@oculum/scanner 1.0.14 → 1.0.15

package/dist/utils/trpc-analyzer.js

@@ -1,297 +0,0 @@
-"use strict";
-/**
- * tRPC Router Analyzer
- * Analyzes tRPC router definitions to understand which procedures are protected
- * by middleware (e.g., adminProcedure, protectedProcedure).
- *
- * This helps prevent false positives when frontend code calls protected tRPC
- * procedures - the backend already handles authorization.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.analyzeTRPCRouters = analyzeTRPCRouters;
-exports.isProcedureProtected = isProcedureProtected;
-exports.parseTRPCCall = parseTRPCCall;
-exports.isTRPCClientCall = isTRPCClientCall;
-exports.getTRPCSummary = getTRPCSummary;
-/**
- * Patterns that indicate admin-level middleware
- */
-const ADMIN_MIDDLEWARE_PATTERNS = [
-    /adminProcedure/i,
-    /adminMiddleware/i,
-    /requireAdmin/i,
-    /isAdmin\s*:\s*true/i,
-    /role\s*===?\s*['"]admin['"]/i,
-    /\.admin\s*\(/i,
-    /adminRouter/i,
-    /superAdminProcedure/i,
-];
-/**
- * Patterns that indicate authenticated middleware
- */
-const AUTH_MIDDLEWARE_PATTERNS = [
-    /protectedProcedure/i,
-    /authenticatedProcedure/i,
-    /requireAuth/i,
-    /isAuthenticated/i,
-    /privateProcedure/i,
-    /authedProcedure/i,
-    /userProcedure/i,
-    /loggedInProcedure/i,
-];
-/**
- * Patterns that indicate public/unprotected procedures
- */
-const PUBLIC_MIDDLEWARE_PATTERNS = [
-    /publicProcedure/i,
-    /guestProcedure/i,
-    /unauthenticatedProcedure/i,
-    /openProcedure/i,
-];
-/**
- * Detect tRPC usage in files
- */
-function detectTRPCUsage(content) {
-    const trpcPatterns = [
-        /@trpc\/server/i,
-        /@trpc\/client/i,
-        /@trpc\/react-query/i,
-        /@trpc\/next/i,
-        /createTRPCRouter/i,
-        /initTRPC/i,
-        /trpc\.router/i,
-        /t\.router\s*\(/i,
-        /t\.procedure/i,
-    ];
-    return trpcPatterns.some(p => p.test(content));
-}
-/**
- * Extract middleware definitions from a file
- */
-function extractMiddlewares(content, filePath) {
-    const middlewares = [];
-    const lines = content.split('\n');
-    // Look for procedure definitions with middleware
-    const procedureDefPatterns = [
-        /export\s+const\s+(\w+Procedure)\s*=\s*t\.procedure\.use/i,
-        /const\s+(\w+Procedure)\s*=\s*t\.procedure\.use/i,
-        /(\w+Procedure)\s*=\s*publicProcedure\.use/i,
-        /export\s+const\s+(\w+Procedure)\s*=/i,
-    ];
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        for (const pattern of procedureDefPatterns) {
-            const match = line.match(pattern);
-            if (match) {
-                const name = match[1];
-                let type = 'unknown';
-                // Determine type based on name and context
-                if (ADMIN_MIDDLEWARE_PATTERNS.some(p => p.test(name) || p.test(line))) {
-                    type = 'admin';
-                }
-                else if (AUTH_MIDDLEWARE_PATTERNS.some(p => p.test(name) || p.test(line))) {
-                    type = 'authenticated';
-                }
-                else if (PUBLIC_MIDDLEWARE_PATTERNS.some(p => p.test(name) || p.test(line))) {
-                    type = 'public';
-                }
-                middlewares.push({
-                    name,
-                    type,
-                    definedIn: filePath,
-                    lineNumber: i + 1,
-                });
-            }
-        }
-    }
-    return middlewares;
-}
-/**
- * Extract router definitions from a file
- */
-function extractRouters(content, filePath, middlewares) {
-    const routers = [];
-    const lines = content.split('\n');
-    // Pattern to find router definitions
-    const routerDefPatterns = [
-        /export\s+const\s+(\w+Router)\s*=\s*(?:createTRPCRouter|t\.router)\s*\(\s*\{/i,
-        /const\s+(\w+Router)\s*=\s*(?:createTRPCRouter|t\.router)\s*\(\s*\{/i,
-        /(\w+):\s*(?:createTRPCRouter|t\.router)\s*\(\s*\{/i,
-    ];
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        for (const pattern of routerDefPatterns) {
-            const match = line.match(pattern);
-            if (match) {
-                const name = match[1].replace(/Router$/i, '').toLowerCase();
