@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/structural/log-injection.js

@@ -0,0 +1,217 @@
+"use strict";
+/**
+ * Layer 2: Log Injection Detector
+ * Detects unsanitized user input flowing into log statements
+ *
+ * OWASP A09:2021 - Security Logging and Monitoring Failures
+ * CWE-117: Improper Output Neutralization for Logs
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectLogInjection = detectLogInjection;
+const file_classifier_1 = require("../../parse/file-classifier");
+const BASE_CONFIDENCE = 0.35;
+/** Log sink patterns */
+const LOG_SINK_PATTERNS = [
+    /console\.(?:log|info|warn|error|debug|trace)\s*\(/,
+    /logger\.(?:log|info|warn|error|debug|trace|fatal|silly|verbose)\s*\(/,
+    /(?:winston|pino|bunyan|log4js|signale)\.(?:log|info|warn|error|debug)\s*\(/,
+    /log\.(?:info|warn|error|debug|trace|fatal)\s*\(/,
+];
+/** User-controlled request data patterns */
+const USER_INPUT_PATTERNS = [
+    /(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[['"][^'"]+['"]\])/,
+    /(?:req|request)\.headers(?:\.\w+|\[['"][^'"]+['"]\])/,
+];
+/** Error/catch variable names to exclude */
+const ERROR_VAR_PATTERN = /\b(?:err|error|e|ex|exception)\b/;
+/** Patterns that are NOT user input (internal/app data) */
+const NOT_USER_INPUT_PATTERNS = [
+    // Error objects in catch blocks
+    /\bcatch\s*\(\s*(?:err|error|e|ex|exception)\b/,
+    // Internal IDs
+    /(?:user|session|tenant|org|account)\.id\b/,
+    /(?:userId|sessionId|tenantId|orgId|accountId)\b/,
+    // Internal state
+    /\.length\b/,
+    /\.count\b/,
+    /\.size\b/,
+    /\.status\b/,
+];
+/** Middleware logging patterns to skip entirely */
+const MIDDLEWARE_LOGGING = /(?:app|server|router)\.use\s*\(\s*(?:morgan|pino|express-winston|express\.logger)/;
+/** Sanitization patterns near log line */
+const SANITIZATION_PATTERNS = [
+    /\.replace\s*\(\s*\/\[\\r\\n\]/,
+    /sanitize\s*\(/,
+    /escape\s*\(/,
+    /encodeURI(?:Component)?\s*\(/,
+    /stripNewlines?\s*\(/,
+    /\.replace\s*\(\s*\/[\r\n]/,
+];
+/**
+ * Check if a log line contains user input (not just error objects)
+ */
+function containsUserInput(line, lines, lineIndex) {
+    // Check for req.headers in log
+    if (/(?:req|request)\.headers/.test(line)) {
+        return { found: true, type: 'header' };
+    }
+    // Check for req.body/query/params in log
+    if (/(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[)/.test(line)) {
+        return { found: true, type: 'body' };
+    }
+    // Check for spread of request body: console.log({ ...req.body })
+    if (/\.\.\.\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
+        return { found: true, type: 'spread' };
+    }
+    // Check for JSON.stringify(req.body) in log
+    if (/JSON\.stringify\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
+        return { found: true, type: 'stringify' };
+    }
+    // Check for template literal with user input
+    if (/`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/.test(line)) {
+        return { found: true, type: 'body' };
+    }
+    // Multi-line log calls: check ±3 lines
+    for (let offset = -3; offset <= 3; offset++) {
+        if (offset === 0)
+            continue;
+        const idx = lineIndex + offset;
+        if (idx < 0 || idx >= lines.length)
+            continue;
+        const nearLine = lines[idx];
+        if (USER_INPUT_PATTERNS.some(p => p.test(nearLine))) {
+            // Only flag if the nearby line is part of the same log call (open paren)
+            const fromStart = Math.min(lineIndex, idx);
+            const toEnd = Math.max(lineIndex, idx);
+            const block = lines.slice(fromStart, toEnd + 1).join('\n');
+            // Check for unclosed paren indicating multi-line call
+            const openParens = (block.match(/\(/g) || []).length;
+            const closeParens = (block.match(/\)/g) || []).length;
+            if (openParens > closeParens) {
+                if (/(?:req|request)\.headers/.test(nearLine)) {
+                    return { found: true, type: 'header' };
+                }
+                return { found: true, type: 'body' };
+            }
+        }
+    }
