@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/weak-crypto-ast.js

@@ -0,0 +1,406 @@
+"use strict";
+/**
+ * AST-Based Weak Cryptography Detection (Proof of Concept)
+ *
+ * Detects weak crypto patterns via tree-sitter AST analysis:
+ *  - Math.random() in security contexts
+ *  - createHash('md5') / createHash('sha1')
+ *  - Direct MD5() / SHA1() calls
+ *
+ * Advantages over regex:
+ *  - Handles import aliases: `import { createHash as hash } from 'crypto'`
+ *  - Handles variable indirection: `const r = Math.random; r()`
+ *  - Understands call expression structure (no FP on strings containing "MD5")
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const ast_1 = require("../../parse/ast");
+const index_1 = require("./index");
+const python_helpers_1 = require("./helpers/python-helpers");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Check if a node is inside a comment (shouldn't happen with AST, but safety) */
+function isInsideComment(node) {
+    let current = node.parent;
+    while (current) {
+        if (current.type === 'comment')
+            return true;
+        current = current.parent;
+    }
+    return false;
+}
+/** Check if context indicates HTTP Digest Authentication (MD5 is RFC-mandated there) */
+function isDigestAuthContext(node, content) {
+    const lines = content.split('\n');
+    const lineStart = node.startPosition.row;
+    const start = Math.max(0, lineStart - 5);
+    const end = Math.min(lines.length, lineStart + 6);
+    const window = lines.slice(start, end).join(' ');
+    // Digest Auth protocol markers: realm, nonce, cnonce, qop, HA1, HA2, nc=, WWW-Authenticate, Digest
+    return /\brealm\b.*\bnonce\b|\bnonce\b.*\brealm\b|\bcnonce\b|\bqop\b|\bHA1\b|\bHA2\b|\bnc\s*=|\bWWW-Authenticate\b|\bDigest\s/i.test(window);
+}
+/** Check surrounding function/variable names for security vs checksum context */
+function isSecurityContext(node, content, filePath) {
+    // Build tool files: checksums in Gruntfile/webpack/rollup/vite configs are non-security
+    if (filePath && /Gruntfile|gulpfile|webpack\.config|rollup\.config|vite\.config|\.grunt/i.test(filePath)) {
+        return false;
+    }
+    // HTTP Digest Authentication requires MD5 per RFC 2617 — not a vulnerability
+    if (isDigestAuthContext(node, content)) {
+        return false;
+    }
+    const securityPatterns = /password|token|secret|credential|auth|session|key|verify.*user|sign/i;
+    const checksumPatterns = /checksum|etag|content.*hash|file.*hash|integrity|digest|fingerprint|cache.*key|dedup|uniqueId|gravatar|avatar|blob|asset|sprite|bundle|chunk|manifest/i;
+    // Check enclosing function name
+    const fn = (0, ast_1.findEnclosingFunction)(node);
+    const fnName = fn?.childForFieldName('name')?.text ?? '';
+    if (checksumPatterns.test(fnName) && !securityPatterns.test(fnName))
+        return false;
+    // Check the line content for additional context
+    const lineStart = node.startPosition.row;
+    const lines = content.split('\n');
+    const line = lines[lineStart] ?? '';
+    if (checksumPatterns.test(line) && !securityPatterns.test(line))
+        return false;
+    return true;
+}
+/** Check if Math.random is in a security-relevant context */
+function isMathRandomSecurityContext(node, content) {
+    const lines = content.split('\n');
+    const line = lines[node.startPosition.row] ?? '';
+    // Exclude load balancing / array selection patterns
+    const loadBalancingPatterns = [
+        /Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,
+        /Math\.random\s*\(\s*\)\s*\*\s*\w+\.size/i,
+        /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,
+        /pick|select|choose|shuffle|sample/i,
+    ];
+    if (loadBalancingPatterns.some(p => p.test(line)))
+        return false;
+    // Exclude crypto fallback patterns
+    const prevLines = lines.slice(Math.max(0, node.startPosition.row - 2), node.startPosition.row + 1).join(' ');
+    if (/crypto\??\.?\s*randomUUID/i.test(prevLines))
+        return false;
+    if (/getRandomValues/i.test(prevLines))
+        return false;
+    // Exclude UI context patterns (React keys, toast IDs, notification IDs)
+    if (/enqueueSnackbar|toast|notification|addNotification/i.test(line))
+        return false;
+    // JSX key prop: key={Math.random()} or key: Math.random()
+    if (/\bkey\s*[:=]\s*\{?\s*Math\.random/i.test(line))
+        return false;
+    // Enclosing function is a render/component function
+    const fn = (0, ast_1.findEnclosingFunction)(node);
+    const fnName = fn?.childForFieldName('name')?.text ?? '';
+    if (/render|component|jsx|tsx/i.test(fnName))
+        return false;
+    // Only flag if it's in a security context
+    const securityContexts = /token|secret|key|password|salt|nonce|iv|random.*id|uuid|session/i;
+    const match = securityContexts.exec(line);
+    if (!match)
+        return false;
+    // Disambiguate "key": could be React key (UI) or crypto key (security)
+    if (match[0].toLowerCase() === 'key') {
+        // Crypto context indicators on the same line → flag as security key
+        if (/crypto|encrypt|decrypt|sign|verify|hmac|cipher|hash/i.test(line))
+            return true;
+        // API key naming → flag
+        if (/api_?key|apiKey/i.test(line))
+            return true;
+        // Otherwise "key" is ambiguous (likely React/UI key) → skip
