@oculum/scanner 1.0.14 → 1.0.15

package/src/__tests__/detect/python-sast-rules.test.ts

@@ -0,0 +1,453 @@
+/**
+ * Python General SAST Rule Tests
+ *
+ * Tests for Python branches of dangerous-eval-ast, child-process-ast,
+ * sql-injection-ast, and ssrf-ast rules.
+ */
+
+import { parseFile, clearASTCache } from '../../parse/ast'
+import { runASTRules } from '../../detect/ast-rules'
+import type { Vulnerability } from '../../shared/types'
+
+// Side-effect imports to register rules
+import '../../detect/ast-rules/dangerous-eval-ast'
+import '../../detect/ast-rules/child-process-ast'
+import '../../detect/ast-rules/sql-injection-ast'
+import '../../detect/ast-rules/ssrf-ast'
+
+function scanPython(code: string, filePath = 'app/server.py'): Vulnerability[] {
+  const ast = parseFile(code, filePath)
+  if (!ast) throw new Error('Failed to parse Python code')
+  return runASTRules(ast, code)
+}
+
+beforeEach(() => {
+  clearASTCache()
+})
+
+// ============================================================================
+// dangerous-eval-ast (Python)
+// ============================================================================
+
+describe('dangerous-eval-ast (Python)', () => {
+  it('detects eval() with dynamic argument', () => {
+    const findings = scanPython(`
+user_expr = get_input()
+result = eval(user_expr)
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('eval()'))
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('high')
+  })
+
+  it('detects exec() with dynamic argument', () => {
+    const findings = scanPython(`
+code = generate_code()
+exec(code)
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('exec()'))
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('high')
+  })
+
+  it('detects compile() with dynamic argument', () => {
+    const findings = scanPython(`
+source = read_source()
+code_obj = compile(source, '<string>', 'exec')
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('compile()'))
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('medium')
+  })
+
+  it('detects __import__() with dynamic argument', () => {
+    const findings = scanPython(`
+module_name = get_module()
+mod = __import__(module_name)
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('__import__()'))
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('high')
+  })
+
+  it('skips model.eval() — PyTorch method call', () => {
+    const findings = scanPython(`
+import torch
+model = torch.nn.Linear(10, 5)
+model.eval()
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('eval()'))
+    expect(match).toBeUndefined()
+  })
+
+  it('skips eval with static string', () => {
+    const findings = scanPython(`
+result = eval("2 + 2")
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('eval()'))
+    expect(match).toBeUndefined()
+  })
+
+  it('detects aliased eval: e = eval; e(x)', () => {
+    const findings = scanPython(`
+e = eval
+e(user_code)
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('eval()'))
+    expect(match).toBeDefined()
+  })
+
+  it('detects aliased exec: run = exec; run(x)', () => {
+    const findings = scanPython(`
+run = exec
+run(user_code)
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('exec()'))
+    expect(match).toBeDefined()
+  })
+
+  it('escalates eval() with user input to critical', () => {
+    const findings = scanPython(`
+result = eval(request.form.get('expression'))
+`)
+    const match = findings.find(f => f.category === 'dangerous_function' && f.description.includes('eval()'))
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+  })
+})
+
+// ============================================================================
+// child-process-ast (Python)
+// ============================================================================
+
+describe('child-process-ast (Python)', () => {
+  it('detects subprocess.run with dynamic arg', () => {
+    const findings = scanPython(`
+import subprocess
+cmd = get_command()
+subprocess.run(cmd)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+  })
+
+  it('detects os.system with dynamic arg', () => {
+    const findings = scanPython(`
+import os
+cmd = get_command()
+os.system(cmd)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('os.system()')
+  })
+
+  it('detects subprocess with shell=True', () => {
+    const findings = scanPython(`
+import subprocess
+cmd = get_command()
