@oculum/scanner 1.0.14 → 1.0.15

package/src/__tests__/taint/sanitizer-registry.test.ts

@@ -0,0 +1,304 @@
+/**
+ * Unit tests for AST-based sanitizer registry
+ */
+
+import Parser from 'tree-sitter'
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const { typescript: TypeScript, tsx: TSX } = require('tree-sitter-typescript')
+import type { ParsedAST } from '../../parse/ast'
+import { buildSanitizerRegistry } from '../../taint/sanitizer-registry'
+import type { TaintSanitizer, TaintKind } from '../../taint/types'
+
+// Dedicated parsers for this test file — kept at module scope to prevent native GC
+const tsParser = new Parser()
+tsParser.setLanguage(TypeScript)
+const tsxParser = new Parser()
+tsxParser.setLanguage(TSX)
+
+let counter = 0
+function getSanitizers(code: string, filePath?: string): TaintSanitizer[] {
+  const fp = filePath ?? `sanitizer-test-${++counter}.ts`
+  const parser = fp.endsWith('.tsx') ? tsxParser : tsParser
+  const tree = parser.parse(code)
+  const ast: ParsedAST = { tree, language: fp.endsWith('.tsx') ? 'tsx' : 'typescript', filePath: fp, hash: '' }
+  return buildSanitizerRegistry(ast)
+}
+
+function findSanitizerByName(sanitizers: TaintSanitizer[], name: string | RegExp): TaintSanitizer | undefined {
+  if (typeof name === 'string') {
+    return sanitizers.find(s => s.name === name)
+  }
+  return sanitizers.find(s => name.test(s.name))
+}
+
+describe('buildSanitizerRegistry', () => {
+  // ====================================================================
+  // DOMPurify — clears xss ONLY
+  // ====================================================================
+  describe('DOMPurify', () => {
+    it('detects DOMPurify.sanitize() and clears xss only', () => {
+      const sanitizers = getSanitizers(`
+        import DOMPurify from 'dompurify'
+        const clean = DOMPurify.sanitize(dirty)
+      `)
+      const s = findSanitizerByName(sanitizers, 'DOMPurify.sanitize')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('xss')).toBe(true)
+      expect(s!.clearsKinds.has('sql')).toBe(false)
+      expect(s!.clearsKinds.has('command')).toBe(false)
+      expect(s!.clearsKinds.has('path')).toBe(false)
+      expect(s!.clearsKinds.has('prompt')).toBe(false)
+      expect(s!.clearsKinds.has('ssrf')).toBe(false)
+      expect(s!.detection).toBe('known_library')
+      expect(s!.library).toBe('dompurify')
+    })
+
+    it('does NOT detect DOMPurify.sanitize() without import', () => {
+      const sanitizers = getSanitizers(`
+        const clean = DOMPurify.sanitize(dirty)
+      `)
+      // Should not find it via known_library detection (may still find via name_heuristic)
+      const knownLib = sanitizers.find(s => s.detection === 'known_library' && s.name === 'DOMPurify.sanitize')
+      expect(knownLib).toBeUndefined()
+    })
+  })
+
+  // ====================================================================
+  // Schema validation — clears all kinds
+  // ====================================================================
+  describe('schema validation', () => {
+    it('zod.parse clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        import { z } from 'zod'
+        const schema = z.object({ name: z.string() })
+        const validated = schema.parse(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'zod.parse')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('sql')).toBe(true)
+      expect(s!.clearsKinds.has('xss')).toBe(true)
+      expect(s!.clearsKinds.has('command')).toBe(true)
+      expect(s!.clearsKinds.has('path')).toBe(true)
+      expect(s!.clearsKinds.has('prompt')).toBe(true)
+      expect(s!.clearsKinds.has('ssrf')).toBe(true)
+      expect(s!.library).toBe('zod')
+    })
+
+    it('joi.validate clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        import Joi from 'joi'
+        const result = schema.validate(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'joi.validate')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+    })
+
+    it('yup.validate clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        import * as yup from 'yup'
+        const result = await schema.validate(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'yup.validate')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+    })
+  })
+
+  // ====================================================================
+  // Type coercion — clears all kinds
+  // ====================================================================
+  describe('type coercion', () => {
+    it('Number() clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        const id = Number(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'Number')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+      expect(s!.detection).toBe('known_library')
+    })
+
+    it('parseInt() clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        const id = parseInt(input, 10)
+      `)
+      const s = findSanitizerByName(sanitizers, 'parseInt')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+    })
+
+    it('parseFloat() clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        const price = parseFloat(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'parseFloat')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+    })
+
+    it('Boolean() clears all taint kinds', () => {
+      const sanitizers = getSanitizers(`
+        const flag = Boolean(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'Boolean')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6)
+    })
+  })
+
+  // ====================================================================
+  // URL encoding — clears ssrf + xss
+  // ====================================================================
+  describe('URL encoding', () => {
+    it('encodeURIComponent clears ssrf and xss', () => {
+      const sanitizers = getSanitizers(`
