@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/structural/xxe-detection.ts

@@ -1,295 +0,0 @@
-/**
- * Layer 2: XXE (XML External Entity) Detector
- * Detects XML parsing without entity expansion protection
- *
- * OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
- * CWE-611: Improper Restriction of XML External Entity Reference
- */
-
-import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
-import type { ParsedFile } from '../../shared/parsed-file'
-import {
-  isComment,
-  isTestOrMockFile,
-  isScannerOrFixtureFile,
-} from '../../parse/file-classifier'
-
-const BASE_CONFIDENCE = 0.55
-
-interface XXEOptions {
-  parsed?: ParsedFile
-}
-
-interface XXEPattern {
-  /** Regex to detect XML parser usage */
-  pattern: RegExp
-  /** Programming language */
-  lang: 'node' | 'python' | 'java' | 'php'
-  /** Library name for reporting */
-  lib: string
-  /** Regex for safe configuration that suppresses the finding */
-  safe?: RegExp
-  /** Default severity (can be overridden) */
-  severity?: VulnerabilitySeverity
-  /** File extensions this applies to */
-  extensions?: string[]
-}
-
-const XXE_PATTERNS: XXEPattern[] = [
-  // ==================== Node.js ====================
-  {
-    pattern: /xml2js\.parseString|new\s+xml2js\.Parser/,
-    lang: 'node',
-    lib: 'xml2js',
-    safe: /explicitCharkey|xmlMode/,
-    severity: 'medium', // xml2js v0.5+ doesn't expand entities by default
-    extensions: ['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx'],
-  },
-  {
-    pattern: /libxmljs\.parseXml/,
-    lang: 'node',
-    lib: 'libxmljs',
-    safe: /noent\s*:\s*false/,
-    severity: 'high',
-    extensions: ['.js', '.ts', '.mjs', '.cjs'],
-  },
-  {
-    pattern: /new\s+DOMParser\(\)\.parseFromString/,
-    lang: 'node',
-    lib: 'DOMParser',
-    severity: 'low', // Browsers block XXE by default
-    extensions: ['.js', '.ts', '.jsx', '.tsx'],
-  },
-  {
-    pattern: /(?:xmldom|@xmldom\/xmldom)/,
-    lang: 'node',
-    lib: 'xmldom',
-    safe: /entityExpansionEnabled\s*:\s*false/,
-    severity: 'medium',
-    extensions: ['.js', '.ts', '.mjs', '.cjs'],
-  },
-  {
-    pattern: /(?:fast-xml-parser|XMLParser)/,
-    lang: 'node',
-    lib: 'fast-xml-parser',
-    safe: /processEntities\s*:\s*false/,
-    severity: 'medium',
-    extensions: ['.js', '.ts', '.mjs', '.cjs'],
-  },
-
-  // ==================== Python ====================
-  {
-    pattern: /xml\.etree\.ElementTree\.parse|ET\.parse|etree\.parse/,
-    lang: 'python',
-    lib: 'xml.etree.ElementTree',
-    safe: /defusedxml/,
-    severity: 'high',
-    extensions: ['.py'],
-  },
-  {
-    pattern: /lxml\.etree\.parse|etree\.fromstring/,
-    lang: 'python',
-    lib: 'lxml.etree',
-    safe: /resolve_entities\s*=\s*False|defusedxml/,
-    severity: 'high',
-    extensions: ['.py'],
-  },
-  {
-    pattern: /xml\.sax\.parse|xml\.dom\.minidom\.parse/,
-    lang: 'python',
-    lib: 'xml.sax/minidom',
-    safe: /defusedxml/,
-    severity: 'high',
-    extensions: ['.py'],
-  },
-  {
-    pattern: /xml\.dom\.pulldom/,
-    lang: 'python',
-    lib: 'xml.dom.pulldom',
-    safe: /defusedxml/,
-    severity: 'high',
-    extensions: ['.py'],
-  },
-
-  // ==================== Java ====================
-  {
-    pattern: /DocumentBuilderFactory\.newInstance/,
-    lang: 'java',
-    lib: 'DocumentBuilderFactory',
-    safe: /disallow-doctype-decl|FEATURE_SECURE_PROCESSING/,
-    severity: 'high',
-    extensions: ['.java'],
-  },
-  {
-    pattern: /SAXParserFactory\.newInstance/,
-    lang: 'java',
-    lib: 'SAXParserFactory',
-    safe: /disallow-doctype-decl|external-general-entities/,
-    severity: 'high',
-    extensions: ['.java'],
-  },
-  {
-    pattern: /XMLInputFactory\.newInstance/,
-    lang: 'java',
-    lib: 'XMLInputFactory',
-    safe: /IS_SUPPORTING_EXTERNAL_ENTITIES|SUPPORT_DTD/,
-    severity: 'high',
-    extensions: ['.java'],
-  },
-  {
-    pattern: /TransformerFactory\.newInstance/,
-    lang: 'java',
-    lib: 'TransformerFactory',
-    safe: /ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_STYLESHEET/,
-    severity: 'high',
-    extensions: ['.java'],
-  },
-
-  // ==================== PHP ====================
-  {
-    pattern: /simplexml_load_string|simplexml_load_file/,
-    lang: 'php',
-    lib: 'simplexml',
-    safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)|LIBXML_NOENT/,
-    severity: 'high',
-    extensions: ['.php'],
-  },
-  {
-    pattern: /DOMDocument.*(?:loadXML|load)\b/,
-    lang: 'php',
