@qasshq/qass 0.1.2

package/dist/runners/security/rules/config-audit.js

@@ -0,0 +1,91 @@
+/**
+ * Audits application configuration for security issues.
+ *
+ * Checks for:
+ * - CORS with localhost origins in non-dev configuration
+ * - Helmet CSP disabled
+ * - Error handlers leaking err.message in production
+ * - trust proxy misconfiguration
+ * - Hardcoded admin emails as fallbacks
+ */
+export async function runConfigAuditRule(files, _config) {
+    const findings = [];
+    for (const file of files) {
+        const lines = file.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/cors\s*\(/.test(line) || /origin\s*:/.test(line)) {
+                const alreadyFlaggedCors = findings.some((f) => f.rule === "config-audit" && f.file === file.path &&
+                    f.description.includes("CORS"));
+                if (!alreadyFlaggedCors) {
+                    const context = lines.slice(i, Math.min(i + 15, lines.length)).join("\n");
+                    if (/localhost|127\.0\.0\.1/.test(context) &&
+                        /origin/.test(context) &&
+                        !/process\.env|NODE_ENV|isDev|isLocal/.test(context)) {
+                        findings.push({
+                            rule: "config-audit",
+                            severity: "LOW",
+                            file: file.path,
+                            line: i + 1,
+                            description: "CORS configuration includes localhost origins without environment-gating. In production, any local service on these ports could make credentialed cross-origin requests.",
+                            fix: "Conditionally include localhost origins based on NODE_ENV: origin: process.env.NODE_ENV === 'production' ? [prodOrigins] : [prodOrigins, 'http://localhost:3000']",
+                        });
+                    }
+                }
+            }
+            if (/helmet\s*\(/.test(line)) {
+                const context = lines.slice(i, Math.min(i + 10, lines.length)).join("\n");
+                if (/contentSecurityPolicy\s*:\s*false/.test(context)) {
+                    findings.push({
+                        rule: "config-audit",
+                        severity: "LOW",
+                        file: file.path,
+                        line: i + 1,
+                        description: "Content Security Policy is disabled in Helmet configuration. While acceptable for pure JSON APIs, any HTML served (error pages, redirects) will have no CSP protection.",
+                        fix: "If this is a JSON-only API, this is acceptable. If any HTML is served, enable CSP with appropriate directives.",
+                    });
+                }
+            }
+            if (/err\.message|error\.message/.test(line) && /res\.(json|send|status)/.test(line)) {
+                const context = lines.slice(Math.max(0, i - 5), Math.min(i + 5, lines.length)).join("\n");
+                if (!/isDev|isLocal|development|NODE_ENV/.test(context)) {
+                    findings.push({
+                        rule: "config-audit",
+                        severity: "MEDIUM",
+                        file: file.path,
+                        line: i + 1,
+                        description: "Error message (err.message) is sent in API response without checking the environment. Library/database error messages can leak internal details (table names, query structures, file paths).",
+                        fix: 'Gate error details: res.json({ error: isDev ? err.message : "Internal server error" })',
+                    });
+                }
+            }
+            if (/ADMIN_EMAILS|admin.*email/i.test(line) && /\|\||fallback|default|\?\?/.test(line)) {
+                if (/@/.test(line)) {
+                    findings.push({
+                        rule: "config-audit",
+                        severity: "LOW",
+                        file: file.path,
+                        line: i + 1,
+                        description: "Admin email has a hardcoded fallback. If the environment variable is not set, this specific email automatically gets admin privileges.",
+                        fix: "Remove the hardcoded fallback. Fail explicitly if ADMIN_EMAILS is not configured: const adminEmails = process.env.ADMIN_EMAILS ?? ''; if (!adminEmails) throw new Error('ADMIN_EMAILS not configured');",
+                    });
+                }
+            }
+            if (/trust\s*proxy/.test(line)) {
+                const context = lines.slice(i, Math.min(i + 3, lines.length)).join("\n");
+                if (/true/.test(context)) {
+                    findings.push({
+                        rule: "config-audit",
+                        severity: "LOW",
+                        file: file.path,
+                        line: i + 1,
+                        description: "trust proxy is set to 'true' which trusts all proxies. This can allow clients to spoof their IP address via X-Forwarded-For header.",
+                        fix: "Set trust proxy to a specific number (e.g., 1 for a single reverse proxy) or to 'loopback' for localhost-only proxies.",
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=config-audit.js.map

