@shakecodeslikecray/whiterose 1.0.3 → 1.0.4

package/dist/cli/index.js

@@ -4327,6 +4327,9 @@ function loadAccumulatedBugs(cwd) {
     if (!Array.isArray(stored.bugs)) {
       stored.bugs = [];
     }
+    if (!stored.fingerprints || typeof stored.fingerprints !== "object") {
+      stored.fingerprints = {};
+    }
     stored.bugs = stored.bugs.map((b) => ({ ...b, kind: b.kind || "bug" }));
     return stored;
   } catch (error) {
@@ -5875,7 +5878,9 @@ var FixConfirm = ({ bug, dryRun, onConfirm, onCancel, onFixComplete }) => {
       setStatus("fixing");
       setProgressMessage("Starting agentic fix...");
       try {
-        const result = await onConfirm();
+        const result = await onConfirm((message) => {
+          setProgressMessage(message);
+        });
         if (result.falsePositive) {
           setFalsePositiveReason(result.falsePositiveReason || "The AI determined this bug is not real after analyzing the code.");
           setStatus("false-positive");
@@ -6019,11 +6024,11 @@ var App = ({ bugs, config, fixOptions, onFix, onExit }) => {
   };
   const [fixError, setFixError] = useState(null);
   const [lastFixedBugId, setLastFixedBugId] = useState(null);
-  const handleConfirmFix = async () => {
+  const handleConfirmFix = async (onProgress) => {
     if (selectedBug) {
       setFixError(null);
       setLastFixedBugId(selectedBug.id);
-      const result = await onFix(selectedBug);
+      const result = await onFix(selectedBug, onProgress);
       return result;
     }
     return { falsePositive: false };
@@ -6228,6 +6233,67 @@ function markBugAsFixed(bug, commitHash, cwd = process.cwd()) {
 }
 
 // src/core/fixer.ts
+var MAX_SARIF_TEXT_LENGTH = 2e3;
+var PROMPT_INJECTION_PATTERNS = [
+  // Attempts to override or ignore instructions
+  /ignore\s+(previous|all|above)\s+instructions?/i,
+  /disregard\s+(previous|all|above)\s+instructions?/i,
+  /forget\s+(previous|all|above)\s+instructions?/i,
+  // Attempts to define new roles or personas
+  /you\s+are\s+(now|actually)\s+/i,
+  /act\s+as\s+(a|an)\s+/i,
+  /pretend\s+(you|to\s+be)\s+/i,
+  // Attempts to inject system-level commands
+  /\[SYSTEM\]/i,
+  /\[INST\]/i,
+  /<\|system\|>/i,
+  /<\|assistant\|>/i,
+  /<\|user\|>/i,
+  // Attempts to break out with special markers
+  /###\s*(INSTRUCTION|SYSTEM|END|NEW)/i,
+  /```\s*(system|instruction)/i,
+  // Direct file operation injections
+  /delete\s+(all|the)\s+files?/i,
+  /rm\s+-rf\s+/i,
+  /remove\s+(all|every)\s+file/i,
+  // Exfiltration attempts
+  /send\s+(this|the|all)\s+(data|content|file)/i,
+  /upload\s+(to|this)/i,
+  /curl\s+.*\s+-d/i,
+  /fetch\s*\(\s*['"][^'"]*['"]\s*,\s*\{[^}]*method\s*:\s*['"]POST['"]/i
+];
+function sanitizeSarifText(text2, fieldName = "field") {
+  if (!text2 || typeof text2 !== "string") {
+    return "";
+  }
+  let sanitized = text2.length > MAX_SARIF_TEXT_LENGTH ? text2.substring(0, MAX_SARIF_TEXT_LENGTH) + `... [truncated ${fieldName}]` : text2;
+  for (const pattern of PROMPT_INJECTION_PATTERNS) {
+    if (pattern.test(sanitized)) {
+      sanitized = sanitized.replace(pattern, "[REDACTED: potential injection]");
+    }
+  }
+  sanitized = sanitized.replace(/```+/g, "`\u200B`\u200B`");
+  sanitized = sanitized.replace(/###/g, "#\u200B#\u200B#");
+  return sanitized;
+}
+function sanitizeSarifEvidence(evidence) {
+  if (!Array.isArray(evidence)) {
+    return [];
+  }
+  return evidence.filter((e) => typeof e === "string").slice(0, 10).map((e) => sanitizeSarifText(e, "evidence"));
+}
+function sanitizeSarifCodePath(codePath) {
+  if (!Array.isArray(codePath)) {
+    return [];
+  }
+  return codePath.slice(0, 20).map((entry, idx) => ({
+    step: typeof entry?.step === "number" ? entry.step : idx + 1,
+    file: sanitizeSarifText(String(entry?.file || ""), "codePath.file").substring(0, 500),
+    line: typeof entry?.line === "number" ? entry.line : 0,
+    code: sanitizeSarifText(String(entry?.code || ""), "codePath.code"),
+    explanation: sanitizeSarifText(String(entry?.explanation || ""), "codePath.explanation")
+  }));
+}
 function isPathWithinProject(filePath, projectDir) {
   const resolvedPath = resolve(projectDir, filePath);
   const relativePath = relative(projectDir, resolvedPath);
@@ -6291,7 +6357,7 @@ In: ${bug.file}:${bug.line}`
   }
   let agenticResult;
   try {
-    agenticResult = await runAgenticFix(bug, config, projectDir);
+    agenticResult = await runAgenticFix(bug, config, projectDir, options.onProgress);
   } catch (error) {
     return {
       success: false,
@@ -6331,7 +6397,7 @@ In: ${bug.file}:${bug.line}`
     commitHash
   };
 }
-async function runAgenticFix(bug, config, projectDir) {