+    return { found: false, type: 'body' };
+}
+/**
+ * Check if the log line is just error logging in a catch block
+ */
+function isErrorLogging(line, lines, lineIndex) {
+    // Direct error object logging: console.error(err), console.error(error)
+    if (/console\.(?:error|warn|log)\s*\(\s*(?:['"][^'"]*['"],?\s*)?(?:err|error|e|ex|exception)\s*\)/.test(line)) {
+        return true;
+    }
+    // console.error('message', error) pattern
+    if (/console\.(?:error|warn|log)\s*\(\s*['"][^'"]*['"],\s*(?:err|error|e|ex|exception)\s*\)/.test(line)) {
+        return true;
+    }
+    // error.message logging
+    if (/(?:err|error|e|ex|exception)\.(?:message|stack|name|code)\b/.test(line)) {
+        return true;
+    }
+    // logger.error('msg', { error })
+    if (/logger\.(?:error|warn)\s*\(.*(?:err|error|e)\b/.test(line) && !USER_INPUT_PATTERNS.some(p => p.test(line))) {
+        return true;
+    }
+    // Check if we're inside a catch block
+    for (let j = lineIndex - 1; j >= Math.max(0, lineIndex - 5); j--) {
+        if (/\bcatch\s*\(/.test(lines[j])) {
+            // We're in a catch block — check if the logged value is the error var
+            const catchMatch = lines[j].match(/catch\s*\(\s*(\w+)/);
+            if (catchMatch) {
+                const errorVar = catchMatch[1];
+                if (new RegExp(`\\b${errorVar}\\b`).test(line)) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Check for sanitization near the log line
+ */
+function hasSanitization(lines, lineIndex) {
+    const start = Math.max(0, lineIndex - 3);
+    const end = Math.min(lines.length, lineIndex + 4);
+    const context = lines.slice(start, end).join('\n');
+    return SANITIZATION_PATTERNS.some(p => p.test(context));
+}
+/**
+ * Detect log injection patterns
+ */
+function detectLogInjection(content, filePath, options) {
+    const vulnerabilities = [];
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, file_classifier_1.isTestOrMockFile)(filePath))
+        return vulnerabilities;
+    // Skip Morgan/express middleware logging (intentional request logging)
+    if (MIDDLEWARE_LOGGING.test(content))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, file_classifier_1.isComment)(line))
+            continue;
+        // Check if this line is a log sink
+        const isLogSink = LOG_SINK_PATTERNS.some(p => p.test(line));
+        if (!isLogSink)
+            continue;
+        // Skip error logging (not user input)
+        if (isErrorLogging(line, lines, i))
+            continue;
+        // Check if user input flows to this log call
+        const userInput = containsUserInput(line, lines, i);
+        if (!userInput.found)
+            continue;
+        // Skip if sanitization is nearby
+        if (hasSanitization(lines, i))
+            continue;
+        // Determine severity
+        let severity = 'low';
+        let title = 'Log injection: User input in log statement';
+        let description = '';
+        if (userInput.type === 'header') {
+            severity = 'medium';
+            title = 'Log injection: HTTP headers in log statement';
+            description =
+                'HTTP request headers are logged without sanitization. Headers can contain CRLF sequences that forge log entries or inject malicious content into log processing tools.';
+        }
+        else if (userInput.type === 'spread' || userInput.type === 'stringify') {
+            severity = 'low';
+            title = 'Log injection: Entire request body logged';
+            description =
+                'Entire request body is logged, which may contain unsanitized user input. This can lead to log forging, log injection, or sensitive data exposure in logs.';
+        }
+        else {
+            severity = 'low';
+            title = 'Log injection: Request data in log statement';
+            description =
+                'User-controlled request data flows into a log statement. Unsanitized input can forge log entries or inject newlines to create misleading log records.';
+        }
+        vulnerabilities.push({
+            id: `loginj-${filePath}-${i + 1}`,
+            filePath,
+            lineNumber: i + 1,
