@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/secrets/weak-crypto.js

@@ -0,0 +1,432 @@
+"use strict";
+/**
+ * Layer 1: Weak Cryptography Detection
+ * Detects usage of deprecated or weak cryptographic algorithms
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectWeakCrypto = detectWeakCrypto;
+// Base confidence for weak cryptography findings
+const BASE_CONFIDENCE = 0.45;
+// Weak/deprecated cryptographic patterns
+const WEAK_CRYPTO_PATTERNS = [
+    // Weak hash algorithms
+    {
+        pattern: /\bMD5\s*\(/gi,
+        name: 'MD5 Hash Usage',
+        severity: 'high',
+        description: 'MD5 is cryptographically broken and should not be used for security purposes',
+        fix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
+        contextCheck: (line) => {
+            // Only flag as high if used in security context (passwords, tokens, etc.)
+            // Checksum/etag/cache usage is acceptable for non-security purposes
+            const securityContexts = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /key/i, /verify.*user/i, /sign/i];
+            const checksumContexts = [
+                /checksum/i,
+                /hash.*file/i,
+                /file.*hash/i,
+                /etag/i,
+                /content.*hash/i,
+                /integrity/i,
+                /digest/i,
+                /fingerprint/i,
+                /cache.*key/i,
+                /dedup/i,
+                /uniqueId/i,
+                /contentId/i,
+                /gravatar/i, // Gravatar uses MD5 for email hashing
+                /avatar/i, // Avatar URLs often use MD5
+                /blob/i, // Blob hashing
+                /asset/i, // Asset fingerprinting
+                /sprite/i, // Sprite sheet hashing
+                /bundle/i, // Bundle hashing
+                /chunk/i, // Webpack chunk hashing
+                /manifest/i, // Manifest hashing
+            ];
+            const isSecurityContext = securityContexts.some(p => p.test(line));
+            const isChecksumContext = checksumContexts.some(p => p.test(line));
+            // If it's clearly a checksum context, don't flag
+            if (isChecksumContext && !isSecurityContext) {
+                return false;
+            }
+            return true;
+        },
+    },
+    {
+        pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/gi,
+        name: 'MD5 Hash Creation',
+        severity: 'high',
+        description: 'MD5 is cryptographically broken and should not be used for security purposes',
+        fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
+        contextCheck: (line, _match, funcName) => {
+            // Check function name and line context for checksum indicators
+            const checksumIndicators = [
+                /checksum/i,
+                /etag/i,
+                /content.*hash/i,
+                /file.*hash/i,
+                /integrity/i,
+                /digest/i,
+                /fingerprint/i,
+                /verify.*file/i,
+                /cache/i,
+                /dedup/i,
+                /gravatar/i,
+                /avatar/i,
+                /asset/i,
+                /bundle/i,
+                /chunk/i,
+                /manifest/i,
+                /sprite/i,
+            ];
+            const securityIndicators = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /verify.*user/i, /sign/i];
+            const lineAndFunc = funcName ? `${funcName} ${line}` : line;
+            const isChecksum = checksumIndicators.some(p => p.test(lineAndFunc));
+            const isSecurity = securityIndicators.some(p => p.test(lineAndFunc));
+            // Checksum use without security context = acceptable, don't flag
+            if (isChecksum && !isSecurity) {
+                return false;
+            }
+            return true;
+        },
+    },
+    {
+        pattern: /\bSHA1\s*\(/gi,
+        name: 'SHA1 Hash Usage',
+        severity: 'medium',
+        description: 'SHA1 is deprecated and vulnerable to collision attacks',
+        fix: 'Use SHA-256 or SHA-3 for hashing.',
+    },
+    {
+        pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/gi,
+        name: 'SHA1 Hash Creation',
+        severity: 'medium',
+        description: 'SHA1 is deprecated and vulnerable to collision attacks',
+        fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
+    },
+    // Weak encryption algorithms
+    {
+        pattern: /\bDES\b(?!ede3|3)/gi,
+        name: 'DES Encryption',
+        severity: 'high',
+        description: 'DES is obsolete and easily broken. Use AES instead.',
+        fix: 'Use AES-256-GCM for symmetric encryption.',
+        contextCheck: (line) => {
+            // DES must appear in crypto-related context, not natural language
+            // Common French/Spanish word "des" should not trigger this
+            const cryptoContexts = [
+                /cipher/i,
+                /encrypt/i,
+                /decrypt/i,
+                /crypto/i,
+                /algorithm/i,
+                /createCipher/i,
+                /\bDES\s*[.(]/i, // DES function call like DES() or DES.encrypt()
+                /['"]DES['"]/i, // DES as string literal
+                /DES[-_]/i, // DES-CBC, DES_KEY, etc.
