@oculum/scanner 1.0.14 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/index.d.ts +6 -11
- package/dist/detect/ai-code/index.d.ts.map +1 -1
- package/dist/detect/ai-code/index.js +6 -24
- package/dist/detect/ai-code/index.js.map +1 -1
- package/dist/detect/ast-rules/agent-tools-ast.d.ts +14 -0
- package/dist/detect/ast-rules/agent-tools-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/agent-tools-ast.js +809 -0
- package/dist/detect/ast-rules/agent-tools-ast.js.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js +344 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts +14 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js +280 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/byok-ast.d.ts +13 -0
- package/dist/detect/ast-rules/byok-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/byok-ast.js +180 -0
- package/dist/detect/ast-rules/byok-ast.js.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts +13 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.js +252 -0
- package/dist/detect/ast-rules/child-process-ast.js.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts +13 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js +218 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts +13 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.js +158 -0
- package/dist/detect/ast-rules/data-exposure-ast.js.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts +14 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.js +217 -0
- package/dist/detect/ast-rules/dom-xss-ast.js.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts +13 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js +228 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts +17 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.js +265 -0
- package/dist/detect/ast-rules/entropy-ast.js.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts +10 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.js +125 -0
- package/dist/detect/ast-rules/flask-debug-ast.js.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts +13 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.js +185 -0
- package/dist/detect/ast-rules/framework-checks-ast.js.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts +62 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js +217 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts +33 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.js +256 -0
- package/dist/detect/ast-rules/helpers/context-detection.js.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts +40 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.js +174 -0
- package/dist/detect/ast-rules/helpers/control-flow.js.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts +43 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js +149 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/index.d.ts +16 -0
- package/dist/detect/ast-rules/helpers/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/index.js +112 -0
- package/dist/detect/ast-rules/helpers/index.js.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts +215 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js +935 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts +50 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js +194 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts +57 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js +184 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts +44 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js +125 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts +35 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.js +243 -0
- package/dist/detect/ast-rules/helpers/user-input.js.map +1 -0
- package/dist/detect/ast-rules/index.d.ts +112 -0
- package/dist/detect/ast-rules/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/index.js +232 -0
- package/dist/detect/ast-rules/index.js.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts +13 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.js +143 -0
- package/dist/detect/ast-rules/json-parse-ast.js.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts +14 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.js +235 -0
- package/dist/detect/ast-rules/log-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts +14 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.js +312 -0
- package/dist/detect/ast-rules/logic-gates-ast.js.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts +14 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.js +755 -0
- package/dist/detect/ast-rules/mcp-security-ast.js.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts +13 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js +188 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts +13 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js +607 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts +15 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js +332 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts +18 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.js +640 -0
- package/dist/detect/ast-rules/rag-safety-ast.js.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts +13 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.js +116 -0
- package/dist/detect/ast-rules/request-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts +14 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.js +114 -0
- package/dist/detect/ast-rules/risky-imports-ast.js.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts +14 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.js +233 -0
- package/dist/detect/ast-rules/schema-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts +17 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js +199 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts +14 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.js +187 -0
- package/dist/detect/ast-rules/security-headers-ast.js.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts +17 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.js +497 -0
- package/dist/detect/ast-rules/sql-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.js +573 -0
- package/dist/detect/ast-rules/ssrf-ast.js.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts +18 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.js +92 -0
- package/dist/detect/ast-rules/taint-fix-templates.js.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts +24 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.js +340 -0
- package/dist/detect/ast-rules/taint-flow-ast.js.map +1 -0
- package/dist/detect/ast-rules/variables-ast.d.ts +24 -0
- package/dist/detect/ast-rules/variables-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/variables-ast.js +362 -0
- package/dist/detect/ast-rules/variables-ast.js.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts +15 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js +406 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts +13 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.js +157 -0
- package/dist/detect/ast-rules/xxe-ast.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -1
- package/dist/detect/config/agent-skill-injection.js +2 -24
- package/dist/detect/config/agent-skill-injection.js.map +1 -1
- package/dist/detect/config/index.d.ts +1 -0
- package/dist/detect/config/index.d.ts.map +1 -1
- package/dist/detect/config/index.js +3 -1
- package/dist/detect/config/index.js.map +1 -1
- package/dist/detect/config/osv-check.d.ts.map +1 -1
- package/dist/detect/config/osv-check.js +6 -1
- package/dist/detect/config/osv-check.js.map +1 -1
- package/dist/detect/config/package-check.d.ts.map +1 -1
- package/dist/detect/config/package-check.js +6 -1
- package/dist/detect/config/package-check.js.map +1 -1
- package/dist/detect/config/rules-file-backdoor.d.ts +36 -0
- package/dist/detect/config/rules-file-backdoor.d.ts.map +1 -0
- package/dist/detect/config/rules-file-backdoor.js +379 -0
- package/dist/detect/config/rules-file-backdoor.js.map +1 -0
- package/dist/detect/index.d.ts +43 -6
- package/dist/detect/index.d.ts.map +1 -1
- package/dist/detect/index.js +70 -7
- package/dist/detect/index.js.map +1 -1
- package/dist/detect/secrets/config-audit.d.ts.map +1 -1
- package/dist/detect/secrets/config-audit.js +36 -3
- package/dist/detect/secrets/config-audit.js.map +1 -1
- package/dist/detect/secrets/entropy.d.ts.map +1 -1
- package/dist/detect/secrets/entropy.js +180 -0
- package/dist/detect/secrets/entropy.js.map +1 -1
- package/dist/detect/secrets/index.d.ts +0 -2
- package/dist/detect/secrets/index.d.ts.map +1 -1
- package/dist/detect/secrets/index.js +7 -17
- package/dist/detect/secrets/index.js.map +1 -1
- package/dist/detect/structural/index.d.ts +15 -28
- package/dist/detect/structural/index.d.ts.map +1 -1
- package/dist/detect/structural/index.js +20 -497
- package/dist/detect/structural/index.js.map +1 -1
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts.map +1 -1
- package/dist/model/auth-helper-detector.js +2 -7
- package/dist/model/auth-helper-detector.js.map +1 -1
- package/dist/model/import-resolver.d.ts.map +1 -1
- package/dist/model/import-resolver.js +94 -0
- package/dist/model/import-resolver.js.map +1 -1
- package/dist/model/imported-auth-detector.js +8 -8
- package/dist/model/imported-auth-detector.js.map +1 -1
- package/dist/model/index.d.ts +8 -0
- package/dist/model/index.d.ts.map +1 -1
- package/dist/model/index.js +198 -73
- package/dist/model/index.js.map +1 -1
- package/dist/model/module-graph.d.ts.map +1 -1
- package/dist/model/module-graph.js +22 -9
- package/dist/model/module-graph.js.map +1 -1
- package/dist/model/project-context.d.ts +1 -1
- package/dist/model/project-context.d.ts.map +1 -1
- package/dist/model/project-context.js +34 -0
- package/dist/model/project-context.js.map +1 -1
- package/dist/model/route-auth-resolver.d.ts.map +1 -1
- package/dist/model/route-auth-resolver.js +17 -2
- package/dist/model/route-auth-resolver.js.map +1 -1
- package/dist/model/route-discovery/index.js +1 -1
- package/dist/model/route-discovery/index.js.map +1 -1
- package/dist/model/route-discovery/nextjs.js +1 -1
- package/dist/model/route-discovery/nextjs.js.map +1 -1
- package/dist/model/route-discovery/python.d.ts +6 -3
- package/dist/model/route-discovery/python.d.ts.map +1 -1
- package/dist/model/route-discovery/python.js +132 -9
- package/dist/model/route-discovery/python.js.map +1 -1
- package/dist/model/route-discovery/types.d.ts +1 -1
- package/dist/model/route-discovery/types.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.d.ts +8 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.js +70 -0
- package/dist/model/route-discovery/utils.js.map +1 -1
- package/dist/model/taint-types.d.ts +0 -4
- package/dist/model/taint-types.d.ts.map +1 -1
- package/dist/parse/ast.d.ts +58 -0
- package/dist/parse/ast.d.ts.map +1 -0
- package/dist/parse/ast.js +230 -0
- package/dist/parse/ast.js.map +1 -0
- package/dist/parse/call-graph.d.ts +41 -0
- package/dist/parse/call-graph.d.ts.map +1 -0
- package/dist/parse/call-graph.js +386 -0
- package/dist/parse/call-graph.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +11 -0
- package/dist/parse/file-classifier.d.ts.map +1 -1
- package/dist/parse/file-classifier.js +63 -15
- package/dist/parse/file-classifier.js.map +1 -1
- package/dist/parse/node-index.d.ts +32 -0
- package/dist/parse/node-index.d.ts.map +1 -0
- package/dist/parse/node-index.js +103 -0
- package/dist/parse/node-index.js.map +1 -0
- package/dist/parse/type-extractor.d.ts +50 -0
- package/dist/parse/type-extractor.d.ts.map +1 -0
- package/dist/parse/type-extractor.js +243 -0
- package/dist/parse/type-extractor.js.map +1 -0
- package/dist/pipeline/config.d.ts +7 -1
- package/dist/pipeline/config.d.ts.map +1 -1