+            lineContent: line.trim(),
+            severity,
+            category: 'log_injection',
+            title,
+            description,
+            suggestedFix: 'Sanitize user input before logging (strip newlines and control characters). Use structured logging (JSON format) to prevent log forging.',
+            confidence: severity === 'medium' ? 'high' : 'medium',
+            baseConfidence: BASE_CONFIDENCE,
+            layer: 2,
+            source: 'structural',
+            requiresAIValidation: severity !== 'medium',
+        });
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=log-injection.js.map

package/dist/detect/structural/log-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"log-injection.js","sourceRoot":"","sources":["../../../src/detect/structural/log-injection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA4KH,gDA2EC;AAnPD,iEAIoC;AAEpC,MAAM,eAAe,GAAG,IAAI,CAAA;AAM5B,wBAAwB;AACxB,MAAM,iBAAiB,GAAG;IACxB,mDAAmD;IACnD,sEAAsE;IACtE,4EAA4E;IAC5E,iDAAiD;CAClD,CAAA;AAED,4CAA4C;AAC5C,MAAM,mBAAmB,GAAG;IAC1B,iFAAiF;IACjF,sDAAsD;CACvD,CAAA;AAED,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,kCAAkC,CAAA;AAE5D,2DAA2D;AAC3D,MAAM,uBAAuB,GAAG;IAC9B,gCAAgC;IAChC,+CAA+C;IAC/C,eAAe;IACf,2CAA2C;IAC3C,iDAAiD;IACjD,iBAAiB;IACjB,YAAY;IACZ,WAAW;IACX,UAAU;IACV,YAAY;CACb,CAAA;AAED,mDAAmD;AACnD,MAAM,kBAAkB,GAAG,mFAAmF,CAAA;AAE9G,0CAA0C;AAC1C,MAAM,qBAAqB,GAAG;IAC5B,+BAA+B;IAC/B,eAAe;IACf,aAAa;IACb,8BAA8B;IAC9B,qBAAqB;IACrB,2BAA2B;CAC5B,CAAA;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY,EAAE,KAAe,EAAE,SAAiB;IAIzE,+BAA+B;IAC/B,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IACxC,CAAC;IAED,yCAAyC;IACzC,IAAI,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,iEAAiE;IACjE,IAAI,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9E,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IACxC,CAAC;IAED,4CAA4C;IAC5C,IAAI,4EAA4E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5F,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAA;IAC3C,CAAC;IAED,6CAA6C;IAC7C,IAAI,2EAA2E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3F,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,uCAAuC;IACvC,KAAK,IAAI,MAAM,GAAG,CAAC,CAAC,EAAE,MAAM,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC;QAC5C,IAAI,MAAM,KAAK,CAAC;YAAE,SAAQ;QAC1B,MAAM,GAAG,GAAG,SAAS,GAAG,MAAM,CAAA;QAC9B,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,MAAM;YAAE,SAAQ;QAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACpD,yEAAyE;YACzE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YACtC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC1D,sDAAsD;YACtD,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACpD,MAAM,WAAW,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACrD,IAAI,UAAU,GAAG,WAAW,EAAE,CAAC;gBAC7B,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;gBACxC,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,KAAe,EAAE,SAAiB;IACtE,wEAAwE;IACxE,IAAI,8FAA8F,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9G,OAAO,IAAI,CAAA;IACb,CAAC;IAED,0CAA0C;IAC1C,IAAI,wFAAwF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxG,OAAO,IAAI,CAAA;IACb,CAAC;IAED,wBAAwB;IACxB,IAAI,6DAA6D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7E,OAAO,IAAI,CAAA;IACb,CAAC;IAED,iCAAiC;IACjC,IAAI,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAChH,OAAO,IAAI,CAAA;IACb,CAAC;IAED,sCAAsC;IACtC,KAAK,IAAI,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACjE,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,sEAAsE;YACtE,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;gBAC9B,IAAI,IAAI,MAAM,CAAC,MAAM,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/C,OAAO,IAAI,CAAA;gBACb,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAe,EAAE,SAAiB;IACzD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAClD,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAA6B;IAE7B,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEtD,uEAAuE;IACvE,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,mCAAmC;QACnC,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAC3D,IAAI,CAAC,SAAS;YAAE,SAAQ;QAExB,sCAAsC;QACtC,IAAI,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAAE,SAAQ;QAE5C,6CAA6C;QAC7C,