemaValidationPatterns.some(p => p.test(context));
+}
+/**
+ * Check if this file appears to have form/input validation elsewhere
+ * (manual checks on body fields, type guards, etc.)
+ */
+function hasManualValidation(content) {
+    const manualValidationPatterns = [
+        // Type checking / type guards
+        /typeof\s+\w+\s*[!=]==?\s*['"](?:string|number|boolean|object)['"]|Array\.isArray\s*\(/i,
+        // Field existence checks followed by throws/returns
+        /if\s*\(\s*!(?:body|data|input)\.\w+\s*\)\s*\{?\s*(throw|return)/i,
+        // Property access with type assertion comments or inline validation
+        /\b(body|data|input)\s*as\s+\w+/i, // Type assertion
+        // Manual validation with error handling
+        /if\s*\(\s*![\w.]+\s*\|\|\s*typeof\s+[\w.]+/i,
+        // Using type predicates
+        /is\w+\s*\([\w.]+\)/i, // isFoo(bar) pattern
+    ];
+    return manualValidationPatterns.some(p => p.test(content));
+}
+/**
+ * Check if SQL query uses whitelist validation pattern
+ * e.g., columns validated against allowedColumns array before use
+ */
+function hasSQLWhitelistValidation(content, lineNumber) {
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, lineNumber - 20);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Whitelist/allowlist validation patterns
+    const whitelistPatterns = [
+        // Array-based whitelists
+        /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
+        /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
+        /valid\w*\s*=\s*\[/i, // validColumns = [...]
+        /\.filter\s*\([^)]*\.includes\s*\(/i, // .filter(c => allowed.includes(c))
+        /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
+        /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
+        /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
+        // Object-based whitelists (Record<string, string>)
+        /\w+\s+in\s+\w*(?:sortable|allowed|valid|whitelist)\w*/i, // sorter in sortableFields
+        /\w+\s+in\s+\w+Fields/i, // key in someFields
+        /:\s*Record<string,\s*string>/i, // Type annotation: Record<string, string>
+        /const\s+\w+Fields\s*:\s*\{[^}]*\}\s*=/i, // const xyzFields: {...} = (inline type)
+        /const\s+\w+Fields\s*=\s*\{[^}]*\}/i, // const xyzFields = { ... }
+        /if\s*\([^)]*\s+in\s+\w+Fields\s*\)/i, // if (x in yFields)
+        /&&\s*\w+\s+in\s+\w+/i, // && sorter in sortableFields
+        // Enum-based validation (ASC/DESC, etc.)
+        /===?\s*['"](?:ASC|DESC)['"]/i, // === 'ASC' or === 'DESC'
+        /===?\s*\w+\.(?:Asc|Desc|ASC|DESC)/i, // === SortType.Asc
+        /toLowerCase\s*\(\s*\)\s*===?\s*\w+\.(?:asc|desc)/i, // .toLowerCase() === SortType.asc
+    ];
+    return whitelistPatterns.some(p => p.test(context));
+}
+//# sourceMappingURL=schema-validation.js.map

package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-validation.js","sourceRoot":"","sources":["../../../../../src/detect/structural/dangerous-functions/utils/schema-validation.