-    lib: 'DOMDocument',
-    safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)/,
-    severity: 'high',
-    extensions: ['.php'],
-  },
-  {
-    pattern: /XMLReader.*open/,
-    lang: 'php',
-    lib: 'XMLReader',
-    safe: /setParserProperty.*LOADDTD.*false/,
-    severity: 'high',
-    extensions: ['.php'],
-  },
-]
-
-/**
- * Check if the file extension matches the expected language
- */
-function matchesLanguageExtension(filePath: string, extensions?: string[]): boolean {
-  if (!extensions) return true
-  return extensions.some(ext => filePath.endsWith(ext))
-}
-
-/**
- * Check surrounding context for safe configuration
- */
-function hasSafeConfig(
-  content: string,
-  lines: string[],
-  lineIndex: number,
-  safePattern: RegExp | undefined,
-  lang: string
-): boolean {
-  if (!safePattern) return false
-
-  // For Python: check entire file for defusedxml import
-  if (lang === 'python' && /defusedxml/.test(safePattern.source)) {
-    if (/import\s+defusedxml|from\s+defusedxml/.test(content)) {
-      return true
-    }
-  }
-
-  // Check surrounding context (±20 lines for Java setFeature, ±10 for others)
-  const windowSize = lang === 'java' ? 20 : 10
-  const start = Math.max(0, lineIndex - windowSize)
-  const end = Math.min(lines.length, lineIndex + windowSize + 1)
-  const context = lines.slice(start, end).join('\n')
-
-  return safePattern.test(context)
-}
-
-/**
- * Detect XXE patterns in code
- */
-export function detectXXEPatterns(
-  content: string,
-  filePath: string,
-  options?: XXEOptions
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
-
-  const isTestFile = isTestOrMockFile(filePath)
-  const lines = options?.parsed?.lines ?? content.split('\n')
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i]
-    if (isComment(line)) continue
-
-    for (const xxePattern of XXE_PATTERNS) {
-      // Check language extension match
-      if (!matchesLanguageExtension(filePath, xxePattern.extensions)) continue
-
-      if (!xxePattern.pattern.test(line)) continue
-
-      // Check for safe configuration
-      if (hasSafeConfig(content, lines, i, xxePattern.safe, xxePattern.lang)) continue
-
-      let severity: VulnerabilitySeverity = xxePattern.severity || 'high'
-
-      // Downgrade for test files
-      if (isTestFile) {
-        severity = 'info'
-      }
-
-      // DOMParser in .tsx client files is inherently safe
-      if (xxePattern.lib === 'DOMParser' && (filePath.endsWith('.tsx') || filePath.endsWith('.jsx'))) {
-        severity = 'info'
-      }
-
-      vulnerabilities.push({
-        id: `xxe-${filePath}-${i + 1}-${xxePattern.lib}`,
-        filePath,
-        lineNumber: i + 1,
-        lineContent: line.trim(),
-        severity,
-        category: 'xxe',
-        title: `XXE risk: ${xxePattern.lib} XML parser without entity protection`,
-        description:
-          `${xxePattern.lib} XML parser is used without disabling external entity processing. An attacker could supply malicious XML to read server files, perform SSRF, or cause denial-of-service.`,
-        suggestedFix: getSuggestedFix(xxePattern.lang, xxePattern.lib),
-        confidence: severity === 'high' ? 'high' : 'medium',
-        baseConfidence: BASE_CONFIDENCE,
-        layer: 2,
-        source: 'structural' as const,
-        requiresAIValidation: severity !== 'high',
-      })
-
-      break // One finding per line
-    }
-  }
-
-  return vulnerabilities
-}
-
-function getSuggestedFix(lang: string, lib: string): string {
-  switch (lang) {
-    case 'python':
-      return 'Use defusedxml instead of the standard xml library: pip install defusedxml && from defusedxml.ElementTree import parse'
-    case 'java':
-      return 'Disable external entities: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)'
-    case 'php':
-      return 'Disable entity loading: libxml_disable_entity_loader(true) before parsing XML'
-    case 'node':
-      if (lib === 'fast-xml-parser') {
-        return 'Disable entity processing: new XMLParser({ processEntities: false })'
-      }
-      if (lib === 'xml2js') {
-        return 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false'
-      }
-      return 'Disable external entity processing in the XML parser configuration'
-    default:
-      return 'Disable external entity processing in the XML parser configuration'
-  }
-}

package/src/model/cross-file-taint.ts

@@ -1,374 +0,0 @@
-/**
- * Cross-File Taint Analysis — Detects taint flows that cross file boundaries.
