@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/auth-patterns-ast.js

@@ -0,0 +1,280 @@
+"use strict";
+/**
+ * AST-Based Authentication Anti-Pattern Detection
+ *
+ * Migrates structural/auth-patterns.ts from regex to AST.
+ * Detects missing auth, weak auth patterns, JWT issues.
+ *
+ * AST advantages:
+ * - Detects auth calls in function body (not just nearby lines)
+ * - Understands exported HTTP method functions (Next.js App Router)
+ * - Resolves middleware chains from AST
+ * - Handles throwing auth helpers (getCurrentUserId(), auth())
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const context_detection_1 = require("./helpers/context-detection");
+const call_analysis_1 = require("./helpers/call-analysis");
+const scope_analysis_1 = require("./helpers/scope-analysis");
+const string_analysis_1 = require("./helpers/string-analysis");
+const file_classifier_1 = require("../../parse/file-classifier");
+// ============================================================================
+// Public Endpoint Detection
+// ============================================================================
+const AUTH_MIDDLEWARE_WRAPPERS = /\b(withMiddleware|withAuth|requireAuth|protectedRoute|withProtect|withSession|withApiAuth|authMiddleware|requireSession|withClerk|defaultResponder)\b/;
+const PUBLIC_ENDPOINT_PATTERNS = [
+    /health/i, /status/i, /ping/i, /ready/i, /alive/i,
+    /webhook/i, /cron/i, /callback/i,
+    /\.well-known/i, /robots\.txt/i, /sitemap/i, /favicon/i,
+    /login/i, /signup/i, /register/i, /forgot-password/i,
+    /oauth/i, /auth\/callback/i,
+];
+function isPublicEndpoint(filePath) {
+    return PUBLIC_ENDPOINT_PATTERNS.some(p => p.test(filePath));
+}
+function isDirectlyExported(fnNode) {
+    if (fnNode.parent?.type === 'export_statement')
+        return true;
+    if (fnNode.parent?.type === 'variable_declarator') {
+        const declaration = fnNode.parent.parent;
+        if (declaration?.parent?.type === 'export_statement')
+            return true;
+    }
+    return false;
+}
+// ============================================================================
+// AST Rule: Express Admin Route Without Auth
+// ============================================================================
+const ADMIN_PATH_PATTERN = /\/admin\//i;
+const HTTP_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);
+(0, index_1.registerASTRule)({
+    id: 'ast-auth-admin-route',
+    title: 'Admin route without authentication',
+    description: 'Express route at admin path has no auth middleware or auth checks in handler',
+    severity: 'high',
+    category: 'missing_auth',
+    suggestedFix: 'Add authentication middleware before the route handler: app.get(\'/admin\', authMiddleware, handler)',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    requiresAIValidation: false,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        // Pre-check: must have admin path and app/router usage
+        if (!ADMIN_PATH_PATTERN.test(content))
+            return [];
+        if (!/\b(?:app|router)\.\s*(?:get|post|put|patch|delete)\b/.test(content))
+            return [];
+        const matches = [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target || target.type !== 'member')
+                continue;
+            if (!HTTP_METHODS.has(target.name))
+                continue;
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length < 2)
+                continue;
+            // First arg should be the path string
+            const pathArg = args[0];
+            const pathText = (0, string_analysis_1.extractStringValue)(pathArg);
+            if (!pathText || !ADMIN_PATH_PATTERN.test(pathText))
+                continue;
+            // Check for auth middleware: if there are 3+ args, middle args are middleware
+            // app.get('/admin', authMiddleware, handler) — 3 args means middleware present
+            if (args.length >= 3)
+                continue;
+            // Only 2 args: path + handler. Check if handler body has auth checks
+            const handler = args[1];
+            if (handler.type === 'arrow_function' || handler.type === 'function_expression') {
+                const body = handler.childForFieldName('body');
+                if (body) {
+                    const bodyText = body.text;
+                    if (/session|token|auth|userId|user_id|currentUser|isAdmin|is_admin|requireAuth|getSession/i.test(bodyText))
+                        continue;
+                }
+            }
+            matches.push({ node, severity: 'high' });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Unprotected API Route
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-auth-unprotected-route',
