@oculum/scanner 1.0.13 → 1.0.15

package/dist/detect/structural/auth-patterns.js

@@ -1,533 +0,0 @@
-"use strict";
-/**
- * Layer 2: Authentication Anti-Pattern Detection
- * Identifies weak or missing authentication/authorization patterns
- *
- * Key improvements:
- * - Respects global middleware protection (caps severity at info)
- * - Detects throwing auth helpers and suppresses redundant null checks
- * - Properly classifies public endpoints
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectAuthAntipatterns = detectAuthAntipatterns;
-const middleware_detector_1 = require("../../model/middleware-detector");
-const auth_helper_detector_1 = require("../../model/auth-helper-detector");
-const file_classifier_1 = require("../../parse/file-classifier");
-const route_hierarchy_1 = require("../../model/route-hierarchy");
-const schema_semantics_1 = require("../../shared/schema-semantics");
-const intent_detector_1 = require("../../shared/intent-detector");
-const BASE_CONFIDENCE = 0.40;
-const AUTH_ANTIPATTERNS = [
-    // Missing auth checks
-    {
-        name: 'Unprotected API route',
-        pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/gi,
-        severity: 'medium',
-        description: 'API route handler may lack authentication - verify auth is checked',
-        suggestedFix: 'Add authentication middleware or check session at the start of the handler',
-    },
-    {
-        name: 'Express route without auth middleware',
-        pattern: /\.(get|post|put|delete|patch)\s*\(\s*['"][^'"]+['"]\s*,\s*(async\s*)?\(\s*(req|request)/gi,
-        severity: 'medium',
-        description: 'Express route may lack authentication middleware',
-        suggestedFix: 'Add authentication middleware before the route handler',
-    },
-    // Weak authentication patterns
-    {
-        name: 'Hardcoded credentials check',
-        pattern: /if\s*\(\s*(username|user|email)\s*===?\s*['"][^'"]+['"]\s*&&\s*(password|pass|pwd)\s*===?\s*['"][^'"]+['"]/gi,
-        severity: 'critical',
-        description: 'Hardcoded credentials in authentication logic',
-        suggestedFix: 'Use a proper user database with hashed passwords',
-    },
-    {
-        name: 'Password in plain text comparison',
-        pattern: /password\s*===?\s*user\.password|user\.password\s*===?\s*password/gi,
-        severity: 'high',
-        description: 'Plain text password comparison detected',
-        suggestedFix: 'Use bcrypt.compare() or similar for password verification',
-    },
-    {
-        name: 'JWT without verification',
-        pattern: /jwt\.decode\s*\([^)]+\)(?!.*verify)/gi,
-        severity: 'high',
-        description: 'JWT decoded without signature verification',
-        suggestedFix: 'Use jwt.verify() instead of jwt.decode() for authentication',
-    },
-    {
-        name: 'Weak JWT secret',
-        pattern: /jwt\.sign\s*\([^)]+,\s*['"][^'"]{1,20}['"]/gi,
-        severity: 'high',
-        description: 'JWT signed with a short/weak secret',
-        suggestedFix: 'Use a strong, random secret of at least 256 bits from environment variables',
-    },
-    // Session issues
-    {
-        name: 'Session without secure flag',
-        pattern: /session\s*\(\s*\{[^}]*(?!secure\s*:\s*true)[^}]*\}/gi,
-        severity: 'medium',
-        description: 'Session configuration may lack secure flag',
-        suggestedFix: 'Set secure: true for cookies in production',
-    },
-    // NOTE: Cookie httpOnly detection removed - causes false positives
-    // Client-side code (document.cookie) cannot set httpOnly - it's a server-only flag
-    // Server-side cookie libraries have proper defaults
-    // The pattern was triggering on client-side cookie access which is conceptually wrong
-    // Authorization issues
-    // NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
-    // when throwing auth helpers are in use. Those helpers guarantee the user exists.
-    // This pattern is now much more targeted.
-    {
-        name: 'Missing role check for admin operation',
-        pattern: /\b(admin|superuser|moderator|owner)\b.*(?:delete|remove|update|modify|grant|revoke)/gi,
-        severity: 'low',
-        description: 'Potentially privileged operation - verify role/permission checks are in place',
-        suggestedFix: 'Add role-based access control for sensitive operations',
-    },
-    {
-        name: 'Client-side only auth check',
-        pattern: /if\s*\(\s*!?\s*(isAuthenticated|isLoggedIn|user)\s*\)\s*\{?\s*(router\.push|navigate|redirect|window\.location)/gi,
-        severity: 'medium',
-        description: 'Client-side only authentication redirect detected',
-        suggestedFix: 'Implement server-side authentication checks as well',
-    },
-    // Insecure token handling
-    {
-        name: 'Token in URL',
-        pattern: /\?.*token=|&token=|\?.*api_key=|&api_key=/gi,
-        severity: 'high',
-        description: 'Sensitive token passed in URL query parameter',
-        suggestedFix: 'Pass tokens in Authorization header or request body',
-    },
-    {
-        name: 'Token in localStorage',
-        pattern: /localStorage\.(setItem|getItem)\s*\(\s*['"](token|jwt|auth|session|apiKey)/gi,
-        severity: 'medium',
-        description: 'Sensitive token stored in localStorage (XSS vulnerable)',
-        suggestedFix: 'Use httpOnly cookies for token storage',
-    },
-    // OAuth/Social auth issues
-    // NOTE: OAuth detection narrowed significantly to reduce false positives.
