npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/dist/layer2/dangerous-functions/math-random.js ADDED Viewed

@@ -0,0 +1,459 @@
+"use strict";
+/**
+ * Math.random() Detection
+ *
+ * Context-aware detection of Math.random() usage with intelligent severity
+ * classification based on usage context, variable names, and function intent.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isCosmeticMathRandom = isCosmeticMathRandom;
+exports.classifyFunctionIntent = classifyFunctionIntent;
+exports.analyzeToStringPattern = analyzeToStringPattern;
+exports.extractMathRandomVariableName = extractMathRandomVariableName;
+exports.classifyVariableNameRisk = classifyVariableNameRisk;
+exports.analyzeMathRandomContext = analyzeMathRandomContext;
+exports.shouldSkipMathRandom = shouldSkipMathRandom;
+const context_helpers_1 = require("../../utils/context-helpers");
+const control_flow_1 = require("./utils/control-flow");
+/**
+ * Check if Math.random() is used for cosmetic/UI purposes (not security)
+ * Cosmetic uses: CSS values, animations, UI variations, demo data
+ * Security uses: tokens, IDs, cryptographic operations, session management
+ */
+function isCosmeticMathRandom(lineContent, content, lineNumber) {
+    const lines = content.split('\n');
+    // Check the line itself for cosmetic indicators
+    const cosmeticLinePatterns = [
+        // CSS/style values
+        /['"`]\s*\$\{.*Math\.random.*\}\s*%['"`]/, // `${Math.random() * 40 + 50}%`
+        /Math\.random.*\s*\+\s*['"`]%['"`]/, // Math.random() * 40 + '%'
+        /Math\.random.*\)\s*\*\s*\d+\s*\+\s*\d+\s*\}\s*%/, // }) * 40 + 50}%
+        /return\s+`.*Math\.random.*%`/, // return `${...}%`
+        /width:\s*['"`].*Math\.random/i, // width: `${Math.random()...}%`
+        /height:\s*['"`].*Math\.random/i, // height: `${Math.random()...}%`
+        /opacity:\s*['"`]?.*Math\.random/i, // opacity: Math.random()
+        /transform:\s*['"`]?.*Math\.random/i, // transform: translate(...)
+        /rotate\(.*Math\.random/i, // rotate(Math.random() * 360)
+        /translate\(.*Math\.random/i, // translate(Math.random() * 100)
+        /scale\(.*Math\.random/i, // scale(Math.random() * 2)
+        // Color/animation values
+        /rgba?\(.*Math\.random/i, // rgb(Math.random() * 255, ...)
+        /hsl\(.*Math\.random/i, // hsl(Math.random() * 360, ...)
+        /Math\.random.*\*\s*360/, // Math.random() * 360 (degrees/hue)
+        /Math\.random.*\*\s*255/, // Math.random() * 255 (RGB values)
+        // Array/list randomization for UI
+        /Math\.floor\(Math\.random.*\.length\)/, // Math.floor(Math.random() * array.length)
+        /\[Math\.floor\(Math\.random/, // array[Math.floor(Math.random()...)]
+        // Demo/placeholder data
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bpx\b/i, // Math.random() * 100 + 50 + 'px'
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bms\b/i, // Math.random() * 1000 + 500 + 'ms'
+        /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bs\b/i, // Math.random() * 5 + 2 + 's'
+        // NOTE: toString patterns removed - now handled by analyzeToStringPattern()
+        // which provides more granular severity classification (info/low/medium/high)
+        // based on truncation length and context
+    ];
+    if (cosmeticLinePatterns.some(p => p.test(lineContent))) {
+        return true;
+    }
+    // Check surrounding context (5 lines before and after)
+    const contextStart = Math.max(0, lineNumber - 5);
+    const contextEnd = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Context indicators of cosmetic use
+    const cosmeticContextPatterns = [
+        // UI component files - REMOVED, let severity classification handle these
+        // Style-related variables/functions
+        /\b(style|styles|css|className|animation|transition)/i,
+        /\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
+        // Demo/example data
+        /\b(demo|example|placeholder|mock|fake|sample|test)Data/i,
+        /\b(random|shuffle|pick|choose).*\b(color|item|element|option)/i,
+        // Animation/timing
+        /setTimeout.*Math\.random/i,
+        /setInterval.*Math\.random/i,
+        /delay.*Math\.random/i,
+        /duration.*Math\.random/i,
+        // UI state variations
+        /\b(variant|theme|layout|position).*Math\.random/i,
+        // NOTE: Removed UI identifier patterns (key, id, tempId, etc.) - these should be
+        // classified with info/low severity by the severity classification logic, not skipped entirely
+    ];
+    if (cosmeticContextPatterns.some(p => p.test(context))) {
+        return true;
+    }
+    // Security-sensitive patterns that override cosmetic detection
+    const securityPatterns = [
+        /\b(token|secret|key|password|credential|signature)/i,
+        /\b(auth|crypto|encrypt|decrypt|hash)/i,
+        /\b(session|nonce|salt)\b/i,
+        /Math\.random.*\*\s*1e\d+/, // Math.random() * 1e16 (large numbers for IDs)
+    ];
+    if (securityPatterns.some(p => p.test(lineContent) || p.test(context))) {
+        return false; // Not cosmetic - this is security-sensitive
+    }
+    // Check for .toString(36) WITHOUT substring/slice/substr (security token pattern)
+    // If it has substring/slice/substr, it's already caught by cosmeticLinePatterns above