- package/dist/pipeline/config.js.map +1 -1
- package/dist/pipeline/index.d.ts +3 -3
- package/dist/pipeline/index.d.ts.map +1 -1
- package/dist/pipeline/index.js +192 -64
- package/dist/pipeline/index.js.map +1 -1
- package/dist/pipeline/modes/incremental.d.ts.map +1 -1
- package/dist/pipeline/modes/incremental.js +2 -7
- package/dist/pipeline/modes/incremental.js.map +1 -1
- package/dist/postprocess/dedup.d.ts +5 -2
- package/dist/postprocess/dedup.d.ts.map +1 -1
- package/dist/postprocess/dedup.js +47 -16
- package/dist/postprocess/dedup.js.map +1 -1
- package/dist/report/build-result.d.ts +9 -4
- package/dist/report/build-result.d.ts.map +1 -1
- package/dist/report/build-result.js +15 -4
- package/dist/report/build-result.js.map +1 -1
- package/dist/report/formatters/cli-terminal.d.ts +1 -1
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -1
- package/dist/report/formatters/cli-terminal.js +434 -231
- package/dist/report/formatters/cli-terminal.js.map +1 -1
- package/dist/report/sanitize.d.ts +10 -0
- package/dist/report/sanitize.d.ts.map +1 -0
- package/dist/report/sanitize.js +19 -0
- package/dist/report/sanitize.js.map +1 -0
- package/dist/score/adjustments.d.ts +20 -2
- package/dist/score/adjustments.d.ts.map +1 -1
- package/dist/score/adjustments.js +108 -37
- package/dist/score/adjustments.js.map +1 -1
- package/dist/score/confidence.d.ts +6 -0
- package/dist/score/confidence.d.ts.map +1 -1
- package/dist/score/confidence.js +10 -4
- package/dist/score/confidence.js.map +1 -1
- package/dist/score/evidence.d.ts +25 -0
- package/dist/score/evidence.d.ts.map +1 -0
- package/dist/score/evidence.js +51 -0
- package/dist/score/evidence.js.map +1 -0
- package/dist/score/index.d.ts +3 -1
- package/dist/score/index.d.ts.map +1 -1
- package/dist/score/index.js +25 -50
- package/dist/score/index.js.map +1 -1
- package/dist/score/types.d.ts +5 -1
- package/dist/score/types.d.ts.map +1 -1
- package/dist/shared/category-filter.d.ts.map +1 -1
- package/dist/shared/category-filter.js +12 -0
- package/dist/shared/category-filter.js.map +1 -1
- package/dist/shared/regex-utils.d.ts +3 -0
- package/dist/shared/regex-utils.d.ts.map +1 -0
- package/dist/shared/regex-utils.js +8 -0
- package/dist/shared/regex-utils.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +7 -0
- package/dist/shared/registry-clients.d.ts.map +1 -1
- package/dist/shared/registry-clients.js +94 -17
- package/dist/shared/registry-clients.js.map +1 -1
- package/dist/shared/rules/metadata.d.ts.map +1 -1
- package/dist/shared/rules/metadata.js +17 -0
- package/dist/shared/rules/metadata.js.map +1 -1
- package/dist/shared/types.d.ts +59 -15
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +38 -21
- package/dist/shared/types.js.map +1 -1
- package/dist/taint/async-flow.d.ts +44 -0
- package/dist/taint/async-flow.d.ts.map +1 -0
- package/dist/taint/async-flow.js +271 -0
- package/dist/taint/async-flow.js.map +1 -0
- package/dist/taint/cfg-builder.d.ts +35 -0
- package/dist/taint/cfg-builder.d.ts.map +1 -0
- package/dist/taint/cfg-builder.js +980 -0
- package/dist/taint/cfg-builder.js.map +1 -0
- package/dist/taint/cfg-types.d.ts +76 -0
- package/dist/taint/cfg-types.d.ts.map +1 -0
- package/dist/taint/cfg-types.js +13 -0
- package/dist/taint/cfg-types.js.map +1 -0
- package/dist/taint/constant-propagation.d.ts +34 -0
- package/dist/taint/constant-propagation.d.ts.map +1 -0
- package/dist/taint/constant-propagation.js +164 -0
- package/dist/taint/constant-propagation.js.map +1 -0
- package/dist/taint/cross-file-analyzer.d.ts +27 -0
- package/dist/taint/cross-file-analyzer.d.ts.map +1 -0
- package/dist/taint/cross-file-analyzer.js +99 -0
- package/dist/taint/cross-file-analyzer.js.map +1 -0
- package/dist/taint/cross-file-index.d.ts +59 -0
- package/dist/taint/cross-file-index.d.ts.map +1 -0
- package/dist/taint/cross-file-index.js +183 -0
- package/dist/taint/cross-file-index.js.map +1 -0
- package/dist/taint/def-use.d.ts +27 -0
- package/dist/taint/def-use.d.ts.map +1 -0
- package/dist/taint/def-use.js +519 -0
- package/dist/taint/def-use.js.map +1 -0
- package/dist/taint/file-analysis-cache.d.ts +47 -0
- package/dist/taint/file-analysis-cache.d.ts.map +1 -0
- package/dist/taint/file-analysis-cache.js +107 -0
- package/dist/taint/file-analysis-cache.js.map +1 -0
- package/dist/taint/framework-models.d.ts +77 -0
- package/dist/taint/framework-models.d.ts.map +1 -0
- package/dist/taint/framework-models.js +258 -0
- package/dist/taint/framework-models.js.map +1 -0
- package/dist/taint/helpers.d.ts +31 -0
- package/dist/taint/helpers.d.ts.map +1 -0
- package/dist/taint/helpers.js +130 -0
- package/dist/taint/helpers.js.map +1 -0
- package/dist/taint/index.d.ts +28 -0
- package/dist/taint/index.d.ts.map +1 -0
- package/dist/taint/index.js +77 -0
- package/dist/taint/index.js.map +1 -0
- package/dist/taint/llm-registry.d.ts +47 -0
- package/dist/taint/llm-registry.d.ts.map +1 -0
- package/dist/taint/llm-registry.js +152 -0
- package/dist/taint/llm-registry.js.map +1 -0
- package/dist/taint/llm-risk-scoring.d.ts +54 -0
- package/dist/taint/llm-risk-scoring.d.ts.map +1 -0
- package/dist/taint/llm-risk-scoring.js +376 -0
- package/dist/taint/llm-risk-scoring.js.map +1 -0
- package/dist/taint/propagation-types.d.ts +104 -0
- package/dist/taint/propagation-types.d.ts.map +1 -0
- package/dist/taint/propagation-types.js +98 -0
- package/dist/taint/propagation-types.js.map +1 -0
- package/dist/taint/propagation.d.ts +111 -0
- package/dist/taint/propagation.d.ts.map +1 -0
- package/dist/taint/propagation.js +1576 -0
- package/dist/taint/propagation.js.map +1 -0
- package/dist/taint/sanitizer-registry.d.ts +26 -0
- package/dist/taint/sanitizer-registry.d.ts.map +1 -0
- package/dist/taint/sanitizer-registry.js +422 -0
- package/dist/taint/sanitizer-registry.js.map +1 -0
- package/dist/taint/sink-classifier.d.ts +27 -0
- package/dist/taint/sink-classifier.d.ts.map +1 -0
- package/dist/taint/sink-classifier.js +1166 -0
- package/dist/taint/sink-classifier.js.map +1 -0
- package/dist/taint/source-classifier.d.ts +29 -0
- package/dist/taint/source-classifier.d.ts.map +1 -0
- package/dist/taint/source-classifier.js +814 -0
- package/dist/taint/source-classifier.js.map +1 -0
- package/dist/taint/taint-analyzer.d.ts +33 -0
- package/dist/taint/taint-analyzer.d.ts.map +1 -0
- package/dist/taint/taint-analyzer.js +88 -0
- package/dist/taint/taint-analyzer.js.map +1 -0
- package/dist/taint/taint-summary.d.ts +37 -0
- package/dist/taint/taint-summary.d.ts.map +1 -0
- package/dist/taint/taint-summary.js +293 -0
- package/dist/taint/taint-summary.js.map +1 -0
- package/dist/taint/types.d.ts +47 -0
- package/dist/taint/types.d.ts.map +1 -0
- package/dist/taint/types.js +19 -0
- package/dist/taint/types.js.map +1 -0
- package/dist/validate/clients.d.ts +2 -1
- package/dist/validate/clients.d.ts.map +1 -1
- package/dist/validate/clients.js +3 -2
- package/dist/validate/clients.js.map +1 -1
- package/dist/validate/index.d.ts +5 -6
- package/dist/validate/index.d.ts.map +1 -1
- package/dist/validate/index.js +22 -21
- package/dist/validate/index.js.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.js +16 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -1
- package/dist/validate/prompts/modules/common.d.ts +1 -1
- package/dist/validate/prompts/modules/common.d.ts.map +1 -1
- package/dist/validate/prompts/modules/common.js +12 -3
- package/dist/validate/prompts/modules/common.js.map +1 -1
- package/dist/validate/providers/anthropic.d.ts +4 -4
- package/dist/validate/providers/anthropic.d.ts.map +1 -1
- package/dist/validate/providers/anthropic.js +85 -58
- package/dist/validate/providers/anthropic.js.map +1 -1
- package/dist/validate/providers/openai.d.ts +4 -4
- package/dist/validate/providers/openai.d.ts.map +1 -1
- package/dist/validate/providers/openai.js +149 -99
- package/dist/validate/providers/openai.js.map +1 -1
- package/dist/validate/request-builder.d.ts +2 -8
- package/dist/validate/request-builder.d.ts.map +1 -1
- package/dist/validate/request-builder.js +4 -34
- package/dist/validate/request-builder.js.map +1 -1
- package/dist/validate/types.d.ts +9 -0
- package/dist/validate/types.d.ts.map +1 -1
- package/dist/validate/types.js.map +1 -1
- package/dist/validate/utils/path-helpers.js +2 -2
- package/dist/validate/utils/path-helpers.js.map +1 -1
- package/dist/validate/utils/response-parser.d.ts +10 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -1
- package/dist/validate/utils/response-parser.js +21 -2
- package/dist/validate/utils/response-parser.js.map +1 -1
- package/dist/validate/utils/retry.d.ts.map +1 -1
- package/dist/validate/utils/retry.js +19 -4
- package/dist/validate/utils/retry.js.map +1 -1
- package/package.json +7 -4
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1 -1
- package/src/__tests__/benchmark/planted-benchmark.test.ts +337 -0
- package/src/__tests__/benchmark/utils/test-runner.ts +38 -4
- package/src/__tests__/category-filter.test.ts +5 -1
- package/src/__tests__/context-engine/route-discovery/python.test.ts +726 -0
- package/src/__tests__/detect/ast-rules.test.ts +1043 -0
- package/src/__tests__/detect/offline-mode.test.ts +147 -0
- package/src/__tests__/detect/python-ast-rules.test.ts +569 -0
- package/src/__tests__/detect/python-helpers.test.ts +536 -0
- package/src/__tests__/detect/python-sast-rules.test.ts +453 -0
- package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts +151 -0
- package/src/__tests__/detect/rules-file-backdoor.test.ts +284 -0
- package/src/__tests__/detect/taint-fix-templates.test.ts +150 -0
- package/src/__tests__/detect/taint-path-serialization.test.ts +170 -0
- package/src/__tests__/parse/call-graph.test.ts +300 -0
- package/src/__tests__/parse/python-parser.test.ts +274 -0
- package/src/__tests__/regression/known-false-positives.test.ts +491 -9
- package/src/__tests__/regression/rules-file-backdoor.test.ts +137 -0
- package/src/__tests__/score/adjustments.test.ts +34 -16
- package/src/__tests__/score/confidence.test.ts +84 -57
- package/src/__tests__/score/evidence-scoring.test.ts +249 -0
- package/src/__tests__/score/evidence.test.ts +144 -0
- package/src/__tests__/score/scoring-integration.test.ts +56 -34
- package/src/__tests__/score/taint-adjustments.test.ts +14 -228
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +65 -59
- package/src/__tests__/snapshots/scan-depth.test.ts +39 -7
- package/src/__tests__/taint/async-flow.test.ts +247 -0
- package/src/__tests__/taint/cfg-builder.test.ts +835 -0
- package/src/__tests__/taint/constant-propagation.test.ts +302 -0
- package/src/__tests__/taint/cross-file-index.test.ts +683 -0
- package/src/__tests__/taint/cross-file-integration.test.ts +275 -0
- package/src/__tests__/taint/cross-file-propagation.test.ts +910 -0
- package/src/__tests__/taint/def-use.test.ts +132 -0
- package/src/__tests__/taint/field-sensitive-sinks.test.ts +179 -0
- package/src/__tests__/taint/field-sensitivity.test.ts +342 -0
- package/src/__tests__/taint/file-analysis-cache.test.ts +290 -0
- package/src/__tests__/taint/framework-models.test.ts +227 -0
- package/src/__tests__/taint/llm-flow-graph.test.ts +850 -0
- package/src/__tests__/taint/llm-risk-scoring.test.ts +439 -0
- package/src/__tests__/taint/performance-parity.test.ts +315 -0
- package/src/__tests__/taint/propagation.test.ts +621 -0
- package/src/__tests__/taint/python-cross-file.test.ts +494 -0
- package/src/__tests__/taint/python-taint.test.ts +1344 -0
- package/src/__tests__/taint/sanitizer-registry.test.ts +304 -0
- package/src/__tests__/taint/sanitizer-regression.test.ts +111 -0
- package/src/__tests__/taint/sink-classifier.test.ts +537 -0
- package/src/__tests__/taint/source-classifier.test.ts +367 -0
- package/src/__tests__/taint/taint-pipeline.test.ts +418 -0