-    // Previously matched any line containing "oauth" which flagged variable names, imports, etc.
-    // Now only matches actual OAuth authorization URL construction.
-    {
-        name: 'OAuth state parameter missing',
-        // Only match actual OAuth authorization URL construction without state parameter
-        // Must have: authorize endpoint + client_id/redirect_uri but missing state
-        pattern: /['"`]https?:\/\/[^'"]*\/(?:oauth|authorize|auth)[^'"]*client_id=[^'"]*(?!.*state=)/gi,
-        severity: 'medium',
-        description: 'OAuth authorization URL may lack state parameter for CSRF protection',
-        suggestedFix: 'Include a random state parameter in OAuth authorization requests',
-    },
-    // Password handling issues
-    {
-        name: 'Password logged',
-        pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*password/gi,
-        severity: 'critical',
-        description: 'Password may be logged to console',
-        suggestedFix: 'Never log passwords or sensitive credentials',
-    },
-    // NOTE: 'Password in error message' pattern now uses smart intent detection
-    // Error CODES like 'SAME_PASSWORD' are not flagged (they're codes, not values)
-    // Only actual password values concatenated into errors are flagged
-    // This is handled specially in detectAuthAntipatterns() below
-    // Rate limiting
-    {
-        name: 'Login without rate limiting',
-        pattern: /\/(login|signin|auth|authenticate)\s*['"],\s*(async\s*)?\(/gi,
-        severity: 'medium',
-        description: 'Login endpoint may lack rate limiting',
-        suggestedFix: 'Add rate limiting to prevent brute force attacks',
-    },
-    // 2FA bypass
-    {
-        name: 'Potential 2FA bypass',
-        pattern: /skip2fa|bypass2fa|disable2fa|twoFactor\s*[=:]\s*false/gi,
-        severity: 'high',
-        description: 'Two-factor authentication bypass detected',
-        suggestedFix: 'Remove 2FA bypass options in production',
-    },
-];
-// Check if line is a comment
-function isComment(line) {
-    const trimmed = line.trim();
-    return (trimmed.startsWith('//') ||
-        trimmed.startsWith('#') ||
-        trimmed.startsWith('*') ||
-        trimmed.startsWith('/*'));
-}
-// Check if file is likely an auth-related file
-function isAuthRelatedFile(filePath) {
-    const authKeywords = ['auth', 'login', 'session', 'user', 'account', 'credential', 'password', 'token', 'jwt', 'oauth'];
-    const lowerPath = filePath.toLowerCase();
-    return authKeywords.some(keyword => lowerPath.includes(keyword));
-}
-/**
- * Check if file is an auth implementation/library file
- * These files ARE the auth system - flagging them for "missing auth" is wrong
- *
- * Examples:
- * - packages/auth/src/handlers.ts
- * - lib/auth/middleware.ts
- * - services/authentication/index.ts
- */
-function isAuthImplementationFile(filePath) {
-    const authImplPatterns = [
-        /\/packages\/auth\//i,
-        /\/lib\/auth\//i,
-        /\/utils\/auth\//i,
-        /\/services\/auth/i,
-        /\/authentication\//i,
-        /\/auth-provider/i,
-        /\/auth-helpers/i,
-        /\/auth-utils/i,
-        /\/passport-/i, // Passport.js strategy files
-        /\/next-auth\//i, // NextAuth config
-        /\/lucia\//i, // Lucia auth
-        /\/better-auth\//i, // Better Auth
-        /\/supabase\/auth/i, // Supabase auth
-        /\/clerk\//i, // Clerk auth
-        /\/auth0\//i, // Auth0
-        /\/keycloak\//i, // Keycloak
-    ];
-    return authImplPatterns.some(p => p.test(filePath));
-}
-// Check if endpoint is a known public endpoint (health checks, webhooks, cron)
-function isKnownPublicEndpoint(lineContent, filePath) {
-    const PUBLIC_ENDPOINTS = [
-        // Health checks
-        /\/health\b/i,
-        /\/healthz\b/i,
-        /\/ready\b/i,
-        /\/live\b/i,
-        /\/ping\b/i,
-        /\/status\b/i,
-        /\/_health/i,
-        // Webhooks (receive external calls)
-        /\/webhook\b/i,
-        /\/webhooks\//i,
-        /\/callback\b/i,
-        /\/stripe\/webhook/i,
-        /\/clerk\/webhook/i,
-        /\/svix\//i,
-        // Cron/scheduled tasks
-        /\/cron\//i,
-        /\/scheduled\//i,
-        /\/tasks\//i,
-        /\/jobs?\//i,
-        // Public APIs - intentionally unauthenticated
-        /\/public\//i,
-        /\/openpage/i, // OpenPage API pattern (intentionally public)
-        /\/open-api\//i,
-        /\/api\/public\//i,
-        /\/api\/v\d+\/public\//i,
-        /\bGET\b.*\/api\/\w+\/\[id\]/i, // Public resource reads with ID param
-        // Auth endpoints (must be public for users to authenticate)
-        /\/api\/auth\//i,
-        /\/auth\//i,
-        /\/login\b/i,
-        /\/signup\b/i,
-        /\/register\b/i,
-        /\/forgot-password/i,
-        /\/reset-password/i,
-        /\/verify-email/i,
-        /\/magic-link/i,
