@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/ast-rules/weak-crypto-ast.ts

@@ -0,0 +1,441 @@
+/**
+ * AST-Based Weak Cryptography Detection (Proof of Concept)
+ *
+ * Detects weak crypto patterns via tree-sitter AST analysis:
+ *  - Math.random() in security contexts
+ *  - createHash('md5') / createHash('sha1')
+ *  - Direct MD5() / SHA1() calls
+ *
+ * Advantages over regex:
+ *  - Handles import aliases: `import { createHash as hash } from 'crypto'`
+ *  - Handles variable indirection: `const r = Math.random; r()`
+ *  - Understands call expression structure (no FP on strings containing "MD5")
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { walkAST, findEnclosingFunction } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes, isCallTo, getFirstStringArg, collectImportBindings } from './index'
+import type Parser from 'tree-sitter'
+import { resolvePythonCallTarget, hasPythonImport } from './helpers/python-helpers'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/** Check if a node is inside a comment (shouldn't happen with AST, but safety) */
+function isInsideComment(node: Parser.SyntaxNode): boolean {
+  let current = node.parent
+  while (current) {
+    if (current.type === 'comment') return true
+    current = current.parent
+  }
+  return false
+}
+
+/** Check if context indicates HTTP Digest Authentication (MD5 is RFC-mandated there) */
+function isDigestAuthContext(node: Parser.SyntaxNode, content: string): boolean {
+  const lines = content.split('\n')
+  const lineStart = node.startPosition.row
+  const start = Math.max(0, lineStart - 5)
+  const end = Math.min(lines.length, lineStart + 6)
+  const window = lines.slice(start, end).join(' ')
+
+  // Digest Auth protocol markers: realm, nonce, cnonce, qop, HA1, HA2, nc=, WWW-Authenticate, Digest
+  return /\brealm\b.*\bnonce\b|\bnonce\b.*\brealm\b|\bcnonce\b|\bqop\b|\bHA1\b|\bHA2\b|\bnc\s*=|\bWWW-Authenticate\b|\bDigest\s/i.test(window)
+}
+
+/** Check surrounding function/variable names for security vs checksum context */
+function isSecurityContext(node: Parser.SyntaxNode, content: string, filePath?: string): boolean {
+  // Build tool files: checksums in Gruntfile/webpack/rollup/vite configs are non-security
+  if (filePath && /Gruntfile|gulpfile|webpack\.config|rollup\.config|vite\.config|\.grunt/i.test(filePath)) {
+    return false
+  }
+
+  // HTTP Digest Authentication requires MD5 per RFC 2617 — not a vulnerability
+  if (isDigestAuthContext(node, content)) {
+    return false
+  }
+
+  const securityPatterns = /password|token|secret|credential|auth|session|key|verify.*user|sign/i
+  const checksumPatterns = /checksum|etag|content.*hash|file.*hash|integrity|digest|fingerprint|cache.*key|dedup|uniqueId|gravatar|avatar|blob|asset|sprite|bundle|chunk|manifest/i
+
+  // Check enclosing function name
+  const fn = findEnclosingFunction(node)
+  const fnName = fn?.childForFieldName('name')?.text ?? ''
+  if (checksumPatterns.test(fnName) && !securityPatterns.test(fnName)) return false
+
+  // Check the line content for additional context
+  const lineStart = node.startPosition.row
+  const lines = content.split('\n')
+  const line = lines[lineStart] ?? ''
+  if (checksumPatterns.test(line) && !securityPatterns.test(line)) return false
+
+  return true
+}
+
+/** Check if Math.random is in a security-relevant context */
+function isMathRandomSecurityContext(node: Parser.SyntaxNode, content: string): boolean {
+  const lines = content.split('\n')
+  const line = lines[node.startPosition.row] ?? ''
+
+  // Exclude load balancing / array selection patterns
+  const loadBalancingPatterns = [
+    /Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,
+    /Math\.random\s*\(\s*\)\s*\*\s*\w+\.size/i,
+    /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,
+    /pick|select|choose|shuffle|sample/i,
+  ]
+  if (loadBalancingPatterns.some(p => p.test(line))) return false
+
+  // Exclude crypto fallback patterns
+  const prevLines = lines.slice(Math.max(0, node.startPosition.row - 2), node.startPosition.row + 1).join(' ')
+  if (/crypto\??\.?\s*randomUUID/i.test(prevLines)) return false
+  if (/getRandomValues/i.test(prevLines)) return false
+
+  // Exclude UI context patterns (React keys, toast IDs, notification IDs)
+  if (/enqueueSnackbar|toast|notification|addNotification/i.test(line)) return false
+  // JSX key prop: key={Math.random()} or key: Math.random()
+  if (/\bkey\s*[:=]\s*\{?\s*Math\.random/i.test(line)) return false
+  // Enclosing function is a render/component function
+  const fn = findEnclosingFunction(node)
+  const fnName = fn?.childForFieldName('name')?.text ?? ''
+  if (/render|component|jsx|tsx/i.test(fnName)) return false
+
+  // Only flag if it's in a security context
+  const securityContexts = /token|secret|key|password|salt|nonce|iv|random.*id|uuid|session/i
+  const match = securityContexts.exec(line)
+  if (!match) return false
+
+  // Disambiguate "key": could be React key (UI) or crypto key (security)
+  if (match[0].toLowerCase() === 'key') {