+        return false;
+    }
+    return true;
+}
+// ============================================================================
+// Variable Indirection Tracking
+// ============================================================================
+/**
+ * Build a map of variable name → assigned value (call expression or member expression text)
+ * for detecting patterns like: `const r = Math.random; r()`
+ */
+function collectVariableAliases(root) {
+    const aliases = new Map();
+    (0, ast_1.walkAST)(root, (node) => {
+        if (node.type === 'variable_declarator') {
+            const nameNode = node.childForFieldName('name');
+            const valueNode = node.childForFieldName('value');
+            if (nameNode?.type === 'identifier' && valueNode) {
+                // const r = Math.random
+                if (valueNode.type === 'member_expression') {
+                    aliases.set(nameNode.text, valueNode.text);
+                }
+                // const e = eval
+                if (valueNode.type === 'identifier') {
+                    aliases.set(nameNode.text, valueNode.text);
+                }
+            }
+        }
+        return false;
+    });
+    return aliases;
+}
+// ============================================================================
+// Rule: Math.random() in Security Context
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-weak-crypto-math-random',
+    title: 'Math.random() for Security',
+    description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
+    severity: 'high',
+    category: 'weak_crypto',
+    suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.45,
+    detect(ast, content, nodeIndex) {
+        if (!/Math\.random/i.test(content))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        const aliases = collectVariableAliases(root);
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (isInsideComment(node))
+                continue;
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                continue;
+            let isMathRandom = false;
+            // Direct: Math.random()
+            if (fn.type === 'member_expression' && fn.text === 'Math.random') {
+                isMathRandom = true;
+            }
+            // Aliased: const r = Math.random; r()
+            if (fn.type === 'identifier' && aliases.get(fn.text) === 'Math.random') {
+                isMathRandom = true;
+            }
+            if (isMathRandom && isMathRandomSecurityContext(node, content)) {
+                matches.push({ node });
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// Rule: createHash('md5') / createHash('sha1')
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-weak-crypto-create-hash',
+    title: 'Weak Hash Algorithm',
+    description: 'Weak hash algorithm detected via createHash(). MD5 is cryptographically broken and SHA1 is deprecated.',
+    severity: 'high',
+    category: 'weak_crypto',
+    suggestedFix: "Use createHash('sha256') or createHash('sha3-256') instead.",
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.45,
+    detect(ast, content, nodeIndex) {
+        if (!/createHash/i.test(content))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        const imports = (0, index_1.collectImportBindings)(root);
+        const aliases = collectVariableAliases(root);
+        // Build set of local names that refer to createHash
+        const createHashNames = new Set(['createHash']);
+        for (const [local, binding] of imports) {
+            if (binding.originalName === 'createHash' && binding.module === 'crypto') {
+                createHashNames.add(local);
+            }
+        }
+        // Also track variable aliases: const ch = crypto.createHash → not common but possible
+        for (const [local, value] of aliases) {
+            if (value.endsWith('.createHash') || value === 'createHash') {
+                createHashNames.add(local);
+            }
+        }
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (isInsideComment(node))
+                continue;
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                continue;
+            let isCreateHash = false;
+            // Direct call: createHash('md5')
+            if (fn.type === 'identifier' && createHashNames.has(fn.text)) {
+                isCreateHash = true;
+            }
+            // Member call: crypto.createHash('md5')
+            if (fn.type === 'member_expression') {
+                const prop = fn.childForFieldName('property');
+                if (prop?.text === 'createHash') {
+                    isCreateHash = true;
+                }
+            }
+            if (isCreateHash) {
+                const algo = (0, index_1.getFirstStringArg)(node)?.toLowerCase();
+                if (algo === 'md5') {
+                    if (isSecurityContext(node, content, ast.filePath)) {
+                        matches.push({
+                            node,
+                            severity: 'high',
+                            note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+                        });
+                    }
+                }
+                else if (algo === 'sha1') {
+                    if (isSecurityContext(node, content, ast.filePath)) {
+                        matches.push({
+                            node,
