@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/structural/dangerous-functions/patterns.ts

@@ -1,176 +0,0 @@
-/**
- * Dangerous Function Pattern Definitions
- *
- * This module defines the patterns for detecting dangerous function calls.
- * These patterns are used by the main detection engine.
- */
-
-import type { VulnerabilitySeverity } from '../../../shared/types'
-
-export interface DangerousFunctionPattern {
-  name: string
-  pattern: RegExp
-  severity: VulnerabilitySeverity
-  description: string
-  suggestedFix: string
-  languages?: string[] // Optional: restrict to specific languages
-}
-
-export const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[] = [
-  // Code execution
-  {
-    name: 'eval() usage',
-    pattern: /\beval\s*\(/gi,
-    severity: 'critical',
-    description: 'eval() executes arbitrary code and is a major security risk',
-    suggestedFix: 'Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution',
-  },
-  {
-    name: 'Function constructor',
-    pattern: /new\s+Function\s*\(/gi,
-    severity: 'critical',
-    description: 'Function constructor can execute arbitrary code like eval()',
-    suggestedFix: 'Refactor to use static functions or safe alternatives',
-  },
-  {
-    name: 'setTimeout/setInterval with string',
-    pattern: /set(Timeout|Interval)\s*\(\s*['"`]/gi,
-    severity: 'high',
-    description: 'setTimeout/setInterval with string argument acts like eval()',
-    suggestedFix: 'Pass a function reference instead of a string',
-  },
-
-  // Command injection
-  {
-    name: 'child_process exec',
-    pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/gi,
-    severity: 'high',
-    description: 'Shell command execution can lead to command injection',
-    suggestedFix: 'Validate and sanitize all inputs, prefer execFile over exec',
-  },
-  {
-    name: 'os.system/subprocess (Python)',
-    pattern: /\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(/gi,
-    severity: 'high',
-    description: 'Shell command execution can lead to command injection',
-    suggestedFix: 'Use subprocess with shell=False and pass arguments as a list',
-    languages: ['py'],
-  },
-
-  // SQL injection risks
-  // Note: .execute is too generic (used by axios, tRPC, request utilities)
-  // Focus on .query and .raw which are more SQL-specific
-  {
-    name: 'Raw SQL query construction',
-    pattern: /\.(query|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
-    severity: 'critical',
-    description: 'String concatenation in SQL queries can lead to SQL injection',
-    suggestedFix: 'Use parameterized queries or prepared statements',
-  },
-  {
-    name: 'SQL template literal',
-    pattern: /`SELECT.*FROM.*WHERE.*\$\{|`INSERT.*INTO.*VALUES.*\$\{|`UPDATE.*SET.*\$\{|`DELETE.*FROM.*WHERE.*\$\{/gi,
-    severity: 'critical',
-    description: 'Template literals in SQL queries can lead to SQL injection',
-    suggestedFix: 'Use parameterized queries with placeholders (?, $1, etc.)',
-  },
-
-  // XSS risks
-  {
-    name: 'innerHTML assignment',
-    pattern: /\.innerHTML\s*=|\.outerHTML\s*=/gi,
-    severity: 'high',
-    description: 'Direct innerHTML assignment can lead to XSS vulnerabilities',
-    suggestedFix: 'Use textContent for text, or sanitize HTML with DOMPurify',
-  },
-  {
-    name: 'document.write',
-    pattern: /document\.write\s*\(/gi,
-    severity: 'high',