+        const safe = encodeURIComponent(input)
+      `)
+      const s = findSanitizerByName(sanitizers, 'encodeURIComponent')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('ssrf')).toBe(true)
+      expect(s!.clearsKinds.has('xss')).toBe(true)
+      expect(s!.clearsKinds.has('sql')).toBe(false)
+      expect(s!.clearsKinds.has('command')).toBe(false)
+    })
+  })
+
+  // ====================================================================
+  // Path sanitization — clears path
+  // ====================================================================
+  describe('path sanitization', () => {
+    it('path.normalize is NOT a sanitizer (does not prevent traversal)', () => {
+      const sanitizers = getSanitizers(`
+        const safe = path.normalize(userPath)
+      `)
+      const s = findSanitizerByName(sanitizers, 'path.normalize')
+      expect(s).toBeUndefined()
+    })
+
+    it('path.basename clears path', () => {
+      const sanitizers = getSanitizers(`
+        const filename = path.basename(userPath)
+      `)
+      const s = findSanitizerByName(sanitizers, 'path.basename')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('path')).toBe(true)
+    })
+  })
+
+  // ====================================================================
+  // Parameterized queries — clears sql
+  // ====================================================================
+  describe('parameterized queries', () => {
+    it('detects $1 placeholder pattern', () => {
+      const sanitizers = getSanitizers(`
+        db.query('SELECT * FROM users WHERE id = $1', [userId])
+      `)
+      const s = findSanitizerByName(sanitizers, 'parameterized_query')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('sql')).toBe(true)
+      expect(s!.clearsKinds.size).toBe(1)
+    })
+
+    it('detects ? placeholder pattern', () => {
+      const sanitizers = getSanitizers(`
+        db.query('SELECT * FROM users WHERE id = ?', [userId])
+      `)
+      const s = findSanitizerByName(sanitizers, 'parameterized_query')
+      expect(s).toBeDefined()
+    })
+  })
+
+  // ====================================================================
+  // React JSX auto-escaping — clears xss
+  // ====================================================================
+  describe('JSX auto-escaping', () => {
+    it('detects JSX expression auto-escaping', () => {
+      const sanitizers = getSanitizers(`
+        const el = <div>{userInput}</div>
+      `, 'test.tsx')
+      const s = findSanitizerByName(sanitizers, 'jsx_auto_escape')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('xss')).toBe(true)
+      expect(s!.clearsKinds.size).toBe(1)
+      expect(s!.detection).toBe('framework_auto')
+    })
+
+    it('does NOT mark dangerouslySetInnerHTML as auto-escaped', () => {
+      const sanitizers = getSanitizers(`
+        const el = <div dangerouslySetInnerHTML={{ __html: content }} />
+      `, 'test.tsx')
+      // Should NOT have jsx_auto_escape for dangerouslySetInnerHTML
+      const autoEscapes = sanitizers.filter(
+        s => s.name === 'jsx_auto_escape' && s.line === 2
+      )
+      expect(autoEscapes).toHaveLength(0)
+    })
+  })
+
+  // ====================================================================
+  // Name heuristic sanitizers
+  // ====================================================================
+  describe('name heuristic', () => {
+    it('detects function named sanitizeInput()', () => {
+      const sanitizers = getSanitizers(`
+        const clean = sanitizeInput(dirty)
+      `)
+      const s = sanitizers.find(s => s.detection === 'name_heuristic' && /sanitize/i.test(s.name))
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.size).toBe(6) // sanitize* clears all
+    })
+
+    it('detects function named escapeHtml()', () => {
+      const sanitizers = getSanitizers(`
+        const safe = escapeHtml(dirty)
+      `)
+      const s = sanitizers.find(s => s.detection === 'name_heuristic' && /escape/i.test(s.name))
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('xss')).toBe(true)
+    })
+
+    it('detects function named cleanUserInput()', () => {
+      const sanitizers = getSanitizers(`
+        const safe = cleanUserInput(dirty)
+      `)
+      const s = sanitizers.find(s => s.detection === 'name_heuristic' && /clean/i.test(s.name))
+      expect(s).toBeDefined()
+    })
+  })
+
+  // ====================================================================
+  // Shell escape — clears command
+  // ====================================================================
+  describe('shell escape', () => {
+    it('detects shellescape from shell-escape', () => {
+      const sanitizers = getSanitizers(`
+        import shellescape from 'shell-escape'
+        const safe = shellescape([cmd])
+      `)
+      const s = findSanitizerByName(sanitizers, 'shellescape')
+      expect(s).toBeDefined()
+      expect(s!.clearsKinds.has('command')).toBe(true)
+      expect(s!.clearsKinds.size).toBe(1)
+    })
+  })
+
+  // ====================================================================
+  // Negative cases
+  // ====================================================================
+  describe('negative cases', () => {
+    it('does NOT flag console.log as a sanitizer', () => {
+      const sanitizers = getSanitizers(`
+        console.log(data)
+      `)
+      expect(sanitizers.filter(s => s.name.includes('log'))).toHaveLength(0)
+    })
+
+    it('does NOT flag JSON.parse as a sanitizer', () => {
+      const sanitizers = getSanitizers(`
+        const obj = JSON.parse(data)
+      `)
+      expect(sanitizers.filter(s => s.name.includes('parse') && s.detection !== 'name_heuristic')).toHaveLength(0)
+    })
+  })
+})

package/src/__tests__/taint/sanitizer-regression.test.ts

@@ -0,0 +1,111 @@
+/**
+ * Regression tests for taint engine sanitizer bugs.