+                            severity: 'medium',
+                            note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+                        });
+                    }
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// Rule: Direct MD5() / SHA1() calls
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-weak-crypto-direct-hash',
+    title: 'Direct Weak Hash Function Call',
+    description: 'Direct call to a weak hash function detected.',
+    severity: 'high',
+    category: 'weak_crypto',
+    suggestedFix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.45,
+    detect(ast, content, nodeIndex) {
+        if (!/\bMD5\b|\bmd5\b|\bSHA1\b|\bsha1\b/.test(content))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (isInsideComment(node))
+                continue;
+            // MD5() or SHA1() direct calls
+            if ((0, index_1.isCallTo)(node, 'MD5') || (0, index_1.isCallTo)(node, 'md5')) {
+                if (isSecurityContext(node, content, ast.filePath)) {
+                    matches.push({
+                        node,
+                        severity: 'high',
+                        note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+                    });
+                }
+            }
+            if ((0, index_1.isCallTo)(node, 'SHA1') || (0, index_1.isCallTo)(node, 'sha1')) {
+                if (isSecurityContext(node, content, ast.filePath)) {
+                    matches.push({
+                        node,
+                        severity: 'medium',
+                        note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+                    });
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// Rule: createCipheriv with weak cipher algorithm
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-weak-crypto-weak-cipher',
+    title: 'Weak Cipher Algorithm',
+    description: 'Weak cipher algorithm detected via createCipheriv(). DES has a 56-bit key and is brute-forceable.',
+    severity: 'high',
+    category: 'weak_crypto',
+    suggestedFix: "Use createCipheriv('aes-256-gcm', ...) or another AES variant instead.",
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.45,
+    detect(ast, content, nodeIndex) {
+        if (!/createCipheriv|createDecipheriv/i.test(content))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        const imports = (0, index_1.collectImportBindings)(root);
+        const aliases = collectVariableAliases(root);
+        const cipherNames = new Set(['createCipheriv', 'createDecipheriv']);
+        for (const [local, binding] of imports) {
+            if ((binding.originalName === 'createCipheriv' || binding.originalName === 'createDecipheriv') && binding.module === 'crypto') {
+                cipherNames.add(local);
+            }
+        }
+        const weakCiphers = /^(des|des-ecb|des-cbc|des-ede|des-ede3|des-ede-cbc|des-ede3-cbc|rc4|rc2|blowfish|bf|bf-cbc|bf-ecb)$/i;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (isInsideComment(node))
+                continue;
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                continue;
+            let isCipher = false;
+            if (fn.type === 'identifier' && cipherNames.has(fn.text))
+                isCipher = true;
+            if (fn.type === 'member_expression') {
+                const prop = fn.childForFieldName('property');
+                if (prop && (prop.text === 'createCipheriv' || prop.text === 'createDecipheriv'))
+                    isCipher = true;
+            }
+            if (isCipher) {
+                const algo = (0, index_1.getFirstStringArg)(node)?.toLowerCase();
+                if (algo && weakCiphers.test(algo)) {
+                    matches.push({
+                        node,
+                        severity: 'high',
+                        note: `${algo.toUpperCase()} cipher is cryptographically weak. Use AES-256-GCM instead.`,
+                    });
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// Rule: Python hashlib.md5() / hashlib.sha1()
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-weak-crypto-python-hashlib',
+    title: 'Weak Hash Algorithm (Python)',
+    description: 'Weak hash algorithm detected via hashlib. MD5 is cryptographically broken and SHA1 is deprecated.',
+    severity: 'high',
+    category: 'weak_crypto',
+    suggestedFix: 'Use hashlib.sha256() or hashlib.sha3_256() instead.',
+    languages: ['python'],
+    confidence: 'high',
+    baseConfidence: 0.45,
+    detect(ast, content, nodeIndex) {
+        if (!/hashlib/i.test(content))
+            return [];
+        if (!(0, python_helpers_1.hasPythonImport)(ast.tree.rootNode, 'hashlib'))
+            return [];
+        const matches = [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+            const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+            if (!target)
+                continue;
+            if (target.type !== 'member' || !/^hashlib$/.test(target.object ?? ''))
+                continue;
+            if (/^md5$/i.test(target.name)) {
+                if (isSecurityContext(node, content, ast.filePath)) {
+                    matches.push({
+                        node,
+                        severity: 'high',
+                        note: 'MD5 is cryptographically broken and should not be used for security purposes.',