-    description: 'document.write can introduce XSS vulnerabilities',
-    suggestedFix: 'Use DOM manipulation methods instead',
-  },
-  {
-    name: 'dangerouslySetInnerHTML',
-    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
-    severity: 'high',
-    description: 'dangerouslySetInnerHTML can lead to XSS if content is not sanitized',
-    suggestedFix: 'Sanitize HTML content with DOMPurify before rendering',
-  },
-
-  // Deserialization
-  {
-    name: 'Unsafe deserialization',
-    pattern: /\b(pickle\.loads?|yaml\.load\s*\((?!.*Loader)|unserialize|Marshal\.load)\s*\(/gi,
-    severity: 'critical',
-    description: 'Unsafe deserialization can lead to remote code execution',
-    suggestedFix: 'Use safe loaders (yaml.safe_load) or validate input before deserializing',
-  },
-  // Note: JSON.parse is handled specially with source-aware severity - see json-parse.ts
-  // Note: request.json() is NOT a dangerous function - see request-validation.ts
-
-  // File system risks
-  {
-    name: 'Dynamic file path',
-    pattern: /\b(readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\(\s*[^'"]/gi,
-    severity: 'medium',
-    description: 'Dynamic file paths can lead to path traversal attacks',
-    suggestedFix: 'Validate and sanitize file paths, use path.resolve with a base directory',
-  },
-  {
-    name: 'Path traversal risk',
-    pattern: /path\.(join|resolve)\s*\([^)]*req\.(params|query|body)/gi,
-    severity: 'high',
-    description: 'User input in file paths can lead to path traversal attacks',
-    suggestedFix: 'Validate paths and ensure they stay within allowed directories',
-  },
-
-  // Crypto weaknesses
-  {
-    name: 'Math.random for security',
-    pattern: /Math\.random\s*\(\s*\)/gi,
-    severity: 'medium',
-    description: 'Math.random() is not cryptographically secure',
-    suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive operations',
-  },
-
-  // Regex DoS
-  {
-    name: 'Potentially unsafe regex',
-    pattern: /new\s+RegExp\s*\(\s*[^'"]/gi,
-    severity: 'medium',
-    description: 'Dynamic regex construction can lead to ReDoS attacks',
-    suggestedFix: 'Validate regex patterns and consider using safe-regex library',
-  },
-
-  // Prototype pollution
-  {
-    name: 'Object.assign with user input',
-    pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(req\.|request\.|body|params|query)/gi,
-    severity: 'high',
-    description: 'Object.assign with user input can lead to prototype pollution',
-    suggestedFix: 'Validate and sanitize input, or use a safe merge function',
-  },
-  {
-    name: 'Spread operator with user input',
-    pattern: /\{\s*\.\.\.req\.(body|params|query)|\.\.\.request\.(body|params|query)/gi,
-    severity: 'medium',
-    description: 'Spreading user input can lead to mass assignment vulnerabilities',
-    suggestedFix: 'Explicitly pick allowed properties instead of spreading all input',
-  },
-]
-
-/**
- * Check if file matches language filter
- */
-export function matchesLanguage(filePath: string, languages?: string[]): boolean {
-  if (!languages || languages.length === 0) return true
-
-  const ext = filePath.split('.').pop()?.toLowerCase() || ''
-  return languages.some(lang => {
-    if (lang === 'py') return ext === 'py'
-    if (lang === 'js') return ['js', 'jsx', 'mjs', 'cjs'].includes(ext)
-    if (lang === 'ts') return ['ts', 'tsx'].includes(ext)
-    return ext === lang
-  })
-}