+                /[-_]DES/i, // 3DES, etc.
+            ];
+            return cryptoContexts.some(ctx => ctx.test(line));
+        },
+    },
+    {
+        pattern: /createCipher(?:iv)?\s*\(\s*['"]des['"]/gi,
+        name: 'DES Cipher Creation',
+        severity: 'high',
+        description: 'DES is obsolete and easily broken',
+        fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
+    },
+    {
+        pattern: /\bRC4\b/gi,
+        name: 'RC4 Encryption',
+        severity: 'high',
+        description: 'RC4 is broken and should never be used',
+        fix: 'Use AES-256-GCM for symmetric encryption.',
+    },
+    {
+        pattern: /createCipher(?:iv)?\s*\(\s*['"]rc4['"]/gi,
+        name: 'RC4 Cipher Creation',
+        severity: 'high',
+        description: 'RC4 is broken and should never be used',
+        fix: 'Use createCipheriv(\'aes-256-gcm\', ...) instead.',
+    },
+    {
+        pattern: /\bBlowfish\b/gi,
+        name: 'Blowfish Encryption',
+        severity: 'medium',
+        description: 'Blowfish has a small block size and is not recommended for new applications',
+        fix: 'Use AES-256-GCM for symmetric encryption.',
+    },
+    // Insecure random number generation
+    {
+        pattern: /Math\.random\s*\(\s*\)/g,
+        name: 'Math.random() for Security',
+        severity: 'high',
+        description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
+        fix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
+        contextCheck: (line) => {
+            // Exclude load balancing/array selection patterns (not security-critical)
+            // Pattern: Math.random() * array.length or Math.random() * count
+            const loadBalancingPatterns = [
+                /Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i, // * array.length
+                /Math\.random\s*\(\s*\)\s*\*\s*\w+\.keyLen/i, // * store.keyLen (API key manager)
+                /Math\.random\s*\(\s*\)\s*\*\s*\w+\.size/i, // * collection.size
+                /Math\.random\s*\(\s*\)\s*\*\s*\d+\s*\)/, // * literal number in expression
+                /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i, // Math.floor(Math.random() * arr.length)
+                /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.keyLen/i, // Math.floor(Math.random() * store.keyLen)
+                /\[\s*Math\.floor\s*\(\s*Math\.random/i, // array[Math.floor(Math.random...)]
+                /index\s*=\s*Math\.floor\s*\(\s*Math\.random/i, // index = Math.floor(Math.random...)
+                /pick|select|choose|shuffle|sample/i, // Load balancing keywords
+            ];
+            if (loadBalancingPatterns.some(p => p.test(line))) {
+                return false; // Don't flag - this is load balancing, not security
+            }
+            // Exclude fallback patterns where crypto is the primary method
+            // Pattern: crypto.randomUUID() ?? Math.random() or crypto.getRandomValues() || Math.random()
+            const fallbackPatterns = [
+                /crypto\??\.\s*randomUUID\s*\(\s*\)\s*\?\?/i, // crypto.randomUUID() ??