+                    });
+                }
+            }
+            else if (/^sha1$/i.test(target.name)) {
+                if (isSecurityContext(node, content, ast.filePath)) {
+                    matches.push({
+                        node,
+                        severity: 'medium',
+                        note: 'SHA1 is deprecated and vulnerable to collision attacks.',
+                    });
+                }
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=weak-crypto-ast.js.map

package/dist/detect/ast-rules/weak-crypto-ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-crypto-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/weak-crypto-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AAGH,yCAAgE;AAChE,mCAA0I;AAE1I,6DAAmF;AAEnF,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,kFAAkF;AAClF,SAAS,eAAe,CAAC,IAAuB;IAC9C,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAA;IACzB,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QAC3C,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;IAC1B,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,wFAAwF;AACxF,SAAS,mBAAmB,CAAC,IAAuB,EAAE,OAAe;IACnE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAA;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,CAAC,CAAC,CAAA;IACjD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAEhD,mGAAmG;IACnG,OAAO,wHAAwH,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;AAC9I,CAAC;AAED,iFAAiF;AACjF,SAAS,iBAAiB,CAAC,IAAuB,EAAE,OAAe,EAAE,QAAiB;IACpF,wFAAwF;IACxF,IAAI,QAAQ,IAAI,yEAAyE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzG,OAAO,KAAK,CAAA;IACd,CAAC;IAED,6EAA6E;IAC7E,IAAI,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;QACvC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,gBAAgB,GAAG,sEAAsE,CAAA;IAC/F,MAAM,gBAAgB,GAAG,wJAAwJ,CAAA;IAEjL,gCAAgC;IAChC,MAAM,EAAE,GAAG,IAAA,2BAAqB,EAAC,IAAI,CAAC,CAAA;IACtC,MAAM,MAAM,GAAG,EAAE,EAAE,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAA;IACxD,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAEjF,gDAAgD;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAA;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAA;IACnC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IAE7E,OAAO,IAAI,CAAA;AACb,CAAC;AAED,6DAA6D;AAC7D,SAAS,2BAA2B,CAAC,IAAuB,EAAE,OAAe;IAC3E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;IAEhD,oDAAoD;IACpD,MAAM,qBAAqB,GAAG;QAC5B,4CAA4C;QAC5C,0CAA0C;QAC1C,+DAA+D;QAC/D,oCAAoC;KACrC,CAAA;IACD,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAA;IAE/D,mCAAmC;IACnC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5G,IAAI,4BAA4B,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAA;IAC9D,IAAI,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAA;IAEpD,wEAAwE;IACxE,IAAI,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IAClF,0DAA0D;IAC1D,IAAI,oCAAoC,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IACjE,oDAAoD;IACpD,MAAM,EAAE,GAAG,IAAA,2BAAqB,EAAC,IAAI,CAAC,CAAA;IACtC,MAAM,MAAM,GAAG,EAAE,EAAE,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAA;IACxD,IAAI,2BAA2B,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAE1D,0CAA0C;IAC1C,MAAM,gBAAgB,GAAG,kEAAkE,CAAA;IAC3F,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAA;IAExB,uEAAuE;IACvE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;QACrC,oEAAoE;QACpE,IAAI,sDAAsD,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAA;QAClF,wBAAwB;QACxB,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAA;QAC9C,4DAA4D;QAC5D,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,sBAAsB,CAAC,IAAuB;IACrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAA;IAEzC,IAAA,aAAO,EAAC,IAAI,EAAE,CAAC,IAAI,EAAE,EAAE;QACrB,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;YACjD,IAAI,QAAQ,EAAE,IAAI,KAAK,YAAY,IAAI,SAAS,EAAE,CAAC;gBACjD,wBAAwB;gBACxB,IAAI,SAAS,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;oBAC3C,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAA;gBAC5C,CAAC;gBACD,iBAAiB;gBACjB,IAAI,SAAS,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBACpC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAA;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,+EAA+E;AAC/E,0CAA0C;AAC1C,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,4BAA4B;IACnC,WAAW,EAAE,4FAA4F;IACzG,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,YAAY,EAAE,oFAAoF;IAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;QAE5C,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,eAAe,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEnC,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;YAC7C,IAAI,CAAC,EAAE;gBAAE,SAAQ;YAEjB,IAAI,YAAY,GAAG,KAAK,CAAA;YAExB,wBAAwB;YACxB,IAAI,EAAE,CAAC,IAAI,KAAK,mBAAmB,IAAI,EAAE,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBACjE,YAAY,GAAG,IAAI,CAAA;YACrB,CAAC;YAED,sCAAsC;YACtC,IAAI,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,aAAa,EAAE,CAAC;gBACvE,YAAY,GAAG,IAAI,CAAA;YACrB,CAAC;YAED,IAAI,YAAY,IAAI,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC/D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,+CAA+C;AAC/C,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,qBAAqB;IAC5B,WAAW,EAAE,wGAAwG;IACrH,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,YAAY,EAAE,6DAA6D;IAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE3C,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,OAAO,GAAG,IAAA,6BAAqB,EAAC,IAAI,CAAC,CAAA;QAC3C,