- *
- * Scenario 1: Source in file A, sink in imported function (file B).
- *   File A has req.params.id (tainted), calls getUser(id) imported from B.
- *   B's getUser has param 'id' reaching a sql_query sink.
- *
- * Scenario 2: Imported function returns user data.
- *   File A calls getUserInput() from B which returns req.body.
- *   File A then passes the return value to a local sink.
- *
- * Constraint: One level of imports only. No transitive chasing (A->B->C).
- */
-
-import type { ScanFile } from '../shared/types'
-import type { ModuleGraph } from './module-graph'
-import type { FunctionProfileMap, ExportedFunctionProfile } from './function-classifier'
-import type {
-  FileTaintAnalysis,
-  UserInputSource,
-  TaintSink,
-  SinkType,
-} from './taint-types'
-import { SINK_PATTERNS, escapeRegex } from './sink-patterns'
-
-// ============================================================================
-// Types
-// ============================================================================
-
-export interface CrossFileTaintPath {
-  sourceFile: string
-  source: UserInputSource
-  sinkFile: string
-  sink: TaintSink
-  importLink: {
-    fromFile: string
-    toFile: string
-    symbolName: string
-    paramName?: string
-    callLine: number
-  }
-  sanitised: boolean
-  confidence: 'high' | 'medium' | 'low'
-}
-
-// ============================================================================
-// Main Analysis
-// ============================================================================
-
-/**
- * Analyze cross-file taint paths across the project.
- *
- * For each file with taint sources, check if tainted variables flow into
- * calls to imported functions that reach dangerous sinks.
- */
-export function analyzeCrossFileTaint(
-  files: ScanFile[],
-  graph: ModuleGraph,
-  functionProfiles: FunctionProfileMap,
-  fileTaintAnalyses: Map<string, FileTaintAnalysis>
-): CrossFileTaintPath[] {
-  const paths: CrossFileTaintPath[] = []
-  const fileContentMap = new Map(files.map(f => [f.path, f.content]))
-
-  for (const [filePath, analysis] of fileTaintAnalyses) {
-    if (analysis.sources.length === 0) continue
-
-    const node = graph.nodes.get(filePath)
-    if (!node) continue
-
-    // Skip files involved in circular imports (unsafe to analyze)
-    if (graph.circularImports.has(filePath)) continue
-
-    const content = fileContentMap.get(filePath)
-    if (!content) continue
-
-    // Scenario 1: Source in file A, sink in imported function (file B)
-    const scenario1Paths = analyzeScenario1(
-      filePath,
-      content,
-      analysis,
-      node,
-      graph,
-      functionProfiles
-    )
-    paths.push(...scenario1Paths)
-
-    // Scenario 2: Imported function returns user data, used in local sink
-    const scenario2Paths = analyzeScenario2(
-      filePath,
-      content,
-      analysis,
-      node,
-      graph,
-      functionProfiles
-    )
-    paths.push(...scenario2Paths)
-  }
-
-  return paths
-}
-
-// ============================================================================
-// Scenario 1: Source in A, sink in imported function B
-// ============================================================================
-
-function analyzeScenario1(
-  filePath: string,
-  content: string,
-  analysis: FileTaintAnalysis,
-  node: ReturnType<ModuleGraph['nodes']['get']> & {},
-  graph: ModuleGraph,
-  functionProfiles: FunctionProfileMap
-): CrossFileTaintPath[] {
-  const paths: CrossFileTaintPath[] = []
-  const lines = content.split('\n')
-
-  // Build a map of imported function names → their profiles
-  const importedFunctions = new Map<string, { profile: ExportedFunctionProfile; importPath: string }>()
-
-  for (const imp of node.imports) {
-    if (!imp.resolvedPath) continue
-    const profiles = functionProfiles.get(imp.resolvedPath)
-    if (!profiles) continue
-
-    for (const name of imp.importedNames) {
-      if (name === 'default') continue
-      const profile = profiles.find(p => p.name === name)
-      if (profile && profile.reachesSinks.length > 0) {
-        importedFunctions.set(name, { profile, importPath: imp.resolvedPath })
-      }
-    }
-  }
-