- package/src/__tests__/taint/taint-smoke.test.ts +400 -0
- package/src/__tests__/taint/taint-summary.test.ts +472 -0
- package/src/detect/ai-code/index.ts +6 -11
- package/src/detect/ast-rules/agent-tools-ast.ts +861 -0
- package/src/detect/ast-rules/ai-fingerprinting-ast.ts +451 -0
- package/src/detect/ast-rules/auth-patterns-ast.ts +304 -0
- package/src/detect/ast-rules/byok-ast.ts +195 -0
- package/src/detect/ast-rules/child-process-ast.ts +276 -0
- package/src/detect/ast-rules/dangerous-eval-ast.ts +227 -0
- package/src/detect/ast-rules/data-exposure-ast.ts +162 -0
- package/src/detect/ast-rules/dom-xss-ast.ts +260 -0
- package/src/detect/ast-rules/endpoint-protection-ast.ts +231 -0
- package/src/detect/ast-rules/entropy-ast.ts +268 -0
- package/src/detect/ast-rules/flask-debug-ast.ts +148 -0
- package/src/detect/ast-rules/framework-checks-ast.ts +200 -0
- package/src/detect/ast-rules/helpers/call-analysis.ts +256 -0
- package/src/detect/ast-rules/helpers/context-detection.ts +277 -0
- package/src/detect/ast-rules/helpers/control-flow.ts +179 -0
- package/src/detect/ast-rules/helpers/import-analysis.ts +185 -0
- package/src/detect/ast-rules/helpers/index.ts +133 -0
- package/src/detect/ast-rules/helpers/python-helpers.ts +1054 -0
- package/src/detect/ast-rules/helpers/scope-analysis.ts +224 -0
- package/src/detect/ast-rules/helpers/string-analysis.ts +215 -0
- package/src/detect/ast-rules/helpers/type-extraction.ts +138 -0
- package/src/detect/ast-rules/helpers/user-input.ts +256 -0
- package/src/detect/ast-rules/index.ts +311 -0
- package/src/detect/ast-rules/json-parse-ast.ts +162 -0
- package/src/detect/ast-rules/log-injection-ast.ts +243 -0
- package/src/detect/ast-rules/logic-gates-ast.ts +343 -0
- package/src/detect/ast-rules/mcp-security-ast.ts +808 -0
- package/src/detect/ast-rules/model-supply-chain-ast.ts +202 -0
- package/src/detect/ast-rules/package-hallucination-ast.ts +664 -0
- package/src/detect/ast-rules/prompt-hygiene-ast.ts +329 -0
- package/src/detect/ast-rules/rag-safety-ast.ts +689 -0
- package/src/detect/ast-rules/request-validation-ast.ts +122 -0
- package/src/detect/ast-rules/risky-imports-ast.ts +133 -0
- package/src/detect/ast-rules/schema-validation-ast.ts +244 -0
- package/src/detect/ast-rules/secret-patterns-ast.ts +223 -0
- package/src/detect/ast-rules/security-headers-ast.ts +206 -0
- package/src/detect/ast-rules/sql-injection-ast.ts +614 -0
- package/src/detect/ast-rules/ssrf-ast.ts +601 -0
- package/src/detect/ast-rules/taint-fix-templates.ts +108 -0
- package/src/detect/ast-rules/taint-flow-ast.ts +416 -0
- package/src/detect/ast-rules/variables-ast.ts +446 -0
- package/src/detect/ast-rules/weak-crypto-ast.ts +441 -0
- package/src/detect/ast-rules/xxe-ast.ts +184 -0
- package/src/detect/config/agent-skill-injection.ts +2 -24
- package/src/detect/config/index.ts +1 -0
- package/src/detect/config/osv-check.ts +6 -1
- package/src/detect/config/package-check.ts +6 -1
- package/src/detect/config/rules-file-backdoor.ts +438 -0
- package/src/detect/index.ts +146 -52
- package/src/detect/secrets/config-audit.ts +37 -3
- package/src/detect/secrets/entropy.ts +195 -0
- package/src/detect/secrets/index.ts +7 -16
- package/src/detect/structural/index.ts +23 -566
- package/src/index.ts +7 -0
- package/src/model/auth-helper-detector.ts +1 -7
- package/src/model/import-resolver.ts +104 -0
- package/src/model/imported-auth-detector.ts +1 -1
- package/src/model/index.ts +240 -80
- package/src/model/module-graph.ts +17 -5
- package/src/model/project-context.ts +28 -1
- package/src/model/route-auth-resolver.ts +18 -3
- package/src/model/route-discovery/index.ts +1 -1
- package/src/model/route-discovery/nextjs.ts +1 -1
- package/src/model/route-discovery/python.ts +156 -9
- package/src/model/route-discovery/types.ts +1 -1
- package/src/model/route-discovery/utils.ts +73 -0
- package/src/model/taint-types.ts +1 -6
- package/src/parse/ast.ts +271 -0
- package/src/parse/call-graph.ts +419 -0
- package/src/parse/file-classifier.ts +69 -15
- package/src/parse/node-index.ts +118 -0
- package/src/parse/type-extractor.ts +293 -0
- package/src/pipeline/config.ts +7 -0
- package/src/pipeline/index.ts +464 -199
- package/src/pipeline/modes/incremental.ts +1 -7
- package/src/postprocess/dedup.ts +48 -17
- package/src/report/build-result.ts +57 -29
- package/src/report/formatters/cli-terminal.ts +731 -415
- package/src/report/sanitize.ts +27 -0
- package/src/score/adjustments.ts +113 -40
- package/src/score/confidence.ts +10 -5
- package/src/score/evidence.ts +55 -0
- package/src/score/index.ts +27 -55
- package/src/score/types.ts +4 -0
- package/src/shared/category-filter.ts +12 -0
- package/src/shared/regex-utils.ts +4 -0
- package/src/shared/registry-clients.ts +106 -18
- package/src/shared/rules/__tests__/metadata.test.ts +5 -1
- package/src/shared/rules/metadata.ts +19 -0
- package/src/shared/types.ts +372 -253
- package/src/taint/async-flow.ts +301 -0
- package/src/taint/cfg-builder.ts +1127 -0
- package/src/taint/cfg-types.ts +110 -0
- package/src/taint/constant-propagation.ts +170 -0
- package/src/taint/cross-file-analyzer.ts +118 -0
- package/src/taint/cross-file-index.ts +275 -0
- package/src/taint/def-use.ts +556 -0
- package/src/taint/file-analysis-cache.ts +145 -0
- package/src/taint/framework-models.ts +313 -0
- package/src/taint/helpers.ts +138 -0
- package/src/taint/index.ts +71 -0
- package/src/taint/llm-registry.ts +174 -0
- package/src/taint/llm-risk-scoring.ts +412 -0
- package/src/taint/propagation-types.ts +188 -0
- package/src/taint/propagation.ts +1750 -0
- package/src/taint/sanitizer-registry.ts +490 -0
- package/src/taint/sink-classifier.ts +1402 -0
- package/src/taint/source-classifier.ts +859 -0
- package/src/taint/taint-analyzer.ts +112 -0
- package/src/taint/taint-summary.ts +341 -0
- package/src/taint/types.ts +86 -0
- package/src/validate/clients.ts +3 -2
- package/src/validate/index.ts +89 -53
- package/src/validate/prompts/modules/ai-patterns.ts +16 -0
- package/src/validate/prompts/modules/common.ts +12 -3
- package/src/validate/providers/anthropic.ts +254 -148
- package/src/validate/providers/openai.ts +363 -218
- package/src/validate/request-builder.ts +2 -45
- package/src/validate/types.ts +9 -0
- package/src/validate/utils/path-helpers.ts +2 -2
- package/src/validate/utils/response-parser.ts +32 -3
- package/src/validate/utils/retry.ts +19 -4
- package/dist/ai-context/index.d.ts +0 -6
- package/dist/ai-context/index.d.ts.map +0 -1
- package/dist/ai-context/index.js +0 -13
- package/dist/ai-context/index.js.map +0 -1
- package/dist/ai-context/manager.d.ts +0 -67
- package/dist/ai-context/manager.d.ts.map +0 -1
- package/dist/ai-context/manager.js +0 -104
- package/dist/ai-context/manager.js.map +0 -1
- package/dist/baseline/diff.d.ts +0 -32
- package/dist/baseline/diff.d.ts.map +0 -1
- package/dist/baseline/diff.js +0 -119
- package/dist/baseline/diff.js.map +0 -1
- package/dist/baseline/index.d.ts +0 -9
- package/dist/baseline/index.d.ts.map +0 -1
- package/dist/baseline/index.js +0 -19
- package/dist/baseline/index.js.map +0 -1
- package/dist/baseline/manager.d.ts +0 -67
- package/dist/baseline/manager.d.ts.map +0 -1
- package/dist/baseline/manager.js +0 -180
- package/dist/baseline/manager.js.map +0 -1
- package/dist/baseline/types.d.ts +0 -91
- package/dist/baseline/types.d.ts.map +0 -1
- package/dist/baseline/types.js +0 -12
- package/dist/baseline/types.js.map +0 -1
- package/dist/category-filter.d.ts +0 -125
- package/dist/category-filter.d.ts.map +0 -1
- package/dist/category-filter.js +0 -360
- package/dist/category-filter.js.map +0 -1
- package/dist/detect/ai-code/agent-tools.d.ts +0 -22
- package/dist/detect/ai-code/agent-tools.d.ts.map +0 -1
- package/dist/detect/ai-code/agent-tools.js +0 -1509
- package/dist/detect/ai-code/agent-tools.js.map +0 -1
- package/dist/detect/ai-code/byok-patterns.d.ts +0 -15
- package/dist/detect/ai-code/byok-patterns.d.ts.map +0 -1
- package/dist/detect/ai-code/byok-patterns.js +0 -313
- package/dist/detect/ai-code/byok-patterns.js.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.d.ts +0 -38
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.js +0 -349
- package/dist/detect/ai-code/endpoint-protection.js.map +0 -1
- package/dist/detect/ai-code/execution-sinks.d.ts +0 -21
- package/dist/detect/ai-code/execution-sinks.d.ts.map +0 -1
- package/dist/detect/ai-code/execution-sinks.js +0 -1158
- package/dist/detect/ai-code/execution-sinks.js.map +0 -1
- package/dist/detect/ai-code/fingerprinting.d.ts +0 -10
- package/dist/detect/ai-code/fingerprinting.d.ts.map +0 -1
- package/dist/detect/ai-code/fingerprinting.js +0 -665
- package/dist/detect/ai-code/fingerprinting.js.map +0 -1
- package/dist/detect/ai-code/mcp-security.d.ts +0 -20
- package/dist/detect/ai-code/mcp-security.d.ts.map +0 -1
- package/dist/detect/ai-code/mcp-security.js +0 -880
- package/dist/detect/ai-code/mcp-security.js.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.d.ts +0 -23
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.js +0 -447
- package/dist/detect/ai-code/model-supply-chain.js.map +0 -1
- package/dist/detect/ai-code/package-hallucination.d.ts +0 -22
- package/dist/detect/ai-code/package-hallucination.d.ts.map +0 -1
- package/dist/detect/ai-code/package-hallucination.js +0 -841
- package/dist/detect/ai-code/package-hallucination.js.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.d.ts +0 -22
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.js +0 -1177
- package/dist/detect/ai-code/prompt-hygiene.js.map +0 -1
- package/dist/detect/ai-code/rag-safety.d.ts +0 -24
- package/dist/detect/ai-code/rag-safety.d.ts.map +0 -1
- package/dist/detect/ai-code/rag-safety.js +0 -913
- package/dist/detect/ai-code/rag-safety.js.map +0 -1
- package/dist/detect/ai-code/schema-validation.d.ts +0 -28
- package/dist/detect/ai-code/schema-validation.d.ts.map +0 -1
- package/dist/detect/ai-code/schema-validation.js +0 -378
- package/dist/detect/ai-code/schema-validation.js.map +0 -1
- package/dist/detect/secrets/patterns.d.ts +0 -11
- package/dist/detect/secrets/patterns.d.ts.map +0 -1
- package/dist/detect/secrets/patterns.js +0 -518
- package/dist/detect/secrets/patterns.js.map +0 -1
- package/dist/detect/secrets/weak-crypto.d.ts +0 -10
- package/dist/detect/secrets/weak-crypto.d.ts.map +0 -1
- package/dist/detect/secrets/weak-crypto.js +0 -432
- package/dist/detect/secrets/weak-crypto.js.map +0 -1
- package/dist/detect/structural/auth-patterns.d.ts +0 -22
- package/dist/detect/structural/auth-patterns.d.ts.map +0 -1
- package/dist/detect/structural/auth-patterns.js +0 -533
- package/dist/detect/structural/auth-patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.js +0 -74
- package/dist/detect/structural/dangerous-functions/child-process.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.js +0 -230
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.js +0 -1193
- package/dist/detect/structural/dangerous-functions/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.js +0 -326
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +0 -111
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.js +0 -684
- package/dist/detect/structural/dangerous-functions/math-random.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +0 -21
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.js +0 -163
- package/dist/detect/structural/dangerous-functions/patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.js +0 -126
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +0 -147
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.js +0 -23
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/detect/structural/data-exposure.d.ts +0 -19
- package/dist/detect/structural/data-exposure.d.ts.map +0 -1