package/src/detect/structural/dangerous-functions/request-validation.ts

@@ -1,153 +0,0 @@
-/**
- * Request Body Validation Detection
- *
- * Detection logic for request.json() / req.json() usage without
- * proper schema validation.
- */
-
-import type { Vulnerability } from '../../../shared/types'
-import { isComment } from '../../../parse/file-classifier'
-import { hasManualValidation } from './utils/schema-validation'
-import { hasThrowingAuthHelper } from './utils/helpers'
-
-const BASE_CONFIDENCE = 0.35
-
-/**
- * Detect request.json() / req.json() and suggest schema validation
- * This is NOT a dangerous function - it's a prompt for best practices
- */
-export function detectRequestJsonValidation(
-  content: string,
-  filePath: string,
-  isTestFile: boolean,
-  vulnerabilities: Vulnerability[]
-): void {
-  // Only check API route files
-  if (
-    !/\/(api|routes?|handlers?|controllers?)\//i.test(filePath) &&
-    !/route\.(ts|js)$/i.test(filePath)
-  ) {
-    return
-  }
-
-  // Skip if route has throwing auth helper - these are already protected routes
-  // and the schema validation suggestion is lower priority
-  if (hasThrowingAuthHelper(content)) {
-    return
-  }
-
-  const lines = content.split('\n')
-  // Matches: request.json(), req.json(), await request.json(), etc.
-  const requestJsonPattern = /\b(request|req)\.json\s*\(\s*\)/gi
-
-  // Check if file has schema validation (library-based)
-  const hasSchemaLibrary =
-    /\b(zod|yup|joi|ajv|superstruct|valibot|typebox)\b/i.test(content) ||
-    /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(/i.test(content)
-
-  // If file has schema library validation, don't report
-  if (hasSchemaLibrary) return
-
-  // Check for manual validation patterns (less robust but still indicates intent)
-  const hasManualCheck = hasManualValidation(content)
-
-  // Track instances for potential aggregation
-  const instances: { lineNumber: number; lineContent: string }[] = []
-
-  lines.forEach((line, index) => {
-    if (isComment(line)) return
-
-    requestJsonPattern.lastIndex = 0
-    if (!requestJsonPattern.test(line)) return
-
-    // Check if there's validation nearby (within 10 lines after)
-    const startCheck = index
-    const endCheck = Math.min(lines.length, index + 10)
-    const nearbyContent = lines.slice(startCheck, endCheck).join('\n')
-
-    // If there's validation in the nearby lines, skip
-    if (
-      /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(|schema\./i.test(
-        nearbyContent
-      )
-    ) {
-      return
-    }
-
-    // If manual validation is present, skip individual reporting but track for aggregate
-    if (hasManualCheck) {
-      instances.push({ lineNumber: index + 1, lineContent: line.trim() })
-      return
-    }
-
-    if (isTestFile) {
-      return // Don't report in test files
-    }
-
-    instances.push({ lineNumber: index + 1, lineContent: line.trim() })
-  })
-
-  // Don't report if no instances found
-  if (instances.length === 0) return
-
-  // If manual validation exists, create a single info-level note
-  if (hasManualCheck && instances.length > 0) {
-    vulnerabilities.push({
-      id: `request-json-manual-${filePath}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: instances[0].lineContent,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: 'Request body with manual validation',
-      description: `API endpoint parses request body with manual validation patterns detected. Consider using a schema library (zod, yup) for more robust type-safe validation.`,
-      suggestedFix:
-        'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
-      confidence: 'low',
-      baseConfidence: BASE_CONFIDENCE,
-      layer: 2,
-        source: 'structural' as const,
-    })
-    return
-  }
-
-  // Aggregate if multiple instances without validation
-  if (instances.length >= 2) {
-    const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5)
-    vulnerabilities.push({
-      id: `request-json-aggregated-${filePath}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: `${instances.length} instances`,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: `Request body without schema validation (${instances.length} instances)`,
-      description: `API endpoint parses request body without visible schema validation at lines: ${lineNumbers.join(', ')}. Consider validating the shape of incoming data.`,
-      suggestedFix:
-        'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
-      confidence: 'low',
-      baseConfidence: BASE_CONFIDENCE,
-      layer: 2,
-        source: 'structural' as const,
-    })
-  } else {
-    // Single instance
-    vulnerabilities.push({
-      id: `request-json-${filePath}-${instances[0].lineNumber}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: instances[0].lineContent,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: 'Request body without schema validation',
-      description:
-        'API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.',
-      suggestedFix:
-        'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
-      confidence: 'low',
-      baseConfidence: BASE_CONFIDENCE,
-      layer: 2,
-        source: 'structural' as const,
-    })
-  }
-}

package/src/detect/structural/dangerous-functions/utils/control-flow.ts

@@ -1,35 +0,0 @@
-/**
- * Control Flow Analysis Utilities
- *
- * Backward-compatible wrappers around shared code-analysis utilities.
- * Existing callers pass (content: string, lineNumber: number) — these
- * wrappers create a temporary ParsedFile to delegate to the shared implementation.
- */
-
-import { ParsedFile } from '../../../../shared/parsed-file'
-import * as codeAnalysis from '../../../../shared/code-analysis'
-
-/**
- * Check if a line is inside a try-catch block
- * Looks for enclosing try { ... } catch pattern
- */
-export function isInsideTryCatch(content: string, lineNumber: number): boolean {
-  return codeAnalysis.isInsideTryCatch(new ParsedFile(content, ''), lineNumber)
-}
-
-/**
- * Simpler heuristic: check if there's a try-catch in the same function scope
- * Looks for try { before the line and } catch after, within reasonable bounds
- */
-export function hasTryCatchNearby(content: string, lineNumber: number, windowSize: number = 20): boolean {
-  return codeAnalysis.hasTryCatchNearby(new ParsedFile(content, ''), lineNumber, windowSize)
-}
-
-/**
- * Extract function context where a call is being made
- * Looks backwards from the current line to find enclosing function name
- * Returns lowercase function name or null if not found
- */
-export function extractFunctionContext(content: string, lineNumber: number): string | null {
-  return codeAnalysis.extractFunctionContext(new ParsedFile(content, ''), lineNumber)
-}