+    title: 'API route may lack authentication',
+    description: 'API route handler does not appear to have authentication checks',
+    severity: 'medium',
+    category: 'missing_auth',
+    suggestedFix: 'Add authentication middleware or check session at the start of the handler.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'medium',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        // Don't flag public endpoints
+        if (isPublicEndpoint(ast.filePath))
+            return [];
+        // If file has auth imports, it's likely auth-aware
+        const root = ast.tree.rootNode;
+        if ((0, context_detection_1.hasAuthImports)(root, content))
+            return [];
+        // If file uses auth middleware wrappers, auth is handled externally
+        if (AUTH_MIDDLEWARE_WRAPPERS.test(content))
+            return [];
+        const matches = [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'function_declaration', 'arrow_function', 'function_expression')) {
+            if (!(0, context_detection_1.isRouteHandler)(node))
+                continue;
+            if (!isDirectlyExported(node))
+                continue;
+            const body = node.childForFieldName('body');
+            if (!body)
+                continue;
+            // Check for auth checks in the function body
+            const authCalls = (0, context_detection_1.findAuthChecks)(body);
+            if (authCalls.length > 0)
+                continue; // has auth, skip
+            // Check for session/token checks
+            const bodyText = body.text;
+            if (/session|token|auth|userId|user_id|currentUser/i.test(bodyText))
+                continue;
+            // Determine severity based on context
+            const severity = isPublicEndpoint(ast.filePath) ? 'info' : 'medium';
+            matches.push({ node, severity });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Hardcoded Credentials Check
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-auth-hardcoded-creds',
+    title: 'Hardcoded credentials in authentication logic',
+    description: 'Authentication logic uses hardcoded username/password comparison',
+    severity: 'critical',
+    category: 'missing_auth',
+    suggestedFix: 'Use a proper user database with hashed passwords (bcrypt, scrypt, or Argon2).',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    detect(ast, _content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'if_statement')) {
+            // Look for if statements with === comparisons on user/password
+            const condition = node.childForFieldName('condition');
+            if (!condition)
+                continue;
+            const condText = condition.text;
+            // if (username === "admin" && password === "secret123")
+            if (/\b(username|user|email)\s*===?\s*['"][^'"]+['"]/.test(condText) &&
+                /\b(password|pass|pwd)\s*===?\s*['"][^'"]+['"]/.test(condText)) {
+                matches.push({ node: condition });
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Plain Text Password Comparison
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-auth-plaintext-password',
+    title: 'Plain text password comparison',
+    description: 'Password compared directly without hashing - use bcrypt.compare() or similar',
+    severity: 'high',
+    category: 'missing_auth',
+    suggestedFix: 'Use bcrypt.compare() or similar for password verification.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    detect(ast, _content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'binary_expression')) {
+            const left = node.childForFieldName('left');
+            const right = node.childForFieldName('right');
+            if (!left || !right)
+                continue;
+            const op = node.children.find(c => c.text === '===' || c.text === '==');
+            if (!op)
+                continue;
+            const lText = left.text;
+            const rText = right.text;
+            // password === user.password or user.password === password
+            if ((/\bpassword\b/i.test(lText) && /\buser\.password\b/i.test(rText)) ||
+                (/\buser\.password\b/i.test(lText) && /\bpassword\b/i.test(rText))) {
+                matches.push({ node });
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: JWT Without Verification
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-auth-jwt-no-verify',
+    title: 'JWT decoded without verification',
+    description: 'JWT decoded with jwt.decode() instead of jwt.verify() - no signature validation',
+    severity: 'high',
+    category: 'missing_auth',
+    suggestedFix: 'Use jwt.verify() instead of jwt.decode() for authentication.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        // Content pre-check: skip files without jwt mention