- package/dist/detect/structural/data-exposure.js +0 -262
- package/dist/detect/structural/data-exposure.js.map +0 -1
- package/dist/detect/structural/framework-checks.d.ts +0 -10
- package/dist/detect/structural/framework-checks.d.ts.map +0 -1
- package/dist/detect/structural/framework-checks.js +0 -389
- package/dist/detect/structural/framework-checks.js.map +0 -1
- package/dist/detect/structural/log-injection.d.ts +0 -18
- package/dist/detect/structural/log-injection.d.ts.map +0 -1
- package/dist/detect/structural/log-injection.js +0 -217
- package/dist/detect/structural/log-injection.js.map +0 -1
- package/dist/detect/structural/logic-gates.d.ts +0 -10
- package/dist/detect/structural/logic-gates.d.ts.map +0 -1
- package/dist/detect/structural/logic-gates.js +0 -227
- package/dist/detect/structural/logic-gates.js.map +0 -1
- package/dist/detect/structural/risky-imports.d.ts +0 -10
- package/dist/detect/structural/risky-imports.d.ts.map +0 -1
- package/dist/detect/structural/risky-imports.js +0 -168
- package/dist/detect/structural/risky-imports.js.map +0 -1
- package/dist/detect/structural/security-headers.d.ts +0 -18
- package/dist/detect/structural/security-headers.d.ts.map +0 -1
- package/dist/detect/structural/security-headers.js +0 -196
- package/dist/detect/structural/security-headers.js.map +0 -1
- package/dist/detect/structural/ssrf-detection.d.ts +0 -18
- package/dist/detect/structural/ssrf-detection.d.ts.map +0 -1
- package/dist/detect/structural/ssrf-detection.js +0 -263
- package/dist/detect/structural/ssrf-detection.js.map +0 -1
- package/dist/detect/structural/variables.d.ts +0 -11
- package/dist/detect/structural/variables.d.ts.map +0 -1
- package/dist/detect/structural/variables.js +0 -159
- package/dist/detect/structural/variables.js.map +0 -1
- package/dist/detect/structural/xxe-detection.d.ts +0 -18
- package/dist/detect/structural/xxe-detection.d.ts.map +0 -1
- package/dist/detect/structural/xxe-detection.js +0 -245
- package/dist/detect/structural/xxe-detection.js.map +0 -1
- package/dist/filtering/context-adjustments.d.ts +0 -23
- package/dist/filtering/context-adjustments.d.ts.map +0 -1
- package/dist/filtering/context-adjustments.js +0 -100
- package/dist/filtering/context-adjustments.js.map +0 -1
- package/dist/filtering/index.d.ts +0 -3
- package/dist/filtering/index.d.ts.map +0 -1
- package/dist/filtering/index.js +0 -8
- package/dist/filtering/index.js.map +0 -1
- package/dist/filtering/pipeline.d.ts +0 -48
- package/dist/filtering/pipeline.d.ts.map +0 -1
- package/dist/filtering/pipeline.js +0 -76
- package/dist/filtering/pipeline.js.map +0 -1
- package/dist/formatters/ai-context.d.ts +0 -23
- package/dist/formatters/ai-context.d.ts.map +0 -1
- package/dist/formatters/ai-context.js +0 -238
- package/dist/formatters/ai-context.js.map +0 -1
- package/dist/formatters/cli-terminal.d.ts +0 -65
- package/dist/formatters/cli-terminal.d.ts.map +0 -1
- package/dist/formatters/cli-terminal.js +0 -735
- package/dist/formatters/cli-terminal.js.map +0 -1
- package/dist/formatters/github-comment.d.ts +0 -41
- package/dist/formatters/github-comment.d.ts.map +0 -1
- package/dist/formatters/github-comment.js +0 -370
- package/dist/formatters/github-comment.js.map +0 -1
- package/dist/formatters/grouping.d.ts +0 -52
- package/dist/formatters/grouping.d.ts.map +0 -1
- package/dist/formatters/grouping.js +0 -152
- package/dist/formatters/grouping.js.map +0 -1
- package/dist/formatters/ide/claude-code.d.ts +0 -17
- package/dist/formatters/ide/claude-code.d.ts.map +0 -1
- package/dist/formatters/ide/claude-code.js +0 -94
- package/dist/formatters/ide/claude-code.js.map +0 -1
- package/dist/formatters/ide/cursor.d.ts +0 -13
- package/dist/formatters/ide/cursor.d.ts.map +0 -1
- package/dist/formatters/ide/cursor.js +0 -125
- package/dist/formatters/ide/cursor.js.map +0 -1
- package/dist/formatters/ide/index.d.ts +0 -62
- package/dist/formatters/ide/index.d.ts.map +0 -1
- package/dist/formatters/ide/index.js +0 -184
- package/dist/formatters/ide/index.js.map +0 -1
- package/dist/formatters/ide/windsurf.d.ts +0 -13
- package/dist/formatters/ide/windsurf.d.ts.map +0 -1
- package/dist/formatters/ide/windsurf.js +0 -117
- package/dist/formatters/ide/windsurf.js.map +0 -1
- package/dist/formatters/index.d.ts +0 -11
- package/dist/formatters/index.d.ts.map +0 -1
- package/dist/formatters/index.js +0 -54
- package/dist/formatters/index.js.map +0 -1
- package/dist/formatters/vscode-diagnostic.d.ts +0 -103
- package/dist/formatters/vscode-diagnostic.d.ts.map +0 -1
- package/dist/formatters/vscode-diagnostic.js +0 -151
- package/dist/formatters/vscode-diagnostic.js.map +0 -1
- package/dist/layer1/comments.d.ts +0 -11
- package/dist/layer1/comments.d.ts.map +0 -1
- package/dist/layer1/comments.js +0 -203
- package/dist/layer1/comments.js.map +0 -1
- package/dist/layer1/config-audit.d.ts +0 -11
- package/dist/layer1/config-audit.d.ts.map +0 -1
- package/dist/layer1/config-audit.js +0 -311
- package/dist/layer1/config-audit.js.map +0 -1
- package/dist/layer1/config-mcp-audit.d.ts +0 -23
- package/dist/layer1/config-mcp-audit.d.ts.map +0 -1
- package/dist/layer1/config-mcp-audit.js +0 -239
- package/dist/layer1/config-mcp-audit.js.map +0 -1
- package/dist/layer1/entropy.d.ts +0 -11
- package/dist/layer1/entropy.d.ts.map +0 -1
- package/dist/layer1/entropy.js +0 -741
- package/dist/layer1/entropy.js.map +0 -1
- package/dist/layer1/file-flags.d.ts +0 -10
- package/dist/layer1/file-flags.d.ts.map +0 -1
- package/dist/layer1/file-flags.js +0 -119
- package/dist/layer1/file-flags.js.map +0 -1
- package/dist/layer1/index.d.ts +0 -38
- package/dist/layer1/index.d.ts.map +0 -1
- package/dist/layer1/index.js +0 -170
- package/dist/layer1/index.js.map +0 -1
- package/dist/layer1/patterns.d.ts +0 -11
- package/dist/layer1/patterns.d.ts.map +0 -1
- package/dist/layer1/patterns.js +0 -512
- package/dist/layer1/patterns.js.map +0 -1
- package/dist/layer1/urls.d.ts +0 -11
- package/dist/layer1/urls.d.ts.map +0 -1
- package/dist/layer1/urls.js +0 -444
- package/dist/layer1/urls.js.map +0 -1
- package/dist/layer1/weak-crypto.d.ts +0 -10
- package/dist/layer1/weak-crypto.d.ts.map +0 -1
- package/dist/layer1/weak-crypto.js +0 -428
- package/dist/layer1/weak-crypto.js.map +0 -1
- package/dist/layer2/ai-agent-tools.d.ts +0 -22
- package/dist/layer2/ai-agent-tools.d.ts.map +0 -1
- package/dist/layer2/ai-agent-tools.js +0 -1490
- package/dist/layer2/ai-agent-tools.js.map +0 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +0 -38
- package/dist/layer2/ai-endpoint-protection.d.ts.map +0 -1
- package/dist/layer2/ai-endpoint-protection.js +0 -346
- package/dist/layer2/ai-endpoint-protection.js.map +0 -1
- package/dist/layer2/ai-execution-sinks.d.ts +0 -21
- package/dist/layer2/ai-execution-sinks.d.ts.map +0 -1
- package/dist/layer2/ai-execution-sinks.js +0 -1155
- package/dist/layer2/ai-execution-sinks.js.map +0 -1
- package/dist/layer2/ai-fingerprinting.d.ts +0 -10
- package/dist/layer2/ai-fingerprinting.d.ts.map +0 -1
- package/dist/layer2/ai-fingerprinting.js +0 -650
- package/dist/layer2/ai-fingerprinting.js.map +0 -1
- package/dist/layer2/ai-mcp-security.d.ts +0 -20
- package/dist/layer2/ai-mcp-security.d.ts.map +0 -1
- package/dist/layer2/ai-mcp-security.js +0 -877
- package/dist/layer2/ai-mcp-security.js.map +0 -1
- package/dist/layer2/ai-package-hallucination.d.ts +0 -22
- package/dist/layer2/ai-package-hallucination.d.ts.map +0 -1
- package/dist/layer2/ai-package-hallucination.js +0 -828
- package/dist/layer2/ai-package-hallucination.js.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts +0 -22
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.js +0 -1156
- package/dist/layer2/ai-prompt-hygiene.js.map +0 -1
- package/dist/layer2/ai-rag-safety.d.ts +0 -24
- package/dist/layer2/ai-rag-safety.d.ts.map +0 -1
- package/dist/layer2/ai-rag-safety.js +0 -910
- package/dist/layer2/ai-rag-safety.js.map +0 -1
- package/dist/layer2/ai-schema-validation.d.ts +0 -28
- package/dist/layer2/ai-schema-validation.d.ts.map +0 -1
- package/dist/layer2/ai-schema-validation.js +0 -375
- package/dist/layer2/ai-schema-validation.js.map +0 -1
- package/dist/layer2/auth-antipatterns.d.ts +0 -22
- package/dist/layer2/auth-antipatterns.d.ts.map +0 -1
- package/dist/layer2/auth-antipatterns.js +0 -522
- package/dist/layer2/auth-antipatterns.js.map +0 -1
- package/dist/layer2/byok-patterns.d.ts +0 -15
- package/dist/layer2/byok-patterns.d.ts.map +0 -1
- package/dist/layer2/byok-patterns.js +0 -302
- package/dist/layer2/byok-patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.d.ts +0 -16
- package/dist/layer2/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.js +0 -74
- package/dist/layer2/dangerous-functions/child-process.js.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.js +0 -230
- package/dist/layer2/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/layer2/dangerous-functions/index.d.ts +0 -16
- package/dist/layer2/dangerous-functions/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/index.js +0 -1152
- package/dist/layer2/dangerous-functions/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/layer2/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.js +0 -319
- package/dist/layer2/dangerous-functions/json-parse.js.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.d.ts +0 -111
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.js +0 -684
- package/dist/layer2/dangerous-functions/math-random.js.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.d.ts +0 -21
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.js +0 -163
- package/dist/layer2/dangerous-functions/patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/layer2/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.js +0 -119
- package/dist/layer2/dangerous-functions/request-validation.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.js +0 -147
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/layer2/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.js +0 -23
- package/dist/layer2/dangerous-functions/utils/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/layer2/data-exposure.d.ts +0 -19
- package/dist/layer2/data-exposure.d.ts.map +0 -1
- package/dist/layer2/data-exposure.js +0 -255
- package/dist/layer2/data-exposure.js.map +0 -1
- package/dist/layer2/framework-checks.d.ts +0 -10
- package/dist/layer2/framework-checks.d.ts.map +0 -1
- package/dist/layer2/framework-checks.js +0 -384
- package/dist/layer2/framework-checks.js.map +0 -1
- package/dist/layer2/index.d.ts +0 -74
- package/dist/layer2/index.d.ts.map +0 -1
- package/dist/layer2/index.js +0 -544
- package/dist/layer2/index.js.map +0 -1
- package/dist/layer2/log-injection.d.ts +0 -18
- package/dist/layer2/log-injection.d.ts.map +0 -1
- package/dist/layer2/log-injection.js +0 -214
- package/dist/layer2/log-injection.js.map +0 -1
- package/dist/layer2/logic-gates.d.ts +0 -10
- package/dist/layer2/logic-gates.d.ts.map +0 -1
- package/dist/layer2/logic-gates.js +0 -220
- package/dist/layer2/logic-gates.js.map +0 -1
- package/dist/layer2/model-supply-chain.d.ts +0 -23
- package/dist/layer2/model-supply-chain.d.ts.map +0 -1
- package/dist/layer2/model-supply-chain.js +0 -444
- package/dist/layer2/model-supply-chain.js.map +0 -1
- package/dist/layer2/risky-imports.d.ts +0 -10
- package/dist/layer2/risky-imports.d.ts.map +0 -1
- package/dist/layer2/risky-imports.js +0 -165
- package/dist/layer2/risky-imports.js.map +0 -1
- package/dist/layer2/security-headers.d.ts +0 -18
- package/dist/layer2/security-headers.d.ts.map +0 -1
- package/dist/layer2/security-headers.js +0 -187
- package/dist/layer2/security-headers.js.map +0 -1
- package/dist/layer2/ssrf-detection.d.ts +0 -18
- package/dist/layer2/ssrf-detection.d.ts.map +0 -1
- package/dist/layer2/ssrf-detection.js +0 -252