package/dist/runners/security/rules/config-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-audit.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/config-audit.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAoB,EACpB,OAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,cAAc,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI;oBACtD,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CACjC,CAAC;gBACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC1E,IACE,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC;wBACtC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC;wBACtB,CAAC,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,EACpD,CAAC;wBACD,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,cAAc;4BACpB,QAAQ,EAAE,KAAK;4BACf,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,WAAW,EACT,0KAA0K;4BAC5K,GAAG,EAAE,mKAAmK;yBACzK,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC1E,IAAI,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,KAAK;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,yKAAyK;wBAC3K,GAAG,EAAE,gHAAgH;qBACtH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC1F,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACxD,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,8LAA8L;wBAChM,GAAG,EAAE,wFAAwF;qBAC9F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvF,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,KAAK;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,wIAAwI;wBAC1I,GAAG,EAAE,yMAAyM;qBAC/M,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzE,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACzB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,KAAK;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,qIAAqI;wBACvI,GAAG,EAAE,wHAAwH;qBAC9H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runners/security/rules/dep-audit.d.ts

@@ -0,0 +1,7 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Runs npm audit to check for known dependency vulnerabilities (CVEs).
+ */
+export declare function runDepAuditRule(_files: FileContent[], _config: QassConfig, projectPath: string): Promise<SecurityFinding[]>;
+//# sourceMappingURL=dep-audit.d.ts.map

package/dist/runners/security/rules/dep-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-audit.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/dep-audit.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAY,MAAM,mBAAmB,CAAC;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAIzD;;GAEG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,WAAW,EAAE,EACrB,OAAO,EAAE,UAAU,EACnB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CA6D5B"}

package/dist/runners/security/rules/dep-audit.js

@@ -0,0 +1,82 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { access } from "node:fs/promises";
+import { resolve } from "node:path";
+const exec = promisify(execFile);
+/**
+ * Runs npm audit to check for known dependency vulnerabilities (CVEs).
+ */
+export async function runDepAuditRule(_files, _config, projectPath) {
+    const findings = [];
+    const lockFile = resolve(projectPath, "package-lock.json");
+    try {
+        await access(lockFile);
+    }
+    catch {
+        return [];
+    }
+    try {
+        const { stdout } = await exec("npm", ["audit", "--json"], {
+            cwd: projectPath,
+            timeout: 30000,
+        });
+        const audit = JSON.parse(stdout);
+        if (audit.vulnerabilities) {
+            for (const [pkg, vuln] of Object.entries(audit.vulnerabilities)) {
+                const severity = mapSeverity(vuln.severity);
+                if (!severity)
+                    continue;
+                findings.push({
+                    rule: "dep-audit",
+                    severity,
+                    file: "package.json",
+                    description: `Dependency '${pkg}' has a known ${vuln.severity} vulnerability: ${vuln.title || vuln.url || "see npm audit"}`,
+                    fix: vuln.fixAvailable
+                        ? `Run: npm audit fix (or npm install ${pkg}@latest)`
+                        : `No automatic fix available. Consider replacing '${pkg}' or pinning to a safe version.`,
+                });
+            }
+        }
+    }
+    catch (e) {
+        if (e && typeof e === "object" && "stdout" in e) {
+            try {
+                const audit = JSON.parse(e.stdout);
+                if (audit.vulnerabilities) {
+                    for (const [pkg, vuln] of Object.entries(audit.vulnerabilities)) {
+                        const severity = mapSeverity(vuln.severity);
+                        if (!severity)
+                            continue;
+                        findings.push({
+                            rule: "dep-audit",
+                            severity,
+                            file: "package.json",
+                            description: `Dependency '${pkg}' has a known ${vuln.severity} vulnerability`,
+                            fix: vuln.fixAvailable
+                                ? `Run: npm audit fix`
+                                : `No automatic fix. Consider replacing '${pkg}'.`,
+                        });
+                    }
+                }
+            }
+            catch {
+                // couldn't parse audit output
+            }
+        }
+    }
+    return findings;
+}
+function mapSeverity(npmSeverity) {
+    switch (npmSeverity) {
+        case "critical":
+        case "high":
+            return "HIGH";
+        case "moderate":
+            return "MEDIUM";
+        case "low":
+            return "LOW";
+        default:
+            return null;
+    }
+}
+//# sourceMappingURL=dep-audit.js.map