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;QACnD,IAAI,CAAC,SAAS,CAAC,KAAK;YAAE,SAAQ;QAE9B,iCAAiC;QACjC,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,SAAQ;QAEvC,qBAAqB;QACrB,IAAI,QAAQ,GAA0B,KAAK,CAAA;QAC3C,IAAI,KAAK,GAAG,4CAA4C,CAAA;QACxD,IAAI,WAAW,GAAG,EAAE,CAAA;QAEpB,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,QAAQ,GAAG,QAAQ,CAAA;YACnB,KAAK,GAAG,8CAA8C,CAAA;YACtD,WAAW;gBACT,wKAAwK,CAAA;QAC5K,CAAC;aAAM,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACzE,QAAQ,GAAG,KAAK,CAAA;YAChB,KAAK,GAAG,2CAA2C,CAAA;YACnD,WAAW;gBACT,2JAA2J,CAAA;QAC/J,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,KAAK,CAAA;YAChB,KAAK,GAAG,8CAA8C,CAAA;YACtD,WAAW;gBACT,uJAAuJ,CAAA;QAC3J,CAAC;QAED,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,UAAU,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;YACjC,QAAQ;YACR,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK;YACL,WAAW;YACX,YAAY,EACV,0IAA0I;YAC5I,UAAU,EAAE,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACrD,cAAc,EAAE,eAAe;YAC/B,KAAK,EAAE,CAAC;YACN,MAAM,EAAE,YAAqB;YAC/B,oBAAoB,EAAE,QAAQ,KAAK,QAAQ;SAC5C,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/logic-gates.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 2: Logic Gates Detection
+ * Identifies security bypass patterns and dangerous logic flows
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function detectLogicGates(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=logic-gates.d.ts.map

package/dist/detect/structural/logic-gates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic-gates.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/logic-gates.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAoI1D,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAkFjB"}

package/dist/detect/structural/logic-gates.js

@@ -0,0 +1,227 @@
+"use strict";
+/**
+ * Layer 2: Logic Gates Detection
+ * Identifies security bypass patterns and dangerous logic flows
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectLogicGates = detectLogicGates;
+const file_classifier_1 = require("../../parse/file-classifier");
+const comment_analyzer_1 = require("../../shared/comment-analyzer");
+const intent_detector_1 = require("../../shared/intent-detector");
+const BASE_CONFIDENCE = 0.20;
+// Patterns for security bypass logic
+const LOGIC_PATTERNS = [
+    // Development mode bypasses
+    {
+        name: 'Development mode security bypass',
+        pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]production['"]\s*\)\s*(return\s+true|return\s*;|continue|break)/gi,
+        severity: 'high',
+        description: 'Security check bypassed in non-production environments',
+        suggestedFix: 'Remove development-only bypasses or ensure they cannot be triggered in production',
+    },
+    {
+        name: 'Development mode auth skip',
+        pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/gi,
+        severity: 'medium',
+        description: 'Code path that only runs in development - verify no security implications',
+        suggestedFix: 'Ensure this development-only code does not bypass security controls',
+    },
+    // Auth bypasses
+    {
+        name: 'Authentication bypass pattern',
+        pattern: /if\s*\(\s*(true|1|!false)\s*\)\s*{\s*(return|next|resolve)/gi,
+        severity: 'critical',
+        description: 'Hardcoded truthy condition may bypass authentication',
+        suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
+    },
+    // NOTE: 'Commented auth check' pattern has been replaced with smart comment analysis
+    // The isDisabledAuthComment() function distinguishes explanatory comments from disabled code
+    // This is handled specially in detectLogicGates() below
+    // Skip validation patterns
+    {
+        name: 'Validation skip',
+        pattern: /skipValidation\s*[=:]\s*true|validate\s*[=:]\s*false|noValidate\s*[=:]\s*true/gi,
+        severity: 'high',
+        description: 'Input validation explicitly disabled',
+        suggestedFix: 'Enable validation or ensure this is intentional and documented',
+    },
+    // Debug/test bypasses
+    {
+        name: 'Debug bypass',