-  if (importedFunctions.size === 0) return paths
-
-  // Get tainted variable names and their sources
-  const taintedVarNames = new Map<string, UserInputSource>()
-  for (const src of analysis.sources) {
-    taintedVarNames.set(src.variable, src)
-  }
-  for (const tv of analysis.taintedVariables) {
-    if (!tv.sanitised) {
-      taintedVarNames.set(tv.name, tv.source)
-    }
-  }
-
-  // Pre-compile call patterns for imported functions (avoid per-line RegExp construction)
-  const compiledCallPatterns = new Map<string, RegExp>()
-  for (const funcName of importedFunctions.keys()) {
-    compiledCallPatterns.set(funcName, new RegExp(`\\b${escapeRegex(funcName)}\\s*\\(`))
-  }
-
-  // Pre-compile var patterns for tainted variables
-  const compiledVarPatterns = new Map<string, RegExp>()
-  for (const varName of taintedVarNames.keys()) {
-    compiledVarPatterns.set(varName, new RegExp(`\\b${escapeRegex(varName)}\\b`))
-  }
-
-  // Scan for calls to imported functions with tainted arguments
-  const seen = new Set<string>()
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i]
-    const lineNumber = i + 1
-    const trimmed = line.trim()
-
-    // Skip comments
-    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) continue
-
-    for (const [funcName, { profile, importPath }] of importedFunctions) {
-      // Check if this line calls the imported function
-      if (!compiledCallPatterns.get(funcName)!.test(line)) continue
-
-      // Extract call arguments
-      const args = extractCallArguments(line, funcName)
-
-      // Check if any tainted variable is passed as an argument
-      for (const arg of args) {
-        const argTrimmed = arg.trim()
-
-        // Check if this argument is a tainted variable
-        for (const [varName, source] of taintedVarNames) {
-          if (!compiledVarPatterns.get(varName)!.test(argTrimmed)) continue
-
-          // Check if the corresponding param is dangerous
-          const argIndex = args.indexOf(arg)
-          const paramName = profile.paramNames[argIndex]
-          const isDangerousParam = paramName
-            ? profile.dangerousParams.includes(paramName)
-            : profile.paramNames.length === 0 && profile.dangerousParams.length > 0
-
-          if (!isDangerousParam && profile.dangerousParams.length > 0) continue
-
-          // Build cross-file taint path
-          const key = `${filePath}:${source.variable}:${importPath}:${funcName}:${lineNumber}`
-          if (seen.has(key)) continue
-          seen.add(key)
-
-          const sinkType: SinkType = profile.reachesSinks[0]
-          paths.push({
-            sourceFile: filePath,
-            source,
-            sinkFile: profile.filePath,
-            sink: {
-              line: profile.line,
-              expression: `${funcName}(...)`,
-              sinkType,
-            },
-            importLink: {
-              fromFile: filePath,
-              toFile: importPath,
-              symbolName: funcName,
-              paramName,
-              callLine: lineNumber,
-            },
-            sanitised: profile.hasSanitisation,
-            confidence: 'medium',  // cross-file paths are medium confidence by default
-          })
-        }
-      }
-    }
-  }
-
-  return paths
-}
-
-// ============================================================================
-// Scenario 2: Imported function returns user data, used in local sink
-// ============================================================================
-
-function analyzeScenario2(
-  filePath: string,
-  content: string,
-  _analysis: FileTaintAnalysis,
-  node: ReturnType<ModuleGraph['nodes']['get']> & {},
-  _graph: ModuleGraph,
-  functionProfiles: FunctionProfileMap
-): CrossFileTaintPath[] {
-  const paths: CrossFileTaintPath[] = []
-  const lines = content.split('\n')
-
-  // Find imported functions that return user data
-  const userDataFunctions = new Map<string, { profile: ExportedFunctionProfile; importPath: string }>()
-
-  for (const imp of node.imports) {
-    if (!imp.resolvedPath) continue
-    const profiles = functionProfiles.get(imp.resolvedPath)
-    if (!profiles) continue
-