package/dist/runners/security/rules/dep-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-audit.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/dep-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAqB,EACrB,OAAmB,EACnB,WAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IAC3D,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE;YACxD,GAAG,EAAE,WAAW;YAChB,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEjC,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAM,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;gBACrE,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC5C,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAExB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,WAAW;oBACjB,QAAQ;oBACR,IAAI,EAAE,cAAc;oBACpB,WAAW,EAAE,eAAe,GAAG,iBAAiB,IAAI,CAAC,QAAQ,mBAAmB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,IAAI,eAAe,EAAE;oBAC3H,GAAG,EAAE,IAAI,CAAC,YAAY;wBACpB,CAAC,CAAC,sCAAsC,GAAG,UAAU;wBACrD,CAAC,CAAC,mDAAmD,GAAG,iCAAiC;iBAC5F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAE,CAAS,CAAC,MAAM,CAAC,CAAC;gBAC5C,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;oBAC1B,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAM,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;wBACrE,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBAC5C,IAAI,CAAC,QAAQ;4BAAE,SAAS;wBAExB,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,WAAW;4BACjB,QAAQ;4BACR,IAAI,EAAE,cAAc;4BACpB,WAAW,EAAE,eAAe,GAAG,iBAAiB,IAAI,CAAC,QAAQ,gBAAgB;4BAC7E,GAAG,EAAE,IAAI,CAAC,YAAY;gCACpB,CAAC,CAAC,oBAAoB;gCACtB,CAAC,CAAC,yCAAyC,GAAG,IAAI;yBACrD,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,8BAA8B;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,WAAW,CAAC,WAAmB;IACtC,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/runners/security/rules/input-sanitization.d.ts

@@ -0,0 +1,12 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Detects unsanitized user input interpolated into database queries or filters.
+ *
+ * Checks for:
+ * - req.query or req.params values used in template literals inside .or(), .filter(), .rpc()
+ * - String concatenation with query/params into Supabase/SQL methods
+ * - req.body values used without validation in database operations
+ */
+export declare function runInputSanitizationRule(files: FileContent[], _config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=input-sanitization.d.ts.map

package/dist/runners/security/rules/input-sanitization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-sanitization.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/input-sanitization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CAsE5B"}