+ *
+ * Bug #1: findMatchingSanitizer bidirectional check — sanitizer nested inside
+ *         a call's args incorrectly cleared taint from sibling args.
+ * Bug #2: path.normalize / path.resolve registered as path sanitizers despite
+ *         not preventing path traversal attacks.
+ */
+
+import Parser from 'tree-sitter'
+import { createHash } from 'crypto'
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const { typescript: TypeScript } = require('tree-sitter-typescript')
+import type { ParsedAST } from '../../parse/ast'
+import type { TaintFinding } from '../../taint/propagation-types'
+import { analyzeTaintsForFile } from '../../taint/taint-analyzer'
+
+// Dedicated parser for this test file
+const tsParser = new Parser()
+tsParser.setLanguage(TypeScript)
+
+let counter = 0
+function analyze(code: string): TaintFinding[] {
+  const fp = `sanitizer-regression-${++counter}.ts`
+  const tree = tsParser.parse(code)
+  const hash = createHash('sha1').update(code + counter).digest('hex')
+  const ast: ParsedAST = { tree, language: 'typescript', filePath: fp, hash }
+  return analyzeTaintsForFile(ast, fp)
+}
+
+function hasKind(finding: TaintFinding, kind: string): boolean {
+  return finding.matchingKinds.has(kind as any)
+}
+
+// ============================================================================
+// Bug #1: Sanitizer inside call args should not clear sibling arg taint
+// ============================================================================
+describe('Bug #1: Sanitizer should not clear sibling arg taint', () => {
+  it('foo(sanitize(x), y) — y should still be tainted', () => {
+    const findings = analyze(`
+      import DOMPurify from 'dompurify'
+      function handler(req: Request) {
+        const x = req.body.html
+        const y = req.body.raw
+        document.innerHTML = foo(DOMPurify.sanitize(x), y)
+      }
+    `)
+    // y flows to innerHTML — should still produce an xss finding
+    expect(findings.some(f => hasKind(f, 'xss'))).toBe(true)
+  })
+
+  it('exec(DOMPurify.sanitize(input), rawInput) — rawInput taint survives', () => {
+    const findings = analyze(`
+      import DOMPurify from 'dompurify'
+      function handler(req: Request) {
+        const input = req.body.a
+        const rawInput = req.body.b
+        eval(exec(DOMPurify.sanitize(input), rawInput))
+      }
+    `)
+    // rawInput flows through exec() into eval() — command taint should survive
+    expect(findings.some(f => hasKind(f, 'command'))).toBe(true)
+  })
+})
+
+// ============================================================================
+// Bug #2: path.normalize and path.resolve are NOT valid path sanitizers
+// ============================================================================
+describe('Bug #2: path.normalize/resolve should not clear path taint', () => {
+  it('path.normalize(userInput) result should still carry path taint', () => {
+    const findings = analyze(`
+      import path from 'path'
+      import fs from 'fs'
+      function handler(req: Request) {
+        const userPath = req.query.file
+        const normalized = path.normalize(userPath)
+        fs.readFileSync(normalized)
+      }
+    `)
+    // path.normalize does not prevent traversal — path taint should survive
+    expect(findings.some(f => hasKind(f, 'path'))).toBe(true)
+  })
+
+  it('path.resolve(base, userInput) result should still carry path taint', () => {
+    const findings = analyze(`
+      import path from 'path'
+      import fs from 'fs'
+      function handler(req: Request) {
+        const userPath = req.query.file
+        const resolved = path.resolve('/base', userPath)
+        fs.readFileSync(resolved)
+      }
+    `)
+    // path.resolve('/base', '../../etc/passwd') = '/etc/passwd' — not safe
+    expect(findings.some(f => hasKind(f, 'path'))).toBe(true)
+  })
+
+  it('path.basename(userInput) result should NOT carry path taint (valid sanitizer)', () => {
+    const findings = analyze(`
+      import path from 'path'
+      import fs from 'fs'
+      function handler(req: Request) {
+        const userPath = req.query.file
+        const safe = path.basename(userPath)
+        fs.readFileSync(safe)
+      }
+    `)
+    // path.basename strips directory — it IS a valid sanitizer
+    expect(findings.filter(f => hasKind(f, 'path')).length).toBe(0)
+  })
+})