@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/dangerous-functions/patterns.ts

@@ -0,0 +1,174 @@
+/**
+ * Dangerous Function Pattern Definitions
+ *
+ * This module defines the patterns for detecting dangerous function calls.
+ * These patterns are used by the main detection engine.
+ */
+
+import type { VulnerabilitySeverity } from '../../types'
+
+export interface DangerousFunctionPattern {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+  languages?: string[] // Optional: restrict to specific languages
+}
+
+export const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[] = [
+  // Code execution
+  {
+    name: 'eval() usage',
+    pattern: /\beval\s*\(/gi,
+    severity: 'critical',
+    description: 'eval() executes arbitrary code and is a major security risk',
+    suggestedFix: 'Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution',
+  },
+  {
+    name: 'Function constructor',
+    pattern: /new\s+Function\s*\(/gi,
+    severity: 'critical',
+    description: 'Function constructor can execute arbitrary code like eval()',
+    suggestedFix: 'Refactor to use static functions or safe alternatives',
+  },
+  {
+    name: 'setTimeout/setInterval with string',
+    pattern: /set(Timeout|Interval)\s*\(\s*['"`]/gi,
+    severity: 'high',
+    description: 'setTimeout/setInterval with string argument acts like eval()',
+    suggestedFix: 'Pass a function reference instead of a string',
+  },
+
+  // Command injection
+  {
+    name: 'child_process exec',
+    pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/gi,
+    severity: 'high',
+    description: 'Shell command execution can lead to command injection',
+    suggestedFix: 'Validate and sanitize all inputs, prefer execFile over exec',
+  },
+  {
+    name: 'os.system/subprocess (Python)',
+    pattern: /\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(/gi,
+    severity: 'high',
+    description: 'Shell command execution can lead to command injection',
+    suggestedFix: 'Use subprocess with shell=False and pass arguments as a list',
+    languages: ['py'],
+  },
+
+  // SQL injection risks
+  {
+    name: 'Raw SQL query construction',
+    pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
+    severity: 'critical',
+    description: 'String concatenation in SQL queries can lead to SQL injection',
+    suggestedFix: 'Use parameterized queries or prepared statements',
+  },
+  {
+    name: 'SQL template literal',
+    pattern: /`SELECT.*FROM.*WHERE.*\$\{|`INSERT.*INTO.*VALUES.*\$\{|`UPDATE.*SET.*\$\{|`DELETE.*FROM.*WHERE.*\$\{/gi,
+    severity: 'critical',
+    description: 'Template literals in SQL queries can lead to SQL injection',
+    suggestedFix: 'Use parameterized queries with placeholders (?, $1, etc.)',
+  },
+
+  // XSS risks
+  {
+    name: 'innerHTML assignment',
+    pattern: /\.innerHTML\s*=|\.outerHTML\s*=/gi,
+    severity: 'high',
+    description: 'Direct innerHTML assignment can lead to XSS vulnerabilities',
+    suggestedFix: 'Use textContent for text, or sanitize HTML with DOMPurify',
+  },
+  {
+    name: 'document.write',
+    pattern: /document\.write\s*\(/gi,
+    severity: 'high',
+    description: 'document.write can introduce XSS vulnerabilities',
+    suggestedFix: 'Use DOM manipulation methods instead',
+  },
+  {
+    name: 'dangerouslySetInnerHTML',
+    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
+    severity: 'high',
+    description: 'dangerouslySetInnerHTML can lead to XSS if content is not sanitized',
+    suggestedFix: 'Sanitize HTML content with DOMPurify before rendering',
+  },
+
+  // Deserialization
+  {
+    name: 'Unsafe deserialization',
+    pattern: /\b(pickle\.loads?|yaml\.load\s*\((?!.*Loader)|unserialize|Marshal\.load)\s*\(/gi,
+    severity: 'critical',
+    description: 'Unsafe deserialization can lead to remote code execution',
+    suggestedFix: 'Use safe loaders (yaml.safe_load) or validate input before deserializing',