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAMH,8DAkCC;AAMD,kDAeC;AAMD,8DAiCC;AAlGD;;;GAGG;AACH,SAAgB,yBAAyB,CAAC,OAAe,EAAE,UAAkB;IAC3E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACnD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,MAAM,wBAAwB,GAAG;QAC/B,eAAe;QACf,+CAA+C;QAC/C,eAAe;QACf,mBAAmB;QACnB,gBAAgB;QAChB,gBAAgB;QAChB,eAAe;QACf,iDAAiD;QACjD,kBAAkB;QAClB,sBAAsB;QACtB,eAAe;QACf,iDAAiD;QACjD,uBAAuB;QACvB,mBAAmB;QACnB,+CAA+C;QAC/C,eAAe;QACf,eAAe;QACf,yBAAyB;QACzB,mBAAmB;QACnB,kDAAkD;QAClD,8BAA8B;QAC9B,iBAAiB;QACjB,kBAAkB;QAClB,mBAAmB;KACpB,CAAA;IAED,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AAC5D,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,OAAe;IACjD,MAAM,wBAAwB,GAAG;QAC/B,8BAA8B;QAC9B,wFAAwF;QACxF,oDAAoD;QACpD,kEAAkE;QAClE,oEAAoE;QACpE,iCAAiC,EAAE,iBAAiB;QACpD,wCAAwC;QACxC,6CAA6C;QAC7C,wBAAwB;QACxB,qBAAqB,EAAE,qBAAqB;KAC7C,CAAA;IAED,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AAC5D,CAAC;AAED;;;GAGG;AACH,SAAgB,yBAAyB,CAAC,OAAe,EAAE,UAAkB;IAC3E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IACzD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,0CAA0C;IAC1C,MAAM,iBAAiB,GAAG;QACxB,yBAAyB;QACzB,sBAAsB,EAAE,yBAAyB;QACjD,wBAAwB,EAAE,0BAA0B;QACpD,oBAAoB,EAAE,uBAAuB;QAC7C,oCAAoC,EAAE,oCAAoC;QAC1E,yBAAyB,EAAE,+BAA+B;QAC1D,8BAA8B,EAAE,0CAA0C;QAC1E,0BAA0B,EAAE,8BAA8B;QAE1D,mDAAmD;QACnD,wDAAwD,EAAE,2BAA2B;QACrF,uBAAuB,EAAE,oBAAoB;QAC7C,+BAA+B,EAAE,0CAA0C;QAC3E,wCAAwC,EAAE,yCAAyC;QACnF,oCAAoC,EAAE,4BAA4B;QAClE,qCAAqC,EAAE,oBAAoB;QAC3D,sBAAsB,EAAE,8BAA8B;QAEtD,yCAAyC;QACzC,8BAA8B,EAAE,0BAA0B;QAC1D,oCAAoC,EAAE,mBAAmB;QACzD,mDAAmD,EAAE,kCAAkC;KACxF,CAAA;IAED,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACrD,CAAC"}

package/dist/detect/structural/data-exposure.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Layer 2: Data Exposure Detection
+ * Identifies sensitive data in logs vs API responses with appropriate severity
+ * Separates "logging concerns" from "response exposure" which have different risk profiles
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+/**
+ * Detect sensitive data exposure in logs and API responses
+ */
+export declare function detectDataExposure(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+/**
+ * Check if error handling follows safe patterns
+ * Returns true if the error handling appears safe
+ */
+export declare function isSafeErrorHandling(lineContent: string, surroundingLines: string[]): boolean;
+//# sourceMappingURL=data-exposure.d.ts.map

package/dist/detect/structural/data-exposure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-exposure.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/data-exposure.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,oBAAoB,CAAA;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAyI1D;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAqIjB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,GAAG,OAAO,CAW5F"}

package/dist/detect/structural/data-exposure.js

@@ -0,0 +1,262 @@
+"use strict";
+/**
+ * Layer 2: Data Exposure Detection
+ * Identifies sensitive data in logs vs API responses with appropriate severity
+ * Separates "logging concerns" from "response exposure" which have different risk profiles
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectDataExposure = detectDataExposure;
+exports.isSafeErrorHandling = isSafeErrorHandling;
+const file_classifier_1 = require("../../parse/file-classifier");
+const BASE_CONFIDENCE = 0.40;
+const DATA_EXPOSURE_PATTERNS = [
+    // ============================================================================
+    // LOG SINKS - DISABLED
+    // Server logs are never exposed to users. After analysis of real codebases,
+    // 100% of console.error/warn findings were false positives.
+    // Logging is a standard debugging practice, not a security vulnerability.
