@oculum/scanner 1.0.12 → 1.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/agent-tools.d.ts +22 -0
- package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
- package/dist/detect/ai-code/agent-tools.js +1509 -0
- package/dist/detect/ai-code/agent-tools.js.map +1 -0
- package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
- package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
- package/dist/detect/ai-code/byok-patterns.js +313 -0
- package/dist/detect/ai-code/byok-patterns.js.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.js +349 -0
- package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
- package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
- package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
- package/dist/detect/ai-code/execution-sinks.js +1158 -0
- package/dist/detect/ai-code/execution-sinks.js.map +1 -0
- package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
- package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
- package/dist/detect/ai-code/fingerprinting.js +665 -0
- package/dist/detect/ai-code/fingerprinting.js.map +1 -0
- package/dist/detect/ai-code/index.d.ts +12 -0
- package/dist/detect/ai-code/index.d.ts.map +1 -0
- package/dist/detect/ai-code/index.js +26 -0
- package/dist/detect/ai-code/index.js.map +1 -0
- package/dist/detect/ai-code/mcp-security.d.ts +20 -0
- package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
- package/dist/detect/ai-code/mcp-security.js +880 -0
- package/dist/detect/ai-code/mcp-security.js.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.js +447 -0
- package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
- package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
- package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
- package/dist/detect/ai-code/package-hallucination.js +841 -0
- package/dist/detect/ai-code/package-hallucination.js.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
- package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
- package/dist/detect/ai-code/rag-safety.d.ts +24 -0
- package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
- package/dist/detect/ai-code/rag-safety.js +913 -0
- package/dist/detect/ai-code/rag-safety.js.map +1 -0
- package/dist/detect/ai-code/schema-validation.d.ts +28 -0
- package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
- package/dist/detect/ai-code/schema-validation.js +378 -0
- package/dist/detect/ai-code/schema-validation.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts +27 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
- package/dist/detect/config/agent-skill-injection.js +472 -0
- package/dist/detect/config/agent-skill-injection.js.map +1 -0
- package/dist/detect/config/comments.d.ts +11 -0
- package/dist/detect/config/comments.d.ts.map +1 -0
- package/dist/detect/config/comments.js +206 -0
- package/dist/detect/config/comments.js.map +1 -0
- package/dist/detect/config/file-flags.d.ts +10 -0
- package/dist/detect/config/file-flags.d.ts.map +1 -0
- package/dist/detect/config/file-flags.js +124 -0
- package/dist/detect/config/file-flags.js.map +1 -0
- package/dist/detect/config/index.d.ts +7 -0
- package/dist/detect/config/index.d.ts.map +1 -0
- package/dist/detect/config/index.js +17 -0
- package/dist/detect/config/index.js.map +1 -0
- package/dist/detect/config/osv-check.d.ts +75 -0
- package/dist/detect/config/osv-check.d.ts.map +1 -0
- package/dist/detect/config/osv-check.js +309 -0
- package/dist/detect/config/osv-check.js.map +1 -0
- package/dist/detect/config/package-check.d.ts +63 -0
- package/dist/detect/config/package-check.d.ts.map +1 -0
- package/dist/detect/config/package-check.js +509 -0
- package/dist/detect/config/package-check.js.map +1 -0
- package/dist/detect/config/urls.d.ts +11 -0
- package/dist/detect/config/urls.d.ts.map +1 -0
- package/dist/detect/config/urls.js +450 -0
- package/dist/detect/config/urls.js.map +1 -0
- package/dist/detect/index.d.ts +37 -0
- package/dist/detect/index.d.ts.map +1 -0
- package/dist/detect/index.js +77 -0
- package/dist/detect/index.js.map +1 -0
- package/dist/detect/secrets/config-audit.d.ts +11 -0
- package/dist/detect/secrets/config-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-audit.js +315 -0
- package/dist/detect/secrets/config-audit.js.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.js +243 -0
- package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
- package/dist/detect/secrets/entropy.d.ts +11 -0
- package/dist/detect/secrets/entropy.d.ts.map +1 -0
- package/dist/detect/secrets/entropy.js +751 -0
- package/dist/detect/secrets/entropy.js.map +1 -0
- package/dist/detect/secrets/index.d.ts +36 -0
- package/dist/detect/secrets/index.d.ts.map +1 -0
- package/dist/detect/secrets/index.js +174 -0
- package/dist/detect/secrets/index.js.map +1 -0
- package/dist/detect/secrets/patterns.d.ts +11 -0
- package/dist/detect/secrets/patterns.d.ts.map +1 -0
- package/dist/detect/secrets/patterns.js +518 -0
- package/dist/detect/secrets/patterns.js.map +1 -0
- package/dist/detect/secrets/weak-crypto.d.ts +10 -0
- package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
- package/dist/detect/secrets/weak-crypto.js +432 -0
- package/dist/detect/secrets/weak-crypto.js.map +1 -0
- package/dist/detect/structural/auth-patterns.d.ts +22 -0
- package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
- package/dist/detect/structural/auth-patterns.js +533 -0
- package/dist/detect/structural/auth-patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
- package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.js +1193 -0
- package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
- package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
- package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/detect/structural/data-exposure.d.ts +19 -0
- package/dist/detect/structural/data-exposure.d.ts.map +1 -0
- package/dist/detect/structural/data-exposure.js +262 -0
- package/dist/detect/structural/data-exposure.js.map +1 -0
- package/dist/detect/structural/framework-checks.d.ts +10 -0
- package/dist/detect/structural/framework-checks.d.ts.map +1 -0
- package/dist/detect/structural/framework-checks.js +389 -0
- package/dist/detect/structural/framework-checks.js.map +1 -0
- package/dist/detect/structural/index.d.ts +71 -0
- package/dist/detect/structural/index.d.ts.map +1 -0
- package/dist/detect/structural/index.js +510 -0
- package/dist/detect/structural/index.js.map +1 -0
- package/dist/detect/structural/log-injection.d.ts +18 -0
- package/dist/detect/structural/log-injection.d.ts.map +1 -0
- package/dist/detect/structural/log-injection.js +217 -0
- package/dist/detect/structural/log-injection.js.map +1 -0
- package/dist/detect/structural/logic-gates.d.ts +10 -0
- package/dist/detect/structural/logic-gates.d.ts.map +1 -0
- package/dist/detect/structural/logic-gates.js +227 -0
- package/dist/detect/structural/logic-gates.js.map +1 -0
- package/dist/detect/structural/risky-imports.d.ts +10 -0
- package/dist/detect/structural/risky-imports.d.ts.map +1 -0
- package/dist/detect/structural/risky-imports.js +168 -0
- package/dist/detect/structural/risky-imports.js.map +1 -0
- package/dist/detect/structural/security-headers.d.ts +18 -0
- package/dist/detect/structural/security-headers.d.ts.map +1 -0
- package/dist/detect/structural/security-headers.js +196 -0
- package/dist/detect/structural/security-headers.js.map +1 -0
- package/dist/detect/structural/ssrf-detection.d.ts +18 -0
- package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
- package/dist/detect/structural/ssrf-detection.js +263 -0
- package/dist/detect/structural/ssrf-detection.js.map +1 -0
- package/dist/detect/structural/variables.d.ts +11 -0
- package/dist/detect/structural/variables.d.ts.map +1 -0
- package/dist/detect/structural/variables.js +159 -0
- package/dist/detect/structural/variables.js.map +1 -0
- package/dist/detect/structural/xxe-detection.d.ts +18 -0
- package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
- package/dist/detect/structural/xxe-detection.js +245 -0
- package/dist/detect/structural/xxe-detection.js.map +1 -0
- package/dist/index.d.ts +17 -64
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +49 -1034
- package/dist/index.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +1 -8
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +4 -0
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +50 -1
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/log-injection.d.ts +18 -0
- package/dist/layer2/log-injection.d.ts.map +1 -0
- package/dist/layer2/log-injection.js +214 -0
- package/dist/layer2/log-injection.js.map +1 -0
- package/dist/layer2/security-headers.d.ts +18 -0
- package/dist/layer2/security-headers.d.ts.map +1 -0
- package/dist/layer2/security-headers.js +187 -0
- package/dist/layer2/security-headers.js.map +1 -0
- package/dist/layer2/ssrf-detection.d.ts +18 -0
- package/dist/layer2/ssrf-detection.d.ts.map +1 -0
- package/dist/layer2/ssrf-detection.js +252 -0
- package/dist/layer2/ssrf-detection.js.map +1 -0
- package/dist/layer2/xxe-detection.d.ts +18 -0
- package/dist/layer2/xxe-detection.d.ts.map +1 -0
- package/dist/layer2/xxe-detection.js +242 -0
- package/dist/layer2/xxe-detection.js.map +1 -0
- package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/index.js +3 -1
- package/dist/layer3/anthropic/prompts/index.js.map +1 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
- package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
- package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/validation.js +14 -410
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.js +6 -3
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/openai.js +6 -3
- package/dist/layer3/anthropic/providers/openai.js.map +1 -1
- package/dist/layer3/anthropic/request-builder.d.ts +11 -4
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
- package/dist/layer3/anthropic/request-builder.js +32 -16
- package/dist/layer3/anthropic/request-builder.js.map +1 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
- package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +2 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/utils/index.js +4 -1
- package/dist/layer3/anthropic/utils/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts +56 -0
- package/dist/model/auth-helper-detector.d.ts.map +1 -0
- package/dist/model/auth-helper-detector.js +360 -0
- package/dist/model/auth-helper-detector.js.map +1 -0
- package/dist/model/cross-file-taint.d.ts +40 -0
- package/dist/model/cross-file-taint.d.ts.map +1 -0
- package/dist/model/cross-file-taint.js +290 -0
- package/dist/model/cross-file-taint.js.map +1 -0
- package/dist/model/framework-models/django.d.ts +9 -0
- package/dist/model/framework-models/django.d.ts.map +1 -0
- package/dist/model/framework-models/django.js +82 -0
- package/dist/model/framework-models/django.js.map +1 -0
- package/dist/model/framework-models/express.d.ts +9 -0
- package/dist/model/framework-models/express.d.ts.map +1 -0
- package/dist/model/framework-models/express.js +52 -0
- package/dist/model/framework-models/express.js.map +1 -0
- package/dist/model/framework-models/index.d.ts +20 -0
- package/dist/model/framework-models/index.d.ts.map +1 -0
- package/dist/model/framework-models/index.js +102 -0
- package/dist/model/framework-models/index.js.map +1 -0
- package/dist/model/framework-models/nextjs.d.ts +9 -0
- package/dist/model/framework-models/nextjs.d.ts.map +1 -0
- package/dist/model/framework-models/nextjs.js +71 -0
- package/dist/model/framework-models/nextjs.js.map +1 -0
- package/dist/model/framework-models/prisma.d.ts +10 -0
- package/dist/model/framework-models/prisma.d.ts.map +1 -0
- package/dist/model/framework-models/prisma.js +54 -0
- package/dist/model/framework-models/prisma.js.map +1 -0
- package/dist/model/framework-models/react.d.ts +9 -0
- package/dist/model/framework-models/react.d.ts.map +1 -0
- package/dist/model/framework-models/react.js +67 -0
- package/dist/model/framework-models/react.js.map +1 -0
- package/dist/model/framework-models/sequelize.d.ts +9 -0
- package/dist/model/framework-models/sequelize.d.ts.map +1 -0
- package/dist/model/framework-models/sequelize.js +62 -0
- package/dist/model/framework-models/sequelize.js.map +1 -0
- package/dist/model/framework-models/types.d.ts +43 -0
- package/dist/model/framework-models/types.d.ts.map +1 -0
- package/dist/model/framework-models/types.js +10 -0
- package/dist/model/framework-models/types.js.map +1 -0
- package/dist/model/function-classifier.d.ts +32 -0
- package/dist/model/function-classifier.d.ts.map +1 -0
- package/dist/model/function-classifier.js +143 -0
- package/dist/model/function-classifier.js.map +1 -0
- package/dist/model/import-resolver.d.ts +45 -0
- package/dist/model/import-resolver.d.ts.map +1 -0
- package/dist/model/import-resolver.js +410 -0
- package/dist/model/import-resolver.js.map +1 -0
- package/dist/model/imported-auth-detector.d.ts +38 -0
- package/dist/model/imported-auth-detector.d.ts.map +1 -0
- package/dist/model/imported-auth-detector.js +199 -0
- package/dist/model/imported-auth-detector.js.map +1 -0
- package/dist/model/index.d.ts +63 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +272 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware-detector.d.ts +55 -0
- package/dist/model/middleware-detector.d.ts.map +1 -0
- package/dist/model/middleware-detector.js +382 -0
- package/dist/model/middleware-detector.js.map +1 -0
- package/dist/model/module-graph.d.ts +46 -0
- package/dist/model/module-graph.d.ts.map +1 -0
- package/dist/model/module-graph.js +187 -0
- package/dist/model/module-graph.js.map +1 -0
- package/dist/model/oauth-flow-detector.d.ts +41 -0
- package/dist/model/oauth-flow-detector.d.ts.map +1 -0
- package/dist/model/oauth-flow-detector.js +202 -0
- package/dist/model/oauth-flow-detector.js.map +1 -0
- package/dist/model/project-context.d.ts +119 -0
- package/dist/model/project-context.d.ts.map +1 -0
- package/dist/model/project-context.js +534 -0
- package/dist/model/project-context.js.map +1 -0
- package/dist/model/route-auth-resolver.d.ts +27 -0
- package/dist/model/route-auth-resolver.d.ts.map +1 -0
- package/dist/model/route-auth-resolver.js +182 -0
- package/dist/model/route-auth-resolver.js.map +1 -0
- package/dist/model/route-discovery/express.d.ts +25 -0
- package/dist/model/route-discovery/express.d.ts.map +1 -0
- package/dist/model/route-discovery/express.js +225 -0
- package/dist/model/route-discovery/express.js.map +1 -0
- package/dist/model/route-discovery/index.d.ts +21 -0
- package/dist/model/route-discovery/index.d.ts.map +1 -0
- package/dist/model/route-discovery/index.js +67 -0
- package/dist/model/route-discovery/index.js.map +1 -0
- package/dist/model/route-discovery/nextjs.d.ts +16 -0
- package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
- package/dist/model/route-discovery/nextjs.js +179 -0
- package/dist/model/route-discovery/nextjs.js.map +1 -0
- package/dist/model/route-discovery/python.d.ts +16 -0
- package/dist/model/route-discovery/python.d.ts.map +1 -0
- package/dist/model/route-discovery/python.js +181 -0
- package/dist/model/route-discovery/python.js.map +1 -0
- package/dist/model/route-discovery/types.d.ts +36 -0
- package/dist/model/route-discovery/types.d.ts.map +1 -0
- package/dist/model/route-discovery/types.js +16 -0
- package/dist/model/route-discovery/types.js.map +1 -0
- package/dist/model/route-discovery/utils.d.ts +18 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -0
- package/dist/model/route-discovery/utils.js +55 -0
- package/dist/model/route-discovery/utils.js.map +1 -0
- package/dist/model/route-hierarchy.d.ts +50 -0
- package/dist/model/route-hierarchy.d.ts.map +1 -0
- package/dist/model/route-hierarchy.js +226 -0
- package/dist/model/route-hierarchy.js.map +1 -0
- package/dist/model/sanitiser-detection.d.ts +27 -0
- package/dist/model/sanitiser-detection.d.ts.map +1 -0
- package/dist/model/sanitiser-detection.js +224 -0
- package/dist/model/sanitiser-detection.js.map +1 -0
- package/dist/model/sink-matcher.d.ts +17 -0
- package/dist/model/sink-matcher.d.ts.map +1 -0
- package/dist/model/sink-matcher.js +141 -0
- package/dist/model/sink-matcher.js.map +1 -0
- package/dist/model/sink-patterns.d.ts +19 -0
- package/dist/model/sink-patterns.d.ts.map +1 -0
- package/dist/model/sink-patterns.js +88 -0
- package/dist/model/sink-patterns.js.map +1 -0
- package/dist/model/source-discovery.d.ts +15 -0
- package/dist/model/source-discovery.d.ts.map +1 -0
- package/dist/model/source-discovery.js +170 -0
- package/dist/model/source-discovery.js.map +1 -0
- package/dist/model/taint-tracker.d.ts +21 -0
- package/dist/model/taint-tracker.d.ts.map +1 -0
- package/dist/model/taint-tracker.js +281 -0
- package/dist/model/taint-tracker.js.map +1 -0
- package/dist/model/taint-types.d.ts +74 -0
- package/dist/model/taint-types.d.ts.map +1 -0
- package/dist/model/taint-types.js +9 -0
- package/dist/model/taint-types.js.map +1 -0
- package/dist/model/trpc-analyzer.d.ts +78 -0
- package/dist/model/trpc-analyzer.d.ts.map +1 -0
- package/dist/model/trpc-analyzer.js +297 -0
- package/dist/model/trpc-analyzer.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +228 -0
- package/dist/parse/file-classifier.d.ts.map +1 -0
- package/dist/parse/file-classifier.js +933 -0
- package/dist/parse/file-classifier.js.map +1 -0
- package/dist/parse/path-exclusions.d.ts +55 -0
- package/dist/parse/path-exclusions.d.ts.map +1 -0
- package/dist/parse/path-exclusions.js +224 -0
- package/dist/parse/path-exclusions.js.map +1 -0
- package/dist/pipeline/config.d.ts +39 -0
- package/dist/pipeline/config.d.ts.map +1 -0
- package/dist/pipeline/config.js +46 -0
- package/dist/pipeline/config.js.map +1 -0
- package/dist/pipeline/index.d.ts +34 -0
- package/dist/pipeline/index.d.ts.map +1 -0
- package/dist/pipeline/index.js +377 -0
- package/dist/pipeline/index.js.map +1 -0
- package/dist/pipeline/modes/incremental.d.ts +66 -0
- package/dist/pipeline/modes/incremental.d.ts.map +1 -0
- package/dist/pipeline/modes/incremental.js +200 -0
- package/dist/pipeline/modes/incremental.js.map +1 -0
- package/dist/postprocess/aggregation.d.ts +14 -0
- package/dist/postprocess/aggregation.d.ts.map +1 -0
- package/dist/postprocess/aggregation.js +63 -0
- package/dist/postprocess/aggregation.js.map +1 -0
- package/dist/postprocess/contradictions.d.ts +18 -0
- package/dist/postprocess/contradictions.d.ts.map +1 -0
- package/dist/postprocess/contradictions.js +99 -0
- package/dist/postprocess/contradictions.js.map +1 -0
- package/dist/postprocess/dedup.d.ts +13 -0
- package/dist/postprocess/dedup.d.ts.map +1 -0
- package/dist/postprocess/dedup.js +58 -0
- package/dist/postprocess/dedup.js.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.js +100 -0
- package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
- package/dist/postprocess/filtering/index.d.ts +3 -0
- package/dist/postprocess/filtering/index.d.ts.map +1 -0
- package/dist/postprocess/filtering/index.js +8 -0
- package/dist/postprocess/filtering/index.js.map +1 -0
- package/dist/postprocess/filtering/pipeline.d.ts +48 -0
- package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
- package/dist/postprocess/filtering/pipeline.js +76 -0
- package/dist/postprocess/filtering/pipeline.js.map +1 -0
- package/dist/postprocess/index.d.ts +41 -0
- package/dist/postprocess/index.d.ts.map +1 -0
- package/dist/postprocess/index.js +85 -0
- package/dist/postprocess/index.js.map +1 -0
- package/dist/postprocess/suppression/config-loader.d.ts +74 -0
- package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
- package/dist/postprocess/suppression/config-loader.js +424 -0
- package/dist/postprocess/suppression/config-loader.js.map +1 -0
- package/dist/postprocess/suppression/hash.d.ts +48 -0
- package/dist/postprocess/suppression/hash.d.ts.map +1 -0
- package/dist/postprocess/suppression/hash.js +88 -0
- package/dist/postprocess/suppression/hash.js.map +1 -0
- package/dist/postprocess/suppression/index.d.ts +11 -0
- package/dist/postprocess/suppression/index.d.ts.map +1 -0
- package/dist/postprocess/suppression/index.js +39 -0
- package/dist/postprocess/suppression/index.js.map +1 -0
- package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
- package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
- package/dist/postprocess/suppression/inline-parser.js +218 -0
- package/dist/postprocess/suppression/inline-parser.js.map +1 -0
- package/dist/postprocess/suppression/manager.d.ts +94 -0
- package/dist/postprocess/suppression/manager.d.ts.map +1 -0
- package/dist/postprocess/suppression/manager.js +292 -0
- package/dist/postprocess/suppression/manager.js.map +1 -0
- package/dist/postprocess/suppression/types.d.ts +151 -0
- package/dist/postprocess/suppression/types.d.ts.map +1 -0
- package/dist/postprocess/suppression/types.js +28 -0
- package/dist/postprocess/suppression/types.js.map +1 -0
- package/dist/postprocess/validation-cap.d.ts +17 -0
- package/dist/postprocess/validation-cap.d.ts.map +1 -0
- package/dist/postprocess/validation-cap.js +64 -0
- package/dist/postprocess/validation-cap.js.map +1 -0
- package/dist/report/build-result.d.ts +33 -0
- package/dist/report/build-result.d.ts.map +1 -0
- package/dist/report/build-result.js +59 -0
- package/dist/report/build-result.js.map +1 -0
- package/dist/report/enrichment.d.ts +19 -0
- package/dist/report/enrichment.d.ts.map +1 -0
- package/dist/report/enrichment.js +44 -0
- package/dist/report/enrichment.js.map +1 -0
- package/dist/report/formatters/ai-context.d.ts +23 -0
- package/dist/report/formatters/ai-context.d.ts.map +1 -0
- package/dist/report/formatters/ai-context.js +238 -0
- package/dist/report/formatters/ai-context.js.map +1 -0
- package/dist/report/formatters/cli-terminal.d.ts +65 -0
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/report/formatters/cli-terminal.js +735 -0
- package/dist/report/formatters/cli-terminal.js.map +1 -0
- package/dist/report/formatters/github-comment.d.ts +41 -0
- package/dist/report/formatters/github-comment.d.ts.map +1 -0
- package/dist/report/formatters/github-comment.js +370 -0
- package/dist/report/formatters/github-comment.js.map +1 -0
- package/dist/report/formatters/grouping.d.ts +52 -0
- package/dist/report/formatters/grouping.d.ts.map +1 -0
- package/dist/report/formatters/grouping.js +152 -0
- package/dist/report/formatters/grouping.js.map +1 -0
- package/dist/report/formatters/ide/claude-code.d.ts +17 -0
- package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/report/formatters/ide/claude-code.js +94 -0
- package/dist/report/formatters/ide/claude-code.js.map +1 -0
- package/dist/report/formatters/ide/cursor.d.ts +13 -0
- package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/report/formatters/ide/cursor.js +125 -0
- package/dist/report/formatters/ide/cursor.js.map +1 -0
- package/dist/report/formatters/ide/index.d.ts +62 -0
- package/dist/report/formatters/ide/index.d.ts.map +1 -0
- package/dist/report/formatters/ide/index.js +184 -0
- package/dist/report/formatters/ide/index.js.map +1 -0
- package/dist/report/formatters/ide/windsurf.d.ts +13 -0
- package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/report/formatters/ide/windsurf.js +117 -0
- package/dist/report/formatters/ide/windsurf.js.map +1 -0
- package/dist/report/formatters/index.d.ts +11 -0
- package/dist/report/formatters/index.d.ts.map +1 -0
- package/dist/report/formatters/index.js +54 -0
- package/dist/report/formatters/index.js.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.js +151 -0
- package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/report/summary.d.ts +27 -0
- package/dist/report/summary.d.ts.map +1 -0
- package/dist/report/summary.js +57 -0
- package/dist/report/summary.js.map +1 -0
- package/dist/rules/metadata.d.ts.map +1 -1
- package/dist/rules/metadata.js +66 -0
- package/dist/rules/metadata.js.map +1 -1
- package/dist/score/adjustments.d.ts +22 -0
- package/dist/score/adjustments.d.ts.map +1 -0
- package/dist/score/adjustments.js +373 -0
- package/dist/score/adjustments.js.map +1 -0
- package/dist/score/auto-dismiss.d.ts +28 -0
- package/dist/score/auto-dismiss.d.ts.map +1 -0
- package/dist/score/auto-dismiss.js +200 -0
- package/dist/score/auto-dismiss.js.map +1 -0
- package/dist/score/confidence.d.ts +19 -0
- package/dist/score/confidence.d.ts.map +1 -0
- package/dist/score/confidence.js +52 -0
- package/dist/score/confidence.js.map +1 -0
- package/dist/score/index.d.ts +61 -0
- package/dist/score/index.d.ts.map +1 -0
- package/dist/score/index.js +250 -0
- package/dist/score/index.js.map +1 -0
- package/dist/score/types.d.ts +160 -0
- package/dist/score/types.d.ts.map +1 -0
- package/dist/score/types.js +14 -0
- package/dist/score/types.js.map +1 -0
- package/dist/shared/ai-context/index.d.ts +6 -0
- package/dist/shared/ai-context/index.d.ts.map +1 -0
- package/dist/shared/ai-context/index.js +13 -0
- package/dist/shared/ai-context/index.js.map +1 -0
- package/dist/shared/ai-context/manager.d.ts +67 -0
- package/dist/shared/ai-context/manager.d.ts.map +1 -0
- package/dist/shared/ai-context/manager.js +104 -0
- package/dist/shared/ai-context/manager.js.map +1 -0
- package/dist/shared/baseline/diff.d.ts +32 -0
- package/dist/shared/baseline/diff.d.ts.map +1 -0
- package/dist/shared/baseline/diff.js +119 -0
- package/dist/shared/baseline/diff.js.map +1 -0
- package/dist/shared/baseline/index.d.ts +9 -0
- package/dist/shared/baseline/index.d.ts.map +1 -0
- package/dist/shared/baseline/index.js +19 -0
- package/dist/shared/baseline/index.js.map +1 -0
- package/dist/shared/baseline/manager.d.ts +67 -0
- package/dist/shared/baseline/manager.d.ts.map +1 -0
- package/dist/shared/baseline/manager.js +180 -0
- package/dist/shared/baseline/manager.js.map +1 -0
- package/dist/shared/baseline/types.d.ts +91 -0
- package/dist/shared/baseline/types.d.ts.map +1 -0
- package/dist/shared/baseline/types.js +12 -0
- package/dist/shared/baseline/types.js.map +1 -0
- package/dist/shared/category-filter.d.ts +125 -0
- package/dist/shared/category-filter.d.ts.map +1 -0
- package/dist/shared/category-filter.js +360 -0
- package/dist/shared/category-filter.js.map +1 -0
- package/dist/shared/code-analysis.d.ts +39 -0
- package/dist/shared/code-analysis.d.ts.map +1 -0
- package/dist/shared/code-analysis.js +159 -0
- package/dist/shared/code-analysis.js.map +1 -0
- package/dist/shared/comment-analyzer.d.ts +38 -0
- package/dist/shared/comment-analyzer.d.ts.map +1 -0
- package/dist/shared/comment-analyzer.js +218 -0
- package/dist/shared/comment-analyzer.js.map +1 -0
- package/dist/shared/diff-detector.d.ts +53 -0
- package/dist/shared/diff-detector.d.ts.map +1 -0
- package/dist/shared/diff-detector.js +104 -0
- package/dist/shared/diff-detector.js.map +1 -0
- package/dist/shared/diff-parser.d.ts +80 -0
- package/dist/shared/diff-parser.d.ts.map +1 -0
- package/dist/shared/diff-parser.js +202 -0
- package/dist/shared/diff-parser.js.map +1 -0
- package/dist/shared/environment-context.d.ts +76 -0
- package/dist/shared/environment-context.d.ts.map +1 -0
- package/dist/shared/environment-context.js +271 -0
- package/dist/shared/environment-context.js.map +1 -0
- package/dist/shared/intent-detector.d.ts +66 -0
- package/dist/shared/intent-detector.d.ts.map +1 -0
- package/dist/shared/intent-detector.js +282 -0
- package/dist/shared/intent-detector.js.map +1 -0
- package/dist/shared/parsed-file.d.ts +51 -0
- package/dist/shared/parsed-file.d.ts.map +1 -0
- package/dist/shared/parsed-file.js +95 -0
- package/dist/shared/parsed-file.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +93 -0
- package/dist/shared/registry-clients.d.ts.map +1 -0
- package/dist/shared/registry-clients.js +273 -0
- package/dist/shared/registry-clients.js.map +1 -0
- package/dist/shared/rules/framework-fixes.d.ts +48 -0
- package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
- package/dist/shared/rules/framework-fixes.js +439 -0
- package/dist/shared/rules/framework-fixes.js.map +1 -0
- package/dist/shared/rules/index.d.ts +8 -0
- package/dist/shared/rules/index.d.ts.map +1 -0
- package/dist/shared/rules/index.js +18 -0
- package/dist/shared/rules/index.js.map +1 -0
- package/dist/shared/rules/metadata.d.ts +43 -0
- package/dist/shared/rules/metadata.d.ts.map +1 -0
- package/dist/shared/rules/metadata.js +819 -0
- package/dist/shared/rules/metadata.js.map +1 -0
- package/dist/shared/schema-semantics.d.ts +45 -0
- package/dist/shared/schema-semantics.d.ts.map +1 -0
- package/dist/shared/schema-semantics.js +193 -0
- package/dist/shared/schema-semantics.js.map +1 -0
- package/dist/shared/types.d.ts +337 -0
- package/dist/shared/types.d.ts.map +1 -0
- package/dist/shared/types.js +126 -0
- package/dist/shared/types.js.map +1 -0
- package/dist/tiers.d.ts +2 -2
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +10 -0
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +1 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/validate/clients.d.ts +44 -0
- package/dist/validate/clients.d.ts.map +1 -0
- package/dist/validate/clients.js +81 -0
- package/dist/validate/clients.js.map +1 -0
- package/dist/validate/index.d.ts +41 -0
- package/dist/validate/index.d.ts.map +1 -0
- package/dist/validate/index.js +141 -0
- package/dist/validate/index.js.map +1 -0
- package/dist/validate/prompts/index.d.ts +8 -0
- package/dist/validate/prompts/index.d.ts.map +1 -0
- package/dist/validate/prompts/index.js +16 -0
- package/dist/validate/prompts/index.js.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.js +156 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
- package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/validate/prompts/modules/auth-access.js +25 -0
- package/dist/validate/prompts/modules/auth-access.js.map +1 -0
- package/dist/validate/prompts/modules/common.d.ts +11 -0
- package/dist/validate/prompts/modules/common.d.ts.map +1 -0
- package/dist/validate/prompts/modules/common.js +186 -0
- package/dist/validate/prompts/modules/common.js.map +1 -0
- package/dist/validate/prompts/modules/index.d.ts +54 -0
- package/dist/validate/prompts/modules/index.d.ts.map +1 -0
- package/dist/validate/prompts/modules/index.js +186 -0
- package/dist/validate/prompts/modules/index.js.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.js +84 -0
- package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
- package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.js +22 -0
- package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
- package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/validate/prompts/semantic-analysis.js +169 -0
- package/dist/validate/prompts/semantic-analysis.js.map +1 -0
- package/dist/validate/prompts/validation.d.ts +18 -0
- package/dist/validate/prompts/validation.d.ts.map +1 -0
- package/dist/validate/prompts/validation.js +25 -0
- package/dist/validate/prompts/validation.js.map +1 -0
- package/dist/validate/providers/anthropic.d.ts +17 -0
- package/dist/validate/providers/anthropic.d.ts.map +1 -0
- package/dist/validate/providers/anthropic.js +260 -0
- package/dist/validate/providers/anthropic.js.map +1 -0
- package/dist/validate/providers/index.d.ts +8 -0
- package/dist/validate/providers/index.d.ts.map +1 -0
- package/dist/validate/providers/index.js +13 -0
- package/dist/validate/providers/index.js.map +1 -0
- package/dist/validate/providers/openai.d.ts +14 -0
- package/dist/validate/providers/openai.d.ts.map +1 -0
- package/dist/validate/providers/openai.js +336 -0
- package/dist/validate/providers/openai.js.map +1 -0
- package/dist/validate/request-builder.d.ts +61 -0
- package/dist/validate/request-builder.d.ts.map +1 -0
- package/dist/validate/request-builder.js +346 -0
- package/dist/validate/request-builder.js.map +1 -0
- package/dist/validate/types.d.ts +88 -0
- package/dist/validate/types.d.ts.map +1 -0
- package/dist/validate/types.js +38 -0
- package/dist/validate/types.js.map +1 -0
- package/dist/validate/utils/context-extractor.d.ts +55 -0
- package/dist/validate/utils/context-extractor.d.ts.map +1 -0
- package/dist/validate/utils/context-extractor.js +161 -0
- package/dist/validate/utils/context-extractor.js.map +1 -0
- package/dist/validate/utils/index.d.ts +11 -0
- package/dist/validate/utils/index.d.ts.map +1 -0
- package/dist/validate/utils/index.js +27 -0
- package/dist/validate/utils/index.js.map +1 -0
- package/dist/validate/utils/path-helpers.d.ts +21 -0
- package/dist/validate/utils/path-helpers.d.ts.map +1 -0
- package/dist/validate/utils/path-helpers.js +69 -0
- package/dist/validate/utils/path-helpers.js.map +1 -0
- package/dist/validate/utils/response-parser.d.ts +40 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -0
- package/dist/validate/utils/response-parser.js +286 -0
- package/dist/validate/utils/response-parser.js.map +1 -0
- package/dist/validate/utils/retry.d.ts +15 -0
- package/dist/validate/utils/retry.d.ts.map +1 -0
- package/dist/validate/utils/retry.js +62 -0
- package/dist/validate/utils/retry.js.map +1 -0
- package/package.json +8 -7
- package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +15 -0
- package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
- package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
- package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +3 -3
- package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
- package/src/__tests__/benchmark/types.ts +1 -1
- package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
- package/src/__tests__/category-filter.test.ts +2 -2
- package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
- package/src/__tests__/context-engine/framework-models.test.ts +457 -0
- package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
- package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
- package/src/__tests__/context-engine/integration.test.ts +320 -0
- package/src/__tests__/context-engine/module-graph.test.ts +159 -0
- package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
- package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
- package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
- package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
- package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
- package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
- package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
- package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
- package/src/__tests__/regression/known-false-positives.test.ts +312 -4
- package/src/__tests__/score/adjustments.test.ts +385 -0
- package/src/__tests__/score/confidence.test.ts +283 -0
- package/src/__tests__/score/framework-scoring.test.ts +275 -0
- package/src/__tests__/score/route-scoring.test.ts +156 -0
- package/src/__tests__/score/scoring-integration.test.ts +165 -0
- package/src/__tests__/score/taint-adjustments.test.ts +244 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +37 -49
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -3
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +2 -2
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
- package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
- package/src/__tests__/validate/route-annotations.test.ts +138 -0
- package/src/__tests__/validation/analyze-results.ts +1 -1
- package/src/__tests__/validation/extract-for-triage.ts +1 -1
- package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
- package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +23 -3
- package/src/{layer2 → detect/ai-code}/byok-patterns.ts +17 -5
- package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +8 -4
- package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +8 -4
- package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +20 -4
- package/src/detect/ai-code/index.ts +11 -0
- package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +7 -3
- package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +7 -3
- package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +18 -3
- package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +25 -3
- package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +7 -3
- package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +7 -3
- package/src/detect/config/agent-skill-injection.ts +551 -0
- package/src/{layer1 → detect/config}/comments.ts +6 -2
- package/src/{layer1 → detect/config}/file-flags.ts +9 -3
- package/src/detect/config/index.ts +6 -0
- package/src/{layer3 → detect/config}/osv-check.ts +3 -2
- package/src/{layer3 → detect/config}/package-check.ts +3 -2
- package/src/{layer1 → detect/config}/urls.ts +12 -5
- package/src/detect/index.ts +131 -0
- package/src/{layer1 → detect/secrets}/config-audit.ts +7 -2
- package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +8 -3
- package/src/{layer1 → detect/secrets}/entropy.ts +23 -11
- package/src/{layer1 → detect/secrets}/index.ts +31 -30
- package/src/{layer1 → detect/secrets}/patterns.ts +10 -3
- package/src/{layer1 → detect/secrets}/weak-crypto.ts +7 -2
- package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +23 -11
- package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +47 -24
- package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +2 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/utils/control-flow.ts +2 -2
- package/src/{layer2 → detect/structural}/data-exposure.ts +11 -3
- package/src/{layer2 → detect/structural}/framework-checks.ts +10 -11
- package/src/{layer2 → detect/structural}/index.ts +80 -77
- package/src/detect/structural/log-injection.ts +254 -0
- package/src/{layer2 → detect/structural}/logic-gates.ts +13 -5
- package/src/{layer2 → detect/structural}/risky-imports.ts +7 -3
- package/src/detect/structural/security-headers.ts +231 -0
- package/src/detect/structural/ssrf-detection.ts +300 -0
- package/src/{layer2 → detect/structural}/variables.ts +7 -3
- package/src/detect/structural/xxe-detection.ts +295 -0
- package/src/index.ts +39 -1291
- package/src/{utils → model}/auth-helper-detector.ts +1 -1
- package/src/model/cross-file-taint.ts +374 -0
- package/src/model/framework-models/django.ts +82 -0
- package/src/model/framework-models/express.ts +54 -0
- package/src/model/framework-models/index.ts +116 -0
- package/src/model/framework-models/nextjs.ts +69 -0
- package/src/model/framework-models/prisma.ts +57 -0
- package/src/model/framework-models/react.ts +63 -0
- package/src/model/framework-models/sequelize.ts +63 -0
- package/src/model/framework-models/types.ts +46 -0
- package/src/model/function-classifier.ts +184 -0
- package/src/model/import-resolver.ts +453 -0
- package/src/{utils → model}/imported-auth-detector.ts +21 -85
- package/src/model/index.ts +353 -0
- package/src/{utils → model}/middleware-detector.ts +156 -17
- package/src/model/module-graph.ts +254 -0
- package/src/{utils → model}/oauth-flow-detector.ts +1 -1
- package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
- package/src/model/route-auth-resolver.ts +216 -0
- package/src/model/route-discovery/express.ts +251 -0
- package/src/model/route-discovery/index.ts +83 -0
- package/src/model/route-discovery/nextjs.ts +216 -0
- package/src/model/route-discovery/python.ts +214 -0
- package/src/model/route-discovery/types.ts +48 -0
- package/src/model/route-discovery/utils.ts +54 -0
- package/src/model/sanitiser-detection.ts +268 -0
- package/src/model/sink-matcher.ts +178 -0
- package/src/model/sink-patterns.ts +109 -0
- package/src/model/source-discovery.ts +209 -0
- package/src/model/taint-tracker.ts +333 -0
- package/src/model/taint-types.ts +149 -0
- package/src/{utils → model}/trpc-analyzer.ts +1 -1
- package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +54 -0
- package/src/{utils → parse}/path-exclusions.ts +1 -1
- package/src/pipeline/config.ts +81 -0
- package/src/pipeline/index.ts +437 -0
- package/src/{modes → pipeline/modes}/incremental.ts +5 -5
- package/src/postprocess/aggregation.ts +74 -0
- package/src/postprocess/contradictions.ts +128 -0
- package/src/postprocess/dedup.ts +62 -0
- package/src/{filtering → postprocess/filtering}/__tests__/pipeline.test.ts +1 -1
- package/src/{filtering → postprocess/filtering}/context-adjustments.ts +2 -2
- package/src/{filtering → postprocess/filtering}/pipeline.ts +2 -2
- package/src/postprocess/index.ts +118 -0
- package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
- package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
- package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
- package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
- package/src/{suppression → postprocess/suppression}/types.ts +2 -2
- package/src/postprocess/validation-cap.ts +66 -0
- package/src/report/build-result.ts +94 -0
- package/src/report/enrichment.ts +52 -0
- package/src/{formatters → report/formatters}/ai-context.ts +1 -1
- package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
- package/src/{formatters → report/formatters}/github-comment.ts +1 -1
- package/src/{formatters → report/formatters}/grouping.ts +8 -8
- package/src/{formatters → report/formatters}/ide/claude-code.ts +1 -1
- package/src/{formatters → report/formatters}/ide/cursor.ts +1 -1
- package/src/{formatters → report/formatters}/ide/windsurf.ts +1 -1
- package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
- package/src/report/summary.ts +70 -0
- package/src/score/adjustments.ts +387 -0
- package/src/{layer3/anthropic → score}/auto-dismiss.ts +15 -14
- package/src/score/confidence.ts +66 -0
- package/src/score/index.ts +316 -0
- package/src/score/types.ts +187 -0
- package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
- package/src/{baseline → shared/baseline}/diff.ts +1 -1
- package/src/{baseline → shared/baseline}/manager.ts +1 -1
- package/src/{category-filter.ts → shared/category-filter.ts} +1 -1
- package/src/{utils → shared}/code-analysis.ts +1 -1
- package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
- package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
- package/src/{rules → shared/rules}/metadata.ts +94 -0
- package/src/{types.ts → shared/types.ts} +22 -5
- package/src/tiers.ts +18 -1
- package/src/validate/__tests__/context-extractor.test.ts +191 -0
- package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
- package/src/validate/__tests__/request-builder.test.ts +347 -0
- package/src/{layer3/anthropic → validate}/index.ts +8 -7
- package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
- package/src/validate/prompts/modules/ai-patterns.ts +153 -0
- package/src/validate/prompts/modules/auth-access.ts +22 -0
- package/src/validate/prompts/modules/common.ts +183 -0
- package/src/validate/prompts/modules/index.ts +204 -0
- package/src/validate/prompts/modules/owasp-classic.ts +81 -0
- package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
- package/src/validate/prompts/modules/xss-prompt.ts +19 -0
- package/src/validate/prompts/validation.ts +20 -0
- package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
- package/src/validate/providers/index.ts +8 -0
- package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
- package/src/validate/request-builder.ts +448 -0
- package/src/{layer3/anthropic → validate}/types.ts +1 -1
- package/src/validate/utils/context-extractor.ts +220 -0
- package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
- package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
- package/src/layer3/anthropic/prompts/validation.ts +0 -419
- package/src/layer3/anthropic/providers/index.ts +0 -8
- package/src/layer3/anthropic/request-builder.ts +0 -150
- package/src/layer3/index.ts +0 -168
- /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +0 -0
- /package/src/{utils → model}/route-hierarchy.ts +0 -0
- /package/src/{filtering → postprocess/filtering}/index.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
- /package/src/{formatters → report/formatters}/__tests__/ai-context.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/__tests__/ide.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/index.ts +0 -0
- /package/src/{formatters → report/formatters}/index.ts +0 -0
- /package/src/{utils → shared}/__tests__/code-analysis.test.ts +0 -0
- /package/src/{utils → shared}/__tests__/parsed-file.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/__tests__/manager.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/index.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/manager.ts +0 -0
- /package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +0 -0
- /package/src/{baseline → shared/baseline}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/types.ts +0 -0
- /package/src/{utils → shared}/comment-analyzer.ts +0 -0
- /package/src/{utils → shared}/diff-detector.ts +0 -0
- /package/src/{utils → shared}/diff-parser.ts +0 -0
- /package/src/{utils → shared}/environment-context.ts +0 -0
- /package/src/{utils → shared}/intent-detector.ts +0 -0
- /package/src/{utils → shared}/parsed-file.ts +0 -0
- /package/src/{utils → shared}/registry-clients.ts +0 -0
- /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
- /package/src/{rules → shared/rules}/index.ts +0 -0
- /package/src/{utils → shared}/schema-semantics.ts +0 -0
- /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
- /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
|
@@ -0,0 +1,533 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Layer 2: Authentication Anti-Pattern Detection
|
|
4
|
+
* Identifies weak or missing authentication/authorization patterns
|
|
5
|
+
*
|
|
6
|
+
* Key improvements:
|
|
7
|
+
* - Respects global middleware protection (caps severity at info)
|
|
8
|
+
* - Detects throwing auth helpers and suppresses redundant null checks
|
|
9
|
+
* - Properly classifies public endpoints
|
|
10
|
+
*/
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.detectAuthAntipatterns = detectAuthAntipatterns;
|
|
13
|
+
const middleware_detector_1 = require("../../model/middleware-detector");
|
|
14
|
+
const auth_helper_detector_1 = require("../../model/auth-helper-detector");
|
|
15
|
+
const file_classifier_1 = require("../../parse/file-classifier");
|
|
16
|
+
const route_hierarchy_1 = require("../../model/route-hierarchy");
|
|
17
|
+
const schema_semantics_1 = require("../../shared/schema-semantics");
|
|
18
|
+
const intent_detector_1 = require("../../shared/intent-detector");
|
|
19
|
+
const BASE_CONFIDENCE = 0.40;
|
|
20
|
+
const AUTH_ANTIPATTERNS = [
|
|
21
|
+
// Missing auth checks
|
|
22
|
+
{
|
|
23
|
+
name: 'Unprotected API route',
|
|
24
|
+
pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/gi,
|
|
25
|
+
severity: 'medium',
|
|
26
|
+
description: 'API route handler may lack authentication - verify auth is checked',
|
|
27
|
+
suggestedFix: 'Add authentication middleware or check session at the start of the handler',
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
name: 'Express route without auth middleware',
|
|
31
|
+
pattern: /\.(get|post|put|delete|patch)\s*\(\s*['"][^'"]+['"]\s*,\s*(async\s*)?\(\s*(req|request)/gi,
|
|
32
|
+
severity: 'medium',
|
|
33
|
+
description: 'Express route may lack authentication middleware',
|
|
34
|
+
suggestedFix: 'Add authentication middleware before the route handler',
|
|
35
|
+
},
|
|
36
|
+
// Weak authentication patterns
|
|
37
|
+
{
|
|
38
|
+
name: 'Hardcoded credentials check',
|
|
39
|
+
pattern: /if\s*\(\s*(username|user|email)\s*===?\s*['"][^'"]+['"]\s*&&\s*(password|pass|pwd)\s*===?\s*['"][^'"]+['"]/gi,
|
|
40
|
+
severity: 'critical',
|
|
41
|
+
description: 'Hardcoded credentials in authentication logic',
|
|
42
|
+
suggestedFix: 'Use a proper user database with hashed passwords',
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
name: 'Password in plain text comparison',
|
|
46
|
+
pattern: /password\s*===?\s*user\.password|user\.password\s*===?\s*password/gi,
|
|
47
|
+
severity: 'high',
|
|
48
|
+
description: 'Plain text password comparison detected',
|
|
49
|
+
suggestedFix: 'Use bcrypt.compare() or similar for password verification',
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
name: 'JWT without verification',
|
|
53
|
+
pattern: /jwt\.decode\s*\([^)]+\)(?!.*verify)/gi,
|
|
54
|
+
severity: 'high',
|
|
55
|
+
description: 'JWT decoded without signature verification',
|
|
56
|
+
suggestedFix: 'Use jwt.verify() instead of jwt.decode() for authentication',
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
name: 'Weak JWT secret',
|
|
60
|
+
pattern: /jwt\.sign\s*\([^)]+,\s*['"][^'"]{1,20}['"]/gi,
|
|
61
|
+
severity: 'high',
|
|
62
|
+
description: 'JWT signed with a short/weak secret',
|
|
63
|
+
suggestedFix: 'Use a strong, random secret of at least 256 bits from environment variables',
|
|
64
|
+
},
|
|
65
|
+
// Session issues
|
|
66
|
+
{
|
|
67
|
+
name: 'Session without secure flag',
|
|
68
|
+
pattern: /session\s*\(\s*\{[^}]*(?!secure\s*:\s*true)[^}]*\}/gi,
|
|
69
|
+
severity: 'medium',
|
|
70
|
+
description: 'Session configuration may lack secure flag',
|
|
71
|
+
suggestedFix: 'Set secure: true for cookies in production',
|
|
72
|
+
},
|
|
73
|
+
// NOTE: Cookie httpOnly detection removed - causes false positives
|
|
74
|
+
// Client-side code (document.cookie) cannot set httpOnly - it's a server-only flag
|
|
75
|
+
// Server-side cookie libraries have proper defaults
|
|
76
|
+
// The pattern was triggering on client-side cookie access which is conceptually wrong
|
|
77
|
+
// Authorization issues
|
|
78
|
+
// NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
|
|
79
|
+
// when throwing auth helpers are in use. Those helpers guarantee the user exists.
|
|
80
|
+
// This pattern is now much more targeted.
|
|
81
|
+
{
|
|
82
|
+
name: 'Missing role check for admin operation',
|
|
83
|
+
pattern: /\b(admin|superuser|moderator|owner)\b.*(?:delete|remove|update|modify|grant|revoke)/gi,
|
|
84
|
+
severity: 'low',
|
|
85
|
+
description: 'Potentially privileged operation - verify role/permission checks are in place',
|
|
86
|
+
suggestedFix: 'Add role-based access control for sensitive operations',
|
|
87
|
+
},
|
|
88
|
+
{
|
|
89
|
+
name: 'Client-side only auth check',
|
|
90
|
+
pattern: /if\s*\(\s*!?\s*(isAuthenticated|isLoggedIn|user)\s*\)\s*\{?\s*(router\.push|navigate|redirect|window\.location)/gi,
|
|
91
|
+
severity: 'medium',
|
|
92
|
+
description: 'Client-side only authentication redirect detected',
|
|
93
|
+
suggestedFix: 'Implement server-side authentication checks as well',
|
|
94
|
+
},
|
|
95
|
+
// Insecure token handling
|
|
96
|
+
{
|
|
97
|
+
name: 'Token in URL',
|
|
98
|
+
pattern: /\?.*token=|&token=|\?.*api_key=|&api_key=/gi,
|
|
99
|
+
severity: 'high',
|
|
100
|
+
description: 'Sensitive token passed in URL query parameter',
|
|
101
|
+
suggestedFix: 'Pass tokens in Authorization header or request body',
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
name: 'Token in localStorage',
|
|
105
|
+
pattern: /localStorage\.(setItem|getItem)\s*\(\s*['"](token|jwt|auth|session|apiKey)/gi,
|
|
106
|
+
severity: 'medium',
|
|
107
|
+
description: 'Sensitive token stored in localStorage (XSS vulnerable)',
|
|
108
|
+
suggestedFix: 'Use httpOnly cookies for token storage',
|
|
109
|
+
},
|
|
110
|
+
// OAuth/Social auth issues
|
|
111
|
+
// NOTE: OAuth detection narrowed significantly to reduce false positives.
|
|
112
|
+
// Previously matched any line containing "oauth" which flagged variable names, imports, etc.
|
|
113
|
+
// Now only matches actual OAuth authorization URL construction.
|
|
114
|
+
{
|
|
115
|
+
name: 'OAuth state parameter missing',
|
|
116
|
+
// Only match actual OAuth authorization URL construction without state parameter
|
|
117
|
+
// Must have: authorize endpoint + client_id/redirect_uri but missing state
|
|
118
|
+
pattern: /['"`]https?:\/\/[^'"]*\/(?:oauth|authorize|auth)[^'"]*client_id=[^'"]*(?!.*state=)/gi,
|
|
119
|
+
severity: 'medium',
|
|
120
|
+
description: 'OAuth authorization URL may lack state parameter for CSRF protection',
|
|
121
|
+
suggestedFix: 'Include a random state parameter in OAuth authorization requests',
|
|
122
|
+
},
|
|
123
|
+
// Password handling issues
|
|
124
|
+
{
|
|
125
|
+
name: 'Password logged',
|
|
126
|
+
pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*password/gi,
|
|
127
|
+
severity: 'critical',
|
|
128
|
+
description: 'Password may be logged to console',
|
|
129
|
+
suggestedFix: 'Never log passwords or sensitive credentials',
|
|
130
|
+
},
|
|
131
|
+
// NOTE: 'Password in error message' pattern now uses smart intent detection
|
|
132
|
+
// Error CODES like 'SAME_PASSWORD' are not flagged (they're codes, not values)
|
|
133
|
+
// Only actual password values concatenated into errors are flagged
|
|
134
|
+
// This is handled specially in detectAuthAntipatterns() below
|
|
135
|
+
// Rate limiting
|
|
136
|
+
{
|
|
137
|
+
name: 'Login without rate limiting',
|
|
138
|
+
pattern: /\/(login|signin|auth|authenticate)\s*['"],\s*(async\s*)?\(/gi,
|
|
139
|
+
severity: 'medium',
|
|
140
|
+
description: 'Login endpoint may lack rate limiting',
|
|
141
|
+
suggestedFix: 'Add rate limiting to prevent brute force attacks',
|
|
142
|
+
},
|
|
143
|
+
// 2FA bypass
|
|
144
|
+
{
|
|
145
|
+
name: 'Potential 2FA bypass',
|
|
146
|
+
pattern: /skip2fa|bypass2fa|disable2fa|twoFactor\s*[=:]\s*false/gi,
|
|
147
|
+
severity: 'high',
|
|
148
|
+
description: 'Two-factor authentication bypass detected',
|
|
149
|
+
suggestedFix: 'Remove 2FA bypass options in production',
|
|
150
|
+
},
|
|
151
|
+
];
|
|
152
|
+
// Check if line is a comment
|
|
153
|
+
function isComment(line) {
|
|
154
|
+
const trimmed = line.trim();
|
|
155
|
+
return (trimmed.startsWith('//') ||
|
|
156
|
+
trimmed.startsWith('#') ||
|
|
157
|
+
trimmed.startsWith('*') ||
|
|
158
|
+
trimmed.startsWith('/*'));
|
|
159
|
+
}
|
|
160
|
+
// Check if file is likely an auth-related file
|
|
161
|
+
function isAuthRelatedFile(filePath) {
|
|
162
|
+
const authKeywords = ['auth', 'login', 'session', 'user', 'account', 'credential', 'password', 'token', 'jwt', 'oauth'];
|
|
163
|
+
const lowerPath = filePath.toLowerCase();
|
|
164
|
+
return authKeywords.some(keyword => lowerPath.includes(keyword));
|
|
165
|
+
}
|
|
166
|
+
/**
|
|
167
|
+
* Check if file is an auth implementation/library file
|
|
168
|
+
* These files ARE the auth system - flagging them for "missing auth" is wrong
|
|
169
|
+
*
|
|
170
|
+
* Examples:
|
|
171
|
+
* - packages/auth/src/handlers.ts
|
|
172
|
+
* - lib/auth/middleware.ts
|
|
173
|
+
* - services/authentication/index.ts
|
|
174
|
+
*/
|
|
175
|
+
function isAuthImplementationFile(filePath) {
|
|
176
|
+
const authImplPatterns = [
|
|
177
|
+
/\/packages\/auth\//i,
|
|
178
|
+
/\/lib\/auth\//i,
|
|
179
|
+
/\/utils\/auth\//i,
|
|
180
|
+
/\/services\/auth/i,
|
|
181
|
+
/\/authentication\//i,
|
|
182
|
+
/\/auth-provider/i,
|
|
183
|
+
/\/auth-helpers/i,
|
|
184
|
+
/\/auth-utils/i,
|
|
185
|
+
/\/passport-/i, // Passport.js strategy files
|
|
186
|
+
/\/next-auth\//i, // NextAuth config
|
|
187
|
+
/\/lucia\//i, // Lucia auth
|
|
188
|
+
/\/better-auth\//i, // Better Auth
|
|
189
|
+
/\/supabase\/auth/i, // Supabase auth
|
|
190
|
+
/\/clerk\//i, // Clerk auth
|
|
191
|
+
/\/auth0\//i, // Auth0
|
|
192
|
+
/\/keycloak\//i, // Keycloak
|
|
193
|
+
];
|
|
194
|
+
return authImplPatterns.some(p => p.test(filePath));
|
|
195
|
+
}
|
|
196
|
+
// Check if endpoint is a known public endpoint (health checks, webhooks, cron)
|
|
197
|
+
function isKnownPublicEndpoint(lineContent, filePath) {
|
|
198
|
+
const PUBLIC_ENDPOINTS = [
|
|
199
|
+
// Health checks
|
|
200
|
+
/\/health\b/i,
|
|
201
|
+
/\/healthz\b/i,
|
|
202
|
+
/\/ready\b/i,
|
|
203
|
+
/\/live\b/i,
|
|
204
|
+
/\/ping\b/i,
|
|
205
|
+
/\/status\b/i,
|
|
206
|
+
/\/_health/i,
|
|
207
|
+
// Webhooks (receive external calls)
|
|
208
|
+
/\/webhook\b/i,
|
|
209
|
+
/\/webhooks\//i,
|
|
210
|
+
/\/callback\b/i,
|
|
211
|
+
/\/stripe\/webhook/i,
|
|
212
|
+
/\/clerk\/webhook/i,
|
|
213
|
+
/\/svix\//i,
|
|
214
|
+
// Cron/scheduled tasks
|
|
215
|
+
/\/cron\//i,
|
|
216
|
+
/\/scheduled\//i,
|
|
217
|
+
/\/tasks\//i,
|
|
218
|
+
/\/jobs?\//i,
|
|
219
|
+
// Public APIs - intentionally unauthenticated
|
|
220
|
+
/\/public\//i,
|
|
221
|
+
/\/openpage/i, // OpenPage API pattern (intentionally public)
|
|
222
|
+
/\/open-api\//i,
|
|
223
|
+
/\/api\/public\//i,
|
|
224
|
+
/\/api\/v\d+\/public\//i,
|
|
225
|
+
/\bGET\b.*\/api\/\w+\/\[id\]/i, // Public resource reads with ID param
|
|
226
|
+
// Auth endpoints (must be public for users to authenticate)
|
|
227
|
+
/\/api\/auth\//i,
|
|
228
|
+
/\/auth\//i,
|
|
229
|
+
/\/login\b/i,
|
|
230
|
+
/\/signup\b/i,
|
|
231
|
+
/\/register\b/i,
|
|
232
|
+
/\/forgot-password/i,
|
|
233
|
+
/\/reset-password/i,
|
|
234
|
+
/\/verify-email/i,
|
|
235
|
+
/\/magic-link/i,
|
|
236
|
+
/\/oauth\//i,
|
|
237
|
+
// RSS/Atom feeds (typically public)
|
|
238
|
+
/\/feed\b/i,
|
|
239
|
+
/\/rss\b/i,
|
|
240
|
+
/\/atom\b/i,
|
|
241
|
+
// Sitemap/robots (always public)
|
|
242
|
+
/\/sitemap/i,
|
|
243
|
+
/\/robots/i,
|
|
244
|
+
// OpenGraph/meta endpoints
|
|
245
|
+
/\/og\//i,
|
|
246
|
+
/\/opengraph/i,
|
|
247
|
+
/\/meta\//i,
|
|
248
|
+
// Share/embed endpoints
|
|
249
|
+
/\/share\//i,
|
|
250
|
+
/\/embed\//i,
|
|
251
|
+
/\/widget\//i,
|
|
252
|
+
];
|
|
253
|
+
return PUBLIC_ENDPOINTS.some(pattern => pattern.test(lineContent) || pattern.test(filePath));
|
|
254
|
+
}
|
|
255
|
+
// Check if there are auth indicators in nearby lines (within 15 lines)
|
|
256
|
+
function hasAuthCheckNearby(lines, lineIndex) {
|
|
257
|
+
const startLine = Math.max(0, lineIndex);
|
|
258
|
+
const endLine = Math.min(lines.length, lineIndex + 15);
|
|
259
|
+
const searchWindow = lines.slice(startLine, endLine);
|
|
260
|
+
const authIndicators = [
|
|
261
|
+
/authorization/i,
|
|
262
|
+
/bearer\s+token/i,
|
|
263
|
+
/req\.user/,
|
|
264
|
+
/request\.user/,
|
|
265
|
+
/isAuthenticated/,
|
|
266
|
+
/requireAuth/,
|
|
267
|
+
/verifyToken/,
|
|
268
|
+
/checkPermission/,
|
|
269
|
+
/getServerSession/,
|
|
270
|
+
/auth\(\)/,
|
|
271
|
+
/middleware.*auth/i,
|
|
272
|
+
/session\s*\.\s*user/,
|
|
273
|
+
// Internal secret checks (network-level auth)
|
|
274
|
+
/internal.?secret/i,
|
|
275
|
+
/INTERNAL_SECRET/,
|
|
276
|
+
/x-internal-secret/i,
|
|
277
|
+
/admin.?secret/i,
|
|
278
|
+
/service.?token/i,
|
|
279
|
+
// BYOK patterns - user provides their own API key (implicit auth)
|
|
280
|
+
/userApiKey|user_api_key|clientApiKey/i,
|
|
281
|
+
/req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
|
|
282
|
+
/headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
|
|
283
|
+
// Next.js / React auth patterns (expanded)
|
|
284
|
+
/const\s+session\s*=\s*await\s+auth\s*\(\)/, // const session = await auth()
|
|
285
|
+
/const\s+\{\s*session\s*\}\s*=\s*await\s+auth\s*\(\)/, // const { session } = await auth()
|
|
286
|
+
/if\s*\(\s*!session\?\.user/, // if (!session?.user)
|
|
287
|
+
/if\s*\(\s*!session\s*\)/, // if (!session)
|
|
288
|
+
/session\s*\?\.\s*user/, // session?.user
|
|
289
|
+
/getServerSession\s*\(\s*authOptions/, // getServerSession(authOptions)
|
|
290
|
+
/getServerSession\s*\(\s*req\s*,\s*res/, // getServerSession(req, res, ...)
|
|
291
|
+
/useSession\s*\(\)/, // useSession()
|
|
292
|
+
/signIn\s*\(/, // signIn()
|
|
293
|
+
/signOut\s*\(/, // signOut()
|
|
294
|
+
// Clerk auth patterns
|
|
295
|
+
/currentUser\s*\(\)/, // currentUser()
|
|
296
|
+
/auth\s*\(\)\s*\.\s*protect/, // auth().protect
|
|
297
|
+
/auth\s*\(\)\s*\.\s*userId/, // auth().userId
|
|
298
|
+
/clerkClient/i,
|
|
299
|
+
/getAuth\s*\(/,
|
|
300
|
+
/ClerkProvider/,
|
|
301
|
+
// Supabase auth patterns
|
|
302
|
+
/supabase\s*\.\s*auth\s*\.\s*getUser/, // supabase.auth.getUser()
|
|
303
|
+
/supabase\s*\.\s*auth\s*\.\s*getSession/, // supabase.auth.getSession()
|
|
304
|
+
/createServerClient/, // Supabase server client
|
|
305
|
+
/createRouteHandlerClient/,
|
|
306
|
+
// Lucia auth patterns
|
|
307
|
+
/lucia\s*\.\s*validateSession/,
|
|
308
|
+
/validateRequest/,
|
|
309
|
+
// Better Auth patterns
|
|
310
|
+
/betterAuth/,
|
|
311
|
+
/auth\.api\./,
|
|
312
|
+
// Throwing auth helpers (if these are called, route is authenticated)
|
|
313
|
+
/throw\s+new\s+Error\s*\(\s*['"]unauthorized/i,
|
|
314
|
+
/throw\s+new\s+Error\s*\(\s*['"]unauthenticated/i,
|
|
315
|
+
/ChatSDKError\s*\(\s*['"]unauthorized/i,
|
|
316
|
+
/return\s+new\s+Response\s*\(\s*.*401/,
|
|
317
|
+
/return\s+NextResponse\s*\.\s*json\s*\(\s*.*401/,
|
|
318
|
+
];
|
|
319
|
+
return searchWindow.some(line => authIndicators.some(pattern => pattern.test(line)));
|
|
320
|
+
}
|
|
321
|
+
function detectAuthAntipatterns(content, filePath, options = {}) {
|
|
322
|
+
const { middlewareConfig, authHelpers, fileAuthImports, parsed } = options;
|
|
323
|
+
const vulnerabilities = [];
|
|
324
|
+
// Skip scanner/fixture files to avoid self-detection
|
|
325
|
+
if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
|
|
326
|
+
return vulnerabilities;
|
|
327
|
+
const lines = parsed?.lines ?? content.split('\n');
|
|
328
|
+
const isAuthFile = isAuthRelatedFile(filePath);
|
|
329
|
+
const isAuthImpl = isAuthImplementationFile(filePath);
|
|
330
|
+
// Check framework route hierarchy protection (Remix, Next.js route groups)
|
|
331
|
+
const routeHierarchy = (0, route_hierarchy_1.getRouteProtectionContext)(filePath);
|
|
332
|
+
// Check if this route is protected by global middleware
|
|
333
|
+
const routePath = (0, middleware_detector_1.getRoutePathFromFile)(filePath);
|
|
334
|
+
const middlewareProtection = routePath && middlewareConfig
|
|
335
|
+
? (0, middleware_detector_1.isRouteProtectedByMiddleware)(routePath, middlewareConfig)
|
|
336
|
+
: { isProtected: false, reason: '' };
|
|
337
|
+
// Check if file uses imported auth middleware/helpers
|
|
338
|
+
const importedAuthProtection = fileAuthImports?.get(filePath);
|
|
339
|
+
const usesImportedAuth = importedAuthProtection?.usesImportedAuth ?? false;
|
|
340
|
+
// Check if file uses throwing auth helpers
|
|
341
|
+
const helpersList = authHelpers?.helpers || [];
|
|
342
|
+
// Check if this is a component only used in authenticated contexts
|
|
343
|
+
const isAuthOnlyComponent = (0, route_hierarchy_1.isAuthenticatedOnlyComponent)(filePath);
|
|
344
|
+
lines.forEach((line, index) => {
|
|
345
|
+
// Skip comment lines
|
|
346
|
+
if (isComment(line))
|
|
347
|
+
return;
|
|
348
|
+
for (const pattern of AUTH_ANTIPATTERNS) {
|
|
349
|
+
const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
|
|
350
|
+
if (regex.test(line)) {
|
|
351
|
+
// Special handling for unprotected route patterns
|
|
352
|
+
if (pattern.name === 'Unprotected API route' ||
|
|
353
|
+
pattern.name === 'Express route without auth middleware') {
|
|
354
|
+
// PRIORITY -1: Skip auth implementation files entirely
|
|
355
|
+
// These files ARE the auth system - flagging them for "missing auth" is conceptually wrong
|
|
356
|
+
if (isAuthImpl) {
|
|
357
|
+
break; // Skip this pattern
|
|
358
|
+
}
|
|
359
|
+
// PRIORITY 0: Check if this is actually a route file
|
|
360
|
+
// In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
|
|
361
|
+
// `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
|
|
362
|
+
// export GET/POST functions.
|
|
363
|
+
const isActualRouteFile = /\/(route|page)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
|
|
364
|
+
/\/(api|routes?)\/.*\/(index|route)\.(ts|js)$/i.test(filePath) ||
|
|
365
|
+
// Express/Koa routes typically have 'routes' or 'router' in path
|
|
366
|
+
/\/(routes?|router|controllers?)\.[tj]s$/i.test(filePath);
|
|
367
|
+
// Files explicitly named as handlers, helpers, utils are not routes
|
|
368
|
+
const isUtilityFile = /(handler|helper|util|mock|test|fixture|safe|example)/i.test(filePath);
|
|
369
|
+
if (!isActualRouteFile || isUtilityFile) {
|
|
370
|
+
// Not an actual route file - skip this finding
|
|
371
|
+
break;
|
|
372
|
+
}
|
|
373
|
+
// PRIORITY 0.5: Check if route is in a protected route hierarchy
|
|
374
|
+
// Framework route conventions (Remix _authenticated+, Next.js route groups)
|
|
375
|
+
if (routeHierarchy.isInProtectedHierarchy) {
|
|
376
|
+
// Route is in a protected hierarchy - cap severity at info
|
|
377
|
+
vulnerabilities.push({
|
|
378
|
+
id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
|
|
379
|
+
filePath,
|
|
380
|
+
lineNumber: index + 1,
|
|
381
|
+
lineContent: line.trim(),
|
|
382
|
+
severity: 'info',
|
|
383
|
+
category: 'missing_auth',
|
|
384
|
+
title: pattern.name + ' (in protected route hierarchy)',
|
|
385
|
+
description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
|
|
386
|
+
suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
|
|
387
|
+
confidence: 'low',
|
|
388
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
389
|
+
layer: 2,
|
|
390
|
+
source: 'structural',
|
|
391
|
+
});
|
|
392
|
+
break; // Only report once per line
|
|
393
|
+
}
|
|
394
|
+
// PRIORITY 0.75: Check if this is a component only used in authenticated contexts
|
|
395
|
+
if (isAuthOnlyComponent) {
|
|
396
|
+
// Component is in admin/dashboard/etc - skip entirely
|
|
397
|
+
break;
|
|
398
|
+
}
|
|
399
|
+
// PRIORITY 1: Check if route is protected by global middleware
|
|
400
|
+
// This is the STRONGEST signal - if middleware protects the route, suppress entirely
|
|
401
|
+
if (middlewareProtection.isProtected) {
|
|
402
|
+
// Route is authenticated by middleware - no finding needed
|
|
403
|
+
break; // Skip this pattern, route is protected
|
|
404
|
+
}
|
|
405
|
+
// PRIORITY 1.5: Check if file imports and uses auth middleware
|
|
406
|
+
// e.g., import { authMiddleware } from '@/lib/auth' + wraps handlers
|
|
407
|
+
if (usesImportedAuth) {
|
|
408
|
+
// File imports auth middleware and uses it - no finding needed
|
|
409
|
+
break; // Skip this pattern, route is protected via imported auth
|
|
410
|
+
}
|
|
411
|
+
// PRIORITY 2: Check if file uses throwing auth helpers
|
|
412
|
+
// If getCurrentUserId() or similar is called, the route is authenticated
|
|
413
|
+
const authHelperCall = (0, auth_helper_detector_1.hasAuthHelperCallBefore)(content, index, helpersList);
|
|
414
|
+
if (authHelperCall.hasCall && authHelperCall.helper) {
|
|
415
|
+
// Route uses a throwing auth helper - no finding needed
|
|
416
|
+
// The auth helper guarantees authenticated context
|
|
417
|
+
break; // Skip this pattern, route is protected
|
|
418
|
+
}
|
|
419
|
+
// PRIORITY 3: Check if this is a known public endpoint
|
|
420
|
+
if (isKnownPublicEndpoint(line, filePath)) {
|
|
421
|
+
vulnerabilities.push({
|
|
422
|
+
id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
|
|
423
|
+
filePath,
|
|
424
|
+
lineNumber: index + 1,
|
|
425
|
+
lineContent: line.trim(),
|
|
426
|
+
severity: 'info',
|
|
427
|
+
category: 'missing_auth',
|
|
428
|
+
title: pattern.name + ' (public endpoint)',
|
|
429
|
+
description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
|
|
430
|
+
suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
|
|
431
|
+
confidence: 'low',
|
|
432
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
433
|
+
layer: 2,
|
|
434
|
+
source: 'structural',
|
|
435
|
+
});
|
|
436
|
+
break; // Only report once per line
|
|
437
|
+
}
|
|
438
|
+
// PRIORITY 4: Check if auth check exists nearby (inline check)
|
|
439
|
+
if (hasAuthCheckNearby(lines, index)) {
|
|
440
|
+
vulnerabilities.push({
|
|
441
|
+
id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
|
|
442
|
+
filePath,
|
|
443
|
+
lineNumber: index + 1,
|
|
444
|
+
lineContent: line.trim(),
|
|
445
|
+
severity: 'low',
|
|
446
|
+
category: 'missing_auth',
|
|
447
|
+
title: pattern.name,
|
|
448
|
+
description: pattern.description + ' (auth check detected in nearby lines)',
|
|
449
|
+
suggestedFix: pattern.suggestedFix,
|
|
450
|
+
confidence: 'low',
|
|
451
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
452
|
+
layer: 2,
|
|
453
|
+
source: 'structural',
|
|
454
|
+
});
|
|
455
|
+
break; // Only report once per line
|
|
456
|
+
}
|
|
457
|
+
}
|
|
458
|
+
// Standard handling for all patterns (or fallback for route patterns)
|
|
459
|
+
// Boost confidence for auth-related files
|
|
460
|
+
const confidence = isAuthFile ? 'high' : 'medium';
|
|
461
|
+
vulnerabilities.push({
|
|
462
|
+
id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
|
|
463
|
+
filePath,
|
|
464
|
+
lineNumber: index + 1,
|
|
465
|
+
lineContent: line.trim(),
|
|
466
|
+
severity: pattern.severity,
|
|
467
|
+
category: 'missing_auth',
|
|
468
|
+
title: pattern.name,
|
|
469
|
+
description: pattern.description,
|
|
470
|
+
suggestedFix: pattern.suggestedFix,
|
|
471
|
+
confidence,
|
|
472
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
473
|
+
layer: 2,
|
|
474
|
+
source: 'structural',
|
|
475
|
+
});
|
|
476
|
+
break; // Only report once per line
|
|
477
|
+
}
|
|
478
|
+
}
|
|
479
|
+
});
|
|
480
|
+
// Special handling: Password in error message with smart intent detection
|
|
481
|
+
// Only flag actual password VALUES, not error CODES like 'SAME_PASSWORD'
|
|
482
|
+
const passwordErrorPattern = /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi;
|
|
483
|
+
lines.forEach((line, index) => {
|
|
484
|
+
if (isComment(line))
|
|
485
|
+
return;
|
|
486
|
+
if (passwordErrorPattern.test(line)) {
|
|
487
|
+
// Reset regex state
|
|
488
|
+
passwordErrorPattern.lastIndex = 0;
|
|
489
|
+
// Skip if this is an error CODE, not a VALUE
|
|
490
|
+
if ((0, intent_detector_1.isPasswordErrorCode)(line)) {
|
|
491
|
+
return; // This is fine - 'SAME_PASSWORD' is a code, not a value
|
|
492
|
+
}
|
|
493
|
+
// Only flag if actual password value is in the error
|
|
494
|
+
if ((0, intent_detector_1.hasPasswordValueInError)(line)) {
|
|
495
|
+
vulnerabilities.push({
|
|
496
|
+
id: `auth-antipattern-${filePath}-${index + 1}-password-in-error`,
|
|
497
|
+
filePath,
|
|
498
|
+
lineNumber: index + 1,
|
|
499
|
+
lineContent: line.trim(),
|
|
500
|
+
severity: 'high',
|
|
501
|
+
category: 'missing_auth',
|
|
502
|
+
title: 'Password value in error message',
|
|
503
|
+
description: 'Actual password value may be included in error message, exposing sensitive data.',
|
|
504
|
+
suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
|
|
505
|
+
confidence: 'high',
|
|
506
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
507
|
+
layer: 2,
|
|
508
|
+
source: 'structural',
|
|
509
|
+
});
|
|
510
|
+
}
|
|
511
|
+
}
|
|
512
|
+
});
|
|
513
|
+
// Special handling: 2FA optional fields with OR validation
|
|
514
|
+
// Don't flag .optional() on 2FA fields if there's .refine() enforcing OR logic
|
|
515
|
+
const twoFAOptionalPattern = /\.(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa).*\.optional\s*\(\)/gi;
|
|
516
|
+
lines.forEach((line, index) => {
|
|
517
|
+
if (isComment(line))
|
|
518
|
+
return;
|
|
519
|
+
if (twoFAOptionalPattern.test(line)) {
|
|
520
|
+
// Reset regex state
|
|
521
|
+
twoFAOptionalPattern.lastIndex = 0;
|
|
522
|
+
// Check if this is legitimate OR validation (either TOTP or backup code required)
|
|
523
|
+
if ((0, schema_semantics_1.is2FAOrValidation)(content, index)) {
|
|
524
|
+
// This is legitimate OR validation - skip or report as info
|
|
525
|
+
return;
|
|
526
|
+
}
|
|
527
|
+
// Only flag if this truly allows bypassing 2FA
|
|
528
|
+
// Most cases with .refine() are fine - this is handled by schema-semantics.ts
|
|
529
|
+
}
|
|
530
|
+
});
|
|
531
|
+
return vulnerabilities;
|
|
532
|
+
}
|
|
533
|
+
//# sourceMappingURL=auth-patterns.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-patterns.js","sourceRoot":"","sources":["../../../src/detect/structural/auth-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAiXH,wDAmPC;AA/lBD,yEAAoG;AAEpG,2EAAoG;AAEpG,iEAAoE;AACpE,iEAAqG;AACrG,oEAAiE;AACjE,kEAA2F;AAE3F,MAAM,eAAe,GAAG,IAAI,CAAA;AAU5B,MAAM,iBAAiB,GAAsB;IAC3C,sBAAsB;IACtB;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,mEAAmE;QAC5E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oEAAoE;QACjF,YAAY,EAAE,4EAA4E;KAC3F;IACD;QACE,IAAI,EAAE,uCAAuC;QAC7C,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,wDAAwD;KACvE;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8GAA8G;QACvH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,kDAAkD;KACjE;IACD;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,YAAY,EAAE,2DAA2D;KAC1E;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,6DAA6D;KAC5E;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,6EAA6E;KAC5F;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,4CAA4C;KAC3D;IACD,mEAAmE;IACnE,mFAAmF;IACnF,oDAAoD;IACpD,sFAAsF;IAEtF,uBAAuB;IACvB,uFAAuF;IACvF,kFAAkF;IAClF,0CAA0C;IAC1C;QACE,IAAI,EAAE,wCAAwC;QAC9C,OAAO,EAAE,uFAAuF;QAChG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,+EAA+E;QAC5F,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,mHAAmH;QAC5H,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mDAAmD;QAChE,YAAY,EAAE,qDAAqD;KACpE;IAED,0BAA0B;IAC1B;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,qDAAqD;KACpE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,wCAAwC;KACvD;IAED,2BAA2B;IAC3B,0EAA0E;IAC1E,6FAA6F;IAC7F,gEAAgE;IAChE;QACE,IAAI,EAAE,+BAA+B;QACrC,iFAAiF;QACjF,2EAA2E;QAC3E,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE
,kEAAkE;KACjF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mCAAmC;QAChD,YAAY,EAAE,8CAA8C;KAC7D;IACD,4EAA4E;IAC5E,+EAA+E;IAC/E,mEAAmE;IACnE,8DAA8D;IAE9D,gBAAgB;IAChB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uCAAuC;QACpD,YAAY,EAAE,kDAAkD;KACjE;IAED,aAAa;IACb;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,yCAAyC;KACxD;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;IACvH,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,wBAAwB,CAAC,QAAgB;IAChD,MAAM,gBAAgB,GAAG;QACvB,qBAAqB;QACrB,gBAAgB;QAChB,kBAAkB;QAClB,mBAAmB;QACnB,qBAAqB;QACrB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,cAAc,EAAe,6BAA6B;QAC1D,gBAAgB,EAAa,kBAAkB;QAC/C,YAAY,EAAiB,aAAa;QAC1C,kBAAkB,EAAW,cAAc;QAC3C,mBAAmB,EAAU,gBAAgB;QAC7C,YAAY,EAAiB,aAAa;QAC1C,YAAY,EAAiB,QAAQ;QACrC,eAAe,EAAc,WAAW;KACzC,CAAA;IACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,+EAA+E;AAC/E,SAAS,qBAAqB,CAAC,WAAmB,EAAE,QAAgB;IAClE,MAAM,gBAAgB,GAAG;QACvB,gBAAgB;QAChB,aAAa;QACb,cAAc;QACd,YAAY;QACZ,WAAW;QACX,WAAW;QACX,aAAa;QACb,YAAY;QAEZ,oCAAoC;QACpC,cAAc;QACd,eAAe;QACf,eAAe;QACf,oBAAoB;QACpB,mBAAmB;QACnB,WAAW;QAEX,uBAAuB;QACvB,WAAW;QACX,gBAAgB;QAChB,YAAY;QACZ,YAAY;QAEZ,8CAA8C;QAC9C,aAAa;QACb,aAAa,EAAS,8CAA8C;QACpE,eAAe;QACf,kBAAkB;QAClB,wBAAwB;QACxB,8BAA8B,EAAG,sCAAsC;QAEvE,4DAA4D;QAC5D,gBAAgB;QAChB,WAAW;QACX,YAAY;QACZ,aAAa;QACb,eAAe;QACf,oB
AAoB;QACpB,mBAAmB;QACnB,iBAAiB;QACjB,eAAe;QACf,YAAY;QAEZ,oCAAoC;QACpC,WAAW;QACX,UAAU;QACV,WAAW;QAEX,iCAAiC;QACjC,YAAY;QACZ,WAAW;QAEX,2BAA2B;QAC3B,SAAS;QACT,cAAc;QACd,WAAW;QAEX,wBAAwB;QACxB,YAAY;QACZ,YAAY;QACZ,aAAa;KACd,CAAA;IAED,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACrC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CACpD,CAAA;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,kBAAkB,CAAC,KAAe,EAAE,SAAiB;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IACtD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAEpD,MAAM,cAAc,GAAG;QACrB,gBAAgB;QAChB,iBAAiB;QACjB,WAAW;QACX,eAAe;QACf,iBAAiB;QACjB,aAAa;QACb,aAAa;QACb,iBAAiB;QACjB,kBAAkB;QAClB,UAAU;QACV,mBAAmB;QACnB,qBAAqB;QACrB,8CAA8C;QAC9C,mBAAmB;QACnB,iBAAiB;QACjB,oBAAoB;QACpB,gBAAgB;QAChB,iBAAiB;QACjB,kEAAkE;QAClE,uCAAuC;QACvC,uDAAuD;QACvD,sDAAsD;QAEtD,2CAA2C;QAC3C,2CAA2C,EAAW,+BAA+B;QACrF,qDAAqD,EAAE,mCAAmC;QAC1F,4BAA4B,EAA2B,sBAAsB;QAC7E,yBAAyB,EAA8B,gBAAgB;QACvE,uBAAuB,EAAgC,gBAAgB;QACvE,qCAAqC,EAAkB,gCAAgC;QACvF,uCAAuC,EAAe,kCAAkC;QACxF,mBAAmB,EAAoC,eAAe;QACtE,aAAa,EAA0C,WAAW;QAClE,cAAc,EAAyC,YAAY;QAEnE,sBAAsB;QACtB,oBAAoB,EAAmC,gBAAgB;QACvE,4BAA4B,EAA0B,iBAAiB;QACvE,2BAA2B,EAA2B,gBAAgB;QACtE,cAAc;QACd,cAAc;QACd,eAAe;QAEf,yBAAyB;QACzB,qCAAqC,EAAgB,0BAA0B;QAC/E,wCAAwC,EAAa,6BAA6B;QAClF,oBAAoB,EAAmC,yBAAyB;QAChF,0BAA0B;QAE1B,sBAAsB;QACtB,8BAA8B;QAC9B,iBAAiB;QAEjB,uBAAuB;QACvB,YAAY;QACZ,aAAa;QAEb,sEAAsE;QACtE,8CAA8C;QAC9C,iDAAiD;QACjD,uCAAuC;QACvC,sCAAsC;QACtC,gDAAgD;KACjD,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9B,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CACnD,CAAA;AACH,CAAC;AASD,SAAgB,sBAAsB,CACpC,OAAe,EACf,QAAgB,EAChB,UAAkC,EAAE;IAEpC,MAAM,EAAE,gBAAgB,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAC1E,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,
KAAK,CAAC,IAAI,CAAC,CAAA;IAClD,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;IAC9C,MAAM,UAAU,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAA;IAErD,2EAA2E;IAC3E,MAAM,cAAc,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;IAE1D,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAA,0CAAoB,EAAC,QAAQ,CAAC,CAAA;IAChD,MAAM,oBAAoB,GAAG,SAAS,IAAI,gBAAgB;QACxD,CAAC,CAAC,IAAA,kDAA4B,EAAC,SAAS,EAAE,gBAAgB,CAAC;QAC3D,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAA;IAEtC,sDAAsD;IACtD,MAAM,sBAAsB,GAAG,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAA;IAC7D,MAAM,gBAAgB,GAAG,sBAAsB,EAAE,gBAAgB,IAAI,KAAK,CAAA;IAE1E,2CAA2C;IAC3C,MAAM,WAAW,GAAG,WAAW,EAAE,OAAO,IAAI,EAAE,CAAA;IAE9C,mEAAmE;IACnE,MAAM,mBAAmB,GAAG,IAAA,8CAA4B,EAAC,QAAQ,CAAC,CAAA;IAElE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,kDAAkD;gBAClD,IAAI,OAAO,CAAC,IAAI,KAAK,uBAAuB;oBACxC,OAAO,CAAC,IAAI,KAAK,uCAAuC,EAAE,CAAC;oBAE7D,uDAAuD;oBACvD,2FAA2F;oBAC3F,IAAI,UAAU,EAAE,CAAC;wBACf,MAAK,CAAC,oBAAoB;oBAC5B,CAAC;oBAED,qDAAqD;oBACrD,+EAA+E;oBAC/E,6EAA6E;oBAC7E,6BAA6B;oBAC7B,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC1E,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC9D,iEAAiE;wBACjE,0CAA0C,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE3D,oEAAoE;oBACpE,MAAM,aAAa,GAAG,uDAAuD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE5F,IAAI,CAAC,iBAAiB,IAAI,aAAa,EAAE,CAAC;wBACxC,+CAA+C;wBAC/C,MAAK;oBACP,CAAC;oBAED,iEAAiE;oBACjE,4EAA4E;oBAC5E,IAAI,cAAc,CAAC,sBAAsB,EAAE,CAAC;wBAC1C,2DAA2D;wBAC3D,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,iCAAiC;4BACvD,WAAW,EAAE,qDAAqD,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,kEAAkE;4BAC9K,YAAY,EAAE,4EAA4E;4BAC1F,UAAU,EAAE,KAAK;4BAC
jB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,kFAAkF;oBAClF,IAAI,mBAAmB,EAAE,CAAC;wBACxB,sDAAsD;wBACtD,MAAK;oBACP,CAAC;oBAED,+DAA+D;oBAC/D,qFAAqF;oBACrF,IAAI,oBAAoB,CAAC,WAAW,EAAE,CAAC;wBACrC,2DAA2D;wBAC3D,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,+DAA+D;oBAC/D,qEAAqE;oBACrE,IAAI,gBAAgB,EAAE,CAAC;wBACrB,+DAA+D;wBAC/D,MAAK,CAAC,0DAA0D;oBAClE,CAAC;oBAED,uDAAuD;oBACvD,yEAAyE;oBACzE,MAAM,cAAc,GAAG,IAAA,8CAAuB,EAAC,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,CAAA;oBAC3E,IAAI,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;wBACpD,wDAAwD;wBACxD,mDAAmD;wBACnD,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,uDAAuD;oBACvD,IAAI,qBAAqB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;wBAC1C,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,oBAAoB;4BAC1C,WAAW,EAAE,qJAAqJ;4BAClK,YAAY,EAAE,yJAAyJ;4BACvK,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,+DAA+D;oBAC/D,IAAI,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;wBACrC,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,KAAK;4BACf,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,wCAAwC;4BAC3E,YAAY,EAAE,OAAO,CAAC,YAAY;4BAClC,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;gBACH,CAAC;gBAED,sEAAsE;gBACtE,0CAA0C;gBAC1C,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;gBAEjD,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;oBAC/D,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QA
AQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,OAAO,CAAC,IAAI;oBACnB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU;oBACV,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,yEAAyE;IACzE,MAAM,oBAAoB,GAAG,iEAAiE,CAAA;IAC9F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,6CAA6C;YAC7C,IAAI,IAAA,qCAAmB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,OAAM,CAAC,wDAAwD;YACjE,CAAC;YAED,qDAAqD;YACrD,IAAI,IAAA,yCAAuB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,oBAAoB;oBACjE,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EAAE,kFAAkF;oBAC/F,YAAY,EAAE,kFAAkF;oBAChG,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,+EAA+E;IAC/E,MAAM,oBAAoB,GAAG,6EAA6E,CAAA;IAC1G,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,kFAAkF;YAClF,IAAI,IAAA,oCAAiB,EAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;gBACtC,4DAA4D;gBAC5D,OAAM;YACR,CAAC;YAED,+CAA+C;YAC/C,8EAA8E;QAChF,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Child Process Detection
|
|
3
|
+
*
|
|
4
|
+
* Detection logic for child_process functions (exec, spawn, execFile, etc.)
|
|
5
|
+
* that can lead to command injection vulnerabilities.
|
|
6
|
+
*/
|
|
7
|
+
/**
|
|
8
|
+
* Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
|
|
9
|
+
* Returns true if this is a child_process exec call that should be flagged
|
|
10
|
+
*/
|
|
11
|
+
export declare function isChildProcessExec(content: string, lineContent: string): boolean;
|
|
12
|
+
/**
|
|
13
|
+
* Check if spawn/execFile/execSync is from child_process
|
|
14
|
+
*/
|
|
15
|
+
export declare function isChildProcessSpawn(content: string, lineContent: string): boolean;
|
|
16
|
+
//# sourceMappingURL=child-process.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../../../src/detect/structural/dangerous-functions/child-process.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAiEhF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAgBjF"}
|
|
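--- /dev/null
+++ b/package/dist/detect/structural/dangerous-functions/child-process.js
@@ -0,0 +1,74 @@
+"use strict";
+/**
+* Child Process Detection
+*
+* Detection logic for child_process functions (exec, spawn, execFile, etc.)
+* that can lead to command injection vulnerabilities.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isChildProcessExec = isChildProcessExec;
+exports.isChildProcessSpawn = isChildProcessSpawn;
+/**
+* Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+* Returns true if this is a child_process exec call that should be flagged
+*/
+function isChildProcessExec(content, lineContent) {
+// Check for child_process import
+const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+/from\s+['"]child_process['"]/.test(content) ||
+/import\s+.*child_process/.test(content) ||
+/require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+/from\s+['"]node:child_process['"]/.test(content);
+// If no child_process import, this is likely RegExp.exec or similar
+if (!hasChildProcessImport) {
+return false;
+}
+// Check if this specific line is RegExp.exec pattern
+// RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
+const isRegExpExec = /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
+!/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')); // Not a standalone exec()
+// Also check for common RegExp patterns
+const isRegExpPattern = /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
+/new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
+/regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
+/pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
+/match\.exec\s*\(/i.test(lineContent) || // match.exec()
+/re\.exec\s*\(/i.test(lineContent); // re.exec()
+if (isRegExpExec || isRegExpPattern) {
+return false;
+}
+// Check if exec is imported/destructured from child_process
+const execImported = /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
+/\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
+/import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
+/import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content);
+// If exec is directly imported from child_process, standalone exec() is dangerous
+if (execImported && /\bexec\s*\(/.test(lineContent)) {
+return true;
+}
+// Check for child_process.exec() pattern
+if (/child_process\.exec\s*\(/.test(lineContent) ||
+/cp\.exec\s*\(/.test(lineContent) ||
+/childProcess\.exec\s*\(/.test(lineContent)) {
+return true;
+}
+// If we have child_process import but can't determine usage, be conservative
+// Only flag if it looks like a standalone exec() call
+return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent);
+}
+/**
+* Check if spawn/execFile/execSync is from child_process
+*/
+function isChildProcessSpawn(content, lineContent) {
+// Check for child_process import
+const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+/from\s+['"]child_process['"]/.test(content) ||
+/require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+/from\s+['"]node:child_process['"]/.test(content);
+if (!hasChildProcessImport) {
+return false;
+}
+// These functions are always from child_process when that module is imported
+return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent);
+}
+//# sourceMappingURL=child-process.js.map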
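Review bot: In isChildProcessExec the `child_process.exec(` / `cp.exec(` / `childProcess.exec(` branch is effectively unreachable, because the `isRegExpExec` heuristic above it treats any line containing a single `.exec(` as a RegExp call (`cp.exec('ls')` becomes `cp'ls')` after the replace, no bare `exec(` remains, so the function returns false before the member-call patterns are tested). The three receivers the comment documents are therefore only flagged when a second standalone `exec(` happens to sit on the same line, which is a false negative for the most direct spelling of the sink this module exists to detect. Deciding the explicit member-call patterns before the RegExp heuristics fixes this without widening any match, as sketched below; the receiver names could alternatively be excluded inside `isRegExpExec`, but the reorder leaves every existing pattern untouched. The `/re\.exec\s*\(/i` pattern also matches any identifier ending in `re` (e.g. `core.exec(`), which is worth a comment on the line so the trade-off is visible.
```javascript
function isChildProcessExec(content, lineContent) {
    // … unchanged: hasChildProcessImport check and early return …
    // Explicit member calls on the module object are decided first: the
    // RegExp.exec heuristic below treats any lone `.exec(` as safe and would
    // otherwise return false before this branch is reached.
    if (/child_process\.exec\s*\(/.test(lineContent) ||
        /cp\.exec\s*\(/.test(lineContent) ||
        /childProcess\.exec\s*\(/.test(lineContent)) {
        return true;
    }
    // … unchanged: isRegExpExec / isRegExpPattern heuristics, execImported check, fallback …
}
```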