+  },
+  // Note: JSON.parse is handled specially with source-aware severity - see json-parse.ts
+  // Note: request.json() is NOT a dangerous function - see request-validation.ts
+
+  // File system risks
+  {
+    name: 'Dynamic file path',
+    pattern: /\b(readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\(\s*[^'"]/gi,
+    severity: 'medium',
+    description: 'Dynamic file paths can lead to path traversal attacks',
+    suggestedFix: 'Validate and sanitize file paths, use path.resolve with a base directory',
+  },
+  {
+    name: 'Path traversal risk',
+    pattern: /path\.(join|resolve)\s*\([^)]*req\.(params|query|body)/gi,
+    severity: 'high',
+    description: 'User input in file paths can lead to path traversal attacks',
+    suggestedFix: 'Validate paths and ensure they stay within allowed directories',
+  },
+
+  // Crypto weaknesses
+  {
+    name: 'Math.random for security',
+    pattern: /Math\.random\s*\(\s*\)/gi,
+    severity: 'medium',
+    description: 'Math.random() is not cryptographically secure',
+    suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive operations',
+  },
+
+  // Regex DoS
+  {
+    name: 'Potentially unsafe regex',
+    pattern: /new\s+RegExp\s*\(\s*[^'"]/gi,
+    severity: 'medium',
+    description: 'Dynamic regex construction can lead to ReDoS attacks',
+    suggestedFix: 'Validate regex patterns and consider using safe-regex library',
+  },
+
+  // Prototype pollution
+  {
+    name: 'Object.assign with user input',
+    pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(req\.|request\.|body|params|query)/gi,
+    severity: 'high',
+    description: 'Object.assign with user input can lead to prototype pollution',
+    suggestedFix: 'Validate and sanitize input, or use a safe merge function',
+  },
+  {
+    name: 'Spread operator with user input',
+    pattern: /\{\s*\.\.\.req\.(body|params|query)|\.\.\.request\.(body|params|query)/gi,
+    severity: 'medium',
+    description: 'Spreading user input can lead to mass assignment vulnerabilities',
+    suggestedFix: 'Explicitly pick allowed properties instead of spreading all input',
+  },
+]
+
+/**
+ * Check if file matches language filter
+ */
+export function matchesLanguage(filePath: string, languages?: string[]): boolean {
+  if (!languages || languages.length === 0) return true
+
+  const ext = filePath.split('.').pop()?.toLowerCase() || ''
+  return languages.some(lang => {
+    if (lang === 'py') return ext === 'py'
+    if (lang === 'js') return ['js', 'jsx', 'mjs', 'cjs'].includes(ext)
+    if (lang === 'ts') return ['ts', 'tsx'].includes(ext)
+    return ext === lang
+  })
+}

package/src/layer2/dangerous-functions/request-validation.ts

@@ -0,0 +1,145 @@
+/**
+ * Request Body Validation Detection
+ *
+ * Detection logic for request.json() / req.json() usage without
+ * proper schema validation.
+ */
+
+import type { Vulnerability } from '../../types'
+import { isComment } from '../../utils/context-helpers'
+import { hasManualValidation } from './utils/schema-validation'
+import { hasThrowingAuthHelper } from './utils/helpers'
+
+/**
+ * Detect request.json() / req.json() and suggest schema validation
+ * This is NOT a dangerous function - it's a prompt for best practices
+ */
+export function detectRequestJsonValidation(
+  content: string,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // Only check API route files
+  if (
+    !/\/(api|routes?|handlers?|controllers?)\//i.test(filePath) &&
+    !/route\.(ts|js)$/i.test(filePath)
+  ) {
+    return
+  }
+
+  // Skip if route has throwing auth helper - these are already protected routes
+  // and the schema validation suggestion is lower priority
+  if (hasThrowingAuthHelper(content)) {
+    return
+  }
+
+  const lines = content.split('\n')
+  // Matches: request.json(), req.json(), await request.json(), etc.