+        pattern: /if\s*\(\s*(DEBUG|TEST|SKIP_AUTH|BYPASS|DISABLE_AUTH)\s*\)/gi,
+        severity: 'high',
+        description: 'Debug/test flag may bypass security controls',
+        suggestedFix: 'Remove debug bypasses before deploying to production',
+    },
+    // Unsafe defaults
+    {
+        name: 'Unsafe default allow',
+        pattern: /default\s*:\s*(return\s+true|allow|permit|grant)/gi,
+        severity: 'medium',
+        description: 'Default case allows access - should default to deny',
+        suggestedFix: 'Change default behavior to deny access (fail-safe defaults)',
+    },
+    // Empty catch blocks
+    {
+        name: 'Empty error handler',
+        pattern: /catch\s*\([^)]*\)\s*{\s*(\/\/.*)?}/gi,
+        severity: 'medium',
+        description: 'Empty catch block may hide security errors',
+        suggestedFix: 'Log the error or handle it appropriately',
+    },
+    // Disabled security features
+    {
+        name: 'Disabled CSRF protection',
+        pattern: /csrf\s*[=:]\s*false|disableCsrf|csrfProtection\s*[=:]\s*false/gi,
+        severity: 'high',
+        description: 'CSRF protection explicitly disabled',
+        suggestedFix: 'Enable CSRF protection for state-changing requests',
+    },
+    {
+        name: 'Disabled SSL verification',
+        pattern: /rejectUnauthorized\s*[=:]\s*false|verify\s*[=:]\s*false|ssl\s*[=:]\s*false|NODE_TLS_REJECT_UNAUTHORIZED/gi,
+        severity: 'critical',
+        description: 'SSL/TLS certificate verification disabled',
+        suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
+    },
+    // Insecure comparisons - ONLY flag actual secret comparisons
+    // Timing attacks are only relevant when comparing cryptographic secrets
+    // Do NOT flag: error codes, UI state, null checks, empty strings, route IDs, type checks
+    {
+        name: 'Timing attack vulnerable comparison',
+        // Only match explicit secret-related variable names being compared with ===
+        // This avoids flagging general string comparisons which are not timing-sensitive
+        pattern: /\b(password|secret|token|apiKey|api_key|credential|hash|digest|signature|privateKey|private_key|secretKey|secret_key)\s*===?\s*['"][^'"]+['"]/gi,
+        severity: 'medium',
+        description: 'Direct comparison of secret value may be vulnerable to timing attacks',
+        suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
+    },
+    // Unsafe redirects - NOTE: Now uses intent detection to distinguish from React state setters
+    // The pattern is checked, but isReactStateSetter() is used to skip false positives
+    {
+        name: 'Open redirect vulnerability',
+        pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
+        severity: 'high',
+        description: 'Redirect URL from user input may allow open redirect attacks',
+        suggestedFix: 'Validate redirect URLs against an allowlist of trusted domains',
+    },
+    // Admin/superuser bypasses
+    {
+        name: 'Admin bypass pattern',
+        pattern: /if\s*\(\s*(isAdmin|isSuperUser|isRoot|role\s*===?\s*['"]admin['"])\s*\)\s*(return|continue|break)/gi,
+        severity: 'medium',
+        description: 'Admin role bypasses normal security checks',
+        suggestedFix: 'Ensure admin bypass is intentional and properly audited',
+    },
+];
+// Check if line is a comment
+function isComment(line) {
+    const trimmed = line.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+function detectLogicGates(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    // Check each line against patterns
+    lines.forEach((line, index) => {
+        // Skip comment lines (handled separately below for auth comments)
+        if (isComment(line)) {
+            return;
+        }
+        for (const logicPattern of LOGIC_PATTERNS) {
+            const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags);
+            if (regex.test(line)) {
+                // Special handling for redirect patterns - check if it's actually a React state setter
+                if (logicPattern.name === 'Open redirect vulnerability') {
+                    if ((0, intent_detector_1.isReactStateSetter)(line)) {
