@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/ast-rules/secret-patterns-ast.ts

@@ -0,0 +1,223 @@
+/**
+ * AST-Based Hardcoded Secret Pattern Detection
+ *
+ * Migrates secrets/patterns.ts from regex to AST for source code files.
+ * Scans string literals in the AST for known secret patterns (API keys, tokens).
+ *
+ * AST advantages over regex:
+ * - Only scans actual string values (not comments, type annotations, JSDoc)
+ * - Understands assignment context (can check if value is env ref or placeholder)
+ * - Handles template literals with interpolation
+ * - Can detect secrets split across string concatenation
+ *
+ * NOTE: The regex version in secrets/patterns.ts continues to handle
+ * non-AST-parseable files (.env, .yaml, Dockerfile, etc.)
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { extractStringValue } from './helpers/string-analysis'
+import {
+  isExampleFile,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+  isBYOKContext,
+  isServerOnlyFile,
+  isEnvVarReference,
+  isNextPublicEnvVar,
+  getServiceRoleKeyContext,
+} from '../../parse/file-classifier'
+import type { VulnerabilitySeverity } from '../../shared/types'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+function isInsideTypeDeclaration(node: Parser.SyntaxNode): boolean {
+  let current = node.parent
+  while (current) {
+    if (current.type === 'type_alias_declaration' ||
+        current.type === 'interface_declaration' ||
+        current.type === 'type_annotation') return true
+    current = current.parent
+  }
+  return false
+}
+
+// ============================================================================
+// Secret Patterns (same as regex version, but applied to AST string nodes)
+// ============================================================================
+
+interface SecretPatternDef {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  isGeneric?: boolean
+}
+
+const SECRET_PATTERNS: SecretPatternDef[] = [
+  { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/, severity: 'critical', description: 'OpenAI API key detected' },
+  { name: 'OpenAI Project API Key', pattern: /sk-proj-[a-zA-Z0-9]{48,}/, severity: 'critical', description: 'OpenAI project API key detected (new format)' },
+  { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/, severity: 'critical', description: 'Anthropic API key detected' },
+  { name: 'Anthropic API Key (Full)', pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/, severity: 'critical', description: 'Anthropic API key detected (full format)' },
+  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub personal access token detected' },
+  { name: 'GitHub OAuth Token', pattern: /gho_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub OAuth token detected' },
+  { name: 'GitHub App Token', pattern: /ghu_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub App user token detected' },
+  { name: 'GitHub Refresh Token', pattern: /ghr_[a-zA-Z0-9]{36,}/, severity: 'critical', description: 'GitHub refresh token detected' },
+  { name: 'Stripe Secret Key', pattern: /sk_live_[a-zA-Z0-9]{24,}/, severity: 'critical', description: 'Stripe live secret key detected' },
+  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{24,}/, severity: 'medium', description: 'Stripe test secret key detected' },
+  { name: 'Stripe Publishable Key', pattern: /pk_(live|test)_[a-zA-Z0-9]{24,}/, severity: 'low', description: 'Stripe publishable key detected (usually safe but verify)' },
+  { name: 'Square Access Token', pattern: /sq0csp-[a-zA-Z0-9\-_]{43}/, severity: 'critical', description: 'Square access token detected' },
+  { name: 'AWS Access Key ID', pattern: /AKIA[0-9A-Z]{16}/, severity: 'critical', description: 'AWS Access Key ID detected' },
+  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z\-_]{35}/, severity: 'high', description: 'Google API key detected' },
+  { name: 'Slack Token', pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/, severity: 'critical', description: 'Slack token detected' },
+  { name: 'Slack Webhook', pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/, severity: 'high', description: 'Slack webhook URL detected' },
+  { name: 'Discord Webhook', pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/, severity: 'high', description: 'Discord webhook URL detected' },
+  { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/, severity: 'critical', description: 'Twilio API key detected' },
