@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/structural/security-headers.js

@@ -1,196 +0,0 @@
-"use strict";
-/**
- * Layer 2: Security Headers Detector
- * Detects missing HTTP security headers in server configurations
- *
- * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
- * CWE-693: Protection Mechanism Failure
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectSecurityHeaders = detectSecurityHeaders;
-const file_classifier_1 = require("../../parse/file-classifier");
-const BASE_CONFIDENCE = 0.35;
-/**
- * Check if a file is client-side (not a server file)
- */
-function isClientSideFile(content, filePath) {
-    // Explicit 'use client' directive
-    if (/['"]use client['"]/.test(content))
-        return true;
-    // Client-side file paths
-    const clientPatterns = [
-        /\/components\//i,
-        /\/hooks\//i,
-        /\/pages\/(?!api\/)/i, // pages/ but not pages/api/
-        /\.client\.(ts|js|tsx|jsx)$/i,
-    ];
-    // Only apply path heuristics if no server indicators
-    if (clientPatterns.some(p => p.test(filePath))) {
-        // Check for server indicators that override
-        const hasServerIndicators = content.includes('express()') ||
-            content.includes("require('express')") ||
-            content.includes('from \'express\'') ||
-            content.includes('from "express"') ||
-            content.includes('createServer') ||
-            /['"]use server['"]/.test(content);
-        if (!hasServerIndicators)
-            return true;
-    }
-    return false;
-}
-/**
- * Check if a file is a Next.js config file
- */
-function isNextConfig(filePath) {
-    return /next\.config\.(m?js|ts)$/.test(filePath);
-}
-/**
- * Detect missing security headers in server configurations
- */
-function detectSecurityHeaders(content, filePath, options) {
-    const vulnerabilities = [];
-    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    if ((0, file_classifier_1.isTestOrMockFile)(filePath))
-        return vulnerabilities;
-    if (isClientSideFile(content, filePath))
-        return vulnerabilities;
-    const lines = options?.parsed?.lines ?? content.split('\n');
-    // --- Check 1: Express without helmet ---
-    const hasExpress = content.includes('express()') ||
-        /require\s*\(\s*['"]express['"]\s*\)/.test(content) ||
-        /from\s+['"]express['"]/.test(content);
-    if (hasExpress) {
-        const hasHelmet = /require\s*\(\s*['"]helmet['"]\s*\)/.test(content) ||
-            /from\s+['"]helmet['"]/.test(content) ||
-            /require\s*\(\s*['"]@fastify\/helmet['"]\s*\)/.test(content) ||
-            /from\s+['"]@fastify\/helmet['"]/.test(content);
-        if (!hasHelmet) {
-            // Find the line where express() is called
-            let expressLine = 0;
-            let expressContent = '';
-            for (let i = 0; i < lines.length; i++) {
-                if (/express\s*\(\s*\)/.test(lines[i])) {
-                    expressLine = i + 1;
-                    expressContent = lines[i].trim();
-                    break;
-                }
-            }
-            if (expressLine > 0) {
-                vulnerabilities.push({
-                    id: `secheader-${filePath}-express-no-helmet`,
-                    filePath,
-                    lineNumber: expressLine,
-                    lineContent: expressContent,
-                    severity: 'medium',
-                    category: 'missing_security_headers',
-                    title: 'Express app without helmet security headers',
-                    description: 'Express application does not use helmet middleware. This leaves the app without critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).',
-                    suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
-                    confidence: 'high',
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                    requiresAIValidation: true,
-                });
-            }
-        }
-        else {
-            // --- Check 2: Helmet with CSP disabled ---
-            for (let i = 0; i < lines.length; i++) {
-                const line = lines[i];
-                if (/contentSecurityPolicy\s*:\s*false/.test(line)) {
-                    vulnerabilities.push({
-                        id: `secheader-${filePath}-${i + 1}-csp-disabled`,
-                        filePath,
-                        lineNumber: i + 1,
-                        lineContent: line.trim(),
-                        severity: 'low',
-                        category: 'missing_security_headers',
-                        title: 'Helmet CSP disabled',