- package/dist/layer2/ssrf-detection.js.map +0 -1
- package/dist/layer2/variables.d.ts +0 -11
- package/dist/layer2/variables.d.ts.map +0 -1
- package/dist/layer2/variables.js +0 -156
- package/dist/layer2/variables.js.map +0 -1
- package/dist/layer2/xxe-detection.d.ts +0 -18
- package/dist/layer2/xxe-detection.d.ts.map +0 -1
- package/dist/layer2/xxe-detection.js +0 -242
- package/dist/layer2/xxe-detection.js.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.d.ts +0 -24
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.js +0 -199
- package/dist/layer3/anthropic/auto-dismiss.js.map +0 -1
- package/dist/layer3/anthropic/clients.d.ts +0 -44
- package/dist/layer3/anthropic/clients.d.ts.map +0 -1
- package/dist/layer3/anthropic/clients.js +0 -81
- package/dist/layer3/anthropic/clients.js.map +0 -1
- package/dist/layer3/anthropic/index.d.ts +0 -41
- package/dist/layer3/anthropic/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/index.js +0 -141
- package/dist/layer3/anthropic/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/index.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/index.js +0 -16
- package/dist/layer3/anthropic/prompts/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +0 -19
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +0 -156
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +0 -9
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +0 -25
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +0 -11
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.js +0 -152
- package/dist/layer3/anthropic/prompts/modules/common.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +0 -54
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.js +0 -185
- package/dist/layer3/anthropic/prompts/modules/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +0 -84
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +0 -68
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +0 -22
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +0 -15
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.js +0 -169
- package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.d.ts +0 -18
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.js +0 -25
- package/dist/layer3/anthropic/prompts/validation.js.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts +0 -21
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.js +0 -269
- package/dist/layer3/anthropic/providers/anthropic.js.map +0 -1
- package/dist/layer3/anthropic/providers/index.d.ts +0 -8
- package/dist/layer3/anthropic/providers/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/index.js +0 -15
- package/dist/layer3/anthropic/providers/index.js.map +0 -1
- package/dist/layer3/anthropic/providers/openai.d.ts +0 -18
- package/dist/layer3/anthropic/providers/openai.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/openai.js +0 -343
- package/dist/layer3/anthropic/providers/openai.js.map +0 -1
- package/dist/layer3/anthropic/request-builder.d.ts +0 -27
- package/dist/layer3/anthropic/request-builder.d.ts.map +0 -1
- package/dist/layer3/anthropic/request-builder.js +0 -150
- package/dist/layer3/anthropic/request-builder.js.map +0 -1
- package/dist/layer3/anthropic/types.d.ts +0 -88
- package/dist/layer3/anthropic/types.d.ts.map +0 -1
- package/dist/layer3/anthropic/types.js +0 -38
- package/dist/layer3/anthropic/types.js.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +0 -55
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.js +0 -161
- package/dist/layer3/anthropic/utils/context-extractor.js.map +0 -1
- package/dist/layer3/anthropic/utils/index.d.ts +0 -11
- package/dist/layer3/anthropic/utils/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/index.js +0 -27
- package/dist/layer3/anthropic/utils/index.js.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.d.ts +0 -21
- package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.js +0 -69
- package/dist/layer3/anthropic/utils/path-helpers.js.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.d.ts +0 -40
- package/dist/layer3/anthropic/utils/response-parser.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.js +0 -285
- package/dist/layer3/anthropic/utils/response-parser.js.map +0 -1
- package/dist/layer3/anthropic/utils/retry.d.ts +0 -15
- package/dist/layer3/anthropic/utils/retry.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/retry.js +0 -62
- package/dist/layer3/anthropic/utils/retry.js.map +0 -1
- package/dist/layer3/index.d.ts +0 -27
- package/dist/layer3/index.d.ts.map +0 -1
- package/dist/layer3/index.js +0 -150
- package/dist/layer3/index.js.map +0 -1
- package/dist/layer3/osv-check.d.ts +0 -75
- package/dist/layer3/osv-check.d.ts.map +0 -1
- package/dist/layer3/osv-check.js +0 -308
- package/dist/layer3/osv-check.js.map +0 -1
- package/dist/layer3/package-check.d.ts +0 -63
- package/dist/layer3/package-check.d.ts.map +0 -1
- package/dist/layer3/package-check.js +0 -508
- package/dist/layer3/package-check.js.map +0 -1
- package/dist/model/cross-file-taint.d.ts +0 -40
- package/dist/model/cross-file-taint.d.ts.map +0 -1
- package/dist/model/cross-file-taint.js +0 -290
- package/dist/model/cross-file-taint.js.map +0 -1
- package/dist/model/function-classifier.d.ts +0 -32
- package/dist/model/function-classifier.d.ts.map +0 -1
- package/dist/model/function-classifier.js +0 -143
- package/dist/model/function-classifier.js.map +0 -1
- package/dist/model/sanitiser-detection.d.ts +0 -27
- package/dist/model/sanitiser-detection.d.ts.map +0 -1
- package/dist/model/sanitiser-detection.js +0 -224
- package/dist/model/sanitiser-detection.js.map +0 -1
- package/dist/model/sink-matcher.d.ts +0 -17
- package/dist/model/sink-matcher.d.ts.map +0 -1
- package/dist/model/sink-matcher.js +0 -141
- package/dist/model/sink-matcher.js.map +0 -1
- package/dist/model/sink-patterns.d.ts +0 -19
- package/dist/model/sink-patterns.d.ts.map +0 -1
- package/dist/model/sink-patterns.js +0 -88
- package/dist/model/sink-patterns.js.map +0 -1
- package/dist/model/source-discovery.d.ts +0 -15
- package/dist/model/source-discovery.d.ts.map +0 -1
- package/dist/model/source-discovery.js +0 -170
- package/dist/model/source-discovery.js.map +0 -1
- package/dist/model/taint-tracker.d.ts +0 -21
- package/dist/model/taint-tracker.d.ts.map +0 -1
- package/dist/model/taint-tracker.js +0 -281
- package/dist/model/taint-tracker.js.map +0 -1
- package/dist/modes/incremental.d.ts +0 -66
- package/dist/modes/incremental.d.ts.map +0 -1
- package/dist/modes/incremental.js +0 -200
- package/dist/modes/incremental.js.map +0 -1
- package/dist/rules/framework-fixes.d.ts +0 -48
- package/dist/rules/framework-fixes.d.ts.map +0 -1
- package/dist/rules/framework-fixes.js +0 -439
- package/dist/rules/framework-fixes.js.map +0 -1
- package/dist/rules/index.d.ts +0 -8
- package/dist/rules/index.d.ts.map +0 -1
- package/dist/rules/index.js +0 -18
- package/dist/rules/index.js.map +0 -1
- package/dist/rules/metadata.d.ts +0 -43
- package/dist/rules/metadata.d.ts.map +0 -1
- package/dist/rules/metadata.js +0 -800
- package/dist/rules/metadata.js.map +0 -1
- package/dist/score/auto-dismiss.d.ts +0 -28
- package/dist/score/auto-dismiss.d.ts.map +0 -1
- package/dist/score/auto-dismiss.js +0 -200
- package/dist/score/auto-dismiss.js.map +0 -1
- package/dist/suppression/config-loader.d.ts +0 -74
- package/dist/suppression/config-loader.d.ts.map +0 -1
- package/dist/suppression/config-loader.js +0 -424
- package/dist/suppression/config-loader.js.map +0 -1
- package/dist/suppression/hash.d.ts +0 -48
- package/dist/suppression/hash.d.ts.map +0 -1
- package/dist/suppression/hash.js +0 -88
- package/dist/suppression/hash.js.map +0 -1
- package/dist/suppression/index.d.ts +0 -11
- package/dist/suppression/index.d.ts.map +0 -1
- package/dist/suppression/index.js +0 -39
- package/dist/suppression/index.js.map +0 -1
- package/dist/suppression/inline-parser.d.ts +0 -39
- package/dist/suppression/inline-parser.d.ts.map +0 -1
- package/dist/suppression/inline-parser.js +0 -218
- package/dist/suppression/inline-parser.js.map +0 -1
- package/dist/suppression/manager.d.ts +0 -94
- package/dist/suppression/manager.d.ts.map +0 -1
- package/dist/suppression/manager.js +0 -292
- package/dist/suppression/manager.js.map +0 -1
- package/dist/suppression/types.d.ts +0 -151
- package/dist/suppression/types.d.ts.map +0 -1
- package/dist/suppression/types.js +0 -28
- package/dist/suppression/types.js.map +0 -1
- package/dist/types.d.ts +0 -331
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -124
- package/dist/types.js.map +0 -1
- package/dist/utils/auth-helper-detector.d.ts +0 -56
- package/dist/utils/auth-helper-detector.d.ts.map +0 -1
- package/dist/utils/auth-helper-detector.js +0 -360
- package/dist/utils/auth-helper-detector.js.map +0 -1
- package/dist/utils/code-analysis.d.ts +0 -39
- package/dist/utils/code-analysis.d.ts.map +0 -1
- package/dist/utils/code-analysis.js +0 -159
- package/dist/utils/code-analysis.js.map +0 -1
- package/dist/utils/comment-analyzer.d.ts +0 -38
- package/dist/utils/comment-analyzer.d.ts.map +0 -1
- package/dist/utils/comment-analyzer.js +0 -218
- package/dist/utils/comment-analyzer.js.map +0 -1
- package/dist/utils/context-helpers.d.ts +0 -219
- package/dist/utils/context-helpers.d.ts.map +0 -1
- package/dist/utils/context-helpers.js +0 -886
- package/dist/utils/context-helpers.js.map +0 -1
- package/dist/utils/diff-detector.d.ts +0 -53
- package/dist/utils/diff-detector.d.ts.map +0 -1
- package/dist/utils/diff-detector.js +0 -104
- package/dist/utils/diff-detector.js.map +0 -1
- package/dist/utils/diff-parser.d.ts +0 -80
- package/dist/utils/diff-parser.d.ts.map +0 -1
- package/dist/utils/diff-parser.js +0 -202
- package/dist/utils/diff-parser.js.map +0 -1
- package/dist/utils/environment-context.d.ts +0 -76
- package/dist/utils/environment-context.d.ts.map +0 -1
- package/dist/utils/environment-context.js +0 -271
- package/dist/utils/environment-context.js.map +0 -1
- package/dist/utils/imported-auth-detector.d.ts +0 -37
- package/dist/utils/imported-auth-detector.d.ts.map +0 -1
- package/dist/utils/imported-auth-detector.js +0 -251
- package/dist/utils/imported-auth-detector.js.map +0 -1
- package/dist/utils/intent-detector.d.ts +0 -66
- package/dist/utils/intent-detector.d.ts.map +0 -1
- package/dist/utils/intent-detector.js +0 -282
- package/dist/utils/intent-detector.js.map +0 -1
- package/dist/utils/middleware-detector.d.ts +0 -55
- package/dist/utils/middleware-detector.d.ts.map +0 -1
- package/dist/utils/middleware-detector.js +0 -260
- package/dist/utils/middleware-detector.js.map +0 -1
- package/dist/utils/oauth-flow-detector.d.ts +0 -41
- package/dist/utils/oauth-flow-detector.d.ts.map +0 -1
- package/dist/utils/oauth-flow-detector.js +0 -202
- package/dist/utils/oauth-flow-detector.js.map +0 -1
- package/dist/utils/parsed-file.d.ts +0 -51
- package/dist/utils/parsed-file.d.ts.map +0 -1
- package/dist/utils/parsed-file.js +0 -95
- package/dist/utils/parsed-file.js.map +0 -1
- package/dist/utils/path-exclusions.d.ts +0 -55
- package/dist/utils/path-exclusions.d.ts.map +0 -1
- package/dist/utils/path-exclusions.js +0 -224
- package/dist/utils/path-exclusions.js.map +0 -1
- package/dist/utils/project-context-builder.d.ts +0 -119
- package/dist/utils/project-context-builder.d.ts.map +0 -1
- package/dist/utils/project-context-builder.js +0 -534
- package/dist/utils/project-context-builder.js.map +0 -1
- package/dist/utils/registry-clients.d.ts +0 -93
- package/dist/utils/registry-clients.d.ts.map +0 -1
- package/dist/utils/registry-clients.js +0 -273
- package/dist/utils/registry-clients.js.map +0 -1
- package/dist/utils/route-hierarchy.d.ts +0 -50
- package/dist/utils/route-hierarchy.d.ts.map +0 -1
- package/dist/utils/route-hierarchy.js +0 -226