+subprocess.run(cmd, shell=True)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+    expect(match!.description).toContain('shell=True')
+  })
+
+  it('skips static command in build context', () => {
+    const findings = scanPython(`
+import subprocess
+subprocess.run("echo hello")
+`, 'scripts/build/setup.py')
+    const match = findings.find(f => f.category === 'command_injection')
+    if (match) {
+      expect(match.severity).toBe('info')
+    }
+  })
+
+  it('detects direct import: from subprocess import run; run(cmd)', () => {
+    const findings = scanPython(`
+from subprocess import run
+cmd = get_command()
+run(cmd, shell=True)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+  })
+
+  it('detects aliased import: from subprocess import run as r', () => {
+    const findings = scanPython(`
+from subprocess import run as r
+cmd = get_command()
+r(cmd)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+  })
+
+  it('downgrades severity in desktop context', () => {
+    const findings = scanPython(`
+import subprocess
+cmd = get_command()
+subprocess.run(cmd)
+`, 'src/electron/main.py')
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('medium')
+  })
+
+  it('downgrades severity in MCP context', () => {
+    const findings = scanPython(`
+import subprocess
+cmd = get_command()
+subprocess.run(cmd)
+`, 'src/mcp/server.py')
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('medium')
+  })
+
+  it('respects Python allowlist validation', () => {
+    const findings = scanPython(`
+import subprocess
+
+def handle(cmd):
+    if cmd in ALLOWED_COMMANDS:
+        subprocess.run(cmd)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeUndefined()
+  })
+
+  it('skips when subprocess not imported', () => {
+    const findings = scanPython(`
+cmd = get_command()
+subprocess.run(cmd)
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeUndefined()
+  })
+
+  it('escalates to critical with user input', () => {
+    const findings = scanPython(`
+import subprocess
+subprocess.run(request.form.get('cmd'))
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+  })
+
+  it('detects os.execv with dynamic arg', () => {
+    const findings = scanPython(`
+import os
+cmd = get_command()
+os.execv(cmd, [cmd])
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+  })
+
+  it('keeps shell=True critical even in desktop context', () => {
+    const findings = scanPython(`
+import subprocess
+cmd = get_command()
+subprocess.run(cmd, shell=True)
+`, 'src/electron/main.py')
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+  })
+
+  it('fully suppresses static subprocess with no dynamic args', () => {
+    const findings = scanPython(`
+import subprocess
+subprocess.run(["/usr/sbin/system_profiler", "SPHardwareDataType"])
+`)
+    const match = findings.find(f => f.category === 'command_injection')
+    expect(match).toBeUndefined()
+  })
+})
+
+// ============================================================================
+// sql-injection-ast (Python)
+// ============================================================================
+
+describe('sql-injection-ast (Python)', () => {
+  it('detects f-string SQL in cursor.execute', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+    expect(match!.description).toContain('f-string')
+  })
+
+  it('detects string concatenation SQL', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('critical')
+    expect(match!.description).toContain('concatenation')
+  })
+
+  it('detects Django .raw() with f-string', () => {
+    const findings = scanPython(`
+name = get_name()
+User.objects.raw(f"SELECT * FROM users WHERE name = '{name}'")
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('f-string')
+  })
+
+  it('detects %-formatting SQL', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('%-formatting')
+  })
+
+  it('detects .format() SQL', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute("SELECT * FROM users WHERE name = '{}'".format(name))
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('.format()')
+  })
+
+  it('skips parameterized cursor.execute with tuple', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeUndefined()
+  })
+
+  it('skips parameterized cursor.execute with dict', () => {
+    const findings = scanPython(`
+name = get_name()
+cursor.execute("SELECT * FROM users WHERE name = :name", {"name": name})