package/dist/runners/security/rules/input-sanitization.js

@@ -0,0 +1,64 @@
+/**
+ * Detects unsanitized user input interpolated into database queries or filters.
+ *
+ * Checks for:
+ * - req.query or req.params values used in template literals inside .or(), .filter(), .rpc()
+ * - String concatenation with query/params into Supabase/SQL methods
+ * - req.body values used without validation in database operations
+ */
+export async function runInputSanitizationRule(files, _config) {
+    const findings = [];
+    const codeFiles = files.filter((f) => /\.(ts|tsx|js|jsx)$/.test(f.path));
+    for (const file of codeFiles) {
+        const lines = file.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const orFilterMatch = line.match(/\.(or|filter)\s*\(\s*`[^`]*\$\{[^}]*(req\.(query|params|body)\.[^}]*)\}/);
+            if (orFilterMatch) {
+                findings.push({
+                    rule: "input-sanitization",
+                    severity: "MEDIUM",
+                    file: file.path,
+                    line: i + 1,
+                    description: `${orFilterMatch[2]} is interpolated into a .${orFilterMatch[1]}() call without sanitization. This enables filter injection attacks.`,
+                    fix: `Sanitize the input before use: const sanitized = (${orFilterMatch[2]} as string || '').replace(/[^a-zA-Z0-9\\s\\-@.]/g, ''); then use the sanitized value.`,
+                });
+            }
+            const stringConcatMatch = line.match(/\.(or|filter|rpc|sql)\s*\([^)]*(?:\+|,\s*["'`].*?\$\{)\s*(req\.(query|params)\.\w+)/);
+            if (stringConcatMatch && !orFilterMatch) {
+                findings.push({
+                    rule: "input-sanitization",
+                    severity: "MEDIUM",
+                    file: file.path,
+                    line: i + 1,
+                    description: `${stringConcatMatch[2]} is concatenated into a database query without sanitization.`,
+                    fix: `Sanitize the input before use. Strip special characters and limit length.`,
+                });
+            }
+            const directInterpolation = line.match(/(?:ilike|like|eq|neq|contains)\s*[.(]\s*[`"'].*\$\{.*?(req\.(query|params)\.\w+)/);
+            if (directInterpolation && !orFilterMatch) {
+                findings.push({
+                    rule: "input-sanitization",
+                    severity: "LOW",
+                    file: file.path,
+                    line: i + 1,
+                    description: `${directInterpolation[1]} is interpolated into a query filter. While individual filter methods are safer than .or(), input should still be sanitized.`,
+                    fix: `Validate and sanitize ${directInterpolation[1]} before use.`,
+                });
+            }
+            const evalMatch = line.match(/eval\s*\(\s*(req\.|user)/);
+            if (evalMatch) {
+                findings.push({
+                    rule: "input-sanitization",
+                    severity: "HIGH",
+                    file: file.path,
+                    line: i + 1,
+                    description: `User-controlled input passed to eval(). This is a remote code execution vulnerability.`,
+                    fix: `Remove eval() entirely. Parse the input using JSON.parse() or a purpose-built parser.`,
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=input-sanitization.js.map

package/dist/runners/security/rules/input-sanitization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-sanitization.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/input-sanitization.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAoB,EACpB,OAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAClC,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAC9B,yEAAyE,CAC1E,CAAC;YACF,IAAI,aAAa,EAAE,CAAC;gBAClB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,4BAA4B,aAAa,CAAC,CAAC,CAAC,sEAAsE;oBAClJ,GAAG,EAAE,qDAAqD,aAAa,CAAC,CAAC,CAAC,uFAAuF;iBAClK,CAAC,CAAC;YACL,CAAC;YAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,KAAK,CAClC,qFAAqF,CACtF,CAAC;YACF,IAAI,iBAAiB,IAAI,CAAC,aAAa,EAAE,CAAC;gBACxC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,iBAAiB,CAAC,CAAC,CAAC,8DAA8D;oBAClG,GAAG,EAAE,2EAA2E;iBACjF,CAAC,CAAC;YACL,CAAC;YAED,MAAM,mBAAmB,GAAG,IAAI,CAAC,KAAK,CACpC,kFAAkF,CACnF,CAAC;YACF,IAAI,mBAAmB,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1C,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,mBAAmB,CAAC,CAAC,CAAC,8HAA8H;oBACpK,GAAG,EAAE,yBAAyB,mBAAmB,CAAC,CAAC,CAAC,cAAc;iBACnE,CAAC,CAAC;YACL,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YACzD,IAAI,SAAS,EAAE,CAAC;gBACd,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,wFAAwF;oBACrG,GAAG,EAAE,uFAAuF;iBAC7F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runners/security/rules/rate-limit-audit.d.ts

@@ -0,0 +1,11 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Detects route groups that lack dedicated rate limiters.
+ *
+ * Checks for:
+ * - app.use() route mounting without rate limiter middleware
+ * - Sensitive routes (auth, payment, data mutation) relying only on global limiter
+ */
+export declare function runRateLimitAuditRule(files: FileContent[], _config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=rate-limit-audit.d.ts.map

package/dist/runners/security/rules/rate-limit-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-audit.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/rate-limit-audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CA8D5B"}