+                        // This is a React state setter like setState(), not a redirect
+                        continue;
+                    }
+                    if (!(0, intent_detector_1.isActualRedirect)(line)) {
+                        // This doesn't look like an actual redirect function
+                        continue;
+                    }
+                }
+                vulnerabilities.push({
+                    id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: logicPattern.severity,
+                    category: 'security_bypass',
+                    title: logicPattern.name,
+                    description: logicPattern.description,
+                    suggestedFix: logicPattern.suggestedFix,
+                    confidence: 'medium',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+                break; // Only report once per line
+            }
+        }
+    });
+    // Smart comment analysis for disabled auth patterns
+    // Only flag comments that are genuinely disabled code, not explanatory comments
+    lines.forEach((line, index) => {
+        // Check if this is a comment line with auth-related content
+        if (isComment(line) && /auth|permission|verify|check|token/i.test(line)) {
+            // Use smart analysis to determine if this is disabled code
+            if ((0, comment_analyzer_1.isDisabledAuthComment)(lines, index)) {
+                vulnerabilities.push({
+                    id: `logic-${filePath}-${index + 1}-commented-auth-check`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: 'high',
+                    category: 'security_bypass',
+                    title: 'Commented auth check',
+                    description: 'Commented out authentication/authorization code detected. This may indicate disabled security controls.',
+                    suggestedFix: 'Remove commented code or restore the security check',
+                    confidence: 'medium',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+            }
+        }
+    });
+    // Multi-line pattern detection (for more complex patterns)
+    const multiLineFindings = detectMultiLinePatterns(content, filePath);
+    vulnerabilities.push(...multiLineFindings);
+    return vulnerabilities;
+}
+// Detect patterns that span multiple lines
+function detectMultiLinePatterns(content, filePath) {
+    const vulnerabilities = [];
+    const lines = content.split('\n');
+    // Detect try-catch with empty or minimal error handling
+    const tryCatchPattern = /try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(\n\s*)*(\/\/[^\n]*)?\s*}/g;
+    let match;
+    while ((match = tryCatchPattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split('\n').length;
+        vulnerabilities.push({
+            id: `logic-multiline-${filePath}-${lineNumber}`,
+            filePath,
+            lineNumber,
+            lineContent: lines[lineNumber - 1]?.trim() || 'try {',
+            severity: 'medium',
+            category: 'security_bypass',
+            title: 'Silent error handling',
+            description: 'Try-catch block with minimal error handling may hide security issues',
+            suggestedFix: 'Log errors appropriately and handle them based on type',
+            confidence: 'low',
+            baseConfidence: BASE_CONFIDENCE,
+            layer: 2,
+            source: 'structural',
+        });
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=logic-gates.js.map

package/dist/detect/structural/logic-gates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic-gates.js","sourceRoot":"","sources":["../../../src/detect/structural/logic-gates.