@oculum/scanner 1.0.9 → 1.0.11

package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts

@@ -0,0 +1,439 @@
+/**
+ * Refactor Safety Snapshot Tests for dangerous-functions.ts
+ *
+ * These tests capture the current behavior of detectDangerousFunctions()
+ * to ensure refactoring doesn't change any detection behavior.
+ *
+ * DO NOT modify these tests unless intentionally changing detection behavior.
+ */
+
+import { detectDangerousFunctions } from '../../layer2/dangerous-functions'
+
+describe('Refactor Safety - dangerous-functions.ts', () => {
+  describe('eval/Function detection', () => {
+    it('should detect eval() usage', () => {
+      const code = `
+const result = eval(userInput);
+const computed = eval('2 + 2');
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect Function constructor', () => {
+      const code = `
+const fn = new Function('a', 'b', 'return a + b');
+const dynamic = new Function(userCode);
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect setTimeout/setInterval with string', () => {
+      const code = `
+setTimeout('alert("hello")', 1000);
+setInterval('console.log("tick")', 500);
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('child_process detection', () => {
+    it('should detect exec with user input', () => {
+      const code = `
+import { exec } from 'child_process';
+exec(\`ls \${userInput}\`, callback);
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect execSync with static command', () => {
+      const code = `
+const { execSync } = require('child_process');
+const output = execSync('ls -la');
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should NOT flag RegExp.exec as child_process', () => {
+      const code = `
+const regex = /pattern/g;
+const match = regex.exec(text);
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect spawn with dynamic args', () => {
+      const code = `
+import { spawn } from 'child_process';
+spawn('node', [userInput]);
+`
+      const result = detectDangerousFunctions(code, 'src/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('SQL injection detection', () => {
+    it('should detect raw SQL with template literal', () => {
+      const code = `
+const query = \`SELECT * FROM users WHERE id = \${userId}\`;
+db.query(query);
+`
+      const result = detectDangerousFunctions(code, 'src/db.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect SQL string concatenation', () => {
+      const code = `
+const query = "SELECT * FROM users WHERE name = '" + userName + "'";
+`
+      const result = detectDangerousFunctions(code, 'src/db.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect SQL with whitelist validation as lower severity', () => {
+      const code = `
+const allowedColumns = ['name', 'email', 'age'];
+if (!allowedColumns.includes(sortBy)) throw new Error('Invalid column');
+const query = \`SELECT * FROM users ORDER BY \${sortBy}\`;
+`
+      const result = detectDangerousFunctions(code, 'src/db.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('innerHTML/XSS detection', () => {
+    it('should detect innerHTML with dynamic content', () => {
+      const code = `
+element.innerHTML = userContent;
+div.innerHTML = \`<div>\${data}</div>\`;
+`
+      const result = detectDangerousFunctions(code, 'src/component.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect innerHTML with static content as lower severity', () => {
+      const code = `
+element.innerHTML = '<div class="container">Static content</div>';
+`
+      const result = detectDangerousFunctions(code, 'src/component.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect dangerouslySetInnerHTML', () => {
+      const code = `
+<div dangerouslySetInnerHTML={{ __html: userHtml }} />
+`
+      const result = detectDangerousFunctions(code, 'src/component.tsx')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect innerHTML with DOMPurify as lower severity', () => {
+      const code = `
+import DOMPurify from 'dompurify';
+const sanitized = DOMPurify.sanitize(userHtml);
+element.innerHTML = sanitized;
+`
+      const result = detectDangerousFunctions(code, 'src/component.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip style element innerHTML', () => {
+      const code = `
+const styleElement = document.createElement('style');