package/dist/runners/security/rules/rate-limit-audit.js

@@ -0,0 +1,51 @@
+/**
+ * Detects route groups that lack dedicated rate limiters.
+ *
+ * Checks for:
+ * - app.use() route mounting without rate limiter middleware
+ * - Sensitive routes (auth, payment, data mutation) relying only on global limiter
+ */
+export async function runRateLimitAuditRule(files, _config) {
+    const findings = [];
+    const appFiles = files.filter((f) => /app\.(ts|js)$/.test(f.path) ||
+        /server\.(ts|js)$/.test(f.path) ||
+        /index\.(ts|js)$/.test(f.path));
+    for (const file of appFiles) {
+        const lines = file.content.split("\n");
+        const hasGlobalLimiter = /app\.use\s*\(\s*(?:global)?[Ll]imiter/.test(file.content);
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const routeMount = line.match(/app\.use\s*\(\s*["'`](\/[^"'`]+)["'`]\s*,\s*(.*)\)/);
+            if (!routeMount)
+                continue;
+            const path = routeMount[1];
+            const args = routeMount[2];
+            const hasRateLimiter = /[Ll]imiter|rateLimit|throttle/i.test(args);
+            if (hasRateLimiter)
+                continue;
+            const isSensitive = /auth|login|signup|register|payment|subscription|checkout|admin|token|password|reset/i.test(path);
+            if (isSensitive) {
+                findings.push({
+                    rule: "rate-limit-audit",
+                    severity: "MEDIUM",
+                    file: file.path,
+                    line: i + 1,
+                    description: `Route group ${path} has no dedicated rate limiter.${hasGlobalLimiter ? " Only the global rate limiter applies." : ""} This is a sensitive route that should have stricter rate limiting.`,
+                    fix: `Add a dedicated rate limiter: app.use("${path}", rateLimiter({ windowMs: 15*60*1000, max: 10 }), ${args})`,
+                });
+            }
+            else if (!hasGlobalLimiter) {
+                findings.push({
+                    rule: "rate-limit-audit",
+                    severity: "LOW",
+                    file: file.path,
+                    line: i + 1,
+                    description: `Route group ${path} has no rate limiter and no global rate limiter was detected.`,
+                    fix: `Add rate limiting either globally or per-route group.`,
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=rate-limit-audit.js.map

package/dist/runners/security/rules/rate-limit-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-audit.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/rate-limit-audit.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAoB,EACpB,OAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAC3B,CAAC,CAAC,EAAE,EAAE,CACJ,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAC5B,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAC/B,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CACjC,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,MAAM,gBAAgB,GAAG,uCAAuC,CAAC,IAAI,CACnE,IAAI,CAAC,OAAO,CACb,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC3B,oDAAoD,CACrD,CAAC;YAEF,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAE3B,MAAM,cAAc,GAClB,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE9C,IAAI,cAAc;gBAAE,SAAS;YAE7B,MAAM,WAAW,GACf,sFAAsF,CAAC,IAAI,CACzF,IAAI,CACL,CAAC;YAEJ,IAAI,WAAW,EAAE,CAAC;gBAChB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,eAAe,IAAI,kCAAkC,gBAAgB,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,EAAE,qEAAqE;oBACvM,GAAG,EAAE,0CAA0C,IAAI,sDAAsD,IAAI,GAAG;iBACjH,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,eAAe,IAAI,+DAA+D;oBAC/F,GAAG,EAAE,uDAAuD;iBAC7D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runners/security/rules/secrets-scan.d.ts

@@ -0,0 +1,4 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+export declare function runSecretsScanRule(files: FileContent[], config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=secrets-scan.d.ts.map

package/dist/runners/security/rules/secrets-scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-scan.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/secrets-scan.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAqGzD,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,eAAe,EAAE,CAAC,CAuC5B"}