-                        description: 'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
-                        suggestedFix: 'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
-                        confidence: 'high',
-                        baseConfidence: BASE_CONFIDENCE,
-                        layer: 2,
-                        source: 'structural',
-                    });
-                }
-            }
-        }
-    }
-    // --- Check 3: Next.js config missing headers ---
-    if (isNextConfig(filePath)) {
-        const hasHeadersExport = /headers\s*\(\s*\)/.test(content) ||
-            /headers\s*:\s*(?:async\s*)?\(?\s*\)?\s*=>/.test(content) ||
-            /async\s+headers\s*\(\s*\)/.test(content);
-        if (!hasHeadersExport) {
-            vulnerabilities.push({
-                id: `secheader-${filePath}-nextjs-no-headers`,
-                filePath,
-                lineNumber: 1,
-                lineContent: lines[0]?.trim() || '',
-                severity: 'medium',
-                category: 'missing_security_headers',
-                title: 'Next.js config missing security headers',
-                description: 'next.config does not export a headers() function. Security headers (CSP, HSTS, X-Frame-Options) should be configured in Next.js config or middleware.',
-                suggestedFix: 'Add a headers() function to next.config.js that returns security headers array',
-                confidence: 'medium',
-                baseConfidence: BASE_CONFIDENCE,
-                layer: 2,
-                source: 'structural',
-                requiresAIValidation: true,
-            });
-        }
-    }
-    // --- Check 4: Server setting some headers but missing critical ones ---
-    // Only check files that explicitly set response headers
-    const setsHeaders = /res\.setHeader\s*\(/.test(content) ||
-        /response\.setHeader\s*\(/.test(content) ||
-        /res\.set\s*\(/.test(content) ||
-        /response\.headers\.set\s*\(/.test(content);
-    if (setsHeaders && !hasExpress) {
-        const criticalHeaders = [
-            { name: 'Content-Security-Policy', pattern: /content-security-policy/i },
-            { name: 'Strict-Transport-Security', pattern: /strict-transport-security/i },
-            { name: 'X-Content-Type-Options', pattern: /x-content-type-options/i },
-            { name: 'X-Frame-Options', pattern: /x-frame-options/i },
-        ];
-        const missingHeaders = criticalHeaders.filter(h => !h.pattern.test(content));
-        // Only flag if file sets SOME headers but omits critical ones
-        const presentHeaders = criticalHeaders.filter(h => h.pattern.test(content));
-        if (presentHeaders.length > 0 && missingHeaders.length > 0) {
-            // Find a line where headers are being set for reporting
-            let headerLine = 0;
-            let headerContent = '';
-            for (let i = 0; i < lines.length; i++) {
-                if (/(?:res|response)\.(?:setHeader|set|headers\.set)\s*\(/.test(lines[i])) {
-                    headerLine = i + 1;
-                    headerContent = lines[i].trim();
-                    break;
-                }
-            }
-            if (headerLine > 0) {
-                const missing = missingHeaders.map(h => h.name).join(', ');
-                vulnerabilities.push({
-                    id: `secheader-${filePath}-${headerLine}-missing-headers`,
-                    filePath,
-                    lineNumber: headerLine,
-                    lineContent: headerContent,
-                    severity: 'low',
-                    category: 'missing_security_headers',
-                    title: 'Incomplete security headers',
-                    description: `Server sets some response headers but is missing: ${missing}. Consider adding these critical security headers.`,
-                    suggestedFix: `Add missing security headers: ${missing}`,
-                    confidence: 'medium',
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                    requiresAIValidation: true,
-                });
-            }
-        }
-    }
-    return vulnerabilities;
-}
-//# sourceMappingURL=security-headers.js.map