+    // Crypto context indicators on the same line → flag as security key
+    if (/crypto|encrypt|decrypt|sign|verify|hmac|cipher|hash/i.test(line)) return true
+    // API key naming → flag
+    if (/api_?key|apiKey/i.test(line)) return true
+    // Otherwise "key" is ambiguous (likely React/UI key) → skip
+    return false
+  }
+
+  return true
+}
+
+// ============================================================================
+// Variable Indirection Tracking
+// ============================================================================
+
+/**
+ * Build a map of variable name → assigned value (call expression or member expression text)
+ * for detecting patterns like: `const r = Math.random; r()`
+ */
+function collectVariableAliases(root: Parser.SyntaxNode): Map<string, string> {
+  const aliases = new Map<string, string>()
+
+  walkAST(root, (node) => {
+    if (node.type === 'variable_declarator') {
+      const nameNode = node.childForFieldName('name')
+      const valueNode = node.childForFieldName('value')
+      if (nameNode?.type === 'identifier' && valueNode) {
+        // const r = Math.random
+        if (valueNode.type === 'member_expression') {
+          aliases.set(nameNode.text, valueNode.text)
+        }
+        // const e = eval
+        if (valueNode.type === 'identifier') {
+          aliases.set(nameNode.text, valueNode.text)
+        }
+      }
+    }
+    return false
+  })
+
+  return aliases
+}
+
+// ============================================================================
+// Rule: Math.random() in Security Context
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-weak-crypto-math-random',
+  title: 'Math.random() for Security',
+  description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
+  severity: 'high',
+  category: 'weak_crypto',
+  suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.45,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!/Math\.random/i.test(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+    const aliases = collectVariableAliases(root)
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (isInsideComment(node)) continue
+
+      const fn = node.childForFieldName('function')
+      if (!fn) continue
+
+      let isMathRandom = false
+
+      // Direct: Math.random()
+      if (fn.type === 'member_expression' && fn.text === 'Math.random') {
+        isMathRandom = true
+      }
+
+      // Aliased: const r = Math.random; r()
+      if (fn.type === 'identifier' && aliases.get(fn.text) === 'Math.random') {
+        isMathRandom = true
+      }
+
+      if (isMathRandom && isMathRandomSecurityContext(node, content)) {
+        matches.push({ node })
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// Rule: createHash('md5') / createHash('sha1')
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-weak-crypto-create-hash',
+  title: 'Weak Hash Algorithm',
+  description: 'Weak hash algorithm detected via createHash(). MD5 is cryptographically broken and SHA1 is deprecated.',
+  severity: 'high',
+  category: 'weak_crypto',
+  suggestedFix: "Use createHash('sha256') or createHash('sha3-256') instead.",
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.45,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!/createHash/i.test(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+    const imports = collectImportBindings(root)
+    const aliases = collectVariableAliases(root)
+
+    // Build set of local names that refer to createHash
+    const createHashNames = new Set<string>(['createHash'])
+    for (const [local, binding] of imports) {
+      if (binding.originalName === 'createHash' && binding.module === 'crypto') {
+        createHashNames.add(local)
+      }
+    }
+    // Also track variable aliases: const ch = crypto.createHash → not common but possible
+    for (const [local, value] of aliases) {
+      if (value.endsWith('.createHash') || value === 'createHash') {
+        createHashNames.add(local)
+      }
+    }
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (isInsideComment(node)) continue
+
+      const fn = node.childForFieldName('function')
+      if (!fn) continue
+
+      let isCreateHash = false
+
+      // Direct call: createHash('md5')
+      if (fn.type === 'identifier' && createHashNames.has(fn.text)) {
+        isCreateHash = true
+      }
+
+      // Member call: crypto.createHash('md5')
+      if (fn.type === 'member_expression') {
+        const prop = fn.childForFieldName('property')
+        if (prop?.text === 'createHash') {
+          isCreateHash = true
+        }
+      }
+
+      if (isCreateHash) {
+        const algo = getFirstStringArg(node)?.toLowerCase()
+        if (algo === 'md5') {
+          if (isSecurityContext(node, content, ast.filePath)) {
+            matches.push({
+              node,
+              severity: 'high',
+              note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+            })
+          }
+        } else if (algo === 'sha1') {
+          if (isSecurityContext(node, content, ast.filePath)) {
