@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/ai-execution-sinks.ts

@@ -54,21 +54,19 @@ function isUITemplateSuggestion(lineContent: string, surroundingContext: string)
   const fullContext = lineContent + '\n' + surroundingContext
 
   // UI suggestion object patterns (command palette, autocomplete suggestions)
+  // Note: Be careful not to match variable declarations like `const completion =`
   const uiSuggestionPatterns = [
-    // Object property patterns for suggestion items
-    /(?:id|key|label|title|name|description|completion|display|text|value|placeholder):\s*`[^`]*\$\{/i,
-    // Common suggestion UI patterns
-    /suggestions?\s*[=:]/i,
-    /completions?\s*[=:]/i,
+    // Object property patterns for suggestion items (key: value in objects)
+    /(?:id|key|label|title|name|description|display|text|value|placeholder):\s*`[^`]*\$\{/i,
+    // Common suggestion UI patterns (arrays or objects, not variable declarations)
+    /(?:set)?suggestions\s*[=:]\s*\[/i,  // suggestions: [...] or setSuggestions([])
     /autocomplete/i,
     /command\s*palette/i,
     /fuzzy\s*search/i,
     /search\s*result/i,
-    // UI component context patterns
-    /\.map\s*\(\s*\(?(?:item|result|suggestion|node|entry)/i,
-    /\.filter\s*\(/i,
     // React/UI state patterns
-    /useState|setItems|setResults|setSuggestions/i,
+    /useState.*suggestions|setSuggestions/i,
+    /setItems|setResults/i,
     // Template ID generation for UI
     /id:\s*`[a-z]+-\$\{/i,  // id: `delete-${...}`, id: `edit-${...}`
   ]
@@ -87,6 +85,12 @@ function isUITemplateSuggestion(lineContent: string, surroundingContext: string)
     /exec\s*\(/i,
     /spawn\s*\(/i,
     /eval\s*\(/i,
+    /fetch\s*\(/i,
+    /axios\./i,
+    /\.redirect\s*\(/i,
+    /\.setHeader\s*\(/i,
+    /\.cookie\s*\(/i,
+    /location\./i,
   ]
 
   // Check if context matches UI pattern but NOT execution pattern
@@ -174,7 +178,7 @@ function hasOutputValidation(content: string, lineNumber: number): boolean {
     /validate/i,
     /sanitize/i,
     /escape/i,
-    /filter/i,
+    /\.filter\s*\([^)]*(?:allowed|safe|valid)/i,  // .filter(x => allowed.includes(x))
     /parse.*catch/i,
     /schema\./i,
     /\.parse\s*\(/i,
@@ -182,9 +186,19 @@ function hasOutputValidation(content: string, lineNumber: number): boolean {
     /whitelist/i,
     /blocklist/i,
     /blacklist/i,
+    /allowed(?:Columns|Tables|Hosts|Domains|Extensions|Types|Args|Paths)/i,  // Allowlist variable names
     /JSON\.parse.*catch/i,
     /DOMPurify/i,
     /xss/i,
+    /encodeURIComponent/i,
+    /\.replace\s*\(\s*\/\[.*\]\/[gi]*/i,  // Regex sanitization like .replace(/[^a-z0-9]/gi, '')
+    /textContent\s*=/i,  // Using textContent (safe) instead of innerHTML
+    /ReactMarkdown/i,  // React Markdown sanitizes by default
+    /ast\.literal_eval/i,  // Python safe eval
+    /yaml\.(?:safe_load|SafeLoader)/i,  // Safe YAML parsing
+    /\.startsWith\s*\(\s*['"]\/['"]?\)/i,  // Relative URL check
+    /new\s+URL\s*\(.*\).*origin/i,  // URL origin check
+    /path\.resolve.*startsWith/i,  // Path validation
   ]
 
   return validationPatterns.some(p => p.test(context))
@@ -325,12 +339,28 @@ const EXECUTION_SINK_PATTERNS: ExecutionSinkPattern[] = [
   // ========== Template/DOM Sinks ==========
   {
     name: 'LLM output to innerHTML',
-    pattern: /\.innerHTML\s*=\s*(?:response|result|output|completion|message|content)(?:\.|\.data\.|\.text|\.content)?/gi,
+    pattern: /\.innerHTML\s*=\s*(?:response|result|output|completion|message|content|generated)(?:\.|\.data\.|\.text|\.content)?/gi,
     sinkType: 'template_render',
     baseSeverity: 'high',
     description: 'LLM output assigned to innerHTML. If the model outputs malicious HTML/JS, it will execute (XSS).',
     suggestedFix: 'Use textContent for plain text. Sanitize HTML with DOMPurify before rendering. Use React/Vue which auto-escape by default.',
   },
+  {
+    name: 'LLM output to outerHTML',