+    // ============================================================================
+    // NOTE: The following patterns have been REMOVED to eliminate false positives:
+    // - 'Logging user ID' - user IDs in logs are standard practice
+    // - 'Logging error objects' - console.error(err) is correct error handling
+    // - 'Logging request body' - server logs are not exposed to clients
+    // - 'JSON.stringify error to log' - serializing errors for logs is fine
+    // ============================================================================
+    // RESPONSE SINKS (higher severity - exposed to clients)
+    // These are actual information disclosure risks
+    // ============================================================================
+    // Error stack traces in responses - CRITICAL
+    {
+        name: 'Stack trace in response',
+        pattern: /res\.(json|send|status\(\d+\)\.json)\s*\([^)]*\.stack|NextResponse\.json\s*\([^)]*\.stack/gi,
+        sink: 'response',
+        severity: 'high',
+        description: 'Stack trace exposed in API response. Reveals internal code paths and file structure to clients.',
+        suggestedFix: 'Never return stack traces to clients. Log server-side, return generic error message.',
+    },
+    {
+        name: 'Full error object in response',
+        pattern: /res\.(json|send)\s*\(\s*(err|error|e)\s*\)|NextResponse\.json\s*\(\s*(err|error|e)\s*\)/gi,
+        sink: 'response',
+        severity: 'high',
+        description: 'Entire error object returned to client. May expose stack traces, internal paths, and sensitive details.',
+        suggestedFix: 'Return only { error: message } or a structured error response. Never return raw error objects.',
+    },
+    {
+        name: 'Error object spread in response',
+        pattern: /res\.(json|send)\s*\(\s*\{[^}]*\.\.\.\s*(err|error|e)[^}]*\}|NextResponse\.json\s*\(\s*\{[^}]*\.\.\.\s*(err|error|e)/gi,
+        sink: 'response',
+        severity: 'high',
+        description: 'Error object spread into response. May expose stack traces and internal details.',
+        suggestedFix: 'Pick only safe properties: { error: err.message, code: err.code }',
+    },
+    {
+        name: 'Detailed error in response',
+        pattern: /res\.(json|send|status\(\d+\)\.json)\s*\(\s*\{[^}]*(details|internal|debug|trace|stack)/gi,
+        sink: 'response',
+        severity: 'medium',
+        description: 'Detailed/internal error information in response may leak implementation details.',
+        suggestedFix: 'Remove detailed/internal/debug/trace information from client-facing error responses.',
+    },
+    // Error message in response - SAFE PATTERN (info only)
+    {
+        name: 'Error message in response (safe pattern)',
+        pattern: /res\.(json|send)\s*\([^)]*error:\s*(error|err|e)\.message|NextResponse\.json\s*\([^)]*error:\s*(error|err|e)\.message/gi,
+        sink: 'response',
+        severity: 'info',
+        description: 'Error message returned to client. Generally safe - this is the recommended error response pattern.',
+        suggestedFix: 'Verify error messages don\'t contain sensitive data. Consider using generic messages for auth errors.',
+    },
+    {
+        name: 'Error message with toString',
+        pattern: /res\.(json|send)\s*\([^)]*error:\s*(error|err|e)\.toString|NextResponse\.json\s*\([^)]*error:\s*(error|err|e)\.toString/gi,
+        sink: 'response',
+        severity: 'low',
+        description: 'Error.toString() returned to client. May include error name and message - verify no sensitive data.',
+        suggestedFix: 'Prefer error.message over error.toString() for cleaner output.',
+    },
+    {
+        name: 'String error message in response',
+        pattern: /res\.(json|send|status\(\d+\)\.json)\s*\(\s*\{\s*(error|message):\s*['"`][^'"`]+['"`]\s*\}/gi,
+        sink: 'response',
+        severity: 'info',
+        description: 'Static/string error message returned to client. This is the safest error response pattern.',
+        suggestedFix: 'No action needed - static error messages are safe.',
+    },
+    // ============================================================================
+    // BOTH SINKS (depends on context)
+    // ============================================================================
+    // Sensitive data exposure patterns