+        if (!/jwt/i.test(content))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        const aliases = (0, scope_analysis_1.collectVariableAliases)(root);
+        // Check if file also uses jwt.verify (if so, decode might be intentional for peeking)
+        let hasVerify = false;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if ((0, call_analysis_1.isMethodCallOn)(node, /^jwt$/, 'verify'))
+                hasVerify = true;
+        }
+        if (hasVerify)
+            return []; // File uses both decode and verify — intentional
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if ((0, call_analysis_1.isMethodCallOn)(node, /^jwt$/, 'decode')) {
+                matches.push({ node });
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=auth-patterns-ast.js.map

package/dist/detect/ast-rules/auth-patterns-ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-patterns-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/auth-patterns-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAIH,mCAAsF;AAEtF,mEAA4F;AAC5F,2DAA6F;AAC7F,6DAA6E;AAC7E,+DAA8D;AAE9D,iEAAsF;AAEtF,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,MAAM,wBAAwB,GAAG,uJAAuJ,CAAA;AAExL,MAAM,wBAAwB,GAAG;IAC/B,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ;IACjD,UAAU,EAAE,OAAO,EAAE,WAAW;IAChC,eAAe,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU;IACvD,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,kBAAkB;IACpD,QAAQ,EAAE,iBAAiB;CAC5B,CAAA;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAC7D,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAyB;IACnD,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,kBAAkB;QAAE,OAAO,IAAI,CAAA;IAC3D,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,qBAAqB,EAAE,CAAC;QAClD,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAA;QACxC,IAAI,WAAW,EAAE,MAAM,EAAE,IAAI,KAAK,kBAAkB;YAAE,OAAO,IAAI,CAAA;IACnE,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,6CAA6C;AAC7C,+EAA+E;AAE/E,MAAM,kBAAkB,GAAG,YAAY,CAAA;AACvC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAA;AAEvE,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,sBAAsB;IAC1B,KAAK,EAAE,oCAAoC;IAC3C,WAAW,EAAE,8EAA8E;IAC3F,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,sGAAsG;IACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,oBAAoB,EAAE,KAAK;IAC3B,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,uDAAuD;QACvD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAChD,IAAI,CAAC,sDAAsD,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAEpF,MAAM,OAAO,GAAmB,EAAE,CAAA;QAElC,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,MAAM,MAAM,GAAG,IAAA,iCAAiB,EAAC,IAAI,CAAC,CAAA;YACtC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAQ;YACjD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE5C,MAAM,IAAI,GAAG,IAAA,gCAAgB,EAAC,IAAI,CAAC,CAAA;YACnC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAQ;YAE7B,sCAAsC;YACtC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;YACvB,MAAM,QAAQ,GAAG,IAAA,oCAAkB,EAAC,OAAO,CAAC,CAAA;YAC5C,IAAI,CAAC,QAAQ,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YAE7D,8EAA8E;YAC9E,+EAA+E;YAC/E,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC;gBAAE,SAAQ;YAE9B,qEAAqE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;YACvB,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBAChF,MAAM,IAAI,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC9C,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAA;oBAC1B,IAAI,wFAAwF,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAAE,SAAQ;gBACvH,CAAC;YACH,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC1C,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,kCAAkC;AAClC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,4BAA4B;IAChC,KAAK,EAAE,mCAAmC;IAC1C,WAAW,EAAE,iEAAiE;IAC9E,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,6EAA6E;IAC3F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,oBAAoB,EAAE,IAAI;IAC1B,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,8BAA8B;QAC9B,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,mDAAmD;QACnD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,IAAI,IAAA,kCAAc,EAAC,IAAI,EAAE,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5C,oEAAoE;QACpE,IAAI,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAErD,MAAM,OAAO,GAAmB,EAAE,CAAA;QAElC,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,EAAE,CAAC;YACzG,IAAI,CAAC,IAAA,kCAAc,EAAC,IAAI,CAAC;gBAAE,SAAQ;YACnC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEvC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAC3C,IAAI,CAAC,IAAI;gBAAE,SAAQ;YAEnB,6CAA6C;YAC7C,MAAM,SAAS,GAAG,IAAA,kCAAc,EAAC,IAAI,CAAC,CAAA;YACtC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAQ,CAAC,iBAAiB