package/dist/detect/structural/security-headers.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../../src/detect/structural/security-headers.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAwDH,sDAwKC;AA5ND,iEAGoC;AAEpC,MAAM,eAAe,GAAG,IAAI,CAAA;AAM5B;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,kCAAkC;IAClC,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnD,yBAAyB;IACzB,MAAM,cAAc,GAAG;QACrB,iBAAiB;QACjB,YAAY;QACZ,qBAAqB,EAAE,4BAA4B;QACnD,6BAA6B;KAC9B,CAAA;IAED,qDAAqD;IACrD,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,4CAA4C;QAC5C,MAAM,mBAAmB,GACvB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC7B,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YACtC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAClC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACpC,IAAI,CAAC,mBAAmB;YAAE,OAAO,IAAI,CAAA;IACvC,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAClD,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,OAAe,EACf,QAAgB,EAChB,OAAgC;IAEhC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IACtD,IAAI,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE/D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,0CAA0C;IAC1C,MAAM,UAAU,GACd,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7B,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC;QACnD,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAExC,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,GACb,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC;YAClD,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC;YACrC,8CAA8C,CAAC,IAAI,CAAC,OAAO,CAAC;YAC5D,iCAAiC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAEjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,0CAA0C;YAC1C,IAAI,WAAW,GAAG,CAAC,CAAA;YACnB,IAAI,cAAc,GAAG,EAAE,CAAA;YACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,WAAW,GAAG,CAAC,GAAG,CAAC,CAAA;oBACnB,cAAc,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;oBAChC,MAAK;gBACP,CAAC;YACH,CAAC;YAED,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,aAAa,QAAQ,oBAAoB;oBAC7C,QAAQ;oBACR,UAAU,EAAE,WAAW;oBACvB,WAAW,EAAE,cAAc;oBAC3B,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,0BAA0B;oBACpC,KAAK,EAAE,6CAA6C;oBACpD,WAAW,EACT,sKAAsK;oBACxK,YAAY,EAAE,4EAA4E;oBAC1F,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;oBAC3B,oBAAoB,EAAE,IAAI;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,4CAA4C;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBACrB,IAAI,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnD,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,aAAa,QAAQ,IAAI,CAAC,GAAG,CAAC,eAAe;wBACjD,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,KAAK;wBACf,QAAQ,EAAE,0BAA0B;wBACpC,KAAK,EAAE,qBAAqB;wBAC5B,WAAW,EACT,wHAAwH;wBAC1H,YAAY,EACV,yHAAyH;wBAC3H,UAAU,EAAE,MAAM;wBAClB,cAAc,EAAE,eAAe;wBAC/B,KAAK,EAAE,CAAC;wBACZ,MAAM,EAAE,YAAqB;qBAC1B,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,MAAM,gBAAgB,GACpB,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC;YACjC,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC;YACzD,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAE3C,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,aAAa,QAAQ,oBAAoB;gBAC7C,QAAQ;gBACR,UAAU,EAAE,CAAC;gBACb,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;gBACnC,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,0BAA0B;gBACpC,KAAK,EAAE,yCAAyC;gBAChD,WAAW,EACT,uJAAuJ;gBACzJ,YAAY,EACV,gFAAgF;gBAClF,UAAU,EAAE,QAAQ;gBACpB,cAAc,EAAE,eAAe;gBAC/B,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,YAAqB;gBAC7B,oBAAoB,EAAE,IAAI;aAC3B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,wDAAwD;IACxD,MAAM,WAAW,GACf,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC;QACnC,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC;QACxC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAC7B,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAE7C,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,eAAe,GAAG;YACtB,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,0BAA0B,EAAE;YACxE,EAAE,IAAI,EAAE,2BAA2B,EAAE,OAAO,EAAE,4BAA4B,EAAE;YAC5E,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,yBAAyB,EAAE;YACtE,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,kBAAkB,EAAE;SACzD,CAAA;QAED,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAE5E,8DAA8D;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3D,wDAAwD;YACxD,IAAI,UAAU,GAAG,CAAC,CAAA;YAClB,IAAI,aAAa,GAAG,EAAE,CAAA;YACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,uDAAuD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3E,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;oBAClB,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;oBAC/B,MAAK;gBACP,CAAC;YACH,CAAC;YAED,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;gBACnB,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC1D,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,aAAa,QAAQ,IAAI,UAAU,kBAAkB;oBACzD,QAAQ;oBACR,UAAU,EAAE,UAAU;oBACtB,WAAW,EAAE,aAAa;oBAC1B,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,0BAA0B;oBACpC,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,qDAAqD,OAAO,oDAAoD;oBAC7H,YAAY,EAAE,iCAAiC,OAAO,EAAE;oBACxD,UAAU,EAAE,QAAQ;oBACpB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;oBAC3B,oBAAoB,EAAE,IAAI;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/ssrf-detection.d.ts