+  const requestJsonPattern = /\b(request|req)\.json\s*\(\s*\)/gi
+
+  // Check if file has schema validation (library-based)
+  const hasSchemaLibrary =
+    /\b(zod|yup|joi|ajv|superstruct|valibot|typebox)\b/i.test(content) ||
+    /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(/i.test(content)
+
+  // If file has schema library validation, don't report
+  if (hasSchemaLibrary) return
+
+  // Check for manual validation patterns (less robust but still indicates intent)
+  const hasManualCheck = hasManualValidation(content)
+
+  // Track instances for potential aggregation
+  const instances: { lineNumber: number; lineContent: string }[] = []
+
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+
+    requestJsonPattern.lastIndex = 0
+    if (!requestJsonPattern.test(line)) return
+
+    // Check if there's validation nearby (within 10 lines after)
+    const startCheck = index
+    const endCheck = Math.min(lines.length, index + 10)
+    const nearbyContent = lines.slice(startCheck, endCheck).join('\n')
+
+    // If there's validation in the nearby lines, skip
+    if (
+      /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(|schema\./i.test(
+        nearbyContent
+      )
+    ) {
+      return
+    }
+
+    // If manual validation is present, skip individual reporting but track for aggregate
+    if (hasManualCheck) {
+      instances.push({ lineNumber: index + 1, lineContent: line.trim() })
+      return
+    }
+
+    if (isTestFile) {
+      return // Don't report in test files
+    }
+
+    instances.push({ lineNumber: index + 1, lineContent: line.trim() })
+  })
+
+  // Don't report if no instances found
+  if (instances.length === 0) return
+
+  // If manual validation exists, create a single info-level note
+  if (hasManualCheck && instances.length > 0) {
+    vulnerabilities.push({
+      id: `request-json-manual-${filePath}`,
+      filePath,
+      lineNumber: instances[0].lineNumber,
+      lineContent: instances[0].lineContent,
+      severity: 'info',
+      category: 'dangerous_function',
+      title: 'Request body with manual validation',
+      description: `API endpoint parses request body with manual validation patterns detected. Consider using a schema library (zod, yup) for more robust type-safe validation.`,
+      suggestedFix:
+        'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // Aggregate if multiple instances without validation
+  if (instances.length >= 2) {
+    const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5)
+    vulnerabilities.push({
+      id: `request-json-aggregated-${filePath}`,
+      filePath,
+      lineNumber: instances[0].lineNumber,
+      lineContent: `${instances.length} instances`,
+      severity: 'info',
+      category: 'dangerous_function',
+      title: `Request body without schema validation (${instances.length} instances)`,
+      description: `API endpoint parses request body without visible schema validation at lines: ${lineNumbers.join(', ')}. Consider validating the shape of incoming data.`,
+      suggestedFix:
+        'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+      confidence: 'low',
+      layer: 2,
+    })
+  } else {
+    // Single instance
+    vulnerabilities.push({
+      id: `request-json-${filePath}-${instances[0].lineNumber}`,
+      filePath,
+      lineNumber: instances[0].lineNumber,
+      lineContent: instances[0].lineContent,
+      severity: 'info',
+      category: 'dangerous_function',
+      title: 'Request body without schema validation',
+      description:
+        'API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.',
+      suggestedFix:
+        'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
+      confidence: 'low',
+      layer: 2,
+    })
+  }
+}

package/src/layer2/dangerous-functions/utils/control-flow.ts

@@ -0,0 +1,162 @@
+/**
+ * Control Flow Analysis Utilities
+ *
+ * Functions for analyzing code control flow, including try-catch detection
+ * and function context extraction.