package/dist/runners/security/rules/secrets-scan.js

@@ -0,0 +1,129 @@
+const SECRET_PATTERNS = [
+    {
+        name: "AWS Access Key",
+        pattern: /(?:AKIA|ASIA)[A-Z0-9]{16}/,
+        severity: "HIGH",
+        description: "AWS access key ID found in source code",
+    },
+    {
+        name: "AWS Secret Key",
+        pattern: /(?:aws_secret_access_key|secret_key)\s*[=:]\s*["']?[A-Za-z0-9/+=]{40}["']?/i,
+        severity: "HIGH",
+        description: "AWS secret access key found in source code",
+    },
+    {
+        name: "Stripe Secret Key",
+        pattern: /sk_live_[A-Za-z0-9]{24,}/,
+        severity: "HIGH",
+        description: "Stripe live secret key found in source code",
+    },
+    {
+        name: "Stripe Publishable Key (live)",
+        pattern: /pk_live_[A-Za-z0-9]{24,}/,
+        severity: "MEDIUM",
+        description: "Stripe live publishable key in source code (consider using env vars)",
+    },
+    {
+        name: "Private Key",
+        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+        severity: "HIGH",
+        description: "Private key found in source code",
+    },
+    {
+        name: "JWT Token",
+        pattern: /eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+/,
+        severity: "HIGH",
+        description: "JWT token found hardcoded in source code",
+    },
+    {
+        name: "Generic API Key Assignment",
+        pattern: /(?:api[_-]?key|apiKey|api_secret)\s*[=:]\s*["'][A-Za-z0-9_\-]{20,}["']/i,
+        severity: "MEDIUM",
+        description: "API key appears to be hardcoded instead of using environment variables",
+    },
+    {
+        name: "Generic Secret Assignment",
+        pattern: /(?:secret|SECRET|token|TOKEN)\s*[=:]\s*["'][A-Za-z0-9_\-/+=]{16,}["']/,
+        severity: "MEDIUM",
+        description: "Secret or token appears to be hardcoded",
+    },
+    {
+        name: "Hardcoded Password",
+        pattern: /(?:password|passwd|pwd)\s*[=:]\s*["'][^"'\s]{8,}["']/i,
+        severity: "MEDIUM",
+        description: "Password appears to be hardcoded in source code",
+    },
+    {
+        name: "Database Connection String",
+        pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^"'\s]+:[^"'\s]+@[^"'\s]+/,
+        severity: "HIGH",
+        description: "Database connection string with credentials found in source code",
+    },
+    {
+        name: "SendGrid API Key",
+        pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/,
+        severity: "HIGH",
+        description: "SendGrid API key found in source code",
+    },
+    {
+        name: "Slack Webhook",
+        pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/,
+        severity: "MEDIUM",
+        description: "Slack webhook URL found in source code",
+    },
+    {
+        name: "Google API Key",
+        pattern: /AIza[A-Za-z0-9_-]{35}/,
+        severity: "MEDIUM",
+        description: "Google API key found in source code. Consider restricting and using env vars.",
+    },
+];
+const SAFE_FILES = [
+    /\.env\.example$/,
+    /\.env\.sample$/,
+    /config\.example\./,
+    /README\.md$/,
+    /CHANGELOG/,
+    /\.test\./,
+    /\.spec\./,
+    /\.md$/,
+];
+export async function runSecretsScanRule(files, config) {
+    const findings = [];
+    const allowlist = config.security?.secrets_allowlist ?? [];
+    for (const file of files) {
+        if (SAFE_FILES.some((pattern) => pattern.test(file.path)))
+            continue;
+        if (file.path.includes("node_modules"))
+            continue;
+        const lines = file.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/^\s*(\/\/|\/\*|\*|#)/.test(line))
+                continue;
+            for (const sp of SECRET_PATTERNS) {
+                const match = sp.pattern.exec(line);
+                if (!match)
+                    continue;
+                const matchedValue = match[0];
+                if (allowlist.some((a) => matchedValue.includes(a)))
+                    continue;
+                if (/process\.env|import\.meta\.env|\$\{/.test(line))
+                    continue;
+                if (/example|placeholder|your[_-]|xxx|todo/i.test(matchedValue))
+                    continue;
+                findings.push({
+                    rule: "secrets-scan",
+                    severity: sp.severity,
+                    file: file.path,
+                    line: i + 1,
+                    description: `${sp.name}: ${sp.description}`,
+                    fix: `Move this value to an environment variable. Replace the hardcoded value with process.env.YOUR_VAR_NAME and add it to .env (which should be in .gitignore).`,
+                });
+                break;
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=secrets-scan.js.map