-                // Look ahead to find procedures in this router
-                const procedures = [];
-                let isProtected = false;
-                let defaultMiddleware;
-                // Check if router name suggests admin protection
-                if (/admin/i.test(name)) {
-                    isProtected = true;
-                    defaultMiddleware = 'adminProcedure';
-                }
-                // Scan the router body for procedures
-                let braceDepth = 0;
-                let inRouter = false;
-                for (let j = i; j < Math.min(i + 100, lines.length); j++) {
-                    const routerLine = lines[j];
-                    if (routerLine.includes('{')) {
-                        braceDepth += (routerLine.match(/\{/g) || []).length;
-                        inRouter = true;
-                    }
-                    if (routerLine.includes('}')) {
-                        braceDepth -= (routerLine.match(/\}/g) || []).length;
-                    }
-                    if (inRouter && braceDepth === 0)
-                        break;
-                    // Look for procedure definitions
-                    const procMatch = routerLine.match(/(\w+)\s*:\s*(\w+Procedure)\./i);
-                    if (procMatch) {
-                        procedures.push(procMatch[1]);
-                        const middlewareName = procMatch[2];
-                        const middleware = middlewares.get(middlewareName);
-                        if (middleware && (middleware.type === 'admin' || middleware.type === 'authenticated')) {
-                            isProtected = true;
-                        }
-                    }
-                    // Check for admin/protected procedure usage
-                    if (ADMIN_MIDDLEWARE_PATTERNS.some(p => p.test(routerLine))) {
-                        isProtected = true;
-                    }
-                    else if (AUTH_MIDDLEWARE_PATTERNS.some(p => p.test(routerLine))) {
-                        isProtected = true;
-                    }
-                }
-                routers.push({
-                    name,
-                    file: filePath,
-                    procedures,
-                    defaultMiddleware,
-                    isProtected,
-                });
-            }
-        }
-    }
-    return routers;
-}
-/**
- * Analyze tRPC routers across all files
- */
-function analyzeTRPCRouters(files) {
-    const context = {
-        routers: new Map(),
-        procedures: new Map(),
-        middlewares: new Map(),
-        hasTRPC: false,
-    };
-    // First pass: detect if tRPC is used
-    for (const file of files) {
-        if (detectTRPCUsage(file.content)) {
-            context.hasTRPC = true;
-            break;
-        }
-    }
-    if (!context.hasTRPC) {
-        return context;
-    }
-    // Second pass: extract middlewares
-    for (const file of files) {
-        const middlewares = extractMiddlewares(file.content, file.path);
-        for (const middleware of middlewares) {
-            context.middlewares.set(middleware.name, middleware);
-        }
-    }
-    // Third pass: extract routers
-    for (const file of files) {
-        const routers = extractRouters(file.content, file.path, context.middlewares);
-        for (const router of routers) {
-            context.routers.set(router.name, router);
-            // Add procedures to the procedures map
-            for (const procName of router.procedures) {
-                context.procedures.set(`${router.name}.${procName}`, {
-                    name: procName,
-                    router: router.name,
-                    hasAuthMiddleware: router.isProtected,
-                    middlewareType: router.isProtected ? 'authenticated' : 'public',
-                    definedIn: router.file,
-                });
-            }
-        }
-    }
-    return context;
-}
-/**
- * Check if a tRPC procedure is protected by middleware
- */
-function isProcedureProtected(context, routerName, procedureName) {
-    // Check if the router itself is protected
-    const router = context.routers.get(routerName.toLowerCase());
-    if (router?.isProtected) {
-        return true;
-    }
-    // Check specific procedure if provided