+    pattern: /\.outerHTML\s*=\s*(?:response|result|output|completion|message|content|generated)(?:\.|\.data\.|\.text|\.content)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output assigned to outerHTML. This replaces the entire element and allows XSS.',
+    suggestedFix: 'Use textContent for plain text. Sanitize HTML with DOMPurify before rendering.',
+  },
+  {
+    name: 'LLM output to insertAdjacentHTML',
+    pattern: /\.insertAdjacentHTML\s*\([^,]+,\s*(?:response|result|output|completion|message|content|generated)/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'LLM output passed to insertAdjacentHTML. This allows XSS via injected HTML/JS.',
+    suggestedFix: 'Use insertAdjacentText for plain text. Sanitize HTML with DOMPurify: el.insertAdjacentHTML("beforeend", DOMPurify.sanitize(content))',
+  },
   {
     name: 'LLM output to dangerouslySetInnerHTML',
     pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*(?:response|result|output|completion|message|content)/gi,
@@ -399,8 +429,405 @@ const EXECUTION_SINK_PATTERNS: ExecutionSinkPattern[] = [
     description: 'AI output used in module path resolution. Could leak information about file system or enable module confusion attacks.',
     suggestedFix: 'Validate module name against allowlist before resolution.',
   },
+
+  // ========== Phase 2: Network/SSRF Sinks ==========
+  {
+    name: 'LLM output in fetch URL',
+    pattern: /fetch\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl|urlFromAi)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'code_execution', // SSRF is code-level risk
+    baseSeverity: 'critical',
+    description: 'AI-generated URL passed to fetch(). Attackers can manipulate the model to make requests to internal services (SSRF), exfiltrate data, or access localhost services.',
+    suggestedFix: 'Validate URL against allowlist: const allowed = ["api.example.com"]; if (!allowed.includes(new URL(url).host)) throw. Block private IP ranges.',
+  },
+  {
+    name: 'LLM output in axios request',
+    pattern: /axios\.(?:get|post|put|delete|patch|request)\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated URL passed to axios. This enables SSRF attacks where the model is manipulated to make requests to internal services.',
+    suggestedFix: 'Validate URL host against allowlist. Use axios interceptors to block private IPs and internal hosts.',
+  },
+  {
+    name: 'LLM output in axios config',
+    pattern: /axios\s*\(\s*\{[^}]*url:\s*(?:response|result|output|completion|aiUrl|generatedUrl)/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated URL passed to axios via config object. SSRF risk.',
+    suggestedFix: 'Validate URL host against allowlist before passing to axios.',
+  },
+  {
+    name: 'LLM output in HTTP client',
+    pattern: /(?:got|request|superagent|ky|undici\.fetch)\s*\(\s*(?:response|result|output|completion|aiUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated URL passed to HTTP client. Server-Side Request Forgery (SSRF) risk.',
+    suggestedFix: 'Validate URLs against allowlist of permitted hosts. Block internal IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, localhost).',
+  },
+
+  // ========== Phase 2: Redirect Sinks ==========
+  {
+    name: 'LLM output in server redirect',
+    pattern: /(?:res|response)\.redirect\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render', // Open redirect is similar to XSS
+    baseSeverity: 'high',
+    description: 'AI-generated URL used in HTTP redirect. Attackers can craft prompts to redirect users to phishing sites or malicious pages.',
+    suggestedFix: 'Validate redirect URL against allowlist. Only allow redirects to same-origin or known safe domains. Use relative URLs where possible.',
+  },
+  {
+    name: 'LLM output in client redirect assignment',
+    pattern: /(?:window\.)?location\.href\s*=\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated URL assigned to location.href. Enables open redirect attacks.',
