@oculum/scanner 1.0.12 → 1.0.13

package/src/detect/structural/security-headers.ts

@@ -0,0 +1,231 @@
+/**
+ * Layer 2: Security Headers Detector
+ * Detects missing HTTP security headers in server configurations
+ *
+ * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
+ * CWE-693: Protection Mechanism Failure
+ */
+
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.35
+
+interface SecurityHeadersOptions {
+  parsed?: ParsedFile
+}
+
+/**
+ * Check if a file is client-side (not a server file)
+ */
+function isClientSideFile(content: string, filePath: string): boolean {
+  // Explicit 'use client' directive
+  if (/['"]use client['"]/.test(content)) return true
+
+  // Client-side file paths
+  const clientPatterns = [
+    /\/components\//i,
+    /\/hooks\//i,
+    /\/pages\/(?!api\/)/i, // pages/ but not pages/api/
+    /\.client\.(ts|js|tsx|jsx)$/i,
+  ]
+
+  // Only apply path heuristics if no server indicators
+  if (clientPatterns.some(p => p.test(filePath))) {
+    // Check for server indicators that override
+    const hasServerIndicators =
+      content.includes('express()') ||
+      content.includes("require('express')") ||
+      content.includes('from \'express\'') ||
+      content.includes('from "express"') ||
+      content.includes('createServer') ||
+      /['"]use server['"]/.test(content)
+    if (!hasServerIndicators) return true
+  }
+
+  return false
+}
+
+/**
+ * Check if a file is a Next.js config file
+ */
+function isNextConfig(filePath: string): boolean {
+  return /next\.config\.(m?js|ts)$/.test(filePath)
+}
+
+/**
+ * Detect missing security headers in server configurations
+ */
+export function detectSecurityHeaders(
+  content: string,
+  filePath: string,
+  options?: SecurityHeadersOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isTestOrMockFile(filePath)) return vulnerabilities
+  if (isClientSideFile(content, filePath)) return vulnerabilities
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  // --- Check 1: Express without helmet ---
+  const hasExpress =
+    content.includes('express()') ||
+    /require\s*\(\s*['"]express['"]\s*\)/.test(content) ||
+    /from\s+['"]express['"]/.test(content)
+
+  if (hasExpress) {
+    const hasHelmet =
+      /require\s*\(\s*['"]helmet['"]\s*\)/.test(content) ||
+      /from\s+['"]helmet['"]/.test(content) ||
+      /require\s*\(\s*['"]@fastify\/helmet['"]\s*\)/.test(content) ||
+      /from\s+['"]@fastify\/helmet['"]/.test(content)
+
+    if (!hasHelmet) {
+      // Find the line where express() is called
+      let expressLine = 0
+      let expressContent = ''
+      for (let i = 0; i < lines.length; i++) {
+        if (/express\s*\(\s*\)/.test(lines[i])) {
+          expressLine = i + 1
+          expressContent = lines[i].trim()
+          break
+        }
+      }
+
+      if (expressLine > 0) {
+        vulnerabilities.push({
+          id: `secheader-${filePath}-express-no-helmet`,
+          filePath,
+          lineNumber: expressLine,
+          lineContent: expressContent,
+          severity: 'medium',
+          category: 'missing_security_headers',
+          title: 'Express app without helmet security headers',
+          description:
+            'Express application does not use helmet middleware. This leaves the app without critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).',
+          suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+          requiresAIValidation: true,
+        })
+      }
+    } else {
+      // --- Check 2: Helmet with CSP disabled ---
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        if (/contentSecurityPolicy\s*:\s*false/.test(line)) {
+          vulnerabilities.push({
+            id: `secheader-${filePath}-${i + 1}-csp-disabled`,
+            filePath,
+            lineNumber: i + 1,
+            lineContent: line.trim(),
