@oculum/scanner 1.0.12 → 1.0.13

package/dist/model/route-hierarchy.js

@@ -0,0 +1,226 @@
+"use strict";
+/**
+ * Route Hierarchy Utility
+ * Understands framework-specific route hierarchy conventions
+ *
+ * This addresses false positives where routes inside authenticated layouts
+ * are flagged for "missing auth" when they inherit protection from parents.
+ *
+ * Key insight: Modern frameworks use layouts/middleware that protect entire
+ * route subtrees - child routes inherit this protection.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRouteProtectionContext = getRouteProtectionContext;
+exports.isProtectedByRouteHierarchy = isProtectedByRouteHierarchy;
+exports.isAdminRoute = isAdminRoute;
+exports.isAuthenticatedOnlyComponent = isAuthenticatedOnlyComponent;
+/**
+ * Framework-specific route conventions
+ */
+const FRAMEWORK_ROUTE_CONVENTIONS = {
+    remix: {
+        // Pathless layout routes - children inherit from parent
+        protectedLayouts: [
+            { pattern: /_authenticated\+/, name: 'Remix _authenticated+ layout' },
+            { pattern: /\(authenticated\)/, name: 'Remix (authenticated) route group' },
+            { pattern: /_protected\+/, name: 'Remix _protected+ layout' },
+            { pattern: /\(protected\)/, name: 'Remix (protected) route group' },
+            { pattern: /__authenticated/, name: 'Remix __authenticated layout' },
+            { pattern: /_auth\+/, name: 'Remix _auth+ layout' },
+        ],
+        adminLayouts: [
+            { pattern: /admin\+/, name: 'Remix admin+ layout' },
+            { pattern: /\(admin\)/, name: 'Remix (admin) route group' },
+            { pattern: /_admin\+/, name: 'Remix _admin+ layout' },
+            { pattern: /__admin/, name: 'Remix __admin layout' },
+        ],
+        // Detection pattern for Remix routes
+        routeDetection: /routes\//,
+    },
+    nextjs: {
+        protectedGroups: [
+            { pattern: /\(authenticated\)/, name: 'Next.js (authenticated) route group' },
+            { pattern: /\(protected\)/, name: 'Next.js (protected) route group' },
+            { pattern: /\(dashboard\)/, name: 'Next.js (dashboard) route group' },
+            { pattern: /\(private\)/, name: 'Next.js (private) route group' },
+            { pattern: /\(secure\)/, name: 'Next.js (secure) route group' },
+            { pattern: /\(user\)/, name: 'Next.js (user) route group' },
+            { pattern: /\(account\)/, name: 'Next.js (account) route group' },
+            { pattern: /\(app\)/, name: 'Next.js (app) route group' },
+        ],
+        adminGroups: [
+            { pattern: /\(admin\)/, name: 'Next.js (admin) route group' },
+        ],
+        // Detection pattern for Next.js App Router
+        routeDetection: /\/app\//,
+    },
+    sveltekit: {
+        protectedGroups: [
+            { pattern: /\(authenticated\)/, name: 'SvelteKit (authenticated) group' },
+            { pattern: /\(protected\)/, name: 'SvelteKit (protected) group' },
+            { pattern: /\(authed\)/, name: 'SvelteKit (authed) group' },
+        ],
+        adminGroups: [
+            { pattern: /\(admin\)/, name: 'SvelteKit (admin) group' },
+        ],
+        routeDetection: /\/routes\//,
+    },
+};
+/**
+ * Generic protected path patterns (framework-agnostic)
+ */
+const GENERIC_PROTECTED_PATTERNS = [
+    // Dashboard sections typically require auth
+    { pattern: /\/dashboard\//, name: 'Dashboard section' },
+    // Account/settings sections
+    { pattern: /\/account\//, name: 'Account section' },
+    { pattern: /\/settings\//, name: 'Settings section' },
+    { pattern: /\/profile\//, name: 'Profile section' },
+    // Admin sections
+    { pattern: /\/admin\//, name: 'Admin section' },
+    // User-specific routes with dynamic segments
+    { pattern: /\/users\/\[/, name: 'User-specific route' },
+    { pattern: /\/user\/\[/, name: 'User-specific route' },
+    // My-* routes (personal content)
+    { pattern: /\/my-/, name: 'Personal content route' },
+];
+/**
+ * Admin path patterns
+ */
+const ADMIN_PATH_PATTERNS = [
+    /\/admin\//i,
+    /\(admin\)/i,
+    /_admin\+/i,
+    /admin\+/i,
+    /\/backoffice\//i,
+    /\/management\//i,
+];
+/**
+ * Detect which framework this file belongs to
+ */
+function detectFramework(filePath) {
+    // Check for Remix patterns
+    if (FRAMEWORK_ROUTE_CONVENTIONS.remix.routeDetection.test(filePath)) {
+        // Remix uses routes/ directory
+        if (/_authenticated\+|_\w+\+/.test(filePath)) {
+            return 'remix';
+        }
+    }
+    // Check for Next.js App Router patterns
+    if (FRAMEWORK_ROUTE_CONVENTIONS.nextjs.routeDetection.test(filePath)) {
+        return 'nextjs';
+    }
+    // Check for SvelteKit patterns