+    const hasToString36WithoutTruncation = /Math\.random\(\)\.toString\(36\)/.test(lineContent) &&
+        !/\.(substring|substr|slice)\(/.test(lineContent);
+    const hasToString16WithoutTruncation = /Math\.random\(\)\.toString\(16\)/.test(lineContent) &&
+        !/\.(substring|substr|slice)\(/.test(lineContent);
+    if (hasToString36WithoutTruncation || hasToString16WithoutTruncation) {
+        return false; // Full-length toString() without truncation - likely security token
+    }
+    return false; // Default to flagging if unclear
+}
+/**
+ * Classify function intent based on function name
+ * Used to determine if Math.random() usage is legitimate
+ */
+function classifyFunctionIntent(functionName) {
+    if (!functionName)
+        return 'unknown';
+    const lower = functionName.toLowerCase();
+    // UUID/ID generation (UI correlation, not security)
+    // Check for specific UUID patterns and generic ID generation functions
+    const uuidPatterns = ['uuid', 'guid', 'uniqueid', 'correlationid', 'tempid', 'temp_id'];
+    // Match patterns like generateId, generateTempId, createId, etc.
+    const idGenerationPatterns = /^(generate|create|make|build)(\w*)?(id|identifier)$/i;
+    if (uuidPatterns.some(p => lower.includes(p)) ||
+        idGenerationPatterns.test(lower)) {
+        return 'uuid';
+    }
+    // CAPTCHA/puzzle generation (legitimate non-security)
+    const captchaPatterns = ['captcha', 'puzzle', 'mathproblem'];
+    // Also check for 'challenge' but only if not in security context
+    if (captchaPatterns.some(p => lower.includes(p)))
+        return 'captcha';
+    if (lower.includes('challenge') && !lower.includes('auth'))
+        return 'captcha';
+    // Demo/seed/fixture data
+    const demoPatterns = ['seed', 'fixture', 'demo', 'mock', 'fake'];
+    if (demoPatterns.some(p => lower.includes(p)))
+        return 'demo';
+    // Security-sensitive (check this after id generation to avoid false positives)
+    const securityPatterns = [
+        'token',
+        'secret',
+        'key',
+        'password',
+        'credential',
+        'signature',
+    ];
+    // Also match generate/create + security term combinations
+    const securityFunctionPattern = /^(generate|create|make)(token|secret|key|session|password|credential)/i;
+    if (securityPatterns.some(p => lower.includes(p)) ||
+        securityFunctionPattern.test(lower)) {
+        return 'security';
+    }
+    return 'unknown';
+}
+/**
+ * Analyze toString() pattern in Math.random() usage
+ * Determines intent based on base and truncation length
+ */
+function analyzeToStringPattern(lineContent) {
+    const toString36Match = lineContent.match(/Math\.random\(\)\.toString\(36\)/);
+    const toString16Match = lineContent.match(/Math\.random\(\)\.toString\(16\)/);
+    if (!toString36Match && !toString16Match) {
+        return {
+            hasToString: false,
+            base: null,
+            isTruncated: false,
+            truncationLength: null,
+            intent: 'unknown',
+        };
+    }
+    const base = toString36Match ? 36 : 16;
+    // Check for truncation methods
+    const substringMatch = lineContent.match(/\.substring\((\d+)(?:,\s*(\d+))?\)/);
+    const sliceMatch = lineContent.match(/\.slice\((\d+)(?:,\s*(\d+))?\)/);
+    const substrMatch = lineContent.match(/\.substr\((\d+)(?:,\s*(\d+))?\)/);
+    const truncMatch = substringMatch || sliceMatch || substrMatch;
+    if (!truncMatch) {
+        return {
+            hasToString: true,
+            base,
+            isTruncated: false,
+            truncationLength: null,
+            intent: 'full-token',
+        };
+    }
+    // Calculate truncation length
+    const start = parseInt(truncMatch[1]);
+    const end = truncMatch[2] ? parseInt(truncMatch[2]) : null;
+    // If no end specified (e.g., .substring(7)), the result is from start to end of string
+    // Math.random().toString(36) produces ~11 chars like "0.abc123def"
+    // .substring(2) gives ~9 chars, .substring(7) gives ~4 chars
+    // Estimate remaining length: ~11 - start
+    const estimatedFullLength = 11;
+    const length = end ? end - start : (start >= 2 ? estimatedFullLength - start : null);
+    // Classify intent by length
+    // Short (2-9 chars): UI correlation IDs, React keys
+    // Medium (10-15 chars): Business IDs, order numbers
+    if (length && length <= 9) {
+        return {
+            hasToString: true,
+            base,
+            isTruncated: true,
+            truncationLength: length,
+            intent: 'short-ui-id',
+        };
+    }
+    else if (length && length <= 15) {
+        return {
+            hasToString: true,
+            base,
+            isTruncated: true,
+            truncationLength: length,
+            intent: 'business-id',
+        };
+    }
+    else {
+        return {
+            hasToString: true,
+            base,
+            isTruncated: true,
+            truncationLength: length,
+            intent: 'business-id',
+        };
+    }
+}
+/**
+ * Extract variable name from Math.random() assignment
+ * Examples:
+ *   const token = Math.random() -> "token"
+ *   const businessId = Math.random().toString(36) -> "businessId"
+ *   return Math.random() -> null (no variable)
+ */
+function extractMathRandomVariableName(lineContent) {
+    // const/let/var variableName = Math.random...