+styleElement.innerHTML = '.class { color: red; }';
+`
+      const result = detectDangerousFunctions(code, 'src/styles.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect document.write', () => {
+      const code = `
+document.write('<script>alert(1)</script>');
+`
+      const result = detectDangerousFunctions(code, 'src/legacy.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('JSON.parse detection', () => {
+    it('should detect JSON.parse on user input', () => {
+      const code = `
+const data = JSON.parse(req.body);
+`
+      const result = detectDangerousFunctions(code, 'src/api/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect JSON.parse on localStorage', () => {
+      const code = `
+const settings = JSON.parse(localStorage.getItem('settings'));
+`
+      const result = detectDangerousFunctions(code, 'src/settings.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should suppress JSON.parse with try-catch on internal data', () => {
+      const code = `
+try {
+  const config = JSON.parse(fileContent);
+} catch (e) {
+  console.error(e);
+}
+`
+      const result = detectDangerousFunctions(code, 'src/config.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect JSON.parse with schema validation as handled', () => {
+      const code = `
+const raw = JSON.parse(input);
+const validated = schema.parse(raw);
+`
+      const result = detectDangerousFunctions(code, 'src/api/handler.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip JSON.parse in test files', () => {
+      const code = `
+const mockData = JSON.parse(fixture);
+`
+      const result = detectDangerousFunctions(code, 'src/__tests__/handler.test.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip trusted SDK response parsing', () => {
+      const code = `
+const response = await openai.chat.completions.create({});
+const content = JSON.parse(response.choices[0].content);
+`
+      const result = detectDangerousFunctions(code, 'src/ai/chat.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Math.random detection', () => {
+    it('should detect Math.random for security tokens as high', () => {
+      const code = `
+function generateToken() {
+  return Math.random().toString(36);
+}
+`
+      const result = detectDangerousFunctions(code, 'src/auth.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect Math.random in security context as high', () => {
+      const code = `
+const secret = Math.random().toString(36).substring(2);
+`
+      const result = detectDangerousFunctions(code, 'src/crypto.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should classify Math.random for UI IDs as info', () => {
+      const code = `
+const key = Math.random().toString(36).substring(2, 9);
+`
+      const result = detectDangerousFunctions(code, 'src/components/list.tsx')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip Math.random in seed files', () => {
+      const code = `
+const randomAge = Math.random() * 100;
+`
+      const result = detectDangerousFunctions(code, 'src/seed/users.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip cosmetic Math.random (CSS values)', () => {
+      const code = `
+const opacity = Math.random() * 0.5 + 0.5;
+element.style.opacity = opacity;
+`
+      const result = detectDangerousFunctions(code, 'src/animation.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should classify business IDs as low severity', () => {
+      const code = `
+const orderId = 'ORD-' + Math.random().toString(36).substring(2, 12);
+`
+      const result = detectDangerousFunctions(code, 'src/orders.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('File path detection', () => {
+    it('should detect dynamic file path in API handlers', () => {
+      const code = `
+const file = fs.readFileSync(req.params.filename);
+`
+      const result = detectDangerousFunctions(code, 'src/api/files.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect path traversal risk', () => {
+      const code = `
+const fullPath = path.join(uploadDir, req.query.path);
+`
+      const result = detectDangerousFunctions(code, 'src/api/upload.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip dynamic paths in CLI tools', () => {
+      const code = `
+const content = fs.readFileSync(filePath);
+`