-        /\/oauth\//i,
-        // RSS/Atom feeds (typically public)
-        /\/feed\b/i,
-        /\/rss\b/i,
-        /\/atom\b/i,
-        // Sitemap/robots (always public)
-        /\/sitemap/i,
-        /\/robots/i,
-        // OpenGraph/meta endpoints
-        /\/og\//i,
-        /\/opengraph/i,
-        /\/meta\//i,
-        // Share/embed endpoints
-        /\/share\//i,
-        /\/embed\//i,
-        /\/widget\//i,
-    ];
-    return PUBLIC_ENDPOINTS.some(pattern => pattern.test(lineContent) || pattern.test(filePath));
-}
-// Check if there are auth indicators in nearby lines (within 15 lines)
-function hasAuthCheckNearby(lines, lineIndex) {
-    const startLine = Math.max(0, lineIndex);
-    const endLine = Math.min(lines.length, lineIndex + 15);
-    const searchWindow = lines.slice(startLine, endLine);
-    const authIndicators = [
-        /authorization/i,
-        /bearer\s+token/i,
-        /req\.user/,
-        /request\.user/,
-        /isAuthenticated/,
-        /requireAuth/,
-        /verifyToken/,
-        /checkPermission/,
-        /getServerSession/,
-        /auth\(\)/,
-        /middleware.*auth/i,
-        /session\s*\.\s*user/,
-        // Internal secret checks (network-level auth)
-        /internal.?secret/i,
-        /INTERNAL_SECRET/,
-        /x-internal-secret/i,
-        /admin.?secret/i,
-        /service.?token/i,
-        // BYOK patterns - user provides their own API key (implicit auth)
-        /userApiKey|user_api_key|clientApiKey/i,
-        /req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
-        /headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
-        // Next.js / React auth patterns (expanded)
-        /const\s+session\s*=\s*await\s+auth\s*\(\)/, // const session = await auth()
-        /const\s+\{\s*session\s*\}\s*=\s*await\s+auth\s*\(\)/, // const { session } = await auth()
-        /if\s*\(\s*!session\?\.user/, // if (!session?.user)
-        /if\s*\(\s*!session\s*\)/, // if (!session)
-        /session\s*\?\.\s*user/, // session?.user
-        /getServerSession\s*\(\s*authOptions/, // getServerSession(authOptions)
-        /getServerSession\s*\(\s*req\s*,\s*res/, // getServerSession(req, res, ...)
-        /useSession\s*\(\)/, // useSession()
-        /signIn\s*\(/, // signIn()
-        /signOut\s*\(/, // signOut()
-        // Clerk auth patterns
-        /currentUser\s*\(\)/, // currentUser()
-        /auth\s*\(\)\s*\.\s*protect/, // auth().protect
-        /auth\s*\(\)\s*\.\s*userId/, // auth().userId
-        /clerkClient/i,
-        /getAuth\s*\(/,
-        /ClerkProvider/,
-        // Supabase auth patterns
-        /supabase\s*\.\s*auth\s*\.\s*getUser/, // supabase.auth.getUser()
-        /supabase\s*\.\s*auth\s*\.\s*getSession/, // supabase.auth.getSession()
-        /createServerClient/, // Supabase server client
-        /createRouteHandlerClient/,
-        // Lucia auth patterns
-        /lucia\s*\.\s*validateSession/,
-        /validateRequest/,
-        // Better Auth patterns
-        /betterAuth/,
-        /auth\.api\./,
-        // Throwing auth helpers (if these are called, route is authenticated)
-        /throw\s+new\s+Error\s*\(\s*['"]unauthorized/i,
-        /throw\s+new\s+Error\s*\(\s*['"]unauthenticated/i,
-        /ChatSDKError\s*\(\s*['"]unauthorized/i,
-        /return\s+new\s+Response\s*\(\s*.*401/,
-        /return\s+NextResponse\s*\.\s*json\s*\(\s*.*401/,
-    ];
-    return searchWindow.some(line => authIndicators.some(pattern => pattern.test(line)));
-}
-function detectAuthAntipatterns(content, filePath, options = {}) {
-    const { middlewareConfig, authHelpers, fileAuthImports, parsed } = options;
-    const vulnerabilities = [];
-    // Skip scanner/fixture files to avoid self-detection
-    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    const lines = parsed?.lines ?? content.split('\n');
-    const isAuthFile = isAuthRelatedFile(filePath);
-    const isAuthImpl = isAuthImplementationFile(filePath);
-    // Check framework route hierarchy protection (Remix, Next.js route groups)
-    const routeHierarchy = (0, route_hierarchy_1.getRouteProtectionContext)(filePath);
-    // Check if this route is protected by global middleware
-    const routePath = (0, middleware_detector_1.getRoutePathFromFile)(filePath);
-    const middlewareProtection = routePath && middlewareConfig
-        ? (0, middleware_detector_1.isRouteProtectedByMiddleware)(routePath, middlewareConfig)
-        : { isProtected: false, reason: '' };
-    // Check if file uses imported auth middleware/helpers
-    const importedAuthProtection = fileAuthImports?.get(filePath);
-    const usesImportedAuth = importedAuthProtection?.usesImportedAuth ?? false;
-    // Check if file uses throwing auth helpers
-    const helpersList = authHelpers?.helpers || [];
-    // Check if this is a component only used in authenticated contexts