package/dist/runners/security/rules/secrets-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-scan.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/secrets-scan.ts"],"names":[],"mappings":"AAUA,MAAM,eAAe,GAAoB;IACvC;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;KACpF;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,wDAAwD;QACjE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kCAAkC;KAChD;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,yEAAyE;QAClF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wEAAwE;KACtF;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kEAAkE;KAChF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0CAA0C;QACnD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uCAAuC;KACrD;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+EAA+E;KAC7F;CACF,CAAC;AAEF,MAAM,UAAU,GAAG;IACjB,iBAAiB;IACjB,gBAAgB;IAChB,mBAAmB;IACnB,aAAa;IACb,WAAW;IACX,UAAU;IACV,UAAU;IACV,OAAO;CACR,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,EAAE,iBAAiB,IAAI,EAAE,CAAC;IAE3D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAAE,SAAS;QACpE,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAAE,SAAS;QAEjD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEhD,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;gBACjC,MAAM,KAAK,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpC,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC9B,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;oBAAE,SAAS;gBAC9D,IAAI,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAC/D,IAAI,wCAAwC,CAAC,IAAI,CAAC,YAAY,CAAC;oBAC7D,SAAS;gBAEX,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,cAAc;oBACpB,QAAQ,EAAE,EAAE,CAAC,QAAQ;oBACrB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,WAAW,EAAE;oBAC5C,GAAG,EAAE,4JAA4J;iBAClK,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runners/security/rules/xss-vectors.d.ts

@@ -0,0 +1,13 @@
+import type { QassConfig, SecurityFinding } from "../../../types.js";
+import type { FileContent } from "../static-analyzer.js";
+/**
+ * Detects XSS vectors in frontend and backend code.
+ *
+ * Checks for:
+ * - dangerouslySetInnerHTML with non-static content
+ * - SVG file upload acceptance without sanitization
+ * - Sanitize middleware that re-decodes HTML entities after stripping tags
+ * - innerHTML assignments with user-controlled content
+ */
+export declare function runXssVectorsRule(files: FileContent[], _config: QassConfig): Promise<SecurityFinding[]>;
+//# sourceMappingURL=xss-vectors.d.ts.map

package/dist/runners/security/rules/xss-vectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss-vectors.d.ts","sourceRoot":"","sources":["../../../../src/runners/security/rules/xss-vectors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CAgF5B"}