+  { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, severity: 'critical', description: 'SendGrid API key detected' },
+  { name: 'Mailgun API Key', pattern: /key-[a-zA-Z0-9]{32}/, severity: 'critical', description: 'Mailgun API key detected' },
+  { name: 'NPM Token', pattern: /npm_[a-zA-Z0-9]{36}/, severity: 'critical', description: 'NPM access token detected' },
+  { name: 'PyPI Token', pattern: /pypi-[a-zA-Z0-9]{32,}/, severity: 'critical', description: 'PyPI API token detected' },
+  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, severity: 'critical', description: 'Private key detected' },
+  { name: 'Database Connection String', pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:@\s"']+:[^@\s"']+@/, severity: 'high', description: 'Database connection string with credentials detected' },
+  { name: 'Hardcoded JWT Token', pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, severity: 'high', description: 'Hardcoded JWT token detected' },
+  { name: 'Generic Password in URL', pattern: /[a-zA-Z]{3,10}:\/\/[^:]+:[^@]+@/, severity: 'high', description: 'Password in URL detected' },
+  { name: 'Vercel Token', pattern: /vercel_[a-zA-Z0-9]{24,}/i, severity: 'critical', description: 'Vercel API token detected' },
+  { name: 'Netlify Token', pattern: /nfp_[a-zA-Z0-9]{40,}/i, severity: 'critical', description: 'Netlify personal access token detected' },
+  { name: 'Generic API Key Assignment', pattern: /api[_-]?key.*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/i, severity: 'medium', description: 'Possible API key assignment detected', isGeneric: true },
+  { name: 'Generic Secret Key Assignment', pattern: /secret[_-]?key.*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/i, severity: 'medium', description: 'Possible secret key assignment detected', isGeneric: true },
+]
+
+// ============================================================================
+// Filters
+// ============================================================================
+
+const PLACEHOLDER_PATTERNS = [
+  /^your[-_]/i, /^my[-_]/i, /^test[-_]/i, /^sample[-_]/i,
+  /^example[-_]/i, /^demo[-_]/i, /^placeholder/i,
+  /^xxx+$/i, /^yyy+$/i, /^\*+$/, /^\.{3,}$/,
+  /^<.*>$/, /^\[.*\]$/, /^\{.*\}$/,
+]
+
+function isPlaceholder(value: string, lineContent: string): boolean {
+  if (PLACEHOLDER_PATTERNS.some(p => p.test(value))) return true
+  if (/example|sample|demo|test|dummy|fake|mock/i.test(value)) return true
+  if (/^[a-z]+_[a-z]+_[a-z]+$/i.test(value) || /^your[_-]/i.test(value)) return true
+  if (/\[REDACTED\]|\[MASKED\]|\[HIDDEN\]|\*{3,}/i.test(value)) return true
+  return false
+}
+
+function hasTestVarName(line: string): boolean {
+  const match = line.match(/(?:const|let|var|export\s+const)\s+([A-Z_][A-Z0-9_]*)\s*=/i)
+  if (!match) return false
+  const name = match[1]
+  return /^(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE|PLACEHOLDER|DEMO)/i.test(name) ||
+         /_(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)$/i.test(name)
+}
+
+function isDocFile(filePath: string): boolean {
+  return /README|CHANGELOG|CONTRIBUTING|LICENSE|\.md$|\.mdx$|\.rst$|\/docs\/|\/examples?\//i.test(filePath)
+}
+
+// ============================================================================
+// AST Rule: Secret Patterns
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-secret-pattern',
+  title: 'Hardcoded secret detected',
+  description: 'Known secret pattern found in string literal',
+  severity: 'critical',
+  category: 'hardcoded_secret',
+  suggestedFix: 'Move this secret to an environment variable. Never commit secrets to version control.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.70,
+  layer: 1,
+  source: 'secrets',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isExampleFile(ast.filePath)) return []
+    if (isDocFile(ast.filePath)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+    const lines = content.split('\n')
+    const isServerFile = isServerOnlyFile(ast.filePath)
+    const isTestFile = isTestOrMockFile(ast.filePath)
+
+    // Walk all string nodes in the AST
+    nodeLoop: for (const node of getNodes(nodeIndex!, 'string', 'template_string')) {
+      if (isInsideTypeDeclaration(node)) continue
+
+      const value = extractStringValue(node)
+      if (!value || value.length < 8) continue // skip, too short
+
+      const line = lines[node.startPosition.row] ?? ''
+
+      // Skip placeholders