-    if (procedureName) {
-        const procedure = context.procedures.get(`${routerName.toLowerCase()}.${procedureName}`);
-        if (procedure?.hasAuthMiddleware) {
-            return true;
-        }
-    }
-    // Check if router name suggests admin protection
-    if (/admin/i.test(routerName)) {
-        return true;
-    }
-    return false;
-}
-/**
- * Parse a tRPC client call to extract router and procedure names
- * e.g., trpc.admin.getUsers.useQuery() -> { router: 'admin', procedure: 'getUsers' }
- */
-function parseTRPCCall(lineContent) {
-    // Pattern: trpc.routerName.procedureName
-    const patterns = [
-        /trpc\.(\w+)\.(\w+)\./i,
-        /api\.(\w+)\.(\w+)\./i,
-        /client\.(\w+)\.(\w+)\./i,
-    ];
-    for (const pattern of patterns) {
-        const match = lineContent.match(pattern);
-        if (match) {
-            return {
-                router: match[1],
-                procedure: match[2],
-            };
-        }
-    }
-    return null;
-}
-/**
- * Check if a line contains a tRPC client call
- */
-function isTRPCClientCall(lineContent) {
-    const patterns = [
-        /trpc\.\w+\.\w+\.(useQuery|useMutation|useInfiniteQuery)/i,
-        /api\.\w+\.\w+\.(useQuery|useMutation|useInfiniteQuery)/i,
-        /trpc\.\w+\.\w+\.query\(/i,
-        /trpc\.\w+\.\w+\.mutate\(/i,
-    ];
-    return patterns.some(p => p.test(lineContent));
-}
-/**
- * Get a summary of tRPC context for logging
- */
-function getTRPCSummary(context) {
-    if (!context.hasTRPC) {
-        return 'No tRPC detected';
-    }
-    const parts = [];
-    parts.push(`tRPC detected: ${context.routers.size} routers, ${context.procedures.size} procedures`);
-    const protectedRouters = Array.from(context.routers.values()).filter(r => r.isProtected);
-    if (protectedRouters.length > 0) {
-        parts.push(`Protected routers: ${protectedRouters.map(r => r.name).join(', ')}`);
-    }
-    return parts.join('; ');
-}
-//# sourceMappingURL=trpc-analyzer.js.map

package/dist/utils/trpc-analyzer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"trpc-analyzer.js","sourceRoot":"","sources":["../../src/utils/trpc-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AA+OH,gDAgDC;AAKD,oDAyBC;AAMD,sCAmBC;AAKD,4CAQC;AAKD,wCAcC;AAlUD;;GAEG;AACH,MAAM,yBAAyB,GAAG;IAChC,iBAAiB;IACjB,kBAAkB;IAClB,eAAe;IACf,qBAAqB;IACrB,8BAA8B;IAC9B,eAAe;IACf,cAAc;IACd,sBAAsB;CACvB,CAAA;AAED;;GAEG;AACH,MAAM,wBAAwB,GAAG;IAC/B,qBAAqB;IACrB,yBAAyB;IACzB,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,kBAAkB;IAClB,gBAAgB;IAChB,oBAAoB;CACrB,CAAA;AAED;;GAEG;AACH,MAAM,0BAA0B,GAAG;IACjC,kBAAkB;IAClB,iBAAiB;IACjB,2BAA2B;IAC3B,gBAAgB;CACjB,CAAA;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,YAAY,GAAG;QACnB,gBAAgB;QAChB,gBAAgB;QAChB,qBAAqB;QACrB,cAAc;QACd,mBAAmB;QACnB,WAAW;QACX,eAAe;QACf,iBAAiB;QACjB,eAAe;KAChB,CAAA;IACD,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAe,EAAE,QAAgB;IAC3D,MAAM,WAAW,GAAqB,EAAE,CAAA;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,iDAAiD;IACjD,MAAM,oBAAoB,GAAG;QAC3B,0DAA0D;QAC1D,iDAAiD;QACjD,4CAA4C;QAC5C,sCAAsC;KACvC,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;YACjC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBACrB,IAAI,IAAI,GAAqD,SAAS,CAAA;gBAEtE,2CAA2C;gBAC3C,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBACtE,IAAI,GAAG,OAAO,CAAA;gBAChB,CAAC;qBAAM,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC5E,IAAI,GAAG,eAAe,CAAA;gBACxB,CAAC;qBAAM,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC9E,IAAI,GAAG,QAAQ,CAAA;gBACjB,CAAC;gBAED,WAAW,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,IAAI;oBACJ,SAAS,EAAE,QAAQ;oBACnB,UAAU,EAAE,CAAC,GAAG,CAAC;iBAClB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAA;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAe,EAAE,QAAgB,EAAE,WAAwC;IACjG,MAAM,OAAO,GAAiB,EAAE,CAAA;IAChC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,qCAAqC;IACrC,MAAM,iBAAiB,GAAG;QACxB,8EAA8E;QAC9E,qEAAqE;QACrE,oDAAoD;KACrD,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAErB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;YACjC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;gBAE3D,+CAA+C;gBAC/C,MAAM,UAAU,GAAa,EAAE,CAAA;gBAC/B,IAAI,WAAW,GAAG,KAAK,CAAA;gBACvB,IAAI,iBAAqC,CAAA;gBAEzC,iDAAiD;gBACjD,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxB,WAAW,GAAG,IAAI,CAAA;oBAClB,iBAAiB,GAAG,gBAAgB,CAAA;gBACtC,CAAC;gBAED,sCAAsC;gBACtC,IAAI,UAAU,GAAG,CAAC,CAAA;gBAClB,IAAI,QAAQ,GAAG,KAAK,CAAA;gBACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBACzD,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;oBAE3B,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC7B,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;wBACpD,QAAQ,GAAG,IAAI,CAAA;oBACjB,CAAC;oBACD,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC7B,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;oBACtD,CAAC;oBAED,IAAI,QAAQ,IAAI,UAAU,KAAK,CAAC;wBAAE,MAAK;oBAEvC,iCAAiC;oBACjC,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAA;oBACnE,IAAI,SAAS,EAAE,CAAC;wBACd,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAA;wBAC7B,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,CAAC,CAAA;wBACnC,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;wBAClD,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe,CAAC,EAAE,CAAC;4BACvF,WAAW,GAAG,IAAI,CAAA;wBACpB,CAAC;oBACH,CAAC;oBAED,4CAA4C;oBAC5C,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;wBAC5D,WAAW,GAAG,IAAI,CAAA;oBACpB,CAAC;yBAAM,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;wBAClE,WAAW,GAAG,IAAI,CAAA;oBACpB,CAAC;gBACH,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,IAAI,EAAE,QAAQ;oBACd,UAAU;oBACV,iBAAiB;oBACjB,WAAW;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,KAAiB;IAClD,MAAM,OAAO,GAAsB;QACjC,OAAO,EAAE,IAAI,GAAG,EAAE;QAClB,UAAU,EAAE,IAAI,GAAG,EAAE;QACrB,WAAW,EAAE,IAAI,GAAG,EAAE;QACtB,OAAO,EAAE,KAAK;KACf,CAAA;IAED,qCAAqC;IACrC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAA;YACtB,MAAK;QACP,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,mCAAmC;IACnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/D,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACrC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;QACtD,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,CAAA;QAC5E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;YAExC,uCAAuC;YACvC,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACzC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,QAAQ,EAAE,EAAE;oBACnD,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,iBAAiB,EAAE,MAAM,CAAC,WAAW;oBACrC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ;oBAC/D,SAAS,EAAE,MAAM,CAAC,IAAI;iBACvB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,OAA0B,EAC1B,UAAkB,EAClB,aAAsB;IAEtB,0CAA0C;IAC1C,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IAC5D,IAAI,MAAM,EAAE,WAAW,EAAE,CAAC;QACxB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uCAAuC;IACvC,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,WAAW,EAAE,IAAI,aAAa,EAAE,CAAC,CAAA;QACxF,IAAI,SAAS,EAAE,iBAAiB,EAAE,CAAC;YACjC,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,WAAmB;IAC/C,yCAAyC;IACzC,MAAM,QAAQ,GAAG;QACf,uBAAuB;QACvB,sBAAsB;QACtB,yBAAyB;KAC1B,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChB,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;aACpB,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,WAAmB;IAClD,MAAM,QAAQ,GAAG;QACf,0DAA0D;QAC1D,yDAAyD;QACzD,0BAA0B;QAC1B,2BAA2B;KAC5B,CAAA;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AAChD,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,OAA0B;IACvD,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,KAAK,CAAC,IAAI,CAAC,kBAAkB,OAAO,CAAC,OAAO,CAAC,IAAI,aAAa,OAAO,CAAC,UAAU,CAAC,IAAI,aAAa,CAAC,CAAA;IAEnG,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;IACxF,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,sBAAsB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAClF,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC"}

package/src/__tests__/context-engine/cross-file-taint.test.ts

@@ -1,284 +0,0 @@
-/**
- * Tests for Cross-File Taint Analysis — analyzeCrossFileTaint
- */
-
-import { analyzeCrossFileTaint } from '../../model/cross-file-taint'
-import { buildModuleGraph } from '../../model/module-graph'
-import { buildFunctionProfiles } from '../../model/function-classifier'
-import { discoverSources } from '../../model/source-discovery'
-import { propagateTaint } from '../../model/taint-tracker'
-import { matchSinks } from '../../model/sink-matcher'