package/src/detect/structural/dangerous-functions/utils/helpers.ts

@@ -1,170 +0,0 @@
-/**
- * General Helper Utilities
- *
- * Small utility functions used across the dangerous functions detection module.
- */
-
-/**
- * Get a specific line from content by line number (0-indexed)
- */
-export function getLineContent(content: string, lineNumber: number): string {
-  const lines = content.split('\n')
-  return lines[lineNumber] || ''
-}
-
-/**
- * Get a range of lines from content
- */
-export function getLineRange(
-  content: string,
-  startLine: number,
-  endLine: number
-): string {
-  const lines = content.split('\n')
-  const start = Math.max(0, startLine)
-  const end = Math.min(lines.length, endLine)
-  return lines.slice(start, end).join('\n')
-}
-
-/**
- * Check if eval/exec/Function has only static literal inputs (no user data)
- * Static inputs like eval('({ mode: "production" })') are low risk
- *
- * Returns true ONLY if the argument is a string literal (not a variable)
- */
-export function hasOnlyStaticInputs(
-  lineContent: string,
-  content: string,
-  lineNumber: number
-): boolean {
-  // Check if the argument to eval/exec/Function is a string literal ONLY
-  // If it's a variable, it's NOT static (could come from anywhere)
-  //
-  // String literal patterns:
-  // - Single quotes: 'content with "double quotes" inside' (no $ interpolation)
-  // - Double quotes: "content" (no $ interpolation)
-  // - Backticks without ${}: `content` (template literal but no interpolation)
-  //
-  // Note: We allow quotes INSIDE the string (e.g., 'text "with" quotes')
-  // but NOT $ (which would indicate interpolation)
-  const staticPatterns = [
-    // Single-quoted string: eval('...') - can contain anything except single quotes and $
-    /eval\s*\(\s*'[^'$]*'\s*\)/,
-    // Double-quoted string: eval("...") - can contain anything except double quotes and $
-    /eval\s*\(\s*"[^"$]*"\s*\)/,
-    // Backtick without interpolation: eval(`...`) - must not have ${ inside
-    /eval\s*\(\s*`[^`$]*`\s*\)/,
-    // Function constructor with string literal
-    /new\s+Function\s*\(\s*'[^'$]*'\s*\)/,
-    /new\s+Function\s*\(\s*"[^"$]*"\s*\)/,
-    // execSync with string literal
-    /execSync\s*\(\s*'[^'$]*'\s*\)/,
-    /execSync\s*\(\s*"[^"$]*"\s*\)/,
-    // exec with string literal
-    /exec\s*\(\s*'[^'$]*'/,
-    /exec\s*\(\s*"[^"$]*"/,
-  ]
-
-  // Only return true if it matches a static pattern (string literal)
-  // If it's a variable like eval(code), we can't assume it's static
-  return staticPatterns.some(p => p.test(lineContent))
-}
-
-/**
- * Check if path traversal protection is in place
- * Looks for common sanitization patterns that prevent directory traversal attacks
- */
-export function hasPathTraversalProtection(
-  context: string,
-  lineContent: string
-): boolean {
-  const protectionPatterns = [
-    // Path normalization with base directory check (same line)
-    /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
-
-    // startsWith check with common safe directory variable names
-    /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir|safeDir|SAFE_)/i,
-