+      if (isPlaceholder(value, line)) continue
+      if (hasTestVarName(line)) continue
+
+      // Check BYOK context
+      if (isBYOKContext(line, ast.filePath)) {
+        if (isServerFile && isEnvVarReference(line)) continue
+        if (!/['"`][a-zA-Z0-9_-]{20,}['"`]/.test(line)) continue
+      }
+
+      // Test each secret pattern
+      for (const secret of SECRET_PATTERNS) {
+        if (!secret.pattern.test(value)) continue
+
+        let adjustedSeverity = secret.severity
+        let adjustedDescription = secret.description
+        let requiresAI = secret.isGeneric ?? false
+
+        // JWT / Supabase context handling
+        const isJWT = secret.name.includes('Supabase') || secret.name.includes('JWT') || /eyJ[a-zA-Z0-9_-]+\.eyJ/.test(value)
+        if (isJWT) {
+          const ctx = getServiceRoleKeyContext(line, ast.filePath)
+          if (ctx === 'safe_server') continue nodeLoop
+          if (ctx === 'client_exposure') {
+            adjustedSeverity = 'critical'
+            requiresAI = true
+            adjustedDescription = isNextPublicEnvVar(line)
+              ? `${secret.description} - EXPOSED via NEXT_PUBLIC_ prefix`
+              : `${secret.description} - may be exposed to client bundle`
+          } else {
+            if (isEnvVarReference(line)) {
+              adjustedSeverity = 'medium'
+              requiresAI = true
+              adjustedDescription = `${secret.description} - verify this is not exposed to client`
+            } else if (isServerFile) {
+              adjustedSeverity = 'high'
+              requiresAI = true
+              adjustedDescription = `${secret.description} - hardcoded in server file, should use env var`
+            } else {
+              adjustedSeverity = 'critical'
+              requiresAI = true
+            }
+          }
+        }
+
+        // Test file downgrade
+        if (isTestFile) {
+          adjustedSeverity = adjustedSeverity === 'critical' ? 'medium'
+            : adjustedSeverity === 'high' ? 'low' : 'info'
+          adjustedDescription += ' (in test file)'
+        }
+
+        matches.push({
+          node,
+          severity: adjustedSeverity,
+          note: adjustedDescription,
+        })
+        break // one match per string
+      }
+    }
+
+    return matches
+  },
+})

package/src/detect/ast-rules/security-headers-ast.ts

@@ -0,0 +1,206 @@
+/**
+ * AST-Based Security Headers Detection
+ *
+ * Migrates structural/security-headers.ts from regex to AST.
+ * Detects missing HTTP security headers in server configurations.
+ *
+ * AST advantages over regex:
+ * - Understands import structure (Express vs Fastify vs custom)
+ * - Can verify helmet middleware is actually registered (not just imported)
+ * - Can check CSP config object structure
+ * - Understands 'use client' directives from AST
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { findNodesOfType } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import { hasImport, getImportedModules } from './helpers/import-analysis'
+import { isMethodCallOn, getObjectLiteralProperty } from './helpers/call-analysis'
+import { getFileDirective } from './helpers/context-detection'
+import {
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+function isClientSideFile(root: Parser.SyntaxNode, filePath: string, content: string): boolean {
+  if (getFileDirective(root) === 'use client') return true
+
+  const clientPaths = [/\/components\//i, /\/hooks\//i, /\/pages\/(?!api\/)/i, /\.client\./i]
+  if (!clientPaths.some(p => p.test(filePath))) return false
+
+  // Check for server indicators that override (use content pre-check before AST walk)
+  if (/\b(express|http|https)\b/.test(content)) {
+    const modules = getImportedModules(root)
+    if (modules.has('express') || modules.has('http') || modules.has('https')) return false
+  }
+  if (getFileDirective(root) === 'use server') return false
+
+  return true
+}
+
+function isNextConfig(filePath: string): boolean {
+  return /next\.config\.(m?js|ts)$/.test(filePath)
+}
+
+import type Parser from 'tree-sitter'
+
+// ============================================================================
+// AST Rule: Express without Helmet
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-security-headers-no-helmet',
+  title: 'Express app without helmet security headers',
+  description: 'Express application does not use helmet middleware, missing critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)',