- package/dist/utils/route-hierarchy.js.map +0 -1
- package/dist/utils/schema-semantics.d.ts +0 -45
- package/dist/utils/schema-semantics.d.ts.map +0 -1
- package/dist/utils/schema-semantics.js +0 -193
- package/dist/utils/schema-semantics.js.map +0 -1
- package/dist/utils/trpc-analyzer.d.ts +0 -78
- package/dist/utils/trpc-analyzer.d.ts.map +0 -1
- package/dist/utils/trpc-analyzer.js +0 -297
- package/dist/utils/trpc-analyzer.js.map +0 -1
- package/src/__tests__/context-engine/cross-file-taint.test.ts +0 -284
- package/src/__tests__/context-engine/function-classifier.test.ts +0 -146
- package/src/__tests__/context-engine/integration.test.ts +0 -320
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +0 -187
- package/src/__tests__/context-engine/sink-matcher.test.ts +0 -251
- package/src/__tests__/context-engine/source-discovery.test.ts +0 -186
- package/src/__tests__/context-engine/taint-tracker.test.ts +0 -182
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +0 -750
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +0 -555
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +0 -321
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +0 -439
- package/src/detect/ai-code/agent-tools.ts +0 -1662
- package/src/detect/ai-code/byok-patterns.ts +0 -354
- package/src/detect/ai-code/endpoint-protection.ts +0 -406
- package/src/detect/ai-code/execution-sinks.ts +0 -1310
- package/src/detect/ai-code/fingerprinting.ts +0 -774
- package/src/detect/ai-code/mcp-security.ts +0 -937
- package/src/detect/ai-code/model-supply-chain.ts +0 -535
- package/src/detect/ai-code/package-hallucination.ts +0 -955
- package/src/detect/ai-code/prompt-hygiene.ts +0 -1314
- package/src/detect/ai-code/rag-safety.ts +0 -977
- package/src/detect/ai-code/schema-validation.ts +0 -427
- package/src/detect/secrets/patterns.ts +0 -561
- package/src/detect/secrets/weak-crypto.ts +0 -485
- package/src/detect/structural/__tests__/math-random-enhanced.test.ts +0 -405
- package/src/detect/structural/auth-patterns.ts +0 -621
- package/src/detect/structural/dangerous-functions/child-process.ts +0 -98
- package/src/detect/structural/dangerous-functions/dom-xss.ts +0 -292
- package/src/detect/structural/dangerous-functions/index.ts +0 -1556
- package/src/detect/structural/dangerous-functions/json-parse.ts +0 -393
- package/src/detect/structural/dangerous-functions/math-random.ts +0 -789
- package/src/detect/structural/dangerous-functions/patterns.ts +0 -176
- package/src/detect/structural/dangerous-functions/request-validation.ts +0 -153
- package/src/detect/structural/dangerous-functions/utils/control-flow.ts +0 -35
- package/src/detect/structural/dangerous-functions/utils/helpers.ts +0 -170
- package/src/detect/structural/dangerous-functions/utils/index.ts +0 -25
- package/src/detect/structural/dangerous-functions/utils/schema-validation.ts +0 -106
- package/src/detect/structural/data-exposure.ts +0 -302
- package/src/detect/structural/framework-checks.ts +0 -439
- package/src/detect/structural/log-injection.ts +0 -254
- package/src/detect/structural/logic-gates.ts +0 -256
- package/src/detect/structural/risky-imports.ts +0 -197
- package/src/detect/structural/security-headers.ts +0 -231
- package/src/detect/structural/ssrf-detection.ts +0 -300
- package/src/detect/structural/variables.ts +0 -177
- package/src/detect/structural/xxe-detection.ts +0 -295
- package/src/model/cross-file-taint.ts +0 -374
- package/src/model/function-classifier.ts +0 -184
- package/src/model/sanitiser-detection.ts +0 -268
- package/src/model/sink-matcher.ts +0 -178
- package/src/model/sink-patterns.ts +0 -109
- package/src/model/source-discovery.ts +0 -209
- package/src/model/taint-tracker.ts +0 -333
- package/src/score/auto-dismiss.ts +0 -224
|
@@ -1,214 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: Log Injection Detector
|
|
4
|
-
* Detects unsanitized user input flowing into log statements
|
|
5
|
-
*
|
|
6
|
-
* OWASP A09:2021 - Security Logging and Monitoring Failures
|
|
7
|
-
* CWE-117: Improper Output Neutralization for Logs
|
|
8
|
-
*/
|
|
9
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
-
exports.detectLogInjection = detectLogInjection;
|
|
11
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
12
|
-
/** Log sink patterns */
|
|
13
|
-
const LOG_SINK_PATTERNS = [
|
|
14
|
-
/console\.(?:log|info|warn|error|debug|trace)\s*\(/,
|
|
15
|
-
/logger\.(?:log|info|warn|error|debug|trace|fatal|silly|verbose)\s*\(/,
|
|
16
|
-
/(?:winston|pino|bunyan|log4js|signale)\.(?:log|info|warn|error|debug)\s*\(/,
|
|
17
|
-
/log\.(?:info|warn|error|debug|trace|fatal)\s*\(/,
|
|
18
|
-
];
|
|
19
|
-
/** User-controlled request data patterns */
|
|
20
|
-
const USER_INPUT_PATTERNS = [
|
|
21
|
-
/(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[['"][^'"]+['"]\])/,
|
|
22
|
-
/(?:req|request)\.headers(?:\.\w+|\[['"][^'"]+['"]\])/,
|
|
23
|
-
];
|
|
24
|
-
/** Error/catch variable names to exclude */
|
|
25
|
-
const ERROR_VAR_PATTERN = /\b(?:err|error|e|ex|exception)\b/;
|
|
26
|
-
/** Patterns that are NOT user input (internal/app data) */
|
|
27
|
-
const NOT_USER_INPUT_PATTERNS = [
|
|
28
|
-
// Error objects in catch blocks
|
|
29
|
-
/\bcatch\s*\(\s*(?:err|error|e|ex|exception)\b/,
|
|
30
|
-
// Internal IDs
|
|
31
|
-
/(?:user|session|tenant|org|account)\.id\b/,
|
|
32
|
-
/(?:userId|sessionId|tenantId|orgId|accountId)\b/,
|
|
33
|
-
// Internal state
|
|
34
|
-
/\.length\b/,
|
|
35
|
-
/\.count\b/,
|
|
36
|
-
/\.size\b/,
|
|
37
|
-
/\.status\b/,
|
|
38
|
-
];
|
|
39
|
-
/** Middleware logging patterns to skip entirely */
|
|
40
|
-
const MIDDLEWARE_LOGGING = /(?:app|server|router)\.use\s*\(\s*(?:morgan|pino|express-winston|express\.logger)/;
|
|
41
|
-
/** Sanitization patterns near log line */
|
|
42
|
-
const SANITIZATION_PATTERNS = [
|
|
43
|
-
/\.replace\s*\(\s*\/\[\\r\\n\]/,
|
|
44
|
-
/sanitize\s*\(/,
|
|
45
|
-
/escape\s*\(/,
|
|
46
|
-
/encodeURI(?:Component)?\s*\(/,
|
|
47
|
-
/stripNewlines?\s*\(/,
|
|
48
|
-
/\.replace\s*\(\s*\/[\r\n]/,
|
|
49
|
-
];
|
|
50
|
-
/**
|
|
51
|
-
* Check if a log line contains user input (not just error objects)
|
|
52
|
-
*/
|
|
53
|
-
function containsUserInput(line, lines, lineIndex) {
|
|
54
|
-
// Check for req.headers in log
|
|
55
|
-
if (/(?:req|request)\.headers/.test(line)) {
|
|
56
|
-
return { found: true, type: 'header' };
|
|
57
|
-
}
|
|
58
|
-
// Check for req.body/query/params in log
|
|
59
|
-
if (/(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[)/.test(line)) {
|
|
60
|
-
return { found: true, type: 'body' };
|
|
61
|
-
}
|
|
62
|
-
// Check for spread of request body: console.log({ ...req.body })
|
|
63
|
-
if (/\.\.\.\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
|
|
64
|
-
return { found: true, type: 'spread' };
|
|
65
|
-
}
|
|
66
|
-
// Check for JSON.stringify(req.body) in log
|
|
67
|
-
if (/JSON\.stringify\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
|
|
68
|
-
return { found: true, type: 'stringify' };
|
|
69
|
-
}
|
|
70
|
-
// Check for template literal with user input
|
|
71
|
-
if (/`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/.test(line)) {
|
|
72
|
-
return { found: true, type: 'body' };
|
|
73
|
-
}
|
|
74
|
-
// Multi-line log calls: check ±3 lines
|
|
75
|
-
for (let offset = -3; offset <= 3; offset++) {
|
|
76
|
-
if (offset === 0)
|
|
77
|
-
continue;
|
|
78
|
-
const idx = lineIndex + offset;
|
|
79
|
-
if (idx < 0 || idx >= lines.length)
|
|
80
|
-
continue;
|
|
81
|
-
const nearLine = lines[idx];
|
|
82
|
-
if (USER_INPUT_PATTERNS.some(p => p.test(nearLine))) {
|
|
83
|
-
// Only flag if the nearby line is part of the same log call (open paren)
|
|
84
|
-
const fromStart = Math.min(lineIndex, idx);
|
|
85
|
-
const toEnd = Math.max(lineIndex, idx);
|
|
86
|
-
const block = lines.slice(fromStart, toEnd + 1).join('\n');
|
|
87
|
-
// Check for unclosed paren indicating multi-line call
|
|
88
|
-
const openParens = (block.match(/\(/g) || []).length;
|
|
89
|
-
const closeParens = (block.match(/\)/g) || []).length;
|
|
90
|
-
if (openParens > closeParens) {
|
|
91
|
-
if (/(?:req|request)\.headers/.test(nearLine)) {
|
|
92
|
-
return { found: true, type: 'header' };
|
|
93
|
-
}
|
|
94
|
-
return { found: true, type: 'body' };
|
|
95
|
-
}
|
|
96
|
-
}
|
|
97
|
-
}
|
|
98
|
-
return { found: false, type: 'body' };
|
|
99
|
-
}
|
|
100
|
-
/**
|
|
101
|
-
* Check if the log line is just error logging in a catch block
|
|
102
|
-
*/
|
|
103
|
-
function isErrorLogging(line, lines, lineIndex) {
|
|
104
|
-
// Direct error object logging: console.error(err), console.error(error)
|
|
105
|
-
if (/console\.(?:error|warn|log)\s*\(\s*(?:['"][^'"]*['"],?\s*)?(?:err|error|e|ex|exception)\s*\)/.test(line)) {
|
|
106
|
-
return true;
|
|
107
|
-
}
|
|
108
|
-
// console.error('message', error) pattern
|
|
109
|
-
if (/console\.(?:error|warn|log)\s*\(\s*['"][^'"]*['"],\s*(?:err|error|e|ex|exception)\s*\)/.test(line)) {
|
|
110
|
-
return true;
|
|
111
|
-
}
|
|
112
|
-
// error.message logging
|
|
113
|
-
if (/(?:err|error|e|ex|exception)\.(?:message|stack|name|code)\b/.test(line)) {
|
|
114
|
-
return true;
|
|
115
|
-
}
|
|
116
|
-
// logger.error('msg', { error })
|
|
117
|
-
if (/logger\.(?:error|warn)\s*\(.*(?:err|error|e)\b/.test(line) && !USER_INPUT_PATTERNS.some(p => p.test(line))) {
|
|
118
|
-
return true;
|
|
119
|
-
}
|
|
120
|
-
// Check if we're inside a catch block
|
|
121
|
-
for (let j = lineIndex - 1; j >= Math.max(0, lineIndex - 5); j--) {
|
|
122
|
-
if (/\bcatch\s*\(/.test(lines[j])) {
|
|
123
|
-
// We're in a catch block — check if the logged value is the error var
|
|
124
|
-
const catchMatch = lines[j].match(/catch\s*\(\s*(\w+)/);
|
|
125
|
-
if (catchMatch) {
|
|
126
|
-
const errorVar = catchMatch[1];
|
|
127
|
-
if (new RegExp(`\\b${errorVar}\\b`).test(line)) {
|
|
128
|
-
return true;
|
|
129
|
-
}
|
|
130
|
-
}
|
|
131
|
-
}
|
|
132
|
-
}
|
|
133
|
-
return false;
|
|
134
|
-
}
|
|
135
|
-
/**
|
|
136
|
-
* Check for sanitization near the log line
|
|
137
|
-
*/
|
|
138
|
-
function hasSanitization(lines, lineIndex) {
|
|
139
|
-
const start = Math.max(0, lineIndex - 3);
|
|
140
|
-
const end = Math.min(lines.length, lineIndex + 4);
|
|
141
|
-
const context = lines.slice(start, end).join('\n');
|
|
142
|
-
return SANITIZATION_PATTERNS.some(p => p.test(context));
|
|
143
|
-
}
|
|
144
|
-
/**
|
|
145
|
-
* Detect log injection patterns
|
|
146
|
-
*/
|
|
147
|
-
function detectLogInjection(content, filePath, options) {
|
|
148
|
-
const vulnerabilities = [];
|
|
149
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
150
|
-
return vulnerabilities;
|
|
151
|
-
if ((0, context_helpers_1.isTestOrMockFile)(filePath))
|
|
152
|
-
return vulnerabilities;
|
|
153
|
-
// Skip Morgan/express middleware logging (intentional request logging)
|
|
154
|
-
if (MIDDLEWARE_LOGGING.test(content))
|
|
155
|
-
return vulnerabilities;
|
|
156
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
157
|
-
for (let i = 0; i < lines.length; i++) {
|
|
158
|
-
const line = lines[i];
|
|
159
|
-
if ((0, context_helpers_1.isComment)(line))
|
|
160
|
-
continue;
|
|
161
|
-
// Check if this line is a log sink
|
|
162
|
-
const isLogSink = LOG_SINK_PATTERNS.some(p => p.test(line));
|
|
163
|
-
if (!isLogSink)
|
|
164
|
-
continue;
|
|
165
|
-
// Skip error logging (not user input)
|
|
166
|
-
if (isErrorLogging(line, lines, i))
|
|
167
|
-
continue;
|
|
168
|
-
// Check if user input flows to this log call
|
|
169
|
-
const userInput = containsUserInput(line, lines, i);
|
|
170
|
-
if (!userInput.found)
|
|
171
|
-
continue;
|
|
172
|
-
// Skip if sanitization is nearby
|
|
173
|
-
if (hasSanitization(lines, i))
|
|
174
|
-
continue;
|
|
175
|
-
// Determine severity
|
|
176
|
-
let severity = 'low';