+    const assignmentMatch = lineContent.match(/(?:const|let|var)\s+(\w+)\s*=.*Math\.random/);
+    if (assignmentMatch)
+        return assignmentMatch[1];
+    // object.property = Math.random...
+    const propertyMatch = lineContent.match(/(\w+)\s*[:=]\s*Math\.random/);
+    if (propertyMatch)
+        return propertyMatch[1];
+    // function parameter default: functionName(param = Math.random())
+    const paramMatch = lineContent.match(/(\w+)\s*=\s*Math\.random/);
+    if (paramMatch)
+        return paramMatch[1];
+    return null; // No variable name found
+}
+/**
+ * Classify variable name security risk based on naming patterns
+ *
+ * High risk: Security-sensitive names (token, secret, key, etc.)
+ * Medium risk: Unclear context
+ * Low risk: Non-security names (id, businessId, orderId, etc.)
+ */
+function classifyVariableNameRisk(varName) {
+    if (!varName)
+        return 'medium'; // Unknown usage, moderate risk
+    const lower = varName.toLowerCase();
+    // High risk: security-sensitive variable names
+    // Note: 'key' alone is NOT included - it often means React key, not crypto key
+    // Instead, we match specific security key patterns
+    const highRiskPatterns = [
+        'token',
+        'secret',
+        'password',
+        'credential',
+        'signature',
+        'salt',
+        'nonce',
+        'session',
+        'csrf',
+        'auth',
+        'apikey',
+        'secretkey',
+        'privatekey',
+        'encryptionkey',
+        'accesstoken',
+        'refreshtoken',
+        'jwt',
+        'bearer',
+        'oauth',
+        'sessionid',
+    ];
+    if (highRiskPatterns.some(p => lower.includes(p))) {
+        return 'high';
+    }
+    // Low risk: clearly non-security contexts
+    const lowRiskPatterns = [
+        // Business identifiers
+        'id',
+        'uid',
+        'guid',
+        'business',
+        'order',
+        'invoice',
+        'customer',
+        'user',
+        'product',
+        'item',
+        'transaction',
+        'request',
+        'reference',
+        'tracking',
+        'confirmation',
+        // Test/demo data
+        'test',
+        'mock',
+        'demo',
+        'sample',
+        'example',
+        'fixture',
+        'random',
+        'temp',
+        'temporary',
+        'generated',
+        'dummy',
+        // UI identifiers (checked after high-risk, so 'apikey' etc. already caught)
+        'key',
+        'toast',
+        'notification',
+        'element',
+        'component',
+        'widget',
+        'modal',
+        'dialog',
+        'popup',
+        'unique',
+        'react',
+        // Non-security randomness usage (backoff/sampling/experiments)
+        'jitter',
+        'retry',
+        'backoff',
+        'delay',
+        'timeout',
+        'latency',
+        'sample',
+        'sampling',
+        'probability',
+        'chance',
+        'rollout',
+        'experiment',
+        'abtest',
+        'cohort',
+        'bucket',
+        'variant',
+    ];
+    if (lowRiskPatterns.some(p => lower.includes(p))) {
+        return 'low';
+    }
+    return 'medium'; // Unclear context, moderate risk
+}
+/**
+ * Analyze surrounding code context for security signals
+ * Returns context type and description for severity classification
+ */
+function analyzeMathRandomContext(content, filePath, lineNumber) {
+    const lines = content.split('\n');
+    const start = Math.max(0, lineNumber - 10);
+    const end = Math.min(lines.length, lineNumber + 5);
+    const context = lines.slice(start, end).join('\n');
+    // Security context indicators (functions, imports, comments)
+    const securityPatterns = [
+        /\b(generate|create)(Token|Secret|Key|Password|Nonce|Salt|Session|Signature)/i,
+        /\b(auth|crypto|encrypt|decrypt|hash|sign)\b/i,
+        /function\s+.*(?:token|secret|key|auth|crypto)/i,
+        /\bimport.*(?:crypto|jsonwebtoken|bcrypt|argon2|jose)/i,
+        /\/\*.*(?:security|authentication|cryptograph|authorization)/i,
+        /\/\/.*(?:security|auth|crypto|token|secret)/i,
+    ];
+    const inSecurityContext = securityPatterns.some(p => p.test(context));
+    // Test context