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;QAE5C,oDAAoD;QACpD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,CAAC,YAAY,CAAC,CAAC,CAAA;QACvD,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,OAAO,EAAE,CAAC;YACvC,IAAI,OAAO,CAAC,YAAY,KAAK,YAAY,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACzE,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;YAC5B,CAAC;QACH,CAAC;QACD,sFAAsF;QACtF,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACrC,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;gBAC5D,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;YAC5B,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,eAAe,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEnC,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;YAC7C,IAAI,CAAC,EAAE;gBAAE,SAAQ;YAEjB,IAAI,YAAY,GAAG,KAAK,CAAA;YAExB,iCAAiC;YACjC,IAAI,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,YAAY,GAAG,IAAI,CAAA;YACrB,CAAC;YAED,wCAAwC;YACxC,IAAI,EAAE,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;gBAC7C,IAAI,IAAI,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;oBAChC,YAAY,GAAG,IAAI,CAAA;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,IAAA,yBAAiB,EAAC,IAAI,CAAC,EAAE,WAAW,EAAE,CAAA;gBACnD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;oBACnB,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACnD,OAAO,CAAC,IAAI,CAAC;4BACX,IAAI;4BACJ,QAAQ,EAAE,MAAM;4BAChB,IAAI,EAAE,+EAA+E;yBACtF,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;qBAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC3B,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACnD,OAAO,CAAC,IAAI,CAAC;4BACX,IAAI;4BACJ,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,yDAAyD;yBAChE,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,gCAAgC;IACvC,WAAW,EAAE,+CAA+C;IAC5D,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,YAAY,EAAE,iFAAiF;IAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAEjE,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,eAAe,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEnC,+BAA+B;YAC/B,IAAI,IAAA,gBAAQ,EAAC,IAAI,EAAE,KAAK,CAAC,IAAI,IAAA,gBAAQ,EAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;gBACnD,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnD,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,+EAA+E;qBACtF,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,IAAI,IAAA,gBAAQ,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAA,gBAAQ,EAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;gBACrD,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnD,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,yDAAyD;qBAChE,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,kDAAkD;AAClD,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,uBAAuB;IAC9B,WAAW,EAAE,mGAAmG;IAChH,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,YAAY,EAAE,wEAAwE;IACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,CAAC,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAEhE,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,OAAO,GAAG,IAAA,6BAAqB,EAAC,IAAI,CAAC,CAAA;QAC3C,MAAM,OAAO,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAA;QAE5C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAS,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,CAAC,CAAA;QAC3E,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,OAAO,EAAE,CAAC;YACvC,IAAI,CAAC,OAAO,CAAC,YAAY,KAAK,gBAAgB,IAAI,OAAO,CAAC,YAAY,KAAK,kBAAkB,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC9H,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,sGAAsG,CAAA;QAE1H,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,eAAe,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEnC,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;YAC7C,IAAI,CAAC,EAAE;gBAAE,SAAQ;YAEjB,IAAI,QAAQ,GAAG,KAAK,CAAA;YACpB,IAAI,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC;gBAAE,QAAQ,GAAG,IAAI,CAAA;YACzE,IAAI,EAAE,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;gBAC7C,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,CAAC;oBAAE,QAAQ,GAAG,IAAI,CAAA;YACnG,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,IAAA,yBAAiB,EAAC,IAAI,CAAC,EAAE,WAAW,EAAE,CAAA;gBACnD,IAAI,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnC,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,GAAG,IAAI,CAAC,WAAW,EAAE,6DAA6D;qBACzF,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,8CAA8C;AAC9C,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,gCAAgC;IACpC,KAAK,EAAE,8BAA8B;IACrC,WAAW,EAAE,mGAAmG;IAChH,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,YAAY,EAAE,qDAAqD;IACnE,SAAS,EAAE,CAAC,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QACxC,IAAI,CAAC,IAAA,gCAAe,EAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7D,MAAM,OAAO,GAAmB,EAAE,CAAA;QAElC,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,IAAA,wCAAuB,EAAC,IAAI,CAAC,CAAA;YAC5C,IAAI,CAAC,MAAM;gBAAE,SAAQ;YAErB,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;gBAAE,SAAQ;YAEhF,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnD,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,+EAA+E;qBACtF,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnD,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,yDAAyD;qBAChE,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/xxe-ast.d.ts

@@ -0,0 +1,13 @@
+/**
+ * AST-Based XXE (XML External Entity) Detection
+ *
+ * Migrates structural/xxe-detection.ts from regex to AST.