|
|
177
|
-
let title = 'Log injection: User input in log statement';
|
|
178
|
-
let description = '';
|
|
179
|
-
if (userInput.type === 'header') {
|
|
180
|
-
severity = 'medium';
|
|
181
|
-
title = 'Log injection: HTTP headers in log statement';
|
|
182
|
-
description =
|
|
183
|
-
'HTTP request headers are logged without sanitization. Headers can contain CRLF sequences that forge log entries or inject malicious content into log processing tools.';
|
|
184
|
-
}
|
|
185
|
-
else if (userInput.type === 'spread' || userInput.type === 'stringify') {
|
|
186
|
-
severity = 'low';
|
|
187
|
-
title = 'Log injection: Entire request body logged';
|
|
188
|
-
description =
|
|
189
|
-
'Entire request body is logged, which may contain unsanitized user input. This can lead to log forging, log injection, or sensitive data exposure in logs.';
|
|
190
|
-
}
|
|
191
|
-
else {
|
|
192
|
-
severity = 'low';
|
|
193
|
-
title = 'Log injection: Request data in log statement';
|
|
194
|
-
description =
|
|
195
|
-
'User-controlled request data flows into a log statement. Unsanitized input can forge log entries or inject newlines to create misleading log records.';
|
|
196
|
-
}
|
|
197
|
-
vulnerabilities.push({
|
|
198
|
-
id: `loginj-${filePath}-${i + 1}`,
|
|
199
|
-
filePath,
|
|
200
|
-
lineNumber: i + 1,
|
|
201
|
-
lineContent: line.trim(),
|
|
202
|
-
severity,
|
|
203
|
-
category: 'log_injection',
|
|
204
|
-
title,
|
|
205
|
-
description,
|
|
206
|
-
suggestedFix: 'Sanitize user input before logging (strip newlines and control characters). Use structured logging (JSON format) to prevent log forging.',
|
|
207
|
-
confidence: severity === 'medium' ? 'high' : 'medium',
|
|
208
|
-
layer: 2,
|
|
209
|
-
requiresAIValidation: severity !== 'medium',
|
|
210
|
-
});
|
|
211
|
-
}
|
|
212
|
-
return vulnerabilities;
|
|
213
|
-
}
|
|
214
|
-
//# sourceMappingURL=log-injection.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"log-injection.js","sourceRoot":"","sources":["../../src/layer2/log-injection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA0KH,gDAyEC;AA/OD,8DAIiC;AAMjC,wBAAwB;AACxB,MAAM,iBAAiB,GAAG;IACxB,mDAAmD;IACnD,sEAAsE;IACtE,4EAA4E;IAC5E,iDAAiD;CAClD,CAAA;AAED,4CAA4C;AAC5C,MAAM,mBAAmB,GAAG;IAC1B,iFAAiF;IACjF,sDAAsD;CACvD,CAAA;AAED,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,kCAAkC,CAAA;AAE5D,2DAA2D;AAC3D,MAAM,uBAAuB,GAAG;IAC9B,gCAAgC;IAChC,+CAA+C;IAC/C,eAAe;IACf,2CAA2C;IAC3C,iDAAiD;IACjD,iBAAiB;IACjB,YAAY;IACZ,WAAW;IACX,UAAU;IACV,YAAY;CACb,CAAA;AAED,mDAAmD;AACnD,MAAM,kBAAkB,GAAG,mFAAmF,CAAA;AAE9G,0CAA0C;AAC1C,MAAM,qBAAqB,GAAG;IAC5B,+BAA+B;IAC/B,eAAe;IACf,aAAa;IACb,8BAA8B;IAC9B,qBAAqB;IACrB,2BAA2B;CAC5B,CAAA;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY,EAAE,KAAe,EAAE,SAAiB;IAIzE,+BAA+B;IAC/B,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IACxC,CAAC;IAED,yCAAyC;IACzC,IAAI,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,iEAAiE;IACjE,IAAI,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9E,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IACxC,CAAC;IAED,4CAA4C;IAC5C,IAAI,4EAA4E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5F,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAA;IAC3C,CAAC;IAED,6CAA6C;IAC7C,IAAI,2EAA2E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3F,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAED,uCAAuC;IACvC,KAAK,IAAI,MAAM,GAAG,CAAC,CAAC,EAAE,MAAM,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC;QAC5C,IAAI,MAAM,KAAK,CAAC;YAAE,SAAQ;QAC1B,MAAM,GAAG,GAAG,SAAS,GAAG,MAAM,CAAA;QAC9B,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,MAAM;YAAE,SAAQ;QAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACpD,yEAAyE;YACzE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;YACtC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC1D,sDAAsD;YACtD,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACpD,MAAM,WAAW,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;YACrD,IAAI,UAAU,GAAG,WAAW,EAAE,CAAC;gBAC7B,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;gBACxC,CAAC;gBACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,KAAe,EAAE,SAAiB;IACtE,wEAAwE;IACxE,IAAI,8FAA8F,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9G,OAAO,IAAI,CAAA;IACb,CAAC;IAED,0CAA0C;IAC1C,IAAI,wFAAwF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxG,OAAO,IAAI,CAAA;IACb,CAAC;IAED,wBAAwB;IACxB,IAAI,6DAA6D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7E,OAAO,IAAI,CAAA;IACb,CAAC;IAED,iCAAiC;IACjC,IAAI,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAChH,OAAO,IAAI,CAAA;IACb,CAAC;IAED,sCAAsC;IACtC,KAAK,IAAI,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACjE,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,sEAAsE;YACtE,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;gBAC9B,IAAI,IAAI,MAAM,CAAC,MAAM,QAAQ,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/C,OAAO,IAAI,CAAA;gBACb,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAe,EAAE,SAAiB;IACzD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAClD,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAA6B;IAE7B,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEtD,uEAAuE;IACvE,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,mCAAmC;QACnC,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAC3D,IAAI,CAAC,SAAS;YAAE,SAAQ;QAExB,sCAAsC;QACtC,IAAI,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAAE,SAAQ;QAE5C,6CAA6C;QAC7C,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAA;QACnD,IAAI,CAAC,SAAS,CAAC,KAAK;YAAE,SAAQ;QAE9B,iCAAiC;QACjC,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,SAAQ;QAEvC,qBAAqB;QACrB,IAAI,QAAQ,GAA0B,KAAK,CAAA;QAC3C,IAAI,KAAK,GAAG,4CAA4C,CAAA;QACxD,IAAI,WAAW,GAAG,EAAE,CAAA;QAEpB,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,QAAQ,GAAG,QAAQ,CAAA;YACnB,KAAK,GAAG,8CAA8C,CAAA;YACtD,WAAW;gBACT,wKAAwK,CAAA;QAC5K,CAAC;aAAM,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACzE,QAAQ,GAAG,KAAK,CAAA;YAChB,KAAK,GAAG,2CAA2C,CAAA;YACnD,WAAW;gBACT,2JAA2J,CAAA;QAC/J,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,KAAK,CAAA;YAChB,KAAK,GAAG,8CAA8C,CAAA;YACtD,WAAW;gBACT,uJAAuJ,CAAA;QAC3J,CAAC;QAED,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,UAAU,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;YACjC,QAAQ;YACR,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK;YACL,WAAW;YACX,YAAY,EACV,0IAA0I;YAC5I,UAAU,EAAE,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACrD,KAAK,EAAE,CAAC;YACR,oBAAoB,EAAE,QAAQ,KAAK,QAAQ;SAC5C,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Layer 2: Logic Gates Detection
|
|
3
|
-
* Identifies security bypass patterns and dangerous logic flows
|
|
4
|
-
*/
|
|
5
|
-
import type { Vulnerability } from '../types';
|
|
6
|
-
import type { ParsedFile } from '../utils/parsed-file';
|
|
7
|
-
export declare function detectLogicGates(content: string, filePath: string, options?: {
|
|
8
|
-
parsed?: ParsedFile;
|
|
9
|
-
}): Vulnerability[];
|
|
10
|
-
//# sourceMappingURL=logic-gates.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"logic-gates.d.ts","sourceRoot":"","sources":["../../src/layer2/logic-gates.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAC7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAkItD,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA8EjB"}
|
|
@@ -1,220 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: Logic Gates Detection
|
|
4
|
-
* Identifies security bypass patterns and dangerous logic flows
|
|
5
|
-
*/
|
|
6
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
-
exports.detectLogicGates = detectLogicGates;
|
|
8
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
9
|
-
const comment_analyzer_1 = require("../utils/comment-analyzer");
|
|
10
|
-
const intent_detector_1 = require("../utils/intent-detector");
|
|
11
|
-
// Patterns for security bypass logic
|
|
12
|
-
const LOGIC_PATTERNS = [
|
|
13
|
-
// Development mode bypasses
|
|
14
|
-
{
|
|
15
|
-
name: 'Development mode security bypass',
|
|
16
|
-
pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]production['"]\s*\)\s*(return\s+true|return\s*;|continue|break)/gi,
|
|
17
|
-
severity: 'high',
|
|
18
|
-
description: 'Security check bypassed in non-production environments',
|
|
19
|
-
suggestedFix: 'Remove development-only bypasses or ensure they cannot be triggered in production',
|
|
20
|
-
},
|
|
21
|
-
{
|
|
22
|
-
name: 'Development mode auth skip',
|
|
23
|
-
pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/gi,
|
|
24
|
-
severity: 'medium',
|
|
25
|
-
description: 'Code path that only runs in development - verify no security implications',
|
|
26
|
-
suggestedFix: 'Ensure this development-only code does not bypass security controls',
|
|
27
|
-
},
|
|
28
|
-
// Auth bypasses
|
|
29
|
-
{
|
|
30
|
-
name: 'Authentication bypass pattern',
|
|
31
|
-
pattern: /if\s*\(\s*(true|1|!false)\s*\)\s*{\s*(return|next|resolve)/gi,
|
|
32
|
-
severity: 'critical',
|
|
33
|
-
description: 'Hardcoded truthy condition may bypass authentication',
|
|
34
|
-
suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
|
|
35
|
-
},
|
|
36
|
-
// NOTE: 'Commented auth check' pattern has been replaced with smart comment analysis
|
|
37
|
-
// The isDisabledAuthComment() function distinguishes explanatory comments from disabled code
|
|
38
|
-
// This is handled specially in detectLogicGates() below
|
|
39
|
-
// Skip validation patterns
|
|
40
|
-
{
|
|
41
|
-
name: 'Validation skip',
|
|
42
|
-
pattern: /skipValidation\s*[=:]\s*true|validate\s*[=:]\s*false|noValidate\s*[=:]\s*true/gi,
|
|
43
|
-
severity: 'high',
|
|
44
|
-
description: 'Input validation explicitly disabled',
|
|
45
|
-
suggestedFix: 'Enable validation or ensure this is intentional and documented',
|
|
46
|
-
},
|
|
47
|
-
// Debug/test bypasses
|
|
48
|
-
{
|
|
49
|
-
name: 'Debug bypass',
|
|
50
|
-
pattern: /if\s*\(\s*(DEBUG|TEST|SKIP_AUTH|BYPASS|DISABLE_AUTH)\s*\)/gi,
|
|
51
|
-
severity: 'high',
|
|
52
|
-
description: 'Debug/test flag may bypass security controls',
|
|
53
|
-
suggestedFix: 'Remove debug bypasses before deploying to production',
|
|
54
|
-
},
|
|
55
|
-
// Unsafe defaults
|
|
56
|
-
{
|
|
57
|
-
name: 'Unsafe default allow',
|
|
58
|
-
pattern: /default\s*:\s*(return\s+true|allow|permit|grant)/gi,
|
|
59
|
-
severity: 'medium',
|
|
60
|
-
description: 'Default case allows access - should default to deny',
|
|
61
|
-
suggestedFix: 'Change default behavior to deny access (fail-safe defaults)',
|
|
62
|
-
},
|
|
63
|
-
// Empty catch blocks
|
|
64
|
-
{
|
|
65
|
-
name: 'Empty error handler',
|
|
66
|
-
pattern: /catch\s*\([^)]*\)\s*{\s*(\/\/.*)?}/gi,
|
|
67
|
-
severity: 'medium',
|
|
68
|
-
description: 'Empty catch block may hide security errors',
|
|
69
|
-
suggestedFix: 'Log the error or handle it appropriately',
|
|
70
|
-
},
|
|
71
|
-
// Disabled security features
|
|
72
|
-
{
|
|
73
|
-
name: 'Disabled CSRF protection',
|
|
74
|
-
pattern: /csrf\s*[=:]\s*false|disableCsrf|csrfProtection\s*[=:]\s*false/gi,
|
|
75
|
-
severity: 'high',
|
|
76
|
-
description: 'CSRF protection explicitly disabled',
|
|
77
|
-
suggestedFix: 'Enable CSRF protection for state-changing requests',
|
|
78
|
-
},
|
|
79
|
-
{
|
|
80
|
-
name: 'Disabled SSL verification',
|
|
81
|
-
pattern: /rejectUnauthorized\s*[=:]\s*false|verify\s*[=:]\s*false|ssl\s*[=:]\s*false|NODE_TLS_REJECT_UNAUTHORIZED/gi,
|
|
82
|
-
severity: 'critical',
|
|
83
|
-
description: 'SSL/TLS certificate verification disabled',
|
|
84
|
-
suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
|
|
85
|
-
},
|
|
86
|
-
// Insecure comparisons - ONLY flag actual secret comparisons
|
|
87
|
-
// Timing attacks are only relevant when comparing cryptographic secrets
|
|
88
|
-
// Do NOT flag: error codes, UI state, null checks, empty strings, route IDs, type checks
|
|
89
|
-
{
|
|
90
|
-