+    const testFilePatterns = /\.(test|spec)\.(ts|tsx|js|jsx)$/i;
+    const testContextPatterns = [
+        /\b(describe|it|test|expect|mock|jest|vitest|mocha|chai)\b/i,
+        /\b(beforeEach|afterEach|beforeAll|afterAll)\b/i,
+        /\b(fixture|stub|spy)\b/i,
+    ];
+    const inTestContext = testFilePatterns.test(filePath) ||
+        testContextPatterns.some(p => p.test(context));
+    // UI/cosmetic context (reuse existing logic)
+    const lineContent = lines[lineNumber];
+    const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber);
+    // Business logic context (non-security ID generation)
+    // Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
+    const businessLogicPatterns = [
+        /\b(business|order|invoice|customer|product|transaction)Id\b/i,
+        /\b(reference|tracking|confirmation)Number\b/i,
+        /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
+        /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
+    ];
+    const inBusinessLogicContext = businessLogicPatterns.some(p => p.test(context)) && !inSecurityContext;
+    // Determine context description
+    let contextDescription = 'unknown context';
+    if (inSecurityContext) {
+        contextDescription = 'security-sensitive function';
+    }
+    else if (inTestContext) {
+        contextDescription = 'test/mock data generation';
+    }
+    else if (inUIContext) {
+        contextDescription = 'UI/cosmetic usage';
+    }
+    else if (inBusinessLogicContext) {
+        contextDescription = 'non-security usage';
+    }
+    return {
+        inSecurityContext,
+        inTestContext,
+        inUIContext,
+        inBusinessLogicContext,
+        contextDescription,
+    };
+}
+/**
+ * Check if Math.random() should be skipped entirely
+ * Returns true for seed files, test fixtures, captcha/puzzle, uuid, and pure cosmetic uses
+ */
+function shouldSkipMathRandom(content, filePath, lineNumber) {
+    // Seed/data generation files - skip entirely
+    if ((0, context_helpers_1.isSeedOrDataGenFile)(filePath)) {
+        return true;
+    }
+    // Educational/intentional vulnerability files - skip entirely
+    // These include OWASP Juice Shop, intentionally-vulnerable examples, etc.
+    if ((0, context_helpers_1.isEducationalVulnerabilityFile)(filePath)) {
+        return true;
+    }
+    // Test files with test fixture patterns
+    if ((0, context_helpers_1.isTestOrMockFile)(filePath)) {
+        const lines = content.split('\n');
+        const line = lines[lineNumber];
+        // If in a test file and generating test data, skip
+        if (/\b(mock|fake|fixture|test)Data/i.test(line) ||
+            /\b(it|test|describe)\s*\(/.test(line)) {
+            return true;
+        }
+    }
+    // Pure cosmetic usage (CSS values, animations)
+    const lines = content.split('\n');
+    const lineContent = lines[lineNumber] || '';
+    if (isCosmeticMathRandom(lineContent, content, lineNumber)) {
+        // Additional check: if this is for animation/style, truly skip
+        const pureStylePatterns = [
+            /\.style\./,
+            /animation/i,
+            /transform/i,
+            /opacity/i,
+            /\brgb/i,
+            /\bhsl/i,
+        ];
+        if (pureStylePatterns.some(p => p.test(lineContent))) {
+            return true;
+        }
+    }
+    // Check function context for demo/seed/captcha/uuid functions
+    const functionName = (0, control_flow_1.extractFunctionContext)(content, lineNumber);
+    const functionIntent = classifyFunctionIntent(functionName);
+    // Skip demo, captcha, and uuid functions entirely - these are legitimate uses
+    if (functionIntent === 'demo' || functionIntent === 'captcha' || functionIntent === 'uuid') {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=math-random.js.map