+      const result = detectDangerousFunctions(code, 'src/cli/scan.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect path traversal with sanitization as lower severity', () => {
+      const code = `
+if (filename.includes('..')) throw new Error('Invalid path');
+const fullPath = path.resolve(baseDir, filename);
+if (!fullPath.startsWith(baseDir)) throw new Error('Access denied');
+fs.readFileSync(fullPath);
+`
+      const result = detectDangerousFunctions(code, 'src/api/files.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('request.json() validation detection', () => {
+    it('should suggest schema validation for request.json()', () => {
+      const code = `
+export async function POST(request: Request) {
+  const body = await request.json();
+  return Response.json({ ok: true });
+}
+`
+      const result = detectDangerousFunctions(code, 'src/app/api/create/route.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip when schema validation is present', () => {
+      const code = `
+import { z } from 'zod';
+const schema = z.object({ name: z.string() });
+
+export async function POST(request: Request) {
+  const body = await request.json();
+  const data = schema.parse(body);
+  return Response.json({ data });
+}
+`
+      const result = detectDangerousFunctions(code, 'src/app/api/create/route.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip when throwing auth helper is present', () => {
+      const code = `
+export async function POST(request: Request) {
+  const userId = await getCurrentUserId();
+  const body = await request.json();
+  return Response.json({ ok: true });
+}
+`
+      const result = detectDangerousFunctions(code, 'src/app/api/create/route.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Deserialization detection', () => {
+    it('should detect pickle.loads (Python)', () => {
+      const code = `
+data = pickle.loads(user_data)
+`
+      const result = detectDangerousFunctions(code, 'handler.py')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect yaml.load without safe loader', () => {
+      const code = `
+config = yaml.load(file_content)
+`
+      const result = detectDangerousFunctions(code, 'config.py')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Prototype pollution detection', () => {
+    it('should detect Object.assign with user input', () => {
+      const code = `
+const merged = Object.assign({}, req.body);
+`
+      const result = detectDangerousFunctions(code, 'src/api/merge.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should detect spread operator with user input', () => {
+      const code = `
+const user = { ...req.body, createdAt: new Date() };
+`
+      const result = detectDangerousFunctions(code, 'src/api/create.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Regex DoS detection', () => {
+    it('should detect dynamic regex construction', () => {
+      const code = `
+const pattern = new RegExp(userPattern);
+`
+      const result = detectDangerousFunctions(code, 'src/search.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Test file handling', () => {
+    it('should downgrade severity in test files', () => {
+      const code = `
+eval(testCode);
+element.innerHTML = testHtml;
+`
+      const result = detectDangerousFunctions(code, 'src/__tests__/handler.test.ts')
+      expect(result).toMatchSnapshot()
+    })
+
+    it('should skip eval entirely in test files', () => {
+      const code = `
+it('should handle eval', () => {
+  expect(eval('2 + 2')).toBe(4);
+});
+`
+      const result = detectDangerousFunctions(code, 'src/__tests__/eval.test.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('LLM prompt context detection', () => {
+    it('should detect LLM prompt injection risk instead of XSS', () => {
+      const code = `
+const prompt = \`Answer this: \${userQuestion}\`;
+const response = await openai.chat.completions.create({
+  messages: [{ role: 'user', content: prompt }]
+});
+`
+      const result = detectDangerousFunctions(code, 'src/ai/chat.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+
+  describe('Static bootstrap script detection', () => {
+    it('should detect static bootstrap as lower severity', () => {
+      const code = `
+const theme = localStorage.getItem('theme');
+document.documentElement.setAttribute('data-theme', theme || 'light');
+`