name: 'Timing attack vulnerable comparison',
|
|
91
|
-
// Only match explicit secret-related variable names being compared with ===
|
|
92
|
-
// This avoids flagging general string comparisons which are not timing-sensitive
|
|
93
|
-
pattern: /\b(password|secret|token|apiKey|api_key|credential|hash|digest|signature|privateKey|private_key|secretKey|secret_key)\s*===?\s*['"][^'"]+['"]/gi,
|
|
94
|
-
severity: 'medium',
|
|
95
|
-
description: 'Direct comparison of secret value may be vulnerable to timing attacks',
|
|
96
|
-
suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
|
|
97
|
-
},
|
|
98
|
-
// Unsafe redirects - NOTE: Now uses intent detection to distinguish from React state setters
|
|
99
|
-
// The pattern is checked, but isReactStateSetter() is used to skip false positives
|
|
100
|
-
{
|
|
101
|
-
name: 'Open redirect vulnerability',
|
|
102
|
-
pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
|
|
103
|
-
severity: 'high',
|
|
104
|
-
description: 'Redirect URL from user input may allow open redirect attacks',
|
|
105
|
-
suggestedFix: 'Validate redirect URLs against an allowlist of trusted domains',
|
|
106
|
-
},
|
|
107
|
-
// Admin/superuser bypasses
|
|
108
|
-
{
|
|
109
|
-
name: 'Admin bypass pattern',
|
|
110
|
-
pattern: /if\s*\(\s*(isAdmin|isSuperUser|isRoot|role\s*===?\s*['"]admin['"])\s*\)\s*(return|continue|break)/gi,
|
|
111
|
-
severity: 'medium',
|
|
112
|
-
description: 'Admin role bypasses normal security checks',
|
|
113
|
-
suggestedFix: 'Ensure admin bypass is intentional and properly audited',
|
|
114
|
-
},
|
|
115
|
-
];
|
|
116
|
-
// Check if line is a comment
|
|
117
|
-
function isComment(line) {
|
|
118
|
-
const trimmed = line.trim();
|
|
119
|
-
return (trimmed.startsWith('//') ||
|
|
120
|
-
trimmed.startsWith('#') ||
|
|
121
|
-
trimmed.startsWith('*') ||
|
|
122
|
-
trimmed.startsWith('/*'));
|
|
123
|
-
}
|
|
124
|
-
function detectLogicGates(content, filePath, options) {
|
|
125
|
-
const vulnerabilities = [];
|
|
126
|
-
// Skip scanner/fixture files to avoid self-detection
|
|
127
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
128
|
-
return vulnerabilities;
|
|
129
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
130
|
-
// Check each line against patterns
|
|
131
|
-
lines.forEach((line, index) => {
|
|
132
|
-
// Skip comment lines (handled separately below for auth comments)
|
|
133
|
-
if (isComment(line)) {
|
|
134
|
-
return;
|
|
135
|
-
}
|
|
136
|
-
for (const logicPattern of LOGIC_PATTERNS) {
|
|
137
|
-
const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags);
|
|
138
|
-
if (regex.test(line)) {
|
|
139
|
-
// Special handling for redirect patterns - check if it's actually a React state setter
|
|
140
|
-
if (logicPattern.name === 'Open redirect vulnerability') {
|
|
141
|
-
if ((0, intent_detector_1.isReactStateSetter)(line)) {
|
|
142
|
-
// This is a React state setter like setState(), not a redirect
|
|
143
|
-
continue;
|
|
144
|
-
}
|
|
145
|
-
if (!(0, intent_detector_1.isActualRedirect)(line)) {
|
|
146
|
-
// This doesn't look like an actual redirect function
|
|
147
|
-
continue;
|
|
148
|
-
}
|
|
149
|
-
}
|
|
150
|
-
vulnerabilities.push({
|
|
151
|
-
id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
|
|
152
|
-
filePath,
|
|
153
|
-
lineNumber: index + 1,
|
|
154
|
-
lineContent: line.trim(),
|
|
155
|
-
severity: logicPattern.severity,
|
|
156
|
-
category: 'security_bypass',
|
|
157
|
-
title: logicPattern.name,
|
|
158
|
-
description: logicPattern.description,
|
|
159
|
-
suggestedFix: logicPattern.suggestedFix,
|
|
160
|
-
confidence: 'medium',
|
|
161
|
-
layer: 2,
|
|
162
|
-
});
|
|
163
|
-
break; // Only report once per line
|
|
164
|
-
}
|
|
165
|
-
}
|
|
166
|
-
});
|
|
167
|
-
// Smart comment analysis for disabled auth patterns
|
|
168
|
-
// Only flag comments that are genuinely disabled code, not explanatory comments
|
|
169
|
-
lines.forEach((line, index) => {
|
|
170
|
-
// Check if this is a comment line with auth-related content
|
|
171
|
-
if (isComment(line) && /auth|permission|verify|check|token/i.test(line)) {
|
|
172
|
-
// Use smart analysis to determine if this is disabled code
|
|
173
|
-
if ((0, comment_analyzer_1.isDisabledAuthComment)(lines, index)) {
|
|
174
|
-
vulnerabilities.push({
|
|
175
|
-
id: `logic-${filePath}-${index + 1}-commented-auth-check`,
|
|
176
|
-
filePath,
|
|
177
|
-
lineNumber: index + 1,
|
|
178
|
-
lineContent: line.trim(),
|
|
179
|
-
severity: 'high',
|
|
180
|
-
category: 'security_bypass',
|
|
181
|
-
title: 'Commented auth check',
|
|
182
|
-
description: 'Commented out authentication/authorization code detected. This may indicate disabled security controls.',
|
|
183
|
-
suggestedFix: 'Remove commented code or restore the security check',
|
|
184
|
-
confidence: 'medium',
|
|
185
|
-
layer: 2,
|
|
186
|
-
});
|
|
187
|
-
}
|
|
188
|
-
}
|
|
189
|
-
});
|
|
190
|
-
// Multi-line pattern detection (for more complex patterns)
|
|
191
|
-
const multiLineFindings = detectMultiLinePatterns(content, filePath);
|
|
192
|
-
vulnerabilities.push(...multiLineFindings);
|
|
193
|
-
return vulnerabilities;
|
|
194
|
-
}
|
|
195
|
-
// Detect patterns that span multiple lines
|
|
196
|
-
function detectMultiLinePatterns(content, filePath) {
|
|
197
|
-
const vulnerabilities = [];
|
|
198
|
-
const lines = content.split('\n');
|
|
199
|
-
// Detect try-catch with empty or minimal error handling
|
|
200
|
-
const tryCatchPattern = /try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(\n\s*)*(\/\/[^\n]*)?\s*}/g;
|
|
201
|
-
let match;
|
|
202
|
-
while ((match = tryCatchPattern.exec(content)) !== null) {
|
|
203
|
-
const lineNumber = content.substring(0, match.index).split('\n').length;
|
|
204
|
-
vulnerabilities.push({
|
|
205
|
-
id: `logic-multiline-${filePath}-${lineNumber}`,
|
|
206
|
-
filePath,
|
|
207
|
-
lineNumber,
|
|
208
|
-
lineContent: lines[lineNumber - 1]?.trim() || 'try {',
|
|
209
|
-
severity: 'medium',
|
|
210
|
-
category: 'security_bypass',
|
|
211
|
-
title: 'Silent error handling',
|
|
212
|
-
description: 'Try-catch block with minimal error handling may hide security issues',
|
|
213
|
-
suggestedFix: 'Log errors appropriately and handle them based on type',
|
|
214
|
-
confidence: 'low',
|
|
215
|
-
layer: 2,
|
|
216
|
-
});
|
|
217
|
-
}
|
|
218
|
-
return vulnerabilities;
|
|
219
|
-
}
|
|
220
|
-
//# sourceMappingURL=logic-gates.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"logic-gates.js","sourceRoot":"","sources":["../../src/layer2/logic-gates.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAqIH,4CAkFC;AAnND,8DAAiE;AACjE,gEAAiE;AACjE,8DAA+E;AAU/E,qCAAqC;AACrC,MAAM,cAAc,GAAmB;IACrC,4BAA4B;IAC5B;QACE,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,oHAAoH;QAC7H,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wDAAwD;QACrE,YAAY,EAAE,mFAAmF;KAClG;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,yEAAyE;QAClF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,2EAA2E;QACxF,YAAY,EAAE,qEAAqE;KACpF;IACD,gBAAgB;IAChB;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,YAAY,EAAE,mEAAmE;KAClF;IACD,qFAAqF;IACrF,6FAA6F;IAC7F,wDAAwD;IACxD,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;QACnD,YAAY,EAAE,gEAAgE;KAC/E;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6DAA6D;QACtE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,sDAAsD;KACrE;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,qDAAqD;QAClE,YAAY,EAAE,6DAA6D;KAC5E;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,0CAA0C;KACzD;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,oDAAoD;KACnE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2GAA2G;QACpH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,8DAA8D;KAC7E;IACD,6DAA6D;IAC7D,wEAAwE;IACxE,yFAAyF;IACzF;QACE,IAAI,EAAE,qCAAqC;QAC3C,4EAA4E;QAC5E,iFAAiF;QACjF,OAAO,EAAE,iJAAiJ;QAC1J,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uEAAuE;QACpF,YAAY,EAAE,yEAAyE;KACxF;IACD,6FAA6F;IAC7F,mFAAmF;IACnF;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,gEAAgE;KAC/E;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,qGAAqG;QAC9G,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,gBAAgB,CAC9B,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,mCAAmC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,kEAAkE;QAClE,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,OAAM;QACR,CAAC;QAED,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEjF,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,uFAAuF;gBACvF,IAAI,YAAY,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBACxD,IAAI,IAAA,oCAAkB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,+DAA+D;wBAC/D,SAAQ;oBACV,CAAC;oBACD,IAAI,CAAC,IAAA,kCAAgB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,qDAAqD;wBACrD,SAAQ;oBACV,CAAC;gBACH,CAAC;gBAED,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,SAAS,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,EAAE;oBACzD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,YAAY,CAAC,QAAQ;oBAC/B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,YAAY,CAAC,IAAI;oBACxB,WAAW,EAAE,YAAY,CAAC,WAAW;oBACrC,YAAY,EAAE,YAAY,CAAC,YAAY;oBACvC,UAAU,EAAE,QAAQ;oBACpB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,oDAAoD;IACpD,gFAAgF;IAChF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,4DAA4D;QAC5D,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACxE,2DAA2D;YAC3D,IAAI,IAAA,wCAAqB,EAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;gBACxC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,SAAS,QAAQ,IAAI,KAAK,GAAG,CAAC,uBAAuB;oBACzD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,sBAAsB;oBAC7B,WAAW,EAAE,yGAAyG;oBACtH,YAAY,EAAE,qDAAqD;oBACnE,UAAU,EAAE,QAAQ;oBACpB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACpE,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAA;IAE1C,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,2CAA2C;AAC3C,SAAS,uBAAuB,CAAC,OAAe,EAAE,QAAgB;IAChE,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,wDAAwD;IACxD,MAAM,eAAe,GAAG,uEAAuE,CAAA;IAC/F,IAAI,KAAK,CAAA;IAET,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACvE,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,mBAAmB,QAAQ,IAAI,UAAU,EAAE;YAC/C,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,OAAO;YACrD,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,iBAAiB;YAC3B,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,sEAAsE;YACnF,YAAY,EAAE,wDAAwD;YACtE,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Layer 2: Model Supply Chain Security Detection
|
|
3
|
-
* Detects unsafe model loading patterns that can lead to arbitrary code execution
|
|
4
|
-
*
|
|
5
|
-
* Covers AI Detection Roadmap Phase 2:
|
|
6
|
-
* - Pickle/joblib deserialization RCE
|
|
7
|
-
* - torch.load without weights_only=True
|
|
8
|
-
* - Unverified model sources
|
|
9
|
-
* - Unsafe fine-tuning on user data
|
|
10
|
-
*
|
|
11
|
-
* References:
|
|
12
|
-
* - OWASP LLM05: Supply Chain Vulnerabilities
|
|
13
|
-
* - CWE-502: Deserialization of Untrusted Data
|
|
14
|
-
*/
|
|
15
|
-
import type { Vulnerability } from '../types';
|
|
16
|
-
import type { ParsedFile } from '../utils/parsed-file';
|
|
17
|
-
/**
|
|
18
|
-
* Main detection function for model supply chain security issues
|
|
19
|
-
*/
|
|
20
|
-
export declare function detectModelSupplyChain(content: string, filePath: string, options?: {
|
|
21
|
-
parsed?: ParsedFile;
|
|
22
|
-
}): Vulnerability[];
|
|
23
|
-
//# sourceMappingURL=model-supply-chain.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"model-supply-chain.d.ts","sourceRoot":"","sources":["../../src/layer2/model-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAgD,MAAM,UAAU,CAAA;AAC3F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAgYtD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA2HjB"}
|