-    const isAuthOnlyComponent = (0, route_hierarchy_1.isAuthenticatedOnlyComponent)(filePath);
-    lines.forEach((line, index) => {
-        // Skip comment lines
-        if (isComment(line))
-            return;
-        for (const pattern of AUTH_ANTIPATTERNS) {
-            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-            if (regex.test(line)) {
-                // Special handling for unprotected route patterns
-                if (pattern.name === 'Unprotected API route' ||
-                    pattern.name === 'Express route without auth middleware') {
-                    // PRIORITY -1: Skip auth implementation files entirely
-                    // These files ARE the auth system - flagging them for "missing auth" is conceptually wrong
-                    if (isAuthImpl) {
-                        break; // Skip this pattern
-                    }
-                    // PRIORITY 0: Check if this is actually a route file
-                    // In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
-                    // `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
-                    // export GET/POST functions.
-                    const isActualRouteFile = /\/(route|page)\.(ts|js|tsx|jsx)$/i.test(filePath) ||
-                        /\/(api|routes?)\/.*\/(index|route)\.(ts|js)$/i.test(filePath) ||
-                        // Express/Koa routes typically have 'routes' or 'router' in path
-                        /\/(routes?|router|controllers?)\.[tj]s$/i.test(filePath);
-                    // Files explicitly named as handlers, helpers, utils are not routes
-                    const isUtilityFile = /(handler|helper|util|mock|test|fixture|safe|example)/i.test(filePath);
-                    if (!isActualRouteFile || isUtilityFile) {
-                        // Not an actual route file - skip this finding
-                        break;
-                    }
-                    // PRIORITY 0.5: Check if route is in a protected route hierarchy
-                    // Framework route conventions (Remix _authenticated+, Next.js route groups)
-                    if (routeHierarchy.isInProtectedHierarchy) {
-                        // Route is in a protected hierarchy - cap severity at info
-                        vulnerabilities.push({
-                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
-                            filePath,
-                            lineNumber: index + 1,
-                            lineContent: line.trim(),
-                            severity: 'info',
-                            category: 'missing_auth',
-                            title: pattern.name + ' (in protected route hierarchy)',
-                            description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
-                            suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
-                            confidence: 'low',
-                            baseConfidence: BASE_CONFIDENCE,
-                            layer: 2,
-                            source: 'structural',
-                        });
-                        break; // Only report once per line
-                    }
-                    // PRIORITY 0.75: Check if this is a component only used in authenticated contexts
-                    if (isAuthOnlyComponent) {
-                        // Component is in admin/dashboard/etc - skip entirely
-                        break;
-                    }
-                    // PRIORITY 1: Check if route is protected by global middleware
-                    // This is the STRONGEST signal - if middleware protects the route, suppress entirely
-                    if (middlewareProtection.isProtected) {
-                        // Route is authenticated by middleware - no finding needed
-                        break; // Skip this pattern, route is protected
-                    }
-                    // PRIORITY 1.5: Check if file imports and uses auth middleware
-                    // e.g., import { authMiddleware } from '@/lib/auth' + wraps handlers
-                    if (usesImportedAuth) {
-                        // File imports auth middleware and uses it - no finding needed
-                        break; // Skip this pattern, route is protected via imported auth
-                    }
-                    // PRIORITY 2: Check if file uses throwing auth helpers
-                    // If getCurrentUserId() or similar is called, the route is authenticated
-                    const authHelperCall = (0, auth_helper_detector_1.hasAuthHelperCallBefore)(content, index, helpersList);
-                    if (authHelperCall.hasCall && authHelperCall.helper) {
-                        // Route uses a throwing auth helper - no finding needed
-                        // The auth helper guarantees authenticated context