-import { detectSanitisers } from '../../model/sanitiser-detection'
-import type { FileTaintAnalysis } from '../../model/taint-types'
-import type { ScanFile } from '../../shared/types'
-
-function makeFile(path: string, content: string): ScanFile {
-  return { path, content, language: 'typescript' }
-}
-
-function buildTaintAnalyses(files: ScanFile[]): Map<string, FileTaintAnalysis> {
-  const analyses = new Map<string, FileTaintAnalysis>()
-  for (const file of files) {
-    const sources = discoverSources(file.content, file.path)
-    if (sources.length === 0) continue
-    const sanitisers = detectSanitisers(file.content, file.path)
-    const taintedVariables = propagateTaint(file.content, file.path, sources, sanitisers)
-    const taintPaths = matchSinks(file.content, file.path, taintedVariables, sanitisers)
-    analyses.set(file.path, { filePath: file.path, sources, taintedVariables, taintPaths, sanitisers })
-  }
-  return analyses
-}
-
-describe('analyzeCrossFileTaint', () => {
-  describe('Scenario 1: Source in A, sink in imported function B', () => {
-    it('detects cross-file taint from route to DB query helper', () => {
-      const files = [
-        makeFile('src/routes/users.ts', [
-          `import { getUser } from '../lib/db'`,
-          ``,
-          `export async function GET(req) {`,
-          `  const id = req.params.id`,
-          `  const user = await getUser(id)`,
-          `  return Response.json(user)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/db.ts', [
-          `export function getUser(id: string) {`,
-          `  return db.query('SELECT * FROM users WHERE id = ' + id)`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      expect(paths.length).toBeGreaterThan(0)
-      const path = paths[0]
-      expect(path.sourceFile).toBe('src/routes/users.ts')
-      expect(path.sinkFile).toBe('src/lib/db.ts')
-      expect(path.sink.sinkType).toBe('sql_query')
-      expect(path.importLink.symbolName).toBe('getUser')
-      expect(path.confidence).toBe('medium')
-    })
-
-    it('detects cross-file taint with command execution', () => {
-      const files = [
-        makeFile('src/api/run.ts', [
-          `import { execute } from '../lib/runner'`,
-          ``,
-          `export async function POST(req) {`,
-          `  const { command } = req.body`,
-          `  const result = await execute(command)`,
-          `  return Response.json({ result })`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/runner.ts', [
-          `export function execute(cmd: string) {`,
-          `  return exec(cmd)`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      expect(paths.length).toBeGreaterThan(0)
-      expect(paths[0].sink.sinkType).toBe('exec')
-    })
-
-    it('marks sanitised paths when imported function has sanitisation', () => {
-      const files = [
-        makeFile('src/routes/users.ts', [
-          `import { getUser } from '../lib/db'`,
-          `export async function GET(req) {`,
-          `  const id = req.params.id`,
-          `  const user = await getUser(id)`,
-          `  return Response.json(user)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/db.ts', [
-          `export function getUser(id: string) {`,
-          `  const safeId = parseInt(id)`,
-          `  return db.query('SELECT * FROM users WHERE id = ' + safeId)`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      expect(paths.length).toBeGreaterThan(0)
-      expect(paths[0].sanitised).toBe(true)
-    })
-  })
-
-  describe('Scenario 2: Imported function returns user data', () => {
-    it('detects when imported function return value flows to local sink', () => {
-      const files = [
-        makeFile('src/api/search.ts', [
-          `import { getUserInput } from '../lib/input'`,
-          ``,
-          `export async function POST(req) {`,
-          `  const data = req.body`,
-          `  const input = await getUserInput(req)`,
-          `  db.query('SELECT * FROM items WHERE name = ' + input)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/input.ts', [
-          `export function getUserInput(req) {`,
-          `  return req.body`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      // Should detect at least the scenario 2 path
