@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/ast-rules/ssrf-ast.ts

@@ -0,0 +1,601 @@
+/**
+ * AST-Based SSRF (Server-Side Request Forgery) Detection
+ *
+ * Migrates structural/ssrf-detection.ts from regex to AST.
+ * Detects user input flowing to HTTP request sinks.
+ *
+ * AST advantages:
+ * - Tracks variable-mediated taint through assignments and destructuring
+ * - Resolves function call targets (fetch, axios.get, got, etc.) from AST
+ * - Detects template literal interpolation with user input in URLs
+ * - Understands allowlist mitigation patterns from AST
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { walkAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, getCallArguments, isMethodCallOn } from './helpers/call-analysis'
+import { isUserInputExpression } from './helpers/user-input'
+import { isScannerOrFixtureFile, isTestOrMockFile, isExampleDirectory, isExampleFile } from '../../parse/file-classifier'
+import { getFileDirective } from './helpers/context-detection'
+import { resolvePythonCallTarget, isPythonUserInputExpression, isPythonFString, getPythonFStringParts, getPythonCallArguments, collectPythonVariableDeclarations } from './helpers/python-helpers'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/** HTTP request sinks */
+function isHTTPSink(node: Parser.SyntaxNode): boolean {
+  const target = resolveCallTarget(node)
+  if (!target) return false
+
+  // fetch(...) — skip if inside a framework fetch wrapper (tRPC, Apollo, etc.)
+  if (target.name === 'fetch' && !target.object) {
+    if (isFrameworkFetchWrapper(node)) return false
+    return true
+  }
+
+  // axios.get/post/put/delete/patch/head/options/request(...)
+  if (/^axios$/.test(target.object ?? '') && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name)) return true
+
+  // got(...)
+  if (target.name === 'got' && !target.object) return true
+
+  // undici.request(...)
+  if (target.object === 'undici' && target.name === 'request') return true
+
+  // http.get/request(...), https.get/request(...)
+  if (/^https?$/.test(target.object ?? '') && /^(get|request)$/.test(target.name)) return true
+
+  return false
+}
+
+/** Redirect sinks */
+function isRedirectSink(node: Parser.SyntaxNode): boolean {
+  const target = resolveCallTarget(node)
+  if (!target) return false
+
+  // res.redirect(...)
+  if (/^(res|response)$/.test(target.object ?? '') && target.name === 'redirect') return true
+
+  // redirect(...)
+  if (target.name === 'redirect' && !target.object) return true
+
+  return false
+}
+
+/** Check if client-side file */
+function isClientSideFile(root: Parser.SyntaxNode, filePath: string, content: string): boolean {
+  if (getFileDirective(root) === 'use client') return true
+  if (/\/components\//.test(filePath) && !/express\(\)/.test(content) && getFileDirective(root) !== 'use server') {
+    return true
+  }
+  return false
+}
+
+/** Check for SSRF mitigations in surrounding context */
+function hasSSRFMitigation(root: Parser.SyntaxNode, node: Parser.SyntaxNode): boolean {
+  // Walk up to enclosing function
+  let current: Parser.SyntaxNode | null = node.parent
+  let fnBody: Parser.SyntaxNode | null = null
+  while (current) {
+    if (current.type === 'function_declaration' || current.type === 'arrow_function' || current.type === 'function_expression' || current.type === 'method_definition' || current.type === 'function_definition') {
+      fnBody = current.childForFieldName('body') ?? current
+      break
+    }
+    current = current.parent
+  }
+  if (!fnBody) fnBody = root
+
+  const bodyText = fnBody.text
+
+  // Allowlist validation
+  if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(bodyText)) return true
+  if (/allowList|allowlist|whitelist|whiteList/.test(bodyText)) return true
+  // Inline allowlist: allowed.some/includes + startsWith/includes/===
+  if (/\b(?:allowed|valid|safe|permitted)\b.*\.(?:some|includes|every)\b/.test(bodyText) &&
+      /(?:startsWith|includes|===|match)/.test(bodyText)) return true
+  // Guard clause: if (url not in array) return/throw