+                /crypto\??\.\s*getRandomValues\s*\([^)]*\)\s*\?\?/i, // crypto.getRandomValues() ??
+                /globalThis\.crypto\??\.\s*randomUUID/i, // globalThis.crypto.randomUUID
+                /window\.crypto\??\.\s*randomUUID/i, // window.crypto.randomUUID
+                /\?\.\s*randomUUID\s*\(\s*\)\s*\?\?/i, // ?.randomUUID() ??
+                /randomUUID\s*\(\s*\)\s*\?\?.*Math\.random/i, // randomUUID() ?? ...Math.random
+            ];
+            if (fallbackPatterns.some(p => p.test(line))) {
+                return false; // Don't flag - Math.random is only a fallback for missing crypto API
+            }
+            // Only flag if it looks like it's being used for security
+            const securityContexts = [
+                /token/i, /secret/i, /key/i, /password/i, /salt/i,
+                /nonce/i, /iv/i, /random.*id/i, /uuid/i, /session/i,
+            ];
+            return securityContexts.some(ctx => ctx.test(line));
+        },
+    },
+    // Weak key derivation
+    {
+        pattern: /pbkdf2.*iterations?\s*[=:]\s*(\d+)/gi,
+        name: 'Weak PBKDF2 Iterations',
+        severity: 'medium',
+        description: 'PBKDF2 with low iteration count is vulnerable to brute force attacks',
+        fix: 'Use at least 100,000 iterations for PBKDF2, or switch to Argon2.',
+        contextCheck: (line, match) => {
+            const iterations = parseInt(match[1], 10);
+            return iterations < 10000;
+        },
+    },
+    // Weak bcrypt rounds
+    {
+        pattern: /bcrypt\.hash\s*\([^,]+,\s*(\d+)/gi,
+        name: 'Weak bcrypt Rounds',
+        severity: 'medium',
+        description: 'bcrypt with low cost factor is vulnerable to brute force attacks',
+        fix: 'Use at least 10 rounds for bcrypt (12 recommended).',
+        contextCheck: (line, match) => {
+            const rounds = parseInt(match[1], 10);
+            return rounds < 10;
+        },
+    },
+    // ECB mode (insecure)
+    {
+        pattern: /['"]aes-\d+-ecb['"]/gi,
+        name: 'AES ECB Mode',
+        severity: 'high',
+        description: 'ECB mode is insecure as it does not provide semantic security',
+        fix: 'Use AES-GCM or AES-CBC with proper IV handling.',
+    },
+    // Deprecated createCipher (no IV)
+    {
+        pattern: /createCipher\s*\(/g,
+        name: 'Deprecated createCipher',
+        severity: 'high',
+        description: 'createCipher is deprecated and does not use an IV, making it insecure',
+        fix: 'Use createCipheriv() with a random IV instead.',
+    },
+    // Hardcoded encryption keys
+    {
+        pattern: /(?:encryption|cipher|aes)[_-]?key\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
+        name: 'Hardcoded Encryption Key',
+        severity: 'critical',
+        description: 'Encryption key is hardcoded in source code',
+        fix: 'Store encryption keys in environment variables or a secure key management system.',
+    },
+    // Hardcoded IVs
+    {
+        pattern: /\biv\s*[=:]\s*['"][a-zA-Z0-9+/=]{16,}['"]/gi,
+        name: 'Hardcoded IV',
+        severity: 'high',
+        description: 'Initialization vector (IV) should be random for each encryption operation',
+        fix: 'Generate a random IV using crypto.randomBytes() for each encryption.',
+    },
+];
+// Check if line is a comment
+function isComment(lineContent) {
+    const trimmed = lineContent.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+// Check if this is a Python file
+function isPythonFile(filePath) {
+    return /\.py$/i.test(filePath);
+}
+/**