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeUndefined()
+  })
+
+  it('skips static SQL string', () => {
+    const findings = scanPython(`
+cursor.execute("SELECT * FROM users WHERE active = 1")
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeUndefined()
+  })
+
+  it('detects SQLAlchemy text() with f-string', () => {
+    const findings = scanPython(`
+name = get_name()
+db.execute(text(f"SELECT * FROM users WHERE name = '{name}'"))
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('text()')
+  })
+
+  it('detects SQLAlchemy text() with concatenation', () => {
+    const findings = scanPython(`
+name = get_name()
+db.execute(text("SELECT * FROM users WHERE name = '" + name + "'"))
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.description).toContain('text()')
+  })
+
+  it('downgrades parameterized query with f-string LIMIT to info', () => {
+    const findings = scanPython(`
+latest_n = 5
+cursor.execute(f"SELECT * FROM tasks WHERE description = ? ORDER BY id LIMIT {latest_n}", (task_description,))
+`)
+    const match = findings.find(f => f.category === 'sql_injection')
+    expect(match).toBeDefined()
+    expect(match!.severity).toBe('info')
+    expect(match!.description).toContain('f-string')
+  })
+})
+
+// ============================================================================
+// ssrf-ast (Python)
+// ============================================================================
+
+describe('ssrf-ast (Python)', () => {
+  it('detects requests.get with user input', () => {
+    const findings = scanPython(`
+import requests
+response = requests.get(request.form.get('url'))
+`)
+    const match = findings.find(f => f.category === 'ssrf')
+    expect(match).toBeDefined()
+  })
+
+  it('detects httpx.get with user input', () => {
+    const findings = scanPython(`
+import httpx
+response = httpx.get(request.args.get('url'))
+`)
+    const match = findings.find(f => f.category === 'ssrf')
+    expect(match).toBeDefined()
+  })
+
+  it('detects variable-mediated SSRF', () => {
+    const findings = scanPython(`
+import requests
+target_url = request.json['url']
+response = requests.get(target_url)
+`)
+    const match = findings.find(f => f.category === 'ssrf' && f.description.includes('target_url'))
+    expect(match).toBeDefined()
+  })
+
+  it('skips requests.get with static URL', () => {
+    const findings = scanPython(`
+import requests
+response = requests.get("https://api.example.com/data")
+`)
+    const match = findings.find(f => f.category === 'ssrf')
+    expect(match).toBeUndefined()
+  })
+
+  it('skips when mitigation present', () => {
+    const findings = scanPython(`
+import requests
+from urllib.parse import urlparse
+
+def fetch(url):
+    parsed = urlparse(url)
+    if parsed.hostname not in allowedHosts:
+        raise ValueError("blocked")
+    return requests.get(request.args.get('url'))
+`)
+    const match = findings.find(f => f.category === 'ssrf')
+    expect(match).toBeUndefined()
+  })
+
+  it('detects open redirect with user input', () => {
+    const findings = scanPython(`
+from flask import redirect
+return redirect(request.args.get('next'))
+`)
+    const match = findings.find(f => f.category === 'ssrf' && f.description.includes('redirect'))
+    expect(match).toBeDefined()
+  })
+})

package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts

@@ -0,0 +1,151 @@
+/**
+ * Unit tests for Rules File Backdoor decoders and isAIRulesFile classifier
+ *
+ * Run: npx jest src/__tests__/detect/rules-file-backdoor-decoders.test.ts
+ */
+
+import { decodeZeroWidthBinary, decodeTagBlock } from '../../detect/config/rules-file-backdoor'
+import { isAIRulesFile, isAgentSkillFile } from '../../parse/file-classifier'
+
+// ============================================================================
+// decodeZeroWidthBinary
+// ============================================================================
+
+describe('decodeZeroWidthBinary', () => {
+  it('should decode valid 8-bit zero-width binary to ASCII', () => {
+    // Encode "Hi" — H=01001000, i=01101001
+    // U+200B=0, U+200C=1
+    const H = '\u200B\u200C\u200B\u200B\u200C\u200B\u200B\u200B' // 01001000
+    const i = '\u200B\u200C\u200C\u200B\u200C\u200B\u200B\u200C' // 01101001
+    expect(decodeZeroWidthBinary(H + i)).toBe('Hi')
+  })
+