+    suggestedFix: 'Validate URL before assignment. Prefer relative URLs or validate against allowlist: if (!url.startsWith("/") && !allowedHosts.includes(new URL(url).host)) throw',
+  },
+  {
+    name: 'LLM output in location.assign',
+    pattern: /location\.assign\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated URL passed to location.assign(). Enables open redirect attacks.',
+    suggestedFix: 'Validate URL before assignment. Only allow same-origin or allowlisted domains.',
+  },
+  {
+    name: 'LLM output in location.replace',
+    pattern: /location\.replace\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated URL passed to location.replace(). Enables open redirect attacks.',
+    suggestedFix: 'Validate URL before assignment. Only allow same-origin or allowlisted domains.',
+  },
+  {
+    name: 'LLM output in Next.js redirect',
+    pattern: /redirect\s*\(\s*(?:response|result|output|completion|aiUrl|generatedUrl)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated URL passed to Next.js redirect(). Enables open redirect attacks.',
+    suggestedFix: 'Validate URL before redirect. Only allow relative URLs or allowlisted domains.',
+  },
+  {
+    name: 'LLM output in meta refresh',
+    pattern: /<meta[^>]*http-equiv\s*=\s*['"`]refresh['"`][^>]*content\s*=\s*['"`][^'"]*url\s*=\s*(?:\$\{|<%=).*(?:response|output|completion)/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated URL in meta refresh tag. Open redirect vulnerability.',
+    suggestedFix: 'Avoid meta refresh with dynamic URLs. Use server-side redirects with URL validation instead.',
+  },
+
+  // ========== Phase 2: Header Injection Sinks ==========
+  {
+    name: 'LLM output in response header',
+    pattern: /(?:res|response)\.(?:setHeader|set|header)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:response|result|output|completion|aiValue)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated value used in HTTP response header. Enables header injection attacks (CRLF injection, cache poisoning).',
+    suggestedFix: 'Sanitize header values: remove CR/LF characters. Validate against expected format. Never use AI output directly in security-sensitive headers (Set-Cookie, Authorization).',
+  },
+  {
+    name: 'LLM output in cookie',
+    pattern: /(?:res|response)\.(?:cookie|setCookie)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated value set as cookie. Could enable session fixation or cookie injection attacks.',
+    suggestedFix: 'Never use AI output for cookie values. Generate tokens server-side with crypto.randomBytes(). Validate any user-facing values.',
+  },
+  {
+    name: 'LLM output in res.type',
+    pattern: /(?:res|response)\.type\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'template_render',
+    baseSeverity: 'high',
+    description: 'AI-generated value used to set Content-Type. Could enable MIME confusion attacks.',
+    suggestedFix: 'Use allowlist for content types: const allowed = ["json", "html", "text"]; if (!allowed.includes(type)) throw',
+  },
+
+  // ========== Phase 3: Additional Code Execution Sinks ==========
+  {
+    name: 'LLM output to setTimeout/setInterval string',
+    pattern: /(?:setTimeout|setInterval)\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'high',
+    description: 'AI-generated string passed to setTimeout/setInterval. When passed a string, these functions act like eval().',
+    suggestedFix: 'Never pass strings to setTimeout/setInterval. Use arrow functions: setTimeout(() => doSomething(), 1000)',
+  },
+  {
+    name: 'LLM output to globalThis.eval',
+    pattern: /(?:globalThis|window)\[?['"]?eval['"]?\]?\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated code passed to eval via globalThis/window. This is indirect eval() that enables arbitrary code execution.',
+    suggestedFix: 'Never eval() LLM output. Use structured output and validation.',
+  },
+  {
+    name: 'LLM output to execa',