+ * Check if Python's usedforsecurity=False flag is present
+ * Python 3.9+ allows explicitly marking hash usage as non-security
+ * Example: hashlib.md5(data, usedforsecurity=False)
+ */
+function hasUsedForSecurityFalse(line) {
+    return /usedforsecurity\s*=\s*False/i.test(line);
+}
+// Check if line is a pattern definition (regex or string literal in detector code)
+function isPatternDefinition(lineContent) {
+    const trimmed = lineContent.trim();
+    // Pattern definitions typically look like:
+    // pattern: /regex/
+    // name: 'string'
+    // description: 'string'
+    // fix: 'string'
+    return (trimmed.startsWith('pattern:') ||
+        trimmed.startsWith('name:') ||
+        trimmed.startsWith('description:') ||
+        trimmed.startsWith('fix:') ||
+        // Also check for object property assignments with these names
+        /^\s*(pattern|name|description|fix|severity)\s*:/.test(lineContent));
+}
+// Check if file is part of the scanner's own detection code
+function isScannerDetectorFile(filePath) {
+    return (filePath.includes('scanner/src/layer1/') ||
+        filePath.includes('scanner/src/layer2/') ||
+        filePath.includes('scanner/src/layer3/') ||
+        filePath.includes('/lib/scanner/layer1/') ||
+        filePath.includes('/lib/scanner/layer2/') ||
+        filePath.includes('/lib/scanner/layer3/'));
+}
+// Check if file is a test file or fixture
+function isTestOrFixtureFile(filePath) {
+    const lowerPath = filePath.toLowerCase();
+    return (lowerPath.includes('__tests__') ||
+        lowerPath.includes('__mocks__') ||
+        lowerPath.includes('/test/') ||
+        lowerPath.includes('/tests/') ||
+        lowerPath.includes('/fixtures/') ||
+        lowerPath.includes('/fixture/') ||
+        lowerPath.includes('.test.') ||
+        lowerPath.includes('.spec.') ||
+        lowerPath.includes('-test.') ||
+        lowerPath.includes('-spec.') ||
+        lowerPath.includes('benchmark'));
+}
+// Check if file is a locale/translation file
+function isLocaleFile(filePath) {
+    const lowerPath = filePath.toLowerCase();
+    return (lowerPath.includes('/locales/') ||
+        lowerPath.includes('/locale/') ||
+        lowerPath.includes('/translations/') ||
+        lowerPath.includes('/i18n/') ||
+        lowerPath.includes('/lang/') ||
+        lowerPath.includes('/languages/') ||
+        // Common locale file patterns
+        /\/(en|fr|de|es|it|pt|ja|ko|zh|ru|ar|nl|pl|tr|vi|th|id|ms|fil|hi|bn|ta|te|ml|kn|gu|mr|pa|ur|sw|am|or|si|ne|km|my|lo|ka|mk|sr|hr|sl|sk|cs|hu|ro|bg|uk|el|he|fa|ps|ku|ug|yi|mn|bo|dz|dv)[-_][a-z]{2,}\.json$/i.test(lowerPath) ||
+        /locale.*\.json$/i.test(lowerPath));
+}
+/**
+ * Find the enclosing function name for a given line
+ */
+function findEnclosingFunctionName(lines, lineIndex) {
+    // Look backwards for function declaration
+    for (let i = lineIndex; i >= 0 && i >= lineIndex - 20; i--) {
+        const line = lines[i];
+        // Match function declarations: function name(), const name = (), async function name()
+        const funcMatch = line.match(/(?:function\s+|const\s+|let\s+|var\s+)(\w+)\s*(?:=\s*(?:async\s*)?\(|=\s*(?:async\s+)?function|\()/);
+        if (funcMatch) {
+            return funcMatch[1];
+        }
+        // Match method declarations: name() { or name: function()
+        const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/);
+        if (methodMatch) {
+            return methodMatch[1];
+        }
+    }
+    return undefined;
+}
+function detectWeakCrypto(content, filePath, options) {
+    const vulnerabilities = [];