package/dist/layer2/dangerous-functions/math-random.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"math-random.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/math-random.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAcH,oDAkGC;AAMD,wDAiDC;AAMD,wDAgFC;AASD,sEAkBC;AASD,4DAqGC;AAMD,4DAwEC;AAMD,oDAyDC;AAjhBD,iEAIoC;AACpC,uDAA6D;AAE7D;;;;GAIG;AACH,SAAgB,oBAAoB,CAClC,WAAmB,EACnB,OAAe,EACf,UAAkB;IAElB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,gDAAgD;IAChD,MAAM,oBAAoB,GAAG;QAC3B,mBAAmB;QACnB,yCAAyC,EAAE,gCAAgC;QAC3E,mCAAmC,EAAE,2BAA2B;QAChE,iDAAiD,EAAE,iBAAiB;QACpE,8BAA8B,EAAE,mBAAmB;QACnD,+BAA+B,EAAE,gCAAgC;QACjE,gCAAgC,EAAE,iCAAiC;QACnE,kCAAkC,EAAE,yBAAyB;QAC7D,oCAAoC,EAAE,4BAA4B;QAClE,yBAAyB,EAAE,8BAA8B;QACzD,4BAA4B,EAAE,iCAAiC;QAC/D,wBAAwB,EAAE,2BAA2B;QACrD,yBAAyB;QACzB,wBAAwB,EAAE,gCAAgC;QAC1D,sBAAsB,EAAE,gCAAgC;QACxD,wBAAwB,EAAE,oCAAoC;QAC9D,wBAAwB,EAAE,mCAAmC;QAC7D,kCAAkC;QAClC,uCAAuC,EAAE,2CAA2C;QACpF,6BAA6B,EAAE,sCAAsC;QACrE,wBAAwB;QACxB,4CAA4C,EAAE,kCAAkC;QAChF,4CAA4C,EAAE,oCAAoC;QAClF,2CAA2C,EAAE,8BAA8B;QAC3E,4EAA4E;QAC5E,8EAA8E;QAC9E,yCAAyC;KAC1C,CAAA;IAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACxD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uDAAuD;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IACzD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,qCAAqC;IACrC,MAAM,uBAAuB,GAAG;QAC9B,yEAAyE;QACzE,oCAAoC;QACpC,sDAAsD;QACtD,kEAAkE;QAClE,oBAAoB;QACpB,yDAAyD;QACzD,gEAAgE;QAChE,mBAAmB;QACnB,2BAA2B;QAC3B,4BAA4B;QAC5B,sBAAsB;QACtB,yBAAyB;QACzB,sBAAsB;QACtB,kDAAkD;QAClD,iFAAiF;QACjF,+FAA+F;KAChG,CAAA;IAED,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,+DAA+D;IAC/D,MAAM,gBAAgB,GAAG;QACvB,qDAAqD;QACrD,uCAAuC;QACvC,2BAA2B;QAC3B,0BAA0B,EAAE,+CAA+C;KAC5E,CAAA;IAED,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QACvE,OAAO,KAAK,CAAA,CAAC,4CAA4C;IAC3D,CAAC;IAED,kFAAkF;IAClF,sFAAsF;IACtF,MAAM,8BAA8B,GAClC,kCAAkC,CAAC,IAAI,CAAC,WAAW,CAAC;QACpD,CAAC,8BAA8B,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAEnD,MAAM,8BAA8B,GAClC,kCAAkC,CAAC,IAAI,CAAC,WAAW,CAAC;QACpD,CAAC,8BAA8B,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAEnD,IAAI,8BAA8B,IAAI,8BAA8B,EAAE,CAAC;QACrE,OAAO,KAAK,CAAA,CAAC,oEAAoE;IACnF,CAAC;IAED,OAAO,KAAK,CAAA,CAAC,iCAAiC;AAChD,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CACpC,YAA2B;IAE3B,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAA;IAEnC,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,EAAE,CAAA;IAExC,oDAAoD;IACpD,uEAAuE;IACvE,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IACvF,iEAAiE;IACjE,MAAM,oBAAoB,GAAG,sDAAsD,CAAA;IACnF,IACE,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAChC,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,sDAAsD;IACtD,MAAM,eAAe,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAA;IAC5D,iEAAiE;IACjE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,SAAS,CAAA;IAClE,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAA;IAE5E,yBAAyB;IACzB,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAA;IAChE,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,MAAM,CAAA;IAE5D,+EAA+E;IAC/E,MAAM,gBAAgB,GAAG;QACvB,OAAO;QACP,QAAQ;QACR,KAAK;QACL,UAAU;QACV,YAAY;QACZ,WAAW;KACZ,CAAA;IACD,0DAA0D;IAC1D,MAAM,uBAAuB,GAC3B,wEAAwE,CAAA;IAC1E,IACE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC7C,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,WAAmB;IAOxD,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAA;IAC7E,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAA;IAE7E,IAAI,CAAC,eAAe,IAAI,CAAC,eAAe,EAAE,CAAC;QACzC,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,IAAI,EAAE,IAAI;YACV,WAAW,EAAE,KAAK;YAClB,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,SAAS;SAClB,CAAA;IACH,CAAC;IAED,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAEtC,+BAA+B;IAC/B,MAAM,cAAc,GAAG,WAAW,CAAC,KAAK,CACtC,oCAAoC,CACrC,CAAA;IACD,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACtE,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAA;IAExE,MAAM,UAAU,GAAG,cAAc,IAAI,UAAU,IAAI,WAAW,CAAA;IAE9D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,IAAI;YACJ,WAAW,EAAE,KAAK;YAClB,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,YAAY;SACrB,CAAA;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IACrC,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE1D,uFAAuF;IACvF,mEAAmE;IACnE,6DAA6D;IAC7D,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,EAAE,CAAA;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IAEpF,4BAA4B;IAC5B,oDAAoD;IACpD,oDAAoD;IACpD,IAAI,MAAM,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,IAAI;YACJ,WAAW,EAAE,IAAI;YACjB,gBAAgB,EAAE,MAAM;YACxB,MAAM,EAAE,aAAa;SACtB,CAAA;IACH,CAAC;SAAM,IAAI,MAAM,IAAI,MAAM,IAAI,EAAE,EAAE,CAAC;QAClC,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,IAAI;YACJ,WAAW,EAAE,IAAI;YACjB,gBAAgB,EAAE,MAAM;YACxB,MAAM,EAAE,aAAa;SACtB,CAAA;IACH,CAAC;SAAM,CAAC;QACN,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,IAAI;YACJ,WAAW,EAAE,IAAI;YACjB,gBAAgB,EAAE,MAAM;YACxB,MAAM,EAAE,aAAa;SACtB,CAAA;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,6BAA6B,CAC3C,WAAmB;IAEnB,8CAA8C;IAC9C,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CACvC,6CAA6C,CAC9C,CAAA;IACD,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC,CAAC,CAAC,CAAA;IAE9C,mCAAmC;IACnC,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAA;IACtE,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAA;IAE1C,kEAAkE;IAClE,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAChE,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC,CAAC,CAAC,CAAA;IAEpC,OAAO,IAAI,CAAA,CAAC,yBAAyB;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,wBAAwB,CACtC,OAAsB;IAEtB,IAAI,CAAC,OAAO;QAAE,OAAO,QAAQ,CAAA,CAAC,+BAA+B;IAE7D,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAA;IAEnC,+CAA+C;IAC/C,+EAA+E;IAC/E,mDAAmD;IACnD,MAAM,gBAAgB,GAAG;QACvB,OAAO;QACP,QAAQ;QACR,UAAU;QACV,YAAY;QACZ,WAAW;QACX,MAAM;QACN,OAAO;QACP,SAAS;QACT,MAAM;QACN,MAAM;QACN,QAAQ;QACR,WAAW;QACX,YAAY;QACZ,eAAe;QACf,aAAa;QACb,cAAc;QACd,KAAK;QACL,QAAQ;QACR,OAAO;QACP,WAAW;KACZ,CAAA;IACD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,0CAA0C;IAC1C,MAAM,eAAe,GAAG;QACtB,uBAAuB;QACvB,IAAI;QACJ,KAAK;QACL,MAAM;QACN,UAAU;QACV,OAAO;QACP,SAAS;QACT,UAAU;QACV,MAAM;QACN,SAAS;QACT,MAAM;QACN,aAAa;QACb,SAAS;QACT,WAAW;QACX,UAAU;QACV,cAAc;QACd,iBAAiB;QACjB,MAAM;QACN,MAAM;QACN,MAAM;QACN,QAAQ;QACR,SAAS;QACT,SAAS;QACT,QAAQ;QACR,MAAM;QACN,WAAW;QACX,WAAW;QACX,OAAO;QACP,4EAA4E;QAC5E,KAAK;QACL,OAAO;QACP,cAAc;QACd,SAAS;QACT,WAAW;QACX,QAAQ;QACR,OAAO;QACP,QAAQ;QACR,OAAO;QACP,QAAQ;QACR,OAAO;QACP,+DAA+D;QAC/D,QAAQ;QACR,OAAO;QACP,SAAS;QACT,OAAO;QACP,SAAS;QACT,SAAS;QACT,QAAQ;QACR,UAAU;QACV,aAAa;QACb,QAAQ;QACR,SAAS;QACT,YAAY;QACZ,QAAQ;QACR,QAAQ;QACR,QAAQ;QACR,SAAS;KACV,CAAA;IACD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,QAAQ,CAAA,CAAC,iCAAiC;AACnD,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB,EAChB,UAAkB;IAQlB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;IAClD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,6DAA6D;IAC7D,MAAM,gBAAgB,GAAG;QACvB,8EAA8E;QAC9E,8CAA8C;QAC9C,gDAAgD;QAChD,uDAAuD;QACvD,8DAA8D;QAC9D,8CAA8C;KAC/C,CAAA;IACD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IAErE,eAAe;IACf,MAAM,gBAAgB,GAAG,kCAAkC,CAAA;IAC3D,MAAM,mBAAmB,GAAG;QAC1B,4DAA4D;QAC5D,gDAAgD;QAChD,yBAAyB;KAC1B,CAAA;IACD,MAAM,aAAa,GACjB,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/B,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IAEhD,6CAA6C;IAC7C,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,CAAC,CAAA;IACrC,MAAM,WAAW,GAAG,oBAAoB,CAAC,WAAW,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA;IAE1E,sDAAsD;IACtD,kFAAkF;IAClF,MAAM,qBAAqB,GAAG;QAC5B,8DAA8D;QAC9D,8CAA8C;QAC9C,mDAAmD;QACnD,2FAA2F;KAC5F,CAAA;IACD,MAAM,sBAAsB,GAC1B,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAA;IAExE,gCAAgC;IAChC,IAAI,kBAAkB,GAAG,iBAAiB,CAAA;IAC1C,IAAI,iBAAiB,EAAE,CAAC;QACtB,kBAAkB,GAAG,6BAA6B,CAAA;IACpD,CAAC;SAAM,IAAI,aAAa,EAAE,CAAC;QACzB,kBAAkB,GAAG,2BAA2B,CAAA;IAClD,CAAC;SAAM,IAAI,WAAW,EAAE,CAAC;QACvB,kBAAkB,GAAG,mBAAmB,CAAA;IAC1C,CAAC;SAAM,IAAI,sBAAsB,EAAE,CAAC;QAClC,kBAAkB,GAAG,oBAAoB,CAAA;IAC3C,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,aAAa;QACb,WAAW;QACX,sBAAsB;QACtB,kBAAkB;KACnB,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAClC,OAAe,EACf,QAAgB,EAChB,UAAkB;IAElB,6CAA6C;IAC7C,IAAI,IAAA,qCAAmB,EAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,8DAA8D;IAC9D,0EAA0E;IAC1E,IAAI,IAAA,gDAA8B,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,wCAAwC;IACxC,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAA;QAC9B,mDAAmD;QACnD,IACE,iCAAiC,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5C,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EACtC,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAA;IAC3C,IAAI,oBAAoB,CAAC,WAAW,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC;QAC3D,+DAA+D;QAC/D,MAAM,iBAAiB,GAAG;YACxB,WAAW;YACX,YAAY;YACZ,YAAY;YACZ,UAAU;YACV,QAAQ;YACR,QAAQ;SACT,CAAA;QACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,MAAM,YAAY,GAAG,IAAA,qCAAsB,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAChE,MAAM,cAAc,GAAG,sBAAsB,CAAC,YAAY,CAAC,CAAA;IAE3D,8EAA8E;IAC9E,IAAI,cAAc,KAAK,MAAM,IAAI,cAAc,KAAK,SAAS,IAAI,cAAc,KAAK,MAAM,EAAE,CAAC;QAC3F,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/layer2/dangerous-functions/patterns.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Dangerous Function Pattern Definitions