+async function runAgenticFix(bug, config, projectDir, onProgress) {
   const providerCommand = getProviderCommand(config.provider);
   const prompt = buildAgenticFixPrompt(bug);
   const controller = new AbortController();
@@ -6385,9 +6451,13 @@ async function runAgenticFix(bug, config, projectDir) {
         }
       }
     } else if (config.provider === "claude-code") {
-      const result = await execa(
+      const args = ["--dangerously-skip-permissions", "-p"];
+      if (onProgress) {
+        args.push("--verbose", "--output-format", "stream-json");
+      }
+      const subprocess = execa(
         providerCommand,
-        ["--dangerously-skip-permissions", "-p"],
+        args,
         {
           cwd: projectDir,
           input: prompt,
@@ -6398,6 +6468,41 @@ async function runAgenticFix(bug, config, projectDir) {
           cancelSignal: controller.signal
         }
       );
+      if (onProgress && subprocess.stdout) {
+        let lineBuffer = "";
+        subprocess.stdout.on("data", (chunk) => {
+          const text2 = chunk.toString();
+          lineBuffer += text2;
+          const lines = lineBuffer.split("\n");
+          lineBuffer = lines.pop() || "";
+          for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed) {
+              try {
+                const event = JSON.parse(trimmed);
+                if (event.type === "assistant" && event.message?.content) {
+                  for (const block of event.message.content) {
+                    if (block.type === "tool_use") {
+                      const toolName = block.name || "tool";
+                      onProgress(`Using ${toolName}...`);
+                    } else if (block.type === "text" && block.text) {
+                      const preview = block.text.substring(0, 80).replace(/\n/g, " ").trim();
+                      if (preview) {
+                        onProgress(preview + (block.text.length > 80 ? "..." : ""));
+                      }
+                    }
+                  }
+                }
+              } catch {
+                if (trimmed.length > 3 && trimmed.length < 100) {
+                  onProgress(trimmed);
+                }
+              }
+            }
+          }
+        });
+      }
+      const result = await subprocess;
       stdout = result.stdout || "";
       stderr = result.stderr || "";
     } else if (config.provider === "gemini") {
@@ -6567,8 +6672,8 @@ function generateSimpleDiff(original, modified, filename) {
 }
 async function startFixTUI(bugs, config, options, cwd) {
   return new Promise((resolve6) => {
-    const handleFix = async (bug) => {
-      const result = await applyFix(bug, config, options);
+    const handleFix = async (bug, onProgress) => {
+      const result = await applyFix(bug, config, { ...options, onProgress });
       if (result.falsePositive) {
         if (cwd) {
           removeBugFromAccumulated(cwd, bug.id);
@@ -6727,39 +6832,67 @@ function loadBugsFromSarif(sarifPath) {
   } catch (error) {
     throw new Error(`Failed to parse SARIF file: ${sarifPath}. File may be corrupted or malformed.`);
   }
-  return sarif.runs?.[0]?.results?.map((r, i) => {
+  if (!sarif || typeof sarif !== "object") {
+    throw new Error(`Invalid SARIF file: ${sarifPath}. Expected a JSON object.`);
+  }
+  const runs = sarif.runs;
+  if (!Array.isArray(runs) || runs.length === 0) {
+    return [];
+  }
+  const results = runs[0]?.results;
+  if (!Array.isArray(results)) {
+    return [];
+  }
+  return results.map((r, i) => {
+    if (!r || typeof r !== "object") {
+      throw new Error(`Invalid SARIF result at index ${i}: expected an object.`);
+    }
     const props = r.properties || {};
+    const rawTitle = r.message?.text || "Unknown bug";
+    const rawDescription = r.message?.markdown || r.message?.text || "";
+    const rawCodePath = r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
+      step: idx + 1,
+      file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
+      line: loc.location?.physicalLocation?.region?.startLine || 0,
+      code: "",
+      explanation: loc.message?.text || ""
+    })) || [];
+    const rawFile = r.locations?.[0]?.physicalLocation?.artifactLocation?.uri;
+    const file = typeof rawFile === "string" ? rawFile : "unknown";
+    const rawLine = r.locations?.[0]?.physicalLocation?.region?.startLine;
+    const line = typeof rawLine === "number" && Number.isFinite(rawLine) ? Math.floor(rawLine) : 0;
+    const rawEndLine = r.locations?.[0]?.physicalLocation?.region?.endLine;
+    const endLine = typeof rawEndLine === "number" && Number.isFinite(rawEndLine) ? Math.floor(rawEndLine) : void 0;