+      const result = detectDangerousFunctions(code, 'src/bootstrap.ts')
+      expect(result).toMatchSnapshot()
+    })
+  })
+})

package/src/baseline/__tests__/diff.test.ts

@@ -0,0 +1,261 @@
+/**
+ * Baseline Diff Computation Tests
+ */
+
+import { computeDiff, hasNewBlockingIssues, formatDiffSummary } from '../diff'
+import type { Vulnerability } from '../../types'
+import type { BaselineData } from '../types'
+
+describe('Baseline Diff Computation', () => {
+  // Helper to create a test vulnerability
+  const createVuln = (
+    filePath: string,
+    lineNumber: number,
+    category: string,
+    severity: 'critical' | 'high' | 'medium' | 'low' | 'info' = 'medium',
+    title: string = 'Test finding'
+  ): Vulnerability => ({
+    filePath,
+    lineNumber,
+    category: category as any,
+    severity,
+    title,
+    description: 'Test description',
+    confidence: 'high',
+    layer: 1,
+    lineContent: `Line ${lineNumber} content`,
+  })
+
+  // Helper to create a baseline
+  const createBaseline = (findings: Array<{
+    hash: string
+    filePath: string
+    lineNumber: number
+    category: string
+    severity: string
+    title: string
+  }>): BaselineData => ({
+    version: 1,
+    createdAt: '2024-01-15T10:00:00.000Z',
+    findings: findings as any,
+    stats: {
+      total: findings.length,
+      critical: findings.filter(f => f.severity === 'critical').length,
+      high: findings.filter(f => f.severity === 'high').length,
+      medium: findings.filter(f => f.severity === 'medium').length,
+      low: findings.filter(f => f.severity === 'low').length,
+      info: findings.filter(f => f.severity === 'info').length,
+    },
+  })
+
+  describe('computeDiff', () => {
+    it('should identify all findings as new when baseline is empty', () => {
+      const current = [
+        createVuln('src/a.ts', 10, 'hardcoded_secret', 'critical'),
+        createVuln('src/b.ts', 20, 'sql_injection', 'high'),
+      ]
+      const baseline = createBaseline([])
+
+      const diff = computeDiff(current, baseline)
+
+      expect(diff.new).toHaveLength(2)
+      expect(diff.fixed).toHaveLength(0)
+      expect(diff.existing).toHaveLength(0)
+      expect(diff.stats.newCount).toBe(2)
+      expect(diff.stats.fixedCount).toBe(0)
+      expect(diff.stats.existingCount).toBe(0)
+    })
+
+    it('should identify all findings as existing when current matches baseline', () => {
+      const current = [
+        createVuln('src/a.ts', 10, 'hardcoded_secret', 'critical', 'API key'),
+      ]
+
+      // Need to compute the hash that would match
+      const { computeFindingHash } = require('../../suppression/hash')
+      const hash = computeFindingHash(current[0])
+
+      const baseline = createBaseline([
+        {
+          hash,
+          filePath: 'src/a.ts',
+          lineNumber: 10,
+          category: 'hardcoded_secret',
+          severity: 'critical',
+          title: 'API key',
+        },
+      ])
+
+      const diff = computeDiff(current, baseline)
+
+      expect(diff.new).toHaveLength(0)
+      expect(diff.fixed).toHaveLength(0)
+      expect(diff.existing).toHaveLength(1)
+      expect(diff.stats.existingCount).toBe(1)
+    })
+
+    it('should identify fixed findings when they exist in baseline but not current', () => {
+      const current: Vulnerability[] = []
+      const baseline = createBaseline([
+        {
+          hash: 'fixedhash1234567',
+          filePath: 'src/fixed.ts',
+          lineNumber: 5,
+          category: 'hardcoded_secret',
+          severity: 'high',
+          title: 'Fixed finding',
+        },
+      ])
+
+      const diff = computeDiff(current, baseline)
+
+      expect(diff.new).toHaveLength(0)
+      expect(diff.fixed).toHaveLength(1)
+      expect(diff.fixed[0].title).toBe('Fixed finding')
+      expect(diff.existing).toHaveLength(0)
+      expect(diff.stats.fixedCount).toBe(1)
+    })
+
+    it('should handle mixed scenario with new, fixed, and existing findings', () => {
+      // Create a finding that will be in both current and baseline
+      const existingVuln = createVuln('src/existing.ts', 10, 'xss', 'medium', 'Existing XSS')
+      const { computeFindingHash } = require('../../suppression/hash')
+      const existingHash = computeFindingHash(existingVuln)
+