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    // Skip scanner's own detector files to avoid self-detection
+    if (isScannerDetectorFile(filePath)) {
+        return vulnerabilities;
+    }
+    // Skip test files and fixtures (intentional vulnerable code for testing)
+    if (isTestOrFixtureFile(filePath)) {
+        return vulnerabilities;
+    }
+    // Skip locale/translation files (natural language text, not crypto code)
+    if (isLocaleFile(filePath)) {
+        return vulnerabilities;
+    }
+    const isPython = isPythonFile(filePath);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Skip comments
+        if (isComment(line))
+            continue;
+        // Skip pattern definitions (detector rule definitions)
+        if (isPatternDefinition(line))
+            continue;
+        // Skip Python code with usedforsecurity=False flag
+        // Python 3.9+ allows explicitly marking non-security hash usage
+        if (isPython && hasUsedForSecurityFalse(line)) {
+            continue;
+        }
+        for (const cryptoPattern of WEAK_CRYPTO_PATTERNS) {
+            const { pattern, name, severity, description, fix, contextCheck } = cryptoPattern;
+            // Reset regex state
+            const regex = new RegExp(pattern.source, pattern.flags);
+            const match = regex.exec(line);
+            if (match) {
+                // Special handling for Math.random - check multi-line fallback patterns
+                if (name === 'Math.random() for Security') {
+                    // Check previous 2 lines for crypto.randomUUID fallback pattern
+                    // Pattern: crypto?.randomUUID?.() ?? `...${Math.random()}...`
+                    const prevLines = lines.slice(Math.max(0, i - 2), i + 1).join(' ');
+                    const multiLineFallbackPatterns = [
+                        /crypto\??\.?\s*randomUUID\??\s*\(\s*\)\s*\?\?/i, // crypto.randomUUID() ??
+                        /globalThis\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i, // globalThis.crypto?.randomUUID?.()
+                        /window\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i, // window.crypto?.randomUUID?.()
+                        /\?\.\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i, // ?.randomUUID?.() ??
+                        /crypto\??\.?\s*getRandomValues\s*\(/i, // crypto.getRandomValues()
+                        /randomUUID\??\.?\s*\(\s*\)\s*\?\?/i, // randomUUID?.() ?? (generic)
+                    ];
+                    if (multiLineFallbackPatterns.some(p => p.test(prevLines))) {
+                        continue; // Skip - Math.random is only a fallback for missing crypto API
+                    }
+                }
+                // If there's a context check, apply it
+                // Pass function name for additional context
+                const funcName = findEnclosingFunctionName(lines, i);
+                if (contextCheck && !contextCheck(line, match, funcName)) {
+                    continue;
+                }
+                vulnerabilities.push({
+                    id: `weak-crypto-${filePath}-${i + 1}-${name}`,
+                    filePath,
+                    lineNumber: i + 1,
+                    lineContent: line.trim(),
+                    severity,
+                    category: 'weak_crypto',
+                    title: name,
+                    description,
+                    suggestedFix: fix,
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 1,
+                    source: 'secrets',
+                });