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAuIH,4CAsFC;AAzND,iEAAoE;AACpE,oEAAqE;AACrE,kEAAmF;AAEnF,MAAM,eAAe,GAAG,IAAI,CAAA;AAU5B,qCAAqC;AACrC,MAAM,cAAc,GAAmB;IACrC,4BAA4B;IAC5B;QACE,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,oHAAoH;QAC7H,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wDAAwD;QACrE,YAAY,EAAE,mFAAmF;KAClG;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,yEAAyE;QAClF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,2EAA2E;QACxF,YAAY,EAAE,qEAAqE;KACpF;IACD,gBAAgB;IAChB;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,YAAY,EAAE,mEAAmE;KAClF;IACD,qFAAqF;IACrF,6FAA6F;IAC7F,wDAAwD;IACxD,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;QACnD,YAAY,EAAE,gEAAgE;KAC/E;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6DAA6D;QACtE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,sDAAsD;KACrE;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,qDAAqD;QAClE,YAAY,EAAE,6DAA6D;KAC5E;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,0CAA0C;KACzD;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,oDAAoD;KACnE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2GAA2G;QACpH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,8DAA8D;KAC7E;IACD,6DAA6D;IAC7D,wEAAwE;IACxE,yFAAyF;IACzF;QACE,IAAI,EAAE,qCAAqC;QAC3C,4EAA4E;QAC5E,iFAAiF;QACjF,OAAO,EAAE,iJAAiJ;QAC1J,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uEAAuE;QACpF,YAAY,EAAE,yEAAyE;KACxF;IACD,6FAA6F;IAC7F,mFAAmF;IACnF;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,gEAAgE;KAC/E;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,qGAAqG;QAC9G,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,gBAAgB,CAC9B,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,mCAAmC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,kEAAkE;QAClE,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,OAAM;QACR,CAAC;QAED,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEjF,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,uFAAuF;gBACvF,IAAI,YAAY,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBACxD,IAAI,IAAA,oCAAkB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,+DAA+D;wBAC/D,SAAQ;oBACV,CAAC;oBACD,IAAI,CAAC,IAAA,kCAAgB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,qDAAqD;wBACrD,SAAQ;oBACV,CAAC;gBACH,CAAC;gBAED,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,SAAS,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,EAAE;oBACzD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,YAAY,CAAC,QAAQ;oBAC/B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,YAAY,CAAC,IAAI;oBACxB,WAAW,EAAE,YAAY,CAAC,WAAW;oBACrC,YAAY,EAAE,YAAY,CAAC,YAAY;oBACvC,UAAU,EAAE,QAAQ;oBACpB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,oDAAoD;IACpD,gFAAgF;IAChF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,4DAA4D;QAC5D,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACxE,2DAA2D;YAC3D,IAAI,IAAA,wCAAqB,EAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;gBACxC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,SAAS,QAAQ,IAAI,KAAK,GAAG,CAAC,uBAAuB;oBACzD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,sBAAsB;oBAC7B,WAAW,EAAE,yGAAyG;oBACtH,YAAY,EAAE,qDAAqD;oBACnE,UAAU,EAAE,QAAQ;oBACpB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACpE,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAA;IAE1C,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,2CAA2C;AAC3C,SAAS,uBAAuB,CAAC,OAAe,EAAE,QAAgB;IAChE,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,wDAAwD;IACxD,MAAM,eAAe,GAAG,uEAAuE,CAAA;IAC/F,IAAI,KAAK,CAAA;IAET,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACvE,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,mBAAmB,QAAQ,IAAI,UAAU,EAAE;YAC/C,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,OAAO;YACrD,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,iBAAiB;YAC3B,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,sEAAsE;YACnF,YAAY,EAAE,wDAAwD;YACtE,UAAU,EAAE,KAAK;YACjB,cAAc,EAAE,eAAe;YAC/B,KAAK,EAAE,CAAC;YACN,MAAM,EAAE,YAAqB;SAChC,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/risky-imports.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 2: Risky Import/Package Analysis
+ * Detects imports of packages known to have security concerns or deprecated
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function detectRiskyImports(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=risky-imports.d.ts.map

package/dist/detect/structural/risky-imports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risky-imports.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/risky-imports.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,oBAAoB,CAAA;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAqJ1D,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAqCjB"}