+ * Detects XML parsing without entity expansion protection.
+ *
+ * AST advantages:
+ * - Resolves actual function calls and constructors from AST nodes
+ * - Checks for safe configuration in surrounding scope, not just nearby lines
+ * - Handles import aliasing (import { Parser as XmlParser } from 'fast-xml-parser')
+ */
+export {};
+//# sourceMappingURL=xxe-ast.d.ts.map

package/dist/detect/ast-rules/xxe-ast.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xxe-ast.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/xxe-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/dist/detect/ast-rules/xxe-ast.js

@@ -0,0 +1,157 @@
+"use strict";
+/**
+ * AST-Based XXE (XML External Entity) Detection
+ *
+ * Migrates structural/xxe-detection.ts from regex to AST.
+ * Detects XML parsing without entity expansion protection.
+ *
+ * AST advantages:
+ * - Resolves actual function calls and constructors from AST nodes
+ * - Checks for safe configuration in surrounding scope, not just nearby lines
+ * - Handles import aliasing (import { Parser as XmlParser } from 'fast-xml-parser')
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const import_analysis_1 = require("./helpers/import-analysis");
+const file_classifier_1 = require("../../parse/file-classifier");
+/** Check for text in cached file content (avoids repeated root.text calls) */
+function contentHasText(content, pattern) {
+    return pattern.test(content);
+}
+/** File-level early exit: does this file reference any XML library? */
+const XML_LIBRARY_QUICK_CHECK = /xml2js|libxmljs|DOMParser|xmldom|fast-xml-parser|XMLParser/;
+const XXE_CHECKS = [
+    // xml2js
+    {
+        lib: 'xml2js',
+        fileHasLib: (content) => content.includes('xml2js'),
+        check: (node) => {
+            if (node.type !== 'call_expression')
+                return false;
+            const text = node.text;
+            return /xml2js\.parseString|new\s+xml2js\.Parser/.test(text);
+        },
+        isSafe: (content) => contentHasText(content, /explicitCharkey|xmlMode/),
+        severity: 'medium',
+        fix: 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false',
+    },
+    // libxmljs — only vulnerable when noent: true is explicitly set
+    {
+        lib: 'libxmljs',
+        fileHasLib: (content) => content.includes('libxmljs'),
+        check: (node) => {
+            if (node.type !== 'call_expression')
+                return false;
+            if (!/libxmljs\.parseXml/.test(node.text))
+                return false;
+            // Check the options argument (2nd arg) for noent: true
+            const optionsArg = (0, call_analysis_1.getCallArgument)(node, 1);
+            if (!optionsArg || optionsArg.type !== 'object')
+                return false;
+            const noentVal = (0, call_analysis_1.getObjectLiteralProperty)(optionsArg, 'noent');
+            return noentVal?.text === 'true';
+        },
+        isSafe: () => false, // Safety check is now node-level in `check`
+        severity: 'high',
+        fix: 'Remove noent: true or set noent: false to disable external entity processing',
+    },
+    // DOMParser
+    {
+        lib: 'DOMParser',
+        fileHasLib: (content) => content.includes('DOMParser'),
+        check: (node) => {
+            if (node.type !== 'call_expression')
+                return false;
+            return /new\s+DOMParser\(\)\.parseFromString/.test(node.text);
+        },
+        isSafe: () => false, // Browsers block XXE by default
+        severity: 'low',
+        fix: 'DOMParser in browsers blocks XXE by default. If running server-side, use a dedicated XML library with entity protection.',
+    },
+    // xmldom
+    {
+        lib: 'xmldom',
+        fileHasLib: (content) => /xmldom|@xmldom/.test(content),
+        check: (node, content) => {
+            if (node.type !== 'new_expression' && node.type !== 'call_expression')
+                return false;
+            return /xmldom|@xmldom/.test(content) && /DOMParser/.test(node.text);
+        },
+        isSafe: (content) => contentHasText(content, /entityExpansionEnabled\s*:\s*false/),
+        severity: 'medium',
+        fix: 'Set entityExpansionEnabled: false in parser options',
+    },
+    // fast-xml-parser / XMLParser
+    {
+        lib: 'fast-xml-parser',
+        fileHasLib: (content) => content.includes('XMLParser') || content.includes('fast-xml-parser'),
+        check: (node, content, root) => {
+            if (node.type !== 'new_expression' && node.type !== 'call_expression')
+                return false;
+            const text = node.text;