+ *
+ * This module defines the patterns for detecting dangerous function calls.
+ * These patterns are used by the main detection engine.
+ */
+import type { VulnerabilitySeverity } from '../../types';
+export interface DangerousFunctionPattern {
+    name: string;
+    pattern: RegExp;
+    severity: VulnerabilitySeverity;
+    description: string;
+    suggestedFix: string;
+    languages?: string[];
+}
+export declare const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[];
+/**
+ * Check if file matches language filter
+ */
+export declare function matchesLanguage(filePath: string, languages?: string[]): boolean;
+//# sourceMappingURL=patterns.d.ts.map

package/dist/layer2/dangerous-functions/patterns.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAExD,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,qBAAqB,CAAA;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;CACrB;AAED,eAAO,MAAM,mBAAmB,EAAE,wBAAwB,EA4IzD,CAAA;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAU/E"}

package/dist/layer2/dangerous-functions/patterns.js ADDED Viewed

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * Dangerous Function Pattern Definitions
+ *
+ * This module defines the patterns for detecting dangerous function calls.
+ * These patterns are used by the main detection engine.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DANGEROUS_FUNCTIONS = void 0;
+exports.matchesLanguage = matchesLanguage;
+exports.DANGEROUS_FUNCTIONS = [
+    // Code execution
+    {
+        name: 'eval() usage',
+        pattern: /\beval\s*\(/gi,
+        severity: 'critical',
+        description: 'eval() executes arbitrary code and is a major security risk',
+        suggestedFix: 'Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution',
+    },
+    {
+        name: 'Function constructor',
+        pattern: /new\s+Function\s*\(/gi,
+        severity: 'critical',
+        description: 'Function constructor can execute arbitrary code like eval()',
+        suggestedFix: 'Refactor to use static functions or safe alternatives',
+    },
+    {
+        name: 'setTimeout/setInterval with string',
+        pattern: /set(Timeout|Interval)\s*\(\s*['"`]/gi,
+        severity: 'high',
+        description: 'setTimeout/setInterval with string argument acts like eval()',
+        suggestedFix: 'Pass a function reference instead of a string',
+    },
+    // Command injection
+    {
+        name: 'child_process exec',
+        pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/gi,
+        severity: 'high',
+        description: 'Shell command execution can lead to command injection',
+        suggestedFix: 'Validate and sanitize all inputs, prefer execFile over exec',
+    },
+    {
+        name: 'os.system/subprocess (Python)',
+        pattern: /\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(/gi,
+        severity: 'high',
+        description: 'Shell command execution can lead to command injection',
+        suggestedFix: 'Use subprocess with shell=False and pass arguments as a list',
+        languages: ['py'],
+    },
+    // SQL injection risks
+    {
+        name: 'Raw SQL query construction',
+        pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
+        severity: 'critical',
+        description: 'String concatenation in SQL queries can lead to SQL injection',
+        suggestedFix: 'Use parameterized queries or prepared statements',
+    },
+    {
+        name: 'SQL template literal',
+        pattern: /`SELECT.*FROM.*WHERE.*\$\{|`INSERT.*INTO.*VALUES.*\$\{|`UPDATE.*SET.*\$\{|`DELETE.*FROM.*WHERE.*\$\{/gi,
+        severity: 'critical',
+        description: 'Template literals in SQL queries can lead to SQL injection',