+ */
+
+import { isComment } from '../../../utils/context-helpers'
+
+/**
+ * Check if a line is inside a try-catch block
+ * Looks for enclosing try { ... } catch pattern
+ */
+export function isInsideTryCatch(content: string, lineNumber: number): boolean {
+  const lines = content.split('\n')
+
+  // Track brace depth and whether we're in a try block
+  let tryDepth = 0
+  let inTryBlock = false
+  const braceStack: Array<'try' | 'other'> = []
+
+  // Scan from start to the target line
+  for (let i = 0; i < lineNumber && i < lines.length; i++) {
+    const line = lines[i]
+
+    // Check for try keyword (not in a comment)
+    if (/\btry\s*\{/.test(line) && !isComment(line)) {
+      inTryBlock = true
+      tryDepth++
+      // Count opening braces on this line
+      const openBraces = (line.match(/\{/g) || []).length
+      const closeBraces = (line.match(/\}/g) || []).length
+      for (let j = 0; j < openBraces - closeBraces; j++) {
+        braceStack.push('try')
+      }
+    } else if (/\bcatch\s*\(/.test(line) && !isComment(line)) {
+      // Entering catch block - still protected
+      // Don't decrement tryDepth yet
+    } else if (/\bfinally\s*\{/.test(line) && !isComment(line)) {
+      // Entering finally block - still protected
+    } else {
+      // Track regular braces
+      const openBraces = (line.match(/\{/g) || []).length
+      const closeBraces = (line.match(/\}/g) || []).length
+
+      for (let j = 0; j < openBraces; j++) {
+        braceStack.push(inTryBlock && tryDepth > 0 ? 'try' : 'other')
+      }
+
+      for (let j = 0; j < closeBraces; j++) {
+        const popped = braceStack.pop()
+        if (popped === 'try') {
+          tryDepth--
+          if (tryDepth === 0) {
+            inTryBlock = false
+          }
+        }
+      }
+    }
+  }
+
+  return tryDepth > 0
+}
+
+/**
+ * Simpler heuristic: check if there's a try-catch in the same function scope
+ * Looks for try { before the line and } catch after, within reasonable bounds
+ */
+export function hasTryCatchNearby(content: string, lineNumber: number, windowSize: number = 20): boolean {
+  const lines = content.split('\n')
+  const startLine = Math.max(0, lineNumber - windowSize)
+  const endLine = Math.min(lines.length, lineNumber + windowSize)
+
+  // Look backward for 'try {'
+  let foundTry = false
+  for (let i = lineNumber - 1; i >= startLine; i--) {
+    const line = lines[i]
+    if (/\btry\s*\{/.test(line) && !isComment(line)) {
+      foundTry = true
+      break
+    }
+    // Stop if we hit a function boundary
+    if (/\b(function|async function|=>|class)\b/.test(line) && /\{/.test(line)) {
+      break
+    }
+  }
+
+  if (!foundTry) return false
+
+  // Look forward for '} catch'
+  for (let i = lineNumber; i < endLine; i++) {
+    const line = lines[i]
+    if (/\}\s*catch\s*\(/.test(line) && !isComment(line)) {
+      return true
+    }
+    // Stop if we hit another function boundary
+    if (i > lineNumber && /\b(function|async function|class)\b/.test(line) && /\{/.test(line)) {
+      break
+    }
+  }
+
+  return false
+}
+
+/**
+ * Extract function context where a call is being made
+ * Looks backwards from the current line to find enclosing function name
+ * Returns lowercase function name or null if not found
+ */
+export function extractFunctionContext(content: string, lineNumber: number): string | null {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineNumber - 20) // Increased from 10 to 20 for nested callbacks
+
+  // Look backwards for function declaration
+  for (let i = lineNumber; i >= start; i--) {
+    const line = lines[i]
+
+    // Skip anonymous arrow functions in callbacks (e.g., .map((x) => ...), .replace(/x/g, (c) => ...))
+    // These are not the function context we're looking for
+    // Look for pattern: .methodName(..., (param) => or .methodName(...(param) =>
+    const hasMethodCallWithArrowCallback = /\.\w+\(.*\([^)]*\)\s*=>/.test(line)
+
+    // Skip lines that only have arrow callbacks in method calls
+    if (hasMethodCallWithArrowCallback && !/^(const|let|var|function|async|export)/.test(line.trim())) {
+      continue
+    }
+
+    // Named function declaration: function funcName(
+    const funcMatch = line.match(/function\s+(\w+)\s*\(/)
+    if (funcMatch) {
+      return funcMatch[1].toLowerCase()
+    }
+
+    // Arrow function with const/let/var: const funcName = () => | const funcName = async () =>
+    // Must have => after the parameters to distinguish from const x = (expression)
+    // Also handles TypeScript return type annotations: const funcName = (): string =>
+    const arrowMatch = line.match(/(const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/)
+    if (arrowMatch) {
+      return arrowMatch[2].toLowerCase()
+    }
+
+    // Method declaration: methodName() { or async methodName() {
+    const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/)
+    if (methodMatch) {
+      return methodMatch[1].toLowerCase()
+    }
+
+    // Export function: export function funcName( or export const funcName = () =>
+    const exportFuncMatch = line.match(/export\s+(?:async\s+)?function\s+(\w+)\s*\(/)
+    if (exportFuncMatch) {
+      return exportFuncMatch[1].toLowerCase()
+    }
+
+    // Also handles TypeScript return type annotations: export const funcName = (): string =>
+    const exportConstMatch = line.match(/export\s+const\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/)
+    if (exportConstMatch) {
+      return exportConstMatch[1].toLowerCase()
+    }
+  }
+
+  return null
+}

package/src/layer2/dangerous-functions/utils/helpers.ts

@@ -0,0 +1,170 @@
+/**
+ * General Helper Utilities
+ *
+ * Small utility functions used across the dangerous functions detection module.