+                break; // Only report one crypto issue per line
+            }
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=weak-crypto.js.map

package/dist/detect/secrets/weak-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-crypto.js","sourceRoot":"","sources":["../../../src/detect/secrets/weak-crypto.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAmYH,4CA8FC;AA5dD,iDAAiD;AACjD,MAAM,eAAe,GAAG,IAAI,CAAA;AAE5B,yCAAyC;AACzC,MAAM,oBAAoB,GAAG;IAC3B,uBAAuB;IACvB;QACE,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,8EAA8E;QAC3F,GAAG,EAAE,iFAAiF;QACtF,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,0EAA0E;YAC1E,oEAAoE;YACpE,MAAM,gBAAgB,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,CAAC,CAAA;YACjI,MAAM,gBAAgB,GAAG;gBACvB,WAAW;gBACX,aAAa;gBACb,aAAa;gBACb,OAAO;gBACP,gBAAgB;gBAChB,YAAY;gBACZ,SAAS;gBACT,cAAc;gBACd,aAAa;gBACb,QAAQ;gBACR,WAAW;gBACX,YAAY;gBACZ,WAAW,EAAS,sCAAsC;gBAC1D,SAAS,EAAW,4BAA4B;gBAChD,OAAO,EAAa,eAAe;gBACnC,QAAQ,EAAY,uBAAuB;gBAC3C,SAAS,EAAW,uBAAuB;gBAC3C,SAAS,EAAW,iBAAiB;gBACrC,QAAQ,EAAY,wBAAwB;gBAC5C,WAAW,EAAS,mBAAmB;aACxC,CAAA;YAED,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAClE,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAElE,iDAAiD;YACjD,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5C,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;KACF;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,8EAA8E;QAC3F,GAAG,EAAE,iEAAiE;QACtE,YAAY,EAAE,CAAC,IAAY,EAAE,MAAwB,EAAE,QAAiB,EAAE,EAAE;YAC1E,+DAA+D;YAC/D,MAAM,kBAAkB,GAAG;gBACzB,WAAW;gBACX,OAAO;gBACP,gBAAgB;gBAChB,aAAa;gBACb,YAAY;gBACZ,SAAS;gBACT,cAAc;gBACd,eAAe;gBACf,QAAQ;gBACR,QAAQ;gBACR,WAAW;gBACX,SAAS;gBACT,QAAQ;gBACR,SAAS;gBACT,QAAQ;gBACR,WAAW;gBACX,SAAS;aACV,CAAA;YACD,MAAM,kBAAkB,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,OAAO,CAAC,CAAA;YAE3H,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;YAE3D,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YACpE,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAEpE,iEAAiE;YACjE,IAAI,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC9B,OAAO,KAAK,CAAA;YACd,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;KACF;IACD;QACE,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,wDAAwD;QACrE,GAAG,EAAE,mCAAmC;KACzC;IACD;QACE,OAAO,EAAE,uCAAuC;QAChD,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,wDAAwD;QACrE,GAAG,EAAE,iEAAiE;KACvE;IAED,6BAA6B;IAC7B;QACE,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,qDAAqD;QAClE,GAAG,EAAE,2CAA2C;QAChD,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,kEAAkE;YAClE,2DAA2D;YAC3D,MAAM,cAAc,GAAG;gBACrB,SAAS;gBACT,UAAU;gBACV,UAAU;gBACV,SAAS;gBACT,YAAY;gBACZ,eAAe;gBACf,eAAe,EAAS,gDAAgD;gBACxE,cAAc,EAAU,wBAAwB;gBAChD,UAAU,EAAc,yBAAyB;gBACjD,UAAU,EAAc,aAAa;aACtC,CAAA;YACD,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACnD,CAAC;KACF;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,mCAAmC;QAChD,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;QACrD,GAAG,EAAE,2CAA2C;KACjD;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,wCAAwC;QACrD,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,6EAA6E;QAC1F,GAAG,EAAE,2CAA2C;KACjD;IAED,oCAAoC;IACpC;QACE,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,4FAA4F;QACzG,GAAG,EAAE,oFAAoF;QACzF,YAAY,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,0EAA0E;YAC1E,iEAAiE;YACjE,MAAM,qBAAqB,GAAG;gBAC5B,4CAA4C,EAAS,iBAAiB;gBACtE,4CAA4C,EAAS,mCAAmC;gBACxF,0CAA0C,EAAW,oBAAoB;gBACzE,wCAAwC,EAAa,iCAAiC;gBACtF,+DAA+D,EAAG,yCAAyC;gBAC3G,+DAA+D,EAAG,2CAA2C;gBAC7G,uCAAuC,EAAc,oCAAoC;gBACzF,8CAA8C,EAAO,qCAAqC;gBAC1F,oCAAoC,EAAkB,0BAA0B;aACjF,CAAA;YAED,