+    if (FRAMEWORK_ROUTE_CONVENTIONS.sveltekit.routeDetection.test(filePath)) {
+        return 'sveltekit';
+    }
+    return 'unknown';
+}
+/**
+ * Get route protection context for a file path
+ *
+ * @param filePath - The full file path to analyze
+ * @returns RouteProtectionContext with protection information
+ */
+function getRouteProtectionContext(filePath) {
+    const sources = [];
+    const framework = detectFramework(filePath);
+    let isAdminRoute = false;
+    // Check Remix conventions
+    for (const layout of FRAMEWORK_ROUTE_CONVENTIONS.remix.protectedLayouts) {
+        if (layout.pattern.test(filePath)) {
+            sources.push(layout.name);
+        }
+    }
+    for (const layout of FRAMEWORK_ROUTE_CONVENTIONS.remix.adminLayouts) {
+        if (layout.pattern.test(filePath)) {
+            sources.push(layout.name);
+            isAdminRoute = true;
+        }
+    }
+    // Check Next.js conventions
+    for (const group of FRAMEWORK_ROUTE_CONVENTIONS.nextjs.protectedGroups) {
+        if (group.pattern.test(filePath)) {
+            sources.push(group.name);
+        }
+    }
+    for (const group of FRAMEWORK_ROUTE_CONVENTIONS.nextjs.adminGroups) {
+        if (group.pattern.test(filePath)) {
+            sources.push(group.name);
+            isAdminRoute = true;
+        }
+    }
+    // Check SvelteKit conventions
+    for (const group of FRAMEWORK_ROUTE_CONVENTIONS.sveltekit.protectedGroups) {
+        if (group.pattern.test(filePath)) {
+            sources.push(group.name);
+        }
+    }
+    for (const group of FRAMEWORK_ROUTE_CONVENTIONS.sveltekit.adminGroups) {
+        if (group.pattern.test(filePath)) {
+            sources.push(group.name);
+            isAdminRoute = true;
+        }
+    }
+    // Check generic protected patterns
+    for (const pattern of GENERIC_PROTECTED_PATTERNS) {
+        if (pattern.pattern.test(filePath)) {
+            sources.push(pattern.name);
+        }
+    }
+    // Check if this is an admin route
+    if (!isAdminRoute) {
+        isAdminRoute = ADMIN_PATH_PATTERNS.some(pattern => pattern.test(filePath));
+    }
+    return {
+        isInProtectedHierarchy: sources.length > 0,
+        protectionSource: sources,
+        framework,
+        isAdminRoute,
+    };
+}
+/**
+ * Check if a file path is inside a protected route hierarchy
+ *
+ * @param filePath - The full file path
+ * @returns true if the route is protected by its hierarchy
+ */
+function isProtectedByRouteHierarchy(filePath) {
+    const context = getRouteProtectionContext(filePath);
+    return context.isInProtectedHierarchy;
+}
+/**
+ * Check if a file path is inside an admin route section
+ *
+ * @param filePath - The full file path
+ * @returns true if this is an admin route
+ */
+function isAdminRoute(filePath) {
+    const context = getRouteProtectionContext(filePath);
+    return context.isAdminRoute;
+}
+/**
+ * Check if a component is likely used only within authenticated routes
+ * Useful for components in /components/admin/ or similar
+ *
+ * @param filePath - The full file path
+ * @returns true if this component is likely only used in authenticated contexts
+ */
+function isAuthenticatedOnlyComponent(filePath) {
+    const authenticatedComponentPatterns = [
+        /\/components\/admin\//i,
+        /\/components\/dashboard\//i,
+        /\/components\/user\//i,
+        /\/components\/account\//i,
+        /\/components\/settings\//i,
+        /\/components\/protected\//i,
+        /\/components\/private\//i,
+        /\/components\/authenticated\//i,
+        // Features that are inherently authenticated
+        /\/features\/dashboard\//i,
+        /\/features\/admin\//i,
+        /\/features\/account\//i,
+    ];
+    return authenticatedComponentPatterns.some(pattern => pattern.test(filePath));
+}
+//# sourceMappingURL=route-hierarchy.js.map

package/dist/model/route-hierarchy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-hierarchy.js","sourceRoot":"","sources":["../../src/model/route-hierarchy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAkIH,8DA8DC;AAQD,kEAGC;AAQD,oCAGC;AASD,oEAiBC;AAnOD;;GAEG;AACH,MAAM,2BAA2B,GAAG;IAClC,KAAK,EAAE;QACL,wDAAwD;QACxD,gBAAgB,EAAE;YAChB,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,8BAA8B,EAAE;YACrE,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,mCAAmC,EAAE;YAC3E,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,0BAA0B,EAAE;YAC7D,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,+BAA+B,EAAE;YACnE,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,8BAA8B,EAAE;YACpE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,qBAAqB,EAAE;SACpD;QACD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,qBAAqB,EAAE;YACnD,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,2BAA2B,EAAE;YAC3D,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