+            return /XMLParser|fast-xml-parser/.test(text) || ((0, import_analysis_1.hasImport)(root, 'fast-xml-parser') && /XMLParser/.test(text));
+        },
+        isSafe: (content) => contentHasText(content, /processEntities\s*:\s*false/),
+        severity: 'medium',
+        fix: 'Disable entity processing: new XMLParser({ processEntities: false })',
+    },
+];
+function getSuggestedFix(lib) {
+    const check = XXE_CHECKS.find(c => c.lib === lib);
+    return check?.fix ?? 'Disable external entity processing in the XML parser configuration';
+}
+// ============================================================================
+// AST Rule: XXE Detection
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-xxe',
+    title: 'XXE risk: XML parser without entity protection',
+    description: 'XML parser used without disabling external entity processing, risking file read, SSRF, or DoS',
+    severity: 'high',
+    category: 'xxe',
+    suggestedFix: 'Disable external entity processing in the XML parser configuration.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.55,
+    layer: 2,
+    source: 'structural',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        // Early exit: no XML library references in file
+        if (!XML_LIBRARY_QUICK_CHECK.test(content))
+            return [];
+        // Pre-filter to only relevant checks for this file
+        const applicableChecks = XXE_CHECKS.filter(c => c.fileHasLib(content));
+        if (applicableChecks.length === 0)
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        const root = ast.tree.rootNode;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression', 'new_expression')) {
+            for (const xxeCheck of applicableChecks) {
+                if (!xxeCheck.check(node, content, root))
+                    continue;
+                // Check for safe configuration
+                if (xxeCheck.isSafe(content))
+                    continue;
+                let severity = xxeCheck.severity;
+                if (isTestFile)
+                    severity = 'info';
+                // DOMParser in .tsx/.jsx client files is inherently safe
+                if (xxeCheck.lib === 'DOMParser' && /\.(tsx|jsx)$/.test(ast.filePath)) {
+                    severity = 'info';
+                }
+                matches.push({
+                    node,
+                    severity,
+                    note: `${xxeCheck.lib} XML parser without entity protection. ${xxeCheck.fix}`,
+                });
+                break; // One finding per node
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=xxe-ast.js.map

package/dist/detect/ast-rules/xxe-ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xxe-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/xxe-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAGH,mCAAsF;AAEtF,2DAA2I;AAC3I,+DAA0E;AAC1E,iEAAsF;AAmBtF,8EAA8E;AAC9E,SAAS,cAAc,CAAC,OAAe,EAAE,OAAe;IACtD,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAC9B,CAAC;AAED,uEAAuE;AACvE,MAAM,uBAAuB,GAAG,4DAA4D,CAAA;AAO5F,MAAM,UAAU,GAAmB;IACjC,SAAS;IACT;QACE,GAAG,EAAE,QAAQ;QACb,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACnD,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE;YACd,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO,KAAK,CAAA;YACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAA;YACtB,OAAO,0CAA0C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC9D,CAAC;QACD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,yBAAyB,CAAC;QACvE,QAAQ,EAAE,QAAQ;QAClB,GAAG,EAAE,iHAAiH;KACvH;IACD,gEAAgE;IAChE;QACE,GAAG,EAAE,UAAU;QACf,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;QACrD,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE;YACd,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO,KAAK,CAAA;YACjD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,KAAK,CAAA;YACvD,uDAAuD;YACvD,MAAM,UAAU,GAAG,IAAA,+BAAe,EAAC,IAAI,EAAE,CAAC,CAAC,CAAA;YAC3C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAA;YAC7D,MAAM,QAAQ,GAAG,IAAA,wCAAwB,EAAC,UAAU,EAAE,OAAO,CAAC,CAAA;YAC9D,OAAO,QAAQ,EAAE,IAAI,KAAK,MAAM,CAAA;QAClC,CAAC;QACD,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,4CAA4C;QACjE,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,8EAA8E;KACpF;IACD,YAAY;IACZ;QACE,GAAG,EAAE,WAAW;QAChB,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QACtD,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE;YACd,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO,KAAK,CAAA;YACjD,OAAO,sCAAsC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,gCAAgC;QACrD,QAAQ,EAAE,KAAK;QACf,GAAG,EAAE,0HAA0H;KAChI;IACD,SAAS;IACT;QACE,GAAG,EAAE,QAAQ;