+ */
+
+/**
+ * Get a specific line from content by line number (0-indexed)
+ */
+export function getLineContent(content: string, lineNumber: number): string {
+  const lines = content.split('\n')
+  return lines[lineNumber] || ''
+}
+
+/**
+ * Get a range of lines from content
+ */
+export function getLineRange(
+  content: string,
+  startLine: number,
+  endLine: number
+): string {
+  const lines = content.split('\n')
+  const start = Math.max(0, startLine)
+  const end = Math.min(lines.length, endLine)
+  return lines.slice(start, end).join('\n')
+}
+
+/**
+ * Check if eval/exec/Function has only static literal inputs (no user data)
+ * Static inputs like eval('({ mode: "production" })') are low risk
+ *
+ * Returns true ONLY if the argument is a string literal (not a variable)
+ */
+export function hasOnlyStaticInputs(
+  lineContent: string,
+  content: string,
+  lineNumber: number
+): boolean {
+  // Check if the argument to eval/exec/Function is a string literal ONLY
+  // If it's a variable, it's NOT static (could come from anywhere)
+  //
+  // String literal patterns:
+  // - Single quotes: 'content with "double quotes" inside' (no $ interpolation)
+  // - Double quotes: "content" (no $ interpolation)
+  // - Backticks without ${}: `content` (template literal but no interpolation)
+  //
+  // Note: We allow quotes INSIDE the string (e.g., 'text "with" quotes')
+  // but NOT $ (which would indicate interpolation)
+  const staticPatterns = [
+    // Single-quoted string: eval('...') - can contain anything except single quotes and $
+    /eval\s*\(\s*'[^'$]*'\s*\)/,
+    // Double-quoted string: eval("...") - can contain anything except double quotes and $
+    /eval\s*\(\s*"[^"$]*"\s*\)/,
+    // Backtick without interpolation: eval(`...`) - must not have ${ inside
+    /eval\s*\(\s*`[^`$]*`\s*\)/,
+    // Function constructor with string literal
+    /new\s+Function\s*\(\s*'[^'$]*'\s*\)/,
+    /new\s+Function\s*\(\s*"[^"$]*"\s*\)/,
+    // execSync with string literal
+    /execSync\s*\(\s*'[^'$]*'\s*\)/,
+    /execSync\s*\(\s*"[^"$]*"\s*\)/,
+    // exec with string literal
+    /exec\s*\(\s*'[^'$]*'/,
+    /exec\s*\(\s*"[^"$]*"/,
+  ]
+
+  // Only return true if it matches a static pattern (string literal)
+  // If it's a variable like eval(code), we can't assume it's static
+  return staticPatterns.some(p => p.test(lineContent))
+}
+
+/**
+ * Check if path traversal protection is in place
+ * Looks for common sanitization patterns that prevent directory traversal attacks
+ */
+export function hasPathTraversalProtection(
+  context: string,
+  lineContent: string
+): boolean {
+  const protectionPatterns = [
+    // Path normalization with base directory check (same line)
+    /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
+
+    // startsWith check with common safe directory variable names
+    /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir|safeDir|SAFE_)/i,
+
+    // MULTI-LINE PATTERN: path.resolve followed by startsWith check in context
+    // This handles the common case where resolve and startsWith are on separate lines:
+    //   const resolved = path.resolve(baseDir, userPath)
+    //   if (!resolved.startsWith(baseDir)) throw new Error()
+    // We check for BOTH patterns being present in the context
+    // (handled below as combined check)