-    // MULTI-LINE PATTERN: path.resolve followed by startsWith check in context
-    // This handles the common case where resolve and startsWith are on separate lines:
-    //   const resolved = path.resolve(baseDir, userPath)
-    //   if (!resolved.startsWith(baseDir)) throw new Error()
-    // We check for BOTH patterns being present in the context
-    // (handled below as combined check)
-
-    // Explicit ".." rejection
-    /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
-    /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
-    /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
-    // Replace ".." pattern (sanitization)
-    /\.replace\s*\([^)]*\\?\.\\?\.\s*[^)]*,\s*['"`]['"`]\s*\)/i,
-
-    // Path sanitization libraries
-    /sanitizePath|sanitizeFilename|sanitize-filename/i,
-    /path-sanitizer|secure-path/i,
-
-    // Explicit path validation
-    /validatePath|isValidPath|checkPath|verifyPath/i,
-    /isPathAllowed|isAllowedPath|pathIsAllowed/i,
-
-    // Normalize and check pattern
-    /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
-
-    // Regex validation for safe characters only
-    /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//, // Only alphanumeric, dash, underscore, dot
-
-    // Allowlist/whitelist patterns
-    /allowedExtensions|allowedTypes|whitelist/i,
-    /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i, // Extension check
-
-    // Path.basename to strip directory
-    /path\.basename\s*\(/i,
-
-    // Zod/validation for filename patterns
-    /z\.string\s*\(\s*\)\.regex\s*\(/i,
-  ]
-
-  // Check single-line patterns
-  if (protectionPatterns.some(p => p.test(context) || p.test(lineContent))) {
-    return true
-  }
-
-  // Multi-line pattern: path.resolve + startsWith check on separate lines
-  // This is a very common secure pattern:
-  //   const resolved = path.resolve(safeBaseDir, userInput)
-  //   if (!resolved.startsWith(safeBaseDir)) { throw ... }
-  const hasPathResolve = /path\.resolve\s*\(/i.test(context)
-  const hasStartsWithCheck = /\.startsWith\s*\(/i.test(context)
-  const hasThrowOnFailure = /(throw|return|reject)\s+.*(error|invalid|denied)/i.test(context)
-
-  if (hasPathResolve && hasStartsWithCheck && hasThrowOnFailure) {
-    return true
-  }
-
-  return false
-}
-
-/**
- * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
- * Routes with throwing auth helpers are already protected
- */
-export function hasThrowingAuthHelper(content: string): boolean {
-  const throwingAuthPatterns = [
-    /\bgetCurrentUserId\s*\(/i,
-    /\brequireAuth\s*\(/i,
-    /\bensureAuth\s*\(/i,
-    /\bauth\s*\(\s*\)\s*\.protect\s*\(/i, // Clerk: auth().protect()
-    /\bcurrentUser\s*\(\s*\)/i, // Clerk: currentUser()
-    /\bgetServerSession\s*\([^)]*\)/i, // NextAuth
-    /\bauth\s*\(\s*\)/i, // Generic auth() call
-    /\bcheckAuth\s*\(/i,
-    /\bverifyAuth\s*\(/i,
-    /\bvalidateAuth\s*\(/i,
-    /\bassertAuth\s*\(/i,
-    /\bgetAuth\s*\(/i,
-    /\brequireUser\s*\(/i,
-    /\bgetUser\s*\(\s*\)/i, // supabase.auth.getUser()
-    /const\s+\{\s*user\s*\}\s*=\s*await/i, // Destructuring pattern
-  ]
-  return throwingAuthPatterns.some(p => p.test(content))
-}