-                        break; // Skip this pattern, route is protected
-                    }
-                    // PRIORITY 3: Check if this is a known public endpoint
-                    if (isKnownPublicEndpoint(line, filePath)) {
-                        vulnerabilities.push({
-                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
-                            filePath,
-                            lineNumber: index + 1,
-                            lineContent: line.trim(),
-                            severity: 'info',
-                            category: 'missing_auth',
-                            title: pattern.name + ' (public endpoint)',
-                            description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
-                            suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
-                            confidence: 'low',
-                            baseConfidence: BASE_CONFIDENCE,
-                            layer: 2,
-                            source: 'structural',
-                        });
-                        break; // Only report once per line
-                    }
-                    // PRIORITY 4: Check if auth check exists nearby (inline check)
-                    if (hasAuthCheckNearby(lines, index)) {
-                        vulnerabilities.push({
-                            id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
-                            filePath,
-                            lineNumber: index + 1,
-                            lineContent: line.trim(),
-                            severity: 'low',
-                            category: 'missing_auth',
-                            title: pattern.name,
-                            description: pattern.description + ' (auth check detected in nearby lines)',
-                            suggestedFix: pattern.suggestedFix,
-                            confidence: 'low',
-                            baseConfidence: BASE_CONFIDENCE,
-                            layer: 2,
-                            source: 'structural',
-                        });
-                        break; // Only report once per line
-                    }
-                }
-                // Standard handling for all patterns (or fallback for route patterns)
-                // Boost confidence for auth-related files
-                const confidence = isAuthFile ? 'high' : 'medium';
-                vulnerabilities.push({
-                    id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
-                    filePath,
-                    lineNumber: index + 1,
-                    lineContent: line.trim(),
-                    severity: pattern.severity,
-                    category: 'missing_auth',
-                    title: pattern.name,
-                    description: pattern.description,
-                    suggestedFix: pattern.suggestedFix,
-                    confidence,
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                });
-                break; // Only report once per line
-            }
-        }
-    });
-    // Special handling: Password in error message with smart intent detection
-    // Only flag actual password VALUES, not error CODES like 'SAME_PASSWORD'
-    const passwordErrorPattern = /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi;
-    lines.forEach((line, index) => {
-        if (isComment(line))
-            return;
-        if (passwordErrorPattern.test(line)) {
-            // Reset regex state
-            passwordErrorPattern.lastIndex = 0;
-            // Skip if this is an error CODE, not a VALUE
-            if ((0, intent_detector_1.isPasswordErrorCode)(line)) {
-                return; // This is fine - 'SAME_PASSWORD' is a code, not a value
-            }
-            // Only flag if actual password value is in the error
-            if ((0, intent_detector_1.hasPasswordValueInError)(line)) {
-                vulnerabilities.push({
-                    id: `auth-antipattern-${filePath}-${index + 1}-password-in-error`,
-                    filePath,
-                    lineNumber: index + 1,
-                    lineContent: line.trim(),
-                    severity: 'high',
-                    category: 'missing_auth',
-                    title: 'Password value in error message',
-                    description: 'Actual password value may be included in error message, exposing sensitive data.',
-                    suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
-                    confidence: 'high',
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                });
-            }
-        }
-    });
-    // Special handling: 2FA optional fields with OR validation
-    // Don't flag .optional() on 2FA fields if there's .refine() enforcing OR logic