,sBAAsB,EAAE;YACrD,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,sBAAsB,EAAE;SACrD;QACD,qCAAqC;QACrC,cAAc,EAAE,UAAU;KAC3B;IAED,MAAM,EAAE;QACN,eAAe,EAAE;YACf,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,qCAAqC,EAAE;YAC7E,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,iCAAiC,EAAE;YACrE,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,iCAAiC,EAAE;YACrE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,+BAA+B,EAAE;YACjE,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,8BAA8B,EAAE;YAC/D,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,4BAA4B,EAAE;YAC3D,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,+BAA+B,EAAE;YACjE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,2BAA2B,EAAE;SAC1D;QACD,WAAW,EAAE;YACX,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,6BAA6B,EAAE;SAC9D;QACD,2CAA2C;QAC3C,cAAc,EAAE,SAAS;KAC1B;IAED,SAAS,EAAE;QACT,eAAe,EAAE;YACf,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,iCAAiC,EAAE;YACzE,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,6BAA6B,EAAE;YACjE,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,0BAA0B,EAAE;SAC5D;QACD,WAAW,EAAE;YACX,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,yBAAyB,EAAE;SAC1D;QACD,cAAc,EAAE,YAAY;KAC7B;CACF,CAAA;AAED;;GAEG;AACH,MAAM,0BAA0B,GAAG;IACjC,4CAA4C;IAC5C,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,mBAAmB,EAAE;IACvD,4BAA4B;IAC5B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACnD,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,kBAAkB,EAAE;IACrD,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACnD,iBAAiB;IACjB,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,eAAe,EAAE;IAC/C,6CAA6C;IAC7C,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,qBAAqB,EAAE;IACvD,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,qBAAqB,EAAE;IACtD,iCAAiC;IACjC,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE;CACrD,CAAA;AAED;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,UAAU;IACV,iBAAiB;IACjB,iBAAiB;CAClB,CAAA;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,2BAA2B;IAC3B,IAAI,2BAA2B,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpE,+BAA+B;QAC/B,IAAI,yBAAyB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7C,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,2BAA2B,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrE,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,+BAA+B;IAC/B,IAAI,2BAA2B,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,yBAAyB,CAAC,QAAgB;IACxD,MAAM,OAAO,GAAa,EAAE,CAAA;IAC5B,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IAC3C,IAAI,YAAY,GAAG,KAAK,CAAA;IAExB,0BAA0B;IAC1B,KAAK,MAAM,MAAM,IAAI,2BAA2B,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;QAC3B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,2BAA2B,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACpE,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YACzB,YAAY,GAAG,IAAI,CAAA;QACrB,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,KAAK,IAAI,2BAA2B,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;QACvE,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAC1B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,2BAA2B,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YACxB,YAAY,GAAG,IAAI,CAAA;QACrB,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,KAAK,MAAM,KAAK,IAAI,2BAA2B,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC;QAC1E,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAC1B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,2BAA2B,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QACtE,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YACxB,YAAY,GAAG,IAAI,CAAA;QACrB,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;QACjD,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QAC5B,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;IAC5E,CAAC;IAED,OAAO;QACL,sBAAsB,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAC1C,gBAAgB,EAAE,OAAO;QACzB,SAAS;QACT,YAAY;KACb,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,QAAgB;IAC1D,MAAM,OAAO,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAA;IACnD,OAAO,OAAO,CAAC,sBAAsB,CAAA;AACvC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,MAAM,OAAO,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAA;IACnD,OAAO,OAAO,CAAC,YAAY,CAAA;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,4BAA4B,CAAC,QAAgB;IAC3D,MAAM,8BAA8B,GAAG;QACrC,wBAAwB;QACxB,4BAA4B;QAC5B,uBAAuB;QACvB,0BAA0B;QAC1B,2BAA2B;QAC3B,4BAA4B;QAC5B,0BAA0B;QAC1B,gCAAgC;QAChC,6CAA6C;QAC7C,0BAA0B;QAC1B,sBAAsB;QACtB,wBAAwB;KACzB,CAAA;IAED,OAAO,8BAA8B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAC/E,CAAC"}

package/dist/model/sanitiser-detection.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Sanitiser Detection — Identifies sanitisation functions in code.