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBAClD,OAAO,KAAK,CAAA,CAAE,oDAAoD;YACpE,CAAC;YAED,+DAA+D;YAC/D,6FAA6F;YAC7F,MAAM,gBAAgB,GAAG;gBACvB,4CAA4C,EAAM,yBAAyB;gBAC3E,mDAAmD,EAAE,8BAA8B;gBACnF,uCAAuC,EAAW,+BAA+B;gBACjF,mCAAmC,EAAe,2BAA2B;gBAC7E,qCAAqC,EAAa,oBAAoB;gBACtE,4CAA4C,EAAM,iCAAiC;aACpF,CAAA;YAED,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC7C,OAAO,KAAK,CAAA,CAAE,qEAAqE;YACrF,CAAC;YAED,0DAA0D;YAC1D,MAAM,gBAAgB,GAAG;gBACvB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO;gBACjD,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU;aACpD,CAAA;YACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QACrD,CAAC;KACF;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,sEAAsE;QACnF,GAAG,EAAE,kEAAkE;QACvE,YAAY,EAAE,CAAC,IAAY,EAAE,KAAuB,EAAE,EAAE;YACtD,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACzC,OAAO,UAAU,GAAG,KAAK,CAAA;QAC3B,CAAC;KACF;IAED,qBAAqB;IACrB;QACE,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,kEAAkE;QAC/E,GAAG,EAAE,qDAAqD;QAC1D,YAAY,EAAE,CAAC,IAAY,EAAE,KAAuB,EAAE,EAAE;YACtD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACrC,OAAO,MAAM,GAAG,EAAE,CAAA;QACpB,CAAC;KACF;IAED,sBAAsB;IACtB;QACE,OAAO,EAAE,uBAAuB;QAChC,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,+DAA+D;QAC5E,GAAG,EAAE,iDAAiD;KACvD;IAED,kCAAkC;IAClC;QACE,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,uEAAuE;QACpF,GAAG,EAAE,gDAAgD;KACtD;IAED,4BAA4B;IAC5B;QACE,OAAO,EAAE,0EAA0E;QACnF,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAmB;QAC7B,WAAW,EAAE,4CAA4C;QACzD,GAAG,EAAE,mFAAmF;KACzF;IAED,gBAAgB;IAChB;QACE,OAAO,EAAE,6CAA6C;QACtD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,MAAe;QACzB,WAAW,EAAE,2EAA2E;QACxF,GAAG,EAAE,sEAAsE;KAC5E;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,WAAmB;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,iCAAiC;AACjC,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAChC,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAClD,CAAC;AAED,mFAAmF;AACnF,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAA;IAClC,2CAA2C;IAC3C,mBAAmB;IACnB,iBAAiB;IACjB,wBAAwB;IACxB,gBAAgB;IAChB,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAC3B,OAAO,CAAC,UAAU,CAAC,cAAc,CAAC;QAClC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1B,8DAA8D;QAC9D,iDAAiD,CAAC,IAAI,CAAC,WAAW,CAAC,CACpE,CAAA;AACH,CAAC;AAED,4DAA4D;AAC5D,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,OAAO,CACL,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACxC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACzC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACzC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAC1C,CAAA;AACH,CAAC;AAED,0CAA0C;AAC1C,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;QAChC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAChC,CAAA;AACH,CAAC;AAED,6CAA6C;AAC7C,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC9B,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QACpC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;QACjC,8BAA8B;QAC9B,4MAA4M,CAAC,IAAI,CAAC,SAAS,CAAC;QAC5N,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CACnC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAAC,KAAe,EAAE,SAAiB;IACnE,0CAA0C;IAC1C,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3D,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,uFAAuF;QACvF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,oGAAoG,CAAC,CAAA;QAClI,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC,CAAC,CAAC,CAAA;QACrB,CAAC;QACD,0DAA0D;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAA;QACzE,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC,CAAC,CAAC,CAAA;QACvB