;YAEpD,iCAAiC;YACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAA;YAC1B,IAAI,gDAAgD,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YAE7E,sCAAsC;YACtC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;YACnE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QAClC,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,wCAAwC;AACxC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,0BAA0B;IAC9B,KAAK,EAAE,+CAA+C;IACtD,WAAW,EAAE,kEAAkE;IAC/E,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,+EAA+E;IAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,QAAgB,EAAE,SAAqB;QAC5D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,cAAc,CAAC,EAAE,CAAC;YACxD,+DAA+D;YAC/D,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAA;YACrD,IAAI,CAAC,SAAS;gBAAE,SAAQ;YAExB,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAA;YAC/B,wDAAwD;YACxD,IACE,iDAAiD,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAChE,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC,EAC9D,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAA;YACnC,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,2CAA2C;AAC3C,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,6BAA6B;IACjC,KAAK,EAAE,gCAAgC;IACvC,WAAW,EAAE,8EAA8E;IAC3F,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,4DAA4D;IAC1E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,QAAgB,EAAE,SAAqB;QAC5D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE7C,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,mBAAmB,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;YAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;YAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,SAAQ;YAE7B,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;YACvE,IAAI,CAAC,EAAE;gBAAE,SAAQ;YAEjB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;YACvB,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAA;YAExB,2DAA2D;YAC3D,IACE,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClE,CAAC,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAClE,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,wBAAwB;IAC5B,KAAK,EAAE,kCAAkC;IACzC,WAAW,EAAE,iFAAiF;IAC9F,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,8DAA8D;IAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAEnD,oDAAoD;QACpD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAEpC,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,OAAO,GAAG,IAAA,uCAAsB,EAAC,IAAI,CAAC,CAAA;QAE5C,sFAAsF;QACtF,IAAI,SAAS,GAAG,KAAK,CAAA;QACrB,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,IAAA,8BAAc,EAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC;gBAAE,SAAS,GAAG,IAAI,CAAA;QAC/D,CAAC;QAED,IAAI,SAAS;YAAE,OAAO,EAAE,CAAA,CAAC,iDAAiD;QAE1E,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,IAAA,8BAAc,EAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;gBAC5C,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;YACxB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/byok-ast.d.ts

@@ -0,0 +1,13 @@
+/**
+ * AST-Based BYOK (Bring Your Own Key) Detection
+ *
+ * Migrates ai-code/byok-patterns.ts from regex to AST.
+ * Detects user-provided API keys flowing through route handlers.
+ *
+ * AST advantages:
+ * - Structurally detects `new OpenAI({ apiKey: req.body.key })` patterns
+ * - Resolves constructor calls and property access chains
+ * - Checks auth/storage context from enclosing function scope
+ */
+export {};
+//# sourceMappingURL=byok-ast.d.ts.map

package/dist/detect/ast-rules/byok-ast.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"byok-ast.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/byok-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/dist/detect/ast-rules/byok-ast.js

@@ -0,0 +1,180 @@
+"use strict";
+/**
+ * AST-Based BYOK (Bring Your Own Key) Detection
+ *
+ * Migrates ai-code/byok-patterns.ts from regex to AST.
+ * Detects user-provided API keys flowing through route handlers.
+ *
+ * AST advantages:
+ * - Structurally detects `new OpenAI({ apiKey: req.body.key })` patterns
+ * - Resolves constructor calls and property access chains
+ * - Checks auth/storage context from enclosing function scope
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const user_input_1 = require("./helpers/user-input");
+const context_detection_1 = require("./helpers/context-detection");
+const file_classifier_1 = require("../../parse/file-classifier");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Check if a node references user input for a key/apiKey field */
+function isKeyFromUserInput(node) {
+    const text = node.text;
+    return /(?:req|body|params|input|request)\.\w*(?:key|token|apiKey|api_key)/i.test(text) ||
+        /(?:apiKey|api_key|token|secret)\s*:\s*(?:req|body|params|input)/i.test(text);
+}
+/** Check if code contains explicit auth checks */