+    pattern: /execa\s*\(\s*(?:response|result|output|completion)(?:\.choices\[0\]\.message\.content|\.content|\.text)?/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'AI-generated command passed to execa. This enables command injection attacks.',
+    suggestedFix: 'Never pass LLM output directly to shell. Use allowlists for permitted commands.',
+  },
+
+  // ========== Phase 3: Python-Specific Sinks ==========
+  {
+    name: 'LLM output to Python eval',
+    pattern: /eval\s*\(\s*(?:response|result|output|completion|code)(?:\[['"]?choices['"]?\]\[0\]\[['"]?message['"]?\]\[['"]?content['"]?\]|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated code passed to Python eval(). Enables arbitrary code execution.',
+    suggestedFix: 'Never eval() LLM output. Use ast.literal_eval() for safe literal evaluation, or JSON parsing with schema validation.',
+  },
+  {
+    name: 'LLM output to Python exec',
+    pattern: /exec\s*\(\s*(?:response|result|output|completion)(?:\[['"]?choices['"]?\]\[0\]\[['"]?message['"]?\]\[['"]?content['"]?\]|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated code passed to Python exec(). Enables arbitrary code execution.',
+    suggestedFix: 'Never exec() LLM output. Use structured output and validation instead.',
+  },
+  {
+    name: 'LLM output to pickle.loads',
+    pattern: /pickle\.loads?\s*\(\s*(?:response|result|output|completion|serialized)(?:\.encode\(\)|\.content|\.text)?/gi,
+    sinkType: 'code_execution',
+    baseSeverity: 'critical',
+    description: 'AI-generated data passed to pickle.loads(). Pickle deserialization can execute arbitrary code.',
+    suggestedFix: 'Never unpickle untrusted data. Use JSON or other safe serialization formats.',
+  },
+  {
+    name: 'LLM output to subprocess with shell=True',
+    pattern: /subprocess\.(?:run|call|Popen)\s*\(\s*(?:response|result|output|completion|ai_command|generated_cmd)(?:\.content|\.text)?[^)]*shell\s*=\s*True/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'AI-generated command passed to subprocess with shell=True. Enables command injection.',
+    suggestedFix: 'Never use shell=True with user/AI input. Use subprocess.run(["cmd", "arg1", "arg2"]) without shell.',
+  },
+  {
+    name: 'LLM output to os.system',
+    pattern: /os\.system\s*\(\s*(?:response|result|output|completion|generated_cmd|ai_command)(?:\.content|\.text)?/gi,
+    sinkType: 'shell_command',
+    baseSeverity: 'critical',
+    description: 'AI-generated command passed to os.system(). Enables command injection.',
+    suggestedFix: 'Use subprocess.run() with list arguments instead of os.system(). Never pass AI output to shell.',
+  },
+  {
+    name: 'Python SQL f-string injection',
+    pattern: /cursor\.execute\s*\(\s*f["'].*\{.*(?:response|result|output|completion)/gi,
+    sinkType: 'sql_builder',
+    baseSeverity: 'critical',
+    description: 'AI-generated value interpolated into SQL query via f-string. Enables SQL injection.',
+    suggestedFix: 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = ?", [user_id])',
+  },
 ]
 
+// ============================================================================
+// Phase 2: URL/Network Validation Detection
+// ============================================================================
+
+/**
+ * Check if URL validation is present (returns 'strong', 'weak', or 'none')
+ * Strong validation = skip finding entirely
+ * Weak validation = downgrade severity
+ */
+function getURLValidationLevel(content: string, lineNumber: number): 'strong' | 'weak' | 'none' {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  // Strong validation - skip entirely
+  const strongValidationPatterns = [
+    /allowedHosts\.includes\s*\(\s*(?:new\s+URL)?/i,  // Explicit allowlist check
+    /safeDomains\.includes\s*\(/i,  // Safe domain allowlist
+    /allowedDomains\.includes\s*\(/i,  // Allowed domain check
+    /if\s*\(\s*allowedHosts/i,  // Conditional on allowlist
+    /if\s*\(\s*safeDomains/i,  // Conditional on safe domains