+            severity: 'low',
+            category: 'missing_security_headers',
+            title: 'Helmet CSP disabled',
+            description:
+              'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
+            suggestedFix:
+              'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
+            confidence: 'high',
+            baseConfidence: BASE_CONFIDENCE,
+            layer: 2,
+        source: 'structural' as const,
+          })
+        }
+      }
+    }
+  }
+
+  // --- Check 3: Next.js config missing headers ---
+  if (isNextConfig(filePath)) {
+    const hasHeadersExport =
+      /headers\s*\(\s*\)/.test(content) ||
+      /headers\s*:\s*(?:async\s*)?\(?\s*\)?\s*=>/.test(content) ||
+      /async\s+headers\s*\(\s*\)/.test(content)
+
+    if (!hasHeadersExport) {
+      vulnerabilities.push({
+        id: `secheader-${filePath}-nextjs-no-headers`,
+        filePath,
+        lineNumber: 1,
+        lineContent: lines[0]?.trim() || '',
+        severity: 'medium',
+        category: 'missing_security_headers',
+        title: 'Next.js config missing security headers',
+        description:
+          'next.config does not export a headers() function. Security headers (CSP, HSTS, X-Frame-Options) should be configured in Next.js config or middleware.',
+        suggestedFix:
+          'Add a headers() function to next.config.js that returns security headers array',
+        confidence: 'medium',
+        baseConfidence: BASE_CONFIDENCE,
+        layer: 2,
+        source: 'structural' as const,
+        requiresAIValidation: true,
+      })
+    }
+  }
+
+  // --- Check 4: Server setting some headers but missing critical ones ---
+  // Only check files that explicitly set response headers
+  const setsHeaders =
+    /res\.setHeader\s*\(/.test(content) ||
+    /response\.setHeader\s*\(/.test(content) ||
+    /res\.set\s*\(/.test(content) ||
+    /response\.headers\.set\s*\(/.test(content)
+
+  if (setsHeaders && !hasExpress) {
+    const criticalHeaders = [
+      { name: 'Content-Security-Policy', pattern: /content-security-policy/i },
+      { name: 'Strict-Transport-Security', pattern: /strict-transport-security/i },
+      { name: 'X-Content-Type-Options', pattern: /x-content-type-options/i },
+      { name: 'X-Frame-Options', pattern: /x-frame-options/i },
+    ]
+
+    const missingHeaders = criticalHeaders.filter(h => !h.pattern.test(content))
+
+    // Only flag if file sets SOME headers but omits critical ones
+    const presentHeaders = criticalHeaders.filter(h => h.pattern.test(content))
+    if (presentHeaders.length > 0 && missingHeaders.length > 0) {
+      // Find a line where headers are being set for reporting
+      let headerLine = 0
+      let headerContent = ''
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:res|response)\.(?:setHeader|set|headers\.set)\s*\(/.test(lines[i])) {
+          headerLine = i + 1
+          headerContent = lines[i].trim()
+          break
+        }
+      }
+
+      if (headerLine > 0) {
+        const missing = missingHeaders.map(h => h.name).join(', ')
+        vulnerabilities.push({
+          id: `secheader-${filePath}-${headerLine}-missing-headers`,
+          filePath,
+          lineNumber: headerLine,
+          lineContent: headerContent,
+          severity: 'low',
+          category: 'missing_security_headers',
+          title: 'Incomplete security headers',
+          description: `Server sets some response headers but is missing: ${missing}. Consider adding these critical security headers.`,
+          suggestedFix: `Add missing security headers: ${missing}`,
+          confidence: 'medium',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+          requiresAIValidation: true,
+        })
+      }
+    }
+  }
+
+  return vulnerabilities
+}