+function hasAuthInScope(content) {
+    return /getCurrentUser|getSession|getServerSession|auth\(\)|requireAuth|verifyToken|isAuthenticated|checkAuth|withAuth|req\.user|request\.user|context\.user|supabase\.auth\.getUser|supabase\.auth\.getSession|currentUser\(|auth\(\)\.protect/i.test(content);
+}
+/** Check if key is stored to database in scope */
+function hasStorageInScope(bodyText) {
+    const storagePatterns = /\.insert\s*\(|\.update\s*\(|\.upsert\s*\(|\.save\s*\(|INSERT\s+INTO|UPDATE\s+.*SET|prisma\.\w+\.create\s*\(|supabase\.from\(.*\)\.(?:insert|update|upsert)|localStorage\.setItem|sessionStorage\.setItem/i;
+    const aiApiExclude = /openai\..*\.create|anthropic\..*\.create|\.chat\.completions\.create|\.messages\.create/i;
+    return storagePatterns.test(bodyText) && !aiApiExclude.test(bodyText);
+}
+/** Check if key is used transiently (immediate API call, no storage) */
+function isTransientUsage(bodyText) {
+    const transient = /new\s+(?:OpenAI|Anthropic)\s*\(|\.completions\.create|\.messages\.create|await\s+(?:openai|anthropic|client)\./i;
+    return transient.test(bodyText) && !hasStorageInScope(bodyText);
+}
+/** Check if key is logged */
+function isKeyLogged(bodyText) {
+    return /console\.(log|info|debug|warn|error)\s*\([^)]*(?:apiKey|api_key|key)/i.test(bodyText) ||
+        /logger\.(log|info|debug|warn|error)\s*\([^)]*(?:apiKey|api_key|key)/i.test(bodyText);
+}
+/** Check if value is placeholder/example */
+function isExampleCredential(text) {
+    return /your[-_]?api[-_]?key|example[-_]?api|sample[-_]?key|replace[-_]?with|placeholder|xxx+|demo[-_]?key|test[-_]?key|fake[-_]?key|mock[-_]?key/i.test(text);
+}
+// ============================================================================
+// AST Rule: BYOK Pattern Detection
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-byok-pattern',
+    title: 'BYOK: User-provided API key detected',
+    description: 'User-provided API key flows through code. Risk depends on auth context and storage.',
+    severity: 'medium',
+    category: 'ai_pattern',
+    suggestedFix: 'For transient BYOK: add authentication and rate limiting. For stored keys: encrypt at rest and scope by user.',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isExampleFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        const flagged = new Set();
+        // Check file-level auth context
+        const hasAuth = hasAuthInScope(content) || (0, context_detection_1.hasAuthImports)(root, content);
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'new_expression', 'member_expression', 'pair')) {
+            // Pattern 1: new OpenAI({ apiKey: req.body.key })
+            if (node.type === 'new_expression') {
+                const constructor = node.childForFieldName('constructor');
+                if (constructor && /^(OpenAI|Anthropic)$/.test(constructor.text)) {
+                    const args = node.namedChildren.find(c => c.type === 'arguments');
+                    if (args) {
+                        const firstArg = args.namedChildren[0];
+                        if (firstArg?.type === 'object') {
+                            const apiKeyProp = (0, call_analysis_1.getObjectLiteralProperty)(firstArg, 'apiKey');
+                            if (apiKeyProp && (0, user_input_1.isUserInputExpression)(apiKeyProp)) {
+                                if (!flagged.has(node.startPosition.row)) {
+                                    flagged.add(node.startPosition.row);
+                                    emitMatch(node, apiKeyProp, 'Client initialized with user-provided key');
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            // Pattern 2: Property access that extracts key from user input
+            // e.g., req.body.apiKey, body.openaiKey, params.anthropicKey
+            if (node.type === 'member_expression') {
+                const text = node.text;
+                if (/^(?:req|request|body|params|input)\.(?:\w+\.)*(?:api[-_]?key|openai[-_]?key|anthropic[-_]?key|ai[-_]?key|llm[-_]?key)/i.test(text)) {
+                    // Check if this is in an assignment or used as argument
+                    const parent = node.parent;
+                    if (parent && (parent.type === 'variable_declarator' || parent.type === 'assignment_expression' || parent.type === 'pair' || parent.type === 'arguments')) {
+                        if (!flagged.has(node.startPosition.row)) {
+                            flagged.add(node.startPosition.row);
+                            emitMatch(node, node, 'User-provided API key accessed');
+                        }
+                    }
+                }
+            }
+            // Pattern 3: apiKey = req.body... or apiKey: req.body...