+    {
+        name: 'Exposing user object',
+        pattern: /res\.(json|send)\s*\([^)]*user\s*\)|NextResponse\.json\s*\([^)]*user\s*\)/gi,
+        sink: 'response',
+        severity: 'low',
+        description: 'User object returned in response. Ensure password hashes and sensitive fields are excluded.',
+        suggestedFix: 'Select only necessary user fields. Never expose password hashes, tokens, or internal IDs.',
+    },
+];
+/**
+ * Check if file path indicates low-risk logging context
+ */
+function isLowRiskLoggingFile(filePath) {
+    // Test files
+    if ((0, file_classifier_1.isTestOrMockFile)(filePath)) {
+        return true;
+    }
+    // Scripts, tools, CLI utilities
+    if (/\/(scripts?|tools?|cli|bin)\//i.test(filePath)) {
+        return true;
+    }
+    // Internal services/utilities (not API-facing)
+    if (/\/(services?|lib|utils?|helpers?)\//i.test(filePath) &&
+        !/\/(api|routes?)\//i.test(filePath)) {
+        return true;
+    }
+    // Component files (client-side, not API)
+    if (/\/(components?|pages?|views?)\//i.test(filePath) &&
+        !/route\.(ts|js)$/i.test(filePath)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Detect sensitive data exposure in logs and API responses
+ */
+function detectDataExposure(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isLowRiskFile = isLowRiskLoggingFile(filePath);
+    // Determine if this is likely an API route file
+    const isApiFile = /\/(api|routes?|handlers?|controllers?)\//i.test(filePath) ||
+        /route\.(ts|js)$/i.test(filePath);
+    // Track log findings for aggregation
+    const logFindings = [];
+    lines.forEach((line, index) => {
+        // Skip comments
+        if ((0, file_classifier_1.isComment)(line))
+            return;
+        for (const pattern of DATA_EXPOSURE_PATTERNS) {
+            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+            if (regex.test(line)) {
+                let severity = pattern.severity;
+                let description = pattern.description;
+                // Adjust severity based on context
+                if (isTestFile) {
+                    severity = 'info';
+                    description = `${description} (in test file)`;
+                }
+                // Log sinks get special handling for aggregation
+                if (pattern.sink === 'log') {
+                    // In low-risk files, just aggregate without reporting individual findings
+                    if (isLowRiskFile && severity === 'info') {
+                        logFindings.push({ lineNumber: index + 1, lineContent: line.trim(), name: pattern.name });
+                        break;
+                    }
+                    // Log sinks in non-API files are lower priority
+                    if (!isApiFile) {
+                        if (severity === 'low')
+                            severity = 'info';
+                    }
+                    // Track for aggregation if info severity
+                    if (severity === 'info') {
+                        logFindings.push({ lineNumber: index + 1, lineContent: line.trim(), name: pattern.name });
+                        break;
+                    }
+                }
+                // Response sinks in API files are higher priority
+                if (pattern.sink === 'response' && isApiFile) {
+                    // Keep original severity - these are more critical in API routes
+                }
+                vulnerabilities.push({
+                    id: `data-exposure-${filePath}-${index + 1}-${pattern.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity,
+                    category: 'data_exposure',
+                    title: pattern.name,
+                    description,
+                    suggestedFix: pattern.suggestedFix,
+                    confidence: isTestFile ? 'low' : 'medium',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+                break; // Only one finding per line
+            }
+        }
+    });
+    // Aggregate info-level log findings if there are many
+    if (logFindings.length >= 3) {
+        const lineNumbers = logFindings.map(f => f.lineNumber).slice(0, 5);
+        const moreText = logFindings.length > 5 ? `... (${logFindings.length} total)` : '';
+        // Group by pattern name
+        const patternCounts = new Map();