+  if (/\bnot\s+in\b|\bnot_in\b|\.(?:some|includes)\(/.test(bodyText) &&
+      /\breturn\b.*(?:4\d\d|forbidden|not.?allowed)/i.test(bodyText)) return true
+
+  // URL validation with host/origin check
+  if (/new\s+URL\(/.test(bodyText) && /\.(?:hostname|host|origin)/.test(bodyText)) return true
+
+  // IP range checking
+  if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(bodyText)) return true
+
+  // Python URL validation
+  if (/urlparse|urllib\.parse|validators\.url|validate_url/i.test(bodyText)) return true
+
+  return false
+}
+
+/** Config object name patterns */
+const CONFIG_OBJECT_RE = /^(appCfg|config|settings|cfg|appConfig|dify_config|serverConfig|envConfig)$/i
+/** Config URL property patterns */
+const CONFIG_URL_PROP_RE = /url|host|base|origin|endpoint|domain|callback|redirect/i
+
+/** Check if a node represents a config-controlled URL (not user input) */
+function isConfigControlledURL(node: Parser.SyntaxNode): boolean {
+  // Config object access: appCfg.SITE_URL, config.API_BASE, settings.callbackUrl
+  if (node.type === 'member_expression') {
+    const obj = node.childForFieldName('object')
+    const prop = node.childForFieldName('property')
+    if (obj && prop) {
+      if (CONFIG_OBJECT_RE.test(obj.text) && CONFIG_URL_PROP_RE.test(prop.text)) return true
+    }
+  }
+
+  // Env var URL patterns: process.env.*_URL, *_BASE, *_HOST, *_ORIGIN
+  if (node.type === 'member_expression' && /^process\.env\.\w+(?:_URL|_BASE|_HOST|_ORIGIN|_ENDPOINT|_DOMAIN)$/i.test(node.text)) {
+    return true
+  }
+
+  // Template literals / concatenation where first part is config-controlled
+  if (node.type === 'template_string') {
+    const firstChild = node.children[0]
+    // Check first interpolation for config access
+    for (const child of node.children) {
+      if (child.type === 'template_substitution') {
+        const expr = child.namedChildren[0]
+        if (expr && isConfigControlledURL(expr)) return true
+        break // only check the first interpolation (the base URL part)
+      }
+    }
+  }
+
+  if (node.type === 'binary_expression') {
+    const left = node.childForFieldName('left')
+    if (left && isConfigControlledURL(left)) return true
+  }
+
+  return false
+}
+
+/** Check if a fetch() call is inside a framework fetch wrapper (tRPC, Apollo, etc.) */
+function isFrameworkFetchWrapper(node: Parser.SyntaxNode): boolean {
+  let current: Parser.SyntaxNode | null = node.parent
+  while (current) {
+    if (current.type === 'function_declaration' || current.type === 'arrow_function' ||
+        current.type === 'function_expression' || current.type === 'method_definition') {
+      const bodyNode = current.childForFieldName('body') ?? current
+      const bodyText = bodyNode.text
+
+      // tRPC fetch wrappers
+      if (/httpLink|httpBatchLink|httpBatchStreamLink|splitLink/.test(bodyText)) return true
+      // Apollo fetch wrappers
+      if (/createHttpLink|ApolloLink|new HttpLink/.test(bodyText)) return true
+      // Generic fetch wrappers with baseUrl
+      const fnName = current.childForFieldName('name')?.text ?? ''
+      if (/^(fetcher|customFetch)$/i.test(fnName) && /baseUrl|baseURL/.test(bodyText)) return true
+    }
+    current = current.parent
+  }
+  return false
+}
+
+/** Check if argument contains user input (directly or via template literal) */
+function argHasUserInput(arg: Parser.SyntaxNode): boolean {
+  if (isUserInputExpression(arg)) return true
+
+  // Template literal with user input interpolation
+  if (arg.type === 'template_string') {
+    let found = false
+    walkAST(arg, (n) => {
+      if (n.type === 'template_substitution') {
+        const expr = n.namedChildren[0]
+        if (expr && isUserInputExpression(expr)) found = true
+      }
+      return false
+    })
+    return found
+  }
+
+  // String concatenation with user input
+  if (arg.type === 'binary_expression') {
+    let found = false
+    walkAST(arg, (n) => {
+      if (isUserInputExpression(n)) found = true
+      return false
+    })
+    return found
+  }
+
+  // Identifier: resolve variable assignment to check for user input