-    for (const name of imp.importedNames) {
-      if (name === 'default') continue
-      const profile = profiles.find(p => p.name === name)
-      if (profile && profile.returnsUserData) {
-        userDataFunctions.set(name, { profile, importPath: imp.resolvedPath })
-      }
-    }
-  }
-
-  if (userDataFunctions.size === 0) return paths
-
-  // Pre-compile assignment patterns for user-data functions
-  const compiledAssignPatterns = new Map<string, RegExp>()
-  for (const funcName of userDataFunctions.keys()) {
-    compiledAssignPatterns.set(funcName, new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*(?:await\\s+)?${escapeRegex(funcName)}\\s*\\(`))
-  }
-
-  // Track variables assigned from user-data-returning functions
-  const taintedByImport = new Map<string, { source: ExportedFunctionProfile; callLine: number; importPath: string; funcName: string }>()
-  // Cache compiled var patterns for tainted-by-import variables (grows as new vars are discovered)
-  const compiledImportVarPatterns = new Map<string, RegExp>()
-
-  const seen = new Set<string>()
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i]
-    const lineNumber = i + 1
-    const trimmed = line.trim()
-
-    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue
-
-    // Check for assignments from user-data functions
-    for (const [funcName, { profile, importPath }] of userDataFunctions) {
-      const assignMatch = line.match(compiledAssignPatterns.get(funcName)!)
-      if (assignMatch) {
-        const varName = assignMatch[1]
-        taintedByImport.set(varName, { source: profile, callLine: lineNumber, importPath, funcName })
-        // Pre-compile pattern for newly discovered tainted variable
-        if (!compiledImportVarPatterns.has(varName)) {
-          compiledImportVarPatterns.set(varName, new RegExp(`\\b${escapeRegex(varName)}\\b`))
-        }
-      }
-    }
-
-    // Check if any tainted-by-import variable reaches a local sink
-    for (const sp of SINK_PATTERNS) {
-      if (!sp.pattern.test(line)) continue
-
-      for (const [varName, info] of taintedByImport) {
-        if (!compiledImportVarPatterns.get(varName)!.test(line)) continue
-
-        const key = `${filePath}:${varName}:${info.importPath}:${info.funcName}:${lineNumber}`
-        if (seen.has(key)) continue
-        seen.add(key)
-
-        paths.push({
-          sourceFile: info.importPath,
-          source: {
-            line: info.source.line,
-            expression: `${info.funcName}() return value`,
-            variable: varName,
-            sourceType: info.source.returnSourceType ?? 'http_body',
-            confidence: 'medium',
-          },
-          sinkFile: filePath,
-          sink: {
-            line: lineNumber,
-            expression: trimmed,
-            sinkType: sp.sinkType,
-          },
-          importLink: {
-            fromFile: filePath,
-            toFile: info.importPath,
-            symbolName: info.funcName,
-            callLine: info.callLine,
-          },
-          sanitised: false,
-          confidence: 'low',  // scenario 2 is lower confidence
-        })
-      }
-    }
-  }
-
-  return paths
-}
-
-// ============================================================================
-// Helpers
-// ============================================================================
-
-function extractCallArguments(line: string, funcName: string): string[] {
-  const startIdx = line.indexOf(funcName)
-  if (startIdx === -1) return []
-
-  const parenStart = line.indexOf('(', startIdx + funcName.length)
-  if (parenStart === -1) return []
-
-  let depth = 0
-  let current = ''
-  const args: string[] = []
-
-  for (let i = parenStart; i < line.length; i++) {
-    const ch = line[i]
-    if (ch === '(') {
-      if (depth > 0) current += ch
-      depth++
-    } else if (ch === ')') {
-      depth--
-      if (depth === 0) {
-        if (current.trim()) args.push(current.trim())
-        break
-      }
-      current += ch
-    } else if (ch === ',' && depth === 1) {
-      if (current.trim()) args.push(current.trim())
-      current = ''
-    } else if (depth > 0) {
-      current += ch
-    }
-  }
-
-  return args
-}
-