+ *
+ * Two-pass approach:
+ * 1. Scan imports to know which sanitisation libraries are available
+ * 2. Scan for sanitiser calls (context-sensitive)
+ */
+import type { SanitiserInfo, SanitiserTarget } from './taint-types';
+/**
+ * Detect sanitisation functions available in a file.
+ *
+ * Pass 1: Scan imports to determine which libraries are available.
+ * Pass 2: Find sanitiser call sites.
+ */
+export declare function detectSanitisers(content: string, _filePath: string): SanitiserInfo[];
+/**
+ * Check if a specific line contains a sanitiser call.
+ *
+ * Used during taint propagation to determine if a variable is sanitised
+ * at a particular assignment.
+ */
+export declare function isSanitiserCall(line: string, sanitisers: SanitiserInfo[]): {
+    sanitised: boolean;
+    method?: string;
+    target?: SanitiserTarget;
+};
+//# sourceMappingURL=sanitiser-detection.d.ts.map

package/dist/model/sanitiser-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitiser-detection.d.ts","sourceRoot":"","sources":["../../src/model/sanitiser-detection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAqInE;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,aAAa,EAAE,CAqFpF;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,aAAa,EAAE,GAC1B;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,eAAe,CAAA;CAAE,CAwBnE"}

package/dist/model/sanitiser-detection.js

@@ -0,0 +1,224 @@
+"use strict";
+/**
+ * Sanitiser Detection — Identifies sanitisation functions in code.
+ *
+ * Two-pass approach:
+ * 1. Scan imports to know which sanitisation libraries are available
+ * 2. Scan for sanitiser calls (context-sensitive)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectSanitisers = detectSanitisers;
+exports.isSanitiserCall = isSanitiserCall;
+const KNOWN_SANITISERS = [
+    {
+        library: 'dompurify',
+        importPatterns: [/\bDOMPurify\b/, /\bdompurify\b/, /\bisomorphic-dompurify\b/],
+        callPatterns: [
+            { pattern: /DOMPurify\.sanitize\s*\(/, sanitises: 'html', name: 'DOMPurify.sanitize' },
+            { pattern: /\bsanitize\s*\(/, sanitises: 'html', name: 'sanitize' },
+        ],
+    },
+    {
+        library: 'validator',
+        importPatterns: [/\bvalidator\b/],
+        callPatterns: [
+            { pattern: /validator\.escape\s*\(/, sanitises: 'html', name: 'validator.escape' },
+        ],
+    },
+    {
+        library: 'escape-html',
+        importPatterns: [/\bescape-html\b/, /\bescapeHtml\b/],
+        callPatterns: [
+            { pattern: /\bescapeHtml\s*\(/, sanitises: 'html', name: 'escapeHtml' },
+            { pattern: /\bescapeHTML\s*\(/, sanitises: 'html', name: 'escapeHTML' },
+        ],
+    },
+    {
+        library: 'xss',
+        importPatterns: [/\bxss\b/],
+        callPatterns: [
+            { pattern: /\bxss\s*\(/, sanitises: 'html', name: 'xss' },
+            { pattern: /\bfilterXSS\s*\(/, sanitises: 'html', name: 'filterXSS' },
+        ],
+    },
+    {
+        library: 'zod',
+        importPatterns: [/\bzod\b/, /\bfrom\s+['"]zod['"]/],
+        callPatterns: [
+            { pattern: /\.parse\s*\(/, sanitises: 'all', name: 'zod.parse' },
+            { pattern: /\.safeParse\s*\(/, sanitises: 'all', name: 'zod.safeParse' },
+        ],
+    },
+    {
+        library: 'joi',
+        importPatterns: [/\bjoi\b/, /\bfrom\s+['"]joi['"]/],
+        callPatterns: [