+        for (const finding of logFindings) {
+            patternCounts.set(finding.name, (patternCounts.get(finding.name) || 0) + 1);
+        }
+        const patternSummary = Array.from(patternCounts.entries())
+            .map(([name, count]) => `${count}x ${name}`)
+            .join(', ');
+        vulnerabilities.push({
+            id: `data-exposure-aggregated-${filePath}`,
+            filePath,
+            lineNumber: logFindings[0].lineNumber,
+            lineContent: `${logFindings.length} instances across this file`,
+            severity: 'info',
+            category: 'data_exposure',
+            title: `Logging patterns (${logFindings.length} instances)`,
+            description: `${patternSummary}. Review for sensitive data exposure.\n\nFound ${logFindings.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
+            suggestedFix: 'Ensure logs have appropriate access controls and do not contain sensitive user data.',
+            confidence: 'low',
+            baseConfidence: BASE_CONFIDENCE,
+            layer: 2,
+            source: 'structural',
+        });
+    }
+    else if (logFindings.length > 0) {
+        // Report individually for small counts
+        for (const finding of logFindings) {
+            const pattern = DATA_EXPOSURE_PATTERNS.find(p => p.name === finding.name);
+            if (pattern) {
+                vulnerabilities.push({
+                    id: `data-exposure-${filePath}-${finding.lineNumber}-${finding.name}`,
+                    filePath,
+                    lineNumber: finding.lineNumber,
+                    lineContent: finding.lineContent,
+                    severity: 'info',
+                    category: 'data_exposure',
+                    title: pattern.name,
+                    description: pattern.description,
+                    suggestedFix: pattern.suggestedFix,
+                    confidence: 'low',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+            }
+        }
+    }
+    return vulnerabilities;
+}
+/**
+ * Check if error handling follows safe patterns
+ * Returns true if the error handling appears safe
+ */
+function isSafeErrorHandling(lineContent, surroundingLines) {
+    // Safe patterns: only returning error.message, using generic messages
+    const safePatterns = [
+        /error:\s*['"`].*['"`]/, // Generic string message
+        /error:\s*error\.message/, // Only message property
+        /error:\s*err\.message/,
+        /message:\s*(error|err)\.message/,
+        /status\(\d+\)\.json\(\s*\{\s*error:/, // Status code + error object (common pattern)
+    ];
+    return safePatterns.some(p => p.test(lineContent));
+}
+//# sourceMappingURL=data-exposure.js.map

package/dist/detect/structural/data-exposure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-exposure.js","sourceRoot":"","sources":["../../../src/detect/structural/data-exposure.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AA+IH,gDAyIC;AAMD,kDAWC;AArSD,iEAAiG;AAEjG,MAAM,eAAe,GAAG,IAAI,CAAA;AAW5B,MAAM,sBAAsB,GAA0B;IACpD,+EAA+E;IAC/E,uBAAuB;IACvB,4EAA4E;IAC5E,4DAA4D;IAC5D,0EAA0E;IAC1E,+EAA+E;IAE/E,+EAA+E;IAC/E,+DAA+D;IAC/D,2EAA2E;IAC3E,oEAAoE;IACpE,wEAAwE;IAExE,+EAA+E;IAC/E,wDAAwD;IACxD,gDAAgD;IAChD,+EAA+E;IAE/E,6CAA6C;IAC7C;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,6FAA6F;QACtG,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iGAAiG;QAC9G,YAAY,EAAE,sFAAsF;KACrG;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,2FAA2F;QACpG,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yGAAyG;QACtH,YAAY,EAAE,gGAAgG;KAC/G;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,wHAAwH;QACjI,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,mEAAmE;KAClF;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,2FAA2F;QACpG,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,sFAAsF;KACrG;IAED,uDAAuD;IACvD;QACE,IAAI,EAAE,0CAA0C;QAChD,OAAO,EAAE,yHAAyH;QAClI,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oGAAoG;QACjH,YAAY,EAAE,uGAAuG;KACtH;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,2HAA2H;QACpI,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,qGAAqG;QAClH,YAAY,EAAE,gEAAgE;KAC/E;IACD;QACE,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,8FAA8F;QACvG,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4FAA4F;QACzG,YAAY,EAAE,oDAAoD;KACnE;IAED,+EAA+E;IAC/E,kCAAkC;IAClC,+EAA+E;IAE/E,mCAAmC;IACnC;