+  if (arg.type === 'identifier') {
+    const name = arg.text
+    // Walk up to find enclosing function body
+    let fnBody: Parser.SyntaxNode | null = null
+    let cur: Parser.SyntaxNode | null = arg.parent
+    while (cur) {
+      if (/function_declaration|arrow_function|function_expression|method_definition/.test(cur.type)) {
+        fnBody = cur.childForFieldName('body') ?? cur
+        break
+      }
+      cur = cur.parent
+    }
+    if (fnBody) {
+      // Search for `name = <expr>` where <expr> is user input
+      let resolved = false
+      walkAST(fnBody, (n) => {
+        if (resolved) return true
+        if (n.type === 'variable_declarator') {
+          const declName = n.childForFieldName('name')
+          const declValue = n.childForFieldName('value')
+          if (declName?.text === name && declValue) {
+            // Unwrap `as` / `satisfies` type assertions
+            let val = declValue
+            if (val.type === 'as_expression' || val.type === 'satisfies_expression') {
+              val = val.namedChildren[0] ?? val
+            }
+            if (isUserInputExpression(val) || /\bformData\.get\b|\breq\.(query|body|params)\b|\brequest\.\b/i.test(val.text)) {
+              resolved = true
+            }
+          }
+        }
+        return false
+      })
+      if (resolved) return true
+    }
+  }
+
+  return false
+}
+
+/** Python HTTP request sinks */
+function isPythonHTTPSink(node: Parser.SyntaxNode): boolean {
+  const target = resolvePythonCallTarget(node)
+  if (!target) return false
+
+  // requests.get/post/put/delete/patch/head/options/request(...)
+  if (target.object === 'requests' && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name)) return true
+
+  // httpx.get/post/...
+  if (target.object === 'httpx' && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name)) return true
+
+  // urllib.request.urlopen(...)
+  if (/urllib/.test(node.text) && /urlopen/.test(node.text)) return true
+
+  // aiohttp session: session.get/post(...)
+  if (/aiohttp/.test(node.text) && /\.(get|post|put|delete|patch|head)\(/.test(node.text)) return true
+
+  return false
+}
+
+/** Python redirect sinks */
+function isPythonRedirectSink(node: Parser.SyntaxNode): boolean {
+  const target = resolvePythonCallTarget(node)
+  if (!target) return false
+
+  // Flask/Django: redirect(url)
+  if (target.name === 'redirect' && target.type === 'direct') return true
+
+  // Django: HttpResponseRedirect(url)
+  if (target.name === 'HttpResponseRedirect' && target.type === 'direct') return true
+
+  return false
+}
+
+/** Check if a Python argument contains user input (directly or via f-string/concat) */
+function pyArgHasUserInput(arg: Parser.SyntaxNode): boolean {
+  if (isPythonUserInputExpression(arg)) return true
+
+  // f-string with user input interpolation
+  if (isPythonFString(arg)) {
+    const { dynamicParts } = getPythonFStringParts(arg)
+    return dynamicParts.some(p => {
+      const expr = p.namedChildren[0]
+      return expr ? isPythonUserInputExpression(expr) : false
+    })
+  }
+
+  // String concatenation with user input
+  if (arg.type === 'binary_operator') {
+    let found = false
+    walkAST(arg, (n) => {
+      if (isPythonUserInputExpression(n)) found = true
+      return false
+    })
+    return found
+  }
+
+  return false
+}
+
+// ============================================================================
+// AST Rule: Direct SSRF (user input in HTTP sinks)
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-ssrf-direct',
+  title: 'SSRF: User input in HTTP request',
+  description: 'User-controlled input flows to a server-side HTTP request, risking SSRF attacks against internal services or cloud metadata endpoints',
+  severity: 'high',
+  category: 'ssrf',
+  suggestedFix: 'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'high',
+  baseConfidence: 0.40,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+    if (isExampleDirectory(ast.filePath) || isExampleFile(ast.filePath)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+
+    // --- Python ---