+            { pattern: /\.validate\s*\(/, sanitises: 'all', name: 'joi.validate' },
+        ],
+    },
+    {
+        library: 'yup',
+        importPatterns: [/\byup\b/, /\bfrom\s+['"]yup['"]/],
+        callPatterns: [
+            { pattern: /\.validate\s*\(/, sanitises: 'all', name: 'yup.validate' },
+            { pattern: /\.validateSync\s*\(/, sanitises: 'all', name: 'yup.validateSync' },
+        ],
+    },
+    {
+        library: 'shell-escape',
+        importPatterns: [/\bshell-escape\b/, /\bshellescape\b/],
+        callPatterns: [
+            { pattern: /\bshellescape\s*\(/, sanitises: 'command', name: 'shellescape' },
+        ],
+    },
+];
+const UNIVERSAL_SANITISERS = [
+    // Type coercion (always sanitises)
+    { pattern: /\bNumber\s*\(/, sanitises: 'all', name: 'Number', detection: 'known_library' },
+    { pattern: /\bparseInt\s*\(/, sanitises: 'all', name: 'parseInt', detection: 'known_library' },
+    { pattern: /\bparseFloat\s*\(/, sanitises: 'all', name: 'parseFloat', detection: 'known_library' },
+    { pattern: /\bBoolean\s*\(/, sanitises: 'all', name: 'Boolean', detection: 'known_library' },
+    { pattern: /\bString\s*\(/, sanitises: 'all', name: 'String', detection: 'known_library' },
+    // Path sanitisation
+    { pattern: /\bpath\.normalize\s*\(/, sanitises: 'path', name: 'path.normalize', detection: 'known_library' },
+    { pattern: /\bpath\.basename\s*\(/, sanitises: 'path', name: 'path.basename', detection: 'known_library' },
+    // Python
+    { pattern: /\bshlex\.quote\s*\(/, sanitises: 'command', name: 'shlex.quote', detection: 'known_library' },
+    { pattern: /\bhtml\.escape\s*\(/, sanitises: 'html', name: 'html.escape', detection: 'known_library' },
+    { pattern: /\bmarkup_safe\.escape\s*\(/, sanitises: 'html', name: 'markupsafe.escape', detection: 'known_library' },
+    // Name heuristic — functions with "sanitize", "escape", "encode" in name
+    { pattern: /\bsanitize\w*\s*\(/, sanitises: 'all', name: 'sanitize*', detection: 'name_heuristic' },
+    { pattern: /\bescape\w*\s*\(/, sanitises: 'html', name: 'escape*', detection: 'name_heuristic' },
+    { pattern: /\bencode(?:URI|URIComponent)\s*\(/, sanitises: 'url', name: 'encodeURI*', detection: 'known_library' },
+];
+// ============================================================================
+// Parameterised Query Detection
+// ============================================================================
+const PARAMETERISED_QUERY_PATTERNS = [
+    // Placeholder-based: .query('SELECT ... WHERE id = ?', [value])
+    /\.query\s*\(\s*['"`][^'"`]*\?\s*[^'"`]*['"`]\s*,\s*\[/,
+    // $1-style: .query('SELECT ... WHERE id = $1', [value])
+    /\.query\s*\(\s*['"`][^'"`]*\$\d+\s*[^'"`]*['"`]\s*,\s*\[/,
+    // Sequelize replacements: .query('...', { replacements: ... })
+    /\.query\s*\([^)]*\breplacements\s*:/,
+    // Knex parameterised: .where('id', value) or .where({ id: value })
+    /\.where\s*\(\s*['"`]\w+['"`]\s*,/,
+    /\.where\s*\(\s*\{/,
+];
+// ============================================================================
+// Main Detection Functions
+// ============================================================================
+/**
+ * Detect sanitisation functions available in a file.
+ *
+ * Pass 1: Scan imports to determine which libraries are available.
+ * Pass 2: Find sanitiser call sites.