+  severity: 'medium',
+  category: 'missing_security_headers',
+  suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.35,
+  layer: 2,
+  source: 'structural',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+
+    // Content pre-check: skip files without express mention
+    if (!/express/i.test(content)) return []
+
+    const root = ast.tree.rootNode
+    if (isClientSideFile(root, ast.filePath, content)) return []
+
+    // Check if file uses Express
+    const hasExpress = hasImport(root, 'express') ||
+      hasImport(root, /^express$/)
+
+    if (!hasExpress) return []
+
+    // Check if file imports helmet
+    const hasHelmet = hasImport(root, 'helmet') ||
+      hasImport(root, '@fastify/helmet')
+
+    if (hasHelmet) return []
+
+    // Find the express() call for reporting
+    const matches: ASTRuleMatch[] = []
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const fn = node.childForFieldName('function')
+      if (fn?.text === 'express' && node.childForFieldName('arguments')?.namedChildren.length === 0) {
+        matches.push({ node })
+        break
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Helmet with CSP Disabled
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-security-headers-csp-disabled',
+  title: 'Helmet CSP disabled',
+  description: 'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
+  severity: 'low',
+  category: 'missing_security_headers',
+  suggestedFix: 'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.35,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+
+    // Content pre-check: skip files without helmet mention
+    if (!/helmet/i.test(content)) return []
+
+    const root = ast.tree.rootNode
+    if (!hasImport(root, 'helmet') && !hasImport(root, '@fastify/helmet')) return []
+
+    const matches: ASTRuleMatch[] = []
+
+    // Find helmet() calls and check for contentSecurityPolicy: false
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const fn = node.childForFieldName('function')
+      if (!fn) continue
+
+      // helmet({...}) or app.use(helmet({...}))
+      const isHelmetCall = fn.text === 'helmet' ||
+        (fn.type === 'identifier' && fn.text === 'helmet')
+
+      if (!isHelmetCall) continue
+
+      const args = node.childForFieldName('arguments')
+      const configArg = args?.namedChildren[0]
+      if (configArg?.type === 'object') {
+        const cspProp = getObjectLiteralProperty(configArg, 'contentSecurityPolicy')
+        if (cspProp && (cspProp.text === 'false' || cspProp.type === 'false')) {
+          matches.push({ node: cspProp })
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Next.js Config Missing Headers
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-security-headers-nextjs',
+  title: 'Next.js config missing security headers',
+  description: 'next.config does not export a headers() function. Security headers should be configured in Next.js config or middleware.',
+  severity: 'medium',
+  category: 'missing_security_headers',
+  suggestedFix: 'Add a headers() function to next.config.js that returns security headers array',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'medium',
+  baseConfidence: 0.35,
+  layer: 2,
+  source: 'structural',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, _content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!isNextConfig(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+
+    // Look for headers property or method in the exported config
+    let hasHeadersConfig = false
+    for (const node of getNodes(nodeIndex!, 'method_definition', 'pair', 'shorthand_property_identifier')) {
+      // headers() method or headers: async () =>
+      if (node.type === 'method_definition' || node.type === 'pair') {
+        const name = node.type === 'method_definition'
+          ? node.childForFieldName('name')?.text
+          : node.childForFieldName('key')?.text
+        if (name === 'headers') {
+          hasHeadersConfig = true
+          break
+        }
+      }
+      // Property shorthand
+      if (node.type === 'shorthand_property_identifier') {
+        if (node.text === 'headers') {
+          hasHeadersConfig = true
+          break
+        }
+      }
+    }
+
+    if (hasHeadersConfig) return []
+
+    // Report on the first line (the config file itself)
+    return [{ node: root.firstChild ?? root }]
+  },
+})