+            if (node.type === 'pair') {
+                const key = node.childForFieldName('key');
+                const value = node.childForFieldName('value');
+                if (key && value) {
+                    const keyText = key.text.replace(/['"]/g, '');
+                    if (/^(?:apiKey|api_key|token|secret|key)$/i.test(keyText) && (0, user_input_1.isUserInputExpression)(value)) {
+                        if (!flagged.has(node.startPosition.row)) {
+                            flagged.add(node.startPosition.row);
+                            emitMatch(node, value, `User-provided ${keyText} detected`);
+                        }
+                    }
+                }
+            }
+        }
+        function emitMatch(contextNode, reportNode, detail) {
+            // Skip example/placeholder values
+            if (isExampleCredential(reportNode.text))
+                return;
+            // Determine context from enclosing function
+            let fnBody = null;
+            let current = contextNode.parent;
+            while (current) {
+                if (/function_declaration|arrow_function|function_expression|method_definition/.test(current.type)) {
+                    fnBody = current.childForFieldName('body') ?? current;
+                    break;
+                }
+                current = current.parent;
+            }
+            const bodyText = fnBody?.text ?? content;
+            const isAuthenticated = hasAuth;
+            const isTransient = isTransientUsage(bodyText);
+            const isStored = hasStorageInScope(bodyText);
+            const keyLogged = isKeyLogged(bodyText);
+            // Severity determination (mirrors regex logic)
+            let severity;
+            let note;
+            if (isTransient && !keyLogged) {
+                // Transient BYOK — key used immediately and not stored. Skip regardless of auth.
+                return;
+            }
+            else if (isTransient && keyLogged) {
+                severity = 'low';
+                note = `${detail}. Keys used transiently but logged (avoid logging API keys).`;
+            }
+            else if (!isAuthenticated && isStored) {
+                severity = 'medium';
+                note = `${detail}. Endpoint lacks auth AND stores keys — unauthorized key storage risk.`;
+            }
+            else if (isStored && isAuthenticated) {
+                severity = 'info';
+                note = `${detail}. Authenticated route stores keys — consider encryption at rest.`;
+            }
+            else {
+                severity = 'info';
+                note = `${detail}. BYOK feature detected.`;
+            }
+            if (isTestFile) {
+                severity = 'info';
+                note += ' (in test file)';
+            }
+            matches.push({ node: reportNode, severity, note });
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=byok-ast.js.map

package/dist/detect/ast-rules/byok-ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"byok-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/byok-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAGH,mCAAsF;AAEtF,2DAA0H;AAC1H,qDAA4D;AAC5D,mEAA4E;AAC5E,iEAAqG;AAErG,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,mEAAmE;AACnE,SAAS,kBAAkB,CAAC,IAAuB;IACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAA;IACtB,OAAO,qEAAqE,CAAC,IAAI,CAAC,IAAI,CAAC;QACrF,kEAAkE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACjF,CAAC;AAED,kDAAkD;AAClD,SAAS,cAAc,CAAC,OAAe;IACrC,OAAO,0OAA0O,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AACjQ,CAAC;AAED,kDAAkD;AAClD,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,eAAe,GAAG,2MAA2M,CAAA;IACnO,MAAM,YAAY,GAAG,0FAA0F,CAAA;IAC/G,OAAO,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACvE,CAAC;AAED,wEAAwE;AACxE,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,SAAS,GAAG,iHAAiH,CAAA;IACnI,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAA;AACjE,CAAC;AAED,6BAA6B;AAC7B,SAAS,WAAW,CAAC,QAAgB;IACnC,OAAO,uEAAuE,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC3F,sEAAsE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AACzF,CAAC;AAED,4CAA4C;AAC5C,SAAS,mBAAmB,CAAC,IAAY;IACvC,OAAO,4IAA4I,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAChK,CAAC;AAED,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,kBAAkB;IACtB,KAAK,EAAE,sCAAsC;IAC7C,WAAW,EAAE,qFAAqF;IAClG,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,YAAY;IACtB,YAAY,EAAE,+GAA+G;IAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC9C,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,SAAS;IACjB,oBAAoB,EAAE,IAAI;IAC1B,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,+BAAa,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE1C,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAC9B,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACjD,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAA;QAEjC,gCAAgC;QAChC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,IAAA,kCAAc,EAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAExE,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,CAAC,EAAE,CAAC;YACvF,kDAAkD;YAClD,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACnC,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAA;gBACzD,IAAI,WAAW,IAAI,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjE,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAA;oBACjE,IAAI,IAAI,EAAE,CAAC;wBACT,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;wBACtC,IAAI,QAAQ,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;4BAChC,MAAM,UAAU,GAAG,IAAA,wCAAwB,EAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;4BAC/D,IAAI,UAAU,IAAI,IAAA,kCAAqB,EAAC,UAAU,CAAC,EAAE,CAAC;gCACpD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;oCACzC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;oCACnC,SAAS,CAAC,IAAI,EAAE,UAAU,EAAE,2CAA2C,CAAC,CAAA;gCAC1E,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,+DAA+D;YAC/D,6DAA6D;YAC7D,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,wHAAwH,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxI,wDAAwD;oBACxD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAA;oBAC1B,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,qBAAqB,IAAI,MAAM,CAAC,IAAI,KAAK,uBAAuB,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,CAAC,EAAE,CAAC;wBAC1J,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;4BACzC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;4BACnC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,gCAAgC,CAAC,CAAA;wBACzD,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAA;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;gBAC7C,IAAI,GAAG,IAAI,KAAK,EAAE,CAAC;oBACjB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;oBAC7C,IAAI,wCAAwC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAA,kCAAqB,EAAC,KAAK,CAAC,EAAE,CAAC;wBAC3F,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;4BACzC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;4BACnC,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,iBAAiB,OAAO,WAAW,CAAC,CAAA;wBAC7D,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,SAAS,SAAS,CAAC,WAA8B,EAAE,UAA6B,EAAE,MAAc;YAC9F,kCAAkC;YAClC,IAAI,mBAAmB,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,OAAM;YAEhD,4CAA4C;YAC5C,IAAI,MAAM,GAA6B,IAAI,CAAA;YAC3C,IAAI,OAAO,GAA6B,WAAW,CAAC,MAAM,CAAA;YAC1D,OAAO,OAAO,EAAE,CAAC;gBACf,IAAI,2EAA2E,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnG,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,OAAO,CAAA;oBACrD,MAAK;gBACP,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;YAC1B,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,EAAE,IAAI,IAAI,OAAO,CAAA;YAExC,MAAM,eAAe,GAAG,OAAO,CAAA;YAC/B,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAA;YAC9C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAA;YAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAA;YAEvC,+CAA+C;YAC/C,IAAI,QAA4C,CAAA;YAChD,IAAI,IAAY,CAAA;YAEhB,IAAI,WAAW,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC9B,iFAAiF;gBACjF,OAAM;YACR,CAAC;iBAAM,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;gBACpC,QAAQ,GAAG,KAAK,CAAA;gBAChB,IAAI,GAAG,GAAG,MAAM,8DAA8D,CAAA;YAChF,CAAC;iBAAM,IAAI,CAAC,eAAe,IAAI,QAAQ,EAAE,CAAC;gBACxC,QAAQ,GAAG,QAAQ,CAAA;gBACnB,IAAI,GAAG,GAAG,MAAM,wEAAwE,CAAA;YAC1F,CAAC;iBAAM,IAAI,QAAQ,IAAI,eAAe,EAAE,CAAC;gBACvC,QAAQ,GAAG,MAAM,CAAA;gBACjB,IAAI,GAAG,GAAG,MAAM,kEAAkE,CAAA;YACpF,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,MAAM,CAAA;gBACjB,IAAI,GAAG,GAAG,MAAM,0BAA0B,CAAA;YAC5C,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,IAAI,IAAI,iBAAiB,CAAA;YAC3B,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;QACpD,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/child-process-ast.d.ts

@@ -0,0 +1,13 @@
+/**
+ * AST-Based child_process / Command Injection Detection
+ *
+ * Migrates dangerous-functions child-process detection to AST.
+ *
+ * AST advantages:
+ * - Resolves child_process imports: const { exec } = require('child_process')
+ * - Tracks aliased imports: import { exec as run } from 'child_process'
+ * - Detects if command arguments are static vs dynamic
+ * - Understands allowlist patterns nearby in the function
+ */
+export {};
+//# sourceMappingURL=child-process-ast.d.ts.map

package/dist/detect/ast-rules/child-process-ast.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"child-process-ast.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/child-process-ast.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}