+ */
+function detectSanitisers(content, _filePath) {
+    const lines = content.split('\n');
+    const sanitisers = [];
+    const seen = new Set();
+    // Pass 1: Determine which libraries are imported (only check import/require lines)
+    const availableLibraries = new Set();
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith('import') && !trimmed.includes('require(') && !trimmed.startsWith('from')) {
+            continue;
+        }
+        for (const lib of KNOWN_SANITISERS) {
+            if (lib.importPatterns.some(p => p.test(line))) {
+                availableLibraries.add(lib.library);
+            }
+        }
+    }
+    // Pass 2: Find sanitiser calls
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        // Skip comments
+        if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
+            continue;
+        }
+        // Check known library sanitisers (only if library is imported)
+        for (const lib of KNOWN_SANITISERS) {
+            if (!availableLibraries.has(lib.library))
+                continue;
+            for (const cp of lib.callPatterns) {
+                if (cp.pattern.test(line)) {
+                    const key = `${lineNumber}:${cp.name}`;
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    sanitisers.push({
+                        name: cp.name,
+                        line: lineNumber,
+                        sanitises: cp.sanitises,
+                        detection: 'known_library',
+                        library: lib.library,
+                    });
+                }
+            }
+        }
+        // Check universal sanitisers (always available)
+        for (const us of UNIVERSAL_SANITISERS) {
+            if (us.pattern.test(line)) {
+                const key = `${lineNumber}:${us.name}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                sanitisers.push({
+                    name: us.name,
+                    line: lineNumber,
+                    sanitises: us.sanitises,
+                    detection: us.detection,
+                });
+            }
+        }
+        // Check parameterised queries
+        for (const pqp of PARAMETERISED_QUERY_PATTERNS) {
+            if (pqp.test(line)) {
+                const key = `${lineNumber}:parameterised_query`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                sanitisers.push({
+                    name: 'parameterised_query',
+                    line: lineNumber,
+                    sanitises: 'sql',
+                    detection: 'known_library',
+                });
+            }
+        }
+    }
+    return sanitisers;
+}
+/**
+ * Check if a specific line contains a sanitiser call.
+ *
+ * Used during taint propagation to determine if a variable is sanitised
+ * at a particular assignment.
+ */
+function isSanitiserCall(line, sanitisers) {
+    // Check against known sanitisers found in the file
+    for (const s of sanitisers) {
+        // Check both by exact name match and by pattern
+        if (line.includes(s.name.replace('*', ''))) {
+            return { sanitised: true, method: s.name, target: s.sanitises };
+        }
+    }
+    // Check universal sanitisers directly
+    for (const us of UNIVERSAL_SANITISERS) {
+        if (us.pattern.test(line)) {
+            return { sanitised: true, method: us.name, target: us.sanitises };
+        }
+    }
+    // Check parameterised queries
+    for (const pqp of PARAMETERISED_QUERY_PATTERNS) {
+        if (pqp.test(line)) {
+            return { sanitised: true, method: 'parameterised_query', target: 'sql' };
+        }
+    }
+    return { sanitised: false };
+}
+//# sourceMappingURL=sanitiser-detection.js.map

package/dist/model/sanitiser-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitiser-detection.js","sourceRoot":"","sources":["../../src/model/sanitiser-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6IH,4CAqFC;AAQD,0CA2BC;AApPD,MAAM,gBAAgB,GAAqB;IACzC;QACE,OAAO,EAAE,WAAW;QACpB,cAAc,EAAE,CAAC,eAAe,EAAE,eAAe,EAAE,0BAA0B,CAAC;QAC9E,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,0BAA0B,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,EAAE;YACtF,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE;SACpE;KACF;IACD;QACE,OAAO,EAAE,WAAW;QACpB,cAAc,EAAE,CAAC,eAAe,CAAC;QACjC,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,wBAAwB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE;SACnF;KACF;IACD;QACE,OAAO,EAAE,aAAa;QACtB,cAAc,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QACrD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE;YACvE,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE;SACxE;KACF;IACD;QACE,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,CAAC,SAAS,CAAC;QAC3B,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE;YACzD,EAAE,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE;SACtE;KACF;IACD;QACE,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,CAAC,SAAS,EAAE,sBAAsB,CAAC;QACnD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE;YAChE,EAAE,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE;SACzE;KACF;IACD;QACE,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,CAAC,SAAS,EAAE,sBAAsB,CAAC;QACnD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE;SACvE;KACF;IACD;QACE,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,CAAC,SAAS,EAAE,sBAAsB,CAAC;QACnD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE;YACtE,EAAE,OAAO,EAAE,qBAAqB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE;SAC/E;KACF;IACD;QACE,OAAO,EAAE,cAAc;QACvB,cAAc,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,CAAC;QACvD,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE;SAC7E;KACF;CACF,CAAA;AAaD,MAAM,oBAAoB,GAAyB;IACjD,mCAAmC;IACnC,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE;IAC1F,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,eAAe,EAAE;IAC9F,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE;IAClG,EAAE,