+
+    // Explicit ".." rejection
+    /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+    /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
+    /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
+    // Replace ".." pattern (sanitization)
+    /\.replace\s*\([^)]*\\?\.\\?\.\s*[^)]*,\s*['"`]['"`]\s*\)/i,
+
+    // Path sanitization libraries
+    /sanitizePath|sanitizeFilename|sanitize-filename/i,
+    /path-sanitizer|secure-path/i,
+
+    // Explicit path validation
+    /validatePath|isValidPath|checkPath|verifyPath/i,
+    /isPathAllowed|isAllowedPath|pathIsAllowed/i,
+
+    // Normalize and check pattern
+    /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
+
+    // Regex validation for safe characters only
+    /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//, // Only alphanumeric, dash, underscore, dot
+
+    // Allowlist/whitelist patterns
+    /allowedExtensions|allowedTypes|whitelist/i,
+    /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i, // Extension check
+
+    // Path.basename to strip directory
+    /path\.basename\s*\(/i,
+
+    // Zod/validation for filename patterns
+    /z\.string\s*\(\s*\)\.regex\s*\(/i,
+  ]
+
+  // Check single-line patterns
+  if (protectionPatterns.some(p => p.test(context) || p.test(lineContent))) {
+    return true
+  }
+
+  // Multi-line pattern: path.resolve + startsWith check on separate lines
+  // This is a very common secure pattern:
+  //   const resolved = path.resolve(safeBaseDir, userInput)
+  //   if (!resolved.startsWith(safeBaseDir)) { throw ... }
+  const hasPathResolve = /path\.resolve\s*\(/i.test(context)
+  const hasStartsWithCheck = /\.startsWith\s*\(/i.test(context)
+  const hasThrowOnFailure = /(throw|return|reject)\s+.*(error|invalid|denied)/i.test(context)
+
+  if (hasPathResolve && hasStartsWithCheck && hasThrowOnFailure) {
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
+ * Routes with throwing auth helpers are already protected
+ */
+export function hasThrowingAuthHelper(content: string): boolean {
+  const throwingAuthPatterns = [
+    /\bgetCurrentUserId\s*\(/i,
+    /\brequireAuth\s*\(/i,
+    /\bensureAuth\s*\(/i,
+    /\bauth\s*\(\s*\)\s*\.protect\s*\(/i, // Clerk: auth().protect()
+    /\bcurrentUser\s*\(\s*\)/i, // Clerk: currentUser()
+    /\bgetServerSession\s*\([^)]*\)/i, // NextAuth
+    /\bauth\s*\(\s*\)/i, // Generic auth() call
+    /\bcheckAuth\s*\(/i,
+    /\bverifyAuth\s*\(/i,
+    /\bvalidateAuth\s*\(/i,
+    /\bassertAuth\s*\(/i,
+    /\bgetAuth\s*\(/i,
+    /\brequireUser\s*\(/i,
+    /\bgetUser\s*\(\s*\)/i, // supabase.auth.getUser()
+    /const\s+\{\s*user\s*\}\s*=\s*await/i, // Destructuring pattern
+  ]
+  return throwingAuthPatterns.some(p => p.test(content))
+}

package/src/layer2/dangerous-functions/utils/index.ts

@@ -0,0 +1,25 @@
+/**
+ * Utility Functions Index
+ *
+ * Re-exports all utility functions from the dangerous-functions module.
+ */
+
+export {
+  isInsideTryCatch,
+  hasTryCatchNearby,
+  extractFunctionContext,
+} from './control-flow'
+
+export {
+  hasSchemaValidationNearby,
+  hasManualValidation,
+  hasSQLWhitelistValidation,
+} from './schema-validation'
+
+export {
+  getLineContent,
+  getLineRange,
+  hasOnlyStaticInputs,
+  hasPathTraversalProtection,
+  hasThrowingAuthHelper,
+} from './helpers'