+    const rawId = r.ruleId;
+    const id = typeof rawId === "string" ? rawId : `WR-${String(i + 1).padStart(3, "0")}`;
+    const validatedKind = FindingKind.safeParse(props.kind);
+    const validatedCategory = BugCategory.safeParse(props.category);
+    const validatedConfidence = ConfidenceLevel.safeParse(props.confidence);
     return {
-      id: r.ruleId || `WR-${String(i + 1).padStart(3, "0")}`,
-      title: r.message?.text || "Unknown bug",
-      description: r.message?.markdown || r.message?.text || "",
-      file: r.locations?.[0]?.physicalLocation?.artifactLocation?.uri || "unknown",
-      line: r.locations?.[0]?.physicalLocation?.region?.startLine || 0,
-      endLine: r.locations?.[0]?.physicalLocation?.region?.endLine,
-      kind: props.kind || "bug",
+      id,
+      title: sanitizeSarifText(String(rawTitle), "title"),
+      description: sanitizeSarifText(String(rawDescription), "description"),
+      file,
+      line,
+      endLine,
+      kind: validatedKind.success ? validatedKind.data : "bug",
       severity: mapSarifLevel(r.level),
-      category: props.category || "logic-error",
+      category: validatedCategory.success ? validatedCategory.data : "logic-error",
       confidence: {
-        overall: props.confidence || "medium",
-        codePathValidity: props.codePathValidity || 0.8,
-        reachability: props.reachability || 0.8,
-        intentViolation: props.intentViolation || false,
-        staticToolSignal: props.staticToolSignal || false,
-        adversarialSurvived: props.adversarialSurvived || false
+        overall: validatedConfidence.success ? validatedConfidence.data : "medium",
+        codePathValidity: typeof props.codePathValidity === "number" ? props.codePathValidity : 0.8,
+        reachability: typeof props.reachability === "number" ? props.reachability : 0.8,
+        intentViolation: typeof props.intentViolation === "boolean" ? props.intentViolation : false,
+        staticToolSignal: typeof props.staticToolSignal === "boolean" ? props.staticToolSignal : false,
+        adversarialSurvived: typeof props.adversarialSurvived === "boolean" ? props.adversarialSurvived : false
       },
-      codePath: r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
-        step: idx + 1,
-        file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
-        line: loc.location?.physicalLocation?.region?.startLine || 0,
-        code: "",
-        explanation: loc.message?.text || ""
-      })) || [],
-      evidence: props.evidence || [],
-      suggestedFix: props.suggestedFix,
+      codePath: sanitizeSarifCodePath(rawCodePath),
+      evidence: sanitizeSarifEvidence(props.evidence),
+      suggestedFix: props.suggestedFix ? sanitizeSarifText(String(props.suggestedFix), "suggestedFix") : void 0,
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       status: "open"
     };
-  }) || [];
+  });
 }
 async function loadBugFromGitHub(issueUrl, cwd) {
   try {
@@ -6999,12 +7132,24 @@ async function fixSingleBug(bug, config, options, cwd) {
       process.exit(0);
     }
   }
-  const spinner6 = p3.spinner();
-  spinner6.start(options.dryRun ? "Generating fix preview..." : "Applying fix...");
+  console.log();
+  console.log(chalk3.cyan("  \u25C6 Starting agentic fix..."));
+  console.log();
   try {
-    const result = await applyFix(bug, config, options);
+    let lastMessage = "";
+    const result = await applyFix(bug, config, {
+      ...options,
+      onProgress: (message) => {
+        if (message !== lastMessage) {
+          lastMessage = message;
+          const truncated = message.length > 72 ? message.substring(0, 72) + "..." : message;
+          process.stdout.write(`\r\x1B[K  ${chalk3.dim("\u203A")} ${chalk3.gray(truncated)}`);
+        }
+      }
+    });
+    process.stdout.write("\r\x1B[K");
     if (result.success) {
-      spinner6.stop(options.dryRun ? "Fix preview generated" : "Fix applied");
+      console.log(chalk3.green("  \u2713 Fix applied successfully"));
       if (result.diff) {
         console.log();
         console.log(chalk3.dim("  Changes:"));
@@ -7030,12 +7175,12 @@ async function fixSingleBug(bug, config, options, cwd) {
       }
       p3.outro(chalk3.green("Fix complete!"));
     } else {
-      spinner6.stop("Fix failed");
+      console.log(chalk3.red("  \u2717 Fix failed"));
       p3.log.error(result.error || "Unknown error");
       process.exit(1);
     }
   } catch (error) {
-    spinner6.stop("Fix failed");
+    console.log(chalk3.red("  \u2717 Fix failed"));
     p3.log.error(error.message);
     process.exit(1);
   }