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,eAAe,EAAE;IAC5F,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE;IAE1F,oBAAoB;IACpB,EAAE,OAAO,EAAE,wBAAwB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE,eAAe,EAAE;IAC5G,EAAE,OAAO,EAAE,uBAAuB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,eAAe,EAAE;IAE1G,SAAS;IACT,EAAE,OAAO,EAAE,qBAAqB,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,eAAe,EAAE;IACzG,EAAE,OAAO,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,eAAe,EAAE;IACtG,EAAE,OAAO,EAAE,4BAA4B,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,EAAE,SAAS,EAAE,eAAe,EAAE;IAEnH,yEAAyE;IACzE,EAAE,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,gBAAgB,EAAE;IACnG,EAAE,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,gBAAgB,EAAE;IAChG,EAAE,OAAO,EAAE,mCAAmC,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE;CACnH,CAAA;AAED,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E,MAAM,4BAA4B,GAAa;IAC7C,gEAAgE;IAChE,uDAAuD;IACvD,wDAAwD;IACxD,0DAA0D;IAC1D,+DAA+D;IAC/D,qCAAqC;IACrC,mEAAmE;IACnE,kCAAkC;IAClC,mBAAmB;CACpB,CAAA;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,OAAe,EAAE,SAAiB;IACjE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,UAAU,GAAoB,EAAE,CAAA;IACtC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAE9B,mFAAmF;IACnF,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAA;IAC5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAClG,SAAQ;QACV,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;YACnC,IAAI,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC/C,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;YACrC,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QAE3B,gBAAgB;QAChB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACpF,SAAQ;QACV,CAAC;QAED,+DAA+D;QAC/D,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;YACnC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,SAAQ;YAElD,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;gBAClC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,EAAE,CAAC,IAAI,EAAE,CAAA;oBACtC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAQ;oBAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;oBAEb,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,EAAE,CAAC,IAAI;wBACb,IAAI,EAAE,UAAU;wBAChB,SAAS,EAAE,EAAE,CAAC,SAAS;wBACvB,SAAS,EAAE,eAAe;wBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;qBACrB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,KAAK,MAAM,EAAE,IAAI,oBAAoB,EAAE,CAAC;YACtC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,EAAE,CAAC,IAAI,EAAE,CAAA;gBACtC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAQ;gBAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;gBAEb,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,IAAI,EAAE,UAAU;oBAChB,SAAS,EAAE,EAAE,CAAC,SAAS;oBACvB,SAAS,EAAE,EAAE,CAAC,SAAS;iBACxB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,KAAK,MAAM,GAAG,IAAI,4BAA4B,EAAE,CAAC;YAC/C,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnB,MAAM,GAAG,GAAG,GAAG,UAAU,sBAAsB,CAAA;gBAC/C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAQ;gBAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;gBAEb,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,qBAAqB;oBAC3B,IAAI,EAAE,UAAU;oBAChB,SAAS,EAAE,KAAK;oBAChB,SAAS,EAAE,eAAe;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAC7B,IAAY,EACZ,UAA2B;IAE3B,mDAAmD;IACnD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,gDAAgD;QAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YAC3C,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,SAAS,EAAE,CAAA;QACjE,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,KAAK,MAAM,EAAE,IAAI,oBAAoB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,EAAE,CAAA;QACnE,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,KAAK,MAAM,GAAG,IAAI,4BAA4B,EAAE,CAAC;QAC/C,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,qBAAqB,EAAE,MAAM,EAAE,KAAK,EAAE,CAAA;QAC1E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;AAC7B,CAAC"}

package/dist/model/sink-matcher.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Sink Matcher — Matches tainted variables to dangerous sinks.
+ *
+ * Scans each line for known dangerous sink patterns, then checks if
+ * any tainted variable name appears on that line. Builds complete
+ * taint paths from source → propagation chain → sink.
+ */
+import type { TaintedVariable, TaintPath } from './taint-types';
+import type { SanitiserInfo } from './taint-types';
+/**
+ * Match tainted variables to dangerous sinks and build taint paths.
+ *
+ * For each line that matches a sink pattern, checks if any tainted variable
+ * appears on that line. Builds a complete TaintPath with source, chain, and sink.
+ */
+export declare function matchSinks(content: string, _filePath: string, taintedVariables: TaintedVariable[], sanitisers: SanitiserInfo[]): TaintPath[];
+//# sourceMappingURL=sink-matcher.d.ts.map

package/dist/model/sink-matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-matcher.d.ts","sourceRoot":"","sources":["../../src/model/sink-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,SAAS,EAAuB,MAAM,eAAe,CAAA;AACpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AA2FlD;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,eAAe,EAAE,EACnC,UAAU,EAAE,aAAa,EAAE,GAC1B,SAAS,EAAE,CAkEb"}

package/dist/model/sink-matcher.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Sink Matcher — Matches tainted variables to dangerous sinks.
+ *
+ * Scans each line for known dangerous sink patterns, then checks if
+ * any tainted variable name appears on that line. Builds complete
+ * taint paths from source → propagation chain → sink.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchSinks = matchSinks;
+const sanitiser_detection_1 = require("./sanitiser-detection");
+const sink_patterns_1 = require("./sink-patterns");
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Check if a tainted variable appears on a line (using word boundaries).