+    if (ast.language === 'python') {
+      if (!/requests\.|httpx\.|urllib|aiohttp|urlopen/.test(content)) return []
+
+      for (const node of getNodes(nodeIndex!, 'call')) {
+        if (!isPythonHTTPSink(node)) continue
+
+        const args = getPythonCallArguments(node)
+        if (args.length === 0) continue
+
+        if (pyArgHasUserInput(args[0])) {
+          if (hasSSRFMitigation(root, node)) continue
+
+          matches.push({
+            node,
+            severity: 'high',
+            note: 'User-controlled input flows directly to a server-side HTTP request.',
+          })
+        }
+      }
+
+      return matches
+    }
+
+    // --- JavaScript/TypeScript ---
+    if (isClientSideFile(root, ast.filePath, content)) return []
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (!isHTTPSink(node)) continue
+
+      const args = getCallArguments(node)
+      if (args.length === 0) continue
+
+      // Skip config-controlled URLs (not user input)
+      if (isConfigControlledURL(args[0])) continue
+
+      // Check if first arg (URL) contains user input
+      if (argHasUserInput(args[0])) {
+        if (hasSSRFMitigation(root, node)) continue
+
+        matches.push({
+          node,
+          severity: 'high',
+          note: 'User-controlled input flows directly to a server-side HTTP request.',
+        })
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Open Redirect
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-ssrf-redirect',
+  title: 'Open redirect: User input in redirect',
+  description: 'User-controlled input is used in a server redirect, risking phishing via open redirect',
+  severity: 'high',
+  category: 'ssrf',
+  suggestedFix: 'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'high',
+  baseConfidence: 0.40,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+    if (isExampleDirectory(ast.filePath) || isExampleFile(ast.filePath)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+
+    // --- Python ---
+    if (ast.language === 'python') {
+      if (!/\bredirect\b|HttpResponseRedirect/.test(content)) return []
+
+      for (const node of getNodes(nodeIndex!, 'call')) {
+        if (!isPythonRedirectSink(node)) continue
+
+        const args = getPythonCallArguments(node)
+        if (args.length === 0) continue
+
+        if (pyArgHasUserInput(args[0])) {
+          if (hasSSRFMitigation(root, node)) continue
+
+          matches.push({
+            node,
+            severity: 'high',
+            note: 'User-controlled input used in redirect call.',
+          })
+        }
+      }
+
+      return matches
+    }
+
+    // --- JavaScript/TypeScript ---
+    if (isClientSideFile(root, ast.filePath, content)) return []
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (!isRedirectSink(node)) continue
+
+      const args = getCallArguments(node)
+      if (args.length === 0) continue
+
+      // Skip config-controlled redirect URLs
+      if (isConfigControlledURL(args[0])) continue
+
+      if (argHasUserInput(args[0])) {
+        if (hasSSRFMitigation(root, node)) continue
+
+        matches.push({
+          node,
+          severity: 'high',
+          note: 'User-controlled input used in redirect call.',
+        })
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Variable-mediated SSRF
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-ssrf-mediated',
+  title: 'SSRF: Variable-mediated user input in HTTP request',
+  description: 'User input assigned to a variable flows to an HTTP request sink',
+  severity: 'medium',
+  category: 'ssrf',
+  suggestedFix: 'Validate the URL against an allowlist before making the request. Block private IP ranges.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.40,
+  layer: 2,
+  source: 'structural',
+  requiresAIValidation: false,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+    if (isTestOrMockFile(ast.filePath)) return []
+    if (isExampleDirectory(ast.filePath) || isExampleFile(ast.filePath)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+
+    // --- Python ---
+    if (ast.language === 'python') {