QACb,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QACvD,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE;YACvB,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO,KAAK,CAAA;YACnF,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACtE,CAAC;QACD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,oCAAoC,CAAC;QAClF,QAAQ,EAAE,QAAQ;QAClB,GAAG,EAAE,qDAAqD;KAC3D;IACD,8BAA8B;IAC9B;QACE,GAAG,EAAE,iBAAiB;QACtB,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAC7F,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO,KAAK,CAAA;YACnF,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAA;YACtB,OAAO,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC/C,IAAA,2BAAS,EAAC,IAAI,EAAE,iBAAiB,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAC7D,CAAA;QACH,CAAC;QACD,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,6BAA6B,CAAC;QAC3E,QAAQ,EAAE,QAAQ;QAClB,GAAG,EAAE,sEAAsE;KAC5E;CACF,CAAA;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjD,OAAO,KAAK,EAAE,GAAG,IAAI,oEAAoE,CAAA;AAC3F,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,SAAS;IACb,KAAK,EAAE,gDAAgD;IACvD,WAAW,EAAE,+FAA+F;IAC5G,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,KAAK;IACf,YAAY,EAAE,qEAAqE;IACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAEnD,gDAAgD;QAChD,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAErD,mDAAmD;QACnD,MAAM,gBAAgB,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAA;QACtE,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5C,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACjD,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,EAAE,CAAC;YAC7E,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;gBACxC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC;oBAAE,SAAQ;gBAElD,+BAA+B;gBAC/B,IAAI,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC;oBAAE,SAAQ;gBAEtC,IAAI,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAA;gBAChC,IAAI,UAAU;oBAAE,QAAQ,GAAG,MAAa,CAAA;gBAExC,yDAAyD;gBACzD,IAAI,QAAQ,CAAC,GAAG,KAAK,WAAW,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACtE,QAAQ,GAAG,MAAa,CAAA;gBAC1B,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,CAAC,GAAG,0CAA0C,QAAQ,CAAC,GAAG,EAAE;iBAC9E,CAAC,CAAA;gBAEF,MAAK,CAAC,uBAAuB;YAC/B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/config/agent-skill-injection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent-skill-injection.d.ts","sourceRoot":"","sources":["../../../src/detect/config/agent-skill-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,oBAAoB,CAAA;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAwY1D,UAAU,eAAe;IACvB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AAED,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,eAAe,GACxB,aAAa,EAAE,CAoGjB"}
+{"version":3,"file":"agent-skill-injection.d.ts","sourceRoot":"","sources":["../../../src/detect/config/agent-skill-injection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,oBAAoB,CAAA;AAC9E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAkX1D,UAAU,eAAe;IACvB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AAED,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,eAAe,GACxB,aAAa,EAAE,CAoGjB"}

package/dist/detect/config/agent-skill-injection.js

@@ -325,30 +325,8 @@ const HIDDEN_EXECUTION_PATTERNS = [
         requiresAIValidation: false,
         group: 'hidden_execution',
     },
-    {
-        pattern: /[\u200B-\u200F]/,
-        title: 'Hidden execution: zero-width Unicode characters',
-        description: 'Agent skill file contains invisible zero-width Unicode characters that may hide malicious content.',
-        severity: 'high',
-        requiresAIValidation: false,
-        group: 'hidden_execution',
-    },
-    {
-        pattern: /[\u202A-\u202E]/,
-        title: 'Hidden execution: RTL override characters',
-        description: 'Agent skill file contains bidirectional text override characters that can visually hide code direction.',
-        severity: 'high',
-        requiresAIValidation: false,
-        group: 'hidden_execution',
-    },
-    {
-        pattern: /[\uFEFF]/,
-        title: 'Hidden execution: BOM character mid-file',
-        description: 'Agent skill file contains a Byte Order Mark character in an unexpected position, potentially hiding content.',
-        severity: 'high',
-        requiresAIValidation: false,
-        group: 'hidden_execution',
-    },
+    // Unicode patterns (zero-width, bidi, BOM) removed — now handled with
+    // much better coverage by rules-file-backdoor.ts (ai_rules_file_backdoor category)
 ];
 // Group 4: Tool/Function Description Poisoning (JSON/YAML)
 const DESCRIPTION_POISONING_PATTERNS = [