@@ -1,18 +0,0 @@
-/**
- * Layer 2: SSRF (Server-Side Request Forgery) Detector
- * Detects user input flowing to server-side HTTP request sinks
- *
- * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
- * CWE-918: Server-Side Request Forgery
- */
-import type { Vulnerability } from '../../shared/types';
-import type { ParsedFile } from '../../shared/parsed-file';
-interface SSRFOptions {
-    parsed?: ParsedFile;
-}
-/**
- * Detect SSRF patterns in server-side code
- */
-export declare function detectSSRFPatterns(content: string, filePath: string, options?: SSRFOptions): Vulnerability[];
-export {};
-//# sourceMappingURL=ssrf-detection.d.ts.map

package/dist/detect/structural/ssrf-detection.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ssrf-detection.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/ssrf-detection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAS1D,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AA6CD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,WAAW,GACpB,aAAa,EAAE,CAmOjB"}

package/dist/detect/structural/ssrf-detection.js

@@ -1,263 +0,0 @@
-"use strict";
-/**
- * Layer 2: SSRF (Server-Side Request Forgery) Detector
- * Detects user input flowing to server-side HTTP request sinks
- *
- * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
- * CWE-918: Server-Side Request Forgery
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectSSRFPatterns = detectSSRFPatterns;
-const file_classifier_1 = require("../../parse/file-classifier");
-const BASE_CONFIDENCE = 0.40;
-/** User input source patterns */
-const USER_INPUT_PATTERN = /(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/;
-/** Check if file is client-side (SSRF is server-only) */
-function isClientSideFile(content, filePath) {
-    if (/['"]use client['"]/.test(content))
-        return true;
-    // .tsx/.jsx in components dir without server indicators
-    if (/\/components\//.test(filePath) && !content.includes('express()') && !/['"]use server['"]/.test(content)) {
-        return true;
-    }
-    return false;
-}
-/**
- * Check surrounding context for SSRF mitigations
- */
-function hasSSRFMitigation(lines, lineIndex, windowSize = 15) {
-    const start = Math.max(0, lineIndex - windowSize);
-    const end = Math.min(lines.length, lineIndex + windowSize + 1);
-    const context = lines.slice(start, end).join('\n');
-    // Allowlist validation
-    if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(context))
-        return true;
-    if (/allowList|allowlist|whitelist|whiteList/.test(context))
-        return true;
-    // URL validation with host/origin check
-    if (/new\s+URL\(/.test(context) && /\.(?:hostname|host|origin)/.test(context))
-        return true;
-    // IP range checking
-    if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(context))
-        return true;
-    if (/(?:127\.0\.0\.1|10\.\d|192\.168\.|169\.254\.)/.test(context) && /(?:block|reject|deny|forbidden)/i.test(context))
-        return true;
-    // Environment variable source
-    if (/process\.env\./i.test(context)) {
-        // Check if the URL comes from env var, not just any env var in context
-        const envLineCount = lines.slice(start, end).filter(l => /process\.env\./.test(l)).length;
-        const userInputCount = lines.slice(start, end).filter(l => USER_INPUT_PATTERN.test(l)).length;
-        if (envLineCount > 0 && userInputCount <= 1)
-            return false; // Don't suppress just because env vars exist
-    }
-    return false;
-}
-/**
- * Detect SSRF patterns in server-side code
- */
-function detectSSRFPatterns(content, filePath, options) {
-    const vulnerabilities = [];
-    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
-        return vulnerabilities;
-    if ((0, file_classifier_1.isTestOrMockFile)(filePath))
-        return vulnerabilities;
-    if (isClientSideFile(content, filePath))
-        return vulnerabilities;
-    const lines = options?.parsed?.lines ?? content.split('\n');
-    // ========== Pass 1: Direct taint — user input in HTTP sinks ==========
-    const DIRECT_SSRF_PATTERNS = [
-        // fetch(req.body.url), fetch(req.query.endpoint)
-        /(?:fetch|got|undici\.request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/,
-        // axios.get(req.body.url)
-        /axios\.(?:get|post|put|delete|patch|head|options|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
-        // http.get(req.body.url), https.get(...)