package/src/detect/structural/dangerous-functions/utils/index.ts

@@ -1,25 +0,0 @@
-/**
- * Utility Functions Index
- *
- * Re-exports all utility functions from the dangerous-functions module.
- */
-
-export {
-  isInsideTryCatch,
-  hasTryCatchNearby,
-  extractFunctionContext,
-} from './control-flow'
-
-export {
-  hasSchemaValidationNearby,
-  hasManualValidation,
-  hasSQLWhitelistValidation,
-} from './schema-validation'
-
-export {
-  getLineContent,
-  getLineRange,
-  hasOnlyStaticInputs,
-  hasPathTraversalProtection,
-  hasThrowingAuthHelper,
-} from './helpers'

package/src/detect/structural/dangerous-functions/utils/schema-validation.ts

@@ -1,106 +0,0 @@
-/**
- * Schema Validation Detection Utilities
- *
- * Functions for detecting schema validation patterns (zod, yup, joi, etc.)
- * and manual validation patterns.
- */
-
-/**
- * Check if schema validation is applied near a JSON.parse call
- * Looks for zod, yup, joi, or similar validation patterns
- */
-export function hasSchemaValidationNearby(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const start = Math.max(0, lineNumber - 5)
-  const end = Math.min(lines.length, lineNumber + 10)
-  const context = lines.slice(start, end).join('\n')
-
-  const schemaValidationPatterns = [
-    // Zod patterns
-    /z\.(object|string|number|array|boolean)\s*\(/i,
-    /\.parse\s*\(/i,
-    /\.safeParse\s*\(/i,
-    /schema\.parse/i,
-    /Schema\.parse/i,
-    // Yup patterns
-    /yup\.(object|string|number|array|boolean)\s*\(/i,
-    /\.validate\s*\(/i,
-    /\.validateSync\s*\(/i,
-    // Joi patterns
-    /Joi\.(object|string|number|array|boolean)\s*\(/i,
-    /\.validateAsync\s*\(/i,
-    // Valibot patterns
-    /v\.(object|string|number|array|boolean)\s*\(/i,
-    // AJV patterns
-    /ajv\.compile/i,
-    /validate\s*\(\s*schema/i,
-    // TypeBox patterns
-    /Type\.(Object|String|Number|Array|Boolean)\s*\(/i,
-    // Generic validation patterns
-    /validateSchema/i,
-    /schemaValidator/i,
-    /parseAndValidate/i,
-  ]
-
-  return schemaValidationPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if this file appears to have form/input validation elsewhere
- * (manual checks on body fields, type guards, etc.)
- */
-export function hasManualValidation(content: string): boolean {
-  const manualValidationPatterns = [
-    // Type checking / type guards
-    /typeof\s+\w+\s*[!=]==?\s*['"](?:string|number|boolean|object)['"]|Array\.isArray\s*\(/i,
-    // Field existence checks followed by throws/returns
-    /if\s*\(\s*!(?:body|data|input)\.\w+\s*\)\s*\{?\s*(throw|return)/i,
-    // Property access with type assertion comments or inline validation
-    /\b(body|data|input)\s*as\s+\w+/i, // Type assertion
-    // Manual validation with error handling
-    /if\s*\(\s*![\w.]+\s*\|\|\s*typeof\s+[\w.]+/i,
-    // Using type predicates
-    /is\w+\s*\([\w.]+\)/i, // isFoo(bar) pattern
-  ]
-
-  return manualValidationPatterns.some(p => p.test(content))
-}
-
-/**
- * Check if SQL query uses whitelist validation pattern
- * e.g., columns validated against allowedColumns array before use
- */
-export function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 20)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-
-  // Whitelist/allowlist validation patterns
-  const whitelistPatterns = [
-    // Array-based whitelists
-    /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
-    /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
-    /valid\w*\s*=\s*\[/i, // validColumns = [...]
-    /\.filter\s*\([^)]*\.includes\s*\(/i, // .filter(c => allowed.includes(c))
-    /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
-    /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
-    /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
-
-    // Object-based whitelists (Record<string, string>)
-    /\w+\s+in\s+\w*(?:sortable|allowed|valid|whitelist)\w*/i, // sorter in sortableFields
-    /\w+\s+in\s+\w+Fields/i, // key in someFields
-    /:\s*Record<string,\s*string>/i, // Type annotation: Record<string, string>
-    /const\s+\w+Fields\s*:\s*\{[^}]*\}\s*=/i, // const xyzFields: {...} = (inline type)
-    /const\s+\w+Fields\s*=\s*\{[^}]*\}/i, // const xyzFields = { ... }
-    /if\s*\([^)]*\s+in\s+\w+Fields\s*\)/i, // if (x in yFields)
-    /&&\s*\w+\s+in\s+\w+/i, // && sorter in sortableFields
-
-    // Enum-based validation (ASC/DESC, etc.)
-    /===?\s*['"](?:ASC|DESC)['"]/i, // === 'ASC' or === 'DESC'
-    /===?\s*\w+\.(?:Asc|Desc|ASC|DESC)/i, // === SortType.Asc
-    /toLowerCase\s*\(\s*\)\s*===?\s*\w+\.(?:asc|desc)/i, // .toLowerCase() === SortType.asc
-  ]
-
-  return whitelistPatterns.some(p => p.test(context))
-}