-    const twoFAOptionalPattern = /\.(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa).*\.optional\s*\(\)/gi;
-    lines.forEach((line, index) => {
-        if (isComment(line))
-            return;
-        if (twoFAOptionalPattern.test(line)) {
-            // Reset regex state
-            twoFAOptionalPattern.lastIndex = 0;
-            // Check if this is legitimate OR validation (either TOTP or backup code required)
-            if ((0, schema_semantics_1.is2FAOrValidation)(content, index)) {
-                // This is legitimate OR validation - skip or report as info
-                return;
-            }
-            // Only flag if this truly allows bypassing 2FA
-            // Most cases with .refine() are fine - this is handled by schema-semantics.ts
-        }
-    });
-    return vulnerabilities;
-}
-//# sourceMappingURL=auth-patterns.js.map

package/dist/detect/structural/auth-patterns.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-patterns.js","sourceRoot":"","sources":["../../../src/detect/structural/auth-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAiXH,wDAmPC;AA/lBD,yEAAoG;AAEpG,2EAAoG;AAEpG,iEAAoE;AACpE,iEAAqG;AACrG,oEAAiE;AACjE,kEAA2F;AAE3F,MAAM,eAAe,GAAG,IAAI,CAAA;AAU5B,MAAM,iBAAiB,GAAsB;IAC3C,sBAAsB;IACtB;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,mEAAmE;QAC5E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oEAAoE;QACjF,YAAY,EAAE,4EAA4E;KAC3F;IACD;QACE,IAAI,EAAE,uCAAuC;QAC7C,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,wDAAwD;KACvE;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8GAA8G;QACvH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,kDAAkD;KACjE;IACD;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,YAAY,EAAE,2DAA2D;KAC1E;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,6DAA6D;KAC5E;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,6EAA6E;KAC5F;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,4CAA4C;KAC3D;IACD,mEAAmE;IACnE,mFAAmF;IACnF,oDAAoD;IACpD,sFAAsF;IAEtF,uBAAuB;IACvB,uFAAuF;IACvF,kFAAkF;IAClF,0CAA0C;IAC1C;QACE,IAAI,EAAE,wCAAwC;QAC9C,OAAO,EAAE,uFAAuF;QAChG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,+EAA+E;QAC5F,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,mHAAmH;QAC5H,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mDAAmD;QAChE,YAAY,EAAE,qDAAqD;KACpE;IAED,0BAA0B;IAC1B;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+CAA+C;QAC5D,YAAY,EAAE,qDAAqD;KACpE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,wCAAwC;KACvD;IAED,2BAA2B;IAC3B,0EAA0E;IAC1E,6FAA6F;IAC7F,gEAAgE;IAChE;QACE,IAAI,EAAE,+BAA+B;QACrC,iFAAiF;QACjF,2EAA2E;QAC3E,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,kEAAkE;KACjF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mCAAmC;QAChD,YAAY,EAAE,8CAA8C;KAC7D;IACD,4EAA4E;IAC5E,+EAA+E;IAC/E,mEAAmE;IACnE,8DAA8D;IAE9D,gBAAgB;IAChB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uCAAuC;QACpD,YAAY,EAAE,kDAAkD;KACjE;IAED,aAAa;IACb;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,yCAAyC;KACxD;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;IACvH,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAA;IACxC,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,wBAAwB,CAAC,QAAgB;IAChD,MAAM,gBAAgB,GAAG;QACvB,qBAAqB;QACrB,gBAAgB;QAChB,kBAAkB;QAClB,mBAAmB;QACnB,qBAAqB;QACrB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,cAAc,EAAe,6BAA6B;QAC1D,gBAAgB,EAAa,kBAAkB;QAC/C,YAAY,EAAiB,aAAa;QAC1C,kBAAkB,EAAW,cAAc;QAC3C,mBAAmB,EAAU,gBAAgB;QAC7C,YAAY,EAAiB,aAAa;QAC1C,YAAY,EAAiB,QAAQ;QACrC,eAAe,EAAc,WAAW;KACzC,CAAA;IACD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,+EAA+E;AAC/E,SAAS,qBAAqB,CAAC,WAAmB,EAAE,QAAgB;IAClE,MAAM,gBAAgB,GAAG;QACvB,gBAAgB;QAChB,aAAa;QACb,cAAc;QACd,YAAY;QACZ,WAAW;QACX,WAAW;QACX,aAAa;QACb,YAAY;QAEZ,oCAAoC;QACpC,cAAc;QACd,eAAe;QACf,eAAe;QACf,oBAAoB;QACpB,mBAAmB;QACnB,WAAW;QAEX,uBAAuB;QACvB,WAAW;QACX,gBAAgB;QAChB,YAAY;QACZ,YAAY;QAEZ,8CAA8C;QAC9C,aAAa;QACb,aAAa,EAAS,8CAA8C;QACpE,eAAe;QACf,kBAAkB;QAClB,wBAAwB;QACxB,8BAA8B,EAAG,sCAAsC;QAEvE,4DAA4D;QAC5D,gBAAgB;QAChB,WAAW;QACX,YAAY;QACZ,aAAa;QACb,eAAe;QACf,oBAAoB;QACpB,mBAAmB;QACnB,iBAAiB;QACjB,eAAe;QACf,YAAY;QAEZ,oCAAoC;QACpC,WAAW;QACX,UAAU;QACV,WAAW;QAEX,iCAAiC;QACjC,YAAY;QACZ,WAAW;QAEX,2BAA2B;QAC3B,SAAS;QACT,cAAc;QACd,WAAW;QAEX,wBAAwB;QACxB,YAAY;QACZ,YAAY;QACZ,aAAa;KACd,CAAA;IAED,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACrC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CACpD,CAAA;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,kBAAkB,CAAC,KAAe,EAAE,SAAiB;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;IACtD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAEpD,MAAM,cAAc,GAAG;QACrB,gBAAgB;QAChB,iBAAiB;QACjB,WAAW;QACX,eAAe;QACf,iBAAiB;QACjB,aAAa;QACb,aAAa;QACb,iBAAiB;QACjB,kBAAkB;QAClB,UAAU;QACV,mBAAmB;QACnB,qBAAqB;QACrB,8CAA8C;QAC9C,mBAAmB;QACnB,iBAAiB;QACjB,oBAAoB;QACpB,gBAAgB;QAChB,iBAAiB;QACjB,kEAAkE;QAClE,uCAAuC;QACvC,uDAAuD;QACvD,sDAAsD;QAEtD,2CAA2C;QAC3C,2CAA2C,EAAW,+BAA+B;QACrF,