+      if (!/requests\.|httpx\.|urllib|aiohttp|urlopen|redirect|HttpResponseRedirect/.test(content)) return []
+
+      // Pass 1: Collect tainted variables (assigned from user input)
+      const taintedVars = new Map<string, Parser.SyntaxNode>()
+
+      for (const node of getNodes(nodeIndex!, 'assignment')) {
+        const left = node.childForFieldName('left')
+        const right = node.childForFieldName('right')
+        if (left?.type === 'identifier' && right && isPythonUserInputExpression(right)) {
+          taintedVars.set(left.text, node)
+        }
+      }
+
+      if (taintedVars.size === 0) return []
+
+      // Pass 2: Check if tainted vars flow to HTTP/redirect sinks
+      for (const node of getNodes(nodeIndex!, 'call')) {
+        if (!isPythonHTTPSink(node) && !isPythonRedirectSink(node)) continue
+
+        const args = getPythonCallArguments(node)
+        if (args.length === 0) continue
+
+        const firstArg = args[0]
+
+        let taintedVar: string | null = null
+        walkAST(firstArg, (n) => {
+          if (n.type === 'identifier' && taintedVars.has(n.text)) {
+            taintedVar = n.text
+          }
+          return false
+        })
+
+        if (taintedVar && !hasSSRFMitigation(root, node)) {
+          matches.push({
+            node,
+            severity: 'medium',
+            note: `User input assigned to '${taintedVar}' flows to HTTP request sink.`,
+          })
+        }
+      }
+
+      return matches
+    }
+
+    // --- JavaScript/TypeScript ---
+    if (isClientSideFile(root, ast.filePath, content)) return []
+
+    // Pass 1: Collect tainted variables (assigned from user input)
+    const taintedVars = new Map<string, Parser.SyntaxNode>() // varName -> assignment node
+
+    for (const node of getNodes(nodeIndex!, 'variable_declarator', 'assignment_expression')) {
+      // const url = req.body.url
+      if (node.type === 'variable_declarator') {
+        const nameNode = node.childForFieldName('name')
+        const valueNode = node.childForFieldName('value')
+        if (nameNode && valueNode && isUserInputExpression(valueNode)) {
+          taintedVars.set(nameNode.text, node)
+        }
+
+        // Destructuring: const { url } = req.body
+        if (nameNode?.type === 'object_pattern' && valueNode && isUserInputExpression(valueNode)) {
+          for (const prop of nameNode.namedChildren) {
+            if (prop.type === 'shorthand_property_identifier_pattern') {
+              taintedVars.set(prop.text, node)
+            } else if (prop.type === 'pair_pattern') {
+              const value = prop.childForFieldName('value')
+              if (value) taintedVars.set(value.text, node)
+            }
+          }
+        }
+      }
+
+      // url = req.body.url (assignment)
+      if (node.type === 'assignment_expression') {
+        const left = node.childForFieldName('left')
+        const right = node.childForFieldName('right')
+        if (left && right && left.type === 'identifier' && isUserInputExpression(right)) {
+          taintedVars.set(left.text, node)
+        }
+      }
+    }
+
+    if (taintedVars.size === 0) return []
+
+    // Pass 2: Check if tainted vars flow to HTTP sinks
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (!isHTTPSink(node) && !isRedirectSink(node)) continue
+
+      const args = getCallArguments(node)
+      if (args.length === 0) continue
+
+      const firstArg = args[0]
+
+      // Skip config-controlled URLs
+      if (isConfigControlledURL(firstArg)) continue
+
+      // Check if the argument references a tainted variable
+      let taintedVar: string | null = null
+      walkAST(firstArg, (n) => {
+        if (n.type === 'identifier' && taintedVars.has(n.text)) {
+          taintedVar = n.text
+        }
+        return false
+      })
+
+      if (taintedVar && !hasSSRFMitigation(root, node)) {
+        matches.push({
+          node,
+          severity: 'medium',
+          note: `User input assigned to '${taintedVar}' flows to HTTP request sink.`,
+        })
+      }
+    }
+
+    return matches
+  },
+})