+            matches.push({
+              node,
+              severity: 'medium',
+              note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+            })
+          }
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// Rule: Direct MD5() / SHA1() calls
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-weak-crypto-direct-hash',
+  title: 'Direct Weak Hash Function Call',
+  description: 'Direct call to a weak hash function detected.',
+  severity: 'high',
+  category: 'weak_crypto',
+  suggestedFix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.45,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!/\bMD5\b|\bmd5\b|\bSHA1\b|\bsha1\b/.test(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (isInsideComment(node)) continue
+
+      // MD5() or SHA1() direct calls
+      if (isCallTo(node, 'MD5') || isCallTo(node, 'md5')) {
+        if (isSecurityContext(node, content, ast.filePath)) {
+          matches.push({
+            node,
+            severity: 'high',
+            note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+          })
+        }
+      }
+
+      if (isCallTo(node, 'SHA1') || isCallTo(node, 'sha1')) {
+        if (isSecurityContext(node, content, ast.filePath)) {
+          matches.push({
+            node,
+            severity: 'medium',
+            note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+          })
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// Rule: createCipheriv with weak cipher algorithm
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-weak-crypto-weak-cipher',
+  title: 'Weak Cipher Algorithm',
+  description: 'Weak cipher algorithm detected via createCipheriv(). DES has a 56-bit key and is brute-forceable.',
+  severity: 'high',
+  category: 'weak_crypto',
+  suggestedFix: "Use createCipheriv('aes-256-gcm', ...) or another AES variant instead.",
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.45,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!/createCipheriv|createDecipheriv/i.test(content)) return []
+
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+    const imports = collectImportBindings(root)
+    const aliases = collectVariableAliases(root)
+
+    const cipherNames = new Set<string>(['createCipheriv', 'createDecipheriv'])
+    for (const [local, binding] of imports) {
+      if ((binding.originalName === 'createCipheriv' || binding.originalName === 'createDecipheriv') && binding.module === 'crypto') {
+        cipherNames.add(local)
+      }
+    }
+
+    const weakCiphers = /^(des|des-ecb|des-cbc|des-ede|des-ede3|des-ede-cbc|des-ede3-cbc|rc4|rc2|blowfish|bf|bf-cbc|bf-ecb)$/i
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      if (isInsideComment(node)) continue
+
+      const fn = node.childForFieldName('function')
+      if (!fn) continue
+
+      let isCipher = false
+      if (fn.type === 'identifier' && cipherNames.has(fn.text)) isCipher = true
+      if (fn.type === 'member_expression') {
+        const prop = fn.childForFieldName('property')
+        if (prop && (prop.text === 'createCipheriv' || prop.text === 'createDecipheriv')) isCipher = true
+      }
+
+      if (isCipher) {
+        const algo = getFirstStringArg(node)?.toLowerCase()
+        if (algo && weakCiphers.test(algo)) {
+          matches.push({
+            node,
+            severity: 'high',
+            note: `${algo.toUpperCase()} cipher is cryptographically weak. Use AES-256-GCM instead.`,
+          })
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// Rule: Python hashlib.md5() / hashlib.sha1()
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-weak-crypto-python-hashlib',
+  title: 'Weak Hash Algorithm (Python)',
+  description: 'Weak hash algorithm detected via hashlib. MD5 is cryptographically broken and SHA1 is deprecated.',
+  severity: 'high',
+  category: 'weak_crypto',
+  suggestedFix: 'Use hashlib.sha256() or hashlib.sha3_256() instead.',
+  languages: ['python'],
+  confidence: 'high',
+  baseConfidence: 0.45,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (!/hashlib/i.test(content)) return []
+    if (!hasPythonImport(ast.tree.rootNode, 'hashlib')) return []
+
+    const matches: ASTRuleMatch[] = []
+
+    for (const node of getNodes(nodeIndex!, 'call')) {
+      const target = resolvePythonCallTarget(node)
+      if (!target) continue
+
+      if (target.type !== 'member' || !/^hashlib$/.test(target.object ?? '')) continue
+
+      if (/^md5$/i.test(target.name)) {
+        if (isSecurityContext(node, content, ast.filePath)) {
+          matches.push({
+            node,
+            severity: 'high',
+            note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+          })
+        }
+      } else if (/^sha1$/i.test(target.name)) {
+        if (isSecurityContext(node, content, ast.filePath)) {
+          matches.push({
+            node,
+            severity: 'medium',
+            note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+          })
+        }
+      }
+    }
+
+    return matches
+  },
+})