+ */
+function taintedVarAppearsOnLine(line, taintedVars) {
+    for (const tv of taintedVars) {
+        const regex = new RegExp(`\\b${(0, sink_patterns_1.escapeRegex)(tv.name)}\\b`);
+        if (regex.test(line)) {
+            return tv;
+        }
+    }
+    return null;
+}
+/**
+ * Build a taint chain from a tainted variable back to its source.
+ * Follows the propagation chain through assignments.
+ */
+function buildChain(target, allVars) {
+    const chain = [target];
+    let current = target;
+    const visited = new Set();
+    visited.add(current.name);
+    // Walk back through the propagation chain
+    while (current.source) {
+        const sourceVar = allVars.find(v => v.name === current.source.variable &&
+            v.taintedAt < current.taintedAt &&
+            !visited.has(v.name));
+        if (!sourceVar)
+            break;
+        visited.add(sourceVar.name);
+        chain.unshift(sourceVar);
+        current = sourceVar;
+    }
+    return chain;
+}
+/**
+ * Compute confidence for a taint path based on source confidence and chain length.
+ */
+function computePathConfidence(chain, sourceConfidence) {
+    const chainLen = chain.length;
+    if (sourceConfidence === 'high' && chainLen <= 3)
+        return 'high';
+    if (sourceConfidence === 'low' || chainLen > 5)
+        return 'low';
+    return 'medium';
+}
+/**
+ * Check if the line is a parameterised query (where the tainted var
+ * is in the parameter array, not interpolated into the query string).
+ */
+function isParameterisedQueryUsage(line, varName) {
+    // Pattern: .query('...', [varName]) — var is in the parameter array
+    const paramArrayPattern = new RegExp(`\\.query\\s*\\([^,]+,\\s*\\[[^\\]]*\\b${(0, sink_patterns_1.escapeRegex)(varName)}\\b[^\\]]*\\]`);
+    if (paramArrayPattern.test(line))
+        return true;
+    // Pattern: .where('column', varName) — Knex parameterised
+    const knexWherePattern = new RegExp(`\\.where\\s*\\(\\s*['"][^'"]+['"]\\s*,\\s*\\b${(0, sink_patterns_1.escapeRegex)(varName)}\\b`);
+    if (knexWherePattern.test(line))
+        return true;
+    return false;
+}
+// ============================================================================
+// Main Matching Function
+// ============================================================================
+/**
+ * Match tainted variables to dangerous sinks and build taint paths.
+ *
+ * For each line that matches a sink pattern, checks if any tainted variable
+ * appears on that line. Builds a complete TaintPath with source, chain, and sink.
+ */
+function matchSinks(content, _filePath, taintedVariables, sanitisers) {
+    if (taintedVariables.length === 0)
+        return [];
+    const lines = content.split('\n');
+    const taintPaths = [];
+    const seen = new Set();
+    // Get only unsanitised tainted variables (and all for chain building)
+    const activeTaintedVars = taintedVariables.filter(tv => !tv.sanitised);
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        // Skip comments
+        if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
+            continue;
+        }
+        // Check each sink pattern
+        for (const sp of sink_patterns_1.SINK_PATTERNS) {
+            if (!sp.pattern.test(line))
+                continue;
+            // Check if any tainted variable appears on this line
+            const taintedVar = taintedVarAppearsOnLine(line, activeTaintedVars);
+            if (!taintedVar)
+                continue;
+            // Dedup: one taint path per source-sink-line combination
+            const key = `${taintedVar.source.variable}:${sp.sinkType}:${lineNumber}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            // Build the sink
+            const sink = {
+                line: lineNumber,
+                expression: trimmed,
+                sinkType: sp.sinkType,
+            };
+            // Build the chain from source to this variable
+            const chain = buildChain(taintedVar, taintedVariables);
+            // Check if sanitised at the sink line itself
+            const sinkSanitResult = (0, sanitiser_detection_1.isSanitiserCall)(line, sanitisers);
+            const isSanitised = sinkSanitResult.sanitised || taintedVar.sanitised;
+            // Special case: parameterised SQL queries
+            const isParamQuery = sp.sinkType === 'sql_query' && isParameterisedQueryUsage(line, taintedVar.name);
+            const sanitised = isSanitised || isParamQuery;
+            // Compute confidence
+            const confidence = computePathConfidence(chain, taintedVar.source.confidence);
+            taintPaths.push({
+                source: taintedVar.source,
+                chain,
+                sink,
+                sanitised,
+                confidence,
+            });
+        }
+    }
+    return taintPaths;
+}
+//# sourceMappingURL=sink-matcher.js.map