qDAAqD,EAAE,mCAAmC;QAC1F,4BAA4B,EAA2B,sBAAsB;QAC7E,yBAAyB,EAA8B,gBAAgB;QACvE,uBAAuB,EAAgC,gBAAgB;QACvE,qCAAqC,EAAkB,gCAAgC;QACvF,uCAAuC,EAAe,kCAAkC;QACxF,mBAAmB,EAAoC,eAAe;QACtE,aAAa,EAA0C,WAAW;QAClE,cAAc,EAAyC,YAAY;QAEnE,sBAAsB;QACtB,oBAAoB,EAAmC,gBAAgB;QACvE,4BAA4B,EAA0B,iBAAiB;QACvE,2BAA2B,EAA2B,gBAAgB;QACtE,cAAc;QACd,cAAc;QACd,eAAe;QAEf,yBAAyB;QACzB,qCAAqC,EAAgB,0BAA0B;QAC/E,wCAAwC,EAAa,6BAA6B;QAClF,oBAAoB,EAAmC,yBAAyB;QAChF,0BAA0B;QAE1B,sBAAsB;QACtB,8BAA8B;QAC9B,iBAAiB;QAEjB,uBAAuB;QACvB,YAAY;QACZ,aAAa;QAEb,sEAAsE;QACtE,8CAA8C;QAC9C,iDAAiD;QACjD,uCAAuC;QACvC,sCAAsC;QACtC,gDAAgD;KACjD,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9B,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CACnD,CAAA;AACH,CAAC;AASD,SAAgB,sBAAsB,CACpC,OAAe,EACf,QAAgB,EAChB,UAAkC,EAAE;IAEpC,MAAM,EAAE,gBAAgB,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAC1E,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAClD,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;IAC9C,MAAM,UAAU,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAA;IAErD,2EAA2E;IAC3E,MAAM,cAAc,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;IAE1D,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAA,0CAAoB,EAAC,QAAQ,CAAC,CAAA;IAChD,MAAM,oBAAoB,GAAG,SAAS,IAAI,gBAAgB;QACxD,CAAC,CAAC,IAAA,kDAA4B,EAAC,SAAS,EAAE,gBAAgB,CAAC;QAC3D,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAA;IAEtC,sDAAsD;IACtD,MAAM,sBAAsB,GAAG,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAA;IAC7D,MAAM,gBAAgB,GAAG,sBAAsB,EAAE,gBAAgB,IAAI,KAAK,CAAA;IAE1E,2CAA2C;IAC3C,MAAM,WAAW,GAAG,WAAW,EAAE,OAAO,IAAI,EAAE,CAAA;IAE9C,mEAAmE;IACnE,MAAM,mBAAmB,GAAG,IAAA,8CAA4B,EAAC,QAAQ,CAAC,CAAA;IAElE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,kDAAkD;gBAClD,IAAI,OAAO,CAAC,IAAI,KAAK,uBAAuB;oBACxC,OAAO,CAAC,IAAI,KAAK,uCAAuC,EAAE,CAAC;oBAE7D,uDAAuD;oBACvD,2FAA2F;oBAC3F,IAAI,UAAU,EAAE,CAAC;wBACf,MAAK,CAAC,oBAAoB;oBAC5B,CAAC;oBAED,qDAAqD;oBACrD,+EAA+E;oBAC/E,6EAA6E;oBAC7E,6BAA6B;oBAC7B,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC1E,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC9D,iEAAiE;wBACjE,0CAA0C,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE3D,oEAAoE;oBACpE,MAAM,aAAa,GAAG,uDAAuD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAE5F,IAAI,CAAC,iBAAiB,IAAI,aAAa,EAAE,CAAC;wBACxC,+CAA+C;wBAC/C,MAAK;oBACP,CAAC;oBAED,iEAAiE;oBACjE,4EAA4E;oBAC5E,IAAI,cAAc,CAAC,sBAAsB,EAAE,CAAC;wBAC1C,2DAA2D;wBAC3D,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,iCAAiC;4BACvD,WAAW,EAAE,qDAAqD,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,kEAAkE;4BAC9K,YAAY,EAAE,4EAA4E;4BAC1F,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,kFAAkF;oBAClF,IAAI,mBAAmB,EAAE,CAAC;wBACxB,sDAAsD;wBACtD,MAAK;oBACP,CAAC;oBAED,+DAA+D;oBAC/D,qFAAqF;oBACrF,IAAI,oBAAoB,CAAC,WAAW,EAAE,CAAC;wBACrC,2DAA2D;wBAC3D,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,+DAA+D;oBAC/D,qEAAqE;oBACrE,IAAI,gBAAgB,EAAE,CAAC;wBACrB,+DAA+D;wBAC/D,MAAK,CAAC,0DAA0D;oBAClE,CAAC;oBAED,uDAAuD;oBACvD,yEAAyE;oBACzE,MAAM,cAAc,GAAG,IAAA,8CAAuB,EAAC,OAAO,EAAE,KAAK,EAAE,WAAW,CAAC,CAAA;oBAC3E,IAAI,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;wBACpD,wDAAwD;wBACxD,mDAAmD;wBACnD,MAAK,CAAC,wCAAwC;oBAChD,CAAC;oBAED,uDAAuD;oBACvD,IAAI,qBAAqB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;wBAC1C,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI,GAAG,oBAAoB;4BAC1C,WAAW,EAAE,qJAAqJ;4BAClK,YAAY,EAAE,yJAAyJ;4BACvK,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;oBAED,+DAA+D;oBAC/D,IAAI,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;wBACrC,eAAe,CAAC,IAAI,CAAC;4BACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;4BAC/D,QAAQ;4BACR,UAAU,EAAE,KAAK,GAAG,CAAC;4BACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,QAAQ,EAAE,KAAK;4BACf,QAAQ,EAAE,cAAc;4BACxB,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,wCAAwC;4BAC3E,YAAY,EAAE,OAAO,CAAC,YAAY;4BAClC,UAAU,EAAE,KAAK;4BACjB,cAAc,EAAE,eAAe;4BAC/B,KAAK,EAAE,CAAC;4BACd,MAAM,EAAE,YAAqB;yBACxB,CAAC,CAAA;wBACF,MAAK,CAAC,4BAA4B;oBACpC,CAAC;gBACH,CAAC;gBAED,sEAAsE;gBACtE,0CAA0C;gBAC1C,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;gBAEjD,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE;oBAC/D,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,OAAO,CAAC,IAAI;oBACnB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU;oBACV,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,0EAA0E;IAC1E,yEAAyE;IACzE,MAAM,oBAAoB,GAAG,iEAAiE,CAAA;IAC9F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,6CAA6C;YAC7C,IAAI,IAAA,qCAAmB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,OAAM,CAAC,wDAAwD;YACjE,CAAC;YAED,qDAAqD;YACrD,IAAI,IAAA,yCAAuB,EAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,oBAAoB,QAAQ,IAAI,KAAK,GAAG,CAAC,oBAAoB;oBACjE,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EAAE,kFAAkF;oBAC/F,YAAY,EAAE,kFAAkF;oBAChG,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,+EAA+E;IAC/E,MAAM,oBAAoB,GAAG,6EAA6E,CAAA;IAC1G,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,oBAAoB;YACpB,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAA;YAElC,kFAAkF;YAClF,IAAI,IAAA,oCAAiB,EAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;gBACtC,4DAA4D;gBAC5D,OAAM;YACR,CAAC;YAED,+CAA+C;YAC/C,8EAA8E;QAChF,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/dangerous-functions/child-process.d.ts