+    /url\.origin\s*===\s*(?:window\.)?(?:location\.)?origin/i,  // Same-origin check
+    /\.origin\s*===\s*origin/i,  // Same-origin check
+    /\.startsWith\s*\(\s*['"]\/['"]?\s*\)\s*&&\s*!\s*\w+\.startsWith\s*\(\s*['"]\/\//i,  // Relative URL with protocol-relative check
+    /if\s*\(\s*\w+\.startsWith\s*\(\s*['"]\/['"]?\s*\)\s*&&\s*!/i,  // Relative URL validation
+    /blockedHosts\.includes\s*\(/i,  // Block list check
+    /privateIpPatterns\.some\s*\(/i,  // Private IP blocking
+  ]
+
+  if (strongValidationPatterns.some(p => p.test(context))) {
+    return 'strong'
+  }
+
+  // Weak validation - downgrade severity
+  const weakValidationPatterns = [
+    /isValidUrl|validateUrl|isAllowedUrl/i,
+    /new\s+URL\s*\(.*\).*(?:host|hostname|origin)/i,
+    /allowedUrls|allowedHosts|allowedDomains|safeDomains/i,
+    /url\.startsWith\s*\(\s*['"`](?:https?:\/\/|\/[^\/])/i,
+    /sanitizeUrl|encodeURIComponent/i,
+    /blockedHosts|blockedDomains|privateIp/i,
+    /\.includes\s*\(\s*(?:new\s+URL\s*\()?.*\.host/i,
+  ]
+
+  if (weakValidationPatterns.some(p => p.test(context))) {
+    return 'weak'
+  }
+
+  return 'none'
+}
+
+/**
+ * Legacy function for backward compatibility
+ */
+function hasURLValidation(content: string, lineNumber: number): boolean {
+  return getURLValidationLevel(content, lineNumber) !== 'none'
+}
+
+/**
+ * Check if DOM content is sanitized (e.g., DOMPurify)
+ */
+function isDOMSanitized(lineContent: string, surroundingContext: string): boolean {
+  const fullContext = lineContent + '\n' + surroundingContext
+
+  const sanitizationPatterns = [
+    /DOMPurify\.sanitize\s*\(/i,
+    /sanitizeHtml\s*\(/i,
+    /xss\s*\(/i,
+    /escapeHtml\s*\(/i,
+    /textContent\s*=/i,  // textContent is safe
+    /innerText\s*=/i,    // innerText is safe
+    /ReactMarkdown/i,    // ReactMarkdown sanitizes by default
+    /<ReactMarkdown>/i,  // JSX ReactMarkdown
+  ]
+
+  return sanitizationPatterns.some(p => p.test(fullContext))
+}
+
+/**
+ * Check if file path is properly validated
+ */
+function isPathValidated(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const pathValidationPatterns = [
+    /path\.resolve\s*\([^)]*\).*startsWith/i,  // Resolved path + startsWith check
+    /resolved\.startsWith\s*\(/i,  // Common pattern: resolved.startsWith(baseDir)
+    /!.*startsWith.*throw/i,  // Validation with throw on failure
+    /if\s*\(\s*!?\s*resolved\.startsWith/i,  // Conditional path check
+    /allowedExtensions\.includes\s*\(/i,  // Extension allowlist
+    /allowedPaths/i,  // Path allowlist
+    /SAFE_BASE_DIR/i,  // Common safe directory constant
+    /baseDir|safeDir|allowedDir/i,  // Directory restriction variables
+    /path\.basename\s*\(/i,  // Only using basename (no traversal)
+    /\.replace\s*\(/i,  // Generic replace (likely sanitization)
+  ]
+
+  return pathValidationPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if header value is sanitized
+ */
+function isHeaderSanitized(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const headerSanitizationPatterns = [
+    /\.replace\s*\(\s*\/\[\\r\\n\]/i,  // CRLF removal
+    /\.replace\s*\(\s*\/\[\\\\r\\\\n\]/i,  // CRLF removal (escaped)
+    /allowedTypes\.includes\s*\(/i,  // Content-type allowlist
+    /allowed(?:Headers|Types|Values)\.includes\s*\(/i,  // Generic allowlist
+    /if\s*\(\s*allowed\w*\.includes\s*\(/i,  // Conditional allowlist
+    /crypto\.random/i,  // Server-generated value (not AI)
+    /randomUUID/i,  // UUID generation
+    /safeValue|sanitized/i,  // Variable indicating sanitization
+    /\/\^?\[a-zA-Z0-9\-_\.\s\]\+\$?\/.*\.test\s*\(/i,  // Regex validation (alphanumeric chars only)
+    /if\s*\(\/\^?\[a-zA-Z0-9/i,  // Conditional with alphanumeric regex
+  ]
+
+  return headerSanitizationPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check for Python-specific safe patterns
+ */
+function isPythonSafe(lineContent: string, surroundingContext: string): boolean {