package/dist/runners/security/rules/xss-vectors.js

@@ -0,0 +1,76 @@
+/**
+ * Detects XSS vectors in frontend and backend code.
+ *
+ * Checks for:
+ * - dangerouslySetInnerHTML with non-static content
+ * - SVG file upload acceptance without sanitization
+ * - Sanitize middleware that re-decodes HTML entities after stripping tags
+ * - innerHTML assignments with user-controlled content
+ */
+export async function runXssVectorsRule(files, _config) {
+    const findings = [];
+    for (const file of files) {
+        const lines = file.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/dangerouslySetInnerHTML/.test(line)) {
+                const context = lines.slice(Math.max(0, i - 3), i + 4).join("\n");
+                const isStatic = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*["'`]/.test(context);
+                if (!isStatic) {
+                    findings.push({
+                        rule: "xss-vectors",
+                        severity: "MEDIUM",
+                        file: file.path,
+                        line: i + 1,
+                        description: "dangerouslySetInnerHTML used with dynamic content. If the content comes from user input, API responses, or a CMS, this is a direct XSS vector.",
+                        fix: "Use a sanitization library like DOMPurify: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Or better, avoid dangerouslySetInnerHTML entirely and render content as text.",
+                    });
+                }
+            }
+            if (/\.innerHTML\s*=/.test(line) && !/\.innerHTML\s*=\s*["'`]/.test(line)) {
+                findings.push({
+                    rule: "xss-vectors",
+                    severity: "MEDIUM",
+                    file: file.path,
+                    line: i + 1,
+                    description: "innerHTML set with a dynamic value. This is an XSS vector if the value contains user-controlled content.",
+                    fix: "Use textContent instead of innerHTML, or sanitize with DOMPurify before assignment.",
+                });
+            }
+            if (/image\/svg\+xml|\.svg/.test(line) && /accept|ACCEPTED|allowed/i.test(line)) {
+                const context = lines.slice(Math.max(0, i - 2), i + 3).join("\n");
+                if (/upload|file|input/i.test(context)) {
+                    findings.push({
+                        rule: "xss-vectors",
+                        severity: "MEDIUM",
+                        file: file.path,
+                        line: i + 1,
+                        description: "SVG file uploads are accepted. SVG files can contain embedded JavaScript (<script> tags, onload handlers) that execute when served inline. This is a stored XSS vector.",
+                        fix: "Either block SVG uploads entirely, or serve uploaded SVGs with Content-Disposition: attachment header. Alternatively, sanitize SVGs server-side by stripping <script> tags and event handlers.",
+                    });
+                }
+            }
+            if (/&lt;|&gt;|&amp;|&quot;|&#x27;/.test(line) && /\.replace\(/.test(line)) {
+                const context = lines.slice(Math.max(0, i - 5), i + 5).join("\n");
+                const isSanitizer = /sanitize|strip|clean/i.test(context);
+                const stripsHtml = /replace.*<[^>]*>/.test(context);
+                if (isSanitizer && stripsHtml) {
+                    const alreadyFlagged = findings.some((f) => f.rule === "xss-vectors" && f.file === file.path &&
+                        f.description.includes("re-decodes HTML entities"));
+                    if (!alreadyFlagged) {
+                        findings.push({
+                            rule: "xss-vectors",
+                            severity: "LOW",
+                            file: file.path,
+                            line: i + 1,
+                            description: "Sanitizer re-decodes HTML entities (&lt; → <, &gt; → >, etc.) after stripping tags. Input like '&lt;script&gt;alert(1)&lt;/script&gt;' becomes '<script>alert(1)</script>' after decoding.",
+                            fix: "Strip HTML tags WITHOUT re-decoding entities, or use a proper sanitization library like sanitize-html or DOMPurify.",
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=xss-vectors.js.map

package/dist/runners/security/rules/xss-vectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss-vectors.js","sourceRoot":"","sources":["../../../../src/runners/security/rules/xss-vectors.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAoB,EACpB,OAAmB;IAEnB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClE,MAAM,QAAQ,GACZ,4DAA4D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAE7E,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,aAAa;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,gJAAgJ;wBAClJ,GAAG,EAAE,6LAA6L;qBACnM,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1E,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EACT,0GAA0G;oBAC5G,GAAG,EAAE,qFAAqF;iBAC3F,CAAC,CAAC;YACL,CAAC;YAED,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClE,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACvC,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,aAAa;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,WAAW,EACT,yKAAyK;wBAC3K,GAAG,EAAE,gMAAgM;qBACtM,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,IAAI,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3E,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClE,MAAM,WAAW,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC1D,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACpD,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;oBAC9B,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI;wBACrD,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CACrD,CAAC;oBACF,IAAI,CAAC,cAAc,EAAE,CAAC;wBACpB,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,aAAa;4BACnB,QAAQ,EAAE,KAAK;4BACf,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,WAAW,EACT,4LAA4L;4BAC9L,GAAG,EAAE,qHAAqH;yBAC3H,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/runners/security/static-analyzer.d.ts

@@ -0,0 +1,7 @@
+import type { QassConfig, DiffAnalysis, SecurityFinding } from "../../types.js";
+export interface FileContent {
+    path: string;
+    content: string;
+}
+export declare function runStaticAnalysis(config: QassConfig, projectPath: string, diff?: DiffAnalysis): Promise<SecurityFinding[]>;
+//# sourceMappingURL=static-analyzer.d.ts.map

package/dist/runners/security/static-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-analyzer.d.ts","sourceRoot":"","sources":["../../../src/runners/security/static-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,eAAe,EAAY,MAAM,gBAAgB,CAAC;AAe1F,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,UAAU,EAClB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,YAAY,GAClB,OAAO,CAAC,eAAe,EAAE,CAAC,CA4C5B"}