@@ -1,16 +0,0 @@
-/**
- * Child Process Detection
- *
- * Detection logic for child_process functions (exec, spawn, execFile, etc.)
- * that can lead to command injection vulnerabilities.
- */
-/**
- * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
- * Returns true if this is a child_process exec call that should be flagged
- */
-export declare function isChildProcessExec(content: string, lineContent: string): boolean;
-/**
- * Check if spawn/execFile/execSync is from child_process
- */
-export declare function isChildProcessSpawn(content: string, lineContent: string): boolean;
-//# sourceMappingURL=child-process.d.ts.map

package/dist/detect/structural/dangerous-functions/child-process.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../../../src/detect/structural/dangerous-functions/child-process.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAiEhF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAgBjF"}

package/dist/detect/structural/dangerous-functions/child-process.js

@@ -1,74 +0,0 @@
-"use strict";
-/**
- * Child Process Detection
- *
- * Detection logic for child_process functions (exec, spawn, execFile, etc.)
- * that can lead to command injection vulnerabilities.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isChildProcessExec = isChildProcessExec;
-exports.isChildProcessSpawn = isChildProcessSpawn;
-/**
- * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
- * Returns true if this is a child_process exec call that should be flagged
- */
-function isChildProcessExec(content, lineContent) {
-    // Check for child_process import
-    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
-        /from\s+['"]child_process['"]/.test(content) ||
-        /import\s+.*child_process/.test(content) ||
-        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
-        /from\s+['"]node:child_process['"]/.test(content);
-    // If no child_process import, this is likely RegExp.exec or similar
-    if (!hasChildProcessImport) {
-        return false;
-    }
-    // Check if this specific line is RegExp.exec pattern
-    // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
-    const isRegExpExec = /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
-        !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')); // Not a standalone exec()
-    // Also check for common RegExp patterns
-    const isRegExpPattern = /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
-        /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
-        /regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
-        /pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
-        /match\.exec\s*\(/i.test(lineContent) || // match.exec()
-        /re\.exec\s*\(/i.test(lineContent); // re.exec()
-    if (isRegExpExec || isRegExpPattern) {
-        return false;
-    }
-    // Check if exec is imported/destructured from child_process
-    const execImported = /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
-        /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
-        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
-        /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content);
-    // If exec is directly imported from child_process, standalone exec() is dangerous
-    if (execImported && /\bexec\s*\(/.test(lineContent)) {
-        return true;
-    }
-    // Check for child_process.exec() pattern
-    if (/child_process\.exec\s*\(/.test(lineContent) ||
-        /cp\.exec\s*\(/.test(lineContent) ||
-        /childProcess\.exec\s*\(/.test(lineContent)) {
-        return true;
-    }
-    // If we have child_process import but can't determine usage, be conservative
-    // Only flag if it looks like a standalone exec() call
-    return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent);
-}
-/**
- * Check if spawn/execFile/execSync is from child_process
- */
-function isChildProcessSpawn(content, lineContent) {
-    // Check for child_process import
-    const hasChildProcessImport = /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
-        /from\s+['"]child_process['"]/.test(content) ||
-        /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
-        /from\s+['"]node:child_process['"]/.test(content);
-    if (!hasChildProcessImport) {
-        return false;
-    }
-    // These functions are always from child_process when that module is imported
-    return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent);
-}
-//# sourceMappingURL=child-process.js.map