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,6EAA6E;QACtF,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6FAA6F;QAC1G,YAAY,EAAE,2FAA2F;KAC1G;CACF,CAAA;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,aAAa;IACb,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gCAAgC;IAChC,IAAI,gCAAgC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,+CAA+C;IAC/C,IAAI,sCAAsC,CAAC,IAAI,CAAC,QAAQ,CAAC;QACrD,CAAC,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,yCAAyC;IACzC,IAAI,kCAAkC,CAAC,IAAI,CAAC,QAAQ,CAAC;QACjD,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,aAAa,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAA;IAEpD,gDAAgD;IAChD,MAAM,SAAS,GAAG,2CAA2C,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC1D,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEnD,qCAAqC;IACrC,MAAM,WAAW,GAAgE,EAAE,CAAA;IAEnF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,gBAAgB;QAChB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,IAAI,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;gBAC/B,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;gBAErC,mCAAmC;gBACnC,IAAI,UAAU,EAAE,CAAC;oBACf,QAAQ,GAAG,MAAM,CAAA;oBACjB,WAAW,GAAG,GAAG,WAAW,iBAAiB,CAAA;gBAC/C,CAAC;gBAED,iDAAiD;gBACjD,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;oBAC3B,0EAA0E;oBAC1E,IAAI,aAAa,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;wBACzC,WAAW,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;wBACzF,MAAK;oBACP,CAAC;oBAED,gDAAgD;oBAChD,IAAI,CAAC,SAAS,EAAE,CAAC;wBACf,IAAI,QAAQ,KAAK,KAAK;4BAAE,QAAQ,GAAG,MAAM,CAAA;oBAC3C,CAAC;oBAED,yCAAyC;oBACzC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;wBACxB,WAAW,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;wBACzF,MAAK;oBACP,CAAC;gBACH,CAAC;gBAED,kDAAkD;gBAClD,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU,IAAI,SAAS,EAAE,CAAC;oBAC7C,iEAAiE;gBACnE,CAAC;gBAED,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,iBAAiB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;oBAC5D,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ;oBACR,QAAQ,EAAE,eAAe;oBACzB,KAAK,EAAE,OAAO,CAAC,IAAI;oBACnB,WAAW;oBACX,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;oBACzC,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,sDAAsD;IACtD,IAAI,WAAW,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAClE,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,WAAW,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,EAAE,CAAA;QAElF,wBAAwB;QACxB,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAA;QAC/C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAC7E,CAAC;QACD,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;aACvD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,KAAK,IAAI,EAAE,CAAC;aAC3C,IAAI,CAAC,IAAI,CAAC,CAAA;QAEb,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,4BAA4B,QAAQ,EAAE;YAC1C,QAAQ;YACR,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,UAAU;YACrC,WAAW,EAAE,GAAG,WAAW,CAAC,MAAM,6BAA6B;YAC/D,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE,qBAAqB,WAAW,CAAC,MAAM,aAAa;YAC3D,WAAW,EAAE,GAAG,cAAc,kDAAkD,WAAW,CAAC,MAAM,0BAA0B,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,EAAE;YAC/J,YAAY,EAAE,sFAAsF;YACpG,UAAU,EAAE,KAAK;YACjB,cAAc,EAAE,eAAe;YAC/B,KAAK,EAAE,CAAC;YACN,MAAM,EAAE,YAAqB;SAChC,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,uCAAuC;QACvC,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;YACzE,IAAI,OAAO,EAAE,CAAC;gBACZ,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,iBAAiB,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,IAAI,EAAE;oBACrE,QAAQ;oBACR,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,eAAe;oBACzB,KAAK,EAAE,OAAO,CAAC,IAAI;oBACnB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU,EAAE,KAAK;oBACjB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,WAAmB,EAAE,gBAA0B;IACjF,sEAAsE;IACtE,MAAM,YAAY,GAAG;QACnB,uBAAuB,EAAG,yBAAyB;QACnD,yBAAyB,EAAG,wBAAwB;QACpD,uBAAuB;QACvB,iCAAiC;QACjC,qCAAqC,EAAG,8CAA8C;KACvF,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AACpD,CAAC"}

package/dist/detect/structural/framework-checks.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 2: Framework-Specific Security Checks
+ * Detects security issues specific to popular frameworks (Next.js, Express, React, etc.)
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function detectFrameworkIssues(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=framework-checks.d.ts.map