+  const fullContext = lineContent + '\n' + surroundingContext
+
+  const pythonSafePatterns = [
+    /ast\.literal_eval\s*\(/i,  // Safe literal evaluation
+    /yaml\.(?:safe_load|SafeLoader)/i,  // Safe YAML
+    /yaml\.load\s*\([^)]*Loader\s*=\s*yaml\.SafeLoader/i,  // Explicit SafeLoader
+    /cursor\.execute\s*\([^,]+,\s*\[/i,  // Parameterized query with list
+    /\?\s*,\s*\[/i,  // SQL placeholder with params
+    /%s.*,\s*\[/i,  // Python %s placeholder with list
+    /subprocess\.run\s*\(\s*\[/i,  // subprocess with list (no shell)
+    /shell\s*=\s*False/i,  // Explicit shell=False
+  ]
+
+  return pythonSafePatterns.some(p => p.test(fullContext))
+}
+
+/**
+ * Check if SQL is using parameterized queries or ORM
+ */
+function isSQLParameterized(lineContent: string, surroundingContext: string): boolean {
+  const fullContext = lineContent + '\n' + surroundingContext
+
+  const parameterizedPatterns = [
+    /allowedColumns\.filter\s*\(/i,  // Column allowlist
+    /safeColumns/i,  // Safe column variable
+    /allowedColumns\.includes\s*\(/i,  // Column allowlist check
+    /\.filter\s*\(\s*\w+\s*=>\s*allowed\w*\.includes/i,  // Filter with allowlist
+    /schema\.parse\s*\(/i,  // Zod schema validation
+    /z\.enum\s*\(\s*\[/i,  // Zod enum (allowlist)
+    /prisma\.\w+\.(?:findMany|findUnique|create|update)/i,  // Prisma ORM methods (not raw)
+    /\$\{.*\}.*WHERE.*=\s*\$\d/i,  // Dynamic column but parameterized value
+  ]
+
+  return parameterizedPatterns.some(p => p.test(fullContext))
+}
+
+/**
+ * Check if shell execution uses allowlist
+ */
+function isShellAllowlisted(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const shellAllowlistPatterns = [
+    /allowedArgs\.includes\s*\(/i,  // Argument allowlist
+    /if\s*\(\s*allowedArgs\.includes/i,  // Conditional on allowlist
+    /allowedCommands\.includes\s*\(/i,  // Command allowlist
+    /execFile\s*\(\s*['"][^'"]+['"]/i,  // execFile with hardcoded command (safe)
+    /\.replace\s*\(\s*\/\[^a-z0-9\]/gi,  // Strict sanitization
+    /sanitized\s*=/i,  // Sanitization variable
+  ]
+
+  return shellAllowlistPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if dynamic import uses allowlist
+ */
+function isImportAllowlisted(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  const importAllowlistPatterns = [
+    /ALLOWED_PLUGINS\s*[=:]/i,  // Plugin allowlist
+    /importMap\s*[=:]/i,  // Import map object
+    /allowedModules/i,  // Module allowlist
+    /if\s*\(\s*\w+\s+in\s+importMap\)/i,  // Key in import map
+    /if\s*\(\s*loader\)/i,  // Loader function check (from allowlist)
+    /\[aiModule\]\s*$/i,  // Array access into known object (allowlist lookup)
+  ]
+
+  return importAllowlistPatterns.some(p => p.test(context))
+}
+
 // ============================================================================
 // Main Detection Function
 // ============================================================================
@@ -529,12 +956,86 @@ export function detectAIExecutionSinks(
       const isSandboxed = isSandboxedExecution(content, lineNumber)
       const hasValidation = hasOutputValidation(content, lineNumber)
 
+      // ===== SINK-SPECIFIC VALIDATION CHECKS =====
+
+      // Phase 2: Check for URL validation on network/redirect sinks (SSRF, Open Redirect)
+      const isNetworkSink = pattern.name.includes('fetch') || pattern.name.includes('axios') ||
+        pattern.name.includes('HTTP') || pattern.name.includes('redirect') ||
+        pattern.name.includes('location') || pattern.name.includes('got')
+      if (isNetworkSink) {
+        const urlValidLevel = getURLValidationLevel(content, lineNumber)
+        if (urlValidLevel === 'strong') {
+          continue  // Skip - strong URL validation present
+        }
+      }
+
+      // Phase 3: Check for DOM sanitization on template_render sinks
+      const hasDOMSanitization = pattern.sinkType === 'template_render'
+        ? isDOMSanitized(lineContent, surroundingContext)