+      // Current: one existing + one new
+      const current = [
+        existingVuln,
+        createVuln('src/new.ts', 20, 'sql_injection', 'high', 'New SQL injection'),
+      ]
+
+      // Baseline: one existing + one fixed
+      const baseline = createBaseline([
+        {
+          hash: existingHash,
+          filePath: 'src/existing.ts',
+          lineNumber: 10,
+          category: 'xss',
+          severity: 'medium',
+          title: 'Existing XSS',
+        },
+        {
+          hash: 'fixedhash9999999',
+          filePath: 'src/old.ts',
+          lineNumber: 30,
+          category: 'hardcoded_secret',
+          severity: 'critical',
+          title: 'Fixed secret',
+        },
+      ])
+
+      const diff = computeDiff(current, baseline)
+
+      expect(diff.new).toHaveLength(1)
+      expect(diff.new[0].title).toBe('New SQL injection')
+      expect(diff.fixed).toHaveLength(1)
+      expect(diff.fixed[0].title).toBe('Fixed secret')
+      expect(diff.existing).toHaveLength(1)
+      expect(diff.existing[0].title).toBe('Existing XSS')
+
+      expect(diff.stats.newCount).toBe(1)
+      expect(diff.stats.fixedCount).toBe(1)
+      expect(diff.stats.existingCount).toBe(1)
+    })
+
+    it('should compute severity counts correctly', () => {
+      const current = [
+        createVuln('src/a.ts', 1, 'sql_injection', 'critical', 'Crit 1'),
+        createVuln('src/b.ts', 2, 'xss', 'high', 'High 1'),
+        createVuln('src/c.ts', 3, 'xss', 'high', 'High 2'),
+        createVuln('src/d.ts', 4, 'data_exposure', 'medium', 'Med 1'),
+      ]
+      const baseline = createBaseline([])
+
+      const diff = computeDiff(current, baseline)
+
+      expect(diff.stats.newBySeverity.critical).toBe(1)
+      expect(diff.stats.newBySeverity.high).toBe(2)
+      expect(diff.stats.newBySeverity.medium).toBe(1)
+      expect(diff.stats.newBySeverity.low).toBe(0)
+      expect(diff.stats.newBySeverity.info).toBe(0)
+    })
+  })
+
+  describe('hasNewBlockingIssues', () => {
+    it('should return true when there are new critical findings', () => {
+      const diff = computeDiff(
+        [createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical')],
+        createBaseline([])
+      )
+
+      expect(hasNewBlockingIssues(diff)).toBe(true)
+    })
+
+    it('should return true when there are new high findings', () => {
+      const diff = computeDiff(
+        [createVuln('src/a.ts', 1, 'sql_injection', 'high')],
+        createBaseline([])
+      )
+
+      expect(hasNewBlockingIssues(diff)).toBe(true)
+    })
+
+    it('should return false when there are only new medium/low/info findings', () => {
+      const diff = computeDiff(
+        [
+          createVuln('src/a.ts', 1, 'xss', 'medium'),
+          createVuln('src/b.ts', 2, 'data_exposure', 'low'),
+          createVuln('src/c.ts', 3, 'ai_pattern', 'info'),
+        ],
+        createBaseline([])
+      )
+
+      expect(hasNewBlockingIssues(diff)).toBe(false)
+    })
+
+    it('should return false when there are no new findings', () => {
+      const diff = computeDiff([], createBaseline([]))
+
+      expect(hasNewBlockingIssues(diff)).toBe(false)
+    })
+  })
+
+  describe('formatDiffSummary', () => {
+    it('should format a summary with all categories', () => {
+      const diff = computeDiff(
+        [
+          createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical'),
+          createVuln('src/b.ts', 2, 'xss', 'high'),
+        ],
+        createBaseline([
+          {
+            hash: 'fixedhash1234567',
+            filePath: 'src/fixed.ts',
+            lineNumber: 5,
+            category: 'sql_injection',
+            severity: 'high',
+            title: 'Fixed finding',
+          },
+        ])
+      )
+
+      const summary = formatDiffSummary(diff)
+
+      expect(summary).toContain('2 new')
+      expect(summary).toContain('1 fixed')
+    })
+
+    it('should omit zero counts', () => {
+      const diff = computeDiff(
+        [createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical')],
+        createBaseline([])
+      )
+
+      const summary = formatDiffSummary(diff)
+
+      expect(summary).toContain('1 new')
+      expect(summary).not.toContain('fixed')
+      expect(summary).not.toContain('existing')
+    })
+  })
+})