package/src/detect/structural/ssrf-detection.ts

@@ -0,0 +1,300 @@
+/**
+ * Layer 2: SSRF (Server-Side Request Forgery) Detector
+ * Detects user input flowing to server-side HTTP request sinks
+ *
+ * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
+ * CWE-918: Server-Side Request Forgery
+ */
+
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.40
+
+interface SSRFOptions {
+  parsed?: ParsedFile
+}
+
+/** User input source patterns */
+const USER_INPUT_PATTERN = /(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/
+
+/** Check if file is client-side (SSRF is server-only) */
+function isClientSideFile(content: string, filePath: string): boolean {
+  if (/['"]use client['"]/.test(content)) return true
+  // .tsx/.jsx in components dir without server indicators
+  if (/\/components\//.test(filePath) && !content.includes('express()') && !/['"]use server['"]/.test(content)) {
+    return true
+  }
+  return false
+}
+
+/**
+ * Check surrounding context for SSRF mitigations
+ */
+function hasSSRFMitigation(lines: string[], lineIndex: number, windowSize: number = 15): boolean {
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize + 1)
+  const context = lines.slice(start, end).join('\n')
+
+  // Allowlist validation
+  if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(context)) return true
+  if (/allowList|allowlist|whitelist|whiteList/.test(context)) return true
+
+  // URL validation with host/origin check
+  if (/new\s+URL\(/.test(context) && /\.(?:hostname|host|origin)/.test(context)) return true
+
+  // IP range checking
+  if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(context)) return true
+  if (/(?:127\.0\.0\.1|10\.\d|192\.168\.|169\.254\.)/.test(context) && /(?:block|reject|deny|forbidden)/i.test(context)) return true
+
+  // Environment variable source
+  if (/process\.env\./i.test(context)) {
+    // Check if the URL comes from env var, not just any env var in context
+    const envLineCount = lines.slice(start, end).filter(l => /process\.env\./.test(l)).length
+    const userInputCount = lines.slice(start, end).filter(l => USER_INPUT_PATTERN.test(l)).length
+    if (envLineCount > 0 && userInputCount <= 1) return false // Don't suppress just because env vars exist
+  }
+
+  return false
+}
+
+/**
+ * Detect SSRF patterns in server-side code
+ */
+export function detectSSRFPatterns(
+  content: string,
+  filePath: string,
+  options?: SSRFOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isTestOrMockFile(filePath)) return vulnerabilities
+  if (isClientSideFile(content, filePath)) return vulnerabilities
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  // ========== Pass 1: Direct taint — user input in HTTP sinks ==========
+  const DIRECT_SSRF_PATTERNS = [
+    // fetch(req.body.url), fetch(req.query.endpoint)
+    /(?:fetch|got|undici\.request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/,
+    // axios.get(req.body.url)
+    /axios\.(?:get|post|put|delete|patch|head|options|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // http.get(req.body.url), https.get(...)
+    /https?\.(?:get|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // got(req.body.url)
+    /got\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // Python: requests.get(request.args.get('url'))
+    /requests\.(?:get|post|put|delete|patch|head|options)\s*\(\s*(?:request\.(?:args|form|json|data)\.get|request\.(?:args|form|json|data)\[)/,
+    // Python: urllib.request.urlopen(request.args.get('url'))
+    /urllib\.request\.urlopen\s*\(\s*(?:request\.(?:args|form|json))/,
+  ]
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    for (const pattern of DIRECT_SSRF_PATTERNS) {
+      if (pattern.test(line)) {
+        if (hasSSRFMitigation(lines, i)) continue
+
+        vulnerabilities.push({
+          id: `ssrf-${filePath}-${i + 1}-direct`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'ssrf',
+          title: 'SSRF: User input in HTTP request',
+          description:
+            'User-controlled input flows directly to a server-side HTTP request. An attacker could force the server to make requests to internal services, cloud metadata endpoints (169.254.169.254), or other sensitive resources.',
+          suggestedFix:
+            'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+        break
+      }
+    }
+  }
+
+  // ========== Pass 2: Open redirect ==========
+  const OPEN_REDIRECT_PATTERNS = [
+    // res.redirect(req.query.next)
+    /res\.redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+    // redirect(req.query.returnTo)
+    /(?<!\w)redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+  ]
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    for (const pattern of OPEN_REDIRECT_PATTERNS) {
+      if (pattern.test(line)) {
+        if (hasSSRFMitigation(lines, i)) continue
+
+        vulnerabilities.push({
+          id: `ssrf-${filePath}-${i + 1}-redirect`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'ssrf',
+          title: 'Open redirect: User input in redirect',
+          description:
+            'User-controlled input is used in a server redirect. An attacker could craft a URL that redirects users to a malicious site for phishing.',
+          suggestedFix:
+            'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+        break
+      }
+    }
+  }
+
+  // ========== Pass 3: Variable-mediated taint ==========
+  // Track: const url = req.body.url; ... fetch(url)
+  const taintedVars = new Map<string, number>() // varName -> lineIndex
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    // Detect taint sources: const/let/var url = req.body.url
+    const taintMatch = line.match(