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAgB,gBAAgB,CAC9B,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,4DAA4D;IAC5D,IAAI,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,yEAAyE;IACzE,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,yEAAyE;IACzE,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAA;IAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,uDAAuD;QACvD,IAAI,mBAAmB,CAAC,IAAI,CAAC;YAAE,SAAQ;QAEvC,mDAAmD;QACnD,gEAAgE;QAChE,IAAI,QAAQ,IAAI,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,SAAQ;QACV,CAAC;QAED,KAAK,MAAM,aAAa,IAAI,oBAAoB,EAAE,CAAC;YACjD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,aAAa,CAAA;YAEjF,oBAAoB;YACpB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;YACvD,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAE9B,IAAI,KAAK,EAAE,CAAC;gBACV,wEAAwE;gBACxE,IAAI,IAAI,KAAK,4BAA4B,EAAE,CAAC;oBAC1C,gEAAgE;oBAChE,8DAA8D;oBAC9D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAClE,MAAM,yBAAyB,GAAG;wBAChC,gDAAgD,EAAU,yBAAyB;wBACnF,mDAAmD,EAAO,oCAAoC;wBAC9F,+CAA+C,EAAW,gCAAgC;wBAC1F,2CAA2C,EAAe,sBAAsB;wBAChF,sCAAsC,EAAqB,2BAA2B;wBACtF,oCAAoC,EAAuB,8BAA8B;qBAC1F,CAAA;oBACD,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;wBAC3D,SAAQ,CAAE,+DAA+D;oBAC3E,CAAC;gBACH,CAAC;gBAED,uCAAuC;gBACvC,4CAA4C;gBAC5C,MAAM,QAAQ,GAAG,yBAAyB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;gBACpD,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACzD,SAAQ;gBACV,CAAC;gBAED,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,eAAe,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE;oBAC9C,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ;oBACR,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,IAAI;oBACX,WAAW;oBACX,YAAY,EAAE,GAAG;oBACjB,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,SAAkB;iBACzB,CAAC,CAAA;gBACF,MAAK,CAAC,wCAAwC;YAChD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/auth-patterns.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Layer 2: Authentication Anti-Pattern Detection
+ * Identifies weak or missing authentication/authorization patterns
+ *
+ * Key improvements:
+ * - Respects global middleware protection (caps severity at info)
+ * - Detects throwing auth helpers and suppresses redundant null checks
+ * - Properly classifies public endpoints
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+import type { MiddlewareAuthConfig } from '../../model/middleware-detector';
+import type { AuthHelperContext } from '../../model/auth-helper-detector';
+import type { FileAuthImports } from '../../model/imported-auth-detector';
+export interface AuthAntipatternOptions {
+    middlewareConfig?: MiddlewareAuthConfig;
+    authHelpers?: AuthHelperContext;
+    fileAuthImports?: Map<string, FileAuthImports>;
+    parsed?: ParsedFile;
+}
+export declare function detectAuthAntipatterns(content: string, filePath: string, options?: AuthAntipatternOptions): Vulnerability[];
+//# sourceMappingURL=auth-patterns.d.ts.map

package/dist/detect/structural/auth-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-patterns.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/auth-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,oBAAoB,CAAA;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAA;AAE3E,OAAO,KAAK,EAAc,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AAErF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAA;AAkWzE,MAAM,WAAW,sBAAsB;IACrC,gBAAgB,CAAC,EAAE,oBAAoB,CAAA;IACvC,WAAW,CAAC,EAAE,iBAAiB,CAAA;IAC/B,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;IAC9C,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,aAAa,EAAE,CA+OjB"}