+        : false
+
+      // Skip DOM findings if sanitized
+      if (hasDOMSanitization && pattern.sinkType === 'template_render') {
+        continue
+      }
+
+      // Check for header sanitization
+      const isHeaderSink = pattern.name.includes('header') || pattern.name.includes('cookie') ||
+        pattern.name.includes('res.type')
+      if (isHeaderSink && isHeaderSanitized(content, lineNumber)) {
+        continue  // Skip - header value is sanitized
+      }
+
+      // Check for path validation on file system sinks
+      const isFileSink = pattern.name.includes('file path') || pattern.name.includes('fs operation') ||
+        pattern.name.includes('path.join')
+      if (isFileSink && isPathValidated(content, lineNumber)) {
+        continue  // Skip - path is validated
+      }
+
+      // Check for SQL parameterization
+      const isSQLSink = pattern.sinkType === 'sql_builder'
+      if (isSQLSink && isSQLParameterized(lineContent, surroundingContext)) {
+        continue  // Skip - SQL is parameterized or uses allowlist
+      }
+
+      // Check for shell allowlist
+      const isShellSink = pattern.sinkType === 'shell_command'
+      if (isShellSink && isShellAllowlisted(content, lineNumber)) {
+        continue  // Skip - shell command uses allowlist
+      }
+
+      // Check for import allowlist
+      const isImportSink = pattern.name.includes('import') || pattern.name.includes('require')
+      if (isImportSink && isImportAllowlisted(content, lineNumber)) {
+        continue  // Skip - import uses allowlist
+      }
+
+      // Check for Python-specific safe patterns
+      const isPythonSink = pattern.name.includes('Python') || pattern.name.includes('pickle') ||
+        pattern.name.includes('subprocess') || pattern.name.includes('os.system')
+      if (isPythonSink && isPythonSafe(lineContent, surroundingContext)) {
+        continue  // Skip - Python code uses safe patterns
+      }
+
+      // Check for ast.literal_eval (Python safe eval) - this is a safe alternative to eval()
+      // It matches the eval pattern because literal_eval contains "eval("
+      if (pattern.name.includes('eval') && /ast\.literal_eval\s*\(/i.test(lineContent)) {
+        continue  // Skip - ast.literal_eval is safe, only evaluates literals
+      }
+
+      // Check URL validation level for severity adjustment
+      const hasURLValid = isNetworkSink ? getURLValidationLevel(content, lineNumber) !== 'none' : false
+
+      // Combine validation checks (URL validation counts as validation for network sinks)
+      const effectiveValidation = hasValidation || hasURLValid
+
       // Calculate final severity
       const severity = calculateSeverity(
         pattern.baseSeverity,
         pattern.sinkType,
         isSandboxed,
-        hasValidation,
+        effectiveValidation,
         isTestFile,
         isExample,
         isLibrary
@@ -548,6 +1049,9 @@ export function detectAIExecutionSinks(
       if (hasValidation) {
         description += ' (Some validation detected nearby.)'
       }
+      if (hasURLValid && !hasValidation) {
+        description += ' (URL validation detected nearby.)'
+      }
       if (isTestFile) {
         description += ' (In test file.)'
       } else if (isExample) {

package/src/layer2/ai-fingerprinting.ts

@@ -4,7 +4,7 @@
  */
 
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import { isExampleFile, isTestOrMockFile, isPlaceholderValue } from '../utils/context-helpers'
+import { isExampleFile, isTestOrMockFile, isPlaceholderValue, isScannerOrFixtureFile } from '../utils/context-helpers'
 
 interface AIFingerprint {
   name: string
@@ -635,6 +635,10 @@ export function detectAIFingerprints(
   filePath: string
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
+
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+
   const lines = content.split('\n')
 
   // Skip example/demo files entirely - they contain placeholder code by design