-      const scenario2 = paths.filter(p => p.sinkFile === 'src/api/search.ts')
-      expect(scenario2.length).toBeGreaterThan(0)
-    })
-  })
-
-  describe('Safety', () => {
-    it('skips files involved in circular imports', () => {
-      const files = [
-        makeFile('src/a.ts', [
-          `import { b } from './b'`,
-          `export function a(req) {`,
-          `  const id = req.params.id`,
-          `  return b(id)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/b.ts', [
-          `import { a } from './a'`,
-          `export function b(input: string) {`,
-          `  return db.query('SELECT * WHERE id = ' + input)`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      // Should not crash and should produce no results for circular imports
-      expect(paths).toBeDefined()
-    })
-
-    it('returns empty array when no taint sources exist', () => {
-      const files = [
-        makeFile('src/app.ts', `import { getUser } from './db'\nconst user = getUser('1')`),
-        makeFile('src/db.ts', `export function getUser(id) { return db.query('SELECT * FROM users WHERE id = ' + id) }`),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      expect(paths).toEqual([])
-    })
-
-    it('handles empty file list', () => {
-      const graph = buildModuleGraph([])
-      const profiles = buildFunctionProfiles([], graph)
-      const analyses = new Map()
-      const paths = analyzeCrossFileTaint([], graph, profiles, analyses)
-
-      expect(paths).toEqual([])
-    })
-  })
-
-  describe('False positive prevention', () => {
-    it('does not flag when tainted arg is passed to a non-dangerous param', () => {
-      // File A passes tainted 'id' as second arg, but only first param 'query' is dangerous
-      const files = [
-        makeFile('src/routes/users.ts', [
-          `import { searchUser } from '../lib/db'`,
-          ``,
-          `export async function GET(req) {`,
-          `  const id = req.params.id`,
-          `  const user = await searchUser('SELECT * FROM users', id)`,
-          `  return Response.json(user)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/db.ts', [
-          `export function searchUser(query: string, safeId: string) {`,
-          `  return db.query(query)`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      // 'id' is passed as second arg (safeId), which is NOT dangerous.
-      // Only 'query' (first param) appears on the sink line.
-      // With the tightened fallback, this should not produce a cross-file taint path
-      // for the tainted variable 'id'.
-      const idPaths = paths.filter(p => p.source.variable === 'id')
-      expect(idPaths).toHaveLength(0)
-    })
-
-    it('does not flag functions with no sinks', () => {
-      const files = [
-        makeFile('src/routes/users.ts', [
-          `import { formatUser } from '../lib/format'`,
-          ``,
-          `export async function GET(req) {`,
-          `  const id = req.params.id`,
-          `  const formatted = formatUser(id)`,
-          `  return Response.json(formatted)`,
-          `}`,
-        ].join('\n')),
-        makeFile('src/lib/format.ts', [
-          `export function formatUser(id: string) {`,
-          `  return { id: id, displayName: 'User ' + id }`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      // formatUser has no sinks, so no cross-file taint path should exist
-      expect(paths).toHaveLength(0)
-    })
-
-    it('does not resolve imports from node_modules', () => {
-      const files = [
-        makeFile('src/routes/users.ts', [
-          `import { sanitize } from 'dompurify'`,
-          ``,
-          `export async function GET(req) {`,
-          `  const input = req.body.html`,
-          `  const clean = sanitize(input)`,
-          `  return Response.json({ clean })`,
-          `}`,
-        ].join('\n')),
-      ]
-
-      const graph = buildModuleGraph(files)
-      const profiles = buildFunctionProfiles(files, graph)
-      const analyses = buildTaintAnalyses(files)
-      const paths = analyzeCrossFileTaint(files, graph, profiles, analyses)
-
-      // 'dompurify' is a node_modules import, should not resolve to any profiled file
-      expect(paths).toHaveLength(0)
-    })
-  })
-})