+      /(?:const|let|var)\s+(\w+)\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/
+    )
+    if (taintMatch) {
+      taintedVars.set(taintMatch[1], i)
+      continue
+    }
+
+    // Also detect destructuring: const { url } = req.body
+    const destructMatch = line.match(
+      /(?:const|let|var)\s*\{([^}]+)\}\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params)/
+    )
+    if (destructMatch) {
+      const vars = destructMatch[1].split(',').map(v => v.trim().split(':')[0].trim())
+      for (const v of vars) {
+        if (v) taintedVars.set(v, i)
+      }
+      continue
+    }
+
+    // Check if tainted variable flows to HTTP sink (within 20 lines)
+    if (taintedVars.size > 0) {
+      const httpSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request)|undici\.request)\s*\(/
+      if (httpSinkPattern.test(line)) {
+        for (const [varName, sourceLineIdx] of taintedVars) {
+          if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+            // Check if the variable is used in this sink call
+            const varPattern = new RegExp(`\\b${varName}\\b`)
+            if (varPattern.test(line)) {
+              if (hasSSRFMitigation(lines, i)) continue
+
+              vulnerabilities.push({
+                id: `ssrf-${filePath}-${i + 1}-mediated`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity: 'medium',
+                category: 'ssrf',
+                title: 'SSRF: Variable-mediated user input in HTTP request',
+                description:
+                  `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to an HTTP request sink. An attacker could control the request destination.`,
+                suggestedFix:
+                  'Validate the URL against an allowlist before making the request. Block private IP ranges.',
+                confidence: 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 2,
+        source: 'structural' as const,
+                requiresAIValidation: true,
+              })
+              break
+            }
+          }
+        }
+      }
+
+      // Check for redirect sinks too
+      const redirectSinkPattern = /(?:res\.redirect|redirect)\s*\(/
+      if (redirectSinkPattern.test(line)) {
+        for (const [varName, sourceLineIdx] of taintedVars) {
+          if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+            const varPattern = new RegExp(`\\b${varName}\\b`)
+            if (varPattern.test(line)) {
+              if (hasSSRFMitigation(lines, i)) continue
+
+              vulnerabilities.push({
+                id: `ssrf-${filePath}-${i + 1}-redirect-mediated`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity: 'medium',
+                category: 'ssrf',
+                title: 'Open redirect: Variable-mediated user input',
+                description:
+                  `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to a redirect call.`,
+                suggestedFix: 'Validate redirect URL against an allowlist of permitted paths.',
+                confidence: 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 2,
+        source: 'structural' as const,
+                requiresAIValidation: true,
+              })
+              break
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // ========== Pass 4: Template literal with user input in URL ==========
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    // fetch(`${req.query.baseUrl}/api`) or fetch(`http://${req.body.host}/path`)
+    const templateSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request))\s*\(\s*`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/
+    if (templateSinkPattern.test(line)) {
+      // Avoid duplicate with direct taint
+      const alreadyFound = vulnerabilities.some(
+        v => v.lineNumber === i + 1 && v.filePath === filePath
+      )
+      if (alreadyFound) continue
+      if (hasSSRFMitigation(lines, i)) continue
+
+      vulnerabilities.push({
+        id: `ssrf-${filePath}-${i + 1}-template`,
+        filePath,
+        lineNumber: i + 1,
+        lineContent: line.trim(),
+        severity: 'high',
+        category: 'ssrf',
+        title: 'SSRF: User input interpolated in HTTP request URL',
+        description:
+          'User-controlled request data is interpolated into an HTTP request URL via template literal. An attacker could manipulate the request destination.',
+        suggestedFix:
+          'Extract and validate the user input before constructing the URL. Use an allowlist of permitted domains.',
+        confidence: 'high',
+        baseConfidence: BASE_CONFIDENCE,
+        layer: 2,
+        source: 'structural' as const,
+      })
+    }
+  }
+
+  return vulnerabilities
+}

package/src/{layer2 → detect/structural}/variables.ts

@@ -3,9 +3,11 @@
  * Identifies variable names associated with sensitive data
  */
 
-import type { Vulnerability, SensitiveVariablePattern } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, SensitiveVariablePattern } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.20
 
 // Patterns for sensitive variable names
 export const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[] = [
@@ -161,7 +163,9 @@ export function detectSensitiveVariables(
             description: pattern.description + '. The value appears to be hardcoded rather than loaded from environment.',
             suggestedFix: 'Move this sensitive value to an environment variable or secure secrets manager.',
             confidence: 'medium',
+            baseConfidence: BASE_CONFIDENCE,
             layer: 2,
+        source: 'structural' as const,
           })
         }
         break // Only report once per line