+        suggestedFix: 'Use parameterized queries with placeholders (?, $1, etc.)',
+    },
+    // XSS risks
+    {
+        name: 'innerHTML assignment',
+        pattern: /\.innerHTML\s*=|\.outerHTML\s*=/gi,
+        severity: 'high',
+        description: 'Direct innerHTML assignment can lead to XSS vulnerabilities',
+        suggestedFix: 'Use textContent for text, or sanitize HTML with DOMPurify',
+    },
+    {
+        name: 'document.write',
+        pattern: /document\.write\s*\(/gi,
+        severity: 'high',
+        description: 'document.write can introduce XSS vulnerabilities',
+        suggestedFix: 'Use DOM manipulation methods instead',
+    },
+    {
+        name: 'dangerouslySetInnerHTML',
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
+        severity: 'high',
+        description: 'dangerouslySetInnerHTML can lead to XSS if content is not sanitized',
+        suggestedFix: 'Sanitize HTML content with DOMPurify before rendering',
+    },
+    // Deserialization
+    {
+        name: 'Unsafe deserialization',
+        pattern: /\b(pickle\.loads?|yaml\.load\s*\((?!.*Loader)|unserialize|Marshal\.load)\s*\(/gi,
+        severity: 'critical',
+        description: 'Unsafe deserialization can lead to remote code execution',
+        suggestedFix: 'Use safe loaders (yaml.safe_load) or validate input before deserializing',
+    },
+    // Note: JSON.parse is handled specially with source-aware severity - see json-parse.ts
+    // Note: request.json() is NOT a dangerous function - see request-validation.ts
+    // File system risks
+    {
+        name: 'Dynamic file path',
+        pattern: /\b(readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\(\s*[^'"]/gi,
+        severity: 'medium',
+        description: 'Dynamic file paths can lead to path traversal attacks',
+        suggestedFix: 'Validate and sanitize file paths, use path.resolve with a base directory',
+    },
+    {
+        name: 'Path traversal risk',
+        pattern: /path\.(join|resolve)\s*\([^)]*req\.(params|query|body)/gi,
+        severity: 'high',
+        description: 'User input in file paths can lead to path traversal attacks',
+        suggestedFix: 'Validate paths and ensure they stay within allowed directories',
+    },
+    // Crypto weaknesses
+    {
+        name: 'Math.random for security',
+        pattern: /Math\.random\s*\(\s*\)/gi,
+        severity: 'medium',
+        description: 'Math.random() is not cryptographically secure',
+        suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive operations',
+    },
+    // Regex DoS
+    {
+        name: 'Potentially unsafe regex',
+        pattern: /new\s+RegExp\s*\(\s*[^'"]/gi,
+        severity: 'medium',
+        description: 'Dynamic regex construction can lead to ReDoS attacks',
+        suggestedFix: 'Validate regex patterns and consider using safe-regex library',
+    },
+    // Prototype pollution
+    {
+        name: 'Object.assign with user input',
+        pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(req\.|request\.|body|params|query)/gi,
+        severity: 'high',
+        description: 'Object.assign with user input can lead to prototype pollution',
+        suggestedFix: 'Validate and sanitize input, or use a safe merge function',
+    },
+    {
+        name: 'Spread operator with user input',
+        pattern: /\{\s*\.\.\.req\.(body|params|query)|\.\.\.request\.(body|params|query)/gi,
+        severity: 'medium',
+        description: 'Spreading user input can lead to mass assignment vulnerabilities',
+        suggestedFix: 'Explicitly pick allowed properties instead of spreading all input',
+    },
+];
+/**
+ * Check if file matches language filter
+ */
+function matchesLanguage(filePath, languages) {
+    if (!languages || languages.length === 0)
+        return true;
+    const ext = filePath.split('.').pop()?.toLowerCase() || '';
+    return languages.some(lang => {
+        if (lang === 'py')
+            return ext === 'py';
+        if (lang === 'js')
+            return ['js', 'jsx', 'mjs', 'cjs'].includes(ext);
+        if (lang === 'ts')
+            return ['ts', 'tsx'].includes(ext);
+        return ext === lang;
+    });
+}
+//# sourceMappingURL=patterns.js.map