package/src/detect/ast-rules/xxe-ast.ts

@@ -0,0 +1,184 @@
+/**
+ * AST-Based XXE (XML External Entity) Detection
+ *
+ * Migrates structural/xxe-detection.ts from regex to AST.
+ * Detects XML parsing without entity expansion protection.
+ *
+ * AST advantages:
+ * - Resolves actual function calls and constructors from AST nodes
+ * - Checks for safe configuration in surrounding scope, not just nearby lines
+ * - Handles import aliasing (import { Parser as XmlParser } from 'fast-xml-parser')
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, isConstructorCall, getCallArguments, getCallArgument, getObjectLiteralProperty } from './helpers/call-analysis'
+import { hasImport, collectRequireCalls } from './helpers/import-analysis'
+import { isScannerOrFixtureFile, isTestOrMockFile } from '../../parse/file-classifier'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+interface XXECheck {
+  /** Description of the library for reporting */
+  lib: string
+  /** Check function: returns true if this node is a vulnerable XML call */
+  check: (node: Parser.SyntaxNode, content: string, root: Parser.SyntaxNode) => boolean
+  /** Check if safe configuration exists (using cached content string) */
+  isSafe: (content: string) => boolean
+  /** Default severity */
+  severity: 'high' | 'medium' | 'low'
+  /** Suggested fix */
+  fix: string
+}
+
+/** Check for text in cached file content (avoids repeated root.text calls) */
+function contentHasText(content: string, pattern: RegExp): boolean {
+  return pattern.test(content)
+}
+
+/** File-level early exit: does this file reference any XML library? */
+const XML_LIBRARY_QUICK_CHECK = /xml2js|libxmljs|DOMParser|xmldom|fast-xml-parser|XMLParser/
+
+interface XXEFileCheck extends XXECheck {
+  /** Quick check on content string (called once per file) */
+  fileHasLib: (content: string) => boolean
+}
+
+const XXE_CHECKS: XXEFileCheck[] = [
+  // xml2js
+  {
+    lib: 'xml2js',
+    fileHasLib: (content) => content.includes('xml2js'),
+    check: (node) => {
+      if (node.type !== 'call_expression') return false
+      const text = node.text
+      return /xml2js\.parseString|new\s+xml2js\.Parser/.test(text)
+    },
+    isSafe: (content) => contentHasText(content, /explicitCharkey|xmlMode/),
+    severity: 'medium',
+    fix: 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false',
+  },
+  // libxmljs — only vulnerable when noent: true is explicitly set
+  {
+    lib: 'libxmljs',
+    fileHasLib: (content) => content.includes('libxmljs'),
+    check: (node) => {
+      if (node.type !== 'call_expression') return false
+      if (!/libxmljs\.parseXml/.test(node.text)) return false
+      // Check the options argument (2nd arg) for noent: true
+      const optionsArg = getCallArgument(node, 1)
+      if (!optionsArg || optionsArg.type !== 'object') return false
+      const noentVal = getObjectLiteralProperty(optionsArg, 'noent')
+      return noentVal?.text === 'true'
+    },
+    isSafe: () => false, // Safety check is now node-level in `check`
+    severity: 'high',
+    fix: 'Remove noent: true or set noent: false to disable external entity processing',
+  },
+  // DOMParser
+  {
+    lib: 'DOMParser',
+    fileHasLib: (content) => content.includes('DOMParser'),
+    check: (node) => {
+      if (node.type !== 'call_expression') return false
+      return /new\s+DOMParser\(\)\.parseFromString/.test(node.text)
+    },
+    isSafe: () => false, // Browsers block XXE by default
+    severity: 'low',
+    fix: 'DOMParser in browsers blocks XXE by default. If running server-side, use a dedicated XML library with entity protection.',
+  },
+  // xmldom
+  {
+    lib: 'xmldom',
+    fileHasLib: (content) => /xmldom|@xmldom/.test(content),
+    check: (node, content) => {
+      if (node.type !== 'new_expression' && node.type !== 'call_expression') return false
+      return /xmldom|@xmldom/.test(content) && /DOMParser/.test(node.text)
+    },
+    isSafe: (content) => contentHasText(content, /entityExpansionEnabled\s*:\s*false/),
+    severity: 'medium',
+    fix: 'Set entityExpansionEnabled: false in parser options',
+  },
+  // fast-xml-parser / XMLParser
+  {
+    lib: 'fast-xml-parser',
+    fileHasLib: (content) => content.includes('XMLParser') || content.includes('fast-xml-parser'),
+    check: (node, content, root) => {
+      if (node.type !== 'new_expression' && node.type !== 'call_expression') return false
+      const text = node.text
+      return /XMLParser|fast-xml-parser/.test(text) || (
+        hasImport(root, 'fast-xml-parser') && /XMLParser/.test(text)
+      )
+    },
+    isSafe: (content) => contentHasText(content, /processEntities\s*:\s*false/),
+    severity: 'medium',
+    fix: 'Disable entity processing: new XMLParser({ processEntities: false })',
+  },
+]
+
+function getSuggestedFix(lib: string): string {
+  const check = XXE_CHECKS.find(c => c.lib === lib)
+  return check?.fix ?? 'Disable external entity processing in the XML parser configuration'
+}
+
+// ============================================================================
+// AST Rule: XXE Detection
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-xxe',
+  title: 'XXE risk: XML parser without entity protection',
+  description: 'XML parser used without disabling external entity processing, risking file read, SSRF, or DoS',
+  severity: 'high',
+  category: 'xxe',
+  suggestedFix: 'Disable external entity processing in the XML parser configuration.',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'high',
+  baseConfidence: 0.55,
+  layer: 2,
+  source: 'structural',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    // Early exit: no XML library references in file
+    if (!XML_LIBRARY_QUICK_CHECK.test(content)) return []
+
+    // Pre-filter to only relevant checks for this file
+    const applicableChecks = XXE_CHECKS.filter(c => c.fileHasLib(content))
+    if (applicableChecks.length === 0) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+    const root = ast.tree.rootNode
+
+    for (const node of getNodes(nodeIndex!, 'call_expression', 'new_expression')) {
+      for (const xxeCheck of applicableChecks) {
+        if (!xxeCheck.check(node, content, root)) continue
+
+        // Check for safe configuration
+        if (xxeCheck.isSafe(content)) continue
+
+        let severity = xxeCheck.severity
+        if (isTestFile) severity = 'info' as any
+
+        // DOMParser in .tsx/.jsx client files is inherently safe
+        if (xxeCheck.lib === 'DOMParser' && /\.(tsx|jsx)$/.test(ast.filePath)) {
+          severity = 'info' as any
+        }
+
+        matches.push({
+          node,
+          severity,
+          note: `${xxeCheck.lib} XML parser without entity protection. ${xxeCheck.fix}`,
+        })
+
+        break // One finding per node
+      }
+    }
+
+    return matches
+  },
+})

package/src/detect/config/agent-skill-injection.ts

@@ -361,30 +361,8 @@ const HIDDEN_EXECUTION_PATTERNS: PatternDef[] = [
     requiresAIValidation: false,
     group: 'hidden_execution',
   },
-  {
-    pattern: /[\u200B-\u200F]/,
-    title: 'Hidden execution: zero-width Unicode characters',
-    description: 'Agent skill file contains invisible zero-width Unicode characters that may hide malicious content.',
-    severity: 'high',
-    requiresAIValidation: false,
-    group: 'hidden_execution',
-  },
-  {
-    pattern: /[\u202A-\u202E]/,
-    title: 'Hidden execution: RTL override characters',
-    description: 'Agent skill file contains bidirectional text override characters that can visually hide code direction.',
-    severity: 'high',
-    requiresAIValidation: false,
-    group: 'hidden_execution',
-  },
-  {
-    pattern: /[\uFEFF]/,
-    title: 'Hidden execution: BOM character mid-file',
-    description: 'Agent skill file contains a Byte Order Mark character in an unexpected position, potentially hiding content.',
-    severity: 'high',
-    requiresAIValidation: false,
-    group: 'hidden_execution',
-  },
+  // Unicode patterns (zero-width, bidi, BOM) removed — now handled with
+  // much better coverage by rules-file-backdoor.ts (ai_rules_file_backdoor category)
 ]
 
 // Group 4: Tool/Function Description Poisoning (JSON/YAML)

package/src/detect/config/index.ts

@@ -4,3 +4,4 @@ export { detectAICommentPatterns } from './comments'
 export { checkPackageAdvisories } from './osv-check'
 export { checkPackages } from './package-check'
 export { detectAgentSkillInjection } from './agent-skill-injection'
+export { detectRulesFileBackdoor } from './rules-file-backdoor'

package/src/detect/config/osv-check.ts

@@ -12,6 +12,7 @@ import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
 import {
   extractNpmDependencies,
   extractPythonRequirements,
+  extractPyprojectDependencies,
   getPackageFileType,
   rateLimitDelay,
   type ExtractedDependency,
@@ -325,7 +326,11 @@ export async function checkPackageAdvisories(
   if (fileType === 'npm' && filePath.endsWith('package.json')) {
     dependencies = extractNpmDependencies(content)
   } else if (fileType === 'python') {
-    dependencies = extractPythonRequirements(content)
+    if (filePath.endsWith('pyproject.toml')) {
+      dependencies = extractPyprojectDependencies(content)
+    } else {
+      dependencies = extractPythonRequirements(content)
+    }
   }
 
   if (dependencies.length === 0) {