+  it('should return empty string for fewer than 8 zero-width chars', () => {
+    expect(decodeZeroWidthBinary('\u200B\u200C\u200B')).toBe('')
+  })
+
+  it('should return empty string for no zero-width chars', () => {
+    expect(decodeZeroWidthBinary('Hello world')).toBe('')
+  })
+
+  it('should skip non-zero-width characters interspersed', () => {
+    // "A" = 01000001
+    const A = '\u200B\u200C\u200B\u200B\u200B\u200B\u200B\u200C'
+    const withNoise = 'some text' + A + 'more text'
+    expect(decodeZeroWidthBinary(withNoise)).toBe('A')
+  })
+
+  it('should handle incomplete trailing bits', () => {
+    // "A" (8 bits) + 3 extra bits
+    const A = '\u200B\u200C\u200B\u200B\u200B\u200B\u200B\u200C'
+    const extra = '\u200B\u200C\u200B'
+    expect(decodeZeroWidthBinary(A + extra)).toBe('A')
+  })
+})
+
+// ============================================================================
+// decodeTagBlock
+// ============================================================================
+
+describe('decodeTagBlock', () => {
+  it('should decode tag block characters to ASCII', () => {
+    // U+E0063 → 'c', U+E0061 → 'a', U+E0074 → 't'
+    const encoded = String.fromCodePoint(0xE0063, 0xE0061, 0xE0074)
+    expect(decodeTagBlock(encoded)).toBe('cat')
+  })
+
+  it('should return empty string for no tag block chars', () => {
+    expect(decodeTagBlock('Hello world')).toBe('')
+  })
+
+  it('should skip tag chars outside printable ASCII range', () => {
+    // U+E0001 → ASCII 1 (non-printable), should skip
+    const nonPrintable = String.fromCodePoint(0xE0001)
+    expect(decodeTagBlock(nonPrintable)).toBe('')
+  })
+
+  it('should handle mixed tag block and normal characters', () => {
+    const H = String.fromCodePoint(0xE0048) // 'H'
+    const i = String.fromCodePoint(0xE0069) // 'i'
+    const mixed = 'normal' + H + 'text' + i
+    expect(decodeTagBlock(mixed)).toBe('Hi')
+  })
+})
+
+// ============================================================================
+// isAIRulesFile
+// ============================================================================
+
+describe('isAIRulesFile', () => {
+  // Files that SHOULD match
+  const shouldMatch = [
+    'project/.cursorrules',
+    'project/.windsurfrules',
+    '.cursorrules',
+    '.windsurfrules',
+    'project/CLAUDE.md',
+    'CLAUDE.md',
+    'project/.cursor/rules/security.mdc',
+    'project/.cursor/commands/test.md',
+    'project/.cursor/tools/lint.md',
+    'project/.claude/commands/deploy.md',
+    'project/.claude/skills/review.md',
+    'project/.claude/tools/test.md',
+    'project/.claude/settings.json',
+    'project/.claude/instructions.md',
+    'project/.github/copilot-instructions.md',
+    'project/.github/agents/reviewer.md',
+    'project/.gemini/config.json',
+    'project/global_rules.md',
+    'project/src/rules/test.mdc',
+  ]
+
+  // Files that should NOT match
+  const shouldNotMatch = [
+    'project/README.md',
+    'project/src/index.ts',
+    'project/package.json',
+    'project/.env',
+    'project/docs/guide.md',
+    'project/src/utils.js',
+  ]
+
+  for (const filePath of shouldMatch) {
+    it(`should match: ${filePath}`, () => {
+      expect(isAIRulesFile(filePath)).toBe(true)
+    })
+  }
+
+  for (const filePath of shouldNotMatch) {
+    it(`should NOT match: ${filePath}`, () => {
+      expect(isAIRulesFile(filePath)).toBe(false)
+    })
+  }
+
+  it('isAIRulesFile is a superset of isAgentSkillFile', () => {
+    // Every path matched by isAgentSkillFile should also be matched by isAIRulesFile
+    const skillPaths = [
+      'project/.cursorrules',
+      'project/.cursor/rules/test.mdc',
+      'project/.claude/commands/deploy.md',
+      'project/.github/copilot-instructions.md',
+      'project/.github/agents/reviewer.md',
+    ]
+    for (const p of skillPaths) {
+      expect(isAgentSkillFile(p)).toBe(true)
+      expect(isAIRulesFile(p)).toBe(true)
+    }
+  })
+
+  it('isAIRulesFile matches paths that isAgentSkillFile does NOT', () => {
+    // Root CLAUDE.md is NOT a skill file but IS an AI rules file
+    expect(isAgentSkillFile('project/CLAUDE.md')).toBe(false)
+    expect(isAIRulesFile('project/CLAUDE.md')).toBe(true)
+
+    // .windsurfrules
+    expect(isAIRulesFile('project/.windsurfrules')).toBe(true)
+
+    // .gemini directory
+    expect(isAIRulesFile('project/.gemini/rules.json')).toBe(true)
+  })
+})