-        /https?\.(?:get|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
-        // got(req.body.url)
-        /got\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
-        // Python: requests.get(request.args.get('url'))
-        /requests\.(?:get|post|put|delete|patch|head|options)\s*\(\s*(?:request\.(?:args|form|json|data)\.get|request\.(?:args|form|json|data)\[)/,
-        // Python: urllib.request.urlopen(request.args.get('url'))
-        /urllib\.request\.urlopen\s*\(\s*(?:request\.(?:args|form|json))/,
-    ];
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        for (const pattern of DIRECT_SSRF_PATTERNS) {
-            if (pattern.test(line)) {
-                if (hasSSRFMitigation(lines, i))
-                    continue;
-                vulnerabilities.push({
-                    id: `ssrf-${filePath}-${i + 1}-direct`,
-                    filePath,
-                    lineNumber: i + 1,
-                    lineContent: line.trim(),
-                    severity: 'high',
-                    category: 'ssrf',
-                    title: 'SSRF: User input in HTTP request',
-                    description: 'User-controlled input flows directly to a server-side HTTP request. An attacker could force the server to make requests to internal services, cloud metadata endpoints (169.254.169.254), or other sensitive resources.',
-                    suggestedFix: 'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
-                    confidence: 'high',
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                });
-                break;
-            }
-        }
-    }
-    // ========== Pass 2: Open redirect ==========
-    const OPEN_REDIRECT_PATTERNS = [
-        // res.redirect(req.query.next)
-        /res\.redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
-        // redirect(req.query.returnTo)
-        /(?<!\w)redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
-    ];
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        for (const pattern of OPEN_REDIRECT_PATTERNS) {
-            if (pattern.test(line)) {
-                if (hasSSRFMitigation(lines, i))
-                    continue;
-                vulnerabilities.push({
-                    id: `ssrf-${filePath}-${i + 1}-redirect`,
-                    filePath,
-                    lineNumber: i + 1,
-                    lineContent: line.trim(),
-                    severity: 'high',
-                    category: 'ssrf',
-                    title: 'Open redirect: User input in redirect',
-                    description: 'User-controlled input is used in a server redirect. An attacker could craft a URL that redirects users to a malicious site for phishing.',
-                    suggestedFix: 'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
-                    confidence: 'high',
-                    baseConfidence: BASE_CONFIDENCE,
-                    layer: 2,
-                    source: 'structural',
-                });
-                break;
-            }
-        }
-    }
-    // ========== Pass 3: Variable-mediated taint ==========
-    // Track: const url = req.body.url; ... fetch(url)
-    const taintedVars = new Map(); // varName -> lineIndex
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        // Detect taint sources: const/let/var url = req.body.url
-        const taintMatch = line.match(/(?:const|let|var)\s+(\w+)\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/);
-        if (taintMatch) {
-            taintedVars.set(taintMatch[1], i);
-            continue;
-        }
-        // Also detect destructuring: const { url } = req.body
-        const destructMatch = line.match(/(?:const|let|var)\s*\{([^}]+)\}\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params)/);
-        if (destructMatch) {
-            const vars = destructMatch[1].split(',').map(v => v.trim().split(':')[0].trim());
-            for (const v of vars) {
-                if (v)
-                    taintedVars.set(v, i);
-            }
-            continue;
-        }
-        // Check if tainted variable flows to HTTP sink (within 20 lines)
-        if (taintedVars.size > 0) {
-            const httpSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request)|undici\.request)\s*\(/;
-            if (httpSinkPattern.test(line)) {
-                for (const [varName, sourceLineIdx] of taintedVars) {
-                    if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
-                        // Check if the variable is used in this sink call
-                        const varPattern = new RegExp(`\\b${varName}\\b`);
-                        if (varPattern.test(line)) {
-                            if (hasSSRFMitigation(lines, i))
-                                continue;
-                            vulnerabilities.push({
-                                id: `ssrf-${filePath}-${i + 1}-mediated`,
-                                filePath,
-                                lineNumber: i + 1,
-                                lineContent: line.trim(),
-                                severity: 'medium',
-                                category: 'ssrf',
-                                title: 'SSRF: Variable-mediated user input in HTTP request',
-                                description: `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to an HTTP request sink. An attacker could control the request destination.`,
-                                suggestedFix: 'Validate the URL against an allowlist before making the request. Block private IP ranges.',
-                                confidence: 'medium',
-                                baseConfidence: BASE_CONFIDENCE,
-                                layer: 2,
-                                source: 'structural',
-                                requiresAIValidation: true,
-                            });
-                            break;
-                        }
-                    }
-                }
-            }
-            // Check for redirect sinks too
-            const redirectSinkPattern = /(?:res\.redirect|redirect)\s*\(/;
-            if (redirectSinkPattern.test(line)) {
-                for (const [varName, sourceLineIdx] of taintedVars) {
-                    if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
-                        const varPattern = new RegExp(`\\b${varName}\\b`);
-                        if (varPattern.test(line)) {
-                            if (hasSSRFMitigation(lines, i))
-                                continue;
-                            vulnerabilities.push({
-                                id: `ssrf-${filePath}-${i + 1}-redirect-mediated`,
-                                filePath,
-                                lineNumber: i + 1,
-                                lineContent: line.trim(),
-                                severity: 'medium',
-                                category: 'ssrf',
-                                title: 'Open redirect: Variable-mediated user input',
-                                description: `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to a redirect call.`,
-                                suggestedFix: 'Validate redirect URL against an allowlist of permitted paths.',
-                                confidence: 'medium',
-                                baseConfidence: BASE_CONFIDENCE,
-                                layer: 2,
-                                source: 'structural',
-                                requiresAIValidation: true,
-                            });
-                            break;
-                        }
-                    }
-                }
-            }
-        }
-    }
-    // ========== Pass 4: Template literal with user input in URL ==========
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        if ((0, file_classifier_1.isComment)(line))
-            continue;
-        // fetch(`${req.query.baseUrl}/api`) or fetch(`http://${req.body.host}/path`)
-        const templateSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request))\s*\(\s*`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/;
-        if (templateSinkPattern.test(line)) {
-            // Avoid duplicate with direct taint
-            const alreadyFound = vulnerabilities.some(v => v.lineNumber === i + 1 && v.filePath === filePath);
-            if (alreadyFound)
-                continue;
-            if (hasSSRFMitigation(lines, i))
-                continue;
-            vulnerabilities.push({
-                id: `ssrf-${filePath}-${i + 1}-template`,
-                filePath,
-                lineNumber: i + 1,
-                lineContent: line.trim(),
-                severity: 'high',
-                category: 'ssrf',
-                title: 'SSRF: User input interpolated in HTTP request URL',
-                description: 'User-controlled request data is interpolated into an HTTP request URL via template literal. An attacker could manipulate the request destination.',
-                suggestedFix: 'Extract and validate the user input before constructing the URL. Use an allowlist of permitted domains.',
-                confidence: 'high',
-                baseConfidence: BASE_CONFIDENCE,
-                layer: 2,
-                source: 'structural',
-            });
-        }
-    }
-    return vulnerabilities;
-}
-//# sourceMappingURL=ssrf-detection.js.map

package/dist/detect/structural/ssrf-detection.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ssrf-detection.js","sourceRoot":"","sources":["../../../src/detect/structural/ssrf-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA8DH,gDAuOC;AAjSD,iEAIoC;AAEpC,MAAM,eAAe,GAAG,IAAI,CAAA;AAM5B,iCAAiC;AACjC,MAAM,kBAAkB,GAAG,yEAAyE,CAAA;AAEpG,yDAAyD;AACzD,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IACnD,wDAAwD;IACxD,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7G,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAe,EAAE,SAAiB,EAAE,aAAqB,EAAE;IACpF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,uBAAuB;IACvB,IAAI,iEAAiE,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAChG,IAAI,yCAAyC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAExE,wCAAwC;IACxC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAE1F,oBAAoB;IACpB,IAAI,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAC9E,IAAI,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAElI,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,uEAAuE;QACvE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;QACzF,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;QAC7F,IAAI,YAAY,GAAG,CAAC,IAAI,cAAc,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA,CAAC,6CAA6C;IACzG,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAqB;IAErB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IACtD,IAAI,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE/D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,wEAAwE;IACxE,MAAM,oBAAoB,GAAG;QAC3B,iDAAiD;QACjD,8GAA8G;QAC9G,0BAA0B;QAC1B,sHAAsH;QACtH,yCAAyC;QACzC,oFAAoF;QACpF,oBAAoB;QACpB,gEAAgE;QAChE,gDAAgD;QAChD,0IAA0I;QAC1I,0DAA0D;QAC1D,iEAAiE;KAClE,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;YAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;oBAAE,SAAQ;gBAEzC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,SAAS;oBACtC,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,kCAAkC;oBACzC,WAAW,EACT,yNAAyN;oBAC3N,YAAY,EACV,+HAA+H;oBACjI,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,MAAM,sBAAsB,GAAG;QAC7B,+BAA+B;QAC/B,yEAAyE;QACzE,+BAA+B;QAC/B,2EAA2E;KAC5E,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;oBAAE,SAAQ;gBAEzC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;oBACxC,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EACT,0IAA0I;oBAC5I,YAAY,EACV,yHAAyH;oBAC3H,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,kDAAkD;IAClD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAA,CAAC,uBAAuB;IAErE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,yDAAyD;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC3B,yGAAyG,CAC1G,CAAA;QACD,IAAI,UAAU,EAAE,CAAC;YACf,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YACjC,SAAQ;QACV,CAAC;QAED,sDAAsD;QACtD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAC9B,2FAA2F,CAC5F,CAAA;QACD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YAChF,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC;oBAAE,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YAC9B,CAAC;YACD,SAAQ;QACV,CAAC;QAED,iEAAiE;QACjE,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,eAAe,GAAG,yGAAyG,CAAA;YACjI,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,KAAK,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,WAAW,EAAE,CAAC;oBACnD,IAAI,CAAC,GAAG,aAAa,IAAI,EAAE,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;wBACrD,kDAAkD;wBAClD,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAA;wBACjD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gCAAE,SAAQ;4BAEzC,eAAe,CAAC,IAAI,CAAC;gCACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;gCACxC,QAAQ;gCACR,UAAU,EAAE,CAAC,GAAG,CAAC;gCACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gCACxB,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,MAAM;gCAChB,KAAK,EAAE,oDAAoD;gCAC3D,WAAW,EACT,oCAAoC,OAAO,WAAW,aAAa,GAAG,CAAC,qFAAqF;gCAC9J,YAAY,EACV,2FAA2F;gCAC7F,UAAU,EAAE,QAAQ;gCACpB,cAAc,EAAE,eAAe;gCAC/B,KAAK,EAAE,CAAC;gCAChB,MAAM,EAAE,YAAqB;gCACrB,oBAAoB,EAAE,IAAI;6BAC3B,CAAC,CAAA;4BACF,MAAK;wBACP,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,+BAA+B;YAC/B,MAAM,mBAAmB,GAAG,iCAAiC,CAAA;YAC7D,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,KAAK,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,WAAW,EAAE,CAAC;oBACnD,IAAI,CAAC,GAAG,aAAa,IAAI,EAAE,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;wBACrD,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAA;wBACjD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gCAAE,SAAQ;4BAEzC,eAAe,CAAC,IAAI,CAAC;gCACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,oBAAoB;gCACjD,QAAQ;gCACR,UAAU,EAAE,CAAC,GAAG,CAAC;gCACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gCACxB,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,MAAM;gCAChB,KAAK,EAAE,6CAA6C;gCACpD,WAAW,EACT,oCAAoC,OAAO,WAAW,aAAa,GAAG,CAAC,6BAA6B;gCACtG,YAAY,EAAE,gEAAgE;gCAC9E,UAAU,EAAE,QAAQ;gCACpB,cAAc,EAAE,eAAe;gCAC/B,KAAK,EAAE,CAAC;gCAChB,MAAM,EAAE,YAAqB;gCACrB,oBAAoB,EAAE,IAAI;6BAC3B,CAAC,CAAA;4BACF,MAAK;wBACP,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,6EAA6E;QAC7E,MAAM,mBAAmB,GAAG,qKAAqK,CAAA;QACjM,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,oCAAoC;YACpC,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CACvD,CAAA;YACD,IAAI,YAAY;gBAAE,SAAQ;YAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gBAAE,SAAQ;YAEzC,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;gBACxC,QAAQ;gBACR,UAAU,EAAE,CAAC,GAAG,CAAC;gBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,mDAAmD;gBAC1D,WAAW,EACT,mJAAmJ;gBACrJ,YAAY,EACV,yGAAyG;gBAC3G,UAAU,EAAE,MAAM;gBAClB,cAAc,EAAE,eAAe;gBAC/B,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,YAAqB;aAC9B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/variables.d.ts

@@ -1,11 +0,0 @@
-/**
- * Layer 2: Variable Heuristics
- * Identifies variable names associated with sensitive data
- */
-import type { Vulnerability, SensitiveVariablePattern } from '../../shared/types';
-import type { ParsedFile } from '../../shared/parsed-file';
-export declare const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[];
-export declare function detectSensitiveVariables(content: string, filePath: string, options?: {
-    parsed?: ParsedFile;
-}): Vulnerability[];
-//# sourceMappingURL=variables.d.ts.map

package/dist/detect/structural/variables.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"variables.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/variables.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAA;AACjF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAM1D,eAAO,MAAM,2BAA2B,EAAE